Tag: Microsoft Security

Microsoft Security Updates Include Windows XP, Server 2003

Microsoft extends its monthly security updates to respond to a rise in cyberattacks and fix serious flaws in Windows XP and Windows Server 2003.

WannaCry FAQ: What you need to know today

Friday May 12th marked the start of the dizzying madness that has been ‘WannaCry’, the largest ransomware infection in history.

Defenders have been running around trying to understand the malware’s capabilities.
In the process, a lot of wires have gotten crossed and we figured it’s time to sit down and set the record straight on what we know, what we wish we knew, and what the near future might hold for us going forward.

Microsoft’s New Security Update Guides Get Mixed Reviews

Microsoft gets a lukewarm response with its new Microsoft Security Guides that replaced Security Bulletins.

Massive vulnerability in Windows Defender leaves most Windows PCs vulnerable

PCs can be compromised when Defender scans an e-mail or IM; patch has been issued.

Here’s how to check if your PC got Microsoft’s fix for...

It’s like Pepsi declaring that Coke just won a taste test: Google Project Zero security researchers discovered a security hole in Microsoft’s Malware Protection Engine, and two days later the Microsoft Security Response Center not only fixed the bug but also rolled out the update through the usual Windows Defender update mechanism. The bug in the main Windows Defender program was described in Security Advisory 4022344.

Chances are good your Windows computer got the fix last night. Google Project Zero security researchers Tavis Ormandy and Natalie Silvanovich are credited with discovering the vulnerability. Ormandy tweeted that the security hole was “the worst Windows remote code exec in recent memory… crazy bad.”

Microsoft rushes emergency fix for critical antivirus bug

The point of antivirus is to keep malware off the system.

A particularly nasty software flaw in Microsoft’s antivirus engine could do the exact opposite and let attackers install malware on vulnerable systems. The critical security vulnerability in the Microsoft Malware Protection Engine affects a number of Microsoft products, including Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, and Microsoft Forefront Endpoint Protection.

These tools are enabled by default in Windows 8, 8.1, 10, and Windows Server 2012.

Microsoft patches most NSA Windows exploits, but vulnerabilities remain

Microsoft on Friday said it had patched most of the Windows vulnerabilities purportedly exploited by the National Security Agency (NSA) using tools that were leaked last week. The Windows flaws were disclosed by the hacking gang Shadow Brokers in a l...

VU#921560: Microsoft OLE URL Moniker improperly handles remotely-linked HTA data

Microsoft OLE uses the URL Moniker to open application data based on the server-provided MIME type, which can allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.

Microsoft Friday false positive: Bluber-A ballsup makes sysadmins blub

Benign and fine but alarms do double-time

Enterprises were faced with all sorts of inconvenience on Friday after a Microsoft security tool incorrectly flagged up benign files as infected with a worm.…

Security fixes delayed as Microsoft postpones Patch Tuesday

A surprise announcement yesterday afternoon rattled Microsoft customers: Patch Tuesday is officially being delayed for a month. Microsoft is being close-mouthed.

A curt, unsigned post on the Microsoft Security Resource Center TechNet blog simply states: "UPDATE: 2/15/17: We will deliver updates as part of the planned March Update Tuesday, March 14, 2017."

Microsoft started documenting its security patches with Security Bulletins in 1998, but the patches arrived at random.
Steve Ballmer announced the Patch Tuesday protocol on Oct. 9, 2003 to “reduce the burden on IT administrators by adding a level of increased predictability and manageability.” Starting with MS03-041, security patches were generally held until the second -- sometimes third or fourth -- Tuesday of the month.

VU#867968: Microsoft Windows SMB Tree Connect Response denial of service vulnerability

Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service on a vulnerable system.

Chrome dev explains how modern browsers make secure UI just about...

The 'LINE OF DEATH' between safe content and untrustworthy stuff is receding every year

Google Chrome engineer Eric Lawrence has described the battle of browser barons against the 'line of death', an ever-diminishing demarcation between trusted content and the no-man's land where phishers dangle their poison.

The line, Lawrence (@ericlaw) says, is a conceptual barrier between content that browser developers control, such as areas around the address bar, and untrusted content like browser windows where attackers can serve malicious material. "If a user trusts pixels above the line of death, the thinking goes, they’ll be safe, but if they can be convinced to trust the pixels below the line, they’re gonna die," Lawrence says.

But the line is receding because untrusted content now appears above the line in tabs, where attackers can enter their chosen web page title and icon. Chevrons that open small windows, which can display extended information on usage of HTTPS, requests for location information, and so on, extend below the line and send trusted data into untrusted territory.

Chevrons with trusted data breach the line. Image: Lawrence.

Those subtle intrusions across the line open avenues for phishers; chevron popups can be faked and 'block' and 'allow' buttons turned into malicious clickable links, for example. In 2005, a remote code execution flaw affecting Firefox was dug up which abused favicons, the untrusted icons websites set that appear in tabs and bookmarks.

The line of death deteriorated in 2012 when Microsoft moved Windows 8 Internet Explorer to its full screen minimalistic immersive mode. Lawrence, then program lead for Internet Explorer with Microsoft, opposed the move and says it made the line of death indistinguishable from content. "... because it (Internet Explorer) was designed with a philosophy of 'content over chrome', there were no reliable trustworthy pixels," he says. "I begged for a persistent trust badge to adorn the bottom-right of the screen - showing a security origin and a lock - but was overruled." He says one Microsoft security wonk built a "visually-perfect" Paypal phishing site that duped the browser and threw fake indicators. "It was terrifying stuff, mitigated only by the hope that no one would use the new mode."

The breaching of the line of death is a boon to picture-in-picture phishing attacks, in which attackers create what appear to be fully functional browsers within a browser.
Immaculate reproductions of browsers, including the trusted sections above the line of death, have been created that fool even eagle-eyed researchers. Microsoft's own security researchers in 2007 would find picture-in-picture attacks to be virtually perfect.

The team of four wrote in a paper titled An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks that the attack vector was so compelling it beat all other phishing techniques, including homograph tricks in which letters of legitimate URLs are replaced with visually similar equivalents from, for example, the Cyrillic alphabet.

Everything is untrusted: The line of death dies in HTML5. Image: Lawrence.

Picture-in-picture attacks also rendered ineffective the then-new extended validation SSL certificate scheme for determining malicious sites.

Extended validation, now mainstream, displays a green address bar padlock for participating and verified sites.

The inconvenient research spooked one large certificate vendor then in talks with Redmond over buddying up for the then-new certificates.

The line of death receded further with the advent of HTML 5, which brought with it the ability for websites, and phishers, to push browsers into fullscreen mode, which wiped any line between trusted and untrusted content.

And the line is all-but-absent on mobile devices, where simplicity and minimalism is king. "We are seeing a lot more hits on phishing links in mobile because it is so much harder to extract necessary information," Sophos senior technology consultant Sean Richmond tells El Reg. "Expanding the URLs is more difficult and it is harder to get the information users need to make decisions, so security awareness can suffer."

Email apps are similarly breaching the line of death. Outlook's modern versions place a trusted message of "this message is from a trusted sender" within the untrusted email contents window, allowing phishers to replicate the notice. "Security UI is hard," Lawrence says.