MalwareInfo.Org Blog

This blog has been discontinued...

2011-04-18T00:58:00.000+05:30

This blog has been discontinued. Please click on the link on the top right pannel to visit Malwareinfo.Org Blog

Microsoft Security Updates - April 2011

2011-04-07T07:50:00.001+05:30

Operation b107 - Rustock Botnet Takedown - Using the knowledge gained during its takedown of the botnet Waledac just over a year ago, the Microsoft Digital Crimes Unit (DCU) has successfully taken down a larger, more notorious and complex botnet known as Rustock, which had an estimated infection count above one million computers and was capable of sending billions of spam messages per day. Learn more more on The Official Microsoft Blog

Earthquake in Japan- How to Help While Avoiding Donation Fraud - When we hear about a disaster like the earthquake in Japan, many of us try to think of ways we can help. Read this Security Tips & Talk blog post for valuable tips you can pass on to your end users to help them avoid online donation scams.

Microsoft Security Bulletin Summary for March, 2011
http://www.microsoft.com/technet/security/bulletin/ms11-mar.mspx
Security Bulletin Overview for March 2011
Microsoft Security Response Center (MSRC) Blog Post http://go.microsoft.com/?linkid=9683067

Forefront Security TechCenter - http://technet.microsoft.com/en-gb/forefront/default.aspx
Please note that if you have feedback on documentation or wish to request new documents - email isadocs@microsoft.com

Forefront Threat Management Gateway 2010 homepage
http://technet.microsoft.com/en-gb/forefront/ee807302.aspx

The ISA Server Product Team Blog (http://blogs.technet.com/isablog/) is updated on a regular basis. Latest entries include:
New WIKI Article by Yuri Diogenes–”Forefront TMG 2010 Survival Guide”
http://blogs.technet.com/b/isablog/archive/2011/02/27/new-wiki-article-by-yuri-diogenes-forefront-tmg-2010-survival-guide.aspx

Forefront Unified Access Gateway 2010 Technical Resources
http://technet.microsoft.com/en-gb/forefront/edgesecurity/ee907407.aspx
For comments, feedback, and requests, contact the Forefront UAG User Assistance team at uagdocs@microsoft.com.
Forefront Unified Access Gateway Product Team Blog
The UAG Product Team Blog (http://blogs.technet.com/edgeaccessblog) is updated on a regular basis. Latest entries include:
No place like HOD
http://blogs.technet.com/b/edgeaccessblog/archive/2011/03/15/no-place-like-hod.aspx

Security Tip of the Month- Improving Security Using Attack Surface Analyzer - Learn how to use Attack Surface Analyzer, a free tool from Microsoft, to better understand the aggregate attack surface change that may result from the introduction of line-of-business (LOB) applications to the Windows platform.

Microsoft Security Compliance Manager - The Microsoft Security Compliance Manager (SCM) will help you plan, deploy, operate, and manage your security baselines for the most widely used Microsoft technologies. Learn more about this free tool—which includes security baselines for Windows Server 2008 R2, Microsoft Office 2010, Windows 7, and Internet Explorer8—then check out tips for getting started and answers to answers to frequently asked questions.

Infrastructure Planning and Design Guide for Malware Response - Looking to limit the risk of malware infection? This new guide can help your organization determine the best and most cost-effective response strategy for malware outbreaks. Learn how your quick decisions can return systems to operation while limiting your exposure then download the guide.

Malicious Software Removal Tool - Need to check your computers for malware infection? Download the Microsoft Windows Malicious Software Removal Tool. Updated monthly and available in x86 and x64 versions, the tool checks Windows Vista, Windows 7, Windows XP, Windows 2000, and Windows Server 2003 computers for, and helps remove, infections by specific, prevalent malicious software-including Blaster, Sasser, and Mydoom. When the detection and removal process is complete, the tool displays a report describing the outcome including which, if any, malicious software was detected and removed.

Getting Started with the SDL Threat Modeling Tool - Find tips to help you get started with the Microsoft Security Development Lifecycle (SDL) threat modeling approach and learn how to use the tool to develop great threat models as a backbone of your security process. Available as a free download, the SDL SDL Threat Modeling Tool helps engineers analyze the security of their systems to find and address design issues early in the software lifecycle.

Microsoft Baseline Security Analyzer- Frequently Asked Questions - Get answers to frequently asked questions about Microsoft Baseline Security Analyzer (MBSA) 2.2 including system requirements, configuration, scanning, and reporting. MBSA 2.2 provides a streamlined method for IT pros to identify missing security updates and common security misconfigurations.

Detecting Security Bulletins with the Extended Security Update Inventory Tool - The Extended Security Update Inventory Tool is designed to help IT pros identify Microsoft Systems Management Server (SMS) client computers that may need security updates that are not detectable using the existing SMS Security Update Inventory Tool built on MBSA.

Downloads

Keeping Enterprise Data Safe with Office 2010
Keeping Enterprise Data Safe with Office 2010 - Office 2010 Security Whitepaper
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=4a9e2382-f375-43bf-b5d6-dcf9df5c3e37

Business Intelligence Competency Center (BICC) Core System Documentation: Encoding and Unicode Considerations
Describes what you need to know when dealing with Encoding and Unicode in applications built on top of Microsoft solutions.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=4b8c3058-0821-492a-ad3d-5e8ad9a5e9d1

Microsoft Forefront Online Protection for Exchange Service Level Agreement (SLA)
This document has been moved. Please update your links and bookmarks with the new location, listed below.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f5714ed7-f14d-499e-b7d9-3365c9008113

NTFS Chkdsk Best Practices and Performance
This document provides best practices for using NTFS Chkdsk.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=35a658cb-5dc7-4c46-b54c-8f3089ac097a

QFE Rollup Package 2 for System Center Data Protection Manager 2010
This download fixes issues in Microsoft System Center Data Protection Manager (DPM) 2010
Please read KB article 2465832 for complete information.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=d3fabb18-1adb-4c87-a95d-d3c3826d5bfb

Microsoft Exchange Hosted Archive Service Level Agreement (SLA)
This document has been moved. Please update your links and bookmarks with the new location, listed below.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=01c1168f-8f59-4746-9b42-f1166bb7142d

AD CS Step-By-Step Guide
This document describes the steps needed to set up a basic public key infrastructure.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=44315bff-b744-4637-a66b-e69b4955ee45

Update for Windows Mail Junk E-mail Filter [March 2011] (KB905866)
Install this update for Windows Mail to revise the definition files that are used to detect e-mail messages that should be considered junk e-mail or that may contain phishing content.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=aa029fde-f341-44fc-8b85-0c6f3d3c2d69

Microsoft® Windows® Malicious Software Removal Tool (KB890830)
This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=ad724ae0-e72d-4f54-9ab3-75b8eb148356

Microsoft® Windows® Malicious Software Removal Tool (KB890830) x64
This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=585d2bde-367f-495e-94e7-6349f4effc74

March 2011 Security Release ISO Image
This DVD5 ISO image file contains the security updates for Windows released on Windows Update on March 11th, 2011.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=ab55654c-c685-4316-93fc-e3a80cccac71

Suite B PKI in Windows Server 2008
This document provides guidance for the planning and implementation of a Microsoft Windows Server 2008 and Windows Server 2008 R2 public key infrastructure (PKI) using Suite B compliant cryptographic algorithms
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6f319ffa-739e-4fe8-bac3-92547baef7a9

Cross-forest Certificate Enrollment with Windows Server 2008 R2.doc
This paper explains how cross-forest certificate enrollment works. It also provides deployment guidance for cross-forest certificate enrollment in new and existing Active Directory Certificate Services (AD CS) deployments.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=d408be72-7c74-4b19-a2de-fa11858c30b2

Configuring and Troubleshooting Certification Authority Clustering in Windows Server 2008 and Windows Server 2008 R2
This guide describes how to install, configure, and troubleshoot failover clustering with Active Directory Certificate Services in Windows Server 2008 and Windows Server 2008 R2.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=15c75333-be26-4955-a32c-03077daf1631

Certificate Enrollment Web Services in Windows Server 2008 R2
This paper explains how certificate enrollment Web services work in Windows Server 2008 R2. It also provides deployment guidance for certificate enrollment Web services in new and existing Active Directory Certificate Services (AD CS) deployments.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=28b910f8-6374-48dd-a897-11fff62ab795

Active Directory Certificate Services (AD CS)
This download center location contains information related to administering Active Directory Certificate Services (AD CS)
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=d9cbaab9-552b-45f0-a8ac-b3cb4009f068

Microsoft SCEP Implementation Whitepaper.
This whitepaper provides an overview of Microsoft implementation for SCEP in the Windows Server 2008 R2
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e11780de-819f-40d7-8b8e-10845bc8d446

Active Directory Certificate Services Upgrade and Migration Guidance
This document discusses the planning and implementation of a Windows Server 2008 Active Directory Certificate Services (AD CS) upgrade and migration from an existing Windows public key infrastructure (PKI), including scenarios and step-by-step instruction.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c70bd7cd-9f03-484b-8c4b-279bc29a3413

Webapps_Webcast_series_Jan_2011_videos
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=a33b795b-f529-4a20-9335-ae2281e756cf

Microsoft IT CISO Perspective on Cloud Security
In this session, you will hear directly from Microsoft’s CISO as he shares his perspective on cloud security.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=d48897ce-e0f5-4bde-a480-c1d6378578b8

Microsoft Forefront Endpoint Protection 2012 Privacy Statement
Microsoft Forefront Endpoint Protection 2012 Privacy Statement
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e72065f9-c08d-4c50-b785-b98416b530e3

SharePoint Server 2010 site and content security worksheet
Use this worksheet to record inherited and unique permissions, and record which groups need what level of access.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=478a6cdf-8b3c-4b2e-993f-be07715466a6

SharePoint Foundation 2010 site and content security worksheet
Use this worksheet to record inherited and unique permissions, and record which groups need what level of access.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=3ce0858d-0d59-4f70-8a55-1e493ea7c742

Events/WebCasts

Security Webcast Calendar http://go.microsoft.com/fwlink/?LinkId=37910
Find security webcasts listed in an easy-to-use calendar format.

Upcoming Security Webcasts
http://www.microsoft.com/events/security/upcoming.mspx

MSDN Webcast: Security Talk: Using the Attack Surface Analyzer (Level 200)
Thursday, April 07, 2011 1:00 P.M.-2:00 P.M. Pacific Time
TechNet Webcast: Information About Microsoft April Security Bulletins (Level 200)
Wednesday, April 13, 2011 11:00 A.M.-12:00 P.M. Pacific Time

On-Demand Security Webcasts
http://www.microsoft.com/events/security/ondemand.mspx

News

Windows Internet Explorer 9 Released to Web
You can now download Internet Explorer 9. Check out the latest features for IT professionals, and get guidance to help you pilot and deploy this enterprise-ready browser in your organization with the Springboard Series for Internet Explorer 9.
http://windows.microsoft.com/en-US/internet-explorer/products/ie/home
http://technet.microsoft.com/en-us/ie/default

Visual Studio 2010 Service Pack 1 now available
Visual Studio 2010 Service Pack 1 includes a host of improvements and fixes based on your feedback, including a local Help Viewer, Silverlight performance tuning, .NET 3.5 unit testing, IntelliTrace for 64-bit and SharePoint, and much, much more.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=75568aa6-8107-475d-948a-ef22627e57a5&displaylang=en

Microsoft App-V 4.6 Service Pack 1 and MED-V 2.0 Released
Microsoft Desktop Optimization Pack (MDOP) 2011, featuring Microsoft App-V 4.6 Service Pack 1 (SP1) and MED-V 2.0, is now available. App-V 4.6 SP1 makes App-V packaging easy, fast, and predictable, and MED-V 2.0 is easier to use than ever, with no dedicated infrastructure required
http://blogs.technet.com/b/mdop/archive/2011/03/09/app-v-4-6-sp1-and-med-v-2-0-are-available-as-part-of-mdop-2011.aspx

Downloads

Group Policy Settings Reference Windows Internet Explorer 9
This spreadsheet lists the policy settings for computer and user configurations included in the administrative template files (admx/adml) delivered with Windows Internet Explorer 9.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=21e84c24-b967-4d6d-850a-5eb554d18447

VMM 2012 Beta Eval (VHD)
System Center Virtual Machine Manager 2012 delivers industry leading fabric managment, virtual machine management and services deployment in private cloud environments.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=76002803-4fe8-4573-a76d-6b2b11adfe58

System Center Virtual Machine Manager (VMM) 2012 Beta Documentation
This download provides technical documentation for the Beta release of VMM 2012.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f7c174f2-1d39-4fed-9778-3f41b84f744b

Server App-V Beta Documentation
The beta documentation for Microsoft Server Application Virtualization (Server App-V) is available in this download.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=d24bbf9b-9d9c-4966-90e5-575852c9258b

Microsoft Windows Server 2008 Hyper-V Common Criteria Guide
This is the supplemental administrator guidance documentation that was used in the Common Criteria evaluation of Microsoft Windows Server 2008 Hyper-V.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=cb19538d-9e13-4ab6-af38-8f48abfdad08

System Center Virtual Machine Manager 2008 R2 Service Pack 1 – Evaluation
System Center Virtual Machine Manager 2008 R2 SP1 (VMM) is a comprehensive management solution for the virtualized data center. It enables increased physical server utilization, centralized management of virtual machine infrastructure, and rapid provisioning of new virtual machines by the administrator, delegated administrator, and authorized end users.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9189bbce-d970-4c6c-9dd3-9e65798ecd70

BranchCache Learning Roadmap
This learning roadmap provides you with links to prerequisite information you need to understand and deploy BranchCache, and also provides links to BranchCache information from level 100 to level 300. In addition there are links to optional information that will enhance your ability to expand and manage your BranchCache deployment.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=cda652cf-c954-4b78-9e1b-7a660dc3b867

Microsoft Desktop Virtualization Data Sheets
Learn how Microsoft Desktop Virtualization Solutions can empower organizations to provide employees with the flexibility to work everywhere on a range of devices, while simplifying compliance and business continuity through a centralized and unified management infrastructure.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=81d1d1b8-e0e2-43c1-be91-6a5382f8ac39

Managing Microsoft Desktop Virtualization
Learn about managing desktop virtualization solutions with Microsoft technologies..
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=59e220ee-e7a1-4f8e-a86a-538b854c5e18

Microsoft RemoteFX for Remote Desktop Virtualization Host Capacity Planning Guide for Windows Server 2008 R2 Service Pack 1
This white paper is intended as a guide for capacity planning of Microsoft RemoteFX in Windows Server 2008 R2 Service Pack 1.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=679193cb-9b74-4590-a2be-00bde429c990

Remote Desktop Session Host Capacity Planning in Windows Server 2008 R2 and Microsoft RemoteFX in Windows Server 2008 R2 with Service Pack 1
This white paper is intended as a guide for capacity planning of RD Session Host in Windows Server 2008 R2 and RemoteFX in Windows Server 2008 R2 with Service Pack 1 (SP1).
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=ca837962-4128-4680-b1c0-ad0985939063

Events/Webcasts
Full list can be found at: http://www.microsoft.com/events/default.mspx

Interactive Webcast Calendar
The interactive calendar will help you quickly find live webcasts that fit your schedule as well as on-demand webcasts to view at your convenience. You can choose your time zone and filter this list by audience, webcast series, product or topic, and presenter.
http://www.microsoft.com/events/webcasts/calendar/monthview.aspx

Monthly Archived Webcasts:
http://www.microsoft.com/events/webcasts/library/default.mspx

April WebCast Calendar
http://www.microsoft.com/events/webcasts/calendar/MonthView.aspx?stdate=4/1/2011&audience=0&series=0&product=0&presenter=0&tz=0

New KB's
Problems with Windows 7 parsing MCCS information - http://support.microsoft.com/kb/2515532
“Access Denied” error trying to rename a file on share available offline -
http://support.microsoft.com/kb/2457622
Event ID 7000 or 7026 may be logged in the System log on a computer that is running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008 - http://support.microsoft.com/kb/933757
Error message when installing RSAT: 'This update is not applicable to your computer' - http://support.microsoft.com/kb/2517239
Display Changes Resolution on Windows 7 While Pressing Win+P Hot Key and Select Duplicate When Only One Monitor is Connected -
http://support.microsoft.com/kb/2518084
The GetGlyphOutline() function incorrectly returns glyphs from the GulimChe font in Windows 7 - http://support.microsoft.com/kb/2447659
A DNS Update is recorded as failed: Event ID 5774, 1196, or 1578 - http://support.microsoft.com/kb/977158
Windows 7 stops responding when you print to a Bluetooth printer - http://support.microsoft.com/kb/2461648
[SDP 3][506d1864-dc2a-493c-be61-defc84fbcd60] Volume License Activation - Windows 7 and Windows Server 2008 R2 - http://support.microsoft.com/kb/2518799
[SDP 3][10678477-8f52-4968-8848-01305cbcc3c1] Performance - Windows 7 and Server 2008 R2 - http://support.microsoft.com/kb/2516512
Microsoft inbox DSM may not perform well on system with many processors - http://support.microsoft.com/kb/2517251
Using Hyper-V with large sector drives on Windows Server 2008 and Windows Server 2008 R2 - http://support.microsoft.com/kb/2515143
Remote Desktop or RemoteApp session does not terminate due to spawned splwow64.exe process - http://support.microsoft.com/kb/2513330
Physical Memory Limits in Crash Dump files for Windows 7 and Windows 2008 R2 - http://support.microsoft.com/kb/2510168
Group Policy Editor incorrectly displays value for drop-down box data in Group Policy settings if opened maximized - http://support.microsoft.com/kb/2494205
The DNS Zone Transfer setting is not retained in Windows Server 2008 - http://support.microsoft.com/kb/2514953
You cannot manage a remote DNS server by using RSAT or the DNS MMC on Window Server-based computers - http://support.microsoft.com/kb/2514936
A static record is not updated to a dynamic record as expected in the Windows Server MMC - http://support.microsoft.com/kb/2514994
Directory Services - Windows 7 and Server 2008 R2 - http://support.microsoft.com/kb/2515358
A hotfix is available to update the Daylight Saving Time for Chile for Windows Operating Systems - http://support.microsoft.com/kb/2519231
MS11-015: Description of the security update for Windows XP Media Center Edition 2005: March 8, 2011 - http://support.microsoft.com/kb/2502898
MS11-017: Description of the security update for Remote Desktop client 5.2: March 8, 2011 - http://support.microsoft.com/kb/2483618
Offline File Synchronization – In Windows 7 the "Work Offline/Work Online" option button disappears from Windows Explorer after an offline / online transition and the Client Side Cache remains offline until the next restart of the computer - http://support.microsoft.com/kb/2512089
A device may be displayed as the default icon on the network map when the network has more than 10 hosts - http://support.microsoft.com/kb/2506718
Keys in the CNG user interface are always described as having no description in Windows 7 or in Windows Server 2008 R2 - http://support.microsoft.com/kb/2507840
A black screen is displayed when a Windows 7 SP1-based or Windows Server 2008 R2 SP1-based computer tries to enter hibernation - http://support.microsoft.com/kb/2496744
MS11-017: Vulnerability in Remote Desktop client could allow remote code execution: March 8, 2011 - http://support.microsoft.com/kb/2508062
MS11-017: Description of the security update for Remote Desktop client 7.0: March 8, 2011 - http://support.microsoft.com/kb/2483614

Microsoft Security updates for December

2010-12-18T08:32:00.001+05:30

Our top 10 security stories of 2010

What computer security topics do our readers care about most? Take a look at our most popular articles and blog posts from the past year.

Security updates for December 14, 2010
The bulletin for December includes 17 security updates, including updates for the Windows operating system, Microsoft Office, and the Windows Internet Explorer browser.

Microsoft security news

Watch out for fake "Security Essentials 2011"

Fake security software that claims to protect your PC from malicious software, but instead infects your PC with it, is on the rise. Watch out for fake "Microsoft Security Essentials 2011."

Preview the new Internet Explorer 9 privacy feature

With "Tracking Protection" in the next version of Internet Explorer, you can prevent companies from tracking your behavior online. Learn more about the new feature in this interview with two Microsoft security executives.

See the results of a recent Microsoft survey on cyberbullying

New research by Microsoft shows that parents and educators are concerned about cyberbullying, but it's still not a top priority for schools. Read the complete findings.

Check out the Microsoft Safer Online team on Facebook

If you're on Facebook and want to keep up with the latest security news, check out our Safer Online page. It's full of great tips to help you and your family be safer online.

Protect your computer

Using the family PC to shop for a gift?

Cover your tracks with InPrivate Browsing in Internet Explorer 8, which removes all evidence of your browsing and search history.

Windows XP users: Avoid "Free Public Wifi" rogue software

If you use Windows XP and have tried to connect to a public wireless network, you might have seen a "Free Public Wifi" network available. Don't connect - this is malicious software that will infect Windows XP-based computers without the latest security updates.

How to create strong passwords

Get the secrets to creating passwords that cybercriminals can't crack - and you can remember. Plus, learn common password pitfalls to avoid.

Protect yourself and your family

6 rules for safer financial transactions online

Finishing up your holiday shopping online? Remember to follow these six basic rules to minimize the risks and help protect your credit card information.

Keep an eye on your kids' Internet use

Your kids are online and you're busy. Windows Live Family Safety can help. This free download lets you monitor your kids' online activities, choose which websites they can visit, and even set time periods when they can use the computer.

Xbox 360 and Kinect: Your questions answered

Is your child using the new Kinect sensor to control the Xbox 360 entertainment system? Are you wondering about your child's privacy and online safety when using the technology? This list of frequently asked questions and answers can address your concerns.

Security resources

About this Microsoft newsletter
Microsoft Security for Home Computer Users is a monthly newsletter bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive more technical security information, see the Microsoft Security Newsletter.

The fight against botnets: Are we winning?

2010-11-13T12:44:00.001+05:30

Are you using an older operating system? If you are, your computer is more susceptible to infections from bot-related malicious software. That's according to the just-released Microsoft Security Intelligence Report covering the first half of 2010.

Read about this and other key findings in the report, which focuses on the battle against botnets. The report outlines the progress that Microsoft and others have made, but indicates there is still much work to do.

Security updates for November 9, 2010
The bulletin for November includes three security updates: two for Microsoft Office and one for Microsoft Forefront Unified Access Gateway.

Microsoft security news

Online safety conference going on now
Microsoft is the top sponsor of the annual Family Online Safety Institute conference - the preeminent online safety conference of its kind - which is going on now in Washington, D.C. Peter Cullen, Chief Privacy Strategist at Microsoft, is delivering the keynote address today.

Free virus protection for your small business
Security Essentials, the no-cost antivirus and antispyware software from Microsoft, is now available for small businesses. Learn more and download today.

Bullying Prevention Conference to be held in Seattle
The seventh annual International Bullying Prevention Association conference will take place in Seattle November 15-17. Jacqueline Beauchere, Director of Privacy and Online Safety Communications in the Microsoft Trustworthy Computing group, will deliver the keynote address.

Microsoft Digital Crimes Unit versus the cybercriminal
Can cybercriminals be caught and prosecuted? That was a question posed by one of our readers. Get the answer, and learn more about the Microsoft Digital Crimes Unit.

Protect your computer

Firewalls in versions of Windows
Depending on which operating system is on your PC, you might already have a firewall and it might already be turned on for you. Learn how to check your firewall settings.

How to uninstall Security Essentials
If you want to uninstall Microsoft Security Essentials antivirus software, here's how to do it.

Misplaced your Windows Phone? Easily find and secure it
Do you have a new Windows Phone? See how to use the new Find My Phone feature to track down your phone if it's missing and help protect your data until you can retrieve the phone.

Protect yourself and your family

Do your holiday shopping safely online
Avoiding the crowds and shopping online this holiday season? Use these tips to make sure you're shopping at secure and trustworthy websites.

How to report possible fraud
Have you received an email message that you suspect is a scam or visited a website that seems fake? Find out how to report these and other potential phishing scams.

"I've been mugged! Send money!"
If your friends are getting scam email messages that are supposedly from you, your email address has likely been hijacked. Here's what to do.

Security resources

About this newsletter
Microsoft Security for Home Computer Users is a monthly newsletter bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive more technical security information, see the Microsoft Security Newsletter.

Internet Explorer 9 - Webcast Series

2010-10-18T22:10:00.001+05:30

Internet Explorer 9: Designed to help the web development community create rich, interoperable, standards-compliant web applications by providing the platform, tools, and features for the future web. Tune in to this exclusive webcast series on Internet Explorer 9 to explore cool new features of this next generation browser and to create the next big thing on the web.

Do Join the webcast sessions between 18th October & 22nd October, 2010 at 2:30 pm.

Date & Time

Webcast Topic

October 18, 2010
(2:30 pm - 3:45 pm)

Internet Explorer 9: Cool New Features of the Next Generation Browser
By Saranya Sriram

This is the first session of the IE9 webcast series aimed at giving an all up view of IE for end users and developers. We will talk about the top new features in IE9 including the hardware accelerated graphics and text, HTML 5 support, UI innovations, Windows 7 integration, fast, clean & trusted performance, private one box, site mode , new JavaScript engine and many more. The key take away from this session will be to gain an insight to the various new additions and support provided by IE9. Join us to get a glimpse of IE9 and take back power.

Click here on the day of the event to join the session!

October 19, 2010
(2:30 pm - 3:45 pm)

Chakra - The New Javascript Engine in Internet Explorer9
Aditee Rele/ Sandeep J Alur

Internet Explorer 9 is powered by a new Javascript engine called 'Chakra'. The engine takes browsing experience to new heights and provide great experience to end users. Join this session to explore the technical building blocks of IE 9 & Find out the how IE 9 provides power browsing experience to end users.

Click here on the day of the event to join the session!

October 20, 2010
(2:30 pm-3:45 pm)

Internet Explorer 9: Improved Interoperability through Standards Support
Aditee Rele/ Sandeep J Alur

Abstract: What you see is what you get (WYSIWYG) is the most desired end result when a developer builds a website targeting multiple browsers. With increased focus on user experience and evolving standards, it becomes overtly complex for developers in lighting up websites for multiple browsers. This session focuses on how IE 9 compliments interoperability and promotes 'same mark-up across browsers' strategy.

Click here on the day of the event to join the session!

October 21, 2010
(2:30 pm - 3:45 pm)

Internet Explorer 9 & Windows 7: A Unique Browsing Experience
Aditee Rele/ Sandeep J Alur

Jumplists are a unique capability of Windows 7 which enables users to directly access a specific feature of an application. Internet Explorer 9 provides a unique browsing experience by enabling a site to be treated like any other application on Windows 7. Find out how to light up a site for Windows 7 using IE 9

Click here on the day of the event to join the session!

October 22, 2010
(2:30 pm - 3:45 pm)

New Tools for Developers in Internet Explorer 9
Harish Ranganathan

Internet Explorer 9.0 provides built-in developer tools to aid developers in rapid prototyping, testing, and debugging webpages. In addition, IE 9 is equipped with tools like user-agent switching tool, a network traffic inspector, an improved JavaScript profiler, and integrated support for new web standards. This session will show some of the cool F12 developers tools and Windows Live integration.

Click here on the day of the event to join the session!

Please note:

Audio Issues: Please follow these steps to resolve any audio issues if you face during the session:

1. Click on Voice and Video button in the Live Meeting Console and then un-mute the speaker's icon from there.

	If the speaker's icon is greyed out, please close the session and join the meeting again.
	If you see Join Audio under Voice & Video tab, then click on it to connect to the audio.

2. In case the Speaker Icon on the top menu bar is disabled, then exit the current session and re-join. Please ensure that you have:

	Windows Media Player 9 or above, you have Windows Live Meeting 2007 installed and you are not trying to view the session on Internet Explorer.
	Please ensure that you have adequate bandwidth.
	Also, the computer Audio controls should not be set to 'mute'.

Conference Centre: If you are still unable to troubleshoot the audio problem, you have the option to connect to the conference centre and hear the session broadcast.

Dial 1-203-4808000 or 1-866-500-6738 (Toll-Free through Skype) and enter 2989570 (this passcode will be same for all the Internet Explorer 9 webcast sessions) as participant passcode to connect to the Webcast session.

Microsoft News Letter - Has your browser been hijacked?

2010-10-15T21:44:00.000+05:30

Has your browser been hijacked?
If your home page or other settings on your web browser have suddenly changed, your browser may have been hijacked. (If you use Microsoft Security Essentials or other antimalware software from Microsoft, the tool might have detected browser hijacking software on your computer and changed your home page to protect you.

Learn what browser hijacking is and how to tell if your browser has been affected. If you think your browser has been hijacked, take these six steps to help restore it.

Security updates for October 12, 2010

The bulletin for October includes 16 security updates: 10 for the Windows operating system, 2 for Microsoft Office, 1 for Windows Media Player, 1 for the Windows Internet Explorer browser, 1 for the Microsoft .NET Framework, and 1 for Microsoft server software.

Microsoft security news

October is National Cyber Security Awareness Month
This year Microsoft is teaming up again with the National Cyber Security Alliance and the U.S. Department of Homeland Security to promote safer Internet use. Find out how to strengthen your computer's defenses.

Microsoft works with Demi and Ashton on new initiative to protect children
Learn how Microsoft is collaborating with Demi Moore and Ashton Kutcher, actors and founders of the Demi and Ashton Foundation, to find new ways to use technology to help protect children from sexual exploitation and abuse.

See the latest findings from Microsoft online safety research
Did you know that 70 percent of U.S. hiring managers have rejected a job candidate based on information found online about that candidate? Read about this and other findings from online safety research commissioned by Microsoft.

Microsoft security chief outlines a future for protecting PCs
In a recent blog post, Scott Charney, corporate vice president of trustworthy computing at Microsoft, called for a collective technology policy to certify the health of computers and restrict the Internet access of PCs infected with malware.

Protect your computer

Botnets: Are you protected?
Criminals can use malicious software called bots to make your PC perform automated tasks over the Internet without you knowing it. When many PCs are infected, they form a network called a "botnet." Find out how to help protect your PC.

Safety tips for using gadgets
Gadgets are free mini programs that offer quick desktop access to your favorite information. Here's how to download and use them more safely.

Fix computer problems remotely
Is someone you know having a PC issue? You don't need to be there to fix it. Learn how to use Windows Live Messenger and the Windows Live safety scanner to diagnose and fix problems remotely.

Protect yourself and your family

Identity theft: Myth vs. fact
Identity theft usually happens on the Internet - true or false? Get the facts about this common misconception, and learn how to help protect your identity both online and offline.

Free tools to help increase your safety online
Microsoft recently released several free tools and resources to help you increase your safety and privacy online. See what they are and find links to download them.

Surf more safely with SmartScreen
The SmartScreen Filter is a feature in Internet Explorer that helps detect fraudulent websites. Learn how to use SmartScreen to surf more safely.

Security resources

Security Articles from MS this month

2010-10-12T11:39:00.001+05:30

Security

Microsoft Malware Protection Center  Website | RSS Feed
Prehistoric Virtual Machines  - 08-Oct-2010

Microsoft Security Response Center MSRC  Website | RSS Feed
Advance Notification Service for October 2010 Security Bulletin  - 07-Oct-2010

Security Bulletins Comprehensive  Website | RSS Feed
Microsoft Security Bulletin Advance Notification for October 2010  - 07-Oct-2010

Security Products Forefront

Forefront Product Suite  Website | RSS Feed
Microsoft acquires AVIcode Inc. to extend application management to the cloud  - 07-Oct-2010

Forefront Server Security  Website | RSS Feed
Hotfix rollup 3 for Forefront Security for Exchange Server SP2 and hotfix rollup 3 for Forefront Security for SharePoint SP3 are now available   - 08-Oct-2010

Forefront Threat Management Gateway ISA Server  Website | RSS Feed
TMG Reports stop working after installing TMG 2010 SP1  - 05-Oct-2010

Out-of-band Security Update for ASP.NET Security Vulnerability

2010-09-28T22:14:00.001+05:30

ASP.NET Security Update Shipping Tuesday, Sept 28th

An hour ago Microsoft released an advance notification security bulletin announcing that we are releasing an out-of-band security update to address the ASP.NET Security Vulnerability that Scott has blogged about this past week. The security update is fully tested, and is scheduled for release tomorrow - Tuesday September 28th – at approximately 10:00 AM PDT. The advance notice bulletin is intended to ensure administrators know it is coming, and are better prepared to apply it once the update is available.

We’ll release the update tomorrow via the Microsoft Download Center (He will blog links to the individual downloads for each version of .NET). We will then release the update via Windows Update and the Windows Server Update Service in a few days as we complete final distribution testing via these channels.

Applying the update addresses the ASP.NET Security vulnerability, and once the update is applied to your system the workarounds we have previously blogged about will no longer be required. Until you have installed the update, though, please do make sure to continue using the workarounds.

You can learn more about tomorrow’s security update release from this Microsoft Security Response Center Blog Post as well as the official Advance Notification Bulletin. We will also hold a special webcast for the bulletin release on Tuesday, September 28, 2010 at 1:00 PM PDT, where we will present information on the bulletin and take customer questions. If you are interested in attending the webcast, click here to sign up.

http://blogs.technet.com/b/msrc/archive/2010/09/27/out-of-band-release-to-address-microsoft-security-advisory-2416728.aspx

http://weblogs.asp.net/scottgu/archive/2010/09/27/asp-net-security-update-shipping-tuesday-sept-28th.aspx

Once again great job MS. We have faith in you… :)

How to manually check if the ASP.Net application is vulnerable to ASP.Net Padding Exploitation

2010-09-26T13:55:00.001+05:30

Before I begin, I would like to say that, the actual reason behind the hue and cry about this vulnerability is the fact that the Microsoft Security Advisory 2416728 quoted that this vulnerability can be "further exploited to view data, such as the View State, which was encrypted by the target server, or even read data from files on the target server, such as the web.config file".

Though, there is no available exploit code in the internet that allows us to check the legitimacy of the above statement but it is true that a vulnerability and exploit code that has been disclosed in such a professional manner would definitely not be released to the public. Although, there are tools and scripts such as POET, PadBuster, AspNetPaddingOracleDetector etc. but they fail to justify what Microsoft has quoted in their Security Advisory and it is acceptable that a public release of the actual exploit code will trigger a sudden burst of malicious activities. Seeing the issue from this perspective lets see, how even without the exploit code in place, we can still try to identify if our ASP.Net applications are vulnerable or not.

Before I move on to the steps, let me quickly give a brief idea about one of the most important factors that aid this exploitation mechanism as this will be the key to our manual judgemental skills.

When we send a request to the ASP.Net application, it carries ciphertext (__VIEWSTATE parameter, Cookie parameter etc) with it. For some reason, if the ciphertext is invalid, an exception will be thrown, and the system may act according to one of the following scenarios:
Returns a 500 Internal Server Error
Returns a 404 Not Found Error
Return the ASP.Net Yellow Screen Of Death (YSOD) Exception page with or without Stack Trace depending on customErrors settings in the web.config
Return a page stating only the exception’s message
Return a constant page, stating there was an error, without providing detail. This is actually the Microsoft’s workaround
The default ASP.Net way of taking the user to the login page and swallowing the exception completely without displaying any error

Now, it is these behaviors that will help us to identify if our ASP.Net application is vulnerable or not and if the workaround proposed my Microsoft is helping our application to refrain itself from giving hints of its vulnerability to the attacker. Though, the vulnerability would still remain, but it would take the sting off by at first not letting the attacker know of its vulnerability.

The below image shows the requests made on a sample ASP.Net blog application. I would explain each of these requests and responses.

Request 1 to Request 3 is highlited in red and Request 4 to Request 8 is highlited in green. The requests highlited as red means the application's web.config was not set in the way that Microsoft recommended and the requests highlited as green means the application's web.config was set as per Microsoft's recommendation.

Explanation:

Condition 1: Web.Config doesn’t redirect to a single error page. CustomErrors section reads <customErrors mode="On"/> or <customErrors mode="RemoteOnly"/>

Request 1: When we made a request to the application with a valid ciphertext "GET /Blog/WebResource.axd?d=R7QyY48orpGSFdUDj4AslA2" the application gave the response "200 OK"

Request 2: When we made a request to the application with an invalid ciphertext "GET /Blog/WebResource.axd?d=test" the application gave the the response "500 Internal Server Error" because its an invalid ciphertext.

Request 3: When we made a request to the application with no ciphertext "GET /Blog/WebResource.axd?d=" the application gave the the response "404 Not Found" and also said that " The resource cannot be found" because our request didn’t had a resource request encrypted as a ciphertext.

So we see that the application has behaved in three different ways for three different GET requests.

Condition 2: Web.Config redirect to a single error page. CustomErrors section reads <customErrors mode="On" defaultRedirect="error.aspx"/>

Request 4: Same as Request 1. Since it’s a valid request, the application responds with the response "200 OK"

Request 5: The request is same as Request 2 and since its an invalid ciphertext, it triggers an error "500 Internal Server Error" in the server, but since we have the customErrors module in the Web.Config to handle this, it sees that there is the error.aspx that it should serve, however, for redirection to that resource, it sends the response "302 Found" and also adds the Location header "Location: /blog/error.aspx?aspxerrorpath=/Blog/WebResource.axd" to the response so that the client knows its current location. Thus, what it has done is, it has supressed the "500 Internal Server Error" error.

Request 6: The client makes a request for the new resource that came with the previous response. In our case, it’s the "GET /blog/error.aspx?aspxerrorpath=/Blog/WebResource.axd". This request is processed and the error.aspx page served resulting in a "200 OK" response from the server.

Request 7: Similar way, when we request to the application with no ciphertext, it triggers an error "404 Not Found" in the server, but again we have the customErrors module in the Web.Config to handle this, it sees that there is the error.aspx that it should serve, however, for redirection to that resource, it sends the response "302 Found" and also adds the Location header "Location: /blog/error.aspx?aspxerrorpath=/Blog/WebResource.axd" to the response so that the client knows its current location. Thus, what it has done is, it has supressed the "404 Not Found" error.

Request 8: The client makes a request for the new resource that came with the previous response. In our case, it’s the "GET /blog/error.aspx?aspxerrorpath=/Blog/WebResource.axd". This request is processed and the error.aspx page served resulting in a "200 OK" response from the server.

What we have seen is, in simple words, if the application is throwing different errors for different scenarios then it reveals the vulnerability because, on the basis of the different error code that is returned by the web server the atacker can guess if the ciphertext was decrypted properly. By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text. Thus, if the application is showing different errors like the above three requests (Request 1 to Request 3) then its revealing its vulnerability.

Furthermore, for added safety, it is recommended that the error.aspx should have a random, small sleep delay. This will obfuscate the time required to serve the error.aspx on even of an error, thus obfuscating the nature of the error further.

The code of the error.aspx with the random sleep delay can be found on the Microsoft Security Advisory 2416728 page.

Exception event that shows signs of the padding oracle exploitation attack

2010-09-25T21:12:00.001+05:30

The below post shows the exception event that shows signs of the attack in progress. Also, found some Dynamic IP Restriction module for IIS 7 that can be used to block this attack.

Exception event that this attack would triger:

What would an attack look like on the network or in my logs?

The publicly disclosed exploit would cause the web server to generate thousands (or more likely tens of thousands) of HTTP 500 and 404 error responses to requests from a malicious client.

We can use stateful filters in the firewall, application or network, or intrusion detection systems on the network to detect such patterns and block such clients. The Dynamic IP Restrictions module supported by IIS 7 can also be used to block these types of attacks.

An attack attempt like this should also generate thousands of warnings in the application event log of your server similar to:

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 11/11/1111 11:11:11 AM
Event time (UTC): 11/11/1111 11:11:11 AM
Event ID: 28e71767f3484d1faa90026f0947e945
Event sequence: 133482
Event occurrence: 44273
Event detail code: 0

Application information:
Application domain: c1db5830-1-129291000036654651
Trust level: Full
Application Virtual Path: /
Application Path: C:\foo\TargetWebApplication\
Machine name: FOO

Process information:
Process ID: 3784
Process name: WebDev.WebServer40.exe
Account name: foo

Exception information:
Exception type: CryptographicException
Exception message: Padding is invalid and cannot be removed.

The highlighted exception detail is the most important piece of information in the event log entry to look for. It is possible to hit this error while developing new ASP.NET website code, and it can happen in certain production environments. However, if it did not appear on your production servers until recently, it is possible that it indicates an attack. Verifying that the time of these exceptions corresponds to the large number of requests described above would increase the confidence that this entry was caused by an attack.

Note that there are non-attack reasons to see this error as well (including cases where you have mismatched keys on a web-farm, or a search engine is following links incorrectly, etc), so its presence does not always necessarily indicate an attack, however, we can take preventive measures.

The exception also does not mean that an attack was successful. Implementing the <customErrors> workaround we have provided can protect your application from the public exploit, and ensure that these exceptions do not disclose information that an attacker can use against the application.

Complete description of why we should follow this workaround:

Well, while the workaround contains a really valuable information, relevant for every system (as for not disclosing the real error), and it will prevent the automated tool released by the researchers to hack your system, it will, by far, NOT protect you from a potential attack!

How so? The workaround assumes that the potential attacker will look for an HTTP error response status (500), or for an error page containing a specific exception message. However, it is enough for attacker to recognize an abnormal, or just different system behavior on certain requests.

Let’s get back to our ASP.NET system that stores an encrypted sensitive information in a cookie. Each request, the system will probably decrypt this information and use it. In case the ciphertext in a cookie is invalid, an exception will be thrown, and the system may act according to one of the following scenarios:

· Return a 500 error response - very user unfriendly!

· Return a default ASP.NET YSOD exception page - extremely bad in production environment!

· Return a page stating only the exception’s message - also very bad!

· Return a constant page, stating there was an error, without providing details– a good practice, this is actually the Microsoft’s workaround

· “Swallow” the exception, and behave like the cookie does not exist. The response may be a redirect to another pager, or just a a slightly changed HTML (instead of user’s name, a “login” link) – This is the way ASP.NET Forms Authentication works.

Note that every one of the possible responses is different from the normal one. Even the last scenario described above, as clean as it is, still returns a distinctively different response. Therefore, an attacker can take advantage of it, and write a simple script that infers this abnormal behavior to an Invalid Oracle’s answer. It is that simple!

Some useful links related to this attack:

Dynamic IP Restriction: http://www.iis.net/download/DynamicIPRestrictions

URLScan - IIS 6.0 and lesser: http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx

RequestFiltering - IIS 7.0 and above: http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering

Sharepoint Workaround: http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx

Microsoft Security Articles

2010-09-21T11:21:00.001+05:30

Forefront Client Security  Website | RSS Feed
Understanding how Forefront Client Security responds to potentially unwanted software  - 17-Sep-2010
Using a script to automate UNC definition updates  - 16-Sep-2010
Announcing the Forefront Endpoint Protection Community Evaluation Program  - 14-Sep-2010
New notification resource…  - 14-Sep-2010

Forefront Server Security  Website | RSS Feed
Problems downloading updates for the Kaspersky 8 antivirus engine after installing FSSMC Hotfix Rollup 5 and FSE Service Pack 2 Rollup 2  - 15-Sep-2010

Forefront Threat Management Gateway ISA Server  Website | RSS Feed
Unable to download files larger than 4GB through ISA 200x – works fine in TMG  - 16-Sep-2010
Forefront TMG/UAG Help Wanted at Microsoft in Stockholm  - 15-Sep-2010
TMG Quick Tip: Unable to Join a TMG to an Existing Array  - 14-Sep-2010

Forefront Unified Application Gateway UAG  Website | RSS Feed
How to enable Remote Desktop Sharing (RDS/RDP) from corporate machines to DirectAccess connected machines  - 14-Sep-2010

Important: ASP.NET Security Vulnerability

2010-09-19T09:47:00.001+05:30

This post has been shared by Scott Guthrie

Thanks Scott for posting this workaround.

Important: ASP.NET Security Vulnerability

A few hours ago we released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET.

This vulnerability was publically disclosed late Friday at a security conference. We recommend that all customers immediately apply a workaround (described below) to prevent attackers from using this vulnerability against your ASP.NET applications.

What does the vulnerability enable?

An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data).

At attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).

How the Vulnerability Works

To understand how this vulnerability works, you need to know about cryptographic oracles. An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there is a vulnerability in ASP.NET which acts as a padding oracle. This allows an attacker to send cipher text to the web server and learn if it was decrypted properly by examining which error code was returned by the web server. By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text.

How to Workaround The Vulnerability

A workaround you can use to prevent this vulnerability is to enable the <customErrors> feature of ASP.NET, and explicitly configure your applications to always return the same error page - regardless of the error encountered on the server. By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server.

Important: It is not enough to simply turn on CustomErrors or have it set to RemoteOnly. You also need to make sure that all errors are configured to return the same error page. This requires you to explicitly set the “defaultRedirect” attribute on the <customErrors> section and ensure that no per-status codes are set.

Enabling the Workaround on ASP.NET V1.0 to V3.5

If you are using ASP.NET 1.0, ASP.NET 1.1, ASP.NET 2.0, or ASP.NET 3.5 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:

1) Edit your ASP.NET Application’s root Web.Config file. If the file doesn’t exist, then create one in the root directory of the application.

2) Create or modify the <customErrors> section of the web.config file to have the below settings:

<configuration>

   <system.web>

      <customErrors mode="On" defaultRedirect="~/error.html" />

   </system.web>

</configuration>

3) You can then add an error.html file to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.

Notes: The important things to note above is that customErrors is set to “on”, and that all errors are handled by the defaultRedirect error page. There are not any per-status code error pages defined – which means that there are no <error> sub-elements within the <customErrors> section. This avoids an attacker being able to differentiate why an error occurred on the server, and prevents information disclosure.

Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0

If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:

1) Edit your ASP.NET Application’s root Web.Config file. If the file doesn’t exist, then create one in the root directory of the application.

2) Create or modify the <customErrors> section of the web.config file to have the below settings. Note the use of redirectMode=”ResponseRewrite” with .NET 3.5 SP1 and .NET 4.0:

<configuration>

   <system.web>

     <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />

   </system.web>

</configuration>

3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.

4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.

VB Version

Below is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into the application directory on your web-server:

<%@ Page Language="VB" AutoEventWireup="true" %>

<%@ Import Namespace="System.Security.Cryptography" %>

<%@ Import Namespace="System.Threading" %>

<script runat="server">

    Sub Page_Load()

        Dim delay As Byte() = New Byte(0) {}

        Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()

        prng.GetBytes(delay)

        Thread.Sleep(CType(delay(0), Integer))

        Dim disposable As IDisposable = TryCast(prng, IDisposable)

        If Not disposable Is Nothing Then

            disposable.Dispose()

        End If

    End Sub

</script>

<html>

<head runat="server">

    <title>Error</title>

</head>

<body>

    <div>

        Sorry - an error occured

    </div>

</body>

</html>

C# Version

Below is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save it into the application directory on your web-server:

<%@ Page Language="C#" AutoEventWireup="true" %>

<%@ Import Namespace="System.Security.Cryptography" %>

<%@ Import Namespace="System.Threading" %>

<script runat="server">

   void Page_Load() {

      byte[] delay = new byte[1];

      RandomNumberGenerator prng = new RNGCryptoServiceProvider();

      prng.GetBytes(delay);

      Thread.Sleep((int)delay[0]);

      IDisposable disposable = prng as IDisposable;

      if (disposable != null) { disposable.Dispose(); }

</script>

<html>

<head runat="server">

    <title>Error</title>

</head>

<body>

    <div>

        An error occurred while processing your request.

    </div>

</body>

</html>

How to Verify if the Workaround is Enabled

Once you have applied the above workaround, you can test to make sure the <customErrors> section is correctly configured by requesting a URL like this from your site: http://mysite.com/pagethatdoesnotexist.aspx

If you see the custom error page appear (because the file you requested doesn’t exist) then your configuration should be setup correctly. If you see a standard ASP.NET error then it is likely that you missed one of the steps above. To see more information about what might be the cause of the problem, you can try setting <customErrors mode=”remoteOnly”/> – which will enable you to see the error message if you are connecting to the site from a local browser.

How to Find Vulnerable ASP.NET Applications on Your Web Server

We have published a .vbs script that you can save and run on your web-server to determine if there are ASP.NET applications installed on it that either have <customErrors> turned off, or which differentiate error messages depending on status codes.

You can download the .vbs script here. Simply copy/paste the script into a text file called “DetectCustomErrors.vbs” and save it to disk. Then launch a command window that is elevated as admin and run “cscript DetectCustomErrors.vbs” to run it against your local web-server. It will enumerate all of the applications within your web server and verify that the correct <customErrors> configuration has been specified.

It will flag any application where it finds that an application’s web.config file doesn’t have the <customErrors> section (in which case you need to add it), or doesn’t have it set correctly to workaround this attack (in which case you need to update it). It will print “ok” for each application web.config file it finds that is fine. This should hopefully make it easier to locate issues.

Note: We have developed this detection script over the last few hours, and will be refining it further in the future. I will post an update in this section each time we make a change to it.

How to Find More Information about this Vulnerability

You can learn more about this vulnerability from:

Microsoft will be releasing a patch that can be used to correct the root cause of the issue (and avoid the need for the above workaround).

Until then, please apply the above workaround to all of your ASP.NET applications to prevent attackers from exploiting it.

Spyware and Viruses: What's the Difference?

2010-09-16T22:12:00.001+05:30

Spyware and viruses: What's the difference?
Spyware and viruses are both malicious software, but they're different. Learn how, and how Microsoft Security Essentials can help protect you from both. Then find answers to these common questions about Microsoft Security Essentials:

Suspect you have a virus? Get help fast at our new Virus and Security Solution Center, and learn steps that you can take to help remove it.

Security updates for September 14, 2010

The bulletin for September includes 9 security updates: 7 for the Windows operating system, 1 for Microsoft Office, and 1 for Microsoft Internet Information Services.

Microsoft security news

Fraud alert: "Your Hotmail account will be deleted"
A new scam email claiming to be from Microsoft asks for personal information to avoid suspension of your Windows Live Hotmail account. Do not reply! This email message is a scam.

Fraud alert: UPS package scam
In recent newsletters, we told you about a phishing email message purporting to be from UPS. A reader recently brought another UPS-related scam to our attention.

Worried about ID theft? You're not alone
A recent study by the National Cyber Security Alliance and the Anti-Phishing Working Group found Americans are as concerned about ID theft as they are of job loss.

Microsoft to lead Family Online Safety Institute
A group manager from Microsoft's Trustworthy Computing group recently assumed the chair of the Family Online Safety Institute (FOSI) board of directors. Learn more about FOSI and its charter to make the Internet safer for families.

Operation b49: Microsoft takes on the bots
In February, Microsoft helped take down the Waledac botnet in an effort known internally as "Operation b49." Now in phase two, Operation b49 can help you clean out your PC if you think it's been infected by a bot.

Protect your computer

More ways that spammers can get your email address
In last month's newsletter, we told you about four ways that spammers can get your email address. Here are more great tips from our readers.

Is pirated software putting you at risk?
If a deal for software seems too good to be true, it probably is. See how to check for a Certificate of Authenticity label to ensure that you have genuine Microsoft software.

Watch videos on online safety
If you prefer to learn by watching rather than reading, take a look at our new how-to videos on computer security, privacy, and Internet safety.

Protect yourself and your family

Free ebook for online teens
Help teens protect themselves online with a free, downloadable ebook from Microsoft that covers topics including cyberbullying, social networking, hackers, and more.

5 steps to help keep your passwords secret
These five guidelines will help you protect yourself when you log on to your computer or any site where you enter personal or financial information.

Donate to Pakistan flood victims safely
If you want to donate to flood relief efforts in Pakistan, make sure you do so safely. Here are tips to avoid donation scams, plus links to legitimate relief organizations.

Security resources

Consumer Threat Alert: New "Here You Have" Worm Delivers Unwanted Gift

2010-09-12T09:53:00.001+05:30


Share this on:

Security Advice Center | Products

New "Here You Have" Worm Delivers Unwanted Gift

Global mass mailing worm masquerades as business message
but links to malware, McAfee Labs warns

A new Internet worm dubbed "Here You Have" is streaming into worldwide inboxes, offering a dangerous payload, according to McAfee Labs. The worm, which travels via spam email with the subject line of "Here you have," or "Just for you," masquerades as an email with a link to a video or an attached document file. However, the email actually contains a link to a malicious program that can disable security software and send itself to all the contacts in the recipient's address book.

Corporations around the world were particularly affected by the worm on Thursday as it clogged up their email systems. Consumers could be affected as they go home and log onto their machines. For this reason, McAfee Labs has labeled the worm as a "medium" risk, and warns all computer users to delete any email with the "Here you have," or "Just for you," subject line.

Although the dangerous link has been taken down, neutralizing the threat, it can still spread through remote machines, mapped drives and removable media, Labs warns.

If you have an up-to-date and properly configured McAfee security software product then you are protected against this threat.

The Hook: You receive a spam email with the subject line "Here you have," or "Just for you," and a link or attachment that looks like it leads to a video or document file. It may appear that the email comes from someone you know.

The Methods: The email invites you to click on the link, and once you do it prompts you to download a file. This file is actually malware that disables the security software on your machine and sends itself to everyone listed as a contact in your address book.

The Dangers: Once you are infected, your computer has diminished security protection. Your machine is also being used to spam your friends and contacts. If you are on a corporate network, the network could be clogged as the worm works its way through address books.

Bottom Line: Do not click on the link in any email with the subject header "Here you have," or "Just for you," even if it appears to be from someone you know.

Tips to Avoid Becoming a Victim:

1. Never click on a link in a spam email or IM from someone you don't know. Be suspicious of strange emails from family or friends: their accounts may have been compromised.

2. Use comprehensive security software, like McAfee Total Protection^™ software, to protect you from viruses, spam, and other Internet threats, and keep the software up-to-date. Save on McAfee Total Protection or try it free for 30 days.

3. Set your operating system and browser to automatically apply updates.

Microsoft Security Articles

2010-05-25T10:47:00.001+05:30

Security  Articles

Microsoft Malware Protection Center  Website | RSS Feed
MSRT May Threat Reports and Alureon  - 22-May-2010
MSRT May Threat Reports and Alureon   - 22-May-2010

Microsoft Security Response Center MSRC  Website | RSS Feed
Security Advisory 2028859 Released  - 18-May-2010

MSRC Ecosystem Strategy  Website | RSS Feed
Strengthening the Security Cooperation Program  - 17-May-2010
Project Omega Launch at AusCERT  - 17-May-2010

Security Bulletins Advisories  Website | RSS Feed
Microsoft Security Advisory (2028859): Vulnerability in Canonical Display Driver Could Allow Remote Code Execution - 5/18/2010  - 18-May-2010

Security Bulletins Comprehensive  Website | RSS Feed
Microsoft Security Bulletin Summary for May 2010  - 19-May-2010
MS10-030 - Critical: Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution (978542) - Version:1.2  - 19-May-2010
MS10-031 - Critical: Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (978213) - Version:1.1  - 19-May-2010

Security Products Forefront

Forefront Client Security  Website | RSS Feed
Pardon our dust….  - 17-May-2010
Pardon our dust….  - 17-May-2010

Forefront Product Suite  Website | RSS Feed
Issuing information cards with AD FS 2.0: Community Technology Review released  - 21-May-2010

Forefront Server Security  Website | RSS Feed
Introducing the Forefront Protection 2010 for Exchange Server capacity planning tool  - 21-May-2010
Check out this new video overview of Forefront Protection 2010 for SharePoint  - 20-May-2010

Forefront Threat Management Gateway ISA Server  Website | RSS Feed
Announcing the availability of the new MRS (V1.1) release  - 18-May-2010

Forefront Unified Application Gateway UAG  Website | RSS Feed
DirectAccess and Teredo Adapter Behavior  - 21-May-2010
UAG DirectAccess Test Lab Guide CRL Check Update  - 20-May-2010
Introduction to “The Edge Man”  - 18-May-2010
Configuring an External Load Balanced UAG DirectAccess Array for an IPv4 Only Network  - 17-May-2010

No-Cost Antivirus and Antispyware Tools from Microsoft

2010-05-12T10:35:00.001+05:30

Get no-cost antivirus,
antispyware, and other security tools

Concerned about your computer becoming infected with a virus, spyware, or other malicious software? Who isn't? One quick, easy way that you can help protect your PC is by downloading Microsoft Security Essentials. It provides real-time protection against malicious software, and it's easy to install, simple to use, and free. Learn more about Microsoft Security Essentials, plus discover other free security tools from Microsoft for additional protection.

Security updates for May 11, 2010
The bulletin for May includes two security updates: one for the Windows operating system and one for Microsoft Visual Basic.

Microsoft security news

Support for Windows XP with Service Pack 2 ends July 13, 2010
Support is ending for some versions of Windows. Learn how to determine which version and service pack you're running, and what end of support means for you.

Microsoft releases new Security Intelligence Report
Get Microsoft's latest analysis of the leading security threats to your PC. Download Security Intelligence Report Volume 8 or see a summary of key findings.

"Rethinking the Cyber Threat"
Microsoft Corporate Vice President of Trustworthy Computing Scott Charney outlines a framework for creating more effective cyberattack responses. Read Charney's message or download the full paper.

Protect your computer

Get virus help from a local security expert
If you think your computer is infected with a virus or spyware, you can call Microsoft support or even find a local computer expert to help you. Here's how.

See if your Windows operating system has protection built in
There are four basic steps to help protect your computer. Check to see if your version of Windows has these features built in.

Protect yourself and your family

How to reduce your risk of online fraud
This article offers the basics on protecting yourself from identity theft online. Learn three common online scams, where you might see them, and six telltale signs of a scam. Plus, find advice on how to avoid scams and where to report possible fraud.

You've inherited money! Or not
We try to keep you alerted to the latest Internet scams. Last month it was the MSN Auto Protection scam and the UPS package delivery scam. This month it's the windfall inheritance scam.

Should I surf the web in Protected Mode?
To help protect against spyware, make sure that you surf the web in Protected Mode in Internet Explorer. Learn what Protected Mode does and how to ensure it's on.

Security resources

Security Tools and Guidance for Managers

2010-05-11T22:06:00.001+05:30

This link provides a central site for comprehensive reference to MS offerings on Security Perspective and Guidance

http://www.microsoft.com/security/manager/

Guidance

The Effective Security Practices Whitepaper Series

	Risk Management Frameworks
	Justifying Security Spend
	Mobility and Security - Policies and Practices
	Effective Practices for Cloud Security
	Social Networks and Enterprise Security

The Microsoft Security Intelligence Report

Provides an in-depth perspective on the changing threat landscape including software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software.

The Microsoft Security Update Guide

Designed to help IT professionals better understand and use Microsoft security update release information, processes, communications, and tools.

Privacy and Governance

	Choosing a Cloud Computing Services Provider: Data Privacy and Security Questions for IT Professionals
	Microsoft and Data Governance
	Microsoft and Data Retention
	Microsoft and Data Breach Notification
	FAQ : Data Governance for Security and Privacy
	A Guide to Data Governance for Privacy, Confidentiality, and Compliance Part 1: The Case for Data Governance
	MOF to COBIT/Val IT Comparison and Cross-Implementation Guide
	Cross Reference ITIL v3 and MOF 4.0
	MOF Companion Guide: Using MOF for ISO/IES 20000

Security Program Building Blocks

Microsoft Security Awareness Toolkit

Provides guidance, sample awareness and training materials, checklists, templates, and examples from Microsoft IT to help security managers quickly build an awareness and training program that will achieve results.

	Planning Materials
	Program Development
	Delivery
	Sample Awareness Campaigns from Microsoft Information Security

Microsoft SDL - Developer Starter Kit

This kit offers content, labs, and training to help you establish a standardized approach to rolling out the Microsoft Security Development Lifecycle (SDL) in your organization.

Online Safety Toolkit for Enterprise and Organizations

This kit offers tools that you can use to help your employees learn the skills they need to work more safely on the Internet and better defend company, customer, and their own personal information

MVP Announce: Alert - McAfee Update Causing Windows XP Machines to Shut Down

2010-04-22T10:53:00.001+05:30

What is the purpose of this alert?

Microsoft has been made aware of an issue with a McAfee DAT file update - released Wednesday, April 21, 2010 - that has been causing stability issues on Windows XP client systems. The symptom is caused by a false-positive detection on a core Windows file (svchost.exe). Once the file is quarantined by McAfee, the system may encounter one of the following symptoms:

· The computer shuts down when a DCOM error or a RPC error occurs

· The computer continues to run without network connectivity.

· The computer triggers a Bugcheck (Blue Screen).

The DAT file version that that caused the problem is McAfee DAT 5958. This file was propagated to client machines that conduct automatic updates of definition files. McAfee updated the DAT file soon after the problem was identified with a new version that does not cause the problem.

Resolution Steps

Please review the following KB Articles for specific steps to resolve the issue on systems that are affected.

McAfee KB Article:

https://kc.mcafee.com/corporate/index?page=content&id=KB68780

Microsoft KB Article:

http://support.microsoft.com/kb/2025695

Recommendations

We recommend customers affected by this symptom first review the McAfee KB Article referenced above. For further assistance, customers should contact McAfee. Customers who are unable to resolve the issue through these means can contact Microsoft for technical support using resources found on this Web page: http://support.microsoft.com/.

Regarding Information Consistency

We strive to provide you with accurate information in static (this mail) and dynamic (Web-based) content. Microsoft’s security content posted to the Web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s Web-based security content, the information in Microsoft’s Web-based security content is authoritative.

My Article in January 2010 Edition of the Hakin9 Magazine

2010-02-25T22:10:00.002+05:30

One of my articles have been published in the January 2010 edition of the Hakin9 International IT Security Magazine. The articles title is The Fear Factor - Study of a new genre of malwares called "Scarewares" Edition Link: http://hakin9.org/magazine/995-hardware-keylogger-a-serious-threat

Merry Christmas!!

2009-12-25T19:11:00.001+05:30

Every time we love, every time we give, it’s Christmas time!!

Increase in Web Malware Activity

2009-11-07T16:36:00.001+05:30

There have been many discussions in various Forums, Blogs and Message Boards that the Web has now become the primary vehicle for the Malwares to enter our networks. For more details about such a presentation, please refer to the WebCast “Web Attacks: How Hackers Create and Spread Malware”, presented by Chris McCormack (Web Security Expert - Sophos) and Fraser Howard (Principal Researcher - Sophos). It is very scary, as pointed out in this WebCast, that there is no such thing as a trusted website. Even the most legal site can become the epicenter of spreading out Malware infections. From the popular social networking sites to private/public discussion boards, web sites and blogs, anything can become the harboring ground of these Web Malwares. The table below, taken from Kaspersky Security Bulletin (Statistics 2008), shows the number of Web Malwares detected in some of the popular social networking site. This statistics is compiled by comparing the number of malicious programs that attacked users of different social networking sites.

Social Networking Site	Malwares Detected (2008)	Registered Users (2008)
Odnoklassniki (www.odnoklassniki.ru)	3302 Malwares	22000000 Users
Orkut (www.orkut.com)	5984 Malwares	67000000 Users
Bebo (www.bebo.com)	2375 Malwares	40000000 Users
Livejournal (www.livejournal.com)	846 Malwares	18000000 Users
Friendster (www.friendster.com)	2835 Malwares	90000000 Users
Myspace (www.myspace.com)	7487 Malwares	253000000 Users
Facebook (www.facebook.com)	3620 Malwares	140000000 Users
Cyworld (us.cyworld.com)	301 Malwares	20000000 Users
Skyblog (www.skyblog.com)	28 Malwares	2200000 Users

Source: Kaspersky Security Bulletin (Statistics 2008)

Similarly, the below graph shows the sudden increase of Web Malwares activity related with some of the popular social networking sites.

Source: Kaspersky Security Bulletin (Statistics 2008)

Recently it was discovered that social networking sites were getting used as botnet command control. Arbor Network Security reported that, they have identified a Twitter account that was being used as part of an update server for infected systems that were part of a botnet. This account was issuing base 64 encoded tweets that pointed to links where the infected computers could receive malware updates from. Almost similar kinds of botnet command control mechanism were also detected in Tumblr & Jaiku as well. These bots were using RSS feed to get the status updates.

It was pointed out by Google that ‘1% of all search results contained at least one result that point to malicious content and the trend seems to be increasing’. Of the billions of web pages that they have investigated, more than 3 million unique URLs on over 180,000 web sites automatically install Malwares by drive-by download. Shown below are some of the interesting statistics of Malware activity identified in the Web. These interesting trends were observed by the Google Security Team.

Source: Google Online Security Blog

The above graph shows the percentage of daily queries that contain at least one search result identified as Malicious.

Source: Google Online Security Blog

The above graph shows the number of entries in the Google Safe Browsing Malware List. It becomes obvious from these graphs that in the last few years there has been a constant increase of Web related Malwares. The Google research paper on this increasing trend of Web Malware activity, as observed by the Google Security Team, can be referred to from the URL mentioned below in the reference section of this article (Google Research).

Taken from Kaspersky Monthly Malware Statistics, the below table shows the top twenty Web Malwares with new infections detected (highlighted in yellow) and the number of infected web pages.

Position	Malware Name	Infected Web Pages
1	Trojan-Downloader.JS.Gumblar.a	8538
2	Trojan-Clicker.HTML.IFrame.kr	7805
3	Trojan-Downloader.HTML.IFrame.sz	5213
4	Trojan-Downloader.JS.LuckySploit.q	4719
5	Trojan-Downloader.HTML.FraudLoad.a	4626
6	Trojan-Downloader.JS.Major.c	3778
7	Trojan-GameThief.Win32.Magania.biht	2911
8	Trojan-Downloader.JS.ShellCode.i	2652
9	Trojan-Clicker.HTML.IFrame.mq	2576
10	Exploit.JS.DirektShow.o	2476
11	Trojan.JS.Agent.aat	2402
12	Exploit.JS.DirektShow.j	2367
13	Exploit.HTML.CodeBaseExec	2266
14	Exploit.JS.Pdfka.gu	2194
15	Trojan-Downloader.VBS.Psyme.ga	2007
16	Exploit.JS.DirektShow.a	1988
17	Trojan-Downloader.Win32.Agent.cdam	1947
18	Trojan-Downloader.JS.Agent.czm	1815
19	Trojan-Downloader.JS.Iframe.ayt	1810
20	Trojan-Downloader.JS.Iframe.bew	1766

Source: Kaspersky Monthly Malware Statistics

Web Malwares have become a major contributor to this growing Malware menace. According to ScanSafe's Annual Threat Report, on an analysis of 200 billion web requests they came to a conclussion that web malware infection surged 582 percent last year, with a significant increase visible toward the last quater of 2008. Security researchers at AVG Technologies have observed that the number of new infected Web sites has grow by 66 percent, from 100,000 to 200,000 per day to 200,000 to 300,000 per day it is expected that this trend would continue in days to come.

Since 2006, the number of Malware signatures of most of the Antivirus vendors has doubled. But with new variants getting created, newer methods of infection and increase in the numbers of distribution points, which are mainly compromised websites, this has resulted in a situation where the Antivirus vendors are now finding it difficult to block these threats, hence, resulting in misses in Malware detection. Earlier Antivirus companies were blocking a major portion of these Malwares with dedicated and generic signatures. However today, it has become literally impossible to block these Malwares with older methodologies. The below statistics (Jan-Jun 2009) shows the misses by some of the major Antivirus engines to detect Malwares and this trend has increased off late.

Source: CommTouch Labs

After calculating an average daily detection rate of some of the major Antivirus vendors, it was revealed by Cyveillance, a cyber-intelligence gathering company, that none of these Antiviruses were going over the 50% mark as far as successful detection is concerned. The top five scores came from McAfee (44 percent), Sophos (38 percent), Dr. Web (36 percent), Symantec (35 percent) and Trend Micro (34 percent). The list also had details of AVG (31 percent), F-Secure (28 percent), ESET (27 percent), Sunbelt (26 percent), F-Prot (23 percent), Norman (23 percent), Kaspersky (18 percent) and VirusBuster (16 percent). Similarly, Panda Security Research also reported that, out of 1.5 million home computers they looked into, only 37.45 percent were correctly protected with an active anti-malware solution with the latest signature database and out of these protected computers, 22.97 percent had active malware infections which were undetected by the anti-malware solution. This is because, more than 52 percent of the Malwares will get reconfigured within 24 hours of its first release so that they can evade signature-based scanners. They also audited a total of 1,206 companies' network. These networks were protected by a variety of different security vendors and in 69.34 percent of the cases they were correctly protected. However they still found thay 71.79 percent systems of these networks were actively infected with Malware.

Heap Spraying

2009-11-07T16:31:00.001+05:30

Heap spraying is a technique which is implemented using Javascript and the sole purpose is arbitrary code execution. Although heap spray exploits has been in use since 2001 but since 2005 a more widespread use of this technique is seen in exploits targeted for web malwares. Let us now see what actually heap spraying is and how it is done.

A vulnerable application (in this case, browsers like IE or Firefox), because of certain illegal operation due to badly coded error handling modules, can jump into invalid memory addresses. Once it jumps to those memory addresses it is unable to read data from that invalid memory address resulting in an application crash. When the application crashes it throws a popup as shown below:

Now, depending on the nature of the vulnerablity in the application, we can inject the heap with "nop + shellcode", as much as possible, untill the invalid memory address gets overwritten with "nop + shellcode" and becomes a valid memory. By this we can create a scenario where we can ensure that our custom "shellcode" gets executed the next time a similar illegal operation happens and the application tries to reference that invalid address again. Once we control this behavior with a properly written exploit code, we can successfully use the vulnerability to our advantage to achieve arbitrary code execution. Please refer to the below image for a better understanding of the concepts mentioned above.

However, to successfully achieve arbitrary code exection using heap spray, there is one important things that we need to keep in mind. That is, as per the Windows Memory Layout, address higher than 0x7FFFFFFF falls in the KERNEL ADDRESS SPACE and address lower than 0x7FFFFFFF falls in the USER ADDRESS SPACE. The address of a program heap falls within this USER ADDRESS SPACE i.e the address is less than 0x7FFFFFFF. So during the overwriting of the heap and the invalid memory address, we must keep in mind that we are overwriting memory addresses that fall within the USER ADDRESS SPACE, not the KERNEL ADDRESS SPACE. If we write in memory locations that belong to the KERNEL ADDRESS SPACE, there will be a system crash.

New Sysinternals Tool - Disk2vhd

2009-10-08T21:12:00.001+05:30

A new Sysinternals tool, Disk2vhd, was released yesterday by Mark Russinovich and Bryce Cogswell.

Disk2vhd is a utility that creates VHD (Virtual Hard Disk - Microsoft’s Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that’s online. Disk2vhd uses Windows’ Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes you want to include in a conversion. You can even have Disk2vhd create the VHDs on local volumes, even ones being converted (though performance is better when the VHD is on a disk different than ones being converted).

You can download Disk2vhd from the Sysinternals website. Please refer to the link mentioned at the bottom of this post.

Some screenshots of Disk2vhd

Read more from the Sysinternals site (link provided below).

http://technet.microsoft.com/en-us/sysinternals/ee656415.aspx

Cheers Mark!!, once again you gave us an amazing tool.

The Bong Connection

2009-09-30T08:58:00.001+05:30

Microsoft Security Articles (Sep14-Sep20)

2009-09-22T20:32:00.001+05:30

Article Topics & Links:

Microsoft Information Security Tools Team Website | RSS Feed
Anti-XSS Library v3.1 Released! - 17-Sep-2009
Introducing the Connected Information Security Framework and Risk Tracker - 16-Sep-2009
Want to Develop Software Security Tools? - 16-Sep-2009
Want to Shape Great Security Tools ? - 15-Sep-2009
CISF Security Portal Architecture - 15-Sep-2009
Automating Windows Firewall settings with C# (part 2) - 14-Sep-2009
Microsoft Malware Protection Center Website | RSS Feed
The modern rogue - a timely subject - 18-Sep-2009
I can’t go back to yesterday - see you in Geneva - 16-Sep-2009
September in Geneva - 15-Sep-2009
MSRC Ecosystem Strategy Website | RSS Feed
Announcing BlueHat v9: Through the Looking Glass - 14-Sep-2009
Security Bulletins Advisories Website | RSS Feed
Microsoft Security Advisory (975497): Vulnerabilities in SMB Could Allow Remote Code Execution - 9/17/2009 - 17-Sep-2009
Security Bulletins Comprehensive Website | RSS Feed
Microsoft Security Advisory (975497): Vulnerabilities in SMB Could Allow Remote Code Execution - 17-Sep-2009
MS09-047 - Critical: Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812) - Version:1.1 - 16-Sep-2009
Security Vulnerability Research and Defense Website | RSS Feed
Update on the SMB vulnerability situation - 18-Sep-2009
OffVis updated, Office file format training video created - 14-Sep-2009
The Security Development Lifecycle Website | RSS Feed
Two New Security Tools for your SDL tool belt (Bonus: a “7-easy-steps” whitepaper) - 16-Sep-2009

Source: Microsoft Blogs