Anton RSS Feeds

It's called Squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Funny. Fake, but funny.

Edited to add (2/3): The rest of the story.

Reuters discovered the information:

The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October that followed new guidelines on reporting security breaches to investors. It was the most striking disclosure to emerge in a review by Reuters of more than 2,000 documents mentioning breach risks since the SEC guidance was published.

The company, unsurprisingly, is saying nothing.

VeriSign declined multiple interview requests, and senior employees said privately that they had not been given any more details than were in the filing. One said it was impossible to tell if the breach was the result of a concerted effort by a national power, though that was a possibility. "It's an ugly, slim sliver of facts. It's not enough," he said.

The problem for all of us, naturally, is if the certificate system was hacked, allowing the bad guys to forge certificates. (This has, of course, happened before.)

Are we finally ready to accept that the certificate system is completely broken?

Really good article on the huge incarceration rate in the U.S., its causes, its effects, and its value:

Over all, there are now more people under "correctional supervision" in America -- more than six million -- than were in the Gulag Archipelago under Stalin at its height. That city of the confined and the controlled, Lockuptown, is now the second largest in the United States.

The accelerating rate of incarceration over the past few decades is just as startling as the number of people jailed: in 1980, there were about two hundred and twenty people incarcerated for every hundred thousand Americans; by 2010, the number had more than tripled, to seven hundred and thirty-one. No other country even approaches that. In the past two decades, the money that states spend on prisons has risen at six times the rate of spending on higher education.

[...]

The trouble with the Bill of Rights, he argues, is that it emphasizes process and procedure rather than principles. The Declaration of the Rights of Man says, Be just! The Bill of Rights says, Be fair! Instead of announcing general principles­ -- no one should be accused of something that wasn't a crime when he did it; cruel punishments are always wrong; the goal of justice is, above all, that justice be done­ -- it talks procedurally. You can't search someone without a reason; you can't accuse him without allowing him to see the evidence; and so on. This emphasis, Stuntz thinks, has led to the current mess, where accused criminals get laboriously articulated protection against procedural errors and no protection at all against outrageous and obvious violations of simple justice. You can get off if the cops looked in the wrong car with the wrong warrant when they found your joint, but you have no recourse if owning the joint gets you locked up for life. You may be spared the death penalty if you can show a problem with your appointed defender, but it is much harder if there is merely enormous accumulated evidence that you weren't guilty in the first place and the jury got it wrong. Even clauses that Americans are taught to revere are, Stuntz maintains, unworthy of reverence: the ban on "cruel and unusual punishment" was designed to protect cruel punishments -- flogging and branding -- that were not at that time unusual.

The author mentions the rise of for-profit businesses increasingly running prisons in the U.S., but I don't think he makes the point strongly enough. There is now a corporate interest in the U.S. lobbying for such things as mandatory minimum sentencing.

Brian C. Kalt (2005), "The Perfect Crime," Georgetown Law Journal, Vol. 93, No. 2.

Abstract: This article argues that there is a 50-square-mile swath of Idaho in which one can commit felonies with impunity. This is because of the intersection of a poorly drafted statute with a clear but neglected constitutional provision: the Sixth Amendment's Vicinage Clause. Although lesser criminal charges and civil liability still loom, the remaining possibility of criminals going free over a needless technical failure by Congress is difficult to stomach. No criminal defendant has ever broached the subject, let alone faced the numerous (though unconvincing) counterarguments. This shows that vicinage is not taken seriously by lawyers or judges. Still, Congress should close the Idaho loophole, not pretend it does not exist.

The storyline:

1. TSA screener finds two pipes in passenger's bags.

2. Screener determines that they're not a threat.

3. Screener confiscates them anyway, because of their "material and appearance."

4. Because they're not actually a threat, screener leaves them at the checkpoint.

5. Everyone forgets about them.

6. Six hours later, the next shift of TSA screeners notices the pipes and -- not being able to explain how they got there and, presumably, because of their "material and appearance" -- calls the police bomb squad to remove the pipes.

7. TSA does not evacuate the airport, or even close the checkpoint, because -- well, we don't know why.

I don't even know where to begin.

Some errors in forensic science may be the result of the biases of the examiners:

Though they cannot prove it, Dr Dror and Dr Hampikian suspect the difference in contextual information given to the examiners was the cause of the different results. The original pair may have subliminally interpreted ambiguous information in a way helpful to the prosecution, even though they did not consciously realise what they were doing.

[...]

This one example does not prove the existence of a systematic problem. But it does point to a sloppy approach to science. According to Norah Rudin, a forensic-DNA consultant in Mountain View, California, forensic scientists are beginning to accept that cognitive bias exists, but there is still a lot of resistance to the idea, because examiners take the criticism personally and feel they are being accused of doing bad science. According to Dr Rudin, the attitude that cognitive bias can somehow be willed away, by education, training or good intentions, is still pervasive.

In its 10-Q filing with the Securities and Exchange Commission (SEC), Verisign acknowledged having suffered several data security breaches in 2010, but notes that management did not learn about the incidents until September 2011, nearly a year after they occurred.......

Police in Romania have arrested a man who allegedly broke into US government websites, including those of NASA and the Pentagon.......

Google has deployed technology that will allow it to block blogs on its free Blogger platform in specific countries to comply with local rules.......

David Kernell, the Tennessee college student who was found guilty on hacking into then-vice presidential candidate Sarah Palin's Yahoo email account has lost an appeal to have his conviction for obstruction of justice thrown out.......

Apple released its first security update of 2012 for Mac OS X, patching more than 50 vulnerabilities.......

The Kelihos botnet, which Microsoft was instrumental in helping take down last year, appears to be regaining its foothold.......

A recently detected, sophisticated spear phishing attack disguises itself as conference invitations.......

Thirteen apps that have been identified as containing adware known as Counterclank will remain available in Google's Android Market.......

Mozilla has released a new version of its flagship browser, Firefox 10.......

Symantec has released hotfixes for its pcAnywhere software.......

The Federal Deposit Insurance Corporation (FDIC) has issued guidance for banks and other financial services institutions, warning that certain third-party payment processors could prove to be security liabilities.......

Sweden's Supreme Court has refused to hear an appeal of the prison sentences for The Pirate Bay founders that were meted out by the Swedish Court of Appeals more than a year ago.......

Category: Widely Deployed Software

Affected:

• Mozilla Firefox prior to 10.0
• Mozilla Firefox 3.6.x prior to 3.6.26

Category: Widely Deployed Software

Affected:

• Symantec pcAnywhere 12.0.x and 12.1.x prior to 12.5.3

CVEs: CVE: CVE-2012-0395

Platform: Cross Platform

CVEs: CVE: CVE-2011-4703

Platform: Cross Platform

CVEs: CVE: CVE-2012-0068,CVE-2012-0067,CVE-2012-0066

Platform: Cross Platform

CVEs: CVE: CVE-2012-0817

Platform: Cross Platform

CVEs: CVE:CVE-2011-3952,CVE-2011-3951,CVE-2011-3950,CVE-2011-3949,CVE-2011-3947,CVE-2011-3946,CVE-2011-3945,CVE-2011-3944,CVE-2011-3941,CVE-2011-3940,CVE-2011-3937,CVE-2011-3936,CVE-2011-3935,CVE-2011-3934,CVE-2011-3929

Platform: Cross Platform

CVEs: CVE: CVE-2011-4790

Platform: Cross Platform

CVEs: CVE: CVE-2012-0818

Platform: Cross Platform

CVEs: CVE:CVE-2012-0445,CVE-2012-0447,CVE-2011-3659,CVE-2012-0442,CVE-2012-0443,CVE-2012-0444,CVE-2012-0449,CVE-2012-0446

Platform: Cross Platform

CVEs: CVE: CVE

Platform: Cross Platform

CVEs: CVE: Not Available

Platform: Hardware

CVEs: CVE: Not Available

Platform: Hardware

CVEs: CVE: CVE-2012-0814

Platform: Linux

CVEs: CVE: CVE-2012-0813

Platform: Linux

CVEs: CVE: CVE-2011-4821

Platform: Network Device

CVEs: CVE: Not Available

Platform: Third Party Windows Apps

CVEs: CVE: CVE-2011-4143

Platform: Third Party Windows Apps

CVEs: CVE: Not Available

Platform: Third Party Windows Apps

CVEs: CVE: CVE-2012-0021

Platform: Web Application

CVEs: CVE: Not Available

Platform: Web Application

CVEs: CVE: Not Available

Platform: Web Application

CVEs: CVE: Not Available

Platform: Web Application

CVEs: CVE: Not Available

Platform: Web Application

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

A friend of mine asked if he should also install Google Chrome when updating DivX Plus Player.  I told him "no, it's not necessary. Uncheck all boxes for Chrome installation and other modification on the browser by Chrome".  I told him also to always do this action to other software updater or installer that will try to install a program that he don't want or require.

Since I have a DivX Plus Player that I haven't update myself (because I disabled automatic checking of DivX updates) and yup, there was an update:.  It is v8.1.3:

When I clicked "Next" button, I'm offered Google Chrome browser, as well.

Just uncheck those guys, unless you want to have Google Chrome, but I doubt you do because if you want it, you know where and how to get it yourself (by visiting Google Chrome website).  It's so sad that some software developers are doing the above "update practices".  It's just an UPDATE but there you are... offering another program that is not necessary to update a program.

Bright Hub have lots of new quizzes to test your knowledge.  Check out some of the quizzes :)

Example quizzes in Bright Hub:

Computer Security

• Do You Know Computer Viruses?
• How Safe Is Your Wi-Fi Connection?
• How Secure is Your Computer?
• Test Your Computer Security Skills With the Malware Open Challenge

Windows

• A Quiz for Microsoft Word Professionals
• Are You a Windows Expert? See How Much You Know
• Are You an MS Office Expert? Test Your Knowledge
• Think You Know Your Windows Computer?
• New to Microsoft Word? Find Out How Much You Know!
• So You Think You Can Use Microsoft Excel? A General Knowledge Quiz
• Test Your Microsoft History Knowledge

Mac

• Are You Up to Speed in Lion?
• Test Your Knowledge of Apple History
• Steve Jobs Said What?
• Take the Mac Challenge: How Much Do You Know?
• Test Your Computer Chops with Our Macintosh Guru Quiz
• Test Your Steve Jobs Fandom: A Quiz

iPhone

• Think you Know your iPhone? Take our iPhone quiz & find out
• iPhone Games Quiz
• There's an App For That
• Apple and the iPhone

Good luck or shall I say, hope you'll get perfect score!

Quoted below is an unsolicited email with malware attached:

Subject:  Uniform Traffic Ticket (ID: 31534)

From:  New York State Department of Motor Vehicles

New York State ? Department of Motor Vehicles

UNIFORM TRAFFIC TICKET (ID:77810),

---

POLICE AGENCY
NEW YORK STATE POLICE
Local Police Code 3

THE PERSON DESCRIBED ABOVE IS CHARGED AS FOLLOWS
Time: 7:25 AM
Date of Offense: 07/02/2011
IN VIOLATION OF NYS V AND T LAW

---

4 Description of Violation

SPEED OVER 55 ZONE

TO PLEAD, PRINT OUT THE ENCLOSED TICKET AND SEND IT TO TOWN COURT, CHATAM HALL., PO BOX 117

Screenshot of the spam:

This type of email is NOT new at all because I've seen similar spam last August.  The problem is the following:

• End-users of popular web-based email services that only depend on free virus email scanner aren't always protected from downloading unsafe file.  An example is Yahoo! email which is using Norton Antivirus.  It failed to detect the malware attachment: 

• Less than 50% of virus scanners will detect the malware.  AntiVir, ClamAV, eTrust, PC Tools, PrevX, SUPERAntiSpyware, Symantec, Trend Micro and VirusBuster are among the antivirus vendors that will fail to detect the malware, to date:

Hopefully, people won't fall into executing the Uniform traffic ticket.zip or extract and execute the uniform traffic ticket.exe file.

Or else, they will have to remove Win32/Gamarue.B, a computer worm that can also spread through removable drives e.g. AutoRun virus, communicate to attackers server and download some files to the affected computer.

As you know already, Microsoft found out that their Malicious Software Removal Tool have detected 26.0% malware propagated through USB Autorun, 17.2% of malware have propagated through Network Autorun and 44.8% through user interaction.  More information of malware propagation in Volume 11 of Microsoft Security Intelligence report, released this month. 

The above email is one of the methods that a computer worm infects a computer and then spread to your network (home or office network).

Be very careful when receiving such email especially if you are in New York.  People who don't live in New York or U.S.A have more reasons to delete this type of email.

Finally.. I find time to download Windows 8 Preview.  Going to install it tomorrow and hope to see it work.  Will provide feedback, of course (if it's not reported yet). If you haven't download it and wish to try, get it at MSDN.

Are you using Windows XP? Get the Windows XP End Of Support Countdown Gadget.  Today, I have it installed as a sidebar gadget.  XP users still have many months to use XP :)  If your PC is still OK, keep using it but ensure it's up-to-date with available security fixes.  If you want a new PC, get Windows 7 or wait for Windows 8.

Even though I don't have an Apple product (except installing Safari browser when I need to write or test something about it in a Windows computer.  Some family members are using iPad or iPhone and I find it as cool gadgets but don't need or requite it right now), I'm sad to hear that Mr. Steve Jobs passed away that soon.  I mean, not only he was only 56 years old but he bid his goodbye as CEO only in August 24, 2011.  That's only a month and 11 days ago :(

This post is to remember you, Mr. Jobs and to thank you for contributing to the world -- some great and cool gadgets -- that my family members are happy (also they loved it) using.  Even a 3 year old boy in the family loves your iPad.  He just can't stop playing games, non-stop viewing his birthday photos/videos and also sketching anything after school or dinner (he is not allowed to use the iPad until he finished his dinner!).

If we want free antivirus program, we seems to only have few choices now --- Microsoft Security Essentials and Avast.. simply because the simple and great Avira AntiVir has gone to the dark-side by adding the unwanted ASK toolbar.  What is worst is it mislead users by saying it is "Avira Toolbar".  Glad my team and members at Calendarofupdates.com are fast to find it out last June and immediately stopped posting updates on Avira. 

Time to logon to my Windows 7 computer and remove Avira.  Will install MSE! 

Done reviewing Avast Internet Security program that includes SafeZone desktop (also known as SafeZone browser).  It's not cool because it will only use Google Chrome browser to browse the net.  It should not be "called as SafeZone desktop" but SafeZone browser only.  Google Chrome browser is integrated and I personally don't use or like Google Chrome.  Avast Internet Security doesn't install standalone Google Chrome browser on Windows but will be the browser if you bring up SafeZone feature. 

Read more at http://www.brighthub.com/computing/smb-security/reviews/112570.aspx so you'll know what else I don't like with SafeZone in Internet security program by Avast.  I think people who are using Google Chrome will have no problem with it.  I just hope Avast team will make that SafeZone browser feature to work to whatever is the default browser.  I know you can use Sandbox feature to virtualize other browser or application but it's not the Sandbox I'm talking about but the SafeZone.  I guess it has to do with their "partnership" by pushing Google Chrome (piggybacking in free Avast antivirus by bundling third-party installer on Avast installation package... and now it's integrated in paid software of Avast).  Geez.

Anyhoo, the AV of Avast has improved.

I downloaded the trial version of Avast Internet Security because I need to review it.  The test system didn't have that program before but the new trial version (supposedly 30 days) says the program has expired on March 19, 2011.  Today is March 26, 2011 which is is the day I install the trial version right after the download has finished.  I reproduced the issue by restoring my computer to previous "backup image".

Note that the backup image doesn't have or never had any antivirus program by any vendor because it's my test system's image.  The only security software on it is the built-in Windows Defender.

Alwil need to check their licensing server for their trial version users soon or you are trying to trick people to buy?  I hope it's not the latter. 

This is what I get the first try:

The second try (after I put restored the system from the backup image -- yup, formatted the C: drive before applying the backup image):

I tried clicking update for defs or program hoping that will sync correctly to their server but no joy.

So to anyone trying Avast Internet security program for 30 days and you get the above issue, you're not alone.  Don't simply buy if you only want to try or test.

BTW, the setup file was downloaded from Avast website which was served by http://www.avast.com/download-thank-you.php?src=http://files.avast.com/iavs5x/setup_ais.exe&product=IS&page=internet-security&locale=en-ww&avast=0 or http://files.avast.com/iavs5x/setup_ais.exe (don't click unless you want to download the file).

I tried also the setup file from CNET Download.com but it's same result.

UPDATE - March 27, 9PM GMT +8:  After another try (last try), the trial license is working now:

And it is now showing correct date of expiration.  I did nothing but to put back again the old system image (backup) just like what I did earlier and install the trial version.

I know that I have not enter any blog entry here for few months already.  I can explain but most stuff is due to personal and work related.  Been writing still at Bright Hub, I moved home and you know, attending on the new home.  I call it home because it feels like home (I say feels like home only because there's a bit of issue that is coming again.. see below).  Also attending on small business that I need to face full time now (at least, after doing what I got to do at home and writing).  BTW, check out the newest review I submitted -- Diskeeper 2011 review :p

I know that I have not release an update to IP blocklist for Outpost, Online Armor, Kaspersky and IE programs but it's still here on my to do list.  Sorry about the long delay but I'll be on it by April and will make sure that it'll be updated once a month from now on.

I know I have not been in forums but my you are all always on my mind.  I'll be there to apologize of course and interact with you again.  I just don't want to promise anymore on when...because it will only disappoint some friends and I don't want to disappoint them again and again.

I know that Windows 7 Service Pack 1 has been released but I have not install it because there's no time yet.  I'm not afraid to try installing Windows 7 SP1 since I have backup of entire drives, just in case anything goes south, north, east or west.  It's not offered to me anyway since I have not install many other updates for Windows especially the pre-requisite.  When to install Windows 7 SP1? This weekend, I think.

I know Comodo certificates have issue again.  All I want to say is "why there's no major account executive that only handles major and critical accounts?" Geez.. I thought most company knows how to handle major accounts and not simply allowing anyone or third-party to handle important domains/accounts that can put millions of users' data AT RISK.  Yeah, they revoked it soon but that's not the question here but the one I already asked.  Even security experts question the way they allow affiliates or resellers to issue cert.  Nice story here about another Comodo fraudulent certs again.

This one.. I don't know when but it seem... going to happen:  moving to South Korea or the Philippines.  Whatever.... I'm just tired of moving.

And there is this.. blinking blue thingy which is so cool because it seems a bluetooth-enabled device or it is only the signal that the device is on.  Anyway, head over at http://iosafe.com/blog/uncategorized/win-our-new-product-easy-part-deux/ and start commenting even if you work as miner! :D

ioSafe, the maker of fireproof and waterproof hard-drives is going to unveil another gadget.  They are asking people to guess what it will be.  A clue was posted in the company's blog.

My guess is it's a 3.0 USB external hard-drive! FP and WF also, but I'm not sure.  I guess.. that's how guessing game/contest works.  Good luck to all and Congrats to ioSafe for the upcoming product!

Security researchers have demonstrated how it might be possible to place backdoor rootkit software on a network card.

Guillaume Delugré, a reverse engineer at French security firm Sogeti ESEC, was able to develop proof-of-concept code after studying the firmware from Broadcom Ethernet NetExtreme PCI Ethernet cards.

He used publicly available documentations and open source tools to develop a firmware debugger. He also reverse-engineered the format of the EEPROM where firmware code is stored, as well as the bootstrap process of the device.

Using the knowledge gained from this process, Delugré was able to develop custom firmware code and flash the device so that his proof-of-concept code ran on the CPU of the network card. The technique opens the possibility of planting a stealthy rootkit that lives within the network card, an approach that gives potential miscreants several advantages over conventional backdoors.

Chief among these is that there will be no trace of the rootkit on the operating system, as it is being hidden inside the network interface card. [...]

Delugré gave a presentation on his research at the hack.lu conference last month. A write-up of his research, along with slides on his presentation and a demo, was published on Sunday here.

http://www.theregister.co.uk/2010/11/23/network_card_rootkit/

Research In Motion denied reports in Indian media that it had received information from an Indian government official questioned by police Monday during an investigation into the leaking of information to telecommunications companies.

Ravi Inder Singh, a senior official in the country's Ministry of Home Affairs, was taken in for questioning on Monday, Delhi police sources said.

Special Commissioner of Police P.N. Aggarwal said on Tuesday that Singh had not been arrested, and investigations were still going on in the case. He declined to comment on the line of investigation.

RIM is currently in difficult negotiations with the Indian government, which has been demanding that law enforcement agencies be given the ability to intercept communications on RIM's network.

The government has given RIM until January to provide total access to communications on its BlackBerry Messenger service. It has also demanded access to RIM's corporate email and communications service, BlackBerry Enterprise Server

http://www.computerworld.com/s/article/9197779/RIM_denies_reports_that_Indian_official_snooped_for_it

Trend Micro researchers recently discovered attacks on the social networking site Multiply. The cybercriminals behind the said attack created new Multiply user accounts then sent malicious personal messages to other site users.

The personal message contains a greeting with the target?s Multiply user name and a video that the recipient is supposed to watch. Clicking the play button redirects users to the malicious URL http://yourtube.{BLOCKED}loring.com/video2/video.php?q=1289224873.

The page then asks the recipient to download a codec to view the video.

These sorts of attacks have been occurring for some time. Users should avoid downloading new codecs to watch videos posted online, as these are frequently malicious.

Screenshots in http://blog.trendmicro.com/malicious-video-spreads-via-multiply/

Cross-Border Korean Shelling Leads to FAKEAV

News outlets all over the world are talking about the recent cross-border clash between North and South Korea. The shelling, one of the worst incidents between the two countries in years, is naturally being used by the usual criminals behind fake antivirus malware.

Within hours of the incident, certain Korea-related search terms were already poisoned.

Note that the Google preview of the page shows the supposed content of the page. However, if the user clicks on the offered search result, they see these (familiar) pages.

http://blog.trendmicro.com/cross-border-korean-shelling-leads-to-fakeav/

A computer hacker who accessed personal data and photos from his mother's front room in a major e-mail scam has been jailed.  Father-of-five Matthew Anderson, 33, of Drummuir, Moray, who was part of an international gang, was caught after a Scotland Yard investigation.

He sent millions of worldwide e-mails which released a virus when opened, allowing remote control of computers.  Anderson was jailed for 18 months at Southwark Crown Court.

He admitted the Computer Misuse Act crime.  He was able to access private images, wills and confidential medical reports and CVs.

http://www.bbc.co.uk/news/uk-scotland-north-east-orkney-shetland-11818671  via Sophos.

Mozilla has fixed a bug in the way that its Bugzilla Web site and others handled certain errors, which could have been exploited to execute a man-in-the-middle attack against an unsuspecting user.

The bug was related to the way that the sites responded to certain requests from client machines when the clients specify an incorrect HTTP host header. The Bugzilla site holds a wild card SSL certificate that also is valid on Mozilla.org, and as a result when the sites respond to the request with the incorrect header, clients can be redirected to a non-HTTPS site for an error message.

"As a result, a network attacker can divert a client connection bound for any *.mozilla.org site to one of these servers and cause the client to receive an incorrect redirect. This is already a breach of the integrity that SSL is supposed to provide. But what is worse, since the redirect is to http://, the attacker can substitute arbitrary content and thereby perform XSS," Matt McCutchen wrote in an explanation of the certificate problem on Bugzilla.

More on attack scenario at http://threatpost.com/en_us/blogs/mozilla-fixes-site-error-handling-bug-112210

Introducing Anonymizer Nevercookie?, a FREE Firefox plugin that protects against the Evercookie API. The plugin extends Firefox?s private browsing mode by preventing Evercookies from identifying and tracking users.

Evercookie is a new, more persistent cookie form that enables the storage of cookie data in a number of different locations, such as Flash cookies and various locations of HTML5 storage. This allows websites to track user behavior even when users have enabled private browsing. Because an Evercookie stores data in locations outside of where standard cookies are stored, an Evercookie can rebuild itself unless users go through a number of steps to completely clear and reset their local storage.

Anonymizer Nevercookie simplifies this process and eliminates the manual steps required to completely remove Evercookies. And it does so without also removing all of the necessary cookies that a user actually wants to keep, such as those for browsing history and remembered logins. When Anonymizer Nevercookie is engaged along with Firefox?s private browsing mode, it quarantines an Evercookie and removes it after the browsing session.

Anonymizer Nevercookie was developed by Geoffrey Abbott, Lead Researcher at Anonymizer Labs.

http://nevercookie.anonymizer.com/

The plugin is currently in BETA.  Use at your own risk.

Google's new "Instant Previews" search tool is skewing traffic stats for sites using Google Analytics, creating page views before pages are actually viewed.

Rolled out across Google's search engine earlier this month, Instant Previews lets searchers, yes, preview sites before they visit them. Users click on a small icon that appears beside a search result, and this launches an image of the site in question on the right-hand-side of Google's results page.

As Google pointed out when "Instant Previews" was launched, Google is ? in some cases ? fetching these previews in real time. Soon after the tool's launch, webmasters posting to Google's help forums noticed that these pre-fetches were skewing Google Anayltics numbers. And as noticed by Search Engine Land, a Google employee later confirmed this with a post of his own.

The employee confirms that these real-time fetches are executing JavaScript used by Google Analytics, the company's own web analytics tool, and this is skewing traffic numbers. But he indicates that a fix is on the way. "We're working on a solution for this, to prevent Google Instant Preview on-demand fetches from executing Analytics JavaScript," the Google employee says. "I'm not sure about the timeframe, but I'll drop a note here when I have more to share. Thanks for your patience."

http://www.theregister.co.uk/2010/11/22/google_instant_previews_skew_web_analytics/

Electronic Communications Privacy Act violation alleged

A Texas man has fired a legal broadside against Gmail in a federal lawsuit that claims the Google service violates the Electronic Communications Privacy Act of 1986.

Keith Dunbar of Bowie County, Texas, claims that emails he sent from a non-Gmail service to Gmail users were scanned by Google algorithms without his consent. The algorithms are designed to serve Gmail users targeted ads based on the content of messages they receive.

?No consent from non-Gmail account holders is given prior to Google using the content of non-Gmail account holders for the purpose of delivering targeted ads and other related information to Gmail account holders,? the complaint, filed in US District court in Texarkana, Texas, stated. ?Google does not inform non-Gmail account holders that it scans the content of their emails for the purpose of delivering targeted text ads and other related information to Gmail account holders.?

The complaint is seeking class-action status so other non-Gmail users may also joint the action. It seeks damages of $100 a day for each violation or $10,000, whichever is greater, and the disgorgement of profits made by Google as a result of the Gmail scanning.

?We haven't received a formal complaint and can't comment on specifics,? a Google spokesman wrote in an email on Monday. ?To be clear though, Gmail ? like most webmail providers ? uses automatic scanning to fight against spam and viruses. We use similar technology to show advertisements that help keep our services free.  This is how Gmail has always worked.?

Indeed, internet law expert Eric Goldman, a professor at Santa Clara University School of Law, told InformationWeek that there were numerous calls to investigate Google for such behavior in 2004. ?Frankly, after all the furor died down a half-decade ago, I had assumed everyone had moved on long ago,? he told the publication.

http://www.theregister.co.uk/2010/11/23/gmail_privacy_lawsuit/

A Trojan that pulls a sly performance of now-you-see-me-now-you-don?t disguises itself on an infected system as the Adobe Updater, a real program that?s installed alongside such mainstay applications as the Adobe Reader. This method of hiding in plain sight means the downloader, Trojan-Downloader-Karagany, may remain active on an infected system for an extended period of time, reinfecting PCs even after the more obvious payloads have been cleared up.

During the initial infection, subtlety is this Karagany?s strong suit. When executed, it pulls an act I find slightly more interesting than the conventional file copies itself from one place to another, then deletes the original behavior that is so common among contemporary malware.

In this case, the malware app (which uses an Adobe icon) does copy itself to another location ? the \Application Data\Adobe folder under the currently logged-in user?s account, using the filename AdobeUpdater.exe ? but leaves behind a benign program afterward, in exactly the same place as the original, and with the same filename as the original.

Details with video clip at http://blog.webroot.com/2010/11/22/karagany-isnt-a-doctor-but-plays-one-on-your-pc/

# cutter 192.168.2.55 3400

What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice? This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home.

But much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.

Forget the outdated hacker image of a spotty anarchic teenager holed up in his bedroom defacing the Web sites of global organisations, today's hackers are not only older but more determined than ever to claim your cash and identity.

...ran a heroin distribution ring that was violent and tightly knit, making it difficult for informers to penetrate it, federal authorities say.

The gang also had a secret weapon: It cultivated a police officer to dig into a law enforcement database to figure out which of its customers might be undercover informers...

"This case personifies exactly the effectiveness of the system," the chief said. "We had intelligence that somebody was running people's names involved in narcotics cases without a legitimate reason, and we ran those names and found out who it was, and took the appropriate action."

Mokwa said officers use REJIS on a daily basis, and tightening security would be burdensome. "You have to rely upon the integrity of officers to use the system properly," he said. "To change it, you would have to restrict their access."

Michael Lynn, the hacker who hit the headlines in July for exposing a Cisco router flaw is now employed by arch-rival Juniper, according to the vendor. Juniper declined to reveal what role Lynn is occupying.

The security researcher was dramatically sued by Cisco earlier in the year after he discovered a Cisco router IOS flaw and defied the networking giant and then-employer ISS to publicise the flaw at a hacking convention in Las Vegas.

Lynn was widely regarded as a hero by many in the internet community in the wake of the scandal but many doubted if he could again find gainful employment as a security researcher.

For its part, Cisco was widely castigated for its heavy-handed tactics in stopping Lynn from further publicising his findings, with some commentators suggesting that the internet could be at threat if similar whistle-blowers are discouraged to come clean on flaws.

Here's an interesting thing for you security types to be aware of.  Many of you probably are careful to screen attachment types to make sure that you don't unintentionally execute code that might be malicious.

Malware authors have discovered that by embedding a unicode control character in file names, they can cause the file name to read right-to-left (instead of the normal English left-to-right) and therefore obfuscate file extensions.

For example, "innocuous_cod.exe" could have the RLO character inserted after the underscore, and then it would read as "innocuous_exe.doc" (everything after the "_" is read right-to-left).

Here's a write-up with links to detected variants: http://blog.commtouch.com/cafe/malware/exe-read-backwards-spells-malware/

I was browsing around looking for logging regulations and stumbled across this.  It's the United State's federal regulation on EDRs - Event Data Recorders - installed in automobiles.

EDRs are little log engines, like the "black box" flight data recorders on commercial airliners.  They are typically part of the airbag system on an automobile. They record specific data about the operation of the vehicle including speed, etc., and they record incident data like airbag sensor activation or airbag deployment.

Anyway, if you want to see an example of a really different kind of logging, the PDF document of NHTSA rule 2006-25666 describes what data must be logged, and how often (sampling rate), and retention policy.

Sample logs are available here.

In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, there are four events that contain a user account control (UAC) flags value:

• 4720 - user account creation
• 4738 - user account change
• 4741 - computer account creation
• 4742 - computer account change

This value is a bitmask value, and it's represented in textual format as a hexadecimal value, e.g. 0x1234.

The "decoder key" for this value is in Knowledge Base article 305144.  If you're a developer type, the actual declaration is in IADS.H in the Windows SDK.

Ned points out that the article is missing an entry:

0x04000000 - PARTIAL_SECRETS_ACCOUNT  (i.e. "Read-Only Domain Controller")

I also want to point out that Windows will set the undeclared value 0x4.  I don't know what this value does, if anything.

To decode this value, you can go through the property value definitions in the KB article from largest to smallest.  Compare each property value to the flags value in the event.  If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event.  Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.  Here's an example:

Flags value from event: 0x15

Decoding:

• PASSWD_NOTREQD 0x0020
• LOCKOUT 0x0010
• HOMEDIR_REQUIRED 0x0008
• (undeclared) 0x0004
• ACCOUNTDISABLE  0x0002
• SCRIPT 0x0001

0x0020 > 0x15, so PASSWD_NOTREQD does not apply to this event

0x10 < 0x15, so LOCKOUT applies to this event.   0x15 - 0x10 = 0x5

0x4 < 0x5, so the undeclared value is set.  We'll pretend it doesn't mean anything.   0x5 - 0x4 = 0x1

0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event

0x1 = 0x1, so SCRIPT applies to this event.  0x1 - 0x1 = 0x0, we're done.

So this UAC flags value decodes to: LOCKOUT and SCRIPT.

Mitsuru, one of our support engineers in Japan, actually did some excellent research recently into exactly what our behavior is for auditing audit policy and I wanted to share that with you.

In Windows, we've always had auditing for changes to security policy.  Audit policy has always been one aspect of that policy.

However, it's not so clear how to audit changes to audit policy.  The reason is, because the change itself might affect whether or not the audit is generated.  Usually in Windows, we generate audit after the operation that we are auditing, is performed.  When we generate audit, we always check audit policy to see if we need to generate an event.

So what would happen if you turned off the setting "audit changes to audit policy"?  Well, if we implemented it in the way we generally implement audit policy, nothing would happen- no event.  As described above, if we checked audit policy after we disabled audit policy, then the effective policy would say "don't generate audit".

But consider the case where a malicious audit or system administrator wants to cover their tracks.  One thing such a person might do, to not leave as much of a trace, is to disable audit policy before they do the bad thing, and re-enable it afterwards.  If we implemented audit normally, then there would be no trace of this.

To avoid this undesirable case, we changed around the instrumentation a little so that we always generate audit for certain audit policy change events.  This means that you might not get EXACTLY what you intended, but it also ensures that you can always find the significant events when someone disables  audit policy.

Anyway, to sum up, the following events are always audited when audit policy is disabled regardless of the "Audit Policy Change" subcategory setting in Windows Vista+:

4715 The audit policy (SACL) on an object was changed.
4719 System audit policy was changed.
4906 The CrashOnAuditFail value has changed.
4908 Special Groups Logon table modified.
4912 Per User Audit Policy was changed.

The following events are only audited when success auditing is enabled for the "Audit Policy Change" subcategory:
4902 The Per-user audit policy table was created.
4904 An attempt was made to register a security event source.
4905 An attempt was made to unregister a security event source.
4907 Auditing settings on object were changed.

Special thanks to Mitsuru for documenting this.

Hi Everyone,

Sas sent me an email complaining that I am not posting as often as I should- sorry about that.  I am working on a different project now but I am still in close touch with the auditing team and I'll try to do better.

Anyway a question that I hear regularly is, "how do I find all the NTLM authentications on my network"?

Other than running a network trace, the best way I have found (ok invented :-)  to do this is to look at the logon events in the audit log.

One of the changes we made to the logon events in Windows Vista (and therefore subsequent releases of Windows) was to include the NTLM protocol level in the logon events, if the NTLM auth package was used.

Now, with the new EventLog ecosystem, it's easy to generate some XPath to find just these events.

Here's the query:

*[System    [Provider      [@Name='Microsoft-Windows-Security-Auditing']        and Task = 12544        and (band(Keywords,9007199254740992))        and (EventID=4624)    ]    and    EventData      [Data        [@Name='LmPackageName'] != '-'      ]  ]

To use this in Event Viewer:

1. Find the Security log under Windows Logs in the tree pane.
2. Right-click the Security log, and choose "Filter Current Log..."
3. Select the "XML" tab.
4. Check the "Edit query manually" box.
5. Replace the default query ("*", or everything in the "<Select>" element), with the text in the box above.  I've formatted it for readability.
6. Click OK

The event view will now be filtered and you'll only see NTLM logon events.  Additionally, each filtered event will contain a "Detailed Authentication Information" section containing the protocol level (e.g. LM, NTLM, NTLM V2) in the "Package Name" field, and the session key length, if one was negotiated.

Detailed Authentication Information:             Logon Process: NtLmSsp             Authentication Package: NTLM             Transited Services: -             Package Name (NTLM only): NTLM V2             Key Length: 128

UPDATE 2010-06-06 (EricF) - Fixed Vista+ architecture image; link was broken on migration to new blog platform

I get questions from time to time, such as my recent offline question from Steve, about what performance impact auditing has on the system as a whole.

To answer this you need to understand a couple of things:

1. Auditable activity is implemented as instrumentation (e.g. a function call to the auditing system) inside the code that does something auditable.
2. The auditing system in Windows has two sets of programmatic interfaces for introducing an event, one in kernel mode and one in user mode - so the component generating audit does not need to switch between kernel and user modes.
3. Although audit policy is stored in user mode, we cache a copy of the relevant policy for kernel-mode components, in kernel mode.  This means that no mode switch is necessary to check audit policy to decide whether to generate an event.
4. There are user-mode and kernel-mode queues for audit events.  The call to generate an audit event actually just queues the event, assuming the queue is not full.  So from the perspective of the component generating audit, audit has an "asynchronous" flavor under light-medium loads.  Under heavy loads when the queues fill, audit blocks the component raising the audit until the event can be queued, showing its true synchronous behavior.
5. Dequeuing audit events always occurs on a separate thread than enqueueing so that raising audit events and writing them to the log don't affect each other's perf under light to moderate load.
6. The pre-Vista auditing system in the kernel delivers events to LSA.  The Vista+ auditing system in the kernel delivers most events directly to ETW, the kernel mode event trace engine, which means that most of the kernel audit (including the potentially perf impacting object access events) doesn't require a mode switch at all.
7. The LSA formats events and then delivers them to the event log.  In WS03, events are batched in the RPC call to eventlog.  In Vista+, delivery is done by means of ETW in almost all cases.
8. ETW queues events and spools them to the Windows eventlog service as fast as the service will accept them.
9. The eventlog service writes the events to the log file as they arrive.

I have uploaded graphics of the Windows XP/Windows Server 2003 auditing architecture, and the Windows Vista/WS08/Windows 7 architecture, to make this process more clear:

Windows Vista+ Auditing Architecture

So now back to the original question- what is the impact of auditing on performance?

At low auditing loads, auditing generally has no discernable impact on perf.  If you were hardcode with a profiler and iterated an auditable activity a million times I am sure you'd be able to measure it, but for reasonable audit policies you won't notice a significant difference.

At high auditing loads, auditing has a significant performance impact.  This is more true of pre-Vista multiprocessor systems than of systems with the new eventlog system.

For example, a multi-processor domain controller (say a 32-processor box) running Windows Server 2003, might run into problems under extreme load.  Why is that?  Because ultimately the limiting factor on event rate is how fast you can write the events to disk.  Pre-Vista eventlog has a single thread writing events to disk.  So even though you might have 32 threads servicing authentication requests (an auditable activity), each of them is queueing to a single audit queue which is ultimately despooling to eventlog via RPC on a single thread, and eventlog is only writing to the security log with a single thread.  What we observe in practice in this case is that a single processor on the system goes to 85-100% utilization, and the other processors drop to a very low utilization as the authentication threads are blocked waiting for the audit function call to return.  This call won't return until the queue is not full, and the queue is waiting on RPC which is waiting on eventlog...  so eventlog governs the rate.

In Windows Server 2003, we added a particular optimization only for the security event log, which batches events in the RPC call to eventlog.  This means that you can get more event throughput in the security log than in other logs on the system.  It didn't eliminate the bottleneck, but it pushed back the limit, so WS03 on typical hardware should be able to log several thousand events per second to the security event log.  Previous versions were only able to log about 1000 events per second.

Note that the change in performance characteristics occurs all at once.  So the impact tends to be trivial until the queues fill, at which point the impact is severe.  It does not scale linearly, there's a discrete behavior change.  What this means realistically is that if you ever encounter a performance problem with auditing, then you probably just need to turn it down a little and you won't have a problem any more. 

In Vista and subsequent releases, audit queues events via ETW.  ETW was designed for high-performance kernel tracing, and in the auditing team we tested it to over 10,000 (10.000 for you folks in Germany :-) events per second before we decided that we had hit our scale targets.  We never tested exactly how high it would go, but we were satisfied that the eventlog service was no longer a bottleneck in realistic scenarios.

There are some edge cases where you might run into performance problems by trying to audit too much in a critical path.  For instance, it is a really really bad idea to put SACLs on your entire registry.  If you monitor registry activity with a tool like Process Monitor, you will notice that when a system is not idle, there are often hundreds or thousands of registry accesses per second.  If you impose an auditing tax on each of those activities you will notice a degradation in performance.  Not to mention that the resultant mountain of events is probably not very valuable.  Of course you can tune SACLs as I have mentioned before, but I doubt that it's useful to take the time to tune SACLs for the entire registry.

One last point is that the eventlog is writing the events somewhere.  Wherever it is writing events, it is consuming disk I/Os and competing with anything else writing to the same volume.  If you have a disk performance problem on that disk, it can result in an auditing performance problem, as everything else will back up if the eventlog can't write events to disk fast enough.  So one thing you can do is ensure that the disk where your log is placed has enough I/Os.

In summary audit has very minimal impact unless you do a whole lot of it, in which case it can have severe impact on your system.  The change happens suddenly, not gradually, so you can do a lot of auditing with no problem.  If you run into a problem, turn it down just a little (or little by little) and at some point the behavior will change such that you won't have any significant perf impact anymore.

I've written twice (here and here) about the relationship between the "old" event IDs (5xx-6xx) in WS03 and earlier versions of Windows, and between the "new" security event IDs (4xxx-5xxx) in Vista and beyond.

In short, EventID(WS03) + 4096 = EventID(WS08) for almost all security events in WS03.

The exceptions are the logon events.  The logon success events (540, 528) were collapsed into a single event 4624 (=528 + 4096).  The logon failure events (529-537, 539) were collapsed into a single event 4625 (=529+4096).

Other than that, there are cases where old events were deprecated (IPsec IIRC), and there are cases where new events were added (DS Change).  These are all new instrumentation and there is no ?mapping? possible- e.g. the new DS Change audit events are complementary to the old DS Access events; they record something different than the old events so you can?t say that the old event xxx = the new event yyy because they aren?t equivalent.  The old event means one thing and the new event means another thing; they represent different points of instrumentation in the OS, not just formatting changes in the event representation in the log.

Of course I explained earlier why we renumbered the events, and (in the same place) why the difference is "+4096" instead of something more human-friendly like "+1000".  The bottom line is that the event schema is different, so by changing the event IDs (and not re-using any), we force existing automation to be updated rather than just misinterpreting events when the automation doesn't know the version of Windows that produced the event.  We realized it would be painful but it is nowhere near as painful as if every event consumer had to be aware of, and have special casing for, pre-Vista events and post-Vista events with the same IDs but different schema.

So if you happen to know the pre-Vista security events, then you can quickly translate your existing knowledge to Vista by adding 4000, adding 100, and subtracting 4.  You can do this in your head.

However if you're trying to implement some automation, you should avoid trying to make a chart with "<Vista" and ">=Vista" columns of event ID numbers, because this will likely result in mis-parsing one set of events, and because you'll find it frustrating that there is not a 1:1 mapping (and in some cases no mapping at all).

Eric

I've written before on noise reduction in the Windows security event log.  I've also written to describe how object access auditing works.  But, I still get questions on how to reduce noise from object access events.  The other day I got that question, specific to Directory Service objects, on an internal discussion list so I thought I'd clean up the answer a bit and share it with the world.  In general the same is true for any type of object, although there are a few more knobs to control for DS objects.

Object access audit is generated when the system access control list (SACL) on the object matches the access that was performed on ALL of the following conditions:

1. Object - the object that was accessed must have either an explicit or inherited SACL.  The access performed is compared against the ACEs in that SACL.
   
2. Success or failure of activity - every audit access control entry (ACE) in a SACL will be either of type AUDIT_SUCCESS or AUDIT_FAILURE.  The access performed must match the access type of the ACE for the rest of the ACE to be considered.
   
3. User account - the accessing user's token is compared against each ACE matching the access type.  If the user, or a group the user belongs to, matches the SID in the ACE, then an audit might be generated.
   
4. Access - the access being performed must match the audited accesses in the access mask in an otherwise matching ACE.

The specific auditing algorithm is discussed here.

So the way to reduce the number of audit events (566 on Windows Server 2003, 4662 on Windows Server 2008, or one of the new DS Change events on Windows Server 2008) is to cause one or more of those conditions to fail, except in the specific cases that you care about.

The SACL which will generate the most audit events is "Everyone:Success & Failure:All accesses" on the domain head with OI,CI (object inherit & container inherit flags) for all object types.  This SACL matches all of the above conditions in all cases.  (Incidentally I think that this is pretty close to the default SACL- with the exception of failures- for Windows 2000 Active Directory installations, and SACLs are not updated when DCs are upgraded from version to version.  Windows Server 2003 has much more conservative SACLs for new installations of AD.)

To reduce noise, I offer the following suggestions, addressing each of the above conditions:

1. Audit only the objects that you care about.  User accounts and groups already are well-audited with "Account Management" auditing, so don't audit them with DS access.  Perhaps audit OUs, or other DS objects.  Use the Object Type and attribute type restrictions that you have in DS Access auditing.  Also, in Windows Server 2008, you can affect auditing on a per-object basis by adjusting the SearchFlags attribute in the AD schema for the object.  SACLs are more easily reversed so are probably a more acceptable method of controlling audit for most organizations.
   
2. Audit successful accesses only.  Failed accesses are common and are NOT indicative of any security problem; in fact many failures are not even explicit requests by the user but are just normal requests made by the OS, and the OS will re-try with less access if the operation fails.  In my experience failure auditing is primarily useful for troubleshooting, not for security.
   
3. Audit the "Everyone" group.  Although this matches any user, you will not accidentally miss any accesses that you care about due to failing to audit a user account who has access to the objects in question.  The only time that you would NOT audit "Everyone" is if you had an application or service account which was very noisy; in that case you'd need to create a group with all accounts EXCEPT the noisy accounts, and audit that group.
   
4. Audit only the accesses that you care about.  Specifically, read accesses occur much more often (in my experience, a conservative estimate is about a 100:1 ratio) than write accesses.  If you restrict your auditing to "write" type accesses (including change, delete, change permissions, create, etc.) then you will end up generating far fewer events.  Auditing for read access is very noisy.  If you must audit for reads, consider auditing fewer objects, perhaps only auditing reads on the container object instead of the objects in the container, or on one "interesting" object in any given container as a "canary".

I get the question fairly often, how to use the logon events in the audit log to track how long a user was using their computer and when they logged off.

As I have written about previously, this method of user activity tracking is unreliable.  It works in trivial cases (e.g. single machine where the user doesn't have physical access to the power switch or power cord), and it works most of the time in simple cases where there is good network connectivy and the user is not trying to evade detection.  If the user has physical access to the machine-- for example, can pull out the network or power cables or push the reset button-- and if the user is actively trying to evade time tracking, then the only reliable solution is to surreptitiously put a video camera (subject to local laws) in a place that can monitor the user's presence in front of the keyboard (yes I am aware of research done to track sound of keyboard clicks, etc.).

There is no way to instrument the OS to account for someone who just backs away from the keyboard and walks away.  The screen saver, if configured, will come on after a configurable delay since the last keypress or mouse movement.  Yes, if you know the SS delay then you could just work that into your calculations.  However the workstation does not lock until the screen saver is dismissed (some of you might have noticed that when you bump the mouse to dismiss the screensaver, sometimes you see your desktop for a fraction of a second- that?s because your machine isn?t locked while the screen saver is being displayed).  And the events don't tell you whether the workstation was locked or auto-locked so you don't really know whether to add in the screen saver delay factor.  Plus, prior to Windows Vista, there is no workstation lock event at all, only an unlock event, which is constructed in a way which makes it difficult to correlate with the original logon event.

So the bottom line is, I don't advocate or recommend this method for tracking the time a user spends at the keyboard.  If I were hypothetically called as an expert witness, I would testify that such a method is unreliable and trivially circumvented.  You have been warned, I've beaten that dead horse enough I guess.

Given that you are disregarding all my contrary advice, how are you going to accomplish this?

First, we need a general algorithm.

Use time (for a given logon session) = Logoff time - logon time

Now, what about the cases where the user powers off the machine, or it bluescreens, or a token leak prevents the logoff event from being generated, etc.?  We can use the BEGIN_LOGOFF event to handle token leak cases.  We can use the shutdown event in cases where the user does not log off.  And in case of crashes, the only event we can use is the startup event.  Note that each of these introduces increasing levels of uncertainty.

Logoff time = (logoff time | begin_logoff time | shutdown time | startup time)

This is good, but what about the time the workstation was locked?

Workstation lock time = unlock time - lock time
Total workstation lock time (for a given logon session) = SUM(workstation lock time)

How about remote desktop & terminal server sessions, and fast user switching?  You can connect and disconnect from logon sessions, during which time the user technically isn't using the computer.

Session idle time = session connect time - session disconnect time
Total session idle time (for a given logon session) = SUM(session idle time)

How about times when the machine was idle?  We can estimate that by looking at the time the screen saver was in place and adding the screen saver timeout.

Console idle time = (screen saver dismiss time - screen saver invoke time + screen saver delay)
Total console idle time = SUM(console idle time)

Putting all of this together and modifying our original formula, we get:

Use time (for a given logon session) =
   Logoff time - logon time
      - SUM(workstation lock time)
      - SUM(session idle time)
      - SUM(console idle time)

When we expand it, it is not quite so pretty: 

Use time (for a given logon session) =
   ( (logoff time | begin_logoff time | shutdown time | startup time) - logon time )
      - SUM(unlock time - lock time)
      - SUM(session connect time - session disconnect time)
      - SUM(screen saver dismiss time - screen saver invoke time + screen saver delay)

You have to be very careful that you only look at events that are properly contained chronologically between two other appropriate events, to avoid accidentally pairing the wrong logon and logoff events, or pairing a lock workstation event from one logon session with a different logon session.  The best correlation field is the Logon ID field, the next best are timestamp and user name.  At various times you need to examine all of these fields.

Now, which event IDs correspond to all of these real-world events?

They are all found in the Security event log.  The pre-Vista events (ID=5xx) all have event source=Security.  The Vista/WS08 events (ID=4xxx) all have event source=Microsoft-Windows-Security-Auditing.

512 / 4608  STARTUP
513 / 4609  SHUTDOWN
528 / 4624  LOGON
538 / 4634  LOGOFF
551 / 4647  BEGIN_LOGOFF
N/A / 4778  SESSION_RECONNECTED
N/A / 4779  SESSION_DISCONNECTED
N/A / 4800  WORKSTATION_LOCKED
* / 4801    WORKSTATION_UNLOCKED
N/A / 4802  SCREENSAVER_INVOKED
N/A / 4803  SCREENSAVER_DISMISSED

* prior to Windows Vista, there was no event for locking the workstation.  Unlocking the workstation generated a pair of events, a logon event and a logoff event (528/538) with logon type 7.  These events had the same user name as the "original" logon session and were completely enclosed chronologically by the logon/logoff events for the "real" logon session, but did not contain the Logon ID of the original logon session or other unambiguous correlator.  This makes correlation of these events difficult.

All of these events are generated in the Logon/Logoff audit policy category, although on Windows Vista and Windows Server 2008 they are scattered among the various subcategories in this audit policy category.  The audit event spreadsheet that Ned wrote has all the policy subcategory mappings as well as the event descriptions.

Sorry that this is more of a do-it-yourself than a solution-in-a-box, but this is pretty difficult to script and so far I haven't worked on a project that required this.

Eric

I get a lot of questions about how ACS event retention works.  So here you go, I'm blogging it so I can just answer with a link :-)

There are two DWORD registry values which affect backlog transmission.  Both are on the collector machine under HKLM\System\CurrentControlSet\Services\AdtServer\Parameters.

EventRetentionPeriod, if present, is expressed in hours (I forget the default).  It takes precedence over MaximumEventAge, which is in days (default=1).  Both of these values control the backlog of events that will be sent from agents to the collector on agent connect, but as mentioned, EventRetentionPeriod wins any conflict.  MaximumEventAge used to control database retention in early beta builds but does not anymore, since the database moved to a partitioning mechanism.  You might encounter MaximumEventAge if you are migrating from ACS beta to Operations Manager 2007 ACS.

Grooming is now governed entirely by the grooming algorithm.  The grooming algorithm is simple: partitions will be deleted by the next grooming job as soon as they are eligible for deletion.

Eligible for deletion means:

• dtPartition.Status == 2 AND
• dtPartition.LastCreationTime < (now() - (partitionDuration * numPartitions))

Think of (partitionDuration * numPartitions) as the retention period before data is groomed from the database. 

• partitionDuration = dtConfig[5]
• numPartitions = dtConfig[6]

Note that dtPartition[<partitionId>].LastCreationTime defaults to 12:00am 1/1/2000 (collector local time).  After successful execution of the close partition script, this field?s value is set to max(dtEvent_<partitionId>.CreationTime) for the partition in question.  There is an implication here that if you update status to 2 without updating LastCreationTime, then the partition is immediately eligible for grooming assuming your clock is accurate.

The partition switch offset (time of day to switch partitions) value in dtConfig has no effect on grooming, other than that grooming will not occur during a partition switch.

Grooming runs at startup and immediately after checkpointing.  The default checkpoint interval is 198 seconds but this interval can be configured  by the DWORD registry value CheckPointInterval on the collector, in the same location as the other registry values.  A successful checkpoint logs an event in the database, event ID 0 with a source of ?_acs? (you might have seen these on an ?idle? ACS and wondered how they got there?)

We got several reports recently of a bug in ACS that certain DS Access events, primarily for dnsNode and dnsZone objects, don't properly get looked up.

Some background: the event log in Windows prefers to log invariants such as message IDs, parameter message IDs, SIDs (security IDs which represent users and groups, etc.), and GUIDs (globally unique IDs which represent objects in Active Directory), rather than the actual names of the objects.  At view time the viewing application is expected to look up the name associated with the invariant and display it to the user.

The reasons that Windows does this are (1) that it enables localization, so that English speakers can see "Administrator" and French speakers can see "Administrateur", and (2) that it provides rename safefy- many objects are rename-able, such as domain accounts and other AD objects.

Anyway in ACS we had to solve the problem of how to store mountains of log data in a database, make it queryable in meaningful ways, preserve original format, present to users in a recognizable/understandable format, etc.

The way we chose to solve our several problems was to take strings that contained an invariant and append the translated name or string.

For example:
%{e0fa1e8c-9b45-11d0-afdd-00c04fd930c9}
would be translated to:
%{e0fa1e8c-9b45-11d0-afdd-00c04fd930c9}=?dnsNode?

and
%%7685
becomes:
%%7685=?Write Property?

As I mentioned, though, we ran into a problem recently.  Some of our customers were monitoring AD objects with ACS and noticed that ACS was not translating the GUIDs for certain objects.  When they manually looked up the GUIDs they noticed that they were for AD-integrated DNS objects.

After investigation, we found that AD was logging certain audit events for the objects, before all the attributes of the objects had been populated- DNS was populating the objects in multiple operations per object and each operation causes a separate event.  So ACS, which operates as close to real-time as we could get, was actually noticing the first event and asking AD "what's this?" before DNS had finished updating AD with things like the object's name.  The difference in time was literally only milliseconds.

Anyway I didn't really feel it was an ACS bug and wanted to file a bug against Windows DNS Server.  However the Operations Manager team has prototyped a configurable behavior for the ACS agent that lets it wait a very short time (configurable number of ms) and retry, when it fails to look up an AD object because the object doesn't exist.  This might be released as a public patch and/or in a future Service Pack.

I thought you might appreciate stories of the kinds of weirdness we run into.

A judge in New Zealand declined to convict the admitted (guilty plea) botherder of a million-bot botnet, citing the negative consequences a conviction would have on the young man's future prospects.  See the story here.

Well duh.  The whole theory of crime and punishment is that if you do something bad, you get punished, and punishment is something that is unpleasant, so you try to avoid it, hopefully by not doing the crime.  See?  One would hope that a judge would understand this concept.

I could understand if the judge said "this is just a stupid kid, he doesn't deserve to do 20 years", and gave the kid probation, community service and a big fine.  I don't know if New Zealand has such options, or if the judge has latitude in sentencing.  There is probably more to the story than is being told.  But you don't take over a million computers that don't belong to you, personally making tens of thousands of dollars, and not realize that you're doing something wrong.  Unless you're a sociopath.  And in either case, you either need punishment (for doing something you know is wrong) or separation from society for the protection of society while you get treatment (if you are a sociopath).  So whatever the case, the judge got it wrong, and as a result is practically encouraging future behavior of the same sort.

If you haven't used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008, you're missing out.  The new tool makes getting events out of the log pretty easy, but the main thing is that it doesn't suffer from any of the drawbacks around getting field delimiting correct.

The tool's command to query events from a log is "qe", and takes a log name as a parameter.

If you want to specify a query expression, then you can use XPath with the /q switch.  The easiest way to do this is to use Event Viewer to build a filter for just the events that you want, and then copy just the XPath expression out of the XML tab of the filter dialog in Event Viewer.  Be careful to copy only the filter expression and not the XML that surrounds it. 

Finally, the default output format of wevtutil is XML.  However it dumps each event as XML, but does not include a root element- in other words it's not well-formed XML by default.  To include a root element you need to include the /e switch and a root element name.

I put this all together in a batch file, with an example XPath filter that just gathers interactive logon events (event ID=4624, logon type=2).  You can save this as a .cmd file and run it as an administrator on Vista or WS08 and it will pull up a list of your interactive logons in Internet Explorer (or your default XML handler application if you've changed the registration).  It has to run as admin because it accesses the security event log.

If you're really good (better than me, which is not hard) you could write an XSL style sheet and put this into a report format.

Good luck!

@echo off   REM (C) 2008 Microsoft Corporation REM All Rights Reserved set outputfile=%temp%\interactive-logon-events.xml if "%1" NEQ "" set outputfile=%1   REM The next command is all one line and has no carriage returns REM The only spaces in the XPath are around the AND keywords wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task=12544 and (EventID=4624)] and EventData[Data[@Name='LogonType']='2']]" /e:Events > %outputfile% start %outputfile% set outputfile=

I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe).  Well, Ned has a blog and I thought I'd point you guys there.  His recent posts on auditing include a description of how to deploy the special groups logon auditing feature with group policy.

Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference.

Check it out in the Knowledge Base.

Even better, they documented all the events in spreadsheet format, and that's propagating to the Microsoft Download Center.  I'll publish the link when it's online.

2008-04-17 UPDATE:  Brian just sent me the link: here is the spreadsheet.

2010-04-01 UPDATE:  Here is the link to the updated spreadsheet for Windows 7 and Windows Server 2008 R2.

There's one topic that I know is on everyone's mind- no, not American Idol- it's "What's new in Auditing in Windows Server 2008?"

Well, funny that you brought that up.  My friend Jesper Johanssen just wrote a new book, the Windows Server 2008 Security Resource Kit, and he invited me to write a chapter about auditing for it, which I did.  So you, dear reader, are getting information straight from the horse's mouth, so to speak.

Anyway I think the book hits store shelves on March the 10th.  A number of distinguished individuals contributed to the book: Susan Bradley, Darren Canavor, Kurt Dillard, Roger Grimes, Brian Komar, Alun Jones and others.

I'd also like to send out special props to my auditing posse: Raghu (who was the primary developer for auditing for Vista & WS08) and Ned (who is the resident guru for auditing in Microsoft Customer Support Services), both of whom made significant contributions.  Raghu introduces the new "special group logon tracking" feature, and Ned contributed a spreadsheet mapping all the events (360-ish) to the policy category and subcategory and giving other key information about each event; this is included on the CD bundled with the book, along with an XML file defining the schema for all the events and event messages.  Ned's also working on getting a version of the spreadsheet available for download from the Microsoft download site.

In other news, the Windows Server 2008 Security Guide is also out, and yes, yours truly contributed in small part to the auditing guidance in there too, although I seem to have been overlooked in the credits (in all fairness my work delta from the Vista Security Guide was really small so maybe it did not meet their "credits bar").

Anyway, download the security guide and buy a copy of the book.  Buy more than one copy of the book, and give copies to your friends and loved ones.  Nothing says "Happy Anniversary, Honey" quite like a book or white paper about computer security.  OK, so maybe I should stick to computer security and stay away from relationship advice.  Flowers work well in my experience.

I've decided to start dumping my knowledge of ACS for posterity's sake.  My first installment is here, and it's an excerpt from an external email I put together which describes how event transformation works on ACS.

Transformation is performed on the agent (using instructions provided at connect time by the collector) and on the collector.  Transformation instructions are all stored on the collector in a file called EventSchema.xml which is in the AdtServer directory (%windir%\system32\security\adtserver).  This file is pointed to in the collector?s registry and is read during startup of the collector service; failure to successfully read and parse this file at startup is a fatal error for the collector (the debug log will complain about parsing).

The collector reads EventSchema.xml and builds in-memory binary tables of event transformation instructions and event string types by OS version/event log/event source.

The collector (as explained elsewhere) also reads AcsConfig.xml to get its persistent state and configuration for all known agents, to know what logs/sources to collect for each agent/agent group, etc.  This is all read into in-memory state for each agent.

At connect time, the agent sends version information- what the OS and agent version and service pack are, etc.  The collector first looks in its in-memory agent state to see what configuration applies to the agent.  Then it looks in its transformation tables and extracts the appropriate version-specific transformation instructions for the events that the collector is configured to collect from that agent.  Then it packages these instructions and sends them to the agent.

The agent starts reading events, transforming them according to its instructions from the collector, and sending the transformed events to the collector.  The collector finishes the transformation, services real-time subscriptions and loads the events into the database as appropriate.

If the agent encounters an event that is it configured to send (by log/source) but does not have transformation instructions for, then it simply builds a copy the event string for string and sends the copy of the event to the collector as an ?unschematized? event.  The collector will handle this event without problems but will not extract non-header user fields (no primary/client/target user fields) and will not add string type information.

I?ll take Windows Server 2003 (build 3790), Event Log: Security, Event Source: Security, Event ID: 644 as an example.

 

Here?s the WS03 schema for 644 (excerpt from %systemroot%\system32\security\adtserver\EventSchema.xml in the path ?Schema\Log[@Name=?Security?\Source[@Name=?Security?]\Version[@MinBuild=?3790?]\Event[@SourceId=?644?]?).

 

                        <Event SourceId="644" SourceName="SE_AUDITID_ACCOUNT_AUTO_LOCKED">

                              <Call Name="AppendString" Param1="1" Param2="0" />

                              <Call Name="AppendString" Param1="3" Param2="0" />

                              <Call Name="AppendString" Param1="2" Param2="0" />

                              <Call Name="AppendString" Param1="4" Param2="0" />

                              <Call Name="AppendString" Param1="5" Param2="0" />

                              <Call Name="AppendString" Param1="6" Param2="0" />

                              <Call Name="AppendSidFromNames" Param1="4" Param2="5" />

                              <Call Name="AppendNamesFromSid" Param1="3" Param2="0" />

                              <Param TypeName="typeUserDn" />

                              <Param TypeName="typeComputerName" />

                              <Param TypeName="typeTargetSid" />

                              <Param TypeName="typeClientUser" />

                              <Param TypeName="typeClientDomain" />

                              <Param TypeName="typeClientLogonId" />

                              <Param TypeName="typeClientSid" />

                              <Param TypeName="typeTargetUser" />

                              <Param TypeName="typeTargetDomain" />

                        </Event>

 

The instructions are all applied in order.  ?Call? instructions are executed agent-side; ?Param? instructions are executed server-side.

 

These instructions can be translated as:

 

·         Take string 1 from the original event and make it string 1 in the new event.  It is of type ?typeUserDn?.

·         Take string 3 from the original event and make it string 2 in the new event.  It is of type ?typeComputerName?.  Note that we are doing reordering here by appending original string #3 before original string #2.  Nifty, eh?

·         Take string 2 from the original event and make it string 3 in the new event.  It is of type ?typeTargetSid?.

·         Take string 4 from the original event and make it string 4 in the new event.  It is of type ?typeClientUser?.

·         Take string 5 from the original event and make it string 5 in the new event.  It is of type ?typeClientDomain?.

·         Take string 6 from the original event and make it string 6 in the new event.  It is of type ?typeClientLogonId?.

·         Take string 4 from the original event and treat is as a user name, and take string 5 from the original event and treat it as a domain name, look up the associated SID and make it string 7 in the new event.  The new string is of type ?typeClientSid?.

·         Take string 3 from the new event, treat it as a SID, look up the user/domain name associated with it and append the user name as string 8 to the new event and the domain name as string 9 to the new event.  String 8 is of type ?typeTargetUser? and String 9 is of type ?typeTargetDomain?.

 

See the reordering?  Now here is an instance of the event with the original event data.  If you?re not familiar with the XML, it?s the XML output of Crimson, the new eventlog service introduced in Vista/WS08, but this is a WS03 [pre-Crimson] machine; we're looking at a saved event log (evt) file.

 

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Security" />

    <EventID Qualifiers="0">644</EventID>

    <Level>0</Level>

    <Task>7</Task>

    <Keywords>0xa0000000000000</Keywords>

    <TimeCreated SystemTime="2007-12-17T15:50:14.000Z" />

    <EventRecordID>28003981</EventRecordID>

    <Channel>C:\Users\ericf\AppData\Local\Temp\SERVER34_SecEvts.evt</Channel>

    <Computer>SERVER34</Computer>

    <Security UserID="S-1-5-18" />

  </System>

  <EventData>

    <Data>user09</Data>                                                                                             // String 1 ? user name

    <Data>SERVER34</Data>                                                                                       // String 2 ? looks like a machine name, confirmed by string 4

    <Data>%{S-1-5-21-5998314728-109421381-169156293-611111}</Data>            // String 3 ? definitely a SID

    <Data>SERVER34$</Data>                                                                                     // String 4 ? definitely an account name (machine account)

    <Data>CONTOSO</Data>                                                                                       // String 5 ? looks like a domain name

    <Data>(0x0,0x3E7)</Data>                                                                                     // String 6 ? definitely a logon ID

    <Data>-</Data>                                                                                                       // String 7 ? empty null string at the end of the event (ignored by ACS)

  </EventData>

</Event>

 

When the event arrives at the collector, type information is applied, and then the user fields (typePrimary*, typeClient*, typeTarget*) are extracted from the string data section and the strings that are left are re-numbered starting at 1 (no reordering occurs).

 

Here?s a chart of what the event looks like at the various points in the system.  The changes at each step are shown in red.

 

Original Event in Event Log		Client-Side Transformation at Agent		Server-Side Normalization (WMI/SQL output)
Field	Content Description (implicit)	Field	Content Description (implicit)	Field	Content Description (explicit)
		Client User		Client User	typeClientUser
		Client Domain		Client Domain	typeClientDomain
		Client Sid		Client Sid	typeClientSid
		Client Login Id		Client Login Id	typeClientLogonId
		Target User		Target User	typeTargetUser
		Target Domain		Target Domain	typeTargetDomain
		Target Sid		Target Sid	typeTargetSid
String01	typeUserDn	String01	typeUserDn	String01	typeUserDn
String02	typeTargetSid	String02	typeComputerName	String02	typeComputerName
String03	typeComputerName	String03	typeTargetSid	String03
String04	typeClientUser	String04	typeClientUser	String04
String05	typeClientDomain	String05	typeClientDomain	String05
String06	typeClientLogonId	String06	typeClientLogonId	String06
String07		String07	typeClientSid	String07
String08		String08	typeTargetUser	String08
String09		String09	typeTargetDomain	String09

 

To finish off a description of transformation, there are 7 transformation functions, each of which can optionally take 2 integers as parameters.  Note that there is no ?destination event? field specifier; all references are only to the original event.  That?s because when constructing the destination event, any data added to the event is always appended- it is constructed from beginning to end- so the implicit destination field is ?at the end of the event as it is now?.

 

Function	Parameter 1	Parameter 2	Description
AppendString	Reference to a string parameter in the source event in the event log	Unused	Appends the referenced string to the event which will be sent to the collector
AppendStringFromTable	Reference to a constant string in the statically defined <Strings> table (1-based) in the relevant Source\Version element in EventSchema.xml	Unused	Appends the referenced constant string to the event which will be sent to the collector
AppendProcessNameFromPid	Reference to a string parameter in the source event in the event log (source string is expected to be a numeric process ID)	Unused	Looks up the process image path name for the referenced PID and appends it to the event which will be sent to the collector
AppendTimeFromDatetime	Unused	Unused	Not Implemented/No Action
AppendSidFromNames	Reference to a string parameter in the source event in the event log (source string is expected to be a user name)	Reference to a string parameter in the source event in the event log (source string is expected to be a domain name)	Looks up the SID for the account represented by the specified user and domain names, and appends the SID to the event which will be sent to the collector
AppendNamesFromSid	Reference to a string parameter in the source event in the event log (source string is expected to be a security ID)	Unused	Looks up the user name and domain name for the account represented by the specified SID, and appends the user name and the domain name as separate strings to the event which will be sent to the collector
AppendNumber	Unused	Unused	Not Implemented/No Action

 

Out of range params cause the transformation instruction to be ignored and skipped.  Non-integer params or other XML formatting/malformation problem (including non-UTF8 formatting) cause an EventSchema.xml parsing error at collector startup which in turn causes collector startup failure.

 

So that?s ACS transformation in a nutshell.  I hope this helps you guys understand ACS functionality a little better.

 

Shortly I will finish my write-up on AcsConfig.xml but that is a simple file and not too hard to figure out if you are into experimentation.

 

Here are some cool things that you can try with the event schema file if you are adventurous:

 

1.       Drop fields.  We have modified eventschema.xml successfully to cause it not to collect certain fields (e.g. logon GUIDs) of certain events:

                              <Call Name="AppendString" Param1="1" Param2="0" />

                              <Call Name="AppendString" Param1="2" Param2="0" />

                              <Call Name="AppendString" Param1="3" Param2="0" />

// try deleting a line here

// or, to preserve ordering of subsequent strings

// try replacing ?AppendString? with ?AppendStringFromTable (param1=1)?

                              <Call Name="AppendString" Param1="4" Param2="0" />

                              <Call Name="AppendString" Param1="5" Param2="0" />

                              <Call Name="AppendString" Param1="6" Param2="0" />

2. Add an event source.  Some caveats are:

·         You must have a unique, well-formed GUID for the new source

·         You have to get events of the new source into the log (try ?AuthzReportSecurityEvent? from MSDN)

·         You have to modify AcsConfig.xml to tell the agent(s) to collect the new source

 

 

NB I have used the C/C++ comment syntax throughout this post but note that ACS does not support either C/C++ nor XML style comments in the XML config files it uses

Today I encountered something new in the logon event- I thought that was old hat and I knew all there was to know about that but I guess I was wrong.

The logon event (528/540 prior to Windows Vista, 4624 in Vista and Windows Server 2008) has a field called a Logon Type.  This is a code that is passed into the logon API that tells the authentication system in Windows which policy to check the logon against.  Windows has separate policy checks for network logons, interactive logons, etc., so that you can allow users to access a system in some ways but not in others.

The logon type code is, in C/C++ parlance, an enumerated value- it's an ordered list of numeric values, each with an associated name, and these are defined in a publicly available file in the source code (ntsecapi.h).  In the source code, the values are always referenced by name.

Today on one of the internal aliases someone actually found a logon event with a logon type of 0- I have never personally seen one of these before and 0 is not defined in the SECURITY_LOGON_TYPE enumeration, so I would have assumed that it was a bug- but it turns out that we are aware of this case and use it occasionally for system logons.

So there you are.

Well there has been a lot happening on my old project, ACS (Audit Collection Services, a feature of SystemCenter Operations Manager 2007).

Two more of our partners, Enterprise Certified and NetPro, have released compliance solutions on top of ACS.

Another of our partners with ACS-based compliance solutions, SecureVantage, has started a new blog where ACS is a frequent topic.

Anyway I'm pleased to see that ACS is becoming a successful platform and I'm happy to answer ACS questions!  To you ISV's out there, Joseph and I welcome your questions as well (if we aren't already talking to you).  Let us know who you are so we can stay in touch with you!

OK here's something I just remembered today.  I may be the last person who remembers this so it's important that I record this somewhere.

In the RTM bits of Windows NT 4.0, for the German language release only, someone snuck in a string resource into the auditing message file.  I'm guessing that it was one of our localization engineers, but I don't know- I was over in the support side of things at the time.  I stumbled across the message one day while looking at source code.

Here's Björn's momentous message:  "Björn grüßt den rest der welt".  Basically Björn says hi to everyone.  He's a friendly guy.

This is string resource zero in the message table resource- it's not a code resource, it's properly formed and it's not used by the code anywhere.  You would not know it exists unless you slog through source code (like me) or use a hex editor or string dumper to analyze binaries AND happen to be so bored that you pull out an NT 4.0 RTM German CD and examine msaudite.dll.  NT4 RTM CD's are pretty rare, btw, because we replaced them with slipstream SP1 CD's very shortly after release.

If I remember correctly somebody else came along in a later service pack and changed Björn's name to their own (maybe it was Ulli?  I can't remember and I'm too lazy to find the source- it requires a lot of effort to dig that far back).  I do remember that shortly thereafter there was a huge Easter Egg crackdown here at Microsoft probably brought to a head by the Excel 97 Flight Simulator.  Björn's message of goodwill to mankind was erased forever. 

I did a search using the Officially Santioned Search Engine and the other one too; evidently the internet has forgotten Björn's message.  But I still remember, Björn.

Anyway I thought you might like this bit of arcana.  If you are bored, have a hex editor and a German NT4 CD, knock yourself out...

I got the question last week, why there are so many logon failure events on Windows XP when it is not domain joined.

The short answer is, by design.  (Yes, bad design.)

The longer answer is that the shell team is working around the fact that there is no "tell me if this user account has a blank password" API.

When in a workgroup (not domain joined), Windows XP displays a welcome screen that has little pictures (called "tiles") for each user who is permitted to log on to the computer.

The shell team wanted the experience that when you click on a tile, that you will immediately be logged on if your password is blank (we have good data that a large percentage of home users have blank passwords).  They only want you to be prompted for a password if you actually have a password.  Fair enough, and it also helps with accessibility for people for whom typing is challenging.

The XP Welcome Screen, when it is initialized each time it is to be displayed, attempts to log on each user for which a tile will be displayed, using a blank password.  Users with non-blank passwords will cause failures in this case (other users will cause logon success events followed by logoff success events). [2007-11-21 correction]

The Welcome Screen uses the result of these logon attempts to decide whether to display a password box when you select a user's tile.  If the user has a blank password, they will be logged on instead of being prompted for a password.

Why are they logging on the account?  Well it turns out to be the easiest way to tell if your password is blank.  We don't have a "is your password blank" API- that would be a security disaster- and we would prefer that the shell team not go mucking about in the SAM, retrieving hashes and computing the blank password hash for each account so that it could compare them. 

I asked for this behavior to be changed prior to XP's release.  Specifically I asked that the blank password check be moved from Welcome screen initialization to tile selection- this would still cause logon failures but many fewer of them.  I was declined.  I asked for fixes to it in SP1 and SP2 and was declined.  At this point we will not be revisiting this "feature"; the Welcome Screen was redesigned to eliminate this problem.

The shell team who designed the Welcome Screen did not feel that auditing was a common scenario for workgroup machines, and I didn't (and still don't) have any business case to dispute that.

So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published "Security Event Descriptions".  This article was the "schema" so to speak, for the Windows NT 4.0 security event log events.

Technically Windows events are not schematized until Windows Vista; or put another way the schema is implicit based on the instrumentation in the code- since the event is raised by some function in the code, the "schema" could be interpreted as the parameter order in the call to that function.

Anyway security monitoring types love that article, but I hate it.  It's just better than nothing.  It doesn't state which events map to which audit policy categories.  It does tell you whether the event is a succss or failure event but it doesn't alert you to the cases where the same event is used for success and failure (e.g. event 560).

When Windows 2000 came around and we added two new audit policy categories (DS Access and Account Logon [which was a huge naming blunder]), I wrote an article for the Windows 2000 security events.  However it was so large I broke it into two articles.

I didn't write an article for Windows Server 2003.  At first I didn't think it was necessary because we propagated all the WS03 events to the Technet Events & Errors Message Center web site.  I wrote custom content for the top 30 or so events by volume of searches

(On a side note, did you ever wonder what happens when you click the "More Information" link at the bottom of the Event Viewer event description?  We send the event source, event ID, OS version and so forth to the Technet E&E site and display the content that is returned.  We count the number of hits for each OS Version/Source/Event ID combination and then our writing teams pester the component owners to populate that content.)

Anyway, I was making excu^h^h er, explaining why I didn't write the KB articles for Windows Server 2003 security events.  So I thought the E&E message center would be all that anyone needed.  It didn't strike me as that important that you had to have seen the event (or at least know it exists) before you could use the site.  However since then I have received a large number of requests for the event definitions, mainly from people who were creating security event management solutions.

So here's what I have for you, courtesy of Ned, one of the audit log posse here at Microsoft.  If you want a complete list of WS03 security events, then I suggest you look at chapter 4 of the Windows Server 2003 Security Guide.  This documents the event IDs of all the security events on Windows Server 2003.  Plus, it groups them by policy category, in case you ever wanted to know what you are in for if you enable one of the categories for audit.  If you want the layout of the event (what data is in the description field, and in what order) then just look for that specific event on the Technet E&E site or click the link in the bottom of the event description in Event Viewer.

I've already described how the Vista and Windows Server 2008 (and subsequent releases) event systems are self-documenting, so I won't go into that further here.

One last tip: If you own Microsoft System Center Operations Manager 2007, then you can search for a file called EventSchema.xml on the media.  It is an XML document that describes one possible normalization all the security events from Windows 2000 forward, and the semantic content of the normalized events.

2007-10-31 UPDATE: There is also an event-id-to-audit-policy-category map here.

A German court has ruled that a government web site may not retain IP addresses and other personally identifiable information (PII) in their logs for any longer than the user is actually using the site.

The judges pointed out that in many cases it was simple to map an IP address to an identity with the help of 3rd parties, and declared that logging IP addresses was a "violation of the right to informational self-determination."

OK whatever.

Germany does not seem to be of one mind regarding logging.  On the one hand their draconian privacy laws (how's that for an oxymoron?) are pretty much in opposition to any meaningful user activity logging.  On the other hand, their law enforcement folks at least seem to know the value of logs, even if they are a little draconian in the other direction.  Finally the article above notes that even the Bundestag, the lower house of the German Parliament, doesn't comply with with the privacy laws that body created- the web site logs and retains PII.

Attention Germany: the privacy horse has left the barn.  Technology has far outpaced the capability of an individual to control where his or her information flows.  Expecting to both receive service from an online provider, and to remain "private" (whatever that means) from the provider, is unreasonable- and in fact denying the provider the right to log prevents the provider from systematically improving service to you.  Logging is a best practice for administrative activity, including maintenance-related activities, marketing & service planning, and security-related activities such as forensics.  Everything generates logs nowadays.  It would probably be better to write laws restricting what can be done with logs rather than to outlaw logging.  In this manner you could mitigate abuses such as those by the ambulance chasers but still provide organizations of all sorts, including the government itself, the information they need to do their jobs.

As I wrote about earlier, TorrentSpy, a file-sharing search engine, was ordered by a U.S. magistrate to enable logging on its servers and to subsequently make those logs available to the MPAA, the plaintiff in an illegal file-sharing lawsuit against TorrentSpy.  They have lost their appeals and as a result have decided to block US IP addresses from their web servers (which will effectively ensure that no information interesting to the MPAA will reach their logs).  This ruling also puts copyright law squarely at odds with privacy rights, as pointed out by the Electronic Frontier Foundation.  The whole case seems to hinge on the fact that the judge interpreted the fact that information such as IP addresses temporarily reside in a computer's RAM as meaning that information is "stored" by the computer and therefore discoverable; many computer experts reject that argument.  More analysis of the implications of the ruling are found here.

Researchers in the state of Ohio in the United States have discovered that by analyzing the logs produced (by law) from e-voting machines used in certain counties, they can determine the vote(s) each voter made.  Further, the logs, by law, must be produced on demand, as part of our open elections process.

I haven't read the in-depth reports and analysis.  It appears to me that the manufacturers of the voting machine anticipated the risk of vote correlation with voters and tried to mitigate it by separating the vote log from the voter log.  However they mitigated this very poorly as (1) only one voter can apparently use the machine at a time and (2) every thing the machine does is logged and (3) every log entry is timestamped.  So simply separating the "Voter X logged on" records into one log, and the "Vote cast for candidate Y" records into another log seems to be a pretty naive solution.

I normally try to stay away from politics and commentary on my blog, because I don't want to alienate anyone.  But this is not a political issue.  Here in the United States we have problems with elections.  It doesn't matter which party you are in, there are things to be unhappy about.  The machines we have built to make elections easier seem to have made things much harder- from the "hanging chads" we had in the 2000 elections to the current pain we're having with voting machine certification.

The audit trail problem with voting machines is daunting.  How do you simultaneously accomplish the goals of (1) allowing only authorized individuals to vote (2) exactly once per election, regardless of location (4) the votes cannot be tampered with after being cast (or at least tampering is evident), (5) the votes can be tallied quickly (in a matter of only a few hours, (6) all of these steps can be accomplished in such a way that even if he voter wishes it, the vote cannot be correlated with the voter, and (5) a recount can reproduce all the same results with these same election characteristics (maybe we can relax the time window) without the voters physically being present.

Punch card and optical scan systems opt for auditing the voter before handing them the ballot, and the ballots themselves are the audit trail of the votes (and are not numerically linked with the voter).  These systems would seem to be pretty foolproof but there are systemic problems with both: the hanging chads and butterfly ballot problems were with punch card systems, and optical scan systems in general have a fairly high error rate, and all of these problems are largely due to users who fail to follow instructions which are critical to accurate operation of the machines which tally the votes.

Coupled with the fact that many e-voting systems are getting poor reviews from security researchers, I would be much more comfortable as a voter slowing down on e-voting until we work out the kinks.

Hello,

Today we published the January Security Bulletin Webcast Questions & Answers page. We fielded nine questions on various topics during the webcast, including bulletins released, deployment tools, and update detection tools. There were two questions during the webcast that we were unable to answer and we have included those questions and answers on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, February 15 at 11am PST (UTC -8), when we will go into detail about the February bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, February 15, 2012
Time: 11:00 a.m. PST (UTC -8)
Register: Attendee Registration

Thanks,
Angela Gunn
Trustworthy Computing

Hello. As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing seven security bulletins, one of which is rated Critical in severity, with the remaining six classified as Important.

These bulletins will address eight vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on the sole critical update:

• MS12-004 (Windows Media Player): Vulnerabilities in Windows Media Player Could Cause Remote Code Execution. This bulletin – the only one in January’s set to include multiple CVEs – addresses two issues that could arise if a would-be attacker sent a malicious MIDI or DirectShow file to a targeted user. Both of these issues were cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild. Still, we recommend that customers read through the bulletin information concerning MS12-004 and apply it as soon as possible.

In the video at the bottom of this post, Pete Voss discusses this month's bulletins in further detail.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.

As you may remember, last month we announced a bulletin addressing the SSL issue we described in Security Advisory 2588513. Days before release, we noted a compatibility problem that might have affected certain users of third-party products, and decided to hold that bulletin until we could complete further investigation. We’re-releasing that bulletin today as MS12-006; we’re also providing further information and guidance to customers with a Knowledge Base article and a Fix-it that will be useful in certain installation circumstances.

As usual, our colleagues in SRD have prepared blog posts that delve more deeply into technical details of this month’s releases. In addition to a discussion of this month’s deployment priorities, SRD has a post examining some of the finer points of MS12-001, which addresses an Important-class issue affecting the SafeSEH security mitigation, and an overview of the aforementioned MS12-004.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Pete Voss and Dustin Childs. I invite you to tune in and learn more about the January security bulletins, as well as other announcements made today. The webcast is scheduled for tomorrow, January 11, 2012, at 11 A.M. PST. Click here to register.

Thanks,
Angela Gunn
Trustworthy Computing.

Hello. Today we’re releasing our advance notification for the January security bulletin release, which is scheduled for Tuesday, January 10. This month’s release includes seven bulletins addressing eight vulnerabilities in Microsoft Windows and Microsoft Developer Tools And Software. As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

We’ll release all seven bulletins on Tuesday, January 10 at approximately 10 a.m. PST. Revisit this blog on Tuesday for our official risk and impact analysis, along with deployment guidance and a video overview of the release.

In addition, eagle-eyed readers of the summary page will notice an unusual vulnerability classification, “Security Feature Bypass,” for one of our Important-severity bulletins. SFB-class issues in themselves can’t be leveraged by an attacker; rather, a would-be attacker would use them to facilitate use of another exploit. For those interested in learning more, we expect the SRD blog to publish a detailed analysis of the matter on Tuesday.

Please join Dustin Childs and Pete Voss for a webcast on Wednesday. They’ll go into detail about the bulletins and answer questions live on the air. See below for registration information.

Date: Wednesday, January 11
Time: 11:00 a.m. PST (UTC -8)
Click Here To Register

Thanks,
Angela Gunn
Trustworthy Computing

Hello,

Today we published the December 2011 Out-of-Band Security Bulletin Webcast Questions & Answers page. We fielded 41 questions on the subject of MS11-100 . There were four questions during the webcast that we were unable to answer and we have included those questions and answers on the Q&A page.

We invite our customers to join us for the next public webcast scheduled for Wednesday, January 11, 2012 at 11 a.m. PST (UTC -8), when we will go into detail about the January 2012 bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, January 11, 2012
Time: 11:00 a.m. PDT (UTC -8)
Register: Attendee Registration

Thanks,
Pete Voss
Sr. Response Communications Manager
Microsoft Trustworthy Computing

Hosts:              Jonathan Ness, Security Development Manager, MSRC

                          Pete Voss, Sr. Response Communications Manager, Trustworthy Computing

Website:         TechNet/Security

Chat Topic:     December 2011 Out-Of-Band Security Bulletin Release

Date:               Thursday, December 29, 2011

Q: How are Denial of Service, Tampering, Information Disclosure orSpoofing issues rated?
A: The Exploitability Index only attempts to rate vulnerabilities that can be leveraged for code execution. Vulnerabilities that could allow denial of service, tampering, information disclosure or spoofing will receive an Exploitability Index rating of "3." The notes for that particular CVE will also reflect the nature of the vulnerability.

Q: One angle I'm interested in is those Microsoft products that might use forms authentication, such as Exchange 2010 or TMG 2010. If we're using forms authentication there, does that mean we're vulnerable?
A: Any products that are using ASP.NET forms authentication will be secured with this update. This includes SharePoint and Exchange, when they are using ASP.NET forms authentication. If these products are using a Forms Authentication module other than the one provided by ASP.NET, then the issue addressed in this bulletin does not apply to you. 

Q: Why does Windows Update on Windows 2008 servers show this update, but the check-box next to it is un-checked? What is the difference between patches that are checked by default and those that are not checked?
A: In the case of "Important Updates", an update that is in the "PENDING" state will be unchecked when you view it in Windows Update. This means it is already queued for downloading. You can manually override this to start the download manually by checking the box next to the update. 

Q: Please confirm that if an IIS instance is installed that we are at risk for one of the CVE's and therefore we should patch ASAP. The assumption is that the server has IIS without .NET components.
A: By default, IIS is not installed with .NET and by default, .NET is not installed by ASP.NET. Customers would first need to have installed .NET framework with ASP.NET in order to be vulnerable to the vulnerabilities documented by MS11-100.

Q: What level of testing or specific tests is recommended for applications using ASP.NET? Is it highly likely that the hashing change will impact applications using the framework?
A: Microsoft recommends that customers test this update before deploying. There is a change in how forms authentication occurs and will require updates to be deployed at the same time across server environments. Click here for more about forms authentication.  

Q: Can sample DoS requests be provided to allow us to understand what the DOS signature may look like so we can test the patch as well as monitor our production environments until the patching is completed?
A: For more technical information regarding MS11-100, please see the SRD blog, where we have shared a short signature detecting this issue.

Q: Is this critical to environments where there are no Internet-facing systems? And what if there is no IIS installed on the workstation -- is it atrisk?
A: Exploitation requires ASP.NET installed and to be exposed to input from unauthenticated users. Typically this is through IIS. If workstations do not have ASP.NET or IIS installed, then those systems are not exposed. 

Q: In the Critical Elevation of Privilege can the attacker elevate is privilege only if they have the username without having the password? Can we have machines with the fix and without the fix working with each other?
A: Yes, the attacker only needs the username to carry out the attack. The fix involves changing the format of the forms authentication ticket, so that unpatched and patched machines cannot work with each other. So after patching you cannot have machines with the fix and without it working together, unless you set a configuration setting on the patched machines. For details, please read the FAQ for this CVE for more information on applying updates to web farms.

Q: For CVE-2011-3414, is there a requirement of authentication to exploit the DoS vulnerability successfully?
A: No, CVE-2011-3414 is anunauthenticated Denial of Service.

Q: What could be a potential impact on server running IIS with custom code? In short, can this update impact server or service to go down after installation? Do you have any suggestions on installation on web servers running custom code?
A: This update is specifically for ASP.NET, but the issue that was disclosed is an industry-wide issue concerning hash collisions. So, it is possible for your custom code to be affected, but you will need to investigate what kind of hash-tables your custom code uses and if it operates on untrusted user data.

Q: Is there a client-side patch that will protect users that fall for phishing attacks and visit websites that have not patched?
A: As clients are not affected by server-sided vulnerability, the security update does need to be installed on the server. 

Q: If the main target is Internet facing systems with IIS & ASP.NET installed, should I concentrate on patching my webservers first before patching client systems?
A: Prioritization for this update would be specific to users’ environments, but servers that are internet-facing and accept input from unauthenticated or untrusted user-provided content are most affected and should be prioritized. Likewise, clients are typically not in a web server role, and so systems that are running a web server role should be prioritized. 

Q: What steps can I take to reproduce and see if/how my site is affected, and so I can confirm the issue is gone after applying the patch?
A: For the protection of customers, Microsoft does not disclose proof of concept code (POC). The technical details of this issue are however public.

Q: If Microsoft .NET Framework is installed on an IIS Server, does this mean that ASP.NET is also installed but possibly not enabled?
A: Whether you have the .NET Framework (and ASP.NET) installed on a machine will depend upon the specific OS platform. Windows Server 2008, Windows Server 2008 SP2, Windows Server 2008 R2 and Windows Server 2008 R2 SP1 all ship with the .NET Framework 2.0 or higher, which includes ASP.NET, and you should install the corresponding patches listed in the security bulletin. If you are using an older Server OS such as Windows Server 2003 SP2 x86, then that platform includes .NET Framework 1.1 SP1, and you should install the corresponding patch listed in the security bulletin. 

Q: From a desktop browsing experience, this update will patch Windows XP, Vista and 7. If machines do not have IIS installed and enabled, as well as ASP.NET enabled, is the criticality of this update reduced? For example if the user goes to an internet site, would their desktop PC be vulnerable? It seems to be mostly if you have IIS and ASP.net installed and acting as a web server.
A: If you have a client machine with no ASP.NET installed, then your desktop PC would not be vulnerable to the particular security issues that are being addressed in this update.

Q: ASP.Net has been identified for the DoS. How about classic ASP/ISAPI applications? Is it just a .Net hash-table issue? And has the Microsoft Foundation Class / ATL / Visual Basic 6.0 been checked?
A: This is an industry-wide issue that could affect a broad spectrum of technologies. Since ASP.NET was at the greatest risk because of the public disclosure, we have focused our efforts so far on making sure we secure ASP.NET. We are actively investigating other technologies where this could be vulnerable and so far we do not think that classic ASP is vulnerable. Information on other affected technologies will be revealed as the issue develops.

Q: So just to be clear, Exchange 2010 Outlook Web Access isn't vulnerable to the privilege of escalation? Just to the DOS?
A: OWA 2010 can be configured for forms-based authentication. Based on this, it should be considered vulnerable. If there is any doubt, Microsoft KB Article 2638420 discusses parameters you can check for to verify if an application is using forms auth. Specifically, to determine whether your application uses forms authentication,
examine the System.web file. Applications that use forms authentication use the following entry in System.web file: <authentication mode="Forms">

Q: What tools are available to remotely scan systems to see if they’re vulnerable -- that is, that IIS and ASP are installed and active?
A: The Detection and Deployment Tools and Guidance section in the security bulletin provides information on how to identify systems to which this update applies. If you want to identify whether a system has IIS installed with ASP.NET enabled, the answer depends on the operating system that each system is running.

Q: Are only webservers vulnerable? We have limited personnel this weekend for QA and deployment. Are we pretty much covered if we just deploy to systems in our DMZ this weekend and then rest of the enterprise next week?
A: Prioritization for this update would be specific to users’ environments, but servers that are internet-facing and accept input from unauthenticated or untrusted user provided content may be at greater risk than internal servers. 

Q: Sites that disallow "application/x-www-form-urlencoded” or “multipart/form-data” HTTP content types are not vulnerable. Is this set to disallow by default? How do we verify if it is set to disallow?
A: No, application/x-www-form-urlencoded or multipart/form-data are not disallowed by default. Customers will need to explicitly disallow these. Customers can do this by using IIS request filtering. 

Q: Forms authorization login from TMG/ISA doesn't use ASP.NET. Is it still vulnerable?
A: TMG is not exposed and is not related to the ASP.NET issue described in the bulletin.

Q: Do you suggest immediate patching of all servers (internal/external) or just of externally available servers and allow internal servers to be patched during the next patching cycle?
A: Once again, prioritization for this update would be specific to each user’s environment, but servers that are internet-facing and accept input from unauthenticated or untrusted user provided content may be at greater risk than internal servers. 

Q: Is the critical CVE related to forms authentication only an issue if the site is configured to support forms authentication without cookies? Or, are all forms authentication implementations impacted?
A: No, this issue applies to all types of ASP.NET forms authentication, cookie and cookie-less.

Q: For CVE 2011-3414, does the patch change the size of request header accepted, place controls on the amount of CPU that can be used, or change the hashing functions used?
A:The security update addresses this issue by limiting the number of inputs ASP.NET accepts from clients.

Q: Does this patch limit the number of parameters passed in the post request? If so, what is the new limit? I am trying to determine what application problems may arise after applying the update.
A: The security update addresses this issue by limiting the number of inputs ASP.NET accepts from clients. If you are interested in changing the number of parameters passed in the post request, please see the section of the bulletin titled Workarounds for Collisions in HashTable May Cause DoS Vulnerability - CVE-2011-3414. 

Q: Can the normally scheduled January bulletins be installed independently of the critical one?
A: Yes, Future security updates can be installed independently of this issue. Microsoft does recommend all customers always read security updates to ensure they fully understand any known issues that may be documented in the security bulletin.

Q: Is the attack vector based on the server or the client? Do we concentrate on server or desktop side first?
A: The vulnerabilities in the bulletins are primarily focused on systems operating in a Web server role that use ASP.NET. Clients are typically not in a web server role.

Q: Could you provide more detail around the 3rd mitigation factor -- specifically the account registration procedure?
A: I am assuming this question is about the first mitigating factor for CVE-2011-3416: forms authentication bypass. Essentially, to pull off an Elevation of Privilege attack, the attacker would need a valid account on the system they are trying to compromise and the user name of the target of the attack.

Q: Can an ASP.NET site (e.g. SharePoint 2010 site) using authentication (NTLM/Kerberos) come under the DoS attack as described in CVE-2011-3414 by an unauthenticated user?
A: NTLM/Kerberos authentication changes the attack vector of the vulnerability. An ASP.NET site can come under a DOS attack – however, the attacker would then need to be authenticated. 

Q: Will this affect -- or will I need to be aware of -- this update impacting ASP.NET session and machine key settings in IIS for a load balanced environment, where all machine keys are matches to make sure sessions are the same across a server farm?
A: This update changes the way in which forms authentication tickets are created, so all servers would need to use the old or the new ticket format in order to maintain compatibility. Please refer to Knowledge Base Article 2659968 for deployment guidance for this update.

Q: What about servers that have IP address access limitations? Since we are resource-limited, we'd like to skip these servers that are only allowing certain IPs to access IIS.
A: As we’ve mentioned, prioritization for this update would be specific to users environments, but servers that are Internet-facing and can accept input from unauthenticated or untrusted user provided content may be at greater risk than internal servers. Servers that have additional protections may reduce the potential attack risk of these vulnerabilities. Customers are encouraged to analyze their own environments.

Q: We have ASP.NET prohibited in in our Web Service Extensions -- IIS 6. Are we still vulnerable?
A: No. If ASP.NET is not enabled, you are not vulnerable.

Q: The Section Workarounds for Collisions in HashTable May Cause DoS Vulnerability - CVE-2011-3414 in the bulletin is confusing. Is it required to put this script and then install the update? 
A: Workaround refers to a setting or configuration change that does not correct the underlying vulnerability, but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality. Customers are always encouraged to apply the security update. The workarounds are not a prerequisite for installing the security update.

Q: If TMG is not affected then, if TMG is protecting an Exchange 2010 server and the TMG is handling the forum authorization, would the patch for an Exchange server be necessary?
A: Although firewall solutions could protect systems behind the firewall it is important to understand the types of traffic that that FW may proxy to servers behind it. Systems behind the firewall are still vulnerable to internal attacks and have vulnerable code and should be updated to be properly protected.

Q: Is AppSettings.MaxHttpCollectionKeys the new parameter that contains the maximum number of form entries?
A: Yes it is.

Q: For ASP.NET on Internet-facing systems requiring authentication, does an attacker have to have a valid user name AND the valid password to carry out an attack?
A: No. The only requirement is to have the target's username, and *any* valid account on the system.

Q: Will any forms authentication tickets generated before the patch is applied be rendered invalid once the patch is applied? 
A: Yes. The change in the forms authentication ticket format will render all pre-patch tickets invalid once the update is applied.

Q: Our ASP.NET application requires large file uploads and requires our <httpRuntime maxRequestLength="200”/> to be set to 102400. How will we be able to handle that and not remain vulnerable?
A: The maxRequestLength setting is just a workaround. You will not need to worry about this after applying the security update and can remove any previously set workaround configurations.

Q: These updates run on Windows clients whether or not IIS or ASP is installed. Are the updates not effective in this case?
A: By default, IIS is not installed with .NET and by default, .NET is not installed by ASP.NET. Customers would first need to installed .NET framework with ASP.NET in order to be vulnerable to the vulnerabilities documented in MS11-100.

Q: Will there be changes to WSUS to only show the patch needed when ASP.NET is installed?
A: Updates that shipped in the security bulletin today are updates for the .NET Framework component. As such, the detection logic for these updates scans for different versions of the .NET Framework and offers the appropriate patch. The patches will be offered as long as the .NET Framework (which contains ASP.NET) is installed and irrespective of whether ASP.NET is registered and in use or not.

Q: For CVE-2011-3414, would one machine perform a denial of service based on the hash algorithms the server hosting the page has to consume?
A: Yes, one machine could effectively perform a denial of service, should it launch the correct type of attack.

Q: How much of live client-side authentication is vulnerable? Or is it server-side only (patch your servers, and client side is only vulnerable to the redirected site)?
A: The LiveID authentication system is not forms-based.  Therefore, the forms-based authentication vulnerabilities do not affect LiveID.  Further, it is all server-side and at this point we have applied the security update to our LiveID servers.

Hello,

Today we released Security Update MS11-100 to address the issue described in Security Advisory 2659883.

The security update has a severity rating of Critical and resolves a publicly disclosed remote unauthenticated Denial of Service issue in ASP.NET versions 1.1 and above on all supported versions of .NET Framework. Of note, the new method of hash collision attacks used to exploit this vulnerability is an industry-wide issue affecting various Web platforms, including ASP.NET.

While we have seen no attacks attempting to exploit this vulnerability, we encourage affected customers to test and deploy the update as soon as possible. Consumers are not vulnerable unless they are running a Web server from their computer. More technical details can be found at the Security Research & Defense Blog.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Dave Forstrom
Director
Microsoft Trustworthy Computing

Hello,

Today we’re providing advance notification for an out-of-band security update to address the publicly disclosed issue described in Security Advisory 2659883. The release is scheduled for tomorrow, December 29, at approximately 10 a.m. PST.

The bulletin has a severity rating of Critical and addresses a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework. While we’re currently unaware of any attacks targeting ASP.NET, we encourage all customers to test and deploy the update when it is available.

We will also hold a special edition webcast on Thursday, December 29 at 1 p.m. PST. Click here to register.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,

Dave Forstrom

Director

Microsoft Trustworthy Computing

Hello,

Today we published Security Advisory 2659883 to provide a workaround to help protect ASP.NET customers from a publicly disclosed vulnerability that affects various Web platforms industry-wide. We are not aware of any attacks using this vulnerability, which affects all supported versions of .NET Framework, however we recommend customers use the mitigation and workaround described in the Advisory to help protect sites against this new method to exploit hash tables.

Our teams are working around the clock worldwide to develop a security update of appropriate quality to address this issue. Meanwhile, our Security Research & Defense team has written a blog post to explain how to know if you are vulnerable and detect exploitation, as well as background on the workaround. We are also working closely with our Microsoft Active Protections Program (MAPP) to help our partners build protections when and where possible. We will continue to update customers with new information as it becomes available.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Dave Forstrom
Director
Microsoft Trustworthy Computing

Hello,

Today we published the December Security Bulletin Webcast Questions & Answers page. We fielded six questions on various topics during the webcast, including bulletins released, deployment tools, and update detection tools.

For more details on this month’s bulletins, click here to view the slide deck used in the webcast. See below to view the webcast.

We invite our customers to join us for the next public webcast on Wednesday, January 11, 2012 at 11am PST (UTC -8), when we will go into detail about the January bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, January 11, 2012
Time: 11:00 a.m. PST (UTC -8)
Register: Attendee Registration

Thanks,
Jerry Bryant
Group Manager, Response Communications
Microsoft Trustworthy Computing

Hosts:             Jonathan Ness, Security Development Manager, MSRC
                        Jerry Bryant, Group Manager, Trustworthy Computing Communications

Website:         TechNet/Security

Chat Topic:     December 2011 Security Bulletin Release

Date:               Wednesday, December 14, 2011 

Q: Some of my users had issues with text being deleted from Word documents. Is this an issue with the Office security bulletin? 
A: We are not aware of any issues ofwords being removed from the document. If this continues, please contact support at 1-866-PC-SAFETY.

Q: You said that MS11-090 only applied to Windows XP and Windows Server 2003, but my WSUS is showing it needed for my Windows 7 and Windows Server 2008 & 2008 R2 machines.
A: The MS11-090 bulletin is a Cumulative Security Update of ActiveX Kill Bits. It addresses a new CVE that only affects Windows XP and Windows Server 2003, but also contains kill bits for various third party software, and affects a broader set of platforms than just Windows XP and Server 2003. 

Q: Will raising the Excel macro security level to high and ensuring that all macro code is digitally signed mitigate the Excel risks for this month?
A: The December Excel update fixes a vulnerability in the document parsing functionality in excel. This functionality is invoked when an Excel document is loaded into the Excel Application. While limiting macros execution in Excel is good security practice, it will not help you if trying to use it to mitigate the issue addressed by the December Excel update.

Q: Is there a link to the work-around fix for the Duqu-type open font vulnerability that you discussed?
A: The Workaround section for the CVE-2011-3402 in the MS11-087 bulletin explains how to apply and undo the workaround, and it also contains links to Fix It related to these operations.

Q: Once Office File Validation updates are installed, we have had some instances of Excel and Word documents opening very slowly across our network. You mentioned that Office File Validation can help reduce attack vectors. Can you share any information on the effects of installing Office File Validation?
A: We released a fix to increase the performance of opening across the network.The fix is documented in KB2570623.

Q: On my WSUS server, I searched MS11-088 and KB2596511 was found but KB2647540 was not found. As the Detection & Deployment indicates through the Download Center, should KB2596511 be approved through WSUS and KB2647540 be manually applied? Is KB2596511 complete on WSUS?
A: KB2647540 is currently only available via the Download Center. The update will also be provided through our other standard distribution methods once testing has been completed to ensure distribution will be successful through these channels. 

Hi everyone – Mike Reavey here. Today, we’re releasing our December set of security updates. As we do every month, we're providing a heads-up on what’s coming in this month’s release as well as offering links to more information so you can plan your deployment. However, since this is the last set of regular monthly security updates this year, I thought I’d take a minute to look back at some of the discoveries the MSRC made in the process of issuing the year’s bulletins.

Decrease in Critical Issues and Bulletins

As far as individual issues, Critical-class CVEs accounted for less than a third of the issues we addressed in bulletin releases for the first time since we began our monthly bulletin-release cadence in 2004. And in absolute numbers, Critical-class CVEs are at their lowest levels since 2005. The fact that we’re seeing lower percentages of Critical issues and bulletins year-over-year demonstrates progress made by the product groups in creating more secure software.

With this regularly scheduled monthly release, our bulletin count for 2011 is 99, with 13 released today. Of those, we determined 10 to be Important-class bulletins, with only three classified as Critical in severity. In 2011, Critical-class bulletins represented just 32 percent of all bulletins – the lowest percentage since we began our monthly bulletin-release cadence in 2004 and, again, the lowest absolute number since 2005. Interestingly, for the second half of the year the numbers are even lower, with under 20 percent of bulletins released in the last six months rated Critical in severity.

Even though there are fewer Critical-class security updates year-over-year, we know that any update has the potential to be disruptive for customers. And so we work hard to make our update process as smooth and transparent as possible for customers – with no surprises. As part of that commitment, in 2011 we were able to address reported security issues effectively without resorting to emergency releases outside of the regular scheduled monthly releases. We understand the disruption that these “out-of-cycle” releases create for customers, and we take the decision to release an update out of cycle very seriously. Effective coordination with product teams, greater use of threat telemetry, the ability to release workarounds, and the ability to release defenses through partners like those in Microsoft’s Active Protection Program (MAPP) have all helped us to release all our 2011 bulletins in the usual monthly process. We’re glad about that, even though we will always reserve the right to release out-of-cycle if the situation merits it.

We also know that a large part of addressing security issues effectively and quickly is dependent on how we work with the community that finds and reports vulnerabilities to us. In 2011, over 80 percent of the issues we addressed were disclosed in a coordinated process. During the second half of the year that rose to over 85 percent. We believe that reporting vulnerabilities in a coordinated manner helps better protect customers and the broader Internet ecosystem and we’re glad that so many in the industry share this sentiment.

However, we didn’t rest on just those numbers.  We continued our work with the community, and in the summer of 2011 we made a series of announcements culminating in the kickoff of our first-ever Blue Hat Prize, which will award over a quarter of a million dollars to researchers breaking ground on defensive technologies. This initiative encourages researchers to bring to life mitigations that could potentially address entire classes of vulnerabilities. It’s a big project and we’re incredibly excited about the contest entrants we’ve seen so far. We’ll have more information on the Blue Hat Prize in 2012...we don’t want to spoil the excitement for anyone just yet.

Defensive Technology at Play
2011 also brought strong examples of how defensive technologies can increase the security of the software people use every day. For example, two of the more exciting developments of the year here at the MSRC centered on new and improved mitigations for older versions of Windows and Office. After announcing it in December, we launched Office File Validation (OFV) in April. OFV extends our “Gatekeeper” technology -- effective at detecting and blocking potentially dangerous binary-format files from opening in Office 2010 -- to the 2007 and 2003 editions of Microsoft Office.  Since release, approximately 200 million machines have added OFV to their protection arsenal.

And in February, we made an unprecedented change to how Autorun behaves when you insert a USB key on Windows XP and Vista systems. The change reduced the number of infections that rely on Autorun by 59 percent on Windows XP machines and by 74 percent on Windows Vista machines, in comparison to 2010, with a 68 percent year-to-year overall decline in infections for all PCs running all versions of Windows. That’s a staggering change for the better.

As we approach 2012, we’ll continue to deliver the best-tested, highest-quality bulletins possible while facing the security challenges the new year poses. Whatever’s ahead, we’ll continue to work internally, and with the researchers and partners, to find new approaches to security response while keeping customer protection, as always, as our first priority.

Thanks --

Mike Reavey
Senior Director, MSRC

Hello. As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing 13 security bulletins, three of which are rated Critical in severity, and 10 Important.

These bulletins will increase protection by addressing 19 unique vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on these critical updates:

• MS11-092 – Windows Media: Vulnerability In Windows Media Could Allow Remote Code Execution
• MS11-087 – Windows: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

Why 13 bulletins and not 14, as we stated in the ANS announcement on Thursday? After that announcement, we discovered an apps-compatibility issue between one bulletin-candidate and a major third-party vendor. We’re currently working with that vendor to address the issue on their platform, after which we’ll issue the bulletin as appropriate. As ever, we’d much rather withdraw a potential bulletin than ship something that might inconvenience customers, however limited that inconvenience in scope. The issue addressed in that bulletin, which we have been monitoring and against which we have seen no active attacks in the wild, was discussed in Security Advisory 2588513.

In the video below, Jerry Bryant discusses this month's bulletins in further detail.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Jonathan Ness. I invite you to tune in and learn more about the December security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, December 14, 2011 at 11 A.M. PST. Click here to register.

Thanks,
Angela Gunn
Trustworthy Computing.

Hello all. Before we look at next week’s bulletin release, we’d like to point out an update to our Microsoft Active Protections Program (MAPP) that should provide customers with greater transparency as to how MAPP partners use the information we share with them when we release security advisories.

As you know, we work closely with our MAPP partners to share information on issues as they arise, thus extending protections to the greatest possible number of computers on the Internet. As of our most recent Security Advisory, we’ve started a new process of listing the partners who have confirmed that they released protection within 96 hours after the advisory release on a special Web page.   Naturally not every Advisory applies to every partner, so we do not expect them all to report protections in place for every individual Advisory.   

Meanwhile, in a minor procedural note, those of you who prefer to print out the bulletins and have missed that functionality in recent months will be pleased to hear it’s back. Look for the small grey printer icon at the upper right corner of the bulletin.

Today we’re releasing our advance notification for the December security bulletin release, which is scheduled for Tuesday, December 13. This month’s release comprises 14 bulletins addressing 20 vulnerabilities in Microsoft Windows, Office, Internet Explorer, Microsoft Publisher, and Windows Media Player. All 14 bulletins will be released on Tuesday, December 13 at around 10 a.m. PST. Revisit this blog on Tuesday for our official risk and impact analysis, along with deployment guidance and a video overview of the release. We’ll also be looking at some interesting trends in bulletin releases over the course of 2011, with insight on those from MSRC Senior Director Mike Reavey.

As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

Please join Jonathan Ness and Jerry Bryant for our public webcast on Wednesday. They’ll go into detail about the bulletins and answer questions live on the air. Register at the link below:

Date: Wednesday, December 14
Time: 11:00 a.m. PST (UTC –8)
Registration:  https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032487961&culture=en-us

Thanks,

Angela Gunn
Trustworthy Computing.

Follow us on Twitter: @MSFTSecResponse

Hi everyone,

As a follow-up to Friday’s blog post, today we released Security Advisory 2641690 to notify customers that we revoked the trust of DigiCert Sdn.Bhd in an update that moves two Intermediate Certificate Authorities (CA) certificates to the Microsoft Untrusted Certificate Store.

We made this decision after Entrust, Inc., a CA in the Microsoft Root Certificate Program, notified us that one of its subordinate CAs issued 22 certificates with weak 512 bit keys, a violation of Microsoft’s Root Certificate Program requirements. At this time, there is no indication that the certificates were issued fraudulently but with this update, we are proactively protecting customers from potential issues.

There is no action for customers who have enabled Automatic Updates as the update, which applies to all supported versions of Microsoft Windows, will be downloaded and installed automatically.

The two certificates include:

• Digisign Server ID – (Enrich) issued by Entrust.net Certification Authority (2048)
• Digisign Server ID (Enrich) issued by GTE CyberTrust Global Root

DigiCert Sdn. Bhd (Digicert Malaysia) is a Malaysian subordinate CA under Entrust and Verizon (GTE CyberTrust), and is not related to DigiCert Inc., which is a member of the Windows Root Certificate Program.

For more information, please see Security Advisory 2641690.

Thanks --
Jerry Bryant
Group Manager, Response Communications
Trustworthy Computing Group

Hello,

On this November Update Tuesday, we’re recapping the BlueHat conference, which Microsoft hosted in Redmond last week. We are also releasing four security updates, so please read on for details.

Microsoft hosted its 11th installment of the BlueHat conference Nov. 2-4. The event featured presentations from hand-picked security researchers about current and emerging security threats. By fostering dialogue, and constantly engaging with the security researcher community, we’ve learned that, for the most part, we share one common goal; to provide protection. Here’s a short video showing what attendees had to say about this year’s event.

To protect customers, as I mentioned in the Advance Notification Service blog post this month, we are releasing four security updates, which will increase protection by addressing four privately reported CVEs in Microsoft Windows. As always, customers should plan to install all of these updates as soon as possible. There is one bulletin, however, that we want to call out as a priority for our customers:

• MS11-083 (TCP/IP): This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow Remote Code Execution if an attacker sends a continuous flow of specifically crafted UDP packets to a closed port on a target system.

Again, we encourage all customers prioritize MS11-083 this month.

In the video below, Jerry Bryant discusses this month's bulletins in further detail.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Dustin Childs. I invite you to tune in and learn more about the November security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, November 9, 2011 at 11 A.M. PT. Click here to register.

You can also follow the MSRC team on Twitter at @MSFTSecResponse for all the latest information.

Thanks,
Pete Voss
Sr. Response Communications Manager
Microsoft Trustworthy Computing

Hi everyone,

Today we released Security Advisory 2639568 to provide customer guidance for the Windows kernel issue related to the Duqu malware. I would like to provide you information on how to protect your system(s), how we are addressing the issue, and insight into our threat landscape monitoring capabilities.

The security advisory provides a workaround that can be applied to any Windows system. To make it easy for customers to install, we have released a Fix it that will allow one-click installation of the workaround and an easy way for enterprises to deploy.

To further protect customers, we provided our partners in the Microsoft Active Protections Program (MAPP) detailed information on how to build detection for their security products. This means that within hours, anti-malware firms will roll out new signatures that detect and block attempts to exploit this vulnerability. Therefore we encourage customers to ensure their antivirus software is up-to-date.

Additionally, our engineering teams determined the root cause of this vulnerability, and we are working to produce a high-quality security update to address it. At this time, we plan to release the security update through our security bulletin process, although it will not be ready for this month’s bulletin release.

Finally, given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk. As previously stated, the risk for customers remains low. However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue.

Thanks --
Jerry Bryant
Group Manager, Response Communications
Trustworthy Computing Group

Hi everyone,

This post is to notify customers that Microsoft will revoke trust in an Intermediate Certificate Authority, DigiCert Sdn. Bhd. (Digicert Malaysia) in an update to be released through Windows Update.

DigiCert Sdn. Bhd is a Malaysian subordinate CA under Entrust and Verizon (GTE CyberTrust).  There is no relationship between DigiCert Malaysia and DigiCert Inc., which is a member of the Windows Root Certificate Program.

Microsoft was notified by Entrust, Inc, a certificate authority in the Microsoft Root program, that a Malaysian subordinate CA, DigiCert Sdn. Bhd issued 22 certificates with weak 512 bit keys.  Additionally, this subordinate CA has issued certificates without the appropriate usage extensions or revocation information.  This is a violation of the Microsoft Root Program requirements (http://technet.microsoft.com/en-us/library/cc751157.aspx).

There is no indication that any certificates were issued fraudulently, however, these weak keys have allowed some of the certificates to be compromised.  These compromised certificates could allow an attacker to impersonate the legitimate owner and make a user believe they are trusting a website or signed software that was created for malicious use.

The subordinate CA has clearly demonstrated poor CA security practices and Microsoft intends to revoke trust in the intermediate certificates. 

Thanks,

Jerry Bryant

Group manager, Response Communications, Trustworthy Computing

Hello,

As we do each month, we're providing advance notification on the release of four security bulletins, one Critical, two Important, and one Moderate, to address four CVEs in Windows.

As usual, the bulletin release is scheduled for the second Tuesday of the month, Nov. 8, at approximately 10 a.m. PT.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Pete Voss
Sr. Response Communications Manager
Microsoft Trustworthy Computing

Hello,

Today we published the October Security Bulletin Webcast Questions & Answers page. We fielded eight questions across all bulletins. There was one question that we were unable to answer during the webcast due to time constraints, and we have included all questions and answers on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, November 9th at 11am PDT (UTC -7), when we will go into detail about the November bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, November 9th, 2011
Time: 11:00 a.m. PST (UTC -7)
Register: Attendee Registration

Thanks,
Jerry Bryant
Group Manager, Response Communications
Microsoft Trustworthy Computing

Hello,

On this October Update Tuesday, we are releasing the 11th volume of the Security Intelligence Report, SIRv11, which puts zero-day vulnerabilities into context against other global threats. We are also releasing eight security updates so please read on for details.

A new method of analyzing malware distribution indicates that in the first half of 2011 zero-day issues account for a very small percentage of actual infections. The results from our analysis concluded that none of the top malware families in the first half of 2011 were known to be distributed through the use of 0-days, and while some smaller families did take advantage of 0-day vulnerabilities, less than 1 percent of all exploit attempts were against zero-day issues.

The key takeaway from SIRv11 is how malware is actually being distributed – social engineering, Autorun feature abuse, file-infection, exploits (with updates available) and brute force password attacks. Many of these attacks can be avoided with fundamental security practices, such as downloading security updates once available or ensuring that you have Automatic Updates enabled on your system. Automatic Updates help to ensure that computers are protected against new and ongoing security threats and that Windows continues to function smoothly.

Speaking of which, as we do each month, today we are releasing security updates to help protect customers. As I mentioned in the Advance Notification Service blog on Thursday, today we are releasing eight security bulletins, two of which are rated Critical, the remaining rated Important.

These bulletins will increase protection by addressing 23 unique CVEs in Microsoft products. As always, customers should plan to install all of these updates as soon as possible. There are two bulletins that we want to call out as priorities for our customers:

• MS11-081 (Internet Explorer): This security update resolves eight privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
• MS11-078 (.NET Framework & Silverlight): This security update resolves a privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

We encourage all customers prioritize these bulletins this month.

In this video, Jerry Bryant discusses this month's bulletins in further detail:

As noted above, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

More information about this month's security updates can be found on the Microsoft Security Bulletin Summary web page.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Jonathan Ness. I invite you to tune in and learn more about the October security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, October 12, 2011 at 11 a.m. PDT, and the registration can be found here.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Pete Voss
Sr. Response Communications Manager
Microsoft Trustworthy Computing

Hello,

As we do each month, we're providing advanced notification on the release of eight security bulletins, two Critical and six Important, to address 23 vulnerabilities across Internet Explorer, .NET Framework & Silverlight, Microsoft Windows, Microsoft Forefront UAG, and Microsoft Host Integration Server.

As usual, the bulletin release is scheduled for the second Tuesday of the month, October 11, at approximately 10 a.m. PDT.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Pete Voss
Sr. Response Communications Manager
Microsoft Trustworthy Computing

Hello. Today we released Security Advisory 2588513, addressing an information-disclosure issue in SSL (Secure Sockets Layer) 3.0 and TLS (Transport Layer Security) 1.0 to provide guidance for customers. This is an industry-wide issue with limited impact that affects the Internet ecosystem as a whole rather than any specific platform. Our Advisory addresses the issue via the Windows operating system.

We are not aware of a way to exploit this issue in other protocols or components, and we have no reports of exploitation in the wild at this time; our investigation continues, but our research so far indicates that customers are at minimal risk. To successfully exploit this issue, the would-be attacker must meet several conditions:

• The targeted user must be in an active HTTPS session;
• The malicious code the attacker needs to decrypt the HTTPS traffic must be injected and run in the user’s browser session; and,
• The attacker’s malicious code must be treated as from the same origin as the HTTPS server in order to it to be allowed to piggyback the existing HTTPS connection.

In addition, due to the fashion in which this man-in-the-middle exploit operates, a would-be attacker would need a fairly high-bandwidth connection to the target.  Later versions of TLS (1.1 and 1.2) are not susceptible to this approach; our Security Advisory gives guidance on how to enable TLS 1.1 and 1.2 for customers who believe themselves to be at significant risk from this issue.

For further information on the nature of the issue, please see “Is SSL broken? – More about Security Advisory 2588513” on the SRD blog.

If you haven’t done so already, we suggest that you register for our security alerts (via email or RSS) on the Microsoft Technical Security Notifications page.

Thanks --
Jerry Bryant
Group Manager, Response Communications
Trustworthy Computing Group

Today, Microsoft re-released KB2616676 non-security update for customers using Microsoft Windows XP and Windows Server 2003, which addresses an issue described in the “known issues” section of KB2616676.  Customers who have enabled automatic updates are already protected and no further action is required, and others are recommended to download the cumulative version of the KB2616676 to protect themselves from the fraudulent certificates listed in Security Advisory 2607712.

Thanks,

Dave Forstrom,

Director, Trustworthy Computing

Hello,

Today we published the September Security Bulletin Webcast Questions & Answers page. We fielded 15 questions primarily regarding the Diginotar Certificate compromise and the associated Security Advisory. There was one question that we were unable to answer during the webcast due to time constraints, and we have included all questions and answers on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, October 12th at 11 a.m. PDT (-8 UTC), when we will go into detail about the September bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, October 12, 2011
Time: 11:00 a.m. PDT (UTC -8)
Register: Attendee Registration

Thanks -

Jerry Bryant

Group Manager, Response Communications
Trustworthy Computing Group

In an effort to protect customers, last week we released Security Advisory 2607712 along with a non-security update to add fraudulent DigiNotar certificates to the Windows Untrusted Certificate Store. Today, we are releasing another update (2616676), adding six additional DigiNotar root certificates that are cross-signed by Entrust and GTE, to the Untrusted Certificate Store. Update 2616676 supersedes 2607712 and contains the full list of certificates which are:

• DigiNotar Root CA
• DigiNotar Root CA G2
• DigiNotar PKIoverheid CA Overheid
• DigiNotar PKIoverheid CA Organisatie - G2
• DigiNotar PKIoverheid CA Overheid en Bedrijven
• DigiNotar Root CA Issued by Entrust (2 certificates)*
• DigiNotar Services 1024 CA Issued by Entrust*
• Diginotar Cyber CA Issued by GTE CyberTrust (3 certificates)*

Today, we are also releasing five Important security bulletins as part of our regular monthly release cycle to help protect customers using Microsoft Windows and Microsoft Office. As always, we encourage that customers test and deploy all security updates as soon as possible to protect their systems, but because we did not rate any of September’s updates Critical, we are not giving any a level 1 deployment priority.

In this video, Jerry Bryant discusses this month's bulletins in further detail:

Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index ratings (click for larger view).

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Dustin Childs. We invite you to tune in and learn more about the September security bulletins, and ask any questions you might have. We’ve scheduled the webcast for Wednesday, September 14, 2011 at 11 a.m. PDT and you can register here.

You can also follow the MSRC team on Twitter at @MSFTSecResponse  for all the latest information.

Thank you,

Pete Voss
Trustworthy Computing

UPDATE: We have updated the Known Issues section of KB 2616676 to notify customers using Windows XP and Windows Server 2003 who downloaded update 2616676, that the update only contains the latest six digital certificates that are cross-signed by GTE and Entrust. These update versions do not also contain the digital certificates that were included in update 2607712. Customers who install update 2607712, and then install update 2616676, will be protected against the fraudulent certificates described in Security Advisory 2607712.