Sunday, April 27, 2008

Large Exploit of MS07-004

It seems there is a widespread attack targeting software missing MS07-004.

From WebSense:

"This mass injection is remarkably similar to the attack we saw earlier this month. ...  Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications"

From News.com "Javascript injection claims UN and UK government sites"

Friday, April 25, 2008

InfoSec Europe vs. RSA 2008

We just got back from a week in London to attend InfoSec Europe, the biggest computer security show in EMEA.  Much like RSA in the States, InfoSec Europe is the show of the year for security people.

The attendance at InfoSec Europe was strong: our 20x30 booth was full for 3 days straight and the show runs long hours; in short, it was busy.  RSA has similar traffic, but we all agreed that the crowd in the UK was much more buyer focused than the RSA crowd, which was more people walking around the show floor vs. seeking products to use.  Thus I would rate InfoSec Europe as the stronger show, at least from a vendor perspective.

It's not clear what this exactly means, other than that the people at InfoSec were there to find solutions, vs. maybe people at RSA attend to go to security training sessions and are not as much there to find products to use.

I am also finding that industry, not just the security industry, is starting to bring security into the fold much more than in the past. It's becoming part of the IT culture now, which leads to a maturing of products to meet the needs of the corporation vs. all of us ISVs trying to create the new cool thing to attract the attention of the security experts.  It is also becoming very clear that industry wants stand-alone security products instead of having security added to existing management products; security is not just milk and sugar with your tea, and people who assumed it was have been burnt and are now realizing it.  Just as there is Web 2.0, we are now in Security 2.0: security as a key and independent part of IT.

One other item that came out very clearly in both shows, and we talked to 1000s of people across them, is that WSUS is just not cutting it.  Customers need patching beyond the basics, and the patches missed by WSUS are critical and plentiful.

These two shows are back to back now with just a week in between, and they are about 8 time zones apart, making it hard for companies like ours to attend both in full force, but we did it and our crew did a great job.  I got the sense other vendors send separate teams, as I did not see the same people at both shows, other than us.  Next year they are moving the shows even closer, which seems a bit unfair, but at the end of the day it gives us in the industry a release month to shoot for, to assure we have our latest ready to show, much like we used to do at Comdex a while back.

Cheers

Wednesday, April 16, 2008

Eric Schultze at RSA 2008 video

Eric talks Patch Smack at RSA video

A bit more on RSA 2008

This article in Baseline Mag notes that the security markets are mature, much like I noted in my previous entry.  They have a different take, which is interesting in that they claim the maturity means we have a seat at the CEO table, which is of course something security folk have been pushing for over the years.

One part of the article that does not seem to be occurring is that the big platform companies are taking over security.  Far from it: the big platform security solutions are disasters; security is too hard to get right to make it an under-managed add-on from a large vendor.  The markets are more likely heading to the case where there are two solutions that cooperate: one does full management and the other does great security.  Things should possibly be shared around reporting and remediation, and standards like SCAP are driving that, but right now there are no signs that the security industry is being absorbed by the large system vendors (HP, IBM etc.).  In fact, Microsoft continues to create security products vs. just adding security features to their management products (SCCM/MOM/SMS).

Monday, April 14, 2008

RSA show 2008

EMC's RSA security show was last week; I believe it's the largest security trade show in the world.  From my perspective the show was massive based on the number of vendor booths; it was not possible to learn what each vendor did - there were just too many booths, and many of the booth people were not technical so they just pointed me to their brochures (ouch).

Vendors ranged from Microsoft and other general s/w vendors who provide security add-ons and solutions, to the traditional security vendors such as Symantec and of course us. I talked to a number of security industry veterans, some of whom have been in the industry for well over 10 years. I also talked with a number of large companies (ISVs) who are adding security to their current offerings - both groups are driving a very practical level of security innovation into products vs. creating new ideas.

If I had to pick one takeaway from the show, it would be that all vendors were driving solid, practical, somewhat basic solutions to meet security needs vs. creating new ways to do things. In the near term this is good, as the industry needs such solutions, but in the longer term a lack of the more crazy innovation will start to hurt the industry.  Any industry needs new ideas to be put into it all the time; most new ideas fail, but key ones catch on and drive change.

I recently read that Henry Ford did not work with finance people because he felt they were anti-innovation, and maybe what we are seeing is that heavily funded companies, who at this time are looking for safe returns, and large companies, who need to take care of large customer bases, are taking over the trade show floors, and possibly the industry, which could limit innovation.

The included show photo is not a very good photo, but it's the best I have.  The show floor was much larger than this picture shows. I also attached a shot of the crowd waiting for the Olympic Torch, which was supposed to travel very close to the RSA show; with the torch re-route I am not sure it did, as I had to get back to work and could not wait around for it...

Friday, April 04, 2008

Server 2008 patch

Thursday, April 03, 2008

Network Configuration

As well noted in this SearchSecurity article:

“There's a perpetual buzz around software flaws and exploits researchers disclose daily, but security experts say it often distracts IT pros from a growing and more serious problem -- networks so sloppily configured and maintained that the bad guys can drive a virtual bulldozer through them without attracting attention.”

Having systems properly configured is a tenet of good security, certainly as key as patching, AV and firewalls are when the focus is securing systems from outside access.  But if a system is not properly configured and the network becomes infected by malware, these defenses become ineffective.  What good is a firewall once the malicious code is running on your network, due to an attacker gaining insider access to the network?  Basic things like easy passwords, unsecured shares, over-used administrator accounts and user rights are easy to fix and even easier to break.  When there is a time crunch, or when someone just needs something to work, it’s convenient for users to turn off the desktop firewall to get a business critical application running, to open the share to Everyone to distribute a report, or to make a software developer an admin so they can test their software – the list goes on, and it’s done by both administrators and end-users.  Of course, this is not the right thing to do from a security perspective, because this is how malware finds its way onto the network, and unfortunately it happens all the time.

GPO can help, but it lacks a double check and it’s not easy to tell if things were set up right.  Much like WSUS, GPO can help the problem, with a fair amount of effort applied by the IT staff, but it does not go far enough.  What is needed is something that automatically double checks (we all make mistakes, so double checks are a good thing) and automatically enforces IT security settings in accordance with policies. This creates a cost savings (automation equals saving money when properly done), and it gives all of us a much needed second pair of eyes.  An added plus is that we can report to the C-level staff that things are being continually fixed if they fall out of compliance with company policy.  These are very practical solutions.

As technical people we all know things are continually being changed on the network, and we know exactly where on our own networks.  The problem that often arises in companies is that the boss also knows things are being continually broken, but may not know where on the network, and a lack of proper reporting can make his or her job very difficult – it’s impossible to manage what you do not know.  If automated security configuration tools that include reporting capabilities are used, this will eliminate the information gap.  The boss can do his or her job, we can do our job, and our networks are secured.

As the article notes, as we start to run patching software we will soon learn that we also need to run automated security configuration software; it just makes sense.  This is something I myself have been working on in one way or another since 1983, 25 years already, and maybe soon the problem will start to be solved!
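The automated double check the post calls for, as an added example written for this page (not Shavlik's product code): a policy baseline, constructed host snapshots showing the drift described above (desktop firewall off, a share opened to Everyone, a developer in the local admins group, a weak password policy), a check that lists every deviation, an enforcement step that forces settings back to policy, and the management summary the boss can act on. The host names, principals and snapshot format are assumptions.

```python
# Automated configuration double check, as described in the post above.
# Added example, not Shavlik's code. Host snapshots are constructed in-memory
# stand-ins for what a network scanner would collect from each machine.
from copy import deepcopy
from dataclasses import dataclass

# Policy baseline covering the settings the post lists as easy to break.
POLICY = {
    "firewall_enabled": True,
    "forbidden_share_principals": {"Everyone"},
    "allowed_local_admins": {"Administrator", "CORP\\Domain Admins"},
    "min_password_length": 8,
}

# Constructed snapshots: a drifted workstation, a compliant server, a weak password policy.
SNAPSHOTS = {
    "DEV-WS01": {
        "firewall_enabled": False,  # switched off to get an app working
        "shares": {"Reports": ["Everyone", "CORP\\Finance"]},
        "local_admins": ["Administrator", "CORP\\Domain Admins", "CORP\\jdev"],
        "min_password_length": 8,
    },
    "FILE-SRV02": {
        "firewall_enabled": True,
        "shares": {"Finance": ["CORP\\Finance"]},
        "local_admins": ["Administrator", "CORP\\Domain Admins"],
        "min_password_length": 12,
    },
    "HR-PC07": {
        "firewall_enabled": True,
        "shares": {},
        "local_admins": ["Administrator", "CORP\\Domain Admins"],
        "min_password_length": 4,
    },
}

@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    observed: str
    expected: str

def check_host(host, snap, policy=POLICY):
    """Compare one snapshot against the policy and return every deviation."""
    findings = []
    if snap["firewall_enabled"] != policy["firewall_enabled"]:
        findings.append(Finding(host, "firewall_enabled",
                                str(snap["firewall_enabled"]), str(policy["firewall_enabled"])))
    for share, acl in snap["shares"].items():
        bad = sorted(set(acl) & policy["forbidden_share_principals"])
        if bad:
            findings.append(Finding(host, f"share:{share}", ", ".join(bad),
                                    "no " + ", ".join(sorted(policy["forbidden_share_principals"]))))
    extra = sorted(set(snap["local_admins"]) - policy["allowed_local_admins"])
    if extra:
        findings.append(Finding(host, "local_admins", ", ".join(extra),
                                "only " + ", ".join(sorted(policy["allowed_local_admins"]))))
    if snap["min_password_length"] < policy["min_password_length"]:
        findings.append(Finding(host, "min_password_length", str(snap["min_password_length"]),
                                f">= {policy['min_password_length']}"))
    return findings

def remediate(snap, findings, policy=POLICY):
    """Return a copy of the snapshot with every finding forced back to policy.
    This is the enforcement step; a real tool would push the changes to the host."""
    fixed = deepcopy(snap)
    for f in findings:
        if f.setting == "firewall_enabled":
            fixed["firewall_enabled"] = policy["firewall_enabled"]
        elif f.setting.startswith("share:"):
            share = f.setting.split(":", 1)[1]
            fixed["shares"][share] = [p for p in fixed["shares"][share]
                                      if p not in policy["forbidden_share_principals"]]
        elif f.setting == "local_admins":
            fixed["local_admins"] = [a for a in fixed["local_admins"]
                                     if a in policy["allowed_local_admins"]]
        elif f.setting == "min_password_length":
            fixed["min_password_length"] = policy["min_password_length"]
    return fixed

def compliance_report(snapshots=SNAPSHOTS, policy=POLICY):
    """Management summary: how many hosts comply, and which settings drifted where."""
    per_host = {h: check_host(h, s, policy) for h, s in snapshots.items()}
    compliant = sum(1 for fs in per_host.values() if not fs)
    return {
        "hosts": len(per_host),
        "compliant": compliant,
        "compliance_pct": round(100 * compliant / len(per_host)) if per_host else 100,
        "drifted": {h: [f.setting for f in fs] for h, fs in per_host.items() if fs},
    }

if __name__ == "__main__":
    report = compliance_report()
    print(f"{report['compliant']}/{report['hosts']} hosts compliant ({report['compliance_pct']}%)")
    for host, settings in report["drifted"].items():
        print(f"  {host}: {', '.join(settings)}")
```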

Sunday, March 30, 2008

security problems on upswing?

Security is very much in the headlines this week. Nothing new really, but in the near past it seemed the IT industry was moving security down its priority list, and whenever that happens security becomes the news pretty quickly, it seems.

For example news.com has 3 articles today:

RedmondMag:

Microsoft Issues Critical Out-of-Cycle Patch for Word, Excel Flaws - Late Wednesday, Microsoft released an out-of-cycle critical patch revision in the form of Security Bulletin MS07-025 in an effort to stave off a barrage of remote code execution (RCE) exploits that popped up less than two weeks after Redmond's March patch rollout.

InformationWeek's home page:

  • CA Patch - "This vulnerability is a big deal by itself, first because of the huge install-base of the affected products, and second because of the nature of these applications. Being able to compromise one of these systems in a corporation could make a quick stepping-stone to more crucial servers – especially considering how mushy-gushy most corporate network security is deep behind the DMZ."
  • MacBook Hacked in Two Minutes "Security researchers from Independent Security Evaluators managed to hack a MacBook Air using a zero-day vulnerability in Apple's Safari 3.1 Web browser."

Thursday, March 27, 2008

RSA show

Just back from vacation in NYC, and it's nice to not have to pay someone every time I step out of a car...

Please stop by and visit us at the RSA show this year, we will have presenters from VMware, Juniper and of course best of all Mike Rothman from Security Incite and our own Eric Schultze.  We will cover the latest in security from all of us and our customers, including our new work in the Federal areas with SCAP and FDCC, cool new VM security management, and Juniper's integration with our line.

On other notes it seems Apple is pushing a copy of its Safari browser out to Windows users of iTunes, and with missing patches no less.  We are working on removing and patching this s/w shortly via Protect. 

Tuesday, March 11, 2008

New Patches

Update:

Here is a good overview of patch day from Bill Sisk at SearchSecurity.  One very big key, and I noted this below in regards to MBSA already:  "Most of the affected products in this particular bulletin are not detected by Microsoft Baseline Security Analyzer (MBSA) 2.0.1. However, Microsoft has worked with Shavlik Technologies to provide support for legacy security update detection. Please refer to the main MBSA website for additional information."  Or you can just go to http://www.shavlik.com/pDownloadForm4.aspx and get a trial of our s/w to scan for these patches (and buy our product of course).

Microsoft has released four critical security bulletins this month, all in Office.  Sometimes Office is hard to patch with Altiris and SMS, so be sure to use patching products (!) and be aware that tools like MBSA do not even do remote scans for Office patches (MBSA is not really a scanner any more anyway, but that is a different topic).

MS08-014: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029)

Severity: Critical

http://www.microsoft.com/technet/security/bulletin/MS08-014.mspx

MS08-015: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (949031)

Severity: Critical

http://www.microsoft.com/technet/security/bulletin/MS08-015.mspx

MS08-016: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030)

Severity: Critical

http://www.microsoft.com/technet/security/bulletin/MS08-016.mspx

MS08-017: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103)

Severity: Critical

http://www.microsoft.com/technet/security/bulletin/MS08-017.mspx

Monday, March 10, 2008

Brett Favre

Since I am from Green Bay, WI, it was nice to see the post from Mike about Brett Favre.  I was at Favre's first game in '91 (Bengals with Boomer at QB), which was shortly after my brother and I watched Favre in practice in summer camp. All we knew was Favre liked to drink, was like 3-5 passing in his 1st season in the NFL, plus we gave a 1st round pick to Atl (rolled our eyes) for the guy; then we saw his great arm and it made us think, or better said hope.

Of course I still do not believe the NYG championship game is over, and it took me this long to even write a note on Favre's leaving the game. It's all a healing process.

Cancel Patch Tuesday?

Modern patch management products can patch about 1000 computers per hour via one person without requiring setup such as an agent, or if you are already using an agent that works too.  Products like SMS, Altiris and others are likely to take longer when unsupported products need to be patched, as packages will need to be hand built and detection does not work, but again focused patching products take care of all this so it's not really a problem, at least for those using them.

So -- with the right products now available, could Microsoft release patches as they exit test to shrink the vuln. window? Is it worth it?  What about known vulns that MS does not patch for months? This problem would not go away.  It's an interesting thought.

Dennis Fisher mentions a new way to look at Patch Tuesday (actually the old way as he notes)

Instead of leaving flaws unpatched for weeks between cycles, Microsoft should use its resources to produce high-quality patches shortly after vulnerabilities are discovered.

...

Patch Tuesday is perhaps the most anticipated and feared day of the month for network administrators and security managers. They wait eagerly for the next batch of patches from Redmond, glad to have some protection against attacks on the vulnerabilities that have popped up since the previous month's release. But they dread it too, and with good reason, given the massive amount of work involved in rolling out a dozen or more patches to thousands of systems.

Saturday, March 08, 2008

Security Research for VMs just getting started

With all the changes VM management is going to bring to data centers and IT ops in general, we can surely expect to see a rapid increase in research being done around VM security.

This article about Core Security's latest work in researching VM security gives a great example, and the research will of course lead to the need for security configuration and patching for all the VMs on networks.

As Core Security co-founder and CTO Iván Arce puts it: “it’s wrong to think that just by spreading virtualization all over your organization you will be more secure.”

Wednesday, March 05, 2008

VM's brave new world

The world of VM security is just getting started; some say it’s the next big wave of security and I tend to agree.  In the pre-VM days you had to get a fairly big budget to buy a new server, which created a fair amount of resistance to adding servers, which in turn made it easier to manage the servers you had since their number was limited.  You also only brought a server on line after taking the time to stage it. And for the most part it was running 7x24, so you could check on it whenever you wanted.  At the time it seemed hard, and it was, but compared to the VM-based world it was easy.

Fast forward to today. It's now very easy to add a server. You do not need to buy nearly as much hardware, VMs are easy to set up, and guess what? Vendors will deliver software on a VM; all you need to do is install and start it and you have a new product running on your network.  No need for a vendor to ship you a blade, they just need to send you a VM to load.

One day you have 1,000 servers and a few weeks later you have 5,000.  While that’s good for storage vendors, it’s not good for you as you try to keep them secured and stable.  Of these 5,000 VMs, several hundred are probably offline: ticking security time bombs and a problem you never had to worry about before.

Never mind all the desktops and mobile devices out there in your wild wild wild west. Never mind the crazy end-users downloading and installing software from the Internet. You have bigger problems now. Your data center is exploding with new servers, and people are running servers all over the place, off-line, on-line, everywhere.  And each of those virtual servers needs to be secured.

This brave new world is an area where we are working hard to help customers, from us being integrated into VMware, to us adding the full stack of security management solutions to our products so you can manage all your new servers. Offline, online, VMs from Microsoft, from VMware, it doesn't matter. You push the big green button and you secure your virtual world the same way you secure your physical servers today.

Thursday, February 28, 2008

New Shavlik NetChk 6.0 release

We have released our latest, version 6.0 (thanks to our team, our partners and the customers we worked with to create, market and sell this release). Here is some customer feedback: http://www.shavlik.com/products/testimonials.aspx. This is a shameless plug blog and maybe I am feeling a bit feisty today, but I guess if I do not talk about our products in a positive light, why would anyone else?

A few key items are the additional agent features along with more on-going network management user interface feature-adds.  We still find most of our customers use our agent-less approach for most tasks, like pushing a key patch to 1,000 servers per hour, or scanning 8,000 computers in about 2 hours, all without needing to manage an additional infrastructure; the same is true for our malware management.  So why do we continue to work on our agent management?  Good question. One reason is the market perception that an agent is required -- but once users start going with agent-less they do not bother with agents. However, some customers want to run our product on traveling computers or in DMZs, so we continue to blend both agent and agent-less support in all our products.

Our agent and UI are multi-purpose, doing both patch and malware management, but I also like to say we run with ZERO agents and one UI, or if you embed our technology like Dell, Symantec, VMware, Juniper, Microsoft, Quest Software, BMC and others (hey, it must work) do, you can even go with no UI... this flexibility is key.

Another key driver for us is very accurate product coverage. I still get a smile when a WSUS user says they are patched when they are just covering some Microsoft products, when things work out -- the best case is not secure.  WSUS of course misses out on Java, Adobe, Flash, Blackberry Servers and others.  Get a demo version of our product and scan your key servers and desktops; if you do not find any missing critical patches please let me know. Or use the demo to shed some light on products keeping you in the dark while claiming otherwise.

What's next? More VM support in the near and long term, more work around malware and unwanted software, which continues to be a big area of growth for us, and a new release of Shavlik NetChk Compliance with new general features along with a number of Federal Government standards such as SCAP being supported.  Beyond that is more security and network management, more ease of use in which the Big Green Button can be pushed to solve problems, all managed with one UI and zero or one agent.  And as always - the best Microsoft focused solutions available.

Monday, November 19, 2007

Microsoft patch management - missing key items

I noticed this article in eWeek with the summary "Opinion: Old and insecure third-party applications are the vector in more and more compromised systems. Here are some radical ideas for addressing the problem." and I thought, great; people are realizing the security risks in using WSUS as your only patching solution.

Then I read the "radical" (in the fingers of the writer only) posed question of "What if third-party application vendors could design their applications to update through Windows Update?" and I immediately thought of how out of touch the writer is with the industry, because building a security system that depends on vendors adding their own patches to a 3rd party system such as WSUS on their own is never going to happen.

There are far too many patches coming from too many vendors to depend on such a system; if just a few vendors do not add in their patches we do not gain anything in the way of security, as the bad guys will just keep looking for the missing patches not provided.  Instead, the industry needs an active 3rd party ISV community like us and other companies like us.  We search out and support patches from vendors, some of which are placed deep on product support sites where they are hard to find; then our customers just push a button and they get the patches installed on a regular basis, much like AV and spyware vendors update signatures on a frequent basis.  We do not need "radical" ideas, we just need writers to look a little bit beyond Microsoft to let their readers know they have options that are widely available today.

At least the article's point of "That's why it's increasingly likely these days that successful attacks happen through old third-party applications with old vulnerabilities in them." was presented, and it's great to see more writers creating awareness around this issue.  Now if we can just get them to talk about solutions available today.

Tuesday, November 13, 2007

short sample of what MBSA 1.2.1's death leaves behind

From Eric Schultze (aka Mr. Patch), below is just a short list of security patches not supported by the now dead MBSA 1.2.1, for people still using it; we only went back a few patch days.  The complete list is much larger, so as I noted in a blog from an hour or so ago, do not use MBSA 1.2.1 any more.

MS07-061 is the Critical patch released today by Microsoft for the URI issue.  It is not supported by MBSA 1.2.1 (not supported because the mssecure.xml file is no longer being updated).

Other recent bulletins not supported by MBSA 1.2:

Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site (942017): MS07-059

Security Update for Outlook Express and Windows Mail (941202): MS07-056

Vulnerability in MSN Messenger and Windows Live Messenger Could Allow Remote Code Execution (942099): MS07-054

Vulnerability in Windows Services for UNIX Could Allow Elevation of Privilege (939778): MS07-053

Vulnerability in Crystal Reports for Visual Studio Could Allow Remote Code Execution (941522): MS07-052

Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986): MS07-049

Vulnerabilities in Windows Gadgets Could Allow Remote Code Execution (938123): MS07-048

Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782): MS07-047 (for WMP 10+11)

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227): MS07-042

Vulnerabilities in .NET Framework Could Allow Remote Code Execution (931212): MS07-040

Vulnerability in Windows Vista Firewall Could Allow Information Disclosure (935807): MS07-038

For Internet Explorer patches, MBSA 1.2 only does Win2K and XP (not WS03 or Vista or IE7 flavors of IE)
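Why a scanner whose data file has stopped updating is worse than no scanner, as an added example (not MBSA or Shavlik code): the same host is evaluated against a catalog frozen in mid-2007 and against the same feed kept current through this patch day. The bulletin/KB pairs are taken from the list above; the catalog dates, the host's installed KBs and the 45-day freshness threshold are constructed for the demonstration.

```python
# Stale catalog guard: the failure mode the MBSA 1.2.1 note above describes.
# Added example, not MBSA or Shavlik code. Bulletin/KB pairs come from the list
# above; catalog dates, host inventory and freshness threshold are constructed.
from datetime import date

# Detection data frozen in mid-2007 (constructed date): it never learned about later bulletins.
FROZEN_CATALOG = {
    "last_modified": date(2007, 7, 10),
    "bulletins": {"MS07-038": "935807", "MS07-040": "931212"},
}

# The same feed kept current through the November 2007 patch day.
CURRENT_CATALOG = {
    "last_modified": date(2007, 11, 13),
    "bulletins": {
        **FROZEN_CATALOG["bulletins"],
        "MS07-042": "936227", "MS07-047": "936782", "MS07-048": "938123",
        "MS07-049": "937986", "MS07-052": "941522", "MS07-053": "939778",
        "MS07-054": "942099", "MS07-056": "941202", "MS07-059": "942017",
    },
}

# Constructed host: patched through the summer, nothing applied since.
HOST_INSTALLED_KBS = {"935807", "931212", "936227", "937986"}

MAX_CATALOG_AGE_DAYS = 45  # constructed: a little longer than one monthly patch cycle


def scan(installed_kbs, catalog, today):
    """Evaluate a host against a catalog, refusing to claim PATCHED from stale data."""
    age_days = (today - catalog["last_modified"]).days
    missing = sorted(b for b, kb in catalog["bulletins"].items() if kb not in installed_kbs)
    naive = "MISSING_PATCHES" if missing else "PATCHED"
    status = "UNKNOWN_STALE_DATA" if age_days > MAX_CATALOG_AGE_DAYS else naive
    return {
        "status": status,
        "naive_status": naive,  # what a scanner without the freshness guard would report
        "catalog_age_days": age_days,
        "bulletins_checked": len(catalog["bulletins"]),
        "missing": missing,
    }


def compare_feeds(installed_kbs=HOST_INSTALLED_KBS, today=date(2007, 11, 13)):
    """Run the same host through the frozen and the current feed side by side."""
    return {"frozen": scan(installed_kbs, FROZEN_CATALOG, today),
            "current": scan(installed_kbs, CURRENT_CATALOG, today)}


if __name__ == "__main__":
    for name, result in compare_feeds().items():
        print(f"{name:8s} catalog age {result['catalog_age_days']:>3d}d, "
              f"checked {result['bulletins_checked']:>2d} bulletins -> {result['status']} "
              f"(naive scanner would say {result['naive_status']})")
        if result["missing"]:
            print("         missing:", ", ".join(result["missing"]))
```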

Thanks for the props to Doug Barney

http://redmondmag.com/reports/article.asp?EditorialsID=605

An Almost Patch-Free Patch Tuesday
Last week, a computer luminary (let's call him Mark Shavlik) asked me over a lunch of chowder and butterfish (we live well here at Redmond magazine) what was going on with security. I dabbed the cream and clam juice from my beard, which gave me time to think (I was stalling).

I know security is the biggest issue but, like with the 9/11 attackers, we just aren't afraid anymore. On the Microsoft side, the older products are becoming legacy and have been patched so many times they look like a Three Stooges car tire. The newer products, so far as I can see, are more secure out of the box.

MBSA 1.2.1 is now dead

As of this patch day (Nov 2007) the agent-less security patch scanner, basically hfnetchk under the name of MBSA 1.2.1, is now dead and there is no direct replacement from Microsoft. They do recommend one of our products to help out, but it's not a full solution by itself.  MBSA 1.2.1 was the most widely used agent-less patch scanner ever released, and for good reason - it quickly helped people secure networks.

(As a disclosure or marketing notification, depending on your perspective: Shavlik Tech continues to provide a state-of-the-art agent-less security patch command line scanner based on hfnetchk and MBSA 1.2.1; we wrote both of them with and for Microsoft. Be aware that this is the only one available in the security markets with current patch support and true agent-less support; many vendors are using the word agent-less when they require agents, or they only run locally, meaning they cannot be used to scan networks -- possibly a slight failure in truth in advertising, but that is for you to decide. More info is at http://www.shavlik.com/netchk_analyzer.aspx.)

What does this mean? First, you need to stop using MBSA 1.2.1 at once; it's dead, pull it from your scripts, remove it from your tool kits.  Use our products or other products, but do not use MBSA 1.2.1.  If you go with just the free WSUS, be aware that it does not even support all of Microsoft's products, much less other products like iTunes, RealPlayer etc. that have security patches, and WSUS only works on computers that are running WSUS; there is no more agent-less scanning from Microsoft unless you use the product Microsoft recommends, which is of course our product, to close the gap.  You may be happy knowing WSUS says you are secure, but the bad guys are even more happy because they will use agent-less scanners to find the missing patches on your network, and finding a machine w/o a WSUS agent is easy to do, and finding one with a WSUS agent that is not doing full patching is also easy to do.

As a short history, we wrote MBSA for Microsoft so many years ago now, with a core value of agent-less and deep, full product scanning, something now missing in the free products from Microsoft.  1000s of companies use (or used) MBSA 1.2.1 to secure millions of computers. They did this because agent-less scanners find all the computers on your networks, then do deep scans looking for all products, not just a few.

Why do I care so much about an old, somewhat outdated free product?  Of course my preference is that people buy our products, and the death of MBSA 1.2.1 helps us there, but for those that do not buy from us, or someone else, it was nice knowing MBSA 1.2.1 was out there working away. Another concern I have is that no one seems to realize what the death of MBSA 1.2.1 means. Yes, you can buy our products and others, but it also means there are no more free agent-less patch scanners from Microsoft, a big reason companies are now able to patch, and to double check they are doing a good job at it.  It also may mean people will become less patched, and less secure, and not know it because they do not have a way to double check things in a reliable way, and worse they will run MBSA 2.0 and get less information than MBSA 1.2.1 + MBSA 2.0 + Enterprise Update Scan Tool (the old way) gave.

MBSA 1.2.1 obit examples: there are more examples, these are just two I quickly copied into this post.

(http://www.microsoft.com/technet/security/bulletin/ms07-049.mspx)

MBSA 1.2.1 does not support detection for this security update. The Enterprise Update Scan Tool does (MARK: I do not think this scans beyond the machine it's running on, so beware), and is what customers can use instead of MBSA 1.2.1. For download links and more information about the version of EST that is being released this month, see Microsoft Knowledge Base Article 894193. SMS customers should also see the heading, Systems Management Server, for more information about SMS and EST.

The following table provides the MBSA and EST detection summary for this security update.

Software                                 | MBSA 1.2.1 | EST | MBSA 2.0.1
-----------------------------------------|------------|-----|-----------
Microsoft Virtual PC 2004                | No         | Yes | Yes
Microsoft Virtual Server 2005            | No         | Yes | Yes
Microsoft Virtual Server 2005 R2         | No         | Yes | Yes
Microsoft Virtual PC for Mac Version 6.1 | No         | No  | No
Microsoft Virtual PC for Mac Version 7   | No         | No  | No

Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For more information about MBSA, visit Microsoft Baseline Security Analyzer.

The following table provides the MBSA (MARK: no MBSA 1.2.1 support) detection summary for this security update.

Software                                                                                                   | MBSA 2.0.1
-----------------------------------------------------------------------------------------------------------|-----------
Windows XP Service Pack 2                                                                                  | Yes
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2                 | Yes
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2                                  | Yes
Windows Server 2003 x64 Edition and Windows 2003 Server x64 Edition Service Pack 2                         | Yes
Windows Server 2003 with SP1 for Itanium based systems and Windows Server 2003 with SP2 for Itanium based systems | Yes

Wednesday, October 31, 2007

new location for xml.shavlik.com - FYI

WHO MAY BE AFFECTED: Shavlik customers who have modified their firewalls for outbound access to xml.shavlik.com

Dear Shavlik Customers:

In order to continue to provide you with the highest service levels possible, Shavlik has upgraded its xml server web farm.  This upgrade will help ensure that Shavlik data files are always available to you when you need them.

As a result of this upgrade, the Internet Protocol (IP) address for xml.shavlik.com will be changing.  Beginning on Saturday, December 1st, the DNS entry for the xml.shavlik.com server farm will be changed to 66.179.200.146. 

For most customers, this change will not impact normal Shavlik product usage.  However, for customers who have modified their firewalls for outbound IP access to xml.shavlik.com, a change may be required on the firewall to enable connectivity to this new IP address.

To assist customers with this transition, the xml.shavlik.com servers at their current IP address (216.182.10.4) will be updated and available through December 31st, 2007.  From today through December 31st 2007, XML files will be available from both the new and the old IP addresses.

Shavlik encourages customers who have opened outbound firewall access to xml.shavlik.com to modify their firewalls to allow access to this new IP address before the DNS change is made on December 1st.

If you have any questions about the XML server farm move or the IP address switch, please contact Shavlik support at support@shavlik.com or 866-407-5279 (intl: +1-651-407-5279).

Friday, October 26, 2007

Linux and MS server markets

I thought this trend was interesting (assuming IDC got it right); I was not aware that Microsoft has 70% of the server market and that the Linux market may be shrinking.

http://www.eweek.com/article2/0,1759,2207368,00.asp

"The annual rate at which Linux is growing in the x86 server space has fallen from around 53 percent in 2003, when Windows Server growth was in the mid-20 percent range, to a negative 4 percent growth in calendar year 2006, IDC Quarterly Server Tracker figures show."

“In 2000, Windows comprised about half of the server operating system market, followed by Unix and Netware at about 17 percent each and Linux reaching towards 10 percent, she said, noting that today Windows owns about 70 percent, Linux about 20 percent, with Unix below 10 percent and Netware barely registering.”

Friday, September 21, 2007

New patches and malware

From the Shavlik Data Team:

Shavlik Technologies has released updated patch and spyware XML files for Shavlik HFNetChkPro and Shavlik NetChk Protect.

[Patch]
XML data version = 1.1.3.3804 Last modified on 9/20/2007

This update includes the following changes:

- Added security update FF07-006 (QFF2070, QFF2071). Mozilla has released Firefox version 2.0.0.7.

- Added security update AI07-001 (QAI0742). Apple has released iTunes version 7.4.2.

- Added security update TB07-001 (QTB2006). Mozilla has released Thunderbird 2.0.0.6 which fixes multiple security vulnerabilities.

- Modified MS07-052. Fixed an issue where MS07-052 may not be properly detected as installed if Visual Studio 2003 and Visual Studio are installed on the same system.

- Added support for Office 2003 Service Pack 3.

- Added support for Project 2003 Service Pack 3.

- Added support for Visio 2003 Service Pack 3.

- Added support for Apple iTunes. ***

- Added support for Mozilla Thunderbird. ***

*** Note: Support for iTunes and Thunderbird are in console version 5.9 only.

[Spyware]
Version 5.6/5.8.1/5.9
XML Date: 09/20/2007
XML Version: 1.0.2.1572
XML Object Count: 112,558

Version 5.5
XML Date: 09/20/2007
XML Version: 1.0.2.1573
XML Object Count: 112,201

-Added Ultimate Fixer

-Added ErrClean

-Added Antispy Storm

-Added Dio Cleaner

-Added MenanceRescue

-Added Antiworm2008

-Added GoldenAntiSpy

-Added AntiSpywareSuite

-Added TrojansFilter

-Added new version of Perfect Cleaner

-Updated AVSystemCare
- Certain registry keys from similar Nonbizware programs could have created false positives


How to obtain the new Shavlik XML files:
The new XML files will be automatically downloaded to your NetChk console the next time a scan is performed. Alternatively, you may initiate a refresh of all Shavlik files, including the XML files, by selecting 'Tools-Refresh Files' from the menu bar in the NetChk console. For additional information on Shavlik data files, please visit http://forum.shavlik.com/viewtopic.php?t=4923

- The Shavlik XML Team

Thursday, September 13, 2007

Exploit for MS07-051

An exploit is out for the Microsoft Agent vulnerability, MS07-051, apparently just a few days after the patch:

http://www.eweek.com/article2/0,1895,2183048,00.asp

Good WU story

This seems to be getting lots of air time, much like the NE Pats camera:

http://www.eweek.com/article2/0,1895,2182967,00.asp

"What the Hell Is Microsoft Doing with My Computer? "

Monday, August 27, 2007

Shavlik NetChk Compliance 3.0 release

We have received a solid response from our customers since the January 2006 launch of our compliance solution, Shavlik NetChk Compliance, which automates the management of critical system and security configurations for both assessment and remediation. The feedback we are getting is that it helps them lower operational costs and reduce their risk of exposure by automating many of the tasks required to assess system health and prepare for IT audits.

We have also learned a number of key things about where the industry is with regard to security compliance enforcement: in short, we are just getting started at automating this, or for some even doing it at all. The industry needs to head in this direction because without a properly configured computer, security is just not possible, and a lot of money is spent proving that it is not. As Edison said when he worked to commercialize the light bulb, he learned thousands of ways not to make a long-lasting bulb; it is the same for security. As an industry we are still learning what does not work, but I do believe that solid automation around compliance does work, assuming it includes patch management and the removal of unwanted software, of course.

We listened to our customers about the new features they wanted in NetChk Compliance, and we incorporated those into NetChk Compliance 3.0, our latest version. This release is mostly built around adding what our customers asked us for, which tells me the market for compliance management is starting to mature, and that is good news. We will be announcing general availability soon, but I wanted to put a note out now.

We are committed to providing a simplified, automated and flexible approach to compliance and security management, as we are in all our products. We are finding that while managing networks from a policy-compliance standpoint is hard work and time consuming, products like ours do help and are a solid foundation to build from. One key item in this release is the ability for customers to add their own low-level (and lower-level) checks, so it is easy to build specific policies such as which AV product is running, or whether the desktop firewall is enabled when that firewall is not the Microsoft firewall, for which we have built-in support. Every company seems to want to focus on different aspects to create and enforce policy for, so while we provide a large number of built-in items, the ability to add more is key: no matter how many we add, someone will need the one we do not have. There are something like 2,000 possible settings to write a security policy for on the Microsoft platform; it is best to pick your top 10 to start with, and once that is well underway move on to your top 100, and so on.
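The two checks named above (which AV is running, is the desktop firewall on) are a good illustration of what a customer-defined "low-level check" looks like in practice. The PowerShell below is an added example, not NetChk Compliance code: each check is a function that returns a pass/fail verdict plus the evidence behind it, and the policy is just a list of such checks, so adding the one we do not ship is a matter of adding a function. It assumes Windows PowerShell 2.0 or later running elevated on a Windows workstation; the firewall registry keys are where Windows Firewall keeps per-profile state, the SecurityCenter WMI classes exist on client SKUs only, and the productState bit tests are the common practitioner decoding of that field rather than an official Microsoft interface.

```powershell
# Added example; not Shavlik NetChk Compliance code. Each check returns
# Pass ($true/$false/$null for not applicable) and Evidence; the policy is data.
# Assumptions: Windows PowerShell 2.0 or later, run elevated on a Windows
# workstation. productState bit meanings are the common practitioner decoding.

function Test-WindowsFirewallEnabled {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $off = @()
    # XP SP2 has Domain and Standard profiles; Vista and later add Public.
    foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $key = Join-Path $base $profile
        if (-not (Test-Path $key)) { continue }
        $v = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
        # A missing value counts as "not proven on", which is what an audit wants.
        if ($v -ne 1) { $off += $profile }
    }
    if ($off.Count -eq 0) { $evidence = 'EnableFirewall=1 on every profile present' }
    else                  { $evidence = 'Firewall not enabled for: ' + ($off -join ', ') }
    New-Object PSObject -Property @{ Pass = ($off.Count -eq 0); Evidence = $evidence }
}

function Test-AntivirusActive {
    # Vista and later register AV in root\SecurityCenter2; XP uses root\SecurityCenter.
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        $products = @(Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue)
        if ($products.Count -eq 0) { continue }
        $active = @()
        foreach ($p in $products) {
            if ($p.productState -ne $null) {
                # Vista+ bitfield: 0x1000 set = real-time protection on,
                # 0x10 set = definitions out of date.
                $on       = (([int]$p.productState) -band 0x1000) -ne 0
                $upToDate = (([int]$p.productState) -band 0x10) -eq 0
            } else {
                # XP schema exposes the two facts as booleans.
                $on       = [bool]$p.onAccessScanningEnabled
                $upToDate = [bool]$p.productUptoDate
            }
            if ($on -and $upToDate) { $active += $p.displayName }
        }
        $names = ($products | ForEach-Object { $_.displayName }) -join ', '
        return New-Object PSObject -Property @{
            Pass     = ($active.Count -gt 0)
            Evidence = "Registered: $names; active and current: " + ($active -join ', ')
        }
    }
    # Server SKUs have no Security Center namespace: not applicable, not a failure.
    New-Object PSObject -Property @{ Pass = $null; Evidence = 'No Security Center WMI namespace on this host' }
}

# The policy is data: add one hashtable per check you care about.
$Policy = @(
    @{ Name = 'Desktop firewall enabled on every profile'; Check = { Test-WindowsFirewallEnabled } },
    @{ Name = 'Antivirus real-time protection on and current'; Check = { Test-AntivirusActive } }
)

function Invoke-CompliancePolicy {
    param([object[]]$Policy)
    foreach ($item in $Policy) {
        $r = & $item.Check
        if ($r.Pass -eq $null) { $result = 'N/A' } elseif ($r.Pass) { $result = 'PASS' } else { $result = 'FAIL' }
        New-Object PSObject -Property @{ Check = $item.Name; Result = $result; Evidence = $r.Evidence }
    }
}

$results = @(Invoke-CompliancePolicy -Policy $Policy)
$results | Format-Table Check, Result, Evidence -AutoSize
# A non-zero exit code lets a scheduler or management console flag the host.
if (@($results | Where-Object { $_.Result -eq 'FAIL' }).Count -gt 0) { exit 1 }
```

The design point is that every check carries its evidence string, so a failed audit shows which profile or which product tripped it rather than a bare "non-compliant", and a host where a check does not apply (a server with no Security Center) reports N/A instead of polluting the failure count.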

If you find that you are facing similar challenges keeping your environment in compliance or have found solutions that work for you, I would really like to hear about it.  Click my email link on the right

Tuesday, August 14, 2007

patch day

Microsoft has released nine new security bulletins today, six of them critical.  Shavlik is currently testing these patches and will release updated XML files shortly.

MS07-042: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227)
Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-042.mspx

MS07-043: Vulnerability in OLE Automation Could Allow Remote Code Execution (921503)
Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-043.mspx

MS07-044: Vulnerability in Microsoft Excel Could Allow Remote Code Execution (940965)
Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-044.mspx

MS07-045: Cumulative Security Update for Internet Explorer (937143)
Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-045.mspx

MS07-046: Vulnerability in GDI Could Allow Remote Code Execution (938829)
Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-046.mspx

MS07-047: Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782)
Severity: Important
http://www.microsoft.com/technet/security/Bulletin/MS07-047.mspx

MS07-048: Vulnerabilities in Windows Gadgets Could Allow Remote Code Execution (938123)
Severity: Important
http://www.microsoft.com/technet/security/Bulletin/MS07-048.mspx

MS07-049: Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986)
Severity: Important
http://www.microsoft.com/technet/security/Bulletin/MS07-049.mspx

MS07-050: Vulnerability in Vector Markup Language Could Allow Remote Code Execution (938127)
Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-050.mspx

Thursday, August 09, 2007

Testing patches article

Here is an article we recently published on the importance of patch testing.

"Information technology personnel have grown accustomed to the virtual onslaught of security updates, or patches, released monthly, weekly and sometimes even daily for the key operating systems on their networks. With each of these security updates, a thousand questions need answering: “What does this patch fix?” “Does the risk actually impact my environment?” and more importantly “Will this update break my systems?”

It is inevitable — a security update will break something, or force network administrators to find a work-around to make a core application on their network function properly again. Knowing what security updates will affect the network is essential to ensure network uptime and minimize that technology demon known as “unscheduled downtime.”"

Wednesday, August 01, 2007

Patch, malware updates

Shavlik Technologies has released updated patch and spyware XML files for Shavlik HFNetChkPro and Shavlik NetChk Protect.

[Patch]
XML data version = 1.1.3.3694  Last modified on 7/31/2007

This update includes the following changes:

- Added FF07-005 Firefox 2.0.0.6
- Added MSWU-145 Intel patch (already present for 5.9 customers, this patch has now been added for customers using NetChk version 5.8.1)
- Added MSWU-146 (KB936529) Some Interix-related functions do not work, and you cannot open a command shell after you upgrade computers to Windows Server 2003 with Service Pack 2 (versions 5.81 and 5.9 only)
- Added MSWU-149 Update for Windows XP (KB938828)
- Updated detection logic for Services for Unix

[Spyware]
Version 5.6/5.8.1/5.9
XML Date:  07/27/2007
XML Version:  1.0.2.1552
XML Object Count:  109,321

Version 5.5
XML Date:  07/27/2007
XML Version:  1.0.2.1553
XML Object Count:  108,964

Added ErrorProtector
Added LinkedIn Outlook Toolbar
Added LinkedIn Internet Explorer Toolbar
Added ErrorSafe

Thursday, July 19, 2007

Firefox 2.0.0.5

The data team added security update FF07-004 (QFF2050, QFF2051): Firefox 2.0.0.5 is now available as both a security update and a software distribution.

Monday, July 16, 2007

From Shavlik data team

(From our security data team)

[Patch]

XML data version = 1.1.3.3654 Last modified on 7/13/2007

This update includes the following changes:

- Added update AQ07-702 (QAQ7200, QAQ7201) - Apple QuickTime 7.2 has been released. This fixes a number of security vulnerabilities.

- Added update APSB-0712 (QAF0947, QAF1947, QAF2947) - Flash Player update available to address security vulnerabilities.

- Modified MS06-078 - Modified downloads for x64 re-release.

- Modified MS07-040 - Added Tablet PC 2005 version of .NET Framework patch.

[Spyware]

Version 5.6/5.8.1/5.9

XML Date: 07/13/2007

XML Version: 1.0.2.1546

XML Object Count: 108,874

Version 5.5

XML Date: 07/13/2007

XML Version: 1.0.2.1547

XML Object Count: 108,517

Added Golden Eye

Added ADS Adware Remover

Added Antivirus Solution

Updated VirtualGirl2

- Certain registry keys were causing this signature to present false positive detections

Updated WebSnitch

- The file exeshl.dll was incorrectly being detected as Spyware when the Websnitch program was not installed

Updated Dr Antispy

- Certain registry keys were causing this signature to present false positive detections

Wednesday, July 11, 2007

July microsoft patches

Shavlik Technologies has released updated patch XML files for Shavlik HFNetChkPro and Shavlik NetChk Protect.

XML data version = 1.1.3.3638 Last modified on 7/10/2007

This update includes the following additions:

Microsoft Security Bulletin  MS07-036
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)                  
Max Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-036.mspx

Microsoft Security Bulletin MS07-037
Vulnerability in Microsoft Office Publisher 2007 Could Allow Remote Code Execution (936548)                  
Max Severity: Important
http://www.microsoft.com/technet/security/Bulletin/MS07-037.mspx
*** Note: Office 2007 is only supported in Shavlik HFNetChkPro 5.8.1 and 5.9

Microsoft Security Bulletin MS07-038
Vulnerability in Windows Vista Firewall Could Allow Information Disclosure (935807)                  
Max Severity: Moderate
http://www.microsoft.com/technet/security/Bulletin/MS07-038.mspx

Microsoft Security Bulletin MS07-039
Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122)                  
Max Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-039.mspx

Microsoft Security Bulletin MS07-040
Vulnerabilities in .NET Framework Could Allow Remote Code Execution (931212)                  
Max Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-040.mspx

Microsoft Security Bulletin MS07-041
Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution (939373)
Max Severity: Important
http://www.microsoft.com/technet/security/Bulletin/MS07-041.mspx

Re-Released:
Microsoft Security Bulletin MS06-078
Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689)                  
Max Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS06-078.mspx

Added Update AQ07-006 (QAQ7006) - Security Update (QuickTime 7.1.6)
*** Note: Update AQ07-006 is only supported in Shavlik HFNetChkPro 5.9

How to obtain the new Shavlik XML files:
The new XML files will be automatically downloaded to your NetChk console the next time a scan is performed.  Alternatively, you may initiate a refresh of all Shavlik files, including the XML files, by selecting 'Tools-Refresh Files' from the menu bar in the NetChk console.  For additional information on Shavlik data files, please visit http://forum.shavlik.com/viewtopic.php?t=4923

- The Shavlik XML Team

Thursday, July 05, 2007

UpdateExpert

UpdateEXPERT Database Notification from Shavlik Technologies' data team:

Shavlik Technologies has released updated files for the UpdateEXPERT patch database.

Database version = 2323 Last modified on 7/5/2007

This update includes the following changes:

New components (English):

- Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats

New components (German):

- Image Mastering API v2.0 (IMAPIv2.0) for Windows Server 2003 x64 Edition (KB932716)

- Windows Server 2003 may not start when the Volume Shadow Copy Service is enabled (KB931312)

- Background Intelligent Transfer Service (BITS) 2.5 for Windows Server 2003 (KB923845)

- The JScript version 5.6 Date object reports time in standard time instead of in daylight saving time after you apply the updates in Microsoft Knowledge Base articles 928388 and 932590 on a computer that is running Windows XP or Windows Server 2003 (KB933811)

- An update is available that improves the stability of the Windows Management Instrumentation repository in Windows XP (KB933062)

Please contact Shavlik Technologies Technical Support at support@shavlik.com if additional information is needed regarding updates to the UpdateEXPERT Database.

Thank you for using UpdateEXPERT as your patch management tool.

Tuesday, July 03, 2007

MS' Security Response Center is one of the top Worst Jobs according to Popular Science:

"Teams of Microsoft Security Response Center employees toil 365 days a year to fix the kinks in Windows, Internet Explorer, Office and all the behemoth’s other products. It’s tedious work."

"Each product can have multiple versions in multiple languages, and each needs its own repairs (by one estimate, Explorer alone has 300 different configurations)."

Wednesday, June 13, 2007

More June Patch information

June 13, 2007 • Microsoft Patch Day Information

Microsoft Releases Six New Security Bulletins

Microsoft released 6 new security bulletins in June and updated 2 prior security bulletins. Of the 6 June bulletins, 4 are rated Critical on Microsoft's severity rating system, though Shavlik believes that another bulletin (MS07-032) should also be rated Critical. 

Five of the six bulletins deal with client side vulnerabilities, meaning the end user would need to initiate an action on their computer such as visiting a malicious website, opening malformed files, or reading evil emails in order for an exploit to occur. 

For customers running Windows XP, Shavlik recommends patching MS07-031 first. This is a flaw in the Operating System that can allow an attacker to execute code on an XP system when a user visits an evil website using https (SSL). Hours after release of the security bulletin, exploit code for this vulnerability was released to the Internet.

For customers running Windows Vista, Shavlik recommends patching MS07-032 (Vista) and MS07-034 (Outlook Express) as soon as possible, followed closely by MS07-033 (Internet Explorer). Shavlik believes that MS07-032 should be rated Critical as it could allow unprivileged Vista users to obtain the administrative username and password for the Vista administrator. Contrary to Microsoft's bulletin, Shavlik also believes that this data can be retrieved remotely when combined with another Vista exploit (such as 07-033 or 07-044).

The following patches have been added to the Shavlik XML file:

Critical
MS07-031
Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution (935840)
MS07-033
Cumulative Security Update for Internet Explorer (933566)
MS07-034
Cumulative Security Update for Outlook Express and Windows Mail (929123)
MS07-035
Vulnerability in Win 32 API Could Allow Remote Code Execution (935839)

Important

MS07-030
Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (927051)

Moderate

MS07-032
Vulnerability in Windows Vista Could Allow Information Disclosure (931213)  

Re-Released:
MS07-018
Patch for Content Management Server 2002 SP2 has been updated to address problems with the original patch.
MS07-012
Patches for Windows XP (x64) and Windows Server 2003 (all) have been updated to include Windows Server 2003 SP2 as an affected product.

Additional information about these new security bulletins can be found on
Microsoft’s TechNet Web site.

Shavlik's Bulletin Analysis

MS07-030: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (927051)
http://www.microsoft.com/technet/security/Bulletin/MS07-030.mspx
Severity: Important

This is a client side vulnerability that impacts users running Visio 2002 and Visio 2003. If the user opens an attacker's evil Visio file, an attacker can take control of the user's computer. However, the attacker will only have the same level of permissions on the system as the currently logged on user.

MS07-031: Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution (935840)
http://www.microsoft.com/technet/security/Bulletin/MS07-031.mspx
Severity: Critical

If a user visits an evil website using https (SSL), the evil website may be able to crash the browser, crash the computer, or execute code on the system. Windows 2000 and Windows Server 2003 systems are less vulnerable as the attack would not be able to execute code on these systems. Windows XP systems, however, are more vulnerable as the attacker would be able to execute code. Shavlik recommends patching Windows XP systems as soon as possible.

MS07-032: Vulnerability in Windows Vista Could Allow Information Disclosure (931213)
http://www.microsoft.com/technet/security/Bulletin/MS07-032.mspx
Severity: Moderate

A logged on user on a Vista system may be able to access sensitive information on the Vista system, including the administrator's username and password or password equivalent. Microsoft states that systems which have been upgraded from Windows XP may offer more sensitive information than systems that performed fresh installations of Vista. The patch secures the 'information store' so that lower privileged users won't have access to this data.

While Microsoft claims this is of Moderate severity, Shavlik believes this should be rated Critical for Vista systems. Further, Shavlik believes it may be possible for attackers to retrieve this information remotely when combined with another Vista exploit. Shavlik recommends installing this patch immediately to all Vista systems.

MS07-033: Cumulative Security Update for Internet Explorer (933566)
http://www.microsoft.com/technet/security/Bulletin/MS07-033.mspx

Severity: Critical

This Internet Explorer patch impacts all Operating Systems (Windows 2000 through Vista) and addresses 6 flaws in the browser. The patch is applicable to all current browser releases, including Internet Explorer 7.

Of the 6 vulnerabilities, one of these vulnerabilities was publicly known prior to the patch release. Like prior IE vulnerabilities, if a user visits an attacker's web page, the attacker may execute evil code on the user's computer. Shavlik recommends installing this patch as soon as possible on client systems.

MS07-034: Cumulative Security Update for Outlook Express and Windows Mail (929123)
http://www.microsoft.com/technet/security/Bulletin/MS07-034.mspx
Severity: Critical

This patch corrects several vulnerabilities in Outlook Express (part of Internet Explorer) that could allow an attacker complete control of the user's system. Users running Vista are at greatest risk: clicking on a received email in Outlook Express could allow the attacker to execute code on the Vista system. Users on earlier Operating Systems who click on a malicious email may allow an attacker to access information from their system, but are safe from evil code execution.

MS07-035: Vulnerability in Win 32 API Could Allow Remote Code Execution (935839)
http://www.microsoft.com/technet/security/Bulletin/MS07-035.mspx

Severity: Critical

An Operating System vulnerability exists on Windows 2000, XP, and Windows Server 2003 systems that would allow an attacker to execute code on a user's system. In this instance, the user would need to either visit the attacker's website or execute a custom (evil) application on their local system. Microsoft is not aware of any public exploits for this vulnerability.

How to Obtain the New Shavlik XML File

The new XML file will be automatically downloaded to your NetChk console the next time a scan is performed. Alternatively, you may initiate a refresh of all Shavlik files, including the XML files, by selecting 'Tools-Refresh Files' from the menu bar in the NetChk console.  For additional information on Shavlik data files, please visit http://forum.shavlik.com/viewtopic.php?t=4923

Shavlik Resources

Receive an email each time Shavlik releases updated patch and/or spyware data files. Also receive an immediate notification when Microsoft releases new patches.  Subscribe to http://www.shavlik.com/support/xmlsubscribe.aspx

Stay up to date with patch management topics. Subscribe to
http://www.patchmanagement.org

New Microsoft Patches

From our data team (who stays up all night to test these ASAP, in all languages for all our customers -- thanks again to them)

Shavlik Technologies has released updated patch XML files for Shavlik HFNetChkPro and Shavlik NetChk Protect.

XML data version = 1.1.3.3604  Last modified on 6/12/2007

This update includes the following additions:

Microsoft Security Bulletin MS07-030
Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (927051)
Severity: Important
http://www.microsoft.com/technet/security/Bulletin/MS07-030.mspx

Microsoft Security Bulletin MS07-031
Vulnerability in the Windows Schanne