Out-of-Band Update MS15-078: Vulnerability in Microsoft font driver could allow remote code execution: July 16, 2015 – KB3079904

This morning at work, with a cup of coffee, I was glancing over the e-mail and was greeted by “ADVANCE NOTIFICATION – Microsoft Out of Band Security Bulletin Release July 20, 2015”

image

So Microsoft will release an emergency Out-of-Band (OOB) security update today that is valid for all windows versions and deals with a remote code execution vulnerability. It’s marked as critical but there is very little other information for the moment.

Just now it became available via MS15-078: Vulnerability in Microsoft font driver could allow remote code execution: July 16, 2015.

This security update resolves a vulnerability in Windows that could allow remote code execution if a user opens a specially crafted document or goes to an untrusted webpage that contains embedded OpenType fonts. To learn more about the vulnerability, see Microsoft Security Bulletin MS15-078.

This security update is rated Critical for all supported releases of Microsoft Windows. For more information, see the Affected Software section.

Windows Server 2012 R2 Datacenter
Windows Server 2012 R2 Standard
Windows Server 2012 R2 Essentials
Windows Server 2012 R2 Foundation
Windows 8.1 Enterprise
Windows 8.1 Pro
Windows 8.1
Windows RT 8.1
Windows Server 2012 Datacenter
Windows Server 2012 Standard
Windows Server 2012 Essentials
Windows Server 2012 Foundation
Windows 8 Enterprise
Windows 8 Pro
Windows 8
Windows RT
Windows Server 2008 R2 Service Pack 1
Windows 7 Service Pack 1
Windows Server 2008 Service Pack 2
Windows Vista Service Pack 2

The funny thing is that is shows up as important and not as critical in Windows Update.

image

Get you’re due diligence done before rolling it out but don’t delay it for to long! It’s a critical one!

Microsoft & Bromium Make Windows 10 Most Secure Endpoint Available

There was some very interesting news last week at the Microsoft World Partner Conference (WPC). Bromium and Microsoft announced a strategic partnership, Microsoft is now endorsing Bromium micro-virtualization and is aligning with Bromium in adopting a security architecture based on isolating critical information on the endpoint in Windows 10. The combination of Bromium and Windows 10 results in the most secure PC available today. You can read all about it here Bromium Partners to Bring Micro-virtualization to Windows 10

Bromium has been around for a while and I have always like the concept. Instead of trying to aim for a 100 percent secure system they acknowledge this is impossible. This means they realize that systems will get malware, zero day exploits, etc. Trying to provide complete protection is impossible. Try and you will fail. This means that we can play with a popular saying and state that “failure is not It’s a certainty”.

Just like any secured system, like a ship for example, the idea is to accept that there will be unavoidable breaches. To mitigate the risk you need to minimize the impact of these breaches. That’s what the water tight doors, the compartmentalization and isolation in ships are for. Banking on a 100 % success rate in avoiding breaches is just unrealistic. Bromium uses this same concept.

When breached It will limit the damage to as small and isolated environment. A temporary environment for that matter, something ships can’t do. Bromium runs every process on the machine in a hardware isolated micro VM, which is based on hardware virtualization technology (minimally VT-x or AMD-V).

innovations-micro-virtualization

Figure courtesy of Bromium

This goes pretty far. Not the internet browser level or e-mail client but every tab and every e-mail you open is isolated this way. If your browser tab gets compromised by a zero day exploit the infection and damage is limited to that browser tab. Or your e-mail message or you word document. All your other documents, browser tabs and word documents are protected. You get the idea. Even better when you close that word document or browser tab, the isolated micro VM in which it existed disappears together with the infection.

Figure courtesy of Bromium

This fits in well with Microsoft its own initiatives. Windows 10 leverages hardware security features such as UEFI secure boot, a Trusted Platform Module (TPM) and virtualization to provide a more secure computing environment already. Windows Server 2016 leverages the combination of hard ware technologies and the hypervisor to create a “Virtual Secure Mode” (VSM) to deliver shielded virtual machines.

While nothing is perfect it is an interesting approach as it protects against the unknown, isolates, minimizes impact and discards malware infections. It buys time to react and respond more long term to threats once they’re known while providing protection even when still unknown. Whereas anti malware only protects against known threats and is very reactive in nature.

Read more here http://www.bromium.com/products/our-technology.html and have a look here How does Bromium protect you?

MS15-068: Vulnerability in Windows Hyper-V could allow remote code execution: July 14, 2015

Hi people, Hyper-V has been blessed with a very good security track record. The few security issues that did arise over the years have always been resolved quickly. Today it’s

time to act fast once again and make sure you have your security & patch process act together.

Note the following:

  • Microsoft has not identified any mitigating factors for this vulnerability.
  • Microsoft has not identified any workarounds for this vulnerability.

This security update resolves vulnerabilities in Windows that could allow remote code execution in a host context if a specially crafted application is run by an authenticated and privileged user on a guest virtual machine that is hosted by Hyper-V. An attacker must have valid logon credentials for a guest virtual machine to exploit this vulnerability.

To learn more about the vulnerability, see Microsoft Security Bulletin MS15-068

This one is critical. So do not delay long after your smoke testing of this patch.You have some time to act but don’t wait too long:

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Go and secure your environment wisely and effectively now.

Migrate A Windows 2003 RADIUS–IAS Server to Windows Server 2012 R2

Some days you walk into environments were legacy services that have been left running for 10 years as:

  1. They do what they need to do
  2. No one dares touch it
  3. Have been forgotten, yet they provide a much used service

Recently I had the honor of migrating IAS that was still running on Windows Server 2003 R2 x86, which was still there for reason 1. Fair enough but with W2K3 going it’s high time to replace it. The good news was it had already been virtualized (P2V) and is running on Hyper-V.

Since Windows 2008 the RADIUS service is provided by Network Policy Server (NPS) role. Note that they do not use SQL for logging.

Now in W2K3 there is no export/import functionality for the configuration in IAS. So are we stuck? Well no, a tool has been provided!

Install a brand new virtual machine with W2K12R2 and update it. Navigate to C:WindowsSysWOW64 folder and grab a copy of IasMigReader.exe.

image

Place IasMigReader.exe in the C:WindowsSystem32 path on the source W2K3 IAS server as that’s configured in the %path% environment variable and it will be available anywhere from the command prompt.

  • Open a elevated command prompt
  • Run IasMigReader.exe

image

  • Copy the resulting ias.txt file from the  C:WindowsSystem32IASfolder. Please keep this file secure it contains password. TIP: As a side effect you can migrate your RADIUS even if no one remembers the shared secrets and you now have them again Winking smile

image

Note: The good news is that in W2K12 (R2) the problem with IasMigReader.exe generating a bad parameter in ias.txt is fixed ((The EAP method is configured incorrectly during the migration process from a 32-bit or 64-bit version of Windows Server 2003 to Windows Server 2008 R2). So no need to mess around in there.

  • Copy the ias.tx file to a folder on your target NPS server & run the following command from an elevated prompt:

netsh nps import <path>ias.txt

image

  • Open the NPS MMC and check if this went well, normally you’ll have all your settings there.

image

When Network Policy Server (NPS) is a member of an Active Directory® Domain Services (AD DS) domain, NPS performs authentication by comparing user credentials that it receives from network access servers with the credentials that are stored for the user account in AD DS. In addition, NPS authorizes connection requests by using network policy and by checking user account dial-in properties in AD DS.

For NPS to have permission to access user account credentials and dial-in properties in AD DS, the server running NPS must be registered in AD DS.

Membership in Domain Admins , or equivalent, is the minimum required to complete this procedure.

  • All that’s left to do now is pointing the WAPs (or switches & other RADIUS Clients) to the new radius servers. On decent WAPs this is easy as either one of them acts as a controller or you have a dedicated controller device in place.
  • TIP: Most decent WAPS & switches will allow for 2 Radius servers to be configured. So if you want you can repeat this to create a second NPS server with the option of load balancing. This provides redundancy & load balancing very easily. Only in larger environments multiple NPS proxies pointing to a number of NPS servers make sense.Here’s a DELL PowerConnect W-AP105 (Aruba) example of this.

image