Archive for October, 2014

New trace package available for UAG versions through Service Pack 4 Rollup 1

October 31st, 2014

An updated tracing package is now available from the Microsoft Download Center page for Forefront Unified Access Gateway (UAG) Tracing Symbols. This new trace package includes format files for all UAG versions through Service Pack 4 Rollup 1.

Forefront UAG tracing can be run on the Forefront UAG server and on client endpoint devices that connect to Forefront UAG resources. You configure trace settings, start tracing, reproduce the scenario that needs troubleshooting, stop tracing, and then convert the binary tracing output to text using the provided format files.

This download provides the following:
• A set of .tmf files in a zip file. These .tmf files are used to convert binary trace files on the Forefront UAG server and on client endpoint devices.
• An EULA (license agreement)
• A document with instructions for configuring and running tracing

Note that the zip file provided by this download is cumulative: the .tmf files it contains can be used with the RTM version of Forefront UAG and with every subsequent Forefront UAG release listed below.
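As an added example (it is not part of the announcement or of the UAG tracing package), the conversion step of the procedure above written as a PowerShell function. It runs tracefmt.exe against a captured .etl file using the .tmf directory for the build being traced, and reports how many events could not be formatted, which is the usual symptom of picking the .tmf set for the wrong build. Assumptions not stated on the page: tracefmt.exe is the Windows Driver Kit tool and is on the PATH (or passed via -TraceFmt), the package zip has already been extracted, and $TmfPath points at the folder holding the .tmf files for the installed UAG version; the function and parameter names are this example's own.

```powershell
# Added example, not code from the original announcement or the UAG product.
# Converts a binary UAG trace (.etl) to text with tracefmt.exe and the .tmf
# format files from the tracing package.
# Assumptions: tracefmt.exe comes from the Windows Driver Kit; $TmfPath is the
# folder with the .tmf files for the UAG build that produced the trace.
function Convert-UagTrace {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $EtlPath,
        [Parameter(Mandatory = $true)] [string] $TmfPath,
        [string] $OutputPath = ([IO.Path]::ChangeExtension($EtlPath, '.txt')),
        [string] $TraceFmt = 'tracefmt.exe'
    )

    if (-not (Test-Path -LiteralPath $EtlPath)) {
        throw "Trace file not found: $EtlPath"
    }

    # A TMF directory for the wrong build does not fail loudly; tracefmt just
    # emits events it cannot decode. At least make sure the folder has TMFs.
    $tmfCount = @(Get-ChildItem -LiteralPath $TmfPath -Filter *.tmf -ErrorAction Stop).Count
    if ($tmfCount -eq 0) {
        throw "No .tmf files found in $TmfPath"
    }

    # -p: directory of TMF files, -o: text output file, -nosummary: no .sum file
    & $TraceFmt $EtlPath -p $TmfPath -o $OutputPath -nosummary | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "tracefmt.exe returned exit code $LASTEXITCODE"
    }

    # tracefmt labels events without a matching TMF as "Unknown ... (No Format
    # Information found)". Many such lines usually mean the TMF set does not
    # match the installed UAG build; pick the folder for your version instead.
    $lines   = Get-Content -LiteralPath $OutputPath
    $unknown = @($lines | Where-Object { $_ -match 'No Format Information found' }).Count

    New-Object PSObject -Property @{
        Output       = $OutputPath
        TotalLines   = $lines.Count
        UnknownLines = $unknown
    }
}

# Usage (paths are placeholders):
# Convert-UagTrace -EtlPath C:\Traces\uag-portal.etl -TmfPath C:\Tmf\SP4RU1
```

The formatted text can contain user names, session identifiers and request details from the scenario you reproduced, so treat the output file with the same care as the binary trace and remove it once the case is closed.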

Versions of .tmf files provided by this download are as follows:

• UAG RTM (Version 4.0.1101.000)
• UAG Update 1 (Version 4.0.1152.100), KB Article 981323
• UAG Update 2 (Version 4.0.1269.200), KB Article 2288900
• UAG RTM MS10-089 bulletin (Version 4.0.1101.052), KB Article 2433585
• UAG Update 1 MS10-089 bulletin (Version 4.0.1152.150), KB Article 2433584
• UAG Update 2 MS10-089 bulletin (Version 4.0.1269.250), KB Article 2418933
• UAG SP1 (Version 4.0.1752.10000), KB Article 2285712
• UAG SP1 Rollup 1 (Version 4.0.1752.10020), KB Article 2475733
• UAG RTM MS11-079 bulletin (Version 4.0.1101.063), KB Article 2522482
• UAG Update 1 MS11-079 bulletin (Version 4.0.1152.163), KB Article 2522483
• UAG Update 2 MS11-079 bulletin (Version 4.0.1269.284), KB Article 2522484
• UAG SP1 MS11-079 bulletin (Version 4.0.1752.10073), KB Article 2522485
• UAG SP1 Update 1 (Version 4.0.1773.10100), KB Article 2585140
• UAG SP1 MS12-026 (Version 4.0.1753.10076), KB Article 2649261
• UAG SP1 Update 1 MS12-026 (Version 4.0.1773.10190), KB Article 2649262
• UAG SP2 (Version 4.0.2095.10000), KB Article 2710791
• UAG SP3 (Version 4.0.3123.10000), KB Article 2744025
• UAG SP3 Rollup 1 (Version 4.0.3206.10100), KB Article 2827350
• UAG SP4 (Version 4.0.4083.10000), KB Article 2861386
• UAG SP4 Rollup 1 (Version 4.0.4160.10100), KB Article 2922171

Thank you,

The Forefront UAG Product Team

The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/ 
The Forefront TMG blog: http://blogs.technet.com/b/isablog/ 
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/ 

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Users from a trusted forest are unable to change their password using the UAG portal Credentials Management option

October 30th, 2014

Once again the UAG product group has worked diligently on releasing a much-awaited update for UAG: SP4 Rollup 1.

This update includes numerous fixes for issues customers have reported over the last 12 months, as well as some improvements. However, one particular issue is not included in this release, so we are sharing the details here.

Problem Scenario

Users from a trusted forest are unable to change their password using the Credentials Management option on the UAG portal page.

For example, a user from a trusted forest logs into the UAG portal and selects the Credentials Management icon on the toolbar. The user then chooses the “Change Password” option, which displays the password change dialog. After completing the form with their current and new password, the user clicks “Save” to apply the change. However, the password is not changed and the user receives the error message “The password change cannot be applied”.

Users from a domain within the UAG forest are not affected, and their password is changed successfully. In the failing scenario you may also observe that the “User name:” field displays the logged-in user’s name as “Repository\username” rather than “TrustedForest\username”.

The Solution

The suggested fix is to modify UAG’s LoginChangePassword.inc so that the user name passed to the password change is prefixed with the user’s own domain (TrustedForest\username) instead of the repository name.

It is not possible to customize the LoginChangePassword.inc file using the standard UAG CustomUpdate mechanism, so the built-in file has to be modified manually.

Note: Unless advised by Microsoft support personnel, making changes to core UAG files is wholly unsupported. You should not make changes to these files except under strict guidance from the UAG support team, or other exceptions provided through an official channel such as this blog. Applying any future updates or running repairs may overwrite the modified file.

1. Navigate to ..\<UAG_Installation_path>\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\ and make a copy of the LoginChangePassword.inc file within the same folder.

2. Now edit the original file and locate the following block of code:

repository = ""
user_name = ""
for each user in user_Vec.UserVec
    if i = index then
        repository = user.Repository
        user_name = user.User
        exit for
    end if
    i = i + 1
next
set user_vec = Nothing

3. Change it so that it includes the following six lines (the two marker lines are VBScript comments, so they are optional):

repository = ""
user_name = ""
for each user in user_Vec.UserVec
    if i = index then
        repository = user.Repository
        user_name = user.User

        ' ######### Below lines added to correct issue post SP4 RU1 ##########
        ' Prefix the user name with its own domain unless it is already a UPN (contains "@")
        domain_name = user.Domain
        if ( (domain_name <> "") and (InStr(user_name, "@") = 0) ) then
            user_name = domain_name & "\" & user_name
        end if
        ' ##################################################

        exit for
    end if
    i = i + 1
next
set user_vec = Nothing

4. Save the file and repeat the same steps on all remaining UAG servers.
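Because the note above warns that a later update or repair can overwrite the modified file, and step 4 requires the same edit on every server, a check that all UAG servers still carry the change is worth having. The following PowerShell function is an added example, not code from the original post or from UAG: it reads LoginChangePassword.inc from each server over the C$ administrative share, tests for the three lines that make up the fix, and hashes the file so that servers with a different copy stand out. It assumes UAG is installed under C:\Program Files\Microsoft Forefront Unified Access Gateway on every server and that the caller can read the admin share; the function and parameter names are this example's own.

```powershell
# Added example, not part of the original post or of the UAG product.
# Verifies that the manual LoginChangePassword.inc change is present on every
# UAG server and flags servers whose copy differs (missed server, or the file
# was overwritten by an update or repair).
# Assumptions: default install path on drive C:, C$ admin share reachable.
function Test-UagChangePasswordFix {
    param(
        [Parameter(Mandatory = $true)] [string[]] $ComputerName,
        [string] $RelativePath = 'Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\LoginChangePassword.inc'
    )

    $sha256  = [System.Security.Cryptography.SHA256]::Create()
    $results = @()

    foreach ($server in $ComputerName) {
        $path = "\\$server\C$\$RelativePath"
        if (-not (Test-Path -LiteralPath $path)) {
            $results += New-Object PSObject -Property @{
                Server = $server; Patched = $false; Hash = $null; Note = 'file not found'
            }
            continue
        }

        $bytes = [IO.File]::ReadAllBytes($path)
        $hash  = ([BitConverter]::ToString($sha256.ComputeHash($bytes))) -replace '-', ''
        $text  = [Text.Encoding]::ASCII.GetString($bytes)   # the .inc file is plain-text VBScript

        # The fix is present when user.Domain is read, the UPN guard is there,
        # and user_name is rebuilt as domain\user. All three must match.
        $patched = ($text -match 'domain_name\s*=\s*user\.Domain') -and
                   ($text -match 'InStr\(user_name,\s*"@"\)\s*=\s*0') -and
                   ($text -match 'user_name\s*=\s*domain_name\s*&\s*"\\"\s*&\s*user_name')

        $results += New-Object PSObject -Property @{
            Server = $server; Patched = $patched; Hash = $hash; Note = ''
        }
    }

    # All servers should hold byte-identical copies; more than one distinct
    # hash means at least one server was missed or has been overwritten.
    $distinct = @($results | Where-Object { $_.Hash } |
                  Select-Object -ExpandProperty Hash | Sort-Object -Unique).Count
    if ($distinct -gt 1) {
        Write-Warning "LoginChangePassword.inc differs across servers ($distinct distinct hashes)"
    }

    $results | Select-Object Server, Patched, Hash, Note
}

# Usage (server names are placeholders):
# Test-UagChangePasswordFix -ComputerName uag01, uag02 | Format-Table -AutoSize
```

Run it after applying the change and again after any UAG update or repair; a server reporting Patched = False is the one that needs the manual edit repeated.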

AUTHOR

Rainier Amara

Support Escalation Engineer – Microsoft Edge Security Team

REVIEWERS

Lars Bentzen

Sr. Escalation Engineer – Microsoft Edge Security Team

3010060 – Vulnerability in Microsoft OLE Could Allow Remote Code Execution – Version: 1.1

Revision Note: V1.1 (October 30, 2014): Advisory updated to include additional acknowledgments.
Summary: Microsoft is aware of a vulnerability affecting all supported releases of Microsoft Windows, excluding Windows Server 2003. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. The attack requires user interaction to succeed on Windows clients with a default configuration, as User Account Control (UAC) is enabled and a consent prompt is displayed.

Security Advisory 3009008 updated

October 29th, 2014

Today, we announced the availability of SSL 3.0 fallback warnings in Internet Explorer (IE) 11. For more information please visit the IE blog.

We have also published an update on the status of the changes we have made to our Azure offerings in response to the SSL 3.0 vulnerability. For more information please visit the Azure blog.

Tracey Pretorius
Director, Response Communications

UPDATE October 29, 2014: Today, we revised Security Advisory 3009008 to provide an easy, one-click Fix it for customers to disable SSL 3.0 in all supported versions of Internet Explorer (IE).

We are committed to helping protect our customers and providing the best possible encryption to protect their data. To do this, we’re working to disable fallback to SSL 3.0 in IE, and disable SSL 3.0 by default in IE, and across Microsoft online services, over the coming months.

Millions of people and thousands of organizations around the world rely on our products and services every day, and while the number of systems that rely on SSL 3.0 exclusively is very small, we recognize that, particularly for enterprises, disabling the protocol may cause some impact. That’s why we’re taking a planned approach to this issue and providing customers with advance notice.

We encourage everyone to use the workarounds and Fix it provided in Security Advisory 3009008 to investigate their websites, services and third-party applications now, and begin preparing for this change.

If you are currently using older versions of IE, such as IE 6, we recommend you upgrade to a newer browser as soon as possible, in addition to using the Fix it released today. IE 11 is our latest and most secure browser and customers who upgrade will continue to benefit from additional security features.

Please visit our Azure and Office 365 blogs for more detailed plans.

We’re taking ongoing steps to help ensure customers are protected on the Internet, and we’ll continue to provide updates on this journey over the coming months.

UPDATE October 19, 2014: Today, we published guidance on how to disable SSL 3.0 in Azure Websites, Roles, and Virtual Machines. For more information, please visit the Azure blog.

Original post October 14, 2014: Security Advisory 3009008 released
Today, we released Security Advisory 3009008 to address a vulnerability in Secure Sockets Layer (SSL) 3.0 which could allow information disclosure. This is an industry-wide vulnerability that affects the protocol itself, and is not specific to Microsoft’s implementation of SSL or the Windows operating system.

This advisory provides guidance for customers so that they can disable SSL 3.0 in the browser. Customers should be aware that once they disable SSL 3.0, if they visit a website that supports only SSL 3.0 and does not support newer encryption protocols, they will receive a connection error message and will not be able to connect to that website.


3009008 – Vulnerability in SSL 3.0 Could Allow Information Disclosure – Version: 2.0

Revision Note: V2.0 (October 29, 2014): Revised advisory to announce the deprecation of SSL 3.0, to clarify the workaround instructions for disabling SSL 3.0 on Windows servers and on Windows clients, and to announce the availability of a Microsoft Fix it solution for Internet Explorer. For more information see Knowledge Base Article 3009008.
Summary: Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.
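The advisory's workaround is to disable SSL 3.0 on Windows servers and clients, and the Fix it described in the post above does the equivalent for Internet Explorer. The following PowerShell script is an added example, not the advisory's own instructions or the Fix it itself: it applies both settings and reads them back. The registry paths are the standard SChannel protocol keys and Internet Explorer's SecureProtocols value, and the bit values (SSL 2.0 = 8, SSL 3.0 = 32, TLS 1.0 = 128, TLS 1.1 = 512, TLS 1.2 = 2048) are the documented ones; the assumed default of 0xAA0 when SecureProtocols is absent, and the function names, are this example's own.

```powershell
# Added example; not code from the advisory, the Fix it, or the blog post.
# Disables SSL 3.0 in SChannel (server and client roles) and clears the SSL 3.0
# bit in Internet Explorer's SecureProtocols value, then verifies both.
# SChannel changes take effect after a reboot; the IE change when IE restarts.
$SChannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$IeSettings   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Ssl3Bit      = 32   # SecureProtocols bit for SSL 3.0

function Disable-Ssl3SChannel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # 'Server' governs inbound TLS listeners (IIS, RDP, UAG/TMG); 'Client'
    # governs outbound SChannel connections made from this host, so a backend
    # that only speaks SSL 3.0 will stop working once the client side is off.
    foreach ($role in 'Server', 'Client') {
        $key = "$SChannelRoot\SSL 3.0\$role"
        if ($PSCmdlet.ShouldProcess($key, 'Set Enabled=0, DisabledByDefault=1')) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Disable-Ssl3InternetExplorer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $current = (Get-ItemProperty -Path $IeSettings -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $current) {
        # No explicit value means "browser defaults". Assumption for this
        # example: the IE 11 default set SSL 3.0 + TLS 1.0/1.1/1.2 (0xAA0),
        # so masking only SSL 3.0 out of it leaves TLS enabled.
        $current = 0xAA0
    }
    $new = $current -band (-bnot $Ssl3Bit)
    if ($PSCmdlet.ShouldProcess($IeSettings, "SecureProtocols $current -> $new")) {
        New-ItemProperty -Path $IeSettings -Name SecureProtocols -Value $new -PropertyType DWord -Force | Out-Null
    }
}

function Test-Ssl3Disabled {
    # Reads both settings back; returns $true only when every check passes.
    $ok = $true
    foreach ($role in 'Server', 'Client') {
        $key     = "$SChannelRoot\SSL 3.0\$role"
        $enabled = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Enabled
        $roleOk  = ($enabled -eq 0)
        Write-Host ("SChannel SSL 3.0 {0,-6} disabled: {1}" -f $role, $roleOk)
        $ok = $ok -and $roleOk
    }
    $sp   = (Get-ItemProperty -Path $IeSettings -ErrorAction SilentlyContinue).SecureProtocols
    $ieOk = ($null -ne $sp) -and (($sp -band $Ssl3Bit) -eq 0)
    Write-Host ("IE SecureProtocols SSL 3.0 cleared: {0}" -f $ieOk)
    $ok -and $ieOk
}

# Usage: run from an elevated prompt; -WhatIf shows the changes without applying them.
# Disable-Ssl3SChannel -WhatIf; Disable-Ssl3InternetExplorer -WhatIf
# Disable-Ssl3SChannel; Disable-Ssl3InternetExplorer; Test-Ssl3Disabled
```

As the advisory warns, inventory the sites, services and third-party applications that still depend on SSL 3.0 before applying this on a server, since the Client role change affects every outbound SChannel connection from that host, not only the browser.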

The dangers of opening suspicious emails: Crowti ransomware

October 29th, 2014 No comments

The Microsoft Malware Protection Center (MMPC) has seen a spike in the number of detections for threats in the Win32/Crowti ransomware family this month as the result of new malware campaigns. Crowti is a family of ransomware that, when encountered, will attempt to encrypt the files on your PC and then ask for payment to unlock them. These threats are being distributed through spam email campaigns and exploits.

Crowti impacts both enterprise and home users; however, this type of threat can be particularly damaging in enterprise environments. In most cases, ransomware such as Crowti can encrypt files and leave them inaccessible. That's why it's important to back up files on a regular basis. Cloud storage technologies such as OneDrive for Business can help with features such as built-in version history, which lets you revert to an unencrypted version of your files.

We also recommend you increase awareness about the dangers of opening suspicious emails. This includes not opening email attachments or links from untrusted sources. Attackers will usually try to imitate regular business transaction emails such as faxes, voice mails, or receipts. If you receive an email that you're not expecting, it's best to ignore it. Try to validate the source of the email before clicking on a link or opening the attachment. There is more advice to help prevent an infection from ransomware and other threats at the end of this blog.

The graph below shows how Crowti ransomware has impacted our customers during the past month.

Figure 1: Daily encounter data for Win32/Crowti ransomware

Computers in the United States have been most affected, with 71 percent of total infections, followed by Canada, France and Australia.

Figure 2: Telemetry data for Win32/Crowti by country, 21 September – 21 October 2014

Infection and installation

Crowti is being distributed via spam campaigns with email attachments designed to entice the receiver to open them. We have seen the following attachment names:

  • VOICE<random numbers>.scr
  • IncomingFax<random numbers>.exe
  • fax<random numbers>.scr/exe
  • fax-id<random numbers>.exe/scr
  • info_<random numbers>.pdf.exe
  • document-<random numbers>.scr/exe
  • Complaint_IRS_id-<random numbers>.scr/exe
  • Invoice<random numbers>.scr/exe

The attachment is usually contained within a zip archive. Opening and running this file will launch the malware. An example spam email message is shown below:
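As an added illustration of the naming patterns listed above (example code, not part of the original post), the following Python triage routine scores attachment names that combine a business-transaction lure stem with an executable or doubled extension. The lure patterns are taken from the names in the post; the sample file names, the score weights and the threshold are constructed for the example.

```python
import re

# Extensions Windows executes on double-click; the post's samples use .scr and .exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Document extensions that a lure pairs with an executable one, e.g. "info_123.pdf.exe".
# With "Hide extensions for known file types" on, Explorer shows that name as "info_123.pdf".
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".htm", ".html"}

# Lure stems modelled on the attachment names listed in the post (stem = text before the
# first dot). Each pattern is anchored so "Invoice" alone or "fax_machine_manual" do not match.
LURE_PATTERNS = [
    re.compile(r"^voice\d+$", re.I),              # VOICE<random numbers>.scr
    re.compile(r"^incomingfax\d+$", re.I),        # IncomingFax<random numbers>.exe
    re.compile(r"^fax(-id)?\d+$", re.I),          # fax<n>.scr/exe, fax-id<n>.exe/scr
    re.compile(r"^info_\d+$", re.I),              # info_<random numbers>.pdf.exe
    re.compile(r"^document-\d+$", re.I),          # document-<random numbers>.scr/exe
    re.compile(r"^complaint_irs_id-\d+$", re.I),  # Complaint_IRS_id-<random numbers>.scr/exe
    re.compile(r"^invoice\d+$", re.I),            # Invoice<random numbers>.scr/exe
]

# Constructed weights: an executable or doubled extension alone is enough to flag;
# a lure stem on its own (e.g. "Invoice2014.pdf") only raises the score.
WEIGHTS = {"executable_extension": 2, "double_extension": 2, "lure_name": 1}
THRESHOLD = 2


def split_extensions(name):
    """'info_7731.pdf.exe' -> ('info_7731', ['.pdf', '.exe']); extensions are lower-cased."""
    parts = name.split(".")
    if len(parts) == 1:
        return name, []
    return parts[0], ["." + p.lower() for p in parts[1:]]


def triage_attachment(name):
    """Score one attachment file name and return the reasons that contributed."""
    stem, exts = split_extensions(name)
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable_extension")
        # Only the final extension runs; a document extension in front of it is the disguise.
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append("double_extension")
    if any(p.match(stem) for p in LURE_PATTERNS):
        reasons.append("lure_name")
    score = sum(WEIGHTS[r] for r in reasons)
    return {"name": name, "reasons": reasons, "score": score, "suspicious": score >= THRESHOLD}


def triage_zip_members(archive_name, members):
    """Triage every member of a zip attachment; the archive is flagged if any member is.
    Member paths are reduced to their base name so nested folders do not hide a lure."""
    results = [triage_attachment(m.rsplit("/", 1)[-1]) for m in members]
    return {
        "archive": archive_name,
        "members": results,
        "suspicious": any(r["suspicious"] for r in results),
    }


if __name__ == "__main__":
    # Constructed sample: one zip attachment as the post describes, plus loose names.
    sample_zip = triage_zip_members("fax-id1234.zip", ["fax-id1234.scr"])
    print(sample_zip["archive"], "suspicious:", sample_zip["suspicious"])
    for name in ["IncomingFax4821.exe", "info_7731.pdf.exe", "Invoice2014.pdf", "quarterly_report.docx"]:
        r = triage_attachment(name)
        print(f"{r['name']:<24} score={r['score']} suspicious={r['suspicious']} reasons={r['reasons']}")
```

The routine is a mail-gateway or triage-queue filter, not a substitute for an anti-malware engine: it only reasons about the file name, so it complements the real-time scanning the post recommends.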

Figure 3: Email spam message with Win32/Crowti as an attachment

Our telemetry and research show that Win32/Crowti is also distributed via exploit kits such as Nuclear, RIG, and RedKit V2. These kits can deliver different exploits, including those that target Java and Flash vulnerabilities. Some of the exploits used to distribute Crowti are:

In the past, we have also seen Win32/Crowti being installed by other malware, such as Upatre, Zbot, and Zemot.

Figure 4 shows a typical infection chain:

Figure 4: Crowti infection chain

File encryption

Crowti's primary payload is to encrypt the files on your PC. It usually brands itself with the name CryptoDefense or CryptoWall. Below is a sample message shown once your files are encrypted.


Figure 5: Crowti encryption message

The links in the above message direct you to a Tor webpage asking for payment using Bitcoin.


Figure 6: Crowti payment request

On September 29, 2014 we saw a Crowti sample distributed with a valid digital certificate that was issued to Trend, as shown below. This is not associated with Trend Micro, and the certificate has since been revoked. Crowti has used digital certificates to bypass detection systems before; we have previously seen it using a certificate issued to The Nielsen Company.

Figure 7: Crowti digital certificate

Protecting your PC

There is no guarantee that paying a ransom will give you access to your files or restore your PC to its pre-infection state. We do not recommend paying the ransom.

There are a number of security precautions that can help prevent these attacks on both enterprise and consumer machines. As well as being aware of suspicious emails and backing up your files, you should also keep your security products and other applications up to date. Attackers are taking advantage of unpatched vulnerabilities in software to compromise your machine. Most of the exploits used by Crowti target vulnerabilities found in browser plugin applications such as Java and Flash. Making a habit of regularly updating your software can help reduce the risk of infection.

We also encourage you to join our Microsoft Active Protection Service Community (MAPS). We use the data we gather from MAPS to create better detections and to respond as fast as we can. This feature is enabled by default for Microsoft Security Essentials and Windows Defender for Windows 8.1. You can check whether the MAPS feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS:

Figure 8: With the MAPS option enabled, a Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service

As always, we also recommend running a real-time security product such as Microsoft Security Essentials or another trusted security software product. You can read more about Win32/Crowti and ransomware in general on the Microsoft Malware Protection Center website.

MMPC


Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 4 is available for download

October 28th, 2014 No comments

We are happy to announce that Rollup 1 for Forefront UAG 2010 Service Pack 4 has been released.

UAG 2010 Service Pack 4 Rollup 1 is available as a hotfix download from Microsoft Support as an update to UAG 2010 Service Pack 4.

This update contains over 23 fixes for reported issues plus updates for application publishing templates. For details, please visit KB 2922171: Description of Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 4.

Please download the Forefront Unified Access Gateway (UAG) 2010 Service Pack 4 Rollup package and learn more about UAG 2010 SP4 by visiting our TechNet Library.


Thank you,

The Forefront UAG Product Team


Get the latest System Center news on Facebook and Twitter:


The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv


Novetta leads first coordinated malware eradication campaign

October 28th, 2014 No comments

Earlier this month, Novetta took their initial public action in the first Coordinated Malware Eradication (CME) campaign against Win32/Hikiti and its associated threats.

Today, Novetta released a comprehensive report that describes in detail the threats and threat actors, known as Axiom, targeted in this campaign.

Axiom is a well-resourced, disciplined, and sophisticated threat actor that analysts believe has been conducting espionage operations online since at least 2008. Since then, Axiom has pursued a wide variety of targets such as government agencies, global Fortune 500 companies, shapers of economic and environmental policies, and developers of cutting-edge information technology and telecommunications equipment. They have also targeted political activists, Non-Governmental Organizations (NGOs), and journalists.

If you know or suspect that your organization was affected by this threat, we highly recommend you run a full scan of your PC with a Microsoft security product or software from another trusted security vendor to ensure Hikiti and other malware are detected.

The Novetta report can help you discover other indicators and behaviors of Hikiti malware and other related threats used by these actors. It also explains how Axiom can set up their architecture in an infected environment.

Many thanks to our security partners F-Secure, FireEye, ThreatConnect, ThreatTrack Security, Volexity, Symantec, Tenable, Cisco, and iSIGHT for working with us and Novetta on this campaign. As we mentioned in our initial post, collaboration across private industry is crucial to addressing advanced persistent threats. This campaign is the first of many that we are launching through our CME program.

The Novetta paper focuses on the technical and operational aspects of Hikiti and Axiom, and I am going to focus on how this CME campaign got started, how it went, and what we learned.

Early beginnings

This campaign kicked off at the FIRST Conference in Boston just after the presentation on the CME program. I was introduced to Andre Ludwig from Novetta, who said he had an idea for a CME campaign. Hikiti, although small in overall prevalence, was broad in the number of environments it impacted globally. In other words, it takes only one infection to have a large impact on an organization or an individual.

Putting together the plan

We pulled together a long and distinguished list of security experts from multiple organizations and the campaign started to take shape. In a campaign, we typically analyze several aspects of the target malware to assess methods for eradication:

  • Distribution and infection vector
  • Monetization
  • Actor/attribution

Because Axiom targeted specific individuals and organizations, a methodical process of shutting down parts of the infection vectors (spear phishing, watering hole attacks) didn't make sense. Although the malware authors may be interested in the value of intellectual property, there was no evidence of commercial buying and selling of the information they were collecting. From what the team knew about Axiom, it was unlikely they could be arrested (there are more details about this in the Novetta paper), meaning that traditional tactics wouldn't apply to this campaign. What was missing, however, was widespread detection and knowledge about how these actors worked and the tools they used, so that every organization, big or small, with a large security team or not, could have all the pertinent details to discover whether it had been impacted by this threat and to discover any collateral damage.

We developed a plan focused on two primary objectives.

First, we planned a simultaneous release of widespread detection for one of the more advanced, later-stage components used by these actors (Hikiti), along with related initial- and secondary-stage threats such as Derusbi, Mdmbot, Moudoor, Plugx, and Sensode (see the comprehensive list in the Novetta report). Second, we planned to release detailed information about Axiom's toolkit to help any affected organization effectively detect and mitigate its impact (our action today). Essentially, our plan was to fight the adversary with a plethora of public information to make it difficult for them, in their current incarnation, to hide.

Executing the plan and lessons learned

From an operational perspective, this campaign had fewer logistical components. There were no take-downs to execute and no arrests, so the timeline moved fast. Novetta created several documents to foster collaboration, created a common voice for the group, organized all of the team's research, and ensured that everyone was in sync with timelines and messaging. We are now building templates based on what we learned and putting them back into the program for others to use.

We have more lessons learned, of course. The team will be meeting to discuss these lessons in depth, so that we can incorporate them back into the program.

What’s next

This campaign was a great first for the CME program. Thanks go to the entire team that contributed samples, insight, analysis, reviews, and telemetry to the campaign, including our own Francis Tan Seng and Peter Cap. A special thank you to Andre Ludwig, who was our model campaign leader, and the entire Novetta team. We learned much from the operational expertise that Andre and the rest of our partners brought to this campaign. We're building those learnings back into the program so that all future campaign leaders can leverage that experience. We have several campaigns already in progress, so look for more information about them in the upcoming months.

If you are one of our VIA members, or want to join us to lead the fight against malware like Novetta, have a look at the CME program page or reach out to us at cme-invite@microsoft.com.

Holly Stewart
MMPC
