Intro
The aftermath of Tuesday the 13th does not include Jason but comes with some horror anyway.
The good news is that the zero day exploits against SMBv2 and MS FTP are fixed. That's the good news...
One of the new patches, MS09-056, fixes a design error that pretty much negates the usefulness of certificate verification. If you can get a trusted root CA to sign a certificate with a CN like www.goodsite.com\0www.badsite.com, you can fool some browsers/applications that the certificate for www.badsite.com is really for www.goodsite.com. To make it even clearer, that
https://www.badsite.com really is ... say ...
https://www.paypal.com. This vulnerability is present in many non-Microsoft products as well. \0 is a null byte, which fools the vulnerable applications to stop read the string even if there's more data to be read. So they see www.goodsite.com\0www.badsite.com as www.goodsite.com and that the root CA is trusted. And there you go.
Looks like someone already took advantage of that one:
http://news.softpedia.com/news/Rog…MS09-056 should NOT be applied to servers running Microsoft Office Communication server or Microsoft Live Communication server. More on this later on in the bulletin.
Other than that, I believe the really critical ones are MS09-061 and MS09-062. Some of the vulnerabilities in those bulletins are rated with a MS Exploitability Index of 1! Also note that MS09-062 affects Microsoft SQL server.
In other news: Adobe Acrobat and the Reader have a vulnerability that is not yet patched:
http://www.adobe.com/support/secur…October 2009 is something they call “Cyber Security Awareness Month”:
http://www.microsoft.com/protect/p….. and:
http://www.dhs.gov/files/programs/…Microsoft Security Bulletin Summary for October 2009
As per usual, Microsoft releases their security bulletins the second Tuesday every month. This month comes along with thirteen bulletins, where all thirteen are rated critical. Our advice is that you install them all as soon as possible.
Please note this:
MS09-056 - Vulnerabilities in Windows CryptoAPI Could Allow Spoofing (974571) should not be installed on servers running Microsoft Office Communication (OCS) Server or Microsoft Live Communication servers (LCS). Doing so will cause them to stop working. I still recommend installing this patch on other servers.
More here:
http://blogs.technet.com/dodeitte/…Critical
MS09-050 - Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)
MS09-051 - Vulnerabilities in Windows Media Runtime Could Allow Remote Code Execution (975682)
MS09-052 - Vulnerability in Windows Media Player Could Allow Remote Code Execution (974112)
MS09-053 - Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)
MS09-054 - Cumulative Security Update for Internet Explorer (974455)
MS09-055 - Cumulative Security Update of ActiveX Kill Bits (973525)
MS09-056 - Vulnerabilities in Windows CryptoAPI Could Allow Spoofing (974571)
MS09-057 - Vulnerability in Indexing Service Could Allow Remote Code Execution (969059)
MS09-058 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (971486)
MS09-059 - Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (975467)
MS09-060 - Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965)
MS09-061 - Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378)
MS09-062 - Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488)
Windows 2008 R2 - A mini review
It's been a rule for many years that Disney puts out at least one feature movie each year. Microsoft seems to be on going the same way with their software releases. As a rule of the thumb, Microsoft are intent to release a new Windows release every second year. On the 22nd of October 2009, Windows 7 and Windows 2008 R2 hit the shelves. I've tested both of them since August, and here's a "mini-review" of Windows 2008 R2.
The R2 moniker hints us that this is a "second edition" of Windows 2008 rather than a totally new operating system. You might remember Windows 2003 R2 as 2003 with a few new tricks up its sleeves. In my opinion, this is also true for Windows 2008 R2 in relation to Windows 2008. And Microsoft got this release right! Windows 2008 R2 comes along with a number of very useful changes and a faster graphical interface. Here is some of the new stuff that R2 brings to the table.
What's new with Windows 2008 R2?
General
If you're working with a customer who has a number of small branch offices, you'll probably find the new "Branch cache" interesting. It adds the possibility of caching documents on local sites, without having to setup a dedicated fileserver onsite. You can either have a "cache server" that retains a copy of all documents the users download or you can use the local Windows 7-clients for this. Windows 7 can cache documents in a "peer-2-peer" fashion, which can implement a branch cache for sites that don’t have any onsite servers. Hyper-V
I find Hyper-V a bit lackluster compared to VMWare ESX/VSphere. Microsoft is clearly behind the curve here, but R2 somewhat closes the gap. One of the new features is the better-late-than-never function called "Live migration", which is what VMWare calls "VMotion". "Live migration" permits moving a virtual guest from one host to another. You should also be able to add disks to a guest that is running. I said "should", because I've not been able to make it work.
That said, I've tested the new Hyper-V, and you can't complain about the virtualization itself. It's fast and pretty trouble free. Microsoft now counters the free VMWAre ESXi-server by offering a free product called "Microsoft Hyper-V Server 2008 R2", which is a scaled down 2008 Core R2 with Hyper-V installed. It’s free and should not be confused with the Hyper-V role that can be installed on normal R2s.
More here:
http://www.microsoft.com/hyper-v-s…Cluster
Microsoft Cluster Services has always been a bit quirky, but R2 comes with a few very promising new features. “Cluster Shared Volumes” or “CSV” allows access to the clustered disk resources from all nodes. This technology was created to support "Live Migration" for Hyper-V, so I'm not sure if it can be used to allow for load balanced clustering in the future. I've not had the time to verify this: but the cluster service also supports Powershell and uses mount points so you don't risk running out of drive letters anymore.
Active Directory
Of the few new changes in R2, I find three of them really interesting.
"Managed Service Accounts" solves an age old problem with service accounts: password changes. Until now, changing the password of a service account could be really dangerous. Unless you really knew exactly which services that used an account, changing the password could cause a disruptions. Suddenly you found out that someone used the account to run an SQL service you had no idea even existed. So once the password is set, it's never changed. With "Managed Service Accounts", the passwords are changed automatically. This mechanism has been in place for domain computer accounts for many years now, so it's about time that we get it for service accounts as well.
"Authentication mechanism assurance" stores information about the methods used to authenticate in the Kerberos ticket. Say what? Ok, in plain English, this makes it possible to see if the administrator is logging in with just a password or with a smartcard. That way you can deny administrators not using a smartcard access to high security applications and still allow them access to less critical ones.
Recycle bin
(Sigh!) Remember Active Directory 2000? If you delete an object by mistake, you'll learn how to do an authorative restore pretty darn quick. And you will not like the experience. R2 allows you to deploy a "recycle bin", so minor mistakes can be undone. It will NOT be as easy as to click on an icon and select "Restore". But it exists and can be deployed to decrease the time needed to recover minor mistakes.
More on the recycle bin here:
http://technet.microsoft.com/en-us…All the new stuff in ADDS 2008 R2:
http://technet.microsoft.com/en-us…Core
Finally you can now use Powershell on the core edition of R2. This is a very nice addition, because it makes local administration useful and now that .Net framework (a requirement for Powershell) is included, you can actually use Core for your web front ends. And the list goes on. There are changes to most of the roles in Windows 2008 R2, so remember to check out what's new with the ones you want to use. This article only lists a few.
Verdict
The overall feeling I get from installing, testing and working with Windows 2008 R2 is that it addresses some of the irritations with Windows 2008 server. The GUI responds faster, well known quirks have been fixed and the newest hardware technologies are supported. Microsoft says that they've increased the performance of the iSCSI-initiator and there is indeed very little that feels half-baked when it comes to the roles and features. The exception is the rather lack luster built in backup, which is really rudimentary and, frankly put, useless. They way I see it, Microsoft's biggest enemy when they launched Windows 2008 was Windows 2003 server. It's hard to convince people to upgrade when Windows 2003 fills the needs of most customers. With Windows 2008 R2 the 2008 platform has reached the maturity, stability and ability that make an upgrade really worth considering.
It's no secret that Microsoft built the Windows server concept to work as a whole. If you only use Microsoft products in your environment for everything from messaging to workstation deployment, you get more features and capabilities. This is a bit sad, since it will make Windows server a less fully-featured product when deployed in a heterogeneous environment. In a competitive world, I believe this is how Microsoft tries to survive the declining role of their operating systems as a cash cow. But for those that want to be a "Microsoft only shop", this is good news. Windows 2008 R2 is a very good product in a time when Microsoft needs to convince buyers that the lessons have been learnt with Vista (and to a much lesser extent, Windows 2008).
Links and tricks
The official bulletins from Microsoft:
http://www.microsoft.com/technet/s…ISC Sans's monthly Microsoft-analysis is always a good read:
http://isc.sans.org/diary.html?sto…All back-issues of this newsletter can be found here:
https://secure.ericade.net/securit…A collection of useful security links:
https://secure.ericade.net/securit…A good site to check for known vulnerabilities for your favorite programs:
http://secunia.com/What's the general state of the Internet?:
http://isc.sans.org/OWASP Sweden's email list archive:
https://lists.owasp.org/pipermail/…Recommended for you developers out there:
http://www.owasp.org/index.php/Mai…My own, random knowledge base:
https://secure.ericade.net/securit…Regards
Erik Zalitis
System Specialist
CISSP
Certified Ethical Hacker
MCITP:EA
MCSE:Security 2003
MCSE:Messaging 2003
Citrix Certified Administrator for PS4.
VMware Certified Professional on VI3
ITIL Foundations