
Tag: BitLocker

SHIFT + F10, Linux gets you Windows 10’s cleartext BitLocker key

Don't panic, because this one's a bit esoteric. Do feel free to face-palm anyway.

Microsoft is working on a patch for a bug (or feature) in Windows 10 that allows access to the command line during OS updates and, using a live Linux .ISO, makes it possible to steal BitLocker keys. The command line interface, opened simply by tapping the Shift and F10 keys, bypasses BitLocker and permits access to local drives, because BitLocker encryption is disabled as part of the Windows pre-installation environment.

Exploitation scenarios are limited and users should not be overly alarmed, as attackers would need to have laptops in hand during the update, or be in a position to trigger an update, in order to pop the command line interface open.

Sami Laiho, noted Windows trainer and senior technical fellow with software house Adminize, reported the flaws to Microsoft and says Redmond is rushing out a fix.

"There is a small but crazy bug in the way the feature update (formerly known as upgrade) is installed," Laiho says. "The installation of a new build is done by re-imaging the machine [via] Windows Pre-installation Environment [which] has a feature for troubleshooting that allows you to press SHIFT+F10 to get a command prompt."

"This sadly allows for access to the hard disk as during the upgrade Microsoft disables BitLocker."

Regular updates are not affected.

Worryingly, a security operations tech for an international enterprise environment told The Register attackers could use the mess to steal BitLocker's encryption keys by booting a live Linux image from the CLI. A BitLocker support chap known as @Nu11u5 on Reddit says BitLocker dumps its keys in cleartext during the process [PDF], allowing Linux tools like Dislocker to pull the codes.

"There are a few layers to BitLocker encryption," Nu11u5 says. Disk volume data is encrypted using a Full Volume Encryption Key (FVEK), itself encrypted by the Volume Master Key (VMK).
The Master Key is encrypted using a Protector, such as a TPM PIN or password. Additional encrypted copies of the VMK can exist with different Protectors, providing a backup method of data access.

BitLocker Protectors can be temporarily disabled so keys can be decrypted and data accessed. This works using a VMK copy known as a Clear Key that is written in cleartext to disk alongside the other Protectors. The BitLocker unlock process looks for these keys immediately on boot and automatically uses any it finds. With Protectors disabled, Windows boots and accesses data from the volume as if it were not encrypted, warning users that BitLocker is disabled.

Users can only create a Clear Key for this through the command line utility, after the VMK is manually decrypted by someone who knows the password:

manage-bde C: -protectors -disable

Windows 8 and newer versions of Windows will re-enable the BitLocker Protectors and securely delete the Clear Key after one boot.

The security tech says the function is handy for admins needing set-and-forget rebooting. "From a SysAdmin perspective disabling the Protectors is very useful for performing unattended reboots," they say. "[The attack] was done during an operating system upgrade that required the disk to be accessed by a pre-boot environment which otherwise would not be able to get the Protector keys released from TPM."

A non-TPM Protector could be used instead, they say, but at a cost to user experience, such as the 48-digit BitLocker volume Recovery Password, which could be easily misplaced as well.

The only fix Laiho says works for now is to ensure Windows 10 boxes are physically secure during upgrades, which means doing next to nothing for the majority of users. Laiho has created a proof-of-concept video to demonstrate the bug.
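As an added example, not from the article or from Nu11u5's post: a PowerShell check for volumes whose Protectors are suspended (the state in which the Clear Key sits on disk in cleartext), a resume step, and the bounded-suspend form admins should use for unattended reboots. Function names are mine; it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later) and an elevated prompt.

```powershell
# Added example (not from the article or from Nu11u5's post). Assumes the
# BitLocker module (Windows 8 / Server 2012 and later) and an elevated prompt.
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

function Get-SuspendedBitLockerVolume {
    # An encrypted volume whose ProtectionStatus is 'Off' has its Protectors
    # disabled: the VMK is then stored under a Clear Key, in cleartext, on disk.
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -ne 'FullyDecrypted' -and $_.ProtectionStatus -eq 'Off'
    }
}

function Resume-SuspendedBitLockerProtection {
    # Re-enables the Protectors on every suspended volume; Windows deletes the
    # Clear Key when protection resumes. Returns the mount points that were fixed.
    param([switch]$ReportOnly)
    $fixed = @()
    foreach ($vol in Get-SuspendedBitLockerVolume) {
        Write-Warning ("{0}: volume is {1} but protection is Off (Clear Key on disk)" -f
            $vol.MountPoint, $vol.VolumeStatus)
        if (-not $ReportOnly) {
            Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null
            $fixed += $vol.MountPoint
        }
    }
    return $fixed
}

function Suspend-BitLockerForOneReboot {
    # The set-and-forget pattern for unattended reboots: suspend for exactly one
    # restart. RebootCount 0 would leave the Clear Key on disk until someone resumes.
    param([string]$MountPoint = $env:SystemDrive)
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    return (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # Off until next boot
}

# Usage: audit first (no changes), then remediate without -ReportOnly.
Resume-SuspendedBitLockerProtection -ReportOnly
```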

Group policies, meet EMM: New and old Windows 10 management unite

One of Windows 10's biggest internal changes is support for management and security APIs à la enterprise mobile management (EMM).
It uses APIs similar to those in iOS, Android, and MacOS.

But Windows 10's EMM policies are limited compared to what traditional Windows management tools can do.

Thus, a lot of what IT does to manage PCs today can't be done in Windows 10 via EMM, such as set up kiosk mode or enable local encryption.
Instead, old-school tools like System Center Configuration Manager (SCCM) must be used. EMM provider MobileIron has an answer: MobileIron Bridge, an add-on to its EMM tools that lets IT apply their familiar -- and often extensive -- group policy objects (GPOs) to Windows 10 PCs managed via EMM. Applying GPOs via EMM lets IT manage Windows 10 PCs using both legacy and modern techniques from one console (MobileIron's EMM), filling in the API gaps Windows 10 currently has. Some vendors let IT install listener apps on PCs to locally apply some GPOs, a technique that could be used with traditional Windows 10 tools in parallel with an EMM tool.

But MobileIron is the first to provide GPO support directly via EMM -- there's no local client app to install, and all the GPO settings go through the same channel as the other EMM policies. MobileIron Bridge's support of GPOs is done by supporting PowerShell, VBScript, and registry scripts.
IT can take existing scripts, as well as create new ones, and bundle them into policies that MobileIron Bridge then deploys like any EMM policy.  For example, Windows 10's EMM APIs can detect a PC where BitLocker encryption is disabled, rendering the PC noncompliant with corporate security policy.

But those APIs can't be used to enable BitLocker. With MobileIron Bridge, PowerShell-driven GPOs can be used to enable BitLocker remotely, so IT can detect noncompliant PCs, then turn them compliant -- all remotely.

[Figure: MobileIron Bridge lets IT run bundled scripts to implement group policy objects and other system management commands on Windows 10 PCs managed via EMM. Here, BitLocker encryption is enabled on a noncompliant PC.]

As another example, MobileIron Bridge can be used to run scripts to set up kiosk mode on Windows 10 PCs, which essentially locks a specified user to specified apps and can seal off their data from that of other people using the same PC.
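As an added example, not MobileIron's code or the article's: the kind of PowerShell remediation script the article describes, deployable as a Bridge policy, which enables BitLocker on a noncompliant OS drive with a TPM protector and escrows the recovery password. Function names are mine; it assumes the BitLocker module, a present and initialised TPM, an elevated run, and (for -BackupToAD) that the Active Directory key-recovery policy is already in place.

```powershell
# Added example (not MobileIron's code or the article's). Assumes the BitLocker
# module, a ready TPM and an elevated run; -BackupToAD assumes AD escrow policy.
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

function Test-BitLockerCompliant {
    # Compliant = encrypted (or encrypting), protection On, and a recovery
    # password protector present so the key can be escrowed.
    param([string]$MountPoint = $env:SystemDrive)
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    $hasRecovery = $v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    return ($v.VolumeStatus -ne 'FullyDecrypted' -and
            $v.ProtectionStatus -eq 'On' -and
            $null -ne $hasRecovery)
}

function Enable-OsDriveBitLocker {
    param([string]$MountPoint = $env:SystemDrive, [switch]$BackupToAD)
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    if ($v.VolumeStatus -ne 'FullyDecrypted') {
        return "$MountPoint is already $($v.VolumeStatus); nothing to do"
    }
    # The TPM protector only works when the TPM is present and initialised.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not present or not ready on $env:COMPUTERNAME"
    }
    # Recovery password first, so an escrow copy exists before encryption begins.
    $v = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rpId = ($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
             Select-Object -Last 1).KeyProtectorId
    if ($BackupToAD) {
        # Needs the "Store BitLocker recovery information in AD DS" policy in place.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rpId | Out-Null
    }
    # XtsAes256 needs Windows 10 1511 or later; -SkipHardwareTest avoids the
    # reboot-and-check step, which an unattended policy run cannot wait for.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -SkipHardwareTest | Out-Null
    return (Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus
}

# Policy body as a Bridge script would run it: detect, then remediate.
if (-not (Test-BitLockerCompliant)) { Enable-OsDriveBitLocker -BackupToAD }
```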

A retailer might use kiosk mode for a shared Windows laptop or tablet, giving each employee a separate kiosk account and retiring the accounts as employees leave. Another scenario that MobileIron Bridge supports is setting up multiple user accounts on a PC, such as one used by contractors, for job-sharers, across shifts involving different departments in a "hoteling" workplace, or even by employees working from home on a personal PC. Working in concert with Azure Active Directory, IT can use MobileIron Bridge to remotely set up the multiple accounts, determine which accounts can share data with each other, and which accounts run in kiosk mode, then retire accounts as users leave.

MobileIron Bridge also lets IT install .exe apps onto Windows 10 PCs; Microsoft's EMM APIs support installation only of .msi and .appx software, which means most legacy apps aren't supported for remote, policy-based installation. MobileIron comes with a graphical interface to install such .exe apps, but it also can install other binaries using a command-line interface, again using scripts as it does for GPO deployment.

[Figure: MobileIron Bridge can install legacy .exe apps onto Windows 10 PCs via EMM policies; example apps are highlighted here.]

Ojas Rege, MobileIron's chief strategy officer, notes that when iPhones entered the enterprise in the late 2000s, IT couldn't reuse any of the many policies they had painstakingly set up in BlackBerry Enterprise Service for their BlackBerrys.

Thus, they had to start from scratch. MobileIron Bridge's GPO support gives IT an easier path to transition Windows 10 PCs from traditional management approaches to the EMM one used on other devices, he says. However, Rege suggests that IT shops not deploy all their existing GPOs as is on Windows 10 PCs; they should use the EMM transition to evaluate what policies they still really need -- BlackBerry shops soon realized they didn't need all 450 BES policies, for example -- and deploy those in a staged approach. "It should be done with a change-management process," he says. MobileIron Bridge will support Windows 10 Professional and Enterprise Editions, though some supported Windows 10 capabilities such as kiosk mode require the Enterprise Edition. Licenses will cost $3 per PC.
It's now in prerelease at some customers, and the company hopes to make it generally available by January 2017.

Lockdown! Harden Windows 10 for maximum security

You may have heard that Microsoft has made Windows 10 more secure than any of its predecessors, packing it with security goodies. What you might not know is that some of these vaunted security features aren’t available out of the box or they require additional hardware -- you may not be getting the level of security you bargained for. Features such as Credential Guard are available for only certain editions of Windows 10, while the advanced biometrics promised by Windows Hello require a hefty investment in third-party hardware. Windows 10 may be the most secure Windows operating system to date, but the security-savvy organization -- and individual user -- needs to keep the following hardware and Windows 10 edition requirements in mind in order to unlock the necessary features to achieve optimum security. Note: Presently, there are four desktop editions of Windows 10 -- Home, Pro, Enterprise, and Education -- along with multiple versions of each, offering varying levels of beta and preview software.
InfoWorld’s Woody Leonhard breaks down which version of Windows 10 to use.

The following Windows 10 security guide focuses on standard Windows 10 installations -- not Insider Previews or Long Term Servicing Branch -- and includes Anniversary Update where relevant.
The right hardware

Windows 10 casts a wide net, with minimum hardware requirements that are undemanding.

As long as you have the following, you’re good to upgrade from Win7/8.1 to Win10: 1GHz or faster processor, 2GB of memory (for Anniversary Update), 16GB (for 32-bit OS) or 20GB (64-bit OS) disk space, a DirectX 9 graphic card or later with WDDM 1.0 driver, and an 800-by-600-resolution (7-inch or larger screens) display.

That describes pretty much any computer from the past decade. But don’t expect your baseline machine to be fully secure, as the above minimum requirements won’t support many of the cryptography-based capabilities in Windows 10. Win10’s cryptography features require Trusted Platform Module 2.0, which provides a secure storage area for cryptographic keys and is used to encrypt passwords, authenticate smartcards, secure media playback to prevent piracy, protect VMs, and secure hardware and software updates against tampering, among other functions. Modern AMD and Intel processors (Intel Management Engine, Intel Converged Security Engine, AMD Security Processor) already support TPM 2.0, so most machines bought in the past few years have the necessary chip.
Intel’s vPro remote management service, for example, uses TPM to authorize remote PC repairs.

But it’s worth verifying whether TPM 2.0 exists on any system you upgrade, especially given that Anniversary Update requires TPM 2.0 support in the firmware or as a separate physical chip.

A new PC, or systems installing Windows 10 from scratch, must have TPM 2.0 from the get-go, which means having an endorsement key (EK) certificate preprovisioned by the hardware vendor as it is shipped.

Alternatively, the device can be configured to retrieve the certificate and store it in TPM the first time it boots up. Older systems that don’t support TPM 2.0 -- either because they don’t have the chip installed or are old enough that they have only TPM 1.2 -- will need to get a TPM 2.0-enabled chip installed. Otherwise, they will not be able to upgrade to Anniversary Update at all. While some of the security features work with TPM 1.2, it’s better to get TPM 2.0 whenever possible.

TPM 1.2 supports only RSA and the SHA-1 hashing algorithm, and considering the SHA-1 to SHA-2 migration is well under way, sticking with TPM 1.2 is problematic.

TPM 2.0 is much more flexible, as it supports SHA-256 and elliptic curve cryptography. Unified Extensible Firmware Interface (UEFI) BIOS is the next piece of must-have hardware for achieving the most secure Windows 10 experience.

The device needs to be shipped with UEFI BIOS enabled to allow Secure Boot, which ensures that only operating system software, kernels, and kernel modules signed with a known key can be executed during boot time.
Secure Boot blocks rootkits and BIOS-malware from executing malicious code.
Secure Boot requires firmware that supports UEFI v2.3.1 Errata B and has the Microsoft Windows Certification Authority in the UEFI signature database. While a boon from a security perspective, Microsoft designating Secure Boot mandatory for Windows 10 has run into controversy, as it makes it harder to run unsigned Linux distributions (such as Linux Mint) on Windows 10-capable hardware. Anniversary Update won’t install unless your device is UEFI 2.3.1-compliant or later.

Beefing up authentication, identity

Password security has been a significant issue in the past few years, and Windows Hello moves us closer to a password-free world as it integrates and extends biometric logins and two-factor authentication to "recognize" users without passwords. Windows Hello also manages to be simultaneously the most accessible and inaccessible security feature of Windows 10. Yes, it is available across all Win10 editions, but it requires significant hardware investment to get the most out of what it has to offer. To protect credentials and keys, Hello requires TPM 1.2 or later.

But for devices where TPM is not installed or configured, Hello can use software-based protection to secure credentials and keys instead, so Windows Hello is accessible to pretty much any Windows 10 device. But the best way to use Hello is to store biometric data and other authentication information in the on-board TPM chip, as the hardware protection makes it more difficult for attackers to steal them.

Further, to take full advantage of biometric authentication, additional hardware -- such as a specialized illuminated infrared camera or a dedicated iris or fingerprint reader -- is necessary. Most business-class laptops and several lines of consumer laptops ship with fingerprint scanners, enabling businesses to get started with Hello under any edition of Windows 10.

But the marketplace is still limited when it comes to depth-sensing 3D cameras for facial recognition and retina scanners for iris-scanning, so Windows Hello’s more advanced biometrics is a future possibility for most, rather than a daily reality. Available for all Windows 10 editions, Windows Hello Companion Devices is a framework for allowing users to use an external device -- such as a phone, access card, or wearable -- as one or more authenticating factors for Hello. Users interested in working with Windows Hello Companion Device to roam with their Windows Hello credentials between multiple Windows 10 systems must have Pro or Enterprise installed on each one. Windows 10 formerly had Microsoft Passport, which enabled users to log in to trusted applications via Hello credentials. With Anniversary Update, Passport no longer exists as a separate feature but is incorporated into Hello.

Third-party applications that use the Fast Identity Online (FIDO) specification will be able to support single sign-on by way of Hello.

For example, the Dropbox app can be authenticated directly via Hello, and Microsoft’s Edge browser enables integration with Hello to extend to the web.
It’s possible to turn on the feature in a third-party mobile device management platform, as well. The password-less future is coming, but not quite yet.

Keeping malware out

Windows 10 also introduces Device Guard, technology that flips traditional antivirus on its head.

Device Guard locks down Windows 10 devices, relying on whitelists to let only trusted applications be installed. Programs aren’t allowed to run unless they are determined safe by checking the file’s cryptographic signature, which ensures all unsigned applications and malware cannot execute.

Device Guard relies on Microsoft’s own Hyper-V virtualization technology to store its whitelists in a shielded virtual machine that system administrators can’t access or tamper with.

To take advantage of Device Guard, machines must run Windows 10 Enterprise or Education and support TPM, hardware CPU virtualization, and I/O virtualization.

Device Guard relies on Windows hardening such as Secure Boot. AppLocker, available only for Enterprise and Education, can be used with Device Guard to set up code integrity policies.

For example, administrators can decide to limit which universal applications from the Windows Store can be installed on a device. Configurable code integrity is another Windows component that verifies that the code running is trusted and safe. Kernel mode code integrity (KMCI) prevents the kernel from executing unsigned drivers.

Administrators can manage the policies at the certificate authority or publisher level as well as the individual hash values for each binary executable.
Since much of commodity malware tends to be unsigned, deploying code integrity policies lets organizations immediately protect against unsigned malware. Windows Defender, first released as standalone software for Windows XP, became Microsoft’s default malware protection suite, with antispyware and antivirus, in Windows 8.

Defender is automatically disabled when a third-party antimalware suite is installed.
If there is no competing antivirus or security product installed, make sure that Windows Defender, available across all editions and with no specific hardware requirements, is turned on. For Windows 10 Enterprise users, there is Windows Defender Advanced Threat Protection, which offers real-time behavioral threat analysis to detect online attacks.

Securing data

BitLocker, which secures files in an encrypted container, has been around since Windows Vista and is better than ever in Windows 10. With Anniversary Update, the encryption tool is available for Pro, Enterprise, and Education editions. Much like Windows Hello, BitLocker works best if TPM is used to protect the encryption keys, but it can also use software-based key protection if TPM does not exist or is not configured. Protecting BitLocker with a password provides the most basic defense, but a better method is to use a smartcard or the Encrypting File System to create a file encryption certificate to protect associated files and folders. When BitLocker is enabled on the system drive and brute-force protection is enabled, Windows 10 can restart the PC and lock access to the hard drive after a specified number of incorrect password attempts. Users would have to type the 48-character BitLocker recovery key to start the device and access the disk.

To enable this feature, the system would need to have UEFI firmware version 2.3.1 or later. Windows Information Protection, formerly Enterprise Data Protection (EDP), is available only for Windows 10 Pro, Enterprise, or Education editions.
It provides persistent file-level encryption and basic rights management, while also integrating with Azure Active Directory and Rights Management services.
Information Protection requires some kind of mobile device management -- Microsoft Intune or a third-party platform such as VMware’s AirWatch -- or System Center Configuration Manager (SCCM) to manage the settings.

An admin can define a list of Windows Store or desktop applications that can access work data, or block them entirely. Windows Information Protection helps control who can access data to prevent accidental information leakage. Active Directory helps ease management but is not required to use Information Protection, according to Microsoft.

Virtualizing security defenses

Credential Guard, available only for Windows 10 Enterprise and Education, can isolate “secrets” using virtualization-based security (VBS) and restrict access to privileged system software.
It helps block pass-the-hash attacks, although security researchers have recently found ways to bypass the protections.

Even so, having Credential Guard is still better than not having it at all.
It runs only on x64 systems and requires UEFI 2.3.1 or greater.
Virtualization extensions such as Intel VT-x, AMD-V, and SLAT must be enabled, as well as IOMMU such as Intel VT-d, AMD-Vi, and BIOS Lockdown.

TPM 2.0 is recommended in order to enable Device Health Attestation for Credential Guard, but if TPM is not available, software-based protections can be used instead. Another Windows 10 Enterprise and Education feature is Virtual Secure Mode, which is a Hyper-V container that protects domain credentials saved on Windows.

Other security goodies

Windows 10 supports mobile device management across all editions, but needs to be integrated with a separate MDM platform, such as Microsoft Intune or a third-party platform such as VMware’s AirWatch.
If MDM is on the list, the best scenario would be to avoid Windows 10 Home, as not all capabilities are available in that edition. MDM and SCCM platforms can also use the Windows Device Health Attestation Service, available across all editions, to manage conditional access scenarios. Group Policy is a powerful tool for Windows administrators, but it is available with only Pro, Enterprise, and Education editions.

Domain join and Azure Active Directory Domain join, which enable single sign-on for cloud-hosted applications, are also powerful administrator tools available for Pro, Enterprise, and Education editions.

Azure Directory Domain join requires a separate Azure Active Directory. Though not strictly a security feature, Assigned Access lets administrators lock down the interface on Windows 10 devices so that users are limited to specific tasks.

Available only with an Enterprise E3 subscription (or Education), Assigned Access can restrict access to services; block access to Shut Down, Restart, Sleep, and Hibernate commands; and prevent changes to the Start menu, the taskbar, or the Start screen. Organizations that have deployed DirectAccess infrastructure for remote access will need Windows 10 Enterprise or Education to connect.

Picking what you need

While Windows 10 Home may be the most limited of the desktop editions when it comes to security, that doesn’t mean users have to shell out for Enterprise to get any of the new features. Regardless of edition, Windows 10 is Microsoft’s most secure operating system to date, and a constant release of security patches, feature updates, and version upgrades will keep it that way.

Everyone’s security needs are different. Make sure to buy the edition and establish the configuration that gives you the optimal security you are looking for.
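As an added example, not from the guide: a PowerShell audit of the prerequisites the guide lists (TPM 2.0, UEFI and Secure Boot, virtualization extensions and IOMMU for Device Guard and Credential Guard, 64-bit, edition), turned into findings. Function names are mine; it assumes an elevated run on Windows 10 and that the Win32_Tpm and Win32_DeviceGuard WMI classes are present.

```powershell
# Added example (not from the guide). Assumes an elevated run on Windows 10.
#Requires -RunAsAdministrator

function Get-Win10SecurityPrereqs {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    # Win32_Tpm lives in its own namespace; SpecVersion reads like "2.0, 0, 1.16" or "1.2, 2, 3".
    $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm `
               -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }
    # Confirm-SecureBootUEFI errors out on legacy BIOS, so an error means "not UEFI".
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop; $uefi = $true }
    catch { $secureBoot = $false; $uefi = $false }
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = VBS running;
    # SecurityServicesRunning contains 1 when Credential Guard is running;
    # AvailableSecurityProperties contains 3 when DMA (IOMMU) protection is available.
    $dg = Get-CimInstance -Namespace root/Microsoft/Windows/DeviceGuard -ClassName Win32_DeviceGuard `
              -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        Edition                = $os.Caption
        Is64Bit                = ($os.OSArchitecture -like '64*')
        TpmPresent             = [bool]$tpm
        TpmSpec                = $tpmSpec
        Tpm20                  = ($tpmSpec -eq '2.0')
        Uefi                   = $uefi
        SecureBootOn           = [bool]$secureBoot
        VirtFirmwareEnabled    = [bool]$cpu.VirtualizationFirmwareEnabled
        Slat                   = [bool]$cpu.SecondLevelAddressTranslationExtensions
        DmaProtection          = [bool]($dg -and ($dg.AvailableSecurityProperties -contains 3))
        VbsRunning             = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    }
}

function Test-Win10SecurityPrereqs {
    # Turns the audit object into findings, each tied to a requirement from the guide.
    param($r = (Get-Win10SecurityPrereqs))
    $findings = @()
    if (-not $r.Is64Bit)       { $findings += 'Not x64: Credential Guard unavailable' }
    if (-not $r.TpmPresent)    { $findings += 'No TPM: BitLocker and Hello fall back to software key protection' }
    elseif (-not $r.Tpm20)     { $findings += "TPM $($r.TpmSpec) only: Anniversary Update needs TPM 2.0; RSA/SHA-1 only" }
    if (-not $r.Uefi)          { $findings += 'Legacy BIOS: Secure Boot, Device Guard and Credential Guard unavailable' }
    elseif (-not $r.SecureBootOn) { $findings += 'UEFI present but Secure Boot is off' }
    if (-not ($r.VirtFirmwareEnabled -and $r.Slat)) { $findings += 'VT-x/AMD-V or SLAT disabled in firmware: VBS cannot start' }
    if (-not $r.DmaProtection) { $findings += 'No IOMMU (VT-d/AMD-Vi) protection reported for VBS' }
    if ($r.Edition -match 'Home') { $findings += 'Home edition: BitLocker, Group Policy and domain join unavailable' }
    elseif ($r.Edition -notmatch 'Enterprise|Education') { $findings += 'Device Guard and Credential Guard need Enterprise or Education' }
    return $findings
}

# Usage: an empty result means every listed prerequisite is met on this machine.
Test-Win10SecurityPrereqs
```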

MS16-100 – Important: Security Update for Secure Boot (3179577) – Version:...

Security Update for Secure Boot (3179577)

Published: August 9, 2016
Version: 1.0

This security update resolves a vulnerability in Microsoft Windows.

The vulnerability could allow security feature bypass if an attacker installs an affected boot manager and bypasses Windows security features.

This security update is rated Important for all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

For more information, see the Affected Software and Vulnerability Severity Ratings section.

The security update addresses the vulnerability by blacklisting affected boot managers.

For more information about the vulnerability, see the Vulnerability Information section. For more information about this update, see Microsoft Knowledge Base Article 3179577.

The following software versions or editions are affected.
Versions or editions that are not listed are either past their support life cycle or are not affected.

To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The following severity ratings assume the potential maximum impact of the vulnerability.

For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the Aug bulletin summary.

[1] This update is only available via Windows Update.

[2] Windows 10 updates are cumulative.

The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates.

The updates are available via the Microsoft Update Catalog.

* The Updates Replaced column shows only the latest update in any chain of superseded updates.

For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

Note: The vulnerability discussed in this bulletin affects Windows Server 2016 Technical Preview 5.

To be protected from the vulnerability, Microsoft recommends that customers running this operating system apply the current update, which is available from Windows Update.

Secure Boot Security Feature Bypass Vulnerability – CVE-2016-3320

A security feature bypass vulnerability exists when Windows Secure Boot improperly loads a boot manager that is affected by the vulnerability.

An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded onto a target device.

Furthermore, the attacker could bypass Secure Boot Integrity Validation for BitLocker and Device Encryption security features.

To exploit the vulnerability, an attacker who has gained administrative privileges or who has physical access to a target device could install an affected boot manager.

The security update addresses the vulnerability by blacklisting affected boot managers.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title: Secure Boot Security Feature Bypass Vulnerability
CVE number: CVE-2016-3320
Publicly disclosed: No
Exploited: No

Mitigating Factors

The following mitigating factors may be helpful in your situation: To exploit the vulnerability, an attacker must have either administrative privileges or physical access to the target device.

Workarounds

The following workarounds may be helpful in your situation:

Configure BitLocker to use Trusted Platform Module (TPM)+PIN protection

To enable the TPM and PIN protector, enable the enhanced protection group policy as follows:

1. Click Start, click Run, type gpedit.msc, and then click OK to open the Local Group Policy Editor.
2. Under Local Computer Policy, navigate to Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
3. In the right-hand pane, double-click Require additional authentication at startup.
4. In the dialog box that appears, click Enabled.
5. Under Options, select Require TPM and Require startup PIN with TPM.
6. Click Apply and exit the Local Group Policy Editor.
7. Open the command prompt with Administrator privileges.
8. Enter the following command: manage-bde -protectors -add c: <OR OS volume letter> -tpmandpin
9. When prompted for a PIN, enter a 4 or 6-digit PIN.
10. Restart the system.

Impact of workaround. The user will be required to enter the PIN every time the computer restarts.
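As an added example, not from the bulletin: the TPM+PIN workaround applied from PowerShell instead of gpedit.msc and manage-bde. The registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are the local-policy backing of the "Require additional authentication at startup" setting, and their 0/1/2 meanings are my reading of the ADMX rather than text from the bulletin; function names are mine, and it assumes the BitLocker module, an already TPM-protected OS drive and an elevated run.

```powershell
# Added example (not from the bulletin). Assumes the BitLocker module, a
# TPM-protected OS drive and an elevated run; registry value meanings are assumed.
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-RequireTpmAndPinPolicy {
    # Writes the policy behind "Require additional authentication at startup".
    # Assumed value meaning for the UseTPM* entries: 0 = do not allow, 1 = require, 2 = allow.
    param([switch]$Undo)
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    $mode = if ($Undo) { 2 } else { 1 }        # Require for the workaround, Allow to undo it
    $values = [ordered]@{
        UseAdvancedStartup = 1      # policy Enabled
        EnableBDEWithNoTPM = 0      # do not allow BitLocker without a compatible TPM
        UseTPM             = $mode  # TPM only
        UseTPMPIN          = $mode  # TPM + startup PIN
        UseTPMKey          = 2      # startup-key variants left at Allow
        UseTPMKeyPIN       = 2
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $FvePolicy -Name $name -Value $values[$name] -Type DWord
    }
    return (Get-ItemProperty -Path $FvePolicy).UseTPMPIN
}

function Add-TpmAndPinProtector {
    # Equivalent of the bulletin's step: manage-bde -protectors -add c: -tpmandpin
    # BitLocker keeps a single TPM-based protector per volume, so the TPM-only one is superseded.
    param([Parameter(Mandatory)][SecureString]$Pin,
          [string]$MountPoint = $env:SystemDrive)
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    $types = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
    return ($types -contains 'TpmPin')
}

# Usage: set the policy, add the protector, then restart as the bulletin says.
Set-RequireTpmAndPinPolicy | Out-Null
Add-TpmAndPinProtector -Pin (Read-Host -AsSecureString -Prompt 'Startup PIN')
```

Set-RequireTpmAndPinPolicy -Undo flips both entries back to Allow, which is the registry form of the bulletin's undo steps.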
How to undo the workaround

1. Click Start, click Run, type gpedit.msc, and then click OK to open the Local Group Policy Editor.
2. Under Local Computer Policy, navigate to Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
3. In the right-hand pane, double-click “Require additional authentication at startup”.
4. In the dialog box that appears, click Enabled.
5. Under Options, select Allow TPM and Allow startup PIN with TPM.
6. Click Apply and exit the Local Group Policy Editor.
7. Restart the system.

Disable Secure Boot integrity protection of BitLocker

To disable Secure Boot, you must follow each of the steps in order.

Disable BitLocker
1. Open Control Panel and then click BitLocker Drive Encryption.
2. Click Turn off BitLocker. In the BitLocker Drive Encryption dialog box, click Turn off BitLocker.
3. Exit Control Panel.

Disable Secure Boot
1. Click Start, click Run, type gpedit.msc, and then click OK to open the Local Group Policy Editor.
2. Under Local Computer Policy, navigate to Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
3. Double-click Allow Secure Boot for integrity validation.
4. In the dialog box that appears, click Disabled.
5. Click Apply and exit the Local Group Policy Editor.

Re-enable BitLocker
1. Open Control Panel, then click BitLocker Drive Encryption.
2. Click Turn on BitLocker. In the BitLocker Drive Encryption dialog box, click Turn on BitLocker.
3. Exit Control Panel.

Impact of workaround. Disabling Secure Boot may cause systems to enter BitLocker recovery mode more often when you update firmware versions or BCD settings.

How to undo the workaround.

Disable BitLocker
1. Open Control Panel, then click BitLocker Drive Encryption.
2. Click Turn off BitLocker. In the BitLocker Drive Encryption dialog box, click Turn off BitLocker.
3. Exit Control Panel.

Enable Secure Boot
1. Click Start, click Run, type gpedit.msc, and then click OK to open the Local Group Policy Editor.
2. Under Local Computer Policy, navigate to Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
3. Double-click Allow Secure Boot for integrity validation.
4. In the dialog box that appears, click Enabled.
5. Click Apply and exit the Local Group Policy Editor.

Re-enable BitLocker
1. Open Control Panel, then click BitLocker Drive Encryption.
2. Click Turn on BitLocker. In the BitLocker Drive Encryption dialog box, click Turn on BitLocker.
3. Exit Control Panel.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure.
See Acknowledgments for more information.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

V1.0 (August 9, 2016): Bulletin published.

Microsoft silently kills dev backdoor that lets you boot Linux on...

Patch Tuesday wasn't just about browser bugs

Microsoft has quietly killed a vulnerability that can be exploited to unlock ARM-powered Windows RT tablets and boot non-Redmond-approved operating systems. The Register has learned that one of the security holes addressed this week in the July edition of Microsoft's Patch Tuesday closes a backdoor left in Windows RT by its programmers. That backdoor can be exploited to unlock the slab's bootloader and start up an operating system of your choice, such as GNU/Linux or Android, provided it supports the underlying hardware. Normally, Windows RT devices are locked down to only boot software cryptographically signed by Microsoft.

That's left some Windows RT owners frustrated because they're unable to switch to another OS: the firmware refuses to accept non-Microsoft code, and curious minds have been trying for years now to defeat these defenses and run whatever they want.

The bootloader cannot be unlocked even if you have administrator-level access on the device. Windows RT is essentially Windows 8.x ported to devices powered by 32-bit ARMv7-compatible processors.
It is a dead-end operating system, though: Microsoft has stopped developing it, and mainstream support for Surface RT tabs runs out in 2017 and Windows RT 8.1 in 2018. This is why a means to bypass its boot mechanisms is highly sought. Yet, one was right under everyone's noses in the operating system – and MS16-094 released this week closes that hole, according to computer security sources who asked to remain anonymous. So if you want to investigate how to unlock your Windows RT slab, hold off applying that particular patch, and study the changes it will make to the system to reveal where the backdoor lies and how to exploit it. We're told it doesn't involve editing the registry – an area some people have looked at – rather it involves applying a specially crafted policy.

According to Microsoft's advisory on MS16-094, the fix blacklists that magic unlock policy:

"A security feature bypass vulnerability exists when Windows Secure Boot improperly applies an affected policy. An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded on a target device. In addition, an attacker could bypass the Secure Boot Integrity Validation for BitLocker and the Device Encryption security features. To exploit the vulnerability, an attacker must either gain administrative privileges or physical access to a target device to install an affected policy. The security update addresses the vulnerability by blacklisting affected policies."

Details on how to evade the Secure Boot defenses are not public. Before unlocking the bootloader, though, we're told you should run manage-bde -protectors C: -disable to make sure BitLocker is disarmed, or your slab won't boot. We've asked Microsoft if it plans to open up RT devices and let users install other operating systems.

This is the response we got back: "Microsoft released security update MS16-094, and customers who have Windows Update enabled and have applied the July security updates are protected automatically."

So, that's a no, then. ®

Webpages, Word files, print servers menacing Windows PCs, and disk encryption...

Plus: 52 security bugs fixed in Adobe Flash

Microsoft will fix critical holes in Internet Explorer, Edge, Office and Windows with this month's Patch Tuesday security bundle. Meanwhile, Adobe has patched dozens of exploitable vulnerabilities in its Flash player. Redmond's July release includes 11 sets of patches, six rated as "critical" and five classified as "important." The highlights are: a BitLocker device encryption bypass, evil print servers executing code on vulnerable machines, booby-trapped webpages and Office files injecting malware into PCs, and the usual clutch of privilege elevation flaws. Get patching now before miscreants develop and distribute code exploiting the programming blunders. As far as we can tell, none of the bugs below are being exploited in the wild right now.

MS16-084 is a cumulative fix for Internet Explorer that addresses 15 CVE-listed vulnerabilities, including five memory corruption bugs and four scripting engine memory corruption bugs that can be exploited to execute code remotely on vulnerable machines. In other words, opening up a booby-trapped website that exploits these flaws could lead to malware infecting your PC. "The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user," said Microsoft.

MS16-085 is also a cumulative browser fix, this time for the new Edge browser. Among the 13 CVE-listed holes in Edge are five remote code execution flaws in the Chakra JavaScript engine. Also patched are three information disclosure flaws, three spoofing vulnerabilities, and two other memory corruption flaws. Again, a malicious webpage could use these security holes to infect PCs with software nasties.

MS16-088 patches seven memory corruption vulnerabilities in Office. The flaws could allow remote code execution if opened as local documents or information disclosure if targeted at SharePoint or Office Web Apps server. Office for Mac users will receive an update as well. Basically, malicious software can be smuggled in Office documents and will infect computers when opened.

MS16-094 remedies a security bypass flaw in Windows Secure Boot. An attacker with admin or physical access – such as a thief or someone who has seized your PC – can exploit the vulnerability to install a policy that bypasses BitLocker and disk encryption. "A security feature bypass vulnerability exists when Windows Secure Boot improperly applies an affected policy," Microsoft explained. "An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded on a target device. In addition, an attacker could bypass the Secure Boot Integrity Validation for BitLocker and the Device Encryption security features. To exploit the vulnerability, an attacker must either gain administrative privileges or physical access to a target device to install an affected policy. The security update addresses the vulnerability by blacklisting affected policies."

MS16-093 is Microsoft's distribution of this month's Adobe Flash Player security fixes. In all, 24 CVE-listed flaws are addressed, including remote code execution vulnerabilities. Users running Windows 8.1 and later and Server 2012 will get this update automatically. Older versions will need to get the update from Adobe (more details below).

MS16-086 covers a single remote code execution flaw in the JScript and VBScript engines for Windows Vista and Server 2008. Later versions are not affected. "The vulnerability could allow remote code execution if a user visits a specially crafted website," admitted Microsoft.

MS16-090 addresses six elevation of privilege vulnerabilities in all supported versions of Windows and Windows Server. An attacker can run a specially crafted application that exploits the kernel-level flaws to increase their user permissions and take over the system.

MS16-087 is an update for flaws in the print spooler component of Windows: a man-in-the-middle attacker on a network can execute code on a remote vulnerable machine, or elevate their privileges if already running code on a system. Essentially, a rogue printer server on a network can inject malware into connected PCs. All supported versions of Windows and Windows Server are vulnerable. "A remote code execution vulnerability exists when the Windows Print Spooler service does not properly validate print drivers while installing a printer from servers," Microsoft confessed. "An attacker who successfully exploited this vulnerability could use it to execute arbitrary code and take control of an affected system. An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application."

MS16-089 fixes a single information disclosure flaw triggered when the Windows 10 kernel improperly handles objects in memory.

MS16-091 is a patch for an information disclosure flaw in the .NET Framework triggered by running an XML file on a web application. The bug is found in all supported versions of Windows and Windows Server.

MS16-092 addresses two flaws in the Windows kernel, one that discloses information about the kernel and another bypassing security access checks. All supported versions of Windows and Windows Server should be updated.

Meanwhile, Adobe is applying a few more strips of duct tape to holes in the internet's screen door with the July Flash Player update. Windows, OS X, Linux, and ChromeOS users should check to make sure they have the latest version of the software. In total, this month's patch remedies 52 CVE-listed vulnerabilities. If targeted, 49 of those would allow remote code execution, while the other three would allow information disclosure and memory leaks. Adobe has also released an update for Acrobat/Reader and XMP Toolkit for Java. ®

MS16-094 – Important: Security Update for Secure Boot (3177404) – Version:...

Security Update for Secure Boot (3177404)

Published: July 12, 2016 | Updated: July 18, 2016
Version: 1.1

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow Secure Boot security features to be bypassed if an attacker installs an affected policy on a target device. An attacker must have either administrative privileges or physical access to install a policy and bypass Secure Boot.

This security update is rated Important for all supported editions of Windows 8.1, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows 10. For more information, see the Affected Software and Vulnerability Severity Ratings section.

The security update addresses the vulnerability by blacklisting affected policies. For more information about the vulnerabilities see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3175677.

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the July bulletin summary.

[1] This update is only available via Windows Update.

[2] Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.

Note: The vulnerability discussed in this bulletin affects Windows Server 2016 Technical Preview 4 and Windows Server 2016 Technical Preview 5. An update is available for Windows Server 2016 Technical Preview 5 via Windows Update. However, no update is available for Windows Server 2016 Technical Preview 4. To be protected from the vulnerability, Microsoft recommends that customers running Windows Server 2016 Technical Preview 4 upgrade to Windows Server 2016 Technical Preview 5.

*The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

I am running Windows Server 2012. Do I need to install the 3170377 and 3172727 updates in a particular order?

No. The 3170377 and 3172727 updates both contain the same components and can be installed in any order.
Installing one and then the other without a system restart in between is allowed; however, if you install the 3172727 update first and then restart the system, subsequent attempts to install the 3170377 update will display the message, "The update is not applicable to your computer." This is because the 3172727 update supersedes the 3170377 update by design.

Secure Boot Security Feature Bypass Vulnerability – CVE-2016-3287

A security feature bypass vulnerability exists when Windows Secure Boot improperly applies an affected policy. An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded on a target device. In addition, an attacker could bypass the Secure Boot Integrity Validation for BitLocker and the Device Encryption security features.

To exploit the vulnerability, an attacker must either gain administrative privileges or physical access to a target device to install an affected policy. The security update addresses the vulnerability by blacklisting affected policies.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title: Secure Boot Security Feature Bypass Vulnerability
CVE number: CVE-2016-3287
Publicly disclosed: Yes
Exploited: No

Mitigating Factors

The following mitigating factors may be helpful in your situation: To exploit the vulnerability, an attacker must have either administrative privileges or physical access to the target device.

Workarounds

The following workarounds may be helpful in your situation:

Configure BitLocker to use Trusted Platform Module (TPM)+PIN protection

To enable TPM and PIN protector, enable the enhanced protection group policy as follows:

1. Click Start, click Run, type gpedit.msc, and then click OK to open the Local Group Policy Editor.
2. Under Local Computer Policy, navigate to Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
3. In the right-hand pane, double-click Require additional authentication at startup.
4. In the dialog box that appears, click Enabled.
5. Under Options, select Require TPM and Require startup PIN with TPM.
6. Click Apply and exit the Local Group Policy Editor.
7. Open the command prompt with Administrator privileges.
8. Enter the following command: manage-bde -protectors -add c: <or OS volume letter> -tpmandpin
9. When the command asks for a PIN, enter a 4- or 6-digit PIN.
10. Restart the system.

Impact of workaround. The user will be required to enter the PIN every time the computer restarts.

How to undo the workaround.

1. Click Start, click Run, type gpedit.msc, and then click OK to open the Local Group Policy Editor.
2. Under Local Computer Policy, navigate to Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
3. In the right-hand pane, double-click "Require additional authentication at startup".
4. In the dialog box that appears, click Enabled.
5. Under Options, select Allow TPM and Allow startup PIN with TPM.
6. Click Apply and exit the Local Group Policy Editor.
7. Restart the system.

Disable Secure Boot integrity protection of BitLocker

To disable Secure Boot, you must follow each of the steps in order.

Disable BitLocker:
1. Open Control Panel, then click BitLocker Drive Encryption.
2. Click Turn off BitLocker. In the BitLocker Drive Encryption dialog box, click Turn off BitLocker.
3. Exit Control Panel.

Disable Secure Boot:
1. Click Start, click Run, type gpedit.msc, and then click OK to open the Local Group Policy Editor.
2. Under Local Computer Policy, navigate to Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
3. Double-click Allow Secure Boot for integrity validation.
4. In the dialog box that appears, click Disabled.
5. Click Apply and exit the Local Group Policy Editor.

Re-enable BitLocker:
1. Open Control Panel, then click BitLocker Drive Encryption.
2. Click Turn on BitLocker. In the BitLocker Drive Encryption dialog box, click Turn on BitLocker.
3. Exit Control Panel.

Impact of workaround. Disabling Secure Boot may cause systems to enter BitLocker recovery more often when you update firmware versions or BCD settings.

How to undo the workaround.

Disable BitLocker:
1. Open Control Panel, then click BitLocker Drive Encryption.
2. Click Turn off BitLocker. In the BitLocker Drive Encryption dialog box, click Turn off BitLocker.
3. Exit Control Panel.

Enable Secure Boot:
1. Click Start, click Run, type gpedit.msc, and then click OK to open the Local Group Policy Editor.
2. Under Local Computer Policy, navigate to Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
3. Double-click Allow Secure Boot for integrity validation.
4. In the dialog box that appears, click Enabled.
5. Click Apply and exit the Local Group Policy Editor.

Re-enable BitLocker:
1. Open Control Panel, then click BitLocker Drive Encryption.
2. Click Turn on BitLocker. In the BitLocker Drive Encryption dialog box, click Turn on BitLocker.
3. Exit Control Panel.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure.
See Acknowledgments for more information.

V1.0 (July 12, 2016): Bulletin published.
V1.1 (July 18, 2016): Bulletin revised to add an Update FAQ to inform customers running Windows Server 2012 that they do not need to install the 3170377 and 3172727 updates in a particular order.
Page generated 2016-07-18 11:05-07:00.
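The two workarounds in the bulletin above (TPM+PIN protection, and turning off Secure Boot integrity validation for BitLocker) and the Register article's mention of suspending protectors with manage-bde all change state that an administrator should be able to audit. The following PowerShell is an added example, not part of the bulletin or of Microsoft's own tooling: it reports whether Secure Boot is enforced by firmware, whether BitLocker policy still relies on it for integrity validation, whether a startup PIN is required, and which protectors the OS volume actually carries, flagging TPM-only volumes (the case CVE-2016-3287 weakens, since a policy that bypasses Secure Boot integrity validation would let the TPM unseal the volume master key without any user input) and suspended protection. It assumes the built-in BitLocker and SecureBoot PowerShell modules (Windows 8.1 / Server 2012 R2 and later) and an elevated session. The registry value names OSAllowSecureBootForIntegrity and UseTPMPIN under HKLM\SOFTWARE\Policies\Microsoft\FVE are how I recall the BitLocker ADMX mapping the two policies; treat them as an assumption and verify against your policy template.

```powershell
# Added defender-side audit for the MS16-094 workarounds. Not Microsoft's code.
# Assumes: BitLocker + SecureBoot modules, elevated session. Registry value
# names are an assumption taken from the BitLocker ADMX as I remember it.
#Requires -RunAsAdministrator

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    # Returns $null when the policy key or value is not configured at all.
    param([Parameter(Mandatory)][string]$Name)
    try { (Get-ItemProperty -Path $FvePolicyKey -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-BitLockerSecureBootPosture {
    param([string]$MountPoint = $env:SystemDrive)
    $findings = @()

    # 1. Firmware enforcement: the bulletin's blacklist only helps if Secure Boot is on.
    try {
        if (-not (Confirm-SecureBootUEFI)) { $findings += 'Secure Boot is disabled in firmware' }
    } catch {
        $findings += "Secure Boot state unavailable (legacy BIOS or unsupported): $($_.Exception.Message)"
    }

    # 2. Policy "Allow Secure Boot for integrity validation". A value of 0 is the
    #    bulletin's second workaround (Disabled); absent or non-zero means BitLocker
    #    trusts Secure Boot for platform validation (assumed value name).
    $allowSecureBoot = Get-FvePolicyValue 'OSAllowSecureBootForIntegrity'
    if ($null -eq $allowSecureBoot -or $allowSecureBoot -ne 0) {
        $findings += 'BitLocker uses Secure Boot for integrity validation (policy default or Enabled)'
    }

    # 3. Policy "Require additional authentication at startup": UseTPMPIN = 1 is
    #    "Require startup PIN with TPM", 2 is "Allow" (assumed value name/encoding).
    $useTpmPin = Get-FvePolicyValue 'UseTPMPIN'
    if ($useTpmPin -ne 1) {
        $findings += 'Policy does not require a startup PIN with TPM (UseTPMPIN is not 1)'
    }

    # 4. What the OS volume actually has. ProtectionStatus Off with an encrypted
    #    volume means protectors are suspended (manage-bde -protectors -disable),
    #    i.e. the VMK is stored in the clear until protectors are re-enabled.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "Protection on $($vol.MountPoint) is $($vol.ProtectionStatus) (suspended or not encrypted)"
    }
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    if (($types -contains 'Tpm') -and -not $hasPin) {
        $findings += 'OS volume unlocks with TPM only; a Secure Boot policy bypass could unseal the VMK with no user secret'
    }
    if (-not ($types -contains 'RecoveryPassword')) {
        $findings += 'No recovery password protector; back one up before adding a PIN'
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Volume     = $vol.MountPoint
        Protectors = ($types -join ',')
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

function Add-TpmPinProtector {
    # Module equivalent of the bulletin's "manage-bde -protectors -add c: -tpmandpin"
    # step. Requires the policy above to allow or require a PIN, otherwise the
    # cmdlet refuses; the PIN is read as a SecureString rather than typed in clear.
    param([string]$MountPoint = $env:SystemDrive)
    $pin = Read-Host -Prompt 'Startup PIN (the bulletin suggests 4 or 6 digits)' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

# Report for the OS volume of this machine.
Test-BitLockerSecureBootPosture | Format-List
```

Run the audit before and after applying a workaround: after the TPM+PIN workaround the Protectors field should list TpmPin (and RecoveryPassword) instead of Tpm, and after the Secure Boot workaround the second finding should disappear while the first remains, which is the trade-off the bulletin describes (more frequent recovery prompts on firmware or BCD changes). Adding a TPM-based protector on a volume that already has one replaces it, so keep the recovery password escrowed before calling Add-TpmPinProtector.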

Trend Micro Releases Free Heartbleed Scanners for PC, Mobile

Heartbleed Detector, a Chrome browser plug-in and an Android mobile app, are accessible in the Chrome Web Store and Google Play app store.

Security specialist Trend Micro announced the release of two free Heartbleed scanners for computers and mobile devices designed to verify whether they are communicating with servers that have been compromised by the Heartbleed bug. The solutions, Heartbleed Detector, a Chrome browser plug-in and an Android mobile app, are accessible in the Chrome Web Store and Google Play app store. The Heartbleed security bug was found in the open-source OpenSSL cryptography library, which is widely used to implement the Internet's Transport Layer Security (TLS) protocol. A fixed version of OpenSSL was released on April 7, at the same time as Heartbleed was publicly disclosed; however, several security experts have cautioned against users changing passwords until more information about the nature and extent of the breach becomes available to consumers. At that time, some 17 percent (around half a million) of the Internet's secure Web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers' private keys and users' session cookies and passwords.

"Trend Micro has responded to the Heartbleed threat by offering tools to all Internet users as a solution to protect their personal data," Raimund Genes, chief technology officer at Trend Micro, said in a statement. "With in-app purchases and financial transactions on mobile devices becoming the norm, Trend Micro felt it was vital to offer users a solution designed to enable them to continue operating their devices without worry." Available for Mac and Windows-based computer users, the Trend Micro Heartbleed Detector is a multi-platform plug-in for Chrome that enables users to check for vulnerable URLs and installs with a single click.

Trend Micro researchers have also discovered that mobile apps are just as vulnerable to the Heartbleed bug as Websites. To mitigate this threat, Trend Micro has developed the Heartbleed Detector to check apps on a user's device and the servers they communicate with, to determine if installed apps are vulnerable to the OpenSSL bug. If vulnerable apps are found, the detector then prompts the user with the option to uninstall the app. "Heartbleed is a problem that may never entirely go away, but we are committed to providing and updating our solutions to best protect the data of our customers, and provide essential security on each device they use," Genes said. Earlier this week Trend Micro announced major upgrades to its Complete User Protection solution, which spans PC and mobile endpoints, email and collaboration, and Web security to enable integrated visibility and threat response. Refreshed vulnerability protection capabilities proactively protect against exploits directed at operating system and application vulnerabilities until patches can be deployed, while improved endpoint encryption includes preboot authentication and management for Windows BitLocker and MacOS FileVault native disk encryption.

Wave Brings Encryption Management to the Cloud

Self-encrypting drives as well as Windows BitLocker and Mac FileVault encrypted devices can now all be managed from the cloud.

Simply having an encrypted device is not enough to satisfy regulatory compliance requirements; enterprises need to also be able to manage encrypted devices. It's a challenge that encryption management vendor Wave Systems is tackling with its Wave Cloud solution. Wave Systems this week launched its Wave Cloud 2014 solution enabling enterprises to manage self-encrypting drives (SED) as well as Windows BitLocker and Mac FileVault devices. Most companies are deploying encryption to meet compliance requirements, and that requires proof that a given device is in fact encrypted, Wave Systems CEO Steven Sprague told eWEEK. "An enormous advantage of using a cloud service like ours to manage machines is that you can prove to the regulators that a device was encrypted when it was lost," Sprague said. "Because once a device is lost, you no longer have the device."

Enterprises should think of Wave Cloud as an access control solution for encryption rather than thinking about it as a solution that manages encryption keys, Sprague said. "The keys never actually leave your local device," Sprague said. "In BitLocker and FileVault, the keys are held within the operating system, and with SEDs they are held within the drive controller silicon." What Wave Cloud is managing then are the credentials to gain access to a given machine or SED and then have that machine properly mount its own encryption keys. As such, with an SED for example, Wave Cloud controls the list of authorized users that can unlock the device. The other key capability that Wave Cloud provides is for lost passwords. "What happens when you fire an employee at 5 o'clock, then at 6 o'clock, you realize you need to unlock his laptop," Sprague said. "Some mechanism for a recovery key is important."

One feature that Wave Cloud does not provide is the ability to remotely wipe a device when lost. In Sprague's view, remote wipe is not an effective solution to the problem of lost or stolen encrypted devices. "If you lose your machine and the entire operating system is encrypted, the only time you would have the opportunity to wipe the machine is if a really dumb thief guesses your password and puts your machine on the Internet," Sprague said. "What's more important than remote wipe is the ability to remotely change a user's password." Sprague noted that if an administrator changes a user's password by mistake, they can roll back the change. Rolling back a device-wipe is not as easy.

NSA Impact

Recent revelations about the U.S. National Security Agency (NSA) being able to intercept and read encrypted data are actually increasing demand for Wave Systems' solutions, according to Sprague. "In Europe, the use of encryption will rise, since the effectiveness of network security is going down," Sprague said. Sprague argued that the NSA has done an effective job of network monitoring, which is why encryption is more important than ever before.

He added that the big question for many will be about where a given cloud is hosted.

The NSA could potentially get a court order to view material hosted by a U.S. cloud provider. What Sprague sees happening is individual enterprises and large corporations running their own managed encryption services. It's a model for which Wave Systems is also prepared. "Our service already supports the concept that an enterprise can get started quickly in the cloud and then can migrate to an on-premises enterprise solution," Sprague said. That said, while there are some concerns about government snooping, Sprague argued that's not the primary driver for encryption overall. "For the vast majority of users, it's not about encryption for the purposes of protecting data from a nation-state," Sprague said. "It's about being able to prove that a device was encrypted when lost." Sprague added, "So when a machine is lost, you can assert that all the records that were on the device were actually encrypted." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

How to encrypt (almost) anything

It's all too easy to neglect data security, especially for a small business. While bigger organizations have IT departments, service contracts, and enterprise hardware, smaller...