Monday 18 July 2011

IE9 Kicks Malware Butt

A little while ago, NSS Labs released a report on how the different browsers (IE, Firefox, Chrome etc.) handled malware. And, it appears for the type of malware tested, Microsoft browsers (IE8 good, and IE9 best) kick some malware butt.

NSS Labs report found that IE (8/9) identified  and caught over 90% of the malware threats while the other competing browsers  Safari, Chrome and Firefox caught roughly 13% of the threats. The fact that these three browsers had similar results is not surprising as they all use the same filtering technology. 


Microsoft's IE8 and IE9 use a Smart Filtering technology that scans each URL and executable (EXE) to see if has a digital signature and whether it has been downloaded by other people previously. Though there is a potential for false positives, this system appears to be able to "react" quickly to new threats and block a significant profile of malware threats.  

You can read more about the Microsoft Browser Smart filtering technology here: http://blogs.msdn.com/b/ie/archive/2011/05/17/smartscreen-174-application-reputation-in-ie9.aspx

You can read more about how an add-in for Visual Studio fell foul of the Smart Filter rules here: http://www.itwriting.com/blog/4533-this-is-why-people-ignore-security-warnings-ie9-blocks-official-microsoft-update.html

The report is well presented and very accessible and the results clearly demonstrate one thing: the approach Microsoft has taken with IE and IE9 when dealing with malware clearly works as you can see by the following diagram on the response time to block a potential malware executable.



Straight from the source,  Microsoft heavily promotes the security features for IE9 with the following key features;


  • IE8 is the only browser to block XSS attacks “out-of-the-box.”
  • IE8 introduced the first “out-of-the-box” mechanism to allow sites to prevent ClickJacking attacks.
  • IE8 introduces new functions which allow sites to build more-secure mashups (toStaticHTML(), XDomainRequest) and supports new standards-based mechanisms (Native JSON support, postMessage()).
  • Safer default settings (DEP/NX, per-site AX) mean that users are better-protected than ever before.  Group Policy controls (for ActiveX management, enforced SmartScreen blocking, etc) allow IT administrators to reduce the number of trust decisions users face when using IE8.


I am looking forward to the industry response to this report. Will we see Google say that NSS Labs is in the pocket of MS? Will they dispute the source URL's or EXE's? Or, will they get their act together and implement a proper protection system - cloud based, collaborative, crowd-sourced or whatever... Something.

You can find the NSS Labs report in its entirety here:
http://www.nsslabs.com/assets/noreg-reports/2011/nss%20labs_q2_2011_browsersem_FINAL.pdf

Wednesday 13 July 2011

Microsoft Patch Tuesday July 12th 2011

With this July Microsoft Patch Tuesday update, we see a moderate set of updates in comparison to those lists of updates released by Microsoft for the months of April, May and June. In total there are 4 Microsoft Security Updates with the following rating; 1 rated as Critical, and 3 rated as Important by Microsoft. Given the scope and nature of this month's update, the ChangeBASE team does not expect to find a significant number of issues raised by the AOK Automated Patch Impact Assessment. The Microsoft Security Update M11-055 will require moderate testing prior to deployment due to the core operating system DLL's contained within this update.
Given the nature of the changes and updates included in each of these patches, most systems will require a reboot to successfully implement any and all of the patches and updates released in this July Patch Tuesday release cycle.
Sample Results for Microsoft Update MS11-055

Below this is a snap-shot of the AOK Summary Results report from a sample AOK database and the potential issues raised with each Microsoft Security Update.





Testing Summary
  • MS11-053 : Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (2566220)
  • MS11-054 : Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2555917)
  • MS11-055 : Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2560847)?
  • MS11-056 : Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2507938)?


Patch NameTotal
Issues
Matches
Affected
RebootRatingRAG
Microsoft Security Bulletin MS11-053<1%<1%YESGreen
Microsoft Security Bulletin MS11-054<1%<1%YESGreen
Microsoft Security Bulletin MS11-055<1%<1%YESGreen
Microsoft Security Bulletin MS11-056<1%<1%YESGreen

Legend:
No IssueNo Issues Detected
FixablePotentially fixable application Impact
SeriousSerious Compatibility Issue

Security Update Detailed Summary
MS11-053Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (2566220)
DescriptionThis security update resolves a privately reported vulnerability in the Windows Bluetooth Stack. The vulnerability could allow remote code execution if an attacker sent a series of specially crafted Bluetooth packets to an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability only affects systems with Bluetooth capability.
PayloadBthenum.sys, Bthport.sys, Bthusb.sys, Fsquirt.exe
ImpactCritical - Remote Code Execution

MS11-054Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2555917)
DescriptionThis security update resolves 15 privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.
PayloadWin32k.sys, W32ksign.dll
ImpactImportant - Elevation of Privilege

MS11-055Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2560847)?
DescriptionThis security update resolves a publicly disclosed vulnerability in Microsoft Visio. The vulnerability could allow remote code execution if a user opens a legitimate Visio file that is located in the same network directory as a specially crafted library file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadOmfc.dll, Omfcu.dll_0001
ImpactImportant - Remote Code Execution

MS11-056Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2507938)?
DescriptionThis security update resolves five privately reported vulnerabilities in the Microsoft Windows Client/Server Run-time Subsystem (CSRSS). The vulnerabilities could allow elevation of privilege if an attacker logs on to a user's system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities.
PayloadCsrsrv.dll, Winsrv.dll
ImpactImportant - Elevation of Privilege

Monday 4 July 2011

ChangeBase Delivers Microsoft RDS Compatibility Offering

Microsoft and ChangeBase have teamed up to deliver cutting-edge application compatibility assessment for the Microsoft Remote Data Services Product (RDS).

Now you can assess your application portfolio for compatibility on Windows 7, Server 2008 R2 and Remote Data Services as well check compatibility on  virtualization (App-V) and browser platforms (IE8/9). This is great news as I think it's now a key requirement  for our customers to be able to report and manage the entire application stack from the;

  • Hardware level (64-bit)
  • OS (Windows 7)
  • Server (Server 2008R2 and RDS)
  • Virtualization layer (App-V) 
  • Browser level (IE8/9)
You can read about Microsoft's RDS offering  with a quick description here;
Remote Desktop Services (RDS) in Windows Server 2008 R2 with SP1 provides the ideal platform for companies to implement a centralized desktop strategy, helping organizations improve flexibility and compliance while improving data security and IT’s ability to manage desktops and applications.
Manlio Vecchiet, Director of Product Management, Windows Server and Virtualization at Microsoft. has this to say about this new AOK/Microsoft offering;
"As customers increasingly look at deploying RDS to meet their needs for session virtualization and VDI, new tools to help facilitate adoption are a welcome addition to the market."  "We believe that customers will benefit from tools such as the AOK Tool when addressing RDS application compatibility in the context of a desktop virtualization initiative."
One of my ChangeBase colleagues, Dawn Clifton was truly excited about this new AOK offering and had this to say, "It is always exciting working with the people at Microsoft and it was an absolute pleasure working with the Microsoft RDS team when developing our RDS plugins.  Due to the hard work of everyone involved the project ran smoothly and was completed on time. We are extremely excited about the launch of our new RDS assessment program to help clients with their virtualisation and VDI decision making process."

You can read more about Microsoft's RDS offering in detail here: http://www.microsoft.com/windowsserver2008/en/us/rds-product-home.aspx

And you read the ChangeBase Press Release RDS offering here: http://changebase.com/NewsPage.aspx?page=News/news_release_2011_6_30.xml&style=~/Style/PressRelease.xsl


Friday 1 July 2011

ChangeBase Wins Enterprise Application of the Year 2011

Well, well, well... What a surprise! And, I can't say that I am not more than a little pleased with this one. ChangeBASE AOK was selected as the winner of the TechWorld's Enterprise application of the year.

You can read about the event and the other categories here;
http://news.techworld.com/networking/3288763/techworld-awards-winners-announced/

Also, Here is a quick quote from Martin Brown our Sales Director;
We faced fierce competition in the category. To be nominated and then to win one of the most prestigious awards of the night is a real success in itself. Although TechWorld presented the award to me - I would like to dedicate the win to the whole ChangeBASE team who have been amazing.
I was personally pretty chuffed as the focus for the award was our Browse-It web compatibility assessment offering which was just put into production earlier this year.

You can read the whole ChangeBase Press release here; http://changebase.com/NewsPage.aspx?page=News/news_release_2011_6_30a.xml&style=~/Style/PressRelease.xsl

And, as my old boss used to say, "Now that the celebrations are over - It's back to work!"