Monday, November 24. 2008
This update causes ISA Server to use random source ports for UDP sessions created by access rules which serve hosts in networks for which ISA Server defines a network address translation (NAT) relationship.
This update resolves the issue described in Microsoft Article 956910, DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037). With this update, ISA Server allocates a large set of random UDP ports and then selects a port from this set for use in new UDP sessions. You can disable it programmatically (there is no user interface).
Sunday, November 16. 2008
There is now an end-user-created Forefront Client Security v1 Group Policy Object (GPO) available for configuring Forefront Client settings without a back-end management server involved. This is most commonly called a '/nomom' installation because the client is installed without a management server specified on the command line. It is also ideal for non-domain-joined computers where you want to lock down settings locally.
Originally spotted here, in a post discussing a TechNet forum thread here. You can download the .ADM file here.
Thursday, October 23. 2008
Buffer underflow in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via a Server Message Block (SMB) request that contains a filename with a crafted length, aka "SMB Buffer Underflow Vulnerability."
It is unusual to see the amount of attention given to this update and the speed at which it was released, especially out-of-band.
Thankfully for Server 2008 and Vista, the attacker has to be an authenticated user, but Server 2003 and XP users are not so lucky.
Most firewalls already block RPC traffic from external sources, so that attack vector is somewhat mitigated, but what I am worried about is the possibility of a 0-day worm getting inside an organization and worming around the entire network due to internal/client firewall rules.
It is particularly interesting that they released an update for Windows 7 pre-beta, build 6801, which I believe is going to be the build version given out at the PDC.
If you are running the beta builds of the Forefront Stirling TMG that have the GAPA protection enabled, you are already protected at the firewall level from the exploit due to the updated definitions already released by Microsoft. You can sort of think of it like Snort signatures.
I haven't seen active exploits in the wild yet, but it is only a matter of time.
You can read the Homeland Security National Vulnerability Database report on it here.
You can read a more in-depth report from the Microsoft Security Vulnerability Research and Defense team on the update here.
Direct download links to the patch, per OS:
Win 2K SP4
Win XP x86 SP2/ SP3 / x64 RTM/ SP2
Win 2003 x86 SP1/ SP2 / x64 RTM/ SP2
Win Vista RTM/SP1 x86/ x64
Win Server 2008 x86/ x64
Other sites with additional information on the exploit:
SecurityFocus
FRSIRT
SecurityTracker
Secunia
XForce (1 of 2)
XForce (2 of 2)
Wednesday, October 15. 2008
If you care about security, I suggest installing Flash player 10 because of the security enhancements that come along with it.
You can download the final (non-beta!) binary for Adobe Flash 10 here.
Still no 64-bit support. Shameful. I wonder if CNN's site works with Flash 10 yet or not. Last time I checked, last week, it still blocked Adobe Flash 10.
Update: Here is a good reason to do it right now - there won't be a security fix for Adobe Flash 9 until mid-November for a known security exploit. It is already fixed in 10.
Monday, September 8. 2008
Data Execution Prevention (DEP) is a security feature included in modern Microsoft Windows operating systems that is intended to prevent an application or service from executing code from a non-executable memory region.
Hardware- and software-enforced DEP is a good thing to have enabled for all processes whenever you can get away with it.
Money 2007 and Money Plus shipped unable to launch at all if you have DEP enabled.
Now, I admit, many programs out there are not DEP-clean yet, but with the security push MS has had ever since Windows XP, you would think they would not ship a product that crashes on launch with DEP enabled. Money SP1 fixes this problem, but you still need to disable DEP in order to auto-update to SP1 from RTM.
Other somewhat recent DEP offenders: The Adobe Flash IE plug-in - only newer versions allow DEP to be enabled without taking out your browser with it.
If you want a command-line way of disabling DEP, run this from an elevated (Admin) command prompt and then reboot:
bcdedit /set {current} nx AlwaysOff
Once you have updated to Money SP1 and want to re-enable DEP (for everything):
bcdedit /set {current} nx AlwaysOn
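Switching DEP to AlwaysOff for the whole box is a big hammer for one misbehaving installer. The script below is an added example, not something from the original post or from Microsoft: it reads the effective DEP policy from WMI and records a per-program exception in the same registry location the System Properties > Performance > DEP dialog uses (to the best of my knowledge, the AppCompatFlags\Layers key with the DisableNXShowUI layer). Exceptions only take effect under the OptOut policy, so the bcdedit line in the comment goes with it. The executable path is a placeholder; the function names are mine.

```powershell
# Added example (not from the original post): inspect the system-wide DEP policy and
# opt a single executable out of DEP instead of turning DEP off for every process.
# Assumes an elevated PowerShell prompt on Vista / Server 2008 or later.

function Get-DepPolicy {
    # Win32_OperatingSystem exposes the effective policy as an integer:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut (server default)
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    New-Object PSObject -Property @{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        Dep32BitApplications = $os.DataExecutionPrevention_32BitApplications
        DepDrivers           = $os.DataExecutionPrevention_Drivers
    }
}

function Set-DepExclusion {
    param([Parameter(Mandatory = $true)][string]$ExePath)
    # Assumption: the DEP dialog stores per-program exceptions as application
    # compatibility layer entries, value name = full path, data = DisableNXShowUI.
    # They are honoured only when the boot policy is OptOut:
    #   bcdedit /set {current} nx OptOut   (then reboot)
    # 64-bit processes cannot be opted out; this only helps 32-bit executables.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $ExePath -Value 'DisableNXShowUI' `
        -PropertyType String -Force | Out-Null
}

# Show where the machine currently stands.
Get-DepPolicy | Format-List

# Placeholder path - substitute the real location of the executable you must exempt.
# Set-DepExclusion -ExePath 'C:\Path\To\msmoney.exe'
```

Run Get-DepPolicy before and after the bcdedit change to confirm the reboot picked it up; if HardwareDepAvailable comes back False, the CPU or BIOS isn't offering NX and only the software-enforced part of DEP (SafeSEH checks) is in play.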
Tuesday, August 26. 2008
Forefront Client Security SP1 adds support for:
Agent protection on Windows Server 2008 – both Server and Core.
Server role support on Windows Server 2008 (server only) for FCS server components.
FCS Enterprise Manager on Windows Server 2008 (server only).
Read more about the announcement here. Originally announced here.
Soon (not live yet as of 08-26-2008), KB 951951 will have more technical information about FCS SP1.
Saturday, August 23. 2008
Even though the hotfix refers to WiMax connections having trouble renewing DHCP client leases, I have seen this exact behavior within network traces using my Novatel U720 USB EVDO modem that is connected to my home's Forefront TMG server. For those that don't know, Forefront Threat Management Gateway is the 'renamed' ISA Server which is part of the Forefront "Stirling" release (Forefront v.Next).
Since my Forefront TMG server is Server 2008 based, it would make sense that this hotfix should help the inconsistent/quirky behavior after maintaining a connection for 24 hours. At that point, DHCP attempts to renew and, 9 times out of 10, goes into a "coma" and stays "stuck" in the "connecting" state.
I can work around that bug by disabling the NDIS support on the U720 and using a 'normal' PPP connection, but that comes with its own set of limitations, especially if I want to do multi-ISP bonding or any of the other fancy features that being in NDIS mode enables.
If you have had trouble with Vista/Server 2008 renewing DHCP leases on WiMax/3G connections, request and try out KB 955352.
The cause:
"This problem occurs because the Windows Vista-based DHCP client computer does not comply with RFC2131 when the client computer tries to renew an IP address that was previously used. When a DHCPNACK packet is received from the DHCP server, the client must invalidate its previous configuration for the interface. Then, the client must return to the initial state to start the renew process."
Helps prevent SQL injection attacks against IIS sites, among other new features:
1. W3C formatted logging: UrlScan v3.0 RTW has W3C formatted logs so that analyzing log files is more accessible by writing queries against them using Log Parser.
2. Allow rules for URLs and query strings: UrlScan v3.0 RTW gives you the ability to specify a "safe" list of URLs and query strings that will bypass all UrlScan checks. This gives administrators the ability to configure UrlScan to allow certain URLs that would otherwise trigger a UrlScan check.
Download it here. This is a newer release than the beta that came out a few months ago.
Monday, August 11. 2008
Although there doesn't seem to be a download link or KB article number available yet, Rollup 3 for SP1 of Forefront for Exchange is available by request, according to the Forefront Blog.
Fixes include (the ones in bold I consider important):
The scan engines are not updated in Forefront Security for Exchange Server SP1, and a Dr. Watson event is logged.
Sender notifications are not sent in Forefront Security for Exchange Server Service Pack 1 if the "From" field in the original e-mail message header has multiple lines.
Rollup version not displayed in the Forefront Help menu - About Forefront.
The General Options screen goes blank in Forefront for Exchange when you use the Tab key to scroll through the options.
The Forefront Administrator crashes when attempting to close it while the "License Information" pop-up is open.
The FSCController service cannot start-up successfully if a corrupt .fdb configuration file is loaded.
Engine Updates taking more than 5 minutes to download do not complete.
FSCDiag.exe now collects process and PID information from your Forefront server.
Forefront for Exchange may see the following issue: ADGetStorage - Could not bind to Active Directory configuration context. Error code: 80005000.
Forefront for Exchange will now scan for WMV files that have had their extensions renamed.
Forefront for Exchange does not manually scan Public Folders if non-MAPI Public Folders are in the organization.
The Start menu shortcut that points to Forefront for Exchange does not work in the German version of Windows Server 2008.
Nested .msg attachments are not detected as nested attachments in e-mail messages in Forefront Security for Exchange Server Service Pack 1.
The Filter List order is not updated on scan jobs when you delete and recreate a filter list of the same name.
Forefront for Exchange may corrupt messages when attaching messages whose subject lines match a file filter set to Delete/Remove.
You are unable to update scan engines through a proxy on a computer that is running Forefront Security for Exchange Server SP1.
FSCDiag does not collect engine version info in the verForeFront.csv file when installed on a cluster.
E-mail messages are not sent when you are running Forefront Security for Exchange Server Service Pack 1.
Added a log message upon failure of setting up an active/passive Forefront cluster.
A scan job fails on a computer that is running Forefront Security for Exchange Server Service Pack 1.
E-mail messages start to build into a queue and the Fsctransportscanner.exe process uses lots of memory when Forefront Security for Exchange Server SP1 is running.
Forefront for Exchange falsely detecting winmail.dat files as corruptedcompressedfile virus (some may argue winmail.dat is a virus anyway).
You cannot collect data when you try to use the Forefront Server Security Management Console on an SCC cluster that has Forefront for Exchange with Service Pack 1 installed.
The FSCDiag.exe utility does not collect the correct data in Forefront Security for Exchange Server Service Pack 1.
Update: KB 951629 documents Rollup 3 and you can request the hotfix here.
Sunday, July 27. 2008
I'm not sure why there was a design decision to reserve so many UDP ports to take care of the DNS security fix (KB 953230). Thankfully, you can reserve ports that you know a service will need after the DNS Service starts up and you can also specify how many ports are reserved. I'm surprised a few of these well known ports aren't already reserved by default.
You can read how to work around this issue here at KB 956188. So far I have seen and heard it affecting ISA 200x, Exchange and a few other products that need well known UDP ports to operate correctly. I highly suspect but haven't confirmed that an OCS A/V Edge server will need reservations to avoid DNS stealing from its pool. Considering most edge installations are in a DMZ and/or a security hardened install, 99.99% of the installs out there will not be running the DNS Server service anyway.
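The port reservation KB 956188 describes is the ReservedPorts multi-string under Tcpip\Parameters, which the stack reads at boot. Here is an added example, not from the post or from Microsoft, that reads the current reservations, checks whether a given port is already covered, and appends a "start-end" range without clobbering what is there. It assumes an elevated prompt, PowerShell 2.0 or later (for -split and Set-ItemProperty -Type), and the port number at the bottom is a constructed placeholder rather than a recommendation for any particular product.

```powershell
# Added example (not from the original post): manage the TCP/IP ReservedPorts value so
# the DNS Server's randomised socket pool cannot take a port another service needs.

$ReservedPortsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-ReservedPortRanges {
    # Returns the existing "start-end" entries, or an empty array if the value is absent.
    $item = Get-ItemProperty -Path $ReservedPortsKey -Name ReservedPorts -ErrorAction SilentlyContinue
    if ($item -and $item.ReservedPorts) { return @($item.ReservedPorts) }
    return @()
}

function Test-PortReserved {
    param([Parameter(Mandatory = $true)][int]$Port)
    # True if any reserved range already covers the port.
    foreach ($range in Get-ReservedPortRanges) {
        $parts = $range -split '-'
        if ($parts.Count -ne 2) { continue }   # ignore malformed entries rather than fail
        if ($Port -ge [int]$parts[0] -and $Port -le [int]$parts[1]) { return $true }
    }
    return $false
}

function Add-ReservedPortRange {
    param([Parameter(Mandatory = $true)][int]$Start, [int]$End = $Start)
    if ($Start -lt 1 -or $End -gt 65535 -or $End -lt $Start) {
        throw "Invalid port range $Start-$End"
    }
    $entry  = "$Start-$End"
    $ranges = Get-ReservedPortRanges
    if ($ranges -contains $entry) { return }   # already present, nothing to write
    Set-ItemProperty -Path $ReservedPortsKey -Name ReservedPorts `
        -Value ($ranges + $entry) -Type MultiString
    # ReservedPorts is read when the stack initialises: reboot before expecting the
    # DNS Server's pool allocation to honour the new entry.
}

# Placeholder port for the walkthrough; use the port(s) your service actually binds.
Add-ReservedPortRange -Start 5060
Test-PortReserved -Port 5060          # $true once the value is written
Get-ReservedPortRanges                # full list, one "start-end" per line
```

Reserve only what a service genuinely needs; every range you carve out is one the rest of the system can no longer use for ephemeral sockets, and if the reservations grow large the better lever is to shrink the DNS Server's own pool rather than fence off half the port space.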
Wednesday, July 23. 2008
This sounds a lot like the Home Server bug that was finally fixed in the Power Pack 1 release.
SYMPTOMS
Data corruption may occur on a computer that has Microsoft Forefront Client Security (FCS) installed. When this data corruption occurs, you may experience the following symptoms.
CAUSE
This problem occurs because of a known issue of cache coherency between mapped I/O requests and non-cached I/O requests. Forefront Client Security real-time protection uses memory mapped I/O requests for scanning files. This problem affects non-cached I/O requests. It may cause data corruption or cause truncation operations to be unsuccessful.
Special note to Server 2008 core installations: You need to install this manually - read more about it here.
Saturday, July 12. 2008
Although I will admit I am biased against ZoneAlarm due to problems I've had with the product in the past, the July 2008 MS security patch related to a DNS exploit does not 'play well' with the ZoneAlarm software. It is highly recommended that you download the updated version of ZoneAlarm from here before installing the security patch from KB 951748.
The initial knee jerk reaction to this problem might be to uninstall KB 951748, but I would advise against that due to the fact that there is an updated version of ZoneAlarm available.
Personally I am more of a fan of ESET's security suite and I have also had good experiences with Comodo's personal firewall, which is free. Of course, despite having a bit of a bad reputation in the past, the built in Windows Firewall isn't half bad these days either. You can even do per-process outbound blocking with Windows Live OneCare and the updated firewall in Vista and Server 2008 is much more feature-ful than what was included in XP.
Currently I'm "dogfooding" builds of the Forefront Threat Management Gateway at home on my EVDO connection, and all the devices in our home are the clients. It is what would normally have been called ISA 2008 or ISA 2009, renamed. The differences between ISA 2004 and ISA 2006 were, overall, too minimal to be a compelling reason to upgrade from 2004 to 2006, but this version has a lot going for it, including Snort-like blocking signatures and other additions.
Microsoft Source Code Analyzer for SQL Injection is a static code analysis tool for finding SQL Injection vulnerabilities in ASP code. Customers can run the tool on their ASP source code to help identify code paths that are vulnerable to SQL Injection attacks.
A handy tool to use to check over code to help prevent the nasty automated attacks that have been occurring against sites on the Internet.
Thursday, July 3. 2008
Grab it from here.
New features and feature improvements:
Configuration Change Tracking - Registers all configuration changes applied to ISA Server to help you assess issues that may occur as a result of these changes.
Test Button - Tests the consistency of a Web publishing rule between the published server and ISA Server.
Traffic Simulator - Simulates network traffic in accordance with specified request parameters, such as an internal user and the Web server, providing information about firewall policy rules evaluated for the request.
Diagnostic Logging Viewer - Now integrated as a tab into the ISA Server Management console, this feature displays detailed events on packet progress and provides information about handling and rule matching.
Improvements for existing features, including:
Support for integrated NLB mode in all three modes, including unicast, multicast, and multicast with Internet Group Management Protocol (IGMP). Previously, ISA Server integrated NLB-supported unicast mode only.
Support for use of server certificates containing multiple Subject Alternative Name (SAN) entries. Previously, ISA Server was able to use only either the subject name (common name) of a server certificate, or the first entry in the SAN list.
Support for Kerberos Constrained Delegation cross-domain authentication. Credentials from users located in a different domain than the ISA Server, but in the same forest, can now be delegated to an internal published Web site by using KCD.
Support for client certificate authentication in a workgroup deployment. This removes the requirement to map each client certificate to an Active Directory directory user account.
For more information about this service pack, see KB 943462.
Tuesday, June 24. 2008
Many sites have been victims of SQL injection lately and this updated URLScan for IIS is a nice way to help prevent the attacks until the underlying code can be fixed. Here are a few excerpts from the 3.0 Beta release:
As our next measure, we are today releasing a beta for a new version of UrlScan - version 3.0 - that can reach these SQL requests and block them. This release includes a GoLive license, so you can deploy it on your production servers. UrlScan version 3 is compatible with the configuration files for the existing UrlScan version 2.5, so if you are already running UrlScan, everything will still work as it did - except you'll have new options. Also, since it's been just over 5 years since UrlScan 2.5 shipped, we've taken the opportunity to add some frequently requested features. The new set of features in version 3 are:
1. Support for query string scanning, including an option to scan an unescaped version of the query string.
2. Change notification for configuration (no more restarts for most settings)
3. UrlScan can be installed as a site filter. Different sites can have their own copy, with their own configuration.
4. Escape sequences can be used in the configuration file to express CRLF, a semicolon (normally a comment delimiter) or unprintable characters in rules.
5. Custom rules can be created to scan the URL, query string, a particular header, all headers or combination of these. The rules can be applied based on the type of file requested.
We also have plans to update the IIS 7 request filter to add these features. In the interim, UrlScan 3 is fully supported on IIS 7.
You can read more about it and download it from here.
Download the x86 version here and x64 version here.
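Custom rules (feature 5 above, and the allow rules in the RTW post further up the page) are where UrlScan 3.0 earns its keep against the automated SQL injection runs, but a deny-string list is matched as case-insensitive substrings, so it will also hit legitimate requests. The following is an added example, written by me and not by the UrlScan team: a UrlScan.ini custom-rule fragment in the 3.0 syntax, plus a dry run of its deny strings against a few constructed query strings of the kind you would pull from the W3C logs. The deny-list entries and the query samples are mine; the matching mimics UrlScan's behaviour as I understand it (substring, case-insensitive, against the unescaped query string when UnescapeQueryString is on), and the function names are assumptions.

```powershell
# Added example (not from the original post or from the UrlScan team): dry-run a
# UrlScan 3.0 custom rule's deny strings against sample query strings to find
# false positives before the rule goes live.

$UrlScanFragment = @'
[RuleList]
SQL Injection

[SQL Injection]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=

[SQL Injection Strings]
--
%3b    ; a semicolon, escaped because a bare ; starts a comment
/*
@      ; also catches @@
char   ; also catches nchar and varchar
declare
drop
exec   ; also catches execute
select ; also matches "selected" - see the dry run
union
xp_
'@

function Get-DenyStrings {
    param([string]$IniText, [string]$Section)
    # Pull the entries out of one [section]: strip ';' comments and blank lines, then
    # URL-decode so escape sequences such as %3b become the literal character.
    $inSection = $false
    $strings = @()
    foreach ($line in $IniText -split "`r?`n") {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq $Section); continue }
        if (-not $inSection) { continue }
        $text = ($line -split ';', 2)[0].Trim()
        if ($text) { $strings += [Uri]::UnescapeDataString($text) }
    }
    return $strings
}

function Test-QueryString {
    param([string]$QueryString, [string[]]$DenyStrings)
    # Decode first (what UnescapeQueryString=1 scans), then substring-match each deny
    # string case-insensitively. Returns the first match, or $null when the request passes.
    $decoded = [Uri]::UnescapeDataString($QueryString)
    foreach ($deny in $DenyStrings) {
        if ($decoded.IndexOf($deny, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $deny }
    }
    return $null
}

$deny = Get-DenyStrings -IniText $UrlScanFragment -Section 'SQL Injection Strings'

# Constructed samples standing in for cs-uri-query values lifted from the W3C logs.
$samples = @(
    'id=12&sort=name',                        # clean: passes
    'id=12%27%3Bdrop%20table%20orders--',     # blocked: "--" is the first deny string to hit
    'view=selected&page=2'                    # legitimate, but "select" matches "selected"
)
foreach ($q in $samples) {
    $hit = Test-QueryString -QueryString $q -DenyStrings $deny
    if ($hit) { "BLOCK  $q   (matched '$hit')" } else { "ALLOW  $q" }
}
```

The third sample is the point of the exercise: run the deny list over a day of real cs-uri-query values before enabling the rule, and either trim the offending entry or add the affected URL to an allow rule, otherwise the first thing UrlScan blocks will be your own application.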