Wednesday, August 27, 2014

WindowSecurity.com - Monthly Newsletter - August 2014

Hi Security World,

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, Enterprise Security MVP), Technical Services Director for Celestix Networks <http://www.celestix.com/>. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com


Editor's Corner
---------------------------------------------------

The patching of Windows systems, or any software or firmware for that matter, is vital to providing the highest
levels of security and protection. Microsoft has built what is arguably the best, most mature, and best
understood automated update system there is today - Windows Update. By configuring a Windows system (client or
server) to automatically check for and install updates when they are available, our systems are much less
vulnerable to attack than they are without it. In fact, many systems would not be patched at all, ever, if
Windows Update didn't exist. On the consumer side, I regularly encourage my friends and family to opt in to this
service. For small and mid-sized businesses I recommend configuring and deploying Windows Server Update
Services (WSUS), a patch management solution included as a server role in Windows Server 2012 R2 at no extra
cost. WSUS can be configured to selectively approve and distribute Microsoft updates, and it provides valuable
reporting tools to evaluate the effectiveness and coverage of our update distribution. You can even manage
system updates using Microsoft's cloud-based PC and mobile device management platform, Windows Intune. What
happens when this process causes more problems than it solves? This month we'll consider just that scenario.

--Rich

Windows Update

In an ideal world, everyone would automatically deploy all of Microsoft's updates immediately upon release,
which is the second Tuesday of every month. Remember that when Microsoft makes a public announcement of a
security vulnerability in any one of their platforms or applications, the bad guys get this information at the
same time. They will review the list of vulnerabilities, download the updates, and immediately begin to reverse
engineer them, diffing the patched binaries against the unpatched ones to locate the changed code and work out
how to exploit the flaw it fixes. Microsoft has stated that they've seen an exploit created using this process
in as little as four hours after public availability of an update. Clearly it's a good idea to patch quickly
and completely. But what happens when an update causes instability? Perhaps it breaks some important
functionality, or even worse, causes the system to fail completely. It doesn't happen often, but disturbingly,
scenarios like this have become more common in the last few years.

This month, Microsoft released a number of updates (details later in this newsletter) addressing several
important vulnerabilities. However, it appears that a few of them are causing serious issues for many users.
In fact, Microsoft has gone so far as to pull one of the updates, MS14-045, which is reportedly generating stop
errors (blue screens of death) on Windows 7 PCs running the 64-bit version of the operating system. Microsoft
also recommends removing the patch if it was previously installed. The removal process isn’t trivial, and
involves deleting a file and editing the registry. Obviously this is a bad situation, as you don’t want
consumers having to make changes like this. Also, for mid-sized and large organizations, removing an update in
this manner doesn’t scale well at all, making removal across many thousands of machines extremely tedious.
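To see what the removal problem looks like in practice, here is an added example in PowerShell; it is not from the newsletter or from Microsoft. It inventories a list of machines for KB2982791 and, when run on an affected machine itself, uninstalls the update unattended. The computer names are constructed placeholders, and the script covers only the uninstall step, not the file and registry cleanup that Microsoft's guidance also describes.

```powershell
# Added example, not from the newsletter. Inventory and local removal of the
# withdrawn MS14-045 update (KB2982791). Machine names below are constructed.
$KbNumber = '2982791'

function Get-KbInventory {
    param([string[]]$ComputerName, [string]$KbNumber)
    foreach ($c in $ComputerName) {
        # Get-HotFix queries Win32_QuickFixEngineering over DCOM/WMI, which works
        # against Windows 7 clients without WinRM, given admin rights on the target.
        $hf = Get-HotFix -Id "KB$KbNumber" -ComputerName $c -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer    = $c
            Installed   = [bool]$hf
            InstalledOn = $(if ($hf) { $hf.InstalledOn })
        }
    }
}

function Remove-KbLocally {
    param([string]$KbNumber)
    if (-not (Get-HotFix -Id "KB$KbNumber" -ErrorAction SilentlyContinue)) { return 'not installed' }
    # wusa.exe removes an MSU-packaged update unattended. The Windows Update Agent
    # does not support installing or removing updates from a remote session, so run
    # this on the machine itself (startup script, management agent, PsExec).
    $p = Start-Process -FilePath wusa.exe -ArgumentList "/uninstall /kb:$KbNumber /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { 'removed' }
        3010    { 'removed, reboot required' }
        default { "wusa exit code $($p.ExitCode)" }   # other values are Windows Update Agent HRESULTs
    }
}

# Inventory run from an admin workstation: which machines still carry the update?
$machines = 'WS-0101', 'WS-0102', 'WS-0103'   # constructed names
Get-KbInventory -ComputerName $machines -KbNumber $KbNumber |
    Where-Object Installed | Format-Table -AutoSize
```

The inventory half scales to thousands of machines because it is read-only and needs no agent; the removal half is what does not scale, because it must execute locally on each affected box and still leaves the manual cleanup steps to be done.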

Statistically speaking, the vast majority of software updates that Microsoft releases work without issue. This
is an amazing feat if you consider the ecosystem that they have to support and the number of supported
deployment scenarios they have to consider. However, it seems that in recent months (and this month in
particular) the stability of updates being produced by Microsoft has fallen off. I don’t have any hard data to
back this up, but I’m sure you’ll agree that the frequency with which issues are being reported with updates is
increasing. This is disturbing because many individuals and organizations, perhaps rightfully so, will now
consider delaying installing updates until they’ve been proven to be stable. This will have a tremendously
negative impact on our ability to protect our systems from attack and exploitation and will definitely give
attackers a longer window in which to build attack tools to take advantage of these vulnerabilities.

In light of all this, I’d still encourage you to deploy critical updates, especially those that are remotely
exploitable, as soon as possible. Given the recent trends, testing and evaluation of updates should be performed
with more scrutiny than ever. In addition, it might be a good idea to roll these updates out to limited groups
of systems (those that are most vulnerable) and monitor the status of these systems closely for a period of
time. If there are no reports of instability or issues caused by the update, proceed with the rest of your
deployment as normal.
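A staged rollout of this kind can be scripted against WSUS. The following is an added example in PowerShell, not code from the newsletter or from Microsoft. It assumes it runs on a Windows Server 2012 R2 WSUS server with the UpdateServices module, that two computer groups named 'Pilot' and 'Production' already exist, and that the WSUS object model members it touches (GetUpdateApprovals, ComputerTargetGroupId, CreationDate, KnowledgebaseArticles) behave as described in the comments; verify against your own server before relying on it.

```powershell
# Added example, not from the newsletter. Ring-based approval of security updates
# through WSUS. Assumes: local WSUS server, UpdateServices module, and computer
# groups 'Pilot' and 'Production' created in the console beforehand.
Import-Module UpdateServices
$wsus     = Get-WsusServer
$pilot    = $wsus.GetComputerTargetGroups() | Where-Object Name -eq 'Pilot'
$bakeDays = 7   # how long the pilot ring must run an update before it goes wide

# Ring 1: every security update that is not yet approved goes to Pilot first.
foreach ($u in Get-WsusUpdate -Classification Security -Approval Unapproved -Status Any) {
    Approve-WsusUpdate -Update $u -Action Install -TargetGroupName 'Pilot'
}

# Ring 2: promote only updates that Pilot has had for at least $bakeDays days and
# that no machine reports as failed. Re-approving an already approved update is a no-op,
# so this block is safe to run on a schedule.
$failedIds = (Get-WsusUpdate -Classification Security -Approval Approved -Status Failed).UpdateId
$cutoff    = (Get-Date).AddDays(-$bakeDays)
foreach ($u in Get-WsusUpdate -Classification Security -Approval Approved -Status Any) {
    if ($failedIds -contains $u.UpdateId) { continue }
    # Each approval records which group it targets and when it was created.
    $pilotApproval = $u.Update.GetUpdateApprovals() |
        Where-Object { $_.ComputerTargetGroupId -eq $pilot.Id -and $_.Action -eq 'Install' }
    if ($pilotApproval -and $pilotApproval.CreationDate -lt $cutoff) {
        Approve-WsusUpdate -Update $u -Action Install -TargetGroupName 'Production'
    }
}

# Pulling a bad update from every ring (here MS14-045 / KB2982791): decline it.
# Declining stops further installs; it does not remove it from machines that have it.
Get-WsusUpdate -Classification Security -Approval AnyExceptDeclined -Status Any |
    Where-Object { @($_.Update.KnowledgebaseArticles) -contains '2982791' } |
    Deny-WsusUpdate
```

The bake period and the failed-install check are the two controls that turn "wait and see" into something measurable: an update reaches Production only after a defined interval on a defined population with zero reported failures, and the decline step gives you one place to stop a bad update for everyone who has not yet received it.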


Practical IPv6 for Windows Administrators
----------------------------------------------------------

With the rapid depletion of the global IPv4 address pool, the adoption of IPv6 is growing significantly. The total exhaustion of public IPv4 addresses is inevitable, making IPv6 knowledge an important and essential skill that network engineers and systems administrators will need to have to be successful. While there are some excellent IPv6 references available today, until now there has been a lack of practical, real-world implementation guidance for IPv6. Until now! Practical IPv6 for Windows Administrators <http://www.amazon.com/Practical-Windows-Administrators-Edward-Horley/dp/1430263709/> provides detailed information necessary for network engineers and systems administrators planning to deploy IPv6 on their corporate networks. It covers important topics such as IPv6 address assignment and name resolution, along with specific IPv6 integration information for Microsoft services such as Exchange, SQL, SharePoint, Hyper-V, and more.

IPv4 is a dead man walking. IPv6 is the way of the future; in fact, it is here now! Order your copy of Practical IPv6 for Windows Administrators <http://www.amazon.com/Practical-Windows-Administrators-Edward-Horley/dp/1430263709/> today.


Microsoft Security Bulletins for August 2014
----------------------------------------------------------

For the month of August, Microsoft released 9 security bulletins addressing 41 vulnerabilities. 2 bulletins
are rated as critical, and 7 are rated as important. Affected software includes Windows, Internet Explorer,
Office, SQL Server, SharePoint, and .NET Framework. For more information about August's security bulletins click
here <https://technet.microsoft.com/library/security/ms14-aug>. Microsoft also released security advisory 2755801
<https://technet.microsoft.com/en-US/library/security/2755801>, which covers an update for vulnerabilities
in Adobe Flash Player in Internet Explorer. As mentioned at the beginning of this newsletter, there have been
numerous reports of problems with several of the updates released this month. Most importantly, Microsoft
has withdrawn MS14-045 <http://support.microsoft.com/kb/2982791> due to reports of it causing stop errors (blue
screens) on Windows 7 64-bit systems. If you've previously installed this update, Microsoft recommends
removing it. Removal instructions are included in the linked knowledge base article.

Security Articles of Interest
----------------------------------------------------------

1. This month Microsoft announced that the Enhanced Mitigation Experience Toolkit (EMET) v5.0 is now
generally available. EMET applies exploit mitigations such as DEP, ASLR, and export address table filtering to
applications that were not built with them, and 5.0 adds Attack Surface Reduction (blocking plug-ins such as
Java or Flash from loading into selected processes) and EAF+. It raises the cost of exploiting both known and
not-yet-patched vulnerabilities rather than fixing them, so it complements patching instead of replacing it. If
you're not already using it, be sure to download it now and begin your evaluation. There are few tools available
that can improve the overall security posture of your organization as much as EMET can for the effort involved.

http://blogs.technet.com/b/security/archive/2014/07/31/now-available-enhanced-mitigation-experience-toolkit-emet-5-0.aspx

2. Microsoft goes a long way to protect the privacy of users of its public cloud applications,
platforms, and services. It is not uncommon for Microsoft to go to court to contest what it believes are
unwarranted requests for its users' personal information and data. In a recent case, Microsoft is
challenging U.S. federal prosecutors who are demanding access to a user's email stored in a
datacenter outside of the U.S. (in this case, Ireland). Microsoft has argued that since the data does not
physically reside in the U.S., a U.S. warrant cannot reach it. A federal district judge recently rejected that
argument and ordered Microsoft to turn the data over, and Microsoft is appealing further. This case has
important implications for U.S.-based public cloud service providers. If they fail, it will be extremely
difficult to sell public cloud services outside of the U.S.

http://bits.blogs.nytimes.com/2014/07/31/judge-rules-that-microsoft-must-turn-over-data-stored-in-ireland/

3. The Sender Policy Framework (SPF) is a mechanism that can be used to detect email spoofing. A domain
publishes a TXT record in public DNS listing the hosts and networks authorized to send mail on its behalf, and
ends the record with a policy for everything else: "-all" (hard fail: reject), "~all" (soft fail: accept but
mark), or "?all" (neutral). A receiving mail system looks up the record for the envelope sender's domain and
checks whether the connecting IP address is authorized; if it is not, it applies the published policy, either
as input to its anti-spam scoring or by rejecting the message outright. As you can imagine, the Microsoft
organization sends email from many different authorized hosts. Enumerating them completely enough to move
microsoft.com from a soft fail to a hard fail took considerable effort, but it was recently accomplished.

http://blogs.msdn.com/b/tzink/archive/2014/07/22/microsoft-com-now-publishes-an-spf-hard-fail-in-its-spf-record.aspx
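As an added example, not from the newsletter or from Microsoft, the following PowerShell function evaluates an SPF record the way a receiving mail server does, against a constructed set of DNS TXT records rather than live DNS, so it runs offline. Domain names and addresses are constructed; only the ip4, include, and all mechanisms are implemented, and the include handling shows why a hard fail on the parent record is what actually rejects mail.

```powershell
# Added example, not from the newsletter. A minimal SPF evaluator: ip4, include
# and all mechanisms only. $TxtRecords stands in for DNS so the code runs offline.

function ConvertTo-IPv4Number {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # big-endian octets
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }                                   # bare address means /32
    $mask = (4294967295L -shl (32 - [int]$bits)) -band 4294967295L
    return ((ConvertTo-IPv4Number $Ip) -band $mask) -eq ((ConvertTo-IPv4Number $net) -band $mask)
}

function Test-SpfRecord {
    param(
        [string]$Domain,
        [string]$SenderIp,
        [hashtable]$TxtRecords,   # domain -> SPF TXT record (constructed, replaces DNS)
        [ref]$LookupCount         # shared counter for the RFC 7208 limit of 10 lookups
    )
    $record = $TxtRecords[$Domain]
    if (-not $record -or $record -notmatch '^v=spf1(\s|$)') { return 'none' }

    foreach ($term in ($record -split '\s+' | Select-Object -Skip 1)) {   # skip "v=spf1"
        $qualifier = '+'
        if ($term -match '^[+\-~?]') { $qualifier = $term.Substring(0, 1); $term = $term.Substring(1) }
        $verdict = switch ($qualifier) { '+' { 'pass' } '-' { 'fail' } '~' { 'softfail' } '?' { 'neutral' } }

        if ($term -eq 'all') { return $verdict }
        if ($term -like 'ip4:*') {
            if (Test-IPv4InCidr -Ip $SenderIp -Cidr $term.Substring(4)) { return $verdict }
            continue
        }
        if ($term -like 'include:*') {
            $LookupCount.Value++
            if ($LookupCount.Value -gt 10) { return 'permerror' }
            $sub = Test-SpfRecord -Domain $term.Substring(8) -SenderIp $SenderIp -TxtRecords $TxtRecords -LookupCount $LookupCount
            if ($sub -eq 'pass') { return $verdict }            # an include matches only on pass
            if ($sub -eq 'permerror') { return 'permerror' }
            continue                                              # fail/softfail inside an include is not a match
        }
        # a, mx, ptr, exists, ip6 and redirect= are not implemented in this example
    }
    return 'neutral'   # nothing matched and the record has no "all" term
}

# Constructed records: example.com delegates some mail to a third-party mailer
# and publishes a hard fail, as microsoft.com now does.
$dns = @{
    'example.com'         = 'v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all'
    '_spf.mailer.example' = 'v=spf1 ip4:198.51.100.10 ~all'
}
foreach ($ip in '192.0.2.25', '198.51.100.10', '203.0.113.7') {
    $lookups = 0
    $verdict = Test-SpfRecord -Domain 'example.com' -SenderIp $ip -TxtRecords $dns -LookupCount ([ref]$lookups)
    '{0,-15} {1,-9} ({2} DNS lookup(s))' -f $ip, $verdict, $lookups
}
```

The three sample senders exercise the three paths: the first is listed directly in the ip4 network, the second is authorized only through the included mailer's record, and the third matches nothing and falls through to the parent record's "-all". Note that the mailer's own "~all" never reaches the verdict; an include contributes a match only when it passes, so the policy that matters is the one the domain owner puts at the end of their own record.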

4. Independent antimalware testing always produces interesting results. Often, tests run by different
testing organizations produce drastically different rankings of the same products. Of course many security and
antimalware vendors use whichever test made their product look the best, and their competitors the worst, as
fodder for their marketing campaigns. As part of an effort to improve the accuracy and relevance of independent
antimalware testing, Microsoft is offering guidance for the evaluation and testing of antimalware technologies.
More details here:

http://blogs.technet.com/b/mmpc/archive/2014/08/01/the-future-of-independent-antimalware-tests.aspx

5. One of the updates released by Microsoft this month enables Internet Explorer to block out-of-date
ActiveX controls, starting with outdated versions of the Java plug-in. The feature is configurable through
Group Policy, including the option to log what would be blocked before turning on enforcement. This is great
news, as browser plug-ins have become a common target of malware authors, and Java has proven to be the
richest target.

http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx

6. Last month in this newsletter I wrote about the security of Azure, Microsoft’s public cloud platform.
Also, I mentioned that Microsoft was making changes to encryption policies to improve security and privacy for
users of Outlook.com and OneDrive.com. This month Microsoft made additional announcements about improving
security and privacy, this time focusing on encryption improvements for guest virtual machines.

http://blogs.technet.com/b/trustworthycomputing/archive/2014/08/07/strengthening-encryption-for-microsoft-azure-customers.aspx

7. CryptoLocker is a particularly troublesome piece of malware, actually ransomware, that encrypts data
on an infected machine and offers to sell you the decryption key for a price. For users infected by this
ransomware, the alternative is to pay the price or lose your data. Thankfully, security researchers at FireEye
and Fox-IT recently obtained the private keys used by this malware (which Microsoft detects as Crilock)
following the takedown of the botnet infrastructure behind it, and built a free site that recovers the right
key for a victim from an uploaded encrypted file. If you or someone you know has been affected and is unable
to recover their data (and they haven't already deleted it!) send them over to decryptcryptolocker.com to
recover their files.

http://blogs.technet.com/b/mmpc/archive/2014/08/12/fireeye-and-fox-it-tool-can-help-recover-crilock-encrypted-files.aspx

8. Multipath TCP is an emerging technology that promises to add resilience and efficiency to networking.
It is, however, not without some serious security concerns. Because a single connection can be split into
subflows that traverse different networks, a stateful firewall or IDS/IPS sitting on only one of those paths
sees only a fragment of the stream and can no longer reassemble or inspect it reliably.

http://threatpost.com/multipath-tcp-introduces-security-blind-spot/

9. What will security look like in 2025? Not surprisingly, it will be profoundly influenced by growth,
and the Internet-of-Things. With increasingly ubiquitous network connectivity and increased adoption in
emerging markets, there are some real challenges ahead in the coming years. The good news is that the future
doesn’t look all that bleak! With careful planning and consideration, and a deep understanding of the future
deployment scenarios, security can be addressed in an effective manner.

http://blogs.technet.com/b/security/archive/2014/08/20/what-will-cybersecurity-look-like-in-2025-part-2-microsoft-envisions-an-optimistic-future.aspx


10. Rogue antivirus software is particularly insidious, as it purports to be protecting a system while in fact,
it does just the opposite. Typically rogue antivirus software exists for the sole purpose of extracting money
from unsuspecting users who think they actually have a virus. The irony of course is that the fake antivirus
software is itself the virus! After being aggressively targeted by Microsoft and independent antimalware
solutions, rogue antivirus software is on the decline. It is, however, far from being completely eradicated.
In fact, existing forms of this malicious software are using clever techniques to trick their targets. More
details here:

http://blogs.technet.com/b/mmpc/archive/2014/08/19/the-fall-of-rogue-antivirus-software-brings-new-methods-to-light.aspx

11. Microsoft has announced the availability of the final release of their security baselines for Windows
8.1, Windows Server 2012 R2, and Internet Explorer 11. Systems administrators and security engineers will want
to download this guidance before deploying these platforms in a production environment.

http://blogs.technet.com/b/secguide/archive/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final.aspx



WindowSecurity.com Articles of Interest
--------------------------------------------------------

Verifying Active Directory Delegation is Accurate
http://www.windowsecurity.com/articles-tutorials/windows_os_security/verifying-active-directory-delegation-accurate.html

Managing AppLocker in Windows Server 2012 and Windows 8/8.1 - Part 4
http://www.windowsecurity.com/articles-tutorials/Windows_Server_2012_Security/managing-applocker-windows-server-2012-and-windows-8-81-part4.html

Netwrix Auditor - Voted WindowSecurity.com Readers' Choice Award Winner - Group Policy Management
http://www.windowsecurity.com/news/WindowSecurity-Readers-Choice-Award-Group-Policy-Management-Netwrix-Auditor-Jun14.html

Video: Generating Active Directory Group Members Recursively
http://www.windowsecurity.com/articles-tutorials/misc_network_security/video-generating-active-directory-group-members-recursively.html

Planning Considerations for BYOD and Consumerization of IT - Part 1
http://www.windowsecurity.com/articles-tutorials/Mobile_Device_Security/planning-considerations-byod-and-consumerization-it-part1.html

Pass-the-Hash: Protect Your Windows Computers! - Part 3
http://www.windowsecurity.com/articles-tutorials/viruses_trojans_malware/pass-hash-protect-your-windows-computers-part3.html


Windows Security Tip of the Month
--------------------------------------------------------

So you've just finished development of an in-house line of business application. Is it secure?
Do you know if it was built according to security best practices? Well, the BinScope Binary Analyzer from
Microsoft can shed some light on that for you! BinScope is a verification tool that analyzes compiled binaries
to check that they were built according to Microsoft's Security Development Lifecycle (SDL) guidance, for
example that the compiler and linker protections the SDL requires (such as /GS stack cookies, /SAFESEH,
/NXCOMPAT, and /DYNAMICBASE) are actually present in the output. The tool can be installed and integrated with
Visual Studio and used to perform assessments at the project level. Use of this tool provides detailed
visibility into the build output and a level of assurance that your code is SDL compliant. You can download
the BinScope Analyzer here <http://www.microsoft.com/en-us/download/details.aspx?id=11910>
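BinScope's report is the authoritative check, but the most basic things it looks for, whether a binary opted in to ASLR and DEP, are single bits in the PE optional header. As an added example, not BinScope's code and not from the newsletter, this PowerShell function reads those bits directly, which is useful for spot-checking a vendor binary on a server that has no Visual Studio. Protections that need deeper analysis, such as /GS cookies and SafeSEH handler tables, are outside what it can see.

```powershell
# Added example, not from the newsletter or BinScope. Reads DllCharacteristics from
# a PE file's optional header and reports the mitigations the linker opted into.
function Get-PeMitigations {
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) {   # "MZ"
        throw "$Path is not a PE file (missing MZ header)"
    }
    $peOffset = [BitConverter]::ToUInt32($b, 0x3C)                     # e_lfanew
    if ([BitConverter]::ToUInt32($b, $peOffset) -ne 0x00004550) {      # "PE\0\0"
        throw "$Path is not a PE file (missing PE signature)"
    }
    $optHeader = $peOffset + 4 + 20                                    # skip signature and COFF header
    $magic     = [BitConverter]::ToUInt16($b, $optHeader)              # 0x10B = PE32, 0x20B = PE32+
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional headers.
    $dllChars  = [BitConverter]::ToUInt16($b, $optHeader + 70)

    [pscustomobject]@{
        File           = Split-Path -Path $Path -Leaf
        Is64Bit        = ($magic -eq 0x20B)
        ASLR           = [bool]($dllChars -band 0x0040)   # DYNAMIC_BASE   (/DYNAMICBASE)
        HighEntropyVA  = [bool]($dllChars -band 0x0020)   # HIGH_ENTROPY_VA, 64-bit ASLR with full entropy
        DEP            = [bool]($dllChars -band 0x0100)   # NX_COMPAT      (/NXCOMPAT)
        ForceIntegrity = [bool]($dllChars -band 0x0080)   # FORCE_INTEGRITY, signature enforced at load
        NoSEH          = [bool]($dllChars -band 0x0400)   # NO_SEH, image declares no exception handlers
    }
}

# Spot-check a few system DLLs; on a supported Windows build expect ASLR and DEP to be true.
Get-ChildItem -Path "$env:SystemRoot\System32\*.dll" | Select-Object -First 5 |
    ForEach-Object { Get-PeMitigations -Path $_.FullName } | Format-Table -AutoSize
```

Point it at your own line-of-business executable and its DLLs: a false in the ASLR or DEP column means the module was linked without /DYNAMICBASE or /NXCOMPAT, which is exactly the kind of finding BinScope would raise, and a single non-ASLR module in a process is enough to give an exploit a fixed address to work from.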


WindowSecurity.com Sections
-----------------------------------------------------------------
- Articles & Tutorials (http://www.windowsecurity.com/articles-tutorials/)
- Products (http://www.windowsecurity.com/software/)
- Reviews (http://www.windowsecurity.com/articles-tutorials/Product_Reviews/)
- Free Tools (http://www.windowsecurity.com/software/Free-Tools/)
- Blogs (http://www.windowsecurity.com/blogs/)
- Forums (http://forums.windowsecurity.com/)
- White Papers (http://www.windowsecurity.com/white-papers/)
- Contact Us (http://www.windowsecurity.com/pages/contact-us.html)



Techgenix Sites
-----------------------------------------------------------------
- MSExchange.org (http://www.msexchange.org/)
- WindowsNetworking.com (http://www.windowsnetworking.com/)
- VirtualizationAdmin.com (http://www.virtualizationadmin.com/)
- ISAserver.org (http://www.isaserver.org/)
- CloudComputingAdmin.com (http://www.cloudcomputingadmin.com/)
- WServerNews.com (http://www.wservernews.com/)


--
WindowSecurity.com
is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@WindowSecurity.com
TechGenix Ltd. Mriehel Bypass, Mriehel BKR 3000, Malta
Copyright WindowSecurity.com 2014. All rights reserved.
