Posts Tagged ‘microsoft’

Immediately Patch Microsoft 0 day vulnerabilities being used to spread SPYWARE!

Thursday, September 14th, 2017

 

Windows 0-Day Flaw

Get ready to install a fairly large batch of security patches onto your Windows computers.

As part of its September Patch Tuesday, Microsoft has released a large batch of security updates to patch a total of 81 CVE-listed vulnerabilities, on all supported versions of Windows and other MS products.

The latest security update addresses 27 vulnerabilities rated critical and 54 rated important. Of these, 38 affect Windows and 39 could lead to Remote Code Execution (RCE).

Affected Microsoft products include:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • .NET Framework
  • Skype for Business and Lync
  • Microsoft Exchange Server
  • Microsoft Office, Services and Web Apps
  • Adobe Flash Player

.NET 0-Day Flaw Under Active Attack

According to the company, four of the patched vulnerabilities are publicly known, one of which has already been actively exploited by the attackers in the wild.

Here’s the list of publicly known flaws and their impact:

Windows .NET Framework RCE (CVE-2017-8759)—A zero-day flaw, discovered by researchers at cybersecurity firm FireEye and privately reported to Microsoft, resides in the way Microsoft .NET Framework processes untrusted input data.

Microsoft says the flaw could allow an attacker to take control of an affected system, install programs, view, change, or delete data by tricking victims into opening a specially crafted document or application sent over an email.

The flaw could even allow an attacker to create new accounts with full user rights. Therefore users with fewer user rights on the system are less impacted than users who operate with admin rights.

According to FireEye, this zero-day flaw has actively been exploited by a well-funded cyber espionage group to deliver FinFisher Spyware (FinSpy) to a Russian-speaking “entity” via malicious Microsoft Office RTF files in July this year.

FinSpy is a highly secret surveillance software that has previously been associated with British company Gamma Group, a company that legally sells surveillance and espionage software to government agencies.

Once a system is infected, FinSpy can perform a large number of secret tasks on the victim’s computer, including secretly monitoring the computer by turning ON webcams, recording everything the user types with a keylogger, intercepting Skype calls, copying files, and much more.

“The [new variant of FINSPY]…leverages heavily obfuscated code that employs a built-in virtual machine – among other anti-analysis techniques – to make reversing more difficult,” researchers at FireEye said.

“As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames.”
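A sandbox-side check for the filename behaviour described in the quote above, as an added example that is not from the original article or from FireEye: it flags staged samples whose full path contains a hash of their own contents and renames them to neutral names. The function names and staging layout are assumptions, and checking SHA-1 and SHA-256 alongside the MD5 named in the quote goes beyond the quoted case.

```python
import hashlib
import secrets
import tempfile
from pathlib import Path
from typing import Dict, List

# Digests that analysis pipelines commonly use as filenames. The quote names
# MD5 only; SHA-1 and SHA-256 are an assumption added by this example.
ALGORITHMS = ("md5", "sha1", "sha256")


def content_digests(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Read the file once and return its lowercase hex digest per algorithm."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def self_hash_exposures(path: Path) -> List[str]:
    """Return the algorithms whose digest of the file appears in its full path.

    The whole resolved path is searched, not just the filename, because a
    hash-named parent folder reveals the same thing to the sample.
    """
    full_path = str(path.resolve()).lower()
    digests = content_digests(path)
    return [name for name in ALGORITHMS if digests[name] in full_path]


def audit_staging_dir(staging: Path) -> Dict[Path, List[str]]:
    """Map every staged file that exposes its own hash to the matching algorithms."""
    findings: Dict[Path, List[str]] = {}
    for candidate in sorted(staging.rglob("*")):
        if candidate.is_file():
            hits = self_hash_exposures(candidate)
            if hits:
                findings[candidate] = hits
    return findings


def neutralise(path: Path, manifest: Dict[str, str]) -> Path:
    """Rename a sample to a random, document-like name.

    Uniqueness and traceability move into the manifest (SHA-256 -> new name),
    which is kept outside the analysis guest. Only the filename is changed;
    a hash-named parent folder has to be fixed separately.
    """
    digest = content_digests(path)["sha256"]
    new_path = path.with_name(f"document_{secrets.token_hex(4)}{path.suffix}")
    path.rename(new_path)
    manifest[digest] = new_path.name
    return new_path


def demo() -> List[str]:
    """Build a constructed staging directory and return the names of flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp)
        payload = b"constructed sample contents, not real malware"
        (staging / (hashlib.md5(payload).hexdigest() + ".rtf")).write_bytes(payload)
        (staging / "quarterly_report.rtf").write_bytes(payload + b"!")
        return [p.name for p in audit_staging_dir(staging)]


if __name__ == "__main__":
    print("flagged:", demo())
```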

Three Publicly Disclosed Vulnerabilities

The remaining three publicly known vulnerabilities affecting the Windows 10 platform include:

  • Device Guard Security Feature Bypass Vulnerability (CVE-2017-8746): This flaw could allow an attacker to inject malicious code into a Windows PowerShell session by bypassing the Device Guard Code Integrity policy.
  • Microsoft Edge Security Feature Bypass Vulnerability (CVE-2017-8723): This flaw resides in Edge where the Content Security Policy (CSP) fails to properly validate certain specially crafted documents, allowing attackers to trick users into visiting a website hosting malware.
  • Broadcom BCM43xx Remote Code Execution Vulnerability (CVE-2017-9417): this flaw exists in the Broadcom chipset in HoloLens, which could be exploited by attackers to send a specially crafted WiFi packet, enabling them to install programs, view, change, or delete data, even create new accounts with full admin rights.

BlueBorne Attack: Another Reason to Install Patches Immediately

Also, the recently disclosed Bluetooth vulnerabilities known as “BlueBorne” (which affected more than 5 Million Bluetooth-enabled devices, including Windows) were silently patched by Microsoft in July, but details of this flaw have only been released now.

BlueBorne is a series of flaws in the implementation of Bluetooth that could allow attackers to take over Bluetooth-enabled devices, spread malware completely, or even establish a “man-in-the-middle” connection to gain access to devices’ critical data and networks without requiring any victim interaction.

So, users have another important reason to apply September security patches as soon as possible in order to keep hackers and cyber criminals away from taking control over their computers.

Other flaws patched this month include five information disclosure flaws and one denial of service flaw in Windows Hyper-V, two cross-site scripting (XSS) flaws in SharePoint, as well as four memory corruption and two remote code execution vulnerabilities in MS Office.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

Source:
Mohit Kumar - Hacking News
Entrepreneur, Hacker, Speaker, Founder and CEO — The Hacker News and The Hackers Conference.

Microsoft (SFB/O365) Dropping Support for PBX Connections leaving Legacy Platforms behind

Wednesday, July 26th, 2017

Microsoft recently announced that it will no longer provide session border controller (SBC) support for PBX systems accessing Office 365.

Essentially, the news means that starting July 2018, users of Exchange Online Unified Messaging (UM) will have to use an alternative method of connecting voicemail with Outlook. Microsoft won’t support PBX connections using SBCs for that purpose.

In its announcement, Microsoft suggested that only “a small number of customers are affected by this change” and that it was making it to “provide a higher quality of service for voicemail.” Microsoft also offered four alternative options, though they likely won’t be cheap or simple for affected organizations, said Paul Cunningham, a Microsoft Most Valuable Professional, commenting in a Practical 365 blog post. The move could simplify things for Microsoft, though, he suggested.

“I see this simply as part of Microsoft’s grand strategy to jettison legacy platforms and solutions that are complex and not highly profitable, and focus on services like Cloud PBX that they can deliver more efficiently,” Cunningham added.

Microsoft is discontinuing its SBC support on the Office 365 side so that it won’t have to rely on “a third-party system” that’s difficult to manage, suggested Jeff Guillet, a Microsoft certified solutions master and Microsoft MVP. He explained the technical aspects of Microsoft’s move in this blog post, adding that giving companies just one year to move is “asking a lot,” since the switchover likely will affect large companies.

Some Help for Orgs
Meanwhile, AVST, a Microsoft Gold partner on Skype for Business and Exchange, and a voicemail pioneer, is indicating that it has the means to support organizations faced with Microsoft’s one-year deadline.

The company’s CX-E Unified Communications platform offers a quick solution that can integrate with leading PBX systems, such as systems from Avaya, Cisco, Microsoft and others. The platform permits organizations to continue to use Outlook forms to link voicemail with e-mail. Because of the potential pain involved in such moves, it’s currently offering discounts via its Value-Added Reseller partners.

How AVST can address the issue was explained by Tom Minifie, AVST’s chief technology officer, as well as Denny Michael, senior vice president of sales and marketing at AVST, in a phone interview last week.

AVST has been addressing the unified communications space for decades.

“The company goes back over 30 years and we were one of the folks that brought voicemail to the marketplace,” Michael said. “We’ve been around for a long time, and we primarily service the enterprise space. We’re very strong in healthcare, state and local government, regulated industries, higher education and other horizontal industries as well.”

Minifie explained that organizations with third-party (or non-Microsoft) PBX systems using Office 365, or thinking about moving to Office 365, will be affected by Microsoft’s change. Most options, of the four listed by Microsoft, will require moving to Skype for Business and scrapping PBX systems. It’ll be “disruptive,” he said.

“Clearly, from Microsoft’s position, they want that alternative to be ‘Get rid of your PBX and use Skype for Business,'” Minifie said. “So, for customers that have already been planning for that, that’s a good option for them. They move to Skype for Business and continue to use the Exchange [Online] UM component. But for customers that aren’t interested in doing that or aren’t ready to do that, then this is pretty disruptive because it’s not something that they’ve planned for already.”

AVST, with its CX-E Unified Communications platform, specializes in the fourth option presented by Microsoft.

“And what that is, it’s really saying is that instead of directly connecting the Exchange [Online] UM environment to the PBX, I’m going to have a different unified messaging solution that performs that same functionality, and that’s how we approach it,” Minifie said. “Because of our history, we evolved the integrations into the various phone systems, so whatever phone system or PBX the customer is using, we’ll be able to integrate into that, but then we also integrate into the Exchange environment so that we can provide unified messaging through Exchange.”

End users also get the same familiar Outlook look and feel with AVST’s platform.

“In our eyes, we’re providing the best of both worlds,” Minifie said. “We’re solving the problem, which is you can no longer connect Exchange [Online] UM into your PBX. So we take care of that PBX connection. But you get to continue to use the familiar Outlook interface that the end users are used to.”

Minifie affirmed that Microsoft was essentially eliminating the SBC on its end. The change was aimed at improving the quality of service of voicemail, according to Microsoft.

The Time Factor
AVST and its partners validate phone systems and architectures. They perform application discovery to address any functionality that an organization may want. The time it takes to deploy will depend on the solution chosen.

“As far as the amount of time, that kind of depends on the solution,” Minifie said. “Ours is quick because you really aren’t changing anything. Your phone system doesn’t change. Your Exchange doesn’t change. We just get put in the middle of it. And so that can be deployed very quickly.”

Other approaches can get delayed.

“With the other solutions, you’re getting into having to order telecom things,” Minifie said. “You need SIP trunking and have to order from the carrier, and there are whatever delays for that to get delivered.”

AVST’s solution can be installed on premises or it’s provided as a hosted software-as-a-service solution via subscription. More information about AVST’s replacement offerings for Exchange Online UM can be found at this page.

By Kurt Mackie

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

Source: Microsoft Dropping Support for PBX Connections Using SBCs — Redmond Channel Partner

​Why has SQL Server come to Linux? Windows-only cloud makes no sense | ZDNet

Tuesday, March 8th, 2016

Some people are asking why. After all, with MySQL, MariaDB, PostgreSQL, and Oracle Database 12c Linux, there’s no shortage of RDBMS servers on Linux.

Part of the reason is simple enough. Scott Guthrie, head of Microsoft’s Cloud & Enterprise business, said “This will enable SQL Server to deliver a consistent data platform across Windows Server and Linux, as well as on-premises and cloud.”

The more complex answer is that Microsoft’s fortune is no longer based on Windows. True, SQL Server will be available on Red Hat Enterprise Linux (RHEL) and Canonical’s Ubuntu Linux as a standalone server application, but that’s not where it’s meant to run. As Ed Bott recently uncovered, Microsoft’s new cash cows are Azure and server applications. In particular, “Microsoft Azure is growing rapidly and is reported in the same group as traditional server products (SQL Server is up, Windows Server is down). Collectively, that pair is at the top of the list.”

And what operating systems run on Azure? Mark Russinovich, CTO of Microsoft Azure, Microsoft’s cloud program, said last fall that open source and Linux make great financial and technical sense for Microsoft. “It’s obvious, if we don’t support Linux, we’ll be Windows only and that’s not practical.” Then, one in four Azure operating system instances were Linux. And that number has only been increasing.

For Microsoft to continue to grow as a cloud and services company it must become a Linux company.

And, in particular, Microsoft wants to be a Linux cloud power. Today, Azure is certainly the primary way Microsoft monetizes Linux, so it’s only logical that SQL Server would be added to Linux.

Al Gillen, IDC’s group vice president, sees this. “By taking this key product to Linux, Microsoft is proving its commitment to being a cross platform solution provider. This gives customers choice and reduces the concerns for lock-in. We would expect this will also accelerate the overall adoption of SQL Server.”

Source: ​Why has SQL Server come to Linux? Windows-only cloud makes no sense | ZDNet

Tech and religion intersect at ‘Code for the Kingdom’ hackathon

Wednesday, October 7th, 2015
Aaron Stockton, whose team last year built a gaming app that won $2500 for best original code, works in the Impact Hub spaces (Will Mari / Geekwire).

All over the world technologists are increasingly using the hackathon model to solve societal problems. Whether it’s to fight government corruption or to help feed the homeless or to enhance education, hackathons for a higher purpose are going strong.

Here in the Northwest, a group of faith-motivated programmers echoed that idea. They assembled for the second time at Pioneer Square’s Impact Hub for Code for the Kingdom Seattle, part of a network of religious hackathons happening across the globe in the U.S., Canada, Indonesia, the United Kingdom, Kenya and Ethiopia.

The event, now in its second year, was sponsored by the Deaf Bible Society, the Leadership Network and World Vision. The latter is a huge international NGO based in Federal Way that routinely partners with the Gates Foundation. Other sponsors included Seattle startup TheoTech and Bellingham-based Faithlife.

Over this past weekend about 80 people, many of whom work by day as developers and engineers for local tech giants (or tech giants with local offices), including Amazon, Google and Microsoft, coded through Friday night, Saturday and in some cases Saturday night. They focused on issues such as mental illness, strengthening families, human trafficking, helping the deaf community and connecting NGOs to their supporters. Others worked on Android versions of apps that debuted last year, including one that’s designed to connect one’s prayer life online.

The winners

VisionCaster, the runner-up for best new code, included World Vision staff and volunteers. Inspired by an app built by the UN to increase awareness of what’s going on in Syria (via Samsung’s Milk VR video service), it uses Google Cardboard to immerse viewers in the NGO’s field projects. The idea is to replicate experiences in the field, like seeing clean water access at work or ongoing disaster response efforts.


In addition to solving problems during the hackathon, World Vision was eager to connect to potential future hires, according to Leslie Annis, who recruits tech staff for the NGO.

“We want to get in front of technologists and let them know that we’re here in this area and we need them to join us in the work that we do,” she said. “It was really fun to see that many technologists together in a room creating really cool things for purposeful, missional work.”

Steadfast, an app to encourage spouses to concretize their support for each other, won the people’s choice and best new code awards. The app reminds people to do kind things for their spouse, like sending flowers or notes of encouragement.

StudyChurch won for best existing code. An online e-learning platform, it’s intended for use by weekly “small groups” that meet in homes and coffee shops, allowing collaboration and conversation over a shared text and eventually through video and audio content.

A common motive

Although more than $1,200 in prizes was on the line, the chance to sit down and write code with others for a good cause was the primary draw for many of the participants.

“There’s no limitations, really, any idea can be the best idea,” said Allen Wong, a graduate student at Northeastern and a contractor at Google. Wong, who works on the Google Maps team, was filming a vodcast from the hackathon.

Wong’s passion is creating vodcasts and podcasts that talk about the intersection between faith and technology in applied ways. “To actually see people take a shot at these things – you don’t see that often.”

A team that did not place among the prize-winners but was still regarded as important was Seattle Against Slavery (SAS)’s pilot project. SAS, an anti-human-trafficking nonprofit, has collected data on people, mostly men, who seek sex online. Their goal is to intervene early in the process and keep buyers from connecting with sex workers, who are often underage, migrants or otherwise exploited. By working with former users and survivors of trafficking, and with support for ad buys from Google, SAS is revising its messages to make them more effective and empathetic.

By finding more about the typical user in King County, and targeting them with ads that persuade them to think twice, the idea is to reduce the supply and thus the demand, said Robert Beiser, SAS’ executive director. SAS participated for the first time in a hackathon specifically to get help from software engineers like Kirsten Stark.

“I wanted to be in a place where there’s a stronger connection between my work and my faith,” said Stark, an engineer at Midfin Systems in Redmond.

“We love Jesus and other people and want to help them.” Helping the users and offering them alternatives by showing that others care for their underlying needs is a “very Christian approach” to intervention, she said.

Sarah Williams, whose team won a $2,500 prize last year for best original code at the inaugural event in Seattle, was back this year as a mentor and volunteer.

Calvin Freitas, a senior front-end engineer at Amazon, works on Ceaseless, at the second-annual Code for the Kingdom Seattle (Will Mari / Geekwire).

Now a manager at Amazon, she’s valued the colleagues and connections that came from last year and continue into the present.

“Now more people know about it… and know what I’m talking about,” she said, of sharing the event with her network.

A common community

Event organizers hope that the hackathon’s participants can continue to meet monthly to code and collaborate. To that end, they maintain an active Meetup.com group and Facebook page and invite interested Seattle-area coders to join. An upcoming conference in November will also tackle faith and tech from a more academic perspective.

Meeting together for a common cause – and creating and sustaining community – is part of the ongoing legacy of niche hackathons.

Wendy Stevens, a health specialist at a small Tumwater-based company, N2N and Associates, was at the hackathon on Saturday working on an online-based system for crisis management.

To her, the fact that programmers from rival companies were working together was part of what made the event inspiring.

Their faith was a “point of reference,” she said.


Meet KeySweeper, the $10 USB charger that steals MS keyboard strokes | Ars Technica

Thursday, January 15th, 2015


It sounds like the stuff of a James Bond flick or something described in documents leaked by former NSA subcontractor Edward Snowden. In fact, the highly stealthy keystroke logger can be built by someone with only slightly above-average technical skills for as little as $10. Called KeySweeper, it’s a device disguised as a functioning USB wall charger that sniffs, decrypts, logs, and transmits all input typed into a Microsoft wireless keyboard.

KeySweeper is the brainchild of Samy Kamkar, a hacker who has a track record of devising clever exploits that are off the beaten path. The namesake of the Samy worm that inadvertently knocked MySpace out of commission in 2005, Kamkar has concocted drones that seek out and hack other drones and devised exploits that use Google Streetview and Google Wi-Fi location data to stalk targets. His hacks underscore the darker side of the connected world that makes it possible for bad guys to monitor our most private communications and everyday comings and goings.

KeySweeper follows the same path. Unveiled on Monday, it provides the software and hardware specifications for building a highly stealthy sniffing device that plucks out every keystroke inputted to a Microsoft wireless keyboard. The device can either log the input on a chip for physical retrieval later, or it can use an optional GSM chip to transmit the keystrokes wirelessly to the attacker. For maximum efficiency, it can be programmed to send the operator SMS messages whenever certain keywords—think “bankofamerica.com,” “confidential,” or “password”—are entered. The entire sniffing device can be stashed inside an AC USB charger that powers the device. It recharges when plugged in and runs off of battery when not connected to a power source. To people being spied on, it looks like just another USB charger plugged into a wall socket.

Meet KeySweeper, the $10 USB charger that steals MS keyboard strokes | Ars Technica.

Google and Microsoft step in to oppose Marriott Hotels’ Wi-Fi blocking petition | The Verge

Wednesday, December 24th, 2014

A petition to grant hoteliers the right to block personal Wi-Fi on their premises is being met with staunch opposition from the biggest technology companies. Google and Microsoft are among those who have filed objections, noting the illegality of any devices capable of interfering with radio signals.

Marriott has been fined for blocking wi-fi connections before

Recode writes that hotel company Marriott International and the American Hospitality & Lodging Association had petitioned the FCC to allow hotel operators to utilize equipment to manage their networks, regardless of whether it may result “in interference with or cause interference to” devices used by guests. This followed a $600,000 settlement case in October, when it was discovered that the employees of Marriott’s Gaylord Opryland Hotel & Convention Center were using a jammer to block off internet access.

Microsoft laid out its arguments against the petition in the filing, stating that a Wi-Fi hotspot set up by a hotel guest is authorized to operate in the unlicensed spectrum, and pointing out that “wilfully excluding these other authorized devices from using that unlicensed spectrum, under the guise of mitigating so-called threats to the reliability (performance) of an operator’s own network, violates Section 333,” which bars “wilful or malicious interference” to radio signals. The company also pointed out that by restricting the ability to set up their own connections, Marriott would be forcing the customer to pay to access the hotel’s own Wi-Fi, having already paid their mobile operator for the ability to set up a hotspot anywhere.

The hotel chain had argued that it wasn’t breaking the law, but was protecting its guests from “rogue wireless hotspots that can cause degraded service, insidious cyber attacks and identity theft.” But Marriott’s arguments are weak, as there are several examples that show guests are far safer jumping onto their own personal Wi-Fi hotspots than they are connecting to a potentially compromised hotel Wi-Fi network. In November, for example, Kaspersky Labs discovered a group of hackers targeting high-profile business executives who were working from luxury hotels.

via Google and Microsoft step in to oppose Marriott Hotels’ Wi-Fi blocking petition | The Verge.

How bad is the SCHANNEL vulnerability (CVE-2014-6321)?

Friday, November 14th, 2014

We had a number of users suggesting that we should have labeled MS14-066 as “Patch Now” instead of just critical. This particular vulnerability probably has the largest potential impact among all of the vulnerabilities patched this Tuesday, and should be considered the first patch to apply, in particular on servers.

Just like OpenSSL implements SSL on many Unix systems, SCHANNEL is the standard SSL library that ships with Windows. Expect most Windows software that takes advantage of SSL to use SCHANNEL.

Microsoft stated that this vulnerability will allow remote code execution and that it can be used to exploit servers. Microsoft also assigned this vulnerability an exploitability of “1”, indicating that an exploit is likely going to be developed soon. But other than that, very little has been released publicly about the nature of the vulnerability.

There is some conflicting information if the bug was found internally or by a third party. The bulletin states: “This security update resolves a privately reported vulnerability” [1]. A blog post about the vulnerability states: “Internally found during a proactive security assessment.” [2]. Finally, Microsoft’s “Acknowledgement” page does not list a source for the vulnerability [3]. It is not clear how far outside of Microsoft the vulnerability was known prior to the patch release.

However, as soon as a patch was released, it can be used to learn more about the vulnerability. It is very hard these days to obfuscate a patch sufficiently to hide the nature of a vulnerability.

So what does this mean for you? 

My guess is that you probably have a week, maybe less, to patch your systems before an exploit is released. You got a good inventory of your systems? Then you are in good shape to make this work. For the rest (vast majority?): While you patch, also figure out counter measures and alternative emergency configurations.

The most likely targets are SSL services that are reachable from the outside: Web and Mail Servers would be on the top of my list. But it can’t hurt to check the report from your last external scan of your infrastructure to see if you got anything else. Probably a good idea to repeat this scan if you haven’t scheduled it regularly.

Next move on to internal servers. They are a bit harder to reach, but remember that you only need one internal infected workstation to expose them. 

Third: Traveling laptops and the like that leave your perimeter. They should already be locked down, and are unlikely to listen for inbound SSL connections, but can’t hurt to double check. Some odd SSL VPN? Maybe some instant messenger software? A quick port scan should tell you more.

You are doing great if you can get these three groups out of the way by the end of the week. Internal clients are less of an issue, but just like “traveling laptops”, they may run some software that listens for inbound SSL connections. 
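One way to turn the scan reports and inventory mentioned above into that patch order, as an added example that is not part of the original diary: it reads nmap grepable (`-oG`) output for an external and an internal scan, ranks Windows hosts into the four groups described, and lists exposed SSL listeners missing from the inventory. The inventory, scan lines, host names and port list are constructed assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Ports where an SSL/TLS (or STARTTLS) service commonly listens. The diary names
# web and mail servers; this exact list is an assumption of the example.
TLS_PORTS = {25, 443, 465, 587, 993, 995, 8443}


class Asset(NamedTuple):
    name: str
    kind: str  # "server", "laptop" or "client"
    os: str


# Constructed inventory, keyed by the address the scans report (assumption).
INVENTORY = {
    "192.0.2.10": Asset("www", "server", "windows"),
    "192.0.2.11": Asset("mail", "server", "windows"),
    "192.0.2.12": Asset("files", "server", "windows"),
    "192.0.2.20": Asset("db01", "server", "windows"),
    "192.0.2.30": Asset("lt-sales-07", "laptop", "windows"),
    "192.0.2.40": Asset("ws-114", "client", "windows"),
    "192.0.2.50": Asset("web-linux", "server", "linux"),
}

# Constructed nmap -oG lines (fields are tab-separated in that format).
EXTERNAL_SCAN = """
Host: 192.0.2.10 (www.example.org)\tStatus: Up
Host: 192.0.2.10 (www.example.org)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
Host: 192.0.2.11 (mail.example.org)\tPorts: 25/open/tcp//smtp///, 993/open/tcp//imaps///
Host: 192.0.2.12 (files.example.org)\tPorts: 443/filtered/tcp//https///
Host: 192.0.2.99 ()\tPorts: 8443/open/tcp//https-alt///
"""

INTERNAL_SCAN = """
Host: 192.0.2.12 (files.example.org)\tPorts: 443/open/tcp//https///, 445/open/tcp//microsoft-ds///
Host: 192.0.2.20 (db01)\tPorts: 1433/open/tcp//ms-sql-s///
Host: 192.0.2.30 (lt-sales-07)\tPorts: 443/open/tcp//https///
Host: 192.0.2.40 (ws-114)\tPorts: 135/open/tcp//msrpc///
Host: 192.0.2.50 (web-linux)\tPorts: 443/open/tcp//https///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def open_tcp_ports(grepable: str) -> Dict[str, Set[int]]:
    """Parse nmap -oG text into {address: set of open TCP ports}."""
    result: Dict[str, Set[int]] = {}
    for line in grepable.splitlines():
        match = HOST_RE.match(line)
        if not match or "Ports:" not in line:
            continue  # blank lines and "Status:" lines carry no port data
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")  # port/state/protocol/owner/service/...
            if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                result.setdefault(match.group(1), set()).add(int(parts[0]))
    return result


def patch_order(inventory: Dict[str, Asset], external_scan: str,
                internal_scan: str) -> List[Tuple[int, str, List[int]]]:
    """Return (group, host name, listening SSL ports) in the diary's patch order.

    Group 1: SSL services reachable from outside, 2: internal servers,
    3: travelling laptops, 4: internal clients. Inside a group, hosts with an
    SSL listener come first. Non-Windows hosts do not use SCHANNEL and are skipped.
    """
    external = open_tcp_ports(external_scan)
    internal = open_tcp_ports(internal_scan)
    rows = []
    for address, asset in inventory.items():
        if asset.os != "windows":
            continue
        ext_tls = external.get(address, set()) & TLS_PORTS
        int_tls = internal.get(address, set()) & TLS_PORTS
        if ext_tls:
            group = 1
        elif asset.kind == "server":
            group = 2
        elif asset.kind == "laptop":
            group = 3
        else:
            group = 4
        listening = sorted(ext_tls | int_tls)
        rows.append((group, 0 if listening else 1, asset.name, listening))
    rows.sort()
    return [(group, name, ports) for group, _, name, ports in rows]


def unknown_exposed(inventory: Dict[str, Asset], external_scan: str) -> List[str]:
    """Externally reachable SSL listeners that the inventory does not know about."""
    return sorted(address for address, ports in open_tcp_ports(external_scan).items()
                  if address not in inventory and ports & TLS_PORTS)


if __name__ == "__main__":
    for group, name, ports in patch_order(INVENTORY, EXTERNAL_SCAN, INTERNAL_SCAN):
        print(group, name, ports)
    print("not in inventory:", unknown_exposed(INVENTORY, EXTERNAL_SCAN))
```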

Stick with my old advice: Patching is only in part about speed. Don’t let speed get in the way of good operations and procedures. It is at least as important to patch in a controlled, verifiable and reproducible way. Anything else will leave you open to attack due to incomplete patching. Don’t forget to reboot the system or the patch may not take effect.

Microsoft didn’t mention any workarounds. But this may change as we learn more about the issue. So make sure that you know how to disable certain ciphers or certain SSL modes of operations. And please take this as another opportunity to get your inventory of hardware and software sorted out.

Patch Now? Maybe better: Patch first / Patch soon. This vulnerability could turn into a worm like “slapper”, an OpenSSL worm exploiting Apache back in the day.

I am not aware of any public IDS signatures for this problem so far, but it may make sense to check for SSL errors even on non-Windows servers to spot possible exploit attempts.

To make things more interesting (confusing?), the Cisco Talos blog states that “[w]hile it is covered by only a single CVE, there’s actually multiple vulnerabilities, ranging from buffer overflows to certificate validation bypasses”. [4] It would be really odd from Microsoft to only use a single CVE number for various vulnerabilities only related by the common library they happen to be found in. But I do give Cisco some credibility here as they are working closely with Microsoft and may have gotten more details from Microsoft than what was published in the bulletin.

Cisco also published a number of Snort rules for MS14-066. If you have a VRT subscription, you should see these rules with an SID from 32404 through 32423.

PLEASE SHARE ANY ATTACK DATA / EXPLOIT SIGHTINGS YOU MAY HAVE ! ( handlers -at- sans.edu or our contact form)

[1] https://technet.microsoft.com/library/security/MS14-066
[2] http://blogs.technet.com/b/srd/archive/2014/11/11/assessing-risk-for-the-november-2014-security-updates.aspx
[3] https://technet.microsoft.com/library/security/dn820091.aspx
[4] http://blogs.cisco.com/security/talos/ms-tuesday-nov-2014


Johannes B. Ullrich, Ph.D.

https://isc.sans.edu/diary/How+bad+is+the+SCHANNEL+vulnerability+%28CVE-2014-6321%29+patched+in+MS14-066%3F/18947

Microsoft Open Sources .NET, Saying It Will Run On Linux and Mac | WIRED

Wednesday, November 12th, 2014

Satya Nadella’s rapid reinvention of Microsoft continues.

In yet another bid to make up lost ground in the long march to the future of computing, Microsoft is now open sourcing the very foundation of .NET—the software that millions of developers use to build and operate websites and other large online applications—and it says this free code will eventually run not only on computer servers that use its own Windows operating system, but also atop machines equipped with Linux or Apple’s Mac OS, Microsoft’s two main operating system rivals.

“We want to have a developer offering that is relevant and attractive and valuable to any developer working on any kind of application,” says S. “Soma” Somasegar, the 25-year Microsoft veteran who oversees the company’s wide range of tools for software developers.

With the move, Microsoft is embracing the reality that modern software and online services run atop a variety of operating systems—and that Windows no longer dominates the market the way it once did. At least tacitly, the software giant is acknowledging that so many businesses and developers now choose to run their software atop computer servers loaded with the open source Linux operating system, which, in recent years, has evolved in ways that Windows has not. Most notably, it offers what’s called containers, a new means of streamlining the way applications are built and operated.

“Today, people who are stuck on the .NET platform have to use a server environment that doesn’t have what Linux does,” says James Watters, who, at a company called Pivotal, works hand-in-hand with a wide range of developers and companies as they build large online software applications. “They’re stuck with a generation-behind technology.”

For Watters, Microsoft has ample ground to make up. But in open sourcing what’s called the .NET Core runtime—freely sharing it with the world at large—the company at least gives itself a fighting chance as it seeks to maintain a hold on the way the world builds and runs software.

In theory, an open source .NET that runs on Linux and Mac OS will expand the use of Microsoft’s developer tools. Then the company can pull in revenue through other channels—through premium versions of its developer tools and through its cloud computing service, Microsoft Azure, a means of building and running software without setting up your own servers.

The move is just the latest in a long line of rather large changes Microsoft has made since Nadella took over as CEO in January—all with an eye towards the rise of rival operating systems and open source software. The company now offers free versions of its Office applications for Apple iPhones and iPads. It provides a free version of Windows for phones and other small devices, hoping to catch up with Google’s open source Android operating system. And it says that the next version of Windows for computer servers will run Docker, a hugely important container technology that was originally built on Linux.

All this seemed unlikely under previous CEO Steve Ballmer—and all can help Microsoft find new relevance in the ever-changing world of online computing.

Chasing Java

Among developers and businesses building websites and other large online services, .NET is one of the primary competitors to Java. It’s widely used among companies that rely heavily on Microsoft software—the company says .NET was installed more than 1.8 billion times over the last year—but according to most estimates, Java is still the more popular tool. And many consider it the more powerful.

According to Watters, about 60 percent of Pivotal’s customers built their apps atop Java, about 40 percent on .NET. “Java is the go-to, and .NET is the legacy,” he says.

via Microsoft Open Sources .NET, Saying It Will Run On Linux and Mac | WIRED.

Microsoft Patches 3 Zero-day Vulnerabilities actively being Exploited in the Wild

Wednesday, October 15th, 2014

As part of its monthly patch update, Microsoft released eight security bulletins on Tuesday that address dozens of vulnerabilities, including a zero-day flaw reportedly being exploited by Russian hackers to target NATO computers and a pair of zero-day Windows vulnerabilities that attackers have been exploiting to penetrate major corporations’ networks.

Just the day before yesterday, our team reported on a zero-day vulnerability discovered by the cyber intelligence firm iSight Partners that affects all supported versions of Microsoft Windows and is being exploited in a five-year-old cyber-espionage campaign against the Ukrainian government and U.S. organisations.

Researchers at FireEye found two zero-day flaws, used in separate, unrelated attacks involving exploitation of the Windows kernel, just a day after iSight Partners disclosed the zero-day in Windows. The pair of zero-day vulnerabilities could allow an attacker to access a victim’s entire system.

via Microsoft Patches 3 Zero-day Vulnerabilities actively being Exploited in the Wild.

Microsoft must hand over overseas data, US court rules | IT PRO

Friday, August 1st, 2014

Microsoft has lost another bid to have a US government warrant demanding access to emails stored in its Dublin-based datacentre overturned.

The company has been ordered to hand over the emails to law enforcers in the US as part of a criminal investigation, the details of which have not been disclosed at this time.

US district judge Loretta Preska has ruled that Microsoft must hand over the data, even though it’s stored in a country outside of US jurisdiction.

However, Preska has put a delay on when the order comes into effect to give Microsoft time to lodge an appeal with the 2nd US Circuit Court of Appeals.

The software giant has been locked in a legal battle in the US on the matter since December 2013, and has vowed to appeal against the latest ruling.

In a blog post, Brad Smith, executive vice president and general counsel for Microsoft, said: “The only issue that was certain… was that the District Court’s decision would not represent the final step in this process.

“We will appeal promptly and continue to advocate that people’s email deserves strong privacy protection in the US and around the world,” Smith concluded.

This isn’t the first time Microsoft has challenged the ruling, after New York judge James Francis declared in April 2014 that the investigative powers of law enforcers would be “seriously impeded” if they were unable to access data stored overseas, considered out of their jurisdiction.

The outcome of the case has far-reaching implications for the technology industry, and Microsoft’s unerring stance on the matter has won the backing of Apple, Cisco, Verizon and others.

If Microsoft loses its appeal, other tech firms could be forced to hand over customer data stored overseas.

via Microsoft must hand over overseas data, US court rules | IT PRO.