Archive for December, 2015

2755801 – Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge – Version: 52.0

Revision Note: V52.0 (December 29, 2015): Added the 3132372 update to the Current Update section.
Summary: Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer on all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10; the update is also available for Adobe Flash Player in Microsoft Edge on all supported editions of Windows 10. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

Categories: Uncategorized Tags:

MS15-DEC – Microsoft Security Bulletin Summary for December 2015 – Version: 1.3

Revision Note: V1.3 (December 23, 2015): Bulletin Summary revised to add a Known Issues reference to the Executive Summaries table for MS15-128. The issue involves missing video in Skype 2015 for Business meeting recordings after installation of the 3114351 update for Lync 2013. See Microsoft Knowledge Base Article 3114351 for more information.
Summary: This bulletin summary lists security bulletins released for December 2015.

Categories: Uncategorized Tags:

MS15-082 – Important: Vulnerabilities in RDP Could Allow Remote Code Execution (3080348) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (December 23, 2015): Bulletin revised to correct the Updates Replaced for the Server Core installation option on Windows Server 2008 and Windows Server 2008 R2. This is an informational change only. Customers who have successfully installed the updates do not need to take any further action.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted sequence of packets to a targeted system with Remote Desktop Protocol (RDP) enabled. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

Categories: Uncategorized Tags:

Keeping browsing experience in users’ hands

December 21st, 2015 No comments

In April last year we announced some changes to our criteria around Adware designed to ensure that users maintain control of their experience. These changes are described in our blog, Adware: a New Approach. Since then, we’ve taken policy and enforcement measures to address unwanted behaviors exhibited by advertising programs that take choice and control away from users.

Ad injection software has evolved, and is now using a variety of ‘man-in-the-middle’ (MiTM) techniques. Some of these techniques include injection by proxy, changing DNS settings, network layer manipulation and other methods. All of these techniques intercept communications between the Internet and the PC to inject advertisements and promotions into webpages from outside, without the control of the browser. Our intent is to keep the user in control of their browsing experience and these methods reduce that control.

There are many additional concerns with these techniques, some of these include:

  • MiTM techniques add security risk to customers by introducing another vector of attack to the system.
  • Most modern browsers have controls in them to notify the user when their browsing experience is going to change and confirm that this is what the user intends. However, many of these methods do not produce these warnings and reduce the choice and control of the user.
  • Many of these methods also alter advanced settings and controls that the majority of users will not be able to discover, change, or control.

To address these concerns and to keep the intent of our policy, we’re updating our Adware objective criteria to require that programs that create advertisements in browsers must only use the browsers’ supported extensibility model for installation, execution, disabling, and removal.

The choice and control belong to the users, and we are determined to protect that.

We encourage developers in the ecosystem to comply with the new criteria; we are providing an ample notification period so that they can bring their programs into compliance. Programs that fail to comply will be detected and removed.

Enforcement starts on March 31, 2016.

Barak Shein and Michael Johnson

MMPC

Categories: Uncategorized Tags:

MS15-131 – Critical: Security Update for Microsoft Office to Address Remote Code Execution (3116111) – Version: 2.1

Severity Rating: Critical
Revision Note: V2.1 (December 18, 2015): Bulletin revised to correct the Updates Replaced for 3101532 and 3114342, and to add a workaround for CVE-2015-6172. This is an informational change only. Customers who have successfully installed the updates do not need to take any further action.
Summary: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Categories: Uncategorized Tags:

Microsoft updates Trusted Root Certificate Program to reinforce trust in the Internet

December 17th, 2015 No comments

At Microsoft, we are continuously working to deliver on our commitment to the security of our customers and their ecosystems. A core component of our strategy to inform Windows users about the safety of the websites, apps and software they’re accessing online is built into the Microsoft Trusted Root Certificate Program. This program takes root certificates supplied by authorized Certificate Authorities (CAs) around the world and ships them to your device to tell it which programs, apps and websites are trusted by Microsoft.

Our efforts to provide a seamless and secure experience usually take place in the background, but today, we want to tell you about some changes we have made to this program. These crucial modifications will help us better guard against evolving threats affecting websites and the apps ecosystem, but they may impact a small set of customers who have certificates from affected partners.

This past spring, we began engaging with Certificate Authorities (CA) to solicit feedback and talk about upcoming changes to our Trusted Root Certificate Program. Among other things, the changes included more stringent technical and auditing requirements. The final program changes were published in June 2015. Since then, we have been working, directly and through community forums, to help our partners understand and comply with the new program requirements.

Through this effort, we identified a few partners who will no longer participate in the program, either because they have chosen to leave voluntarily or because they will not be in compliance with the new requirements. We’ve published a complete list of Certificate Authorities below that are out of compliance or voluntarily chose to leave the program and will have their roots removed from the Trusted Root CA Store in January 2016. We encourage all owners of digital certificates currently trusted by Microsoft to review the list and take action as necessary.

The certificate-dependent services you manage will be impacted if the certificates you use chain up to a root certificate Microsoft removes from the store. Though the actual screens and text vary depending on which browser a customer is using, here’s what will usually happen:

  • If you use one of these certificates to secure connections to your server over https, when a customer attempts to navigate to your site, that customer will see a message that there is a problem with the security certificate.
  • If you use one of these certificates to sign software, when a customer attempts to install that software on a Windows operating system, Windows will display a warning that the publisher may not be trusted. In either case, the customer may choose to continue.

We strongly encourage all owners of digital certificates currently trusted by Microsoft to review the below list and investigate whether their certificates are associated with any of the roots we will be removing as part of the update. If you use a certificate that was issued by one of these companies, we strongly recommend that you obtain a replacement certificate from another program provider. The list of all providers is located at http://aka.ms/trustcertpartners.

With Windows 10 we will continue to work hard to provide you with safer experiences you expect from Windows, keeping you in control and helping you do great things.

Certificate Authorities to be removed in January 2016

CA                 Root Name                                               SHA1 Thumbprint
Certigna           Certigna                                                B12E13634586A46F1AB2606837582DC4ACFD9497
Ceska Posta        PostSignum Root QCA 2                                   A0F8DB3F0BF417693B282EB74A6AD86DF9D448A3
CyberTrust         Japan Certification Services, Inc. SecureSign RootCA1   CABB51672400588E6419F1D40878D0403AA20264
CyberTrust         Japan Certification Services, Inc. SecureSign RootCA2   00EA522C8A9C06AA3ECCE0B4FA6CDC21D92E8099
CyberTrust         Japan Certification Services, Inc. SecureSign RootCA3   8EB03FC3CF7BB292866268B751223DB5103405CB
DanID              DanID                                                   8781C25A96BDC2FB4C65064FF9390B26048A0E01
E-Certchile        E-Certchile Root CA                                     C18211328A92B3B23809B9B5E2740A07FB12EB5E
e-Tugra            EBG Elektronik Sertifika Hizmet Saglayicisi             8C96BAEBDD2B070748EE303266A0F3986E7CAE58
e-Tugra            E-Tugra Certification Authority                         51C6E70849066EF392D45CA00D6DA3628FC35239
LuxTrust           LuxTrust Global Root CA                                 C93C34EA90D9130C0F03004B98BD8B3570915611
Nova Ljubljanska   NLB Nova Ljubljanska Banka d.d. Ljubljana               0456F23D1E9C43AECB0D807F1C0647551A05F456
Post.Trust         Post.Trust Root CA                                      C4674DDC6CE2967FF9C92E072EF8E8A7FBD6A131
Secom              SECOM Trust Systems Co Ltd.                             36B12B49F9819ED74C9EBC380FC6568F5DACB2F7
Secom              SECOM Trust Systems CO LTD                              5F3B8CF2F810B37D78B4CEEC1919C37334B9C774
Secom              SECOM Trust Systems CO LTD                              FEB8C432DCF9769ACEAE3DD8908FFD288665647D
Serasa             Serasa Certificate Authority I                          A7F8390BA57705096FD36941D42E7198C6D4D9D5
Serasa             Serasa Certificate Authority II                         31E2C52CE1089BEFFDDADB26DD7C782EBC4037BD
Serasa             Serasa Certificate Authority III                        9ED18028FB1E8A9701480A7890A59ACD73DFF871
Wells Fargo        WellsSecure Public Certificate Authority                E7B4F69D61EC9069DB7E90A7401A3CF47D4FE8EE
Wells Fargo        WellsSecure Public Root Certification Authority 01 G2   B42C86C957FD39200C45BBE376C08CD0F4D586DB

How to determine your digital certificates

If you are unsure of how to determine the root of your digital certificates, I have included some guidance, by browser, below. For more information on the program itself, visit http://aka.ms/rootcert.

Microsoft Edge

  1. Navigate to a web page that uses your certificate.
  2. Click the Lock icon (in the web address field); the company under “Website Identification” is the company that owns the root.

Internet Explorer

  1. Navigate to a web page that uses your certificate.
  2. Click the Lock icon (in the web address field).
  3. Click View Certificates, then Certification Path.
  4. View the certificate name at the top of the Certificate Path.

Chrome

  1. Navigate to a web page that uses your certificate.
  2. Click the Lock icon (in the web address field).
  3. Click Connection, then Certificate Information.
  4. Click Certification Path.
  5. View the certificate name at the top of the Certificate Path.

Firefox

  1. Navigate to a web page that uses your certificate.
  2. Click the Lock icon (in the web address field), then click the arrow on the right.
  3. Click More Information, then View Certificate.
  4. Click Details.
  5. View the certificate name at the top of the Certificate Path.
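The browser steps above identify the root one page at a time. For an inventory of many certificates, the same check can be scripted: the “thumbprint” shown in the Windows certificate viewer is the SHA1 hash of the certificate’s DER encoding, so recomputing it from an exported chain and comparing it against the removal list published above gives the same answer. The script below is an added example; it is not part of the original post and not a Microsoft tool. The PEM block it ships with is constructed sample bytes in certificate framing, not a real certificate, and only exists so the script runs offline; a real chain export (leaf, intermediates and root in one PEM file) is what you would pass in.

```python
"""Flag certificates whose SHA1 thumbprint matches a root removed in January 2016.

Added example, not part of the original post or of Microsoft's tooling.
The "Thumbprint" in the Windows certificate viewer is SHA1 over the
certificate's DER encoding, so recomputing it from a PEM export and
comparing against the published list answers "does my chain include one
of these roots?" without clicking through a browser UI.
"""
from __future__ import annotations

import base64
import hashlib
import re

# Thumbprints and names copied from the removal list in the post above.
REMOVED_ROOTS = {
    "B12E13634586A46F1AB2606837582DC4ACFD9497": ("Certigna", "Certigna"),
    "A0F8DB3F0BF417693B282EB74A6AD86DF9D448A3": ("Ceska Posta", "PostSignum Root QCA 2"),
    "CABB51672400588E6419F1D40878D0403AA20264": ("CyberTrust", "Japan Certification Services, Inc. SecureSign RootCA1"),
    "00EA522C8A9C06AA3ECCE0B4FA6CDC21D92E8099": ("CyberTrust", "Japan Certification Services, Inc. SecureSign RootCA2"),
    "8EB03FC3CF7BB292866268B751223DB5103405CB": ("CyberTrust", "Japan Certification Services, Inc. SecureSign RootCA3"),
    "8781C25A96BDC2FB4C65064FF9390B26048A0E01": ("DanID", "DanID"),
    "C18211328A92B3B23809B9B5E2740A07FB12EB5E": ("E-Certchile", "E-Certchile Root CA"),
    "8C96BAEBDD2B070748EE303266A0F3986E7CAE58": ("e-Tugra", "EBG Elektronik Sertifika Hizmet Saglayicisi"),
    "51C6E70849066EF392D45CA00D6DA3628FC35239": ("e-Tugra", "E-Tugra Certification Authority"),
    "C93C34EA90D9130C0F03004B98BD8B3570915611": ("LuxTrust", "LuxTrust Global Root CA"),
    "0456F23D1E9C43AECB0D807F1C0647551A05F456": ("Nova Ljubljanska", "NLB Nova Ljubljanska Banka d.d. Ljubljana"),
    "C4674DDC6CE2967FF9C92E072EF8E8A7FBD6A131": ("Post.Trust", "Post.Trust Root CA"),
    "36B12B49F9819ED74C9EBC380FC6568F5DACB2F7": ("Secom", "SECOM Trust Systems Co Ltd."),
    "5F3B8CF2F810B37D78B4CEEC1919C37334B9C774": ("Secom", "SECOM Trust Systems CO LTD"),
    "FEB8C432DCF9769ACEAE3DD8908FFD288665647D": ("Secom", "SECOM Trust Systems CO LTD"),
    "A7F8390BA57705096FD36941D42E7198C6D4D9D5": ("Serasa", "Serasa Certificate Authority I"),
    "31E2C52CE1089BEFFDDADB26DD7C782EBC4037BD": ("Serasa", "Serasa Certificate Authority II"),
    "9ED18028FB1E8A9701480A7890A59ACD73DFF871": ("Serasa", "Serasa Certificate Authority III"),
    "E7B4F69D61EC9069DB7E90A7401A3CF47D4FE8EE": ("Wells Fargo", "WellsSecure Public Certificate Authority"),
    "B42C86C957FD39200C45BBE376C08CD0F4D586DB": ("Wells Fargo", "WellsSecure Public Root Certification Authority 01 G2"),
}

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def normalize_thumbprint(value: str) -> str:
    """Accept the forms viewers print ('b1:2e:..', 'b1 2e ..', bare hex) and
    return upper-case hex so a comparison never fails on formatting alone."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def der_blocks_from_pem(pem_text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle
    (a chain export usually holds leaf, intermediates and root in one file)."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in _PEM_CERT.finditer(pem_text)]


def sha1_thumbprint(der: bytes) -> str:
    """Windows-style thumbprint: SHA1 of the DER encoding as upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()


def find_removed_roots(thumbprints) -> list[tuple[str, str, str]]:
    """Return (CA, root name, thumbprint) for every thumbprint on the removal list."""
    hits = []
    for value in thumbprints:
        key = normalize_thumbprint(value)
        if key in REMOVED_ROOTS:
            ca, root_name = REMOVED_ROOTS[key]
            hits.append((ca, root_name, key))
    return hits


def check_pem_bundle(pem_text: str) -> list[tuple[str, str, str]]:
    """Hash every certificate in the bundle and report any that is a removed root."""
    return find_removed_roots(sha1_thumbprint(der) for der in der_blocks_from_pem(pem_text))


# Constructed sample: PEM framing around arbitrary base64 bytes, NOT a real
# certificate. It only exercises parsing and hashing; in practice read the
# chain exported from your server instead.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for ca, root_name, thumb in check_pem_bundle(SAMPLE_BUNDLE):
        print(f"REMOVED ROOT: {ca} / {root_name} ({thumb})")
    # A thumbprint pasted straight from a certificate viewer can be checked directly.
    print(find_removed_roots(["b1 2e 13 63 45 86 a4 6f 1a b2 60 68 37 58 2d c4 ac fd 94 97"]))
```

Thumbprints are normalised before lookup because the Windows viewer prints them as space-separated lower-case pairs while other tools use colons; a byte-for-byte comparison would miss matches that are in fact present. On a Windows host the same comparison can be made against the machine’s own root store, since the objects returned by Get-ChildItem Cert:\LocalMachine\Root carry a Thumbprint property in the same format.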

Aaron Kornblum
Enterprise & Security Group Program Manager, Governance, Risk Management & Compliance

Categories: Uncategorized Tags:

MS15-NOV – Microsoft Security Bulletin Summary for November 2015 – Version: 2.2

Revision Note: V2.2 (December 17, 2015): Bulletin Summary revised to add a Known Issue to the Executive Summaries table for MS15-116 and MS15-123. After you install security update 3101496, “Lync” is displayed in the title bar of the Contacts list. This issue occurs if you have configured the Skype for Business user interface to display in the Lync 2013 (Skype for Business) client. Microsoft is researching this problem and will post more information in this article when the information becomes available.
Summary: This bulletin summary lists security bulletins released for November 2015.

Categories: Uncategorized Tags:

MS15-DEC – Microsoft Security Bulletin Summary for December 2015 – Version: 1.2

Revision Note: V1.2 (December 16, 2015): Bulletin Summary revised to add a Known Issue to the Executive Summaries table for 3104002. To resolve the issue, install hotfix 3125446. See Microsoft Knowledge Base Article 3104002 for more information.
Summary: This bulletin summary lists security bulletins released for December 2015.

Categories: Uncategorized Tags:

MS15-125 – Critical: Cumulative Security Update for Microsoft Edge (3116184) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (December 16, 2015): Revised the vulnerability description for CVE-2015-6161 to more accurately describe the ASLR Bypass. This is an informational change only. Customers who have already successfully installed security update 3116869 or 3116900 do not need to take any action.
Summary: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Categories: Uncategorized Tags:

MS15-124 – Critical: Cumulative Security Update for Internet Explorer (3116180) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (December 16, 2015): Bulletin revised to further clarify the steps users must take to be protected from the vulnerability described in CVE-2015-6161. This bulletin, MS15-124, provides protections for this issue, but user action is required to enable them; the cumulative update for Internet Explorer does not enable the protections by default. Before applying the protections, Microsoft recommends that customers perform testing appropriate to their environment and system configurations.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Categories: Uncategorized Tags:

Securing Privileged Access

December 15th, 2015 No comments

We’ve all probably heard the old axiom that a chain is only as strong as its weakest link. In the context of cybersecurity, in many IT environments the weakest link is the workstations that administrators with privileged accounts use to connect to critical infrastructure and applications. If these management workstations aren’t properly secured, high privilege user credentials can be stolen, and those stolen credentials will be used to compromise more infrastructure, applications and data.

One of the most common questions I get from security professionals who are trying to mitigate credential theft and reuse attacks is how to create a management workstation that secures privileged accounts?

I’d like to highlight some excellent new guidance that colleagues of mine in Microsoft’s new Enterprise Cybersecurity Group recently contributed to:

This new guidance was the result of a collaboration of folks from across Microsoft including contributions from the Enterprise Cybersecurity Group, our internal Microsoft IT security teams, the Microsoft Azure security team, as well as consultants in Microsoft Consulting Services and Premier Field Engineers that deliver these solutions every day, and many others across the company.

While they are pretty busy helping customers defend against cyberattacks, the authors are interested in hearing suggestions on how to improve this guidance. Please send feedback to CyberDocFeedback@microsoft.com.

Tim Rains
Chief Security Advisor
Enterprise Cybersecurity Group

Categories: cybersecurity Tags:

Further details and guidance regarding discontinuation of TMG Web Protection Services

December 15th, 2015 No comments

As discussed in the following blog, the Forefront Threat Management Gateway (TMG) Web Protection Services will be discontinued on December 31st, 2015:-

http://blogs.technet.com/b/applicationproxyblog/archive/2015/11/02/important-reminder-for-forefront-threat-management-gateway-tmg-web-protection-services-customers.aspx

We wanted to provide some additional details on what this will affect and recommendations on actions you should be taking.

The services that will be affected by this are:-

– URL Categorization
– Malware Inspection

Importantly, the Microsoft Reputation Services that supports URL Filtering will be turned off on or shortly after the 31st December 2015.

To avoid service-impacting issues due to these services no longer being available, or incorrect rule processing where rules rely on URL Categorization categories, we would strongly advise that customers review and amend their TMG configurations as follows:-

Review and amend any rules based on URL Categorization categories in your TMG policy

Any Allow and Deny rules that currently use URL Categories or URL Category Sets must be changed to remove the usage of URL filtering categories.

Using URL Sets or Domain Name Sets may provide limited replacement functionality; alternatively, consider a third-party URL filtering plug-in or an upstream proxy service to provide replacement URL filtering functionality.

Note – If you have rules that use URL filtering to allow traffic, HTTP traffic can be totally blocked after the service shutdown. Equally, if you use URL Filtering to block access to certain categories, then those categories may be allowed after the change. There is also a possibility that performance issues will be seen if URL Filtering is left enabled after the MRS service is taken offline.

Disable URL Filtering

After amending your TMG policy ensure you then disable URL Filtering. This can be done in the TMG Management Console in the Web Access Policy node by selecting URL Filtering and unchecking the “Enable URL Filtering” check-box. This is essential to avoid TMG trying to contact the MRS services after they go offline.

Malware Inspection may continue to work but would not receive updated signatures

We would recommend implementing an alternative Anti-Virus solution and to disable Malware Inspection once this is in place.

As noted in the previous blog, Forefront Threat Management Gateway 2010 remains under extended support until April 14, 2020.

For details on moving from TMG to our new web publishing solutions please visit this URL:

http://blogs.technet.com/b/applicationproxyblog/archive/2015/07/02/transitioning-to-application-proxy-from-uag-and-tmg.aspx

Some Frequently Asked Questions we’ve had regarding the change are:-

Q1. Is it possible to use the MRS Cache to continue to benefit from URL Filtering after 31st December 2015?

A1. No, the MRS cache is a temporary in-memory cache of the latest lookups intended to provide internal efficiency optimizations. It does not provide a full offline cache and cannot be used for this purpose. There is no mechanism to have an offline database.

Q2. Is it possible to extend our usage of Forefront Threat Management Gateway (TMG) Web Protection Services past 31st December 2015?

A2. No, this is not possible. These dates were announced in September 2012 in order to provide sufficient time for alternative solutions to be deployed.

For the original announcement of the Forefront product roadmap changes please refer to the following URL:

http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx

Categories: EMP, malware inspection, TMG, URL filtering, URLF Tags: