Microsoft Security Articles

Microsoft Malware Protection Center  Website | RSS Feed
Hold on to your keys!  - 17-Sep-2010
MSRT sets its sights on FakeCog  - 14-Sep-2010

Microsoft Security Response Center MSRC  Website | RSS Feed
Security Advisory 2416728 Released  - 18-Sep-2010
Q&A from the September 2010 Security Release Bulletin Webcast  - 17-Sep-2010
September 2010 Security Bulletin Release  - 13-Sep-2010

MSRC Ecosystem Strategy  Website | RSS Feed
Internet troubles in Korea? E-call center 118 is there to help.  - 17-Sep-2010

Security Bulletins Advisories  Website | RSS Feed
Microsoft Security Advisory (2416728): Vulnerability in ASP.NET Could Allow Information Disclosure - 9/17/2010  - 17-Sep-2010
Microsoft Security Advisory (973811): Extended Protection for Authentication - 9/14/2010  - 14-Sep-2010
Microsoft Security Advisory (2401593): Vulnerability in Outlook Web Access Could Allow Elevation of Privilege - 9/14/2010  - 14-Sep-2010

Security Bulletins Comprehensive  Website | RSS Feed
MS10-050 - Important: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997) - Version:1.2  - 15-Sep-2010
Microsoft Security Advisory (973811): Extended Protection for Authentication  - 14-Sep-2010
Microsoft Security Bulletin Summary for September 2010  - 14-Sep-2010
MS10-069 - Important: Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege (2121546) - Version:1.0  - 14-Sep-2010
MS10-068 - Important: Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege (983539) - Version:1.0  - 14-Sep-2010
MS10-067 - Important: Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2259922) - Version:1.0  - 14-Sep-2010
MS10-066 - Important: Vulnerability in Remote Procedure Call Could Allow Remote Code Execution (982802) - Version:1.0  - 14-Sep-2010
MS10-065 - Important: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960) - Version:1.0  - 14-Sep-2010
MS10-064 - Critical: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2315011) - Version:1.0  - 14-Sep-2010
MS10-063 - Critical: Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2320113) - Version:1.0  - 14-Sep-2010
MS10-062 - Critical: Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution (975558) - Version:1.0  - 14-Sep-2010
MS10-061 - Critical: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Version:1.0  - 14-Sep-2010
Microsoft Security Advisory (2401593): Vulnerability in Outlook Web Access Could Allow Elevation of Privilege  - 14-Sep-2010

The Security Development Lifecycle  Website | RSS Feed
Congratulations to Steve Lipner  - 17-Sep-2010

Forefront Client Security  Website | RSS Feed
Understanding how Forefront Client Security responds to potentially unwanted software  - 17-Sep-2010
Using a script to automate UNC definition updates  - 16-Sep-2010
Announcing the Forefront Endpoint Protection Community Evaluation Program  - 14-Sep-2010
New notification resource…  - 14-Sep-2010

Forefront Server Security  Website | RSS Feed
Problems downloading updates for the Kaspersky 8 antivirus engine after installing FSSMC Hotfix Rollup 5 and FSE Service Pack 2 Rollup 2  - 15-Sep-2010

Forefront Threat Management Gateway ISA Server  Website | RSS Feed
Unable to download files larger than 4GB through ISA 200x – works fine in TMG  - 16-Sep-2010
Forefront TMG/UAG Help Wanted at Microsoft in Stockholm  - 15-Sep-2010
TMG Quick Tip: Unable to Join a TMG to an Existing Array  - 14-Sep-2010

Forefront Unified Application Gateway UAG  Website | RSS Feed
How to enable Remote Desktop Sharing (RDS/RDP) from corporate machines to DirectAccess connected machines  - 14-Sep-2010

Important: ASP.NET Security Vulnerability

This post has been shared by Scott Guthrie

Thanks Scott for posting this workaround.

Important: ASP.NET Security Vulnerability

A few hours ago we released a Microsoft Security Advisory about a security vulnerability in ASP.NET.  This vulnerability exists in all versions of ASP.NET.

This vulnerability was publically disclosed late Friday at a security conference.  We recommend that all customers immediately apply a workaround (described below) to prevent attackers from using this vulnerability against your ASP.NET applications.

What does the vulnerability enable?

An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data).

At attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).

How the Vulnerability Works

To understand how this vulnerability works, you need to know about cryptographic oracles. An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there is a vulnerability in ASP.NET which acts as a padding oracle. This allows an attacker to send cipher text to the web server and learn if it was decrypted properly by examining which error code was returned by the web server.  By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text.

How to Workaround The Vulnerability

A workaround you can use to prevent this vulnerability is to enable the <customErrors> feature of ASP.NET, and explicitly configure your applications to always return the same error page - regardless of the error encountered on the server. By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server.

Important: It is not enough to simply turn on CustomErrors or have it set to RemoteOnly. You also need to make sure that all errors are configured to return the same error page.  This requires you to explicitly set the “defaultRedirect” attribute on the <customErrors> section and ensure that no per-status codes are set.

Enabling the Workaround on ASP.NET V1.0 to V3.5

If you are using ASP.NET 1.0, ASP.NET 1.1, ASP.NET 2.0, or ASP.NET 3.5 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:

1) Edit your ASP.NET Application’s root Web.Config file.  If the file doesn’t exist, then create one in the root directory of the application.

2) Create or modify the <customErrors> section of the web.config file to have the below settings:

<configuration>        

   <system.web>

      <customErrors mode="On" defaultRedirect="~/error.html" />

   </system.web>        

</configuration>

3) You can then add an error.html file to your application that contains an appropriate error page of your choosing (containing whatever content you like).  This file will be displayed anytime an error occurs within the web application.

Notes: The important things to note above is that customErrors is set to “on”, and that all errors are handled by the defaultRedirect error page.  There are not any per-status code error pages defined – which means that there are no <error> sub-elements within the <customErrors> section.  This avoids an attacker being able to differentiate why an error occurred on the server, and prevents information disclosure.

Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0

If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:

1) Edit your ASP.NET Application’s root Web.Config file.  If the file doesn’t exist, then create one in the root directory of the application.

2) Create or modify the <customErrors> section of the web.config file to have the below settings.  Note the use of redirectMode=”ResponseRewrite” with .NET 3.5 SP1 and .NET 4.0:

<configuration>

   <system.web>

     <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />

   </system.web>

</configuration>

3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like).  This file will be displayed anytime an error occurs within the web application.

4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.

VB Version

Below is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it.  You do not need to compile this into an application – you can optionally just save this Error.aspx file into the application directory on your web-server:

<%@ Page Language="VB" AutoEventWireup="true" %>

<%@ Import Namespace="System.Security.Cryptography" %>

<%@ Import Namespace="System.Threading" %>

<script runat="server">

    Sub Page_Load()

        Dim delay As Byte() = New Byte(0) {}

        Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()

        prng.GetBytes(delay)

        Thread.Sleep(CType(delay(0), Integer))

        Dim disposable As IDisposable = TryCast(prng, IDisposable)

        If Not disposable Is Nothing Then

            disposable.Dispose()

        End If

    End Sub

</script>

<html>

<head runat="server">

    <title>Error</title>

</head>

<body>

    <div>

        Sorry - an error occured

    </div>

</body>

</html>

C# Version

Below is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it.  You do not need to compile this into an application – you can optionally just save it into the application directory on your web-server:

<%@ Page Language="C#" AutoEventWireup="true" %>

<%@ Import Namespace="System.Security.Cryptography" %>

<%@ Import Namespace="System.Threading" %>

<script runat="server">

   void Page_Load() {

      byte[] delay = new byte[1];

      RandomNumberGenerator prng = new RNGCryptoServiceProvider();

      prng.GetBytes(delay);

      Thread.Sleep((int)delay[0]);

      IDisposable disposable = prng as IDisposable;

      if (disposable != null) { disposable.Dispose(); }

    }

</script>

<html>

<head runat="server">

    <title>Error</title>

</head>

<body>

    <div>

        An error occurred while processing your request.

    </div>

</body>

</html>

How to Verify if the Workaround is Enabled

Once you have applied the above workaround, you can test to make sure the <customErrors> section is correctly configured by requesting a URL like this from your site: http://mysite.com/pagethatdoesnotexist.aspx

If you see the custom error page appear (because the file you requested doesn’t exist) then your configuration should be setup correctly.  If you see a standard ASP.NET error then it is likely that you missed one of the steps above.  To see more information about what might be the cause of the problem, you can try setting <customErrors mode=”remoteOnly”/> – which will enable you to see the error message if you are connecting to the site from a local browser.

How to Find Vulnerable ASP.NET Applications on Your Web Server

We have published a .vbs script that you can save and run on your web-server to determine if there are ASP.NET applications installed on it that either have <customErrors> turned off, or which differentiate error messages depending on status codes.

You can download the .vbs script here.  Simply copy/paste the script into a text file called “DetectCustomErrors.vbs” and save it to disk.  Then launch a command window that is elevated as admin and run “cscript DetectCustomErrors.vbs” to run it against your local web-server.  It will enumerate all of the applications within your web server and verify that the correct <customErrors> configuration has been specified.

It will flag any application where it finds that an application’s web.config file doesn’t have the <customErrors> section (in which case you need to add it), or doesn’t have it set correctly to workaround this attack (in which case you need to update it).  It will print “ok” for each application web.config file it finds that is fine.  This should hopefully make it easier to locate issues.

Note: We have developed this detection script over the last few hours, and will be refining it further in the future.  I will post an update in this section each time we make a change to it.

How to Find More Information about this Vulnerability

You can learn more about this vulnerability from:

• Microsoft Security Advisory 2416728
• Understanding the ASP.NET Vulnerability
• Microsoft Security Response Center Blog Post

Microsoft will be releasing a patch that can be used to correct the root cause of the issue (and avoid the need for the above workaround).

Until then, please apply the above workaround to all of your ASP.NET applications to prevent attackers from exploiting it.

Spyware and Viruses: What's the Difference?

 

Sign up for other newsletters | Unsubscribe | Update your profile

Spyware and viruses: What's the difference? Spyware and viruses are both malicious software, but they're different. Learn how, and how Microsoft Security Essentials can help protect you from both. Then find answers to these common questions about Microsoft Security Essentials: Do I still need Windows Defender? Do I need another antivirus program, too? Suspect you have a virus? Get help fast at our new Virus and Security Solution Center, and learn steps that you can take to help remove it. Security updates for September 14, 2010 The bulletin for September includes 9 security updates: 7 for the Windows operating system, 1 for Microsoft Office, and 1 for Microsoft Internet Information Services. Get updates from Microsoft Update See a summary of the updates Microsoft security news   Fraud alert: "Your Hotmail account will be deleted" A new scam email claiming to be from Microsoft asks for personal information to avoid suspension of your Windows Live Hotmail account. Do not reply! This email message is a scam.   Fraud alert: UPS package scam In recent newsletters, we told you about a phishing email message purporting to be from UPS. A reader recently brought another UPS-related scam to our attention.   Worried about ID theft? You're not alone A recent study by the National Cyber Security Alliance and the Anti-Phishing Working Group found Americans are as concerned about ID theft as they are of job loss.   Microsoft to lead Family Online Safety Institute A group manager from Microsoft's Trustworthy Computing group recently assumed the chair of the Family Online Safety Institute (FOSI) board of directors. Learn more about FOSI and its charter to make the Internet safer for families.   Operation b49: Microsoft takes on the bots In February, Microsoft helped take down the Waledac botnet in an effort known internally as "Operation b49." Now in phase two, Operation b49 can help you clean out your PC if you think it's been infected by a bot. Protect your computer More ways that spammers can get your email address In last month's newsletter, we told you about four ways that spammers can get your email address. Here are more great tips from our readers. Is pirated software putting you at risk? If a deal for software seems too good to be true, it probably is. See how to check for a Certificate of Authenticity label to ensure that you have genuine Microsoft software. Watch videos on online safety If you prefer to learn by watching rather than reading, take a look at our new how-to videos on computer security, privacy, and Internet safety. Protect yourself and your family Free ebook for online teens Help teens protect themselves online with a free, downloadable ebook from Microsoft that covers topics including cyberbullying, social networking, hackers, and more. 5 steps to help keep your passwords secret These five guidelines will help you protect yourself when you log on to your computer or any site where you enter personal or financial information. Donate to Pakistan flood victims safely If you want to donate to flood relief efforts in Pakistan, make sure you do so safely. Here are tips to avoid donation scams, plus links to legitimate relief organizations. Security resources Microsoft Online Safety: online safety and privacy education Microsoft Security: the latest in computer security Security Tips & Talk blog Microsoft Consumer Security Support Center About this newsletter Microsoft Security for Home Computer Users is a monthly newsletter bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive more technical security information, see the Microsoft Security Newsletter.

© 2010 Microsoft Corporation Terms of Use | Trademarks

Consumer Threat Alert: New "Here You Have" Worm Delivers Unwanted Gift

 

 

Share this on:     Security Advice Center  |  Products   New "Here You Have" Worm Delivers Unwanted Gift Global mass mailing worm masquerades as business message but links to malware, McAfee Labs warns A new Internet worm dubbed "Here You Have" is streaming into worldwide inboxes, offering a dangerous payload, according to McAfee Labs. The worm, which travels via spam email with the subject line of "Here you have," or "Just for you," masquerades as an email with a link to a video or an attached document file. However, the email actually contains a link to a malicious program that can disable security software and send itself to all the contacts in the recipient's address book. Corporations around the world were particularly affected by the worm on Thursday as it clogged up their email systems. Consumers could be affected as they go home and log onto their machines. For this reason, McAfee Labs has labeled the worm as a "medium" risk, and warns all computer users to delete any email with the "Here you have," or "Just for you," subject line. Although the dangerous link has been taken down, neutralizing the threat, it can still spread through remote machines, mapped drives and removable media, Labs warns. If you have an up-to-date and properly configured McAfee security software product then you are protected against this threat. The Hook: You receive a spam email with the subject line "Here you have," or "Just for you," and a link or attachment that looks like it leads to a video or document file. It may appear that the email comes from someone you know. The Methods: The email invites you to click on the link, and once you do it prompts you to download a file. This file is actually malware that disables the security software on your machine and sends itself to everyone listed as a contact in your address book. The Dangers: Once you are infected, your computer has diminished security protection. Your machine is also being used to spam your friends and contacts. If you are on a corporate network, the network could be clogged as the worm works its way through address books. Bottom Line: Do not click on the link in any email with the subject header "Here you have," or "Just for you," even if it appears to be from someone you know. Tips to Avoid Becoming a Victim: 1.     Never click on a link in a spam email or IM from someone you don't know. Be suspicious of strange emails from family or friends: their accounts may have been compromised. 2.     Use comprehensive security software, like McAfee Total Protection™ software, to protect you from viruses, spam, and other Internet threats, and keep the software up-to-date. Save on McAfee Total Protection or try it free for 30 days. 3.     Set your operating system and browser to automatically apply updates.