By paul on
Thursday, April 14, 2011 8:41 AM
New Security Bulletins
Microsoft is releasing the following 17 new security bulletins for newly discovered vulnerabilities:
Bulletin ID | Bulletin Title | Maximum Severity Rating | Vulnerability Impact | Restart Requirement | Affected Software
MS11-018 | Cumulative Security Update for Internet Explorer (2497640) | Critical | Remote Code Execution | Requires restart
...
By paul on
Thursday, April 07, 2011 3:46 PM
On April 12, 2011, Microsoft is planning to release 17 new security bulletins. Below is a summary.
New Bulletin Summary
Bulletin ID | Maximum Severity Rating | Vulnerability Impact | Restart Requirement | Affected Software*
Bulletin 1 | Critical | Remote Code Execution | Requires restart | Internet Explorer on Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Bulletin 2 ...
By paul on
Monday, March 21, 2011 9:57 PM
Many times I have had to figure out what caused a process to dump and had to analyze a mini dump (mdmp) or a full dump (dmp) from a crash or BSOD. I was at a new customer's shop the other day and they said their server rebooted mysteriously sometimes. Well, it's never mysterious. I copied the dump to my USB stick and took it offline to analyze it. Ran the mini dump through WinDbg and lo and behold, another dump caused by... SEP. Filter drivers are notorious for this and apparently they had not kept up on their updates. If they had done their updates they would not have had to be billed for the analysis.
Just how do you do a dump analysis?
1. Download the proper version of WinDbg (http://msdn.microsoft.com/en-us/windows/hardware/gg463009.aspx) to a machine of preferably the same architecture. If not, then just load it on your laptop.
2. Copy the dump file to the analysis machine
3. Open Windbg...
By paul on
Friday, March 18, 2011 1:22 PM
Occasionally a company should perform disaster recovery (DR) on their most important IT systems (especially here in Florida) to make sure business continuity is swift in the event of a disaster.
I was performing a mock DR on Sharepoint for a company. They did not have a DR document or original install information. The production scenario was a standard setup. A clustered SQL2008R2 server, load balanced WFE\SSRS servers, and a CA\Search server. The mock DR was combining all functionalities onto one Windows 2008R2 box.
These are some of the out of the normal steps I had to perform.
After installing the database server and performing recovery, I added a TCP alias for the old database server name and also a DNS entry in the local hosts file for the old server name with the new server's IP address. I also did a drop server\add server after I recovered the master DB and all the user DBs.
Added DNS entries in the local hosts file for the CA\Search server so that the Admin site would come up properly. ...
By paul on
Saturday, March 12, 2011 11:18 AM
I found out about a new "FEATURE" in SSAS 2008. The new feature is a server-level lock. This lock will effectively stop clients from connecting to SSAS until the situation clears. Just what may this be? It seems that if you are doing any processing, it can get queued up behind another query that feels it is not obligated to yield. Its failure to take a write lock forces all the requests for read locks to queue up behind it. And what does that do to your server? Interestingly enough, it will not only kill incoming requests but also chew up the memory on the server, since it is not recycling the requests for a read lock, as shown below.
By paul on
Tuesday, March 08, 2011 4:35 PM
New Security Bulletins
Microsoft is releasing the following three new security bulletins for newly discovered vulnerabilities:
Bulletin ID | Bulletin Title | Max Severity Rating | Vulnerability Impact | Restart Requirement | Affected Software
MS11-015 | Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030) | Critical | Remote Code Execution | May require restart | Microsoft Windows XP, Windows Vista, Windows 7, Windows Server 2008 R2, and Windows Media Center TV Pack for Windows Vista.
MS11-016 | Vulnerability in Microsoft Groove Could Allow Remote Code Execution (2494047) | Important | Remote Code Execution | May require restart | Microsoft Groove 2007
MS11-017 | Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062) | Important | Remote Code Execution | May require restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Microsoft Windows Malicious Software Removal Tool
Microsoft is releasing an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Server Update Services (WSUS), Windows Update (WU), and the Download Center. Information on the Microsoft Windows Malicious Software Removal Tool is available at http://support.microsoft.com/?kbid=890830.
High Priority Non-Security Updates
High-priority non-security updates that Microsoft releases on Microsoft Update (MU), Windows Update (WU), or Windows Server Update Services (WSUS) will be detailed in the KB article found at http://support.microsoft.com/?id=894199.
Public Bulletin Webcast
Microsoft will host a webcast to address customer questions on these bulletins:
Title: Information about Microsoft March Security Bulletins (Level 200)
Date: Wednesday, March 09, 2011, 11:00 A.M. Pacific Time (U.S. and Canada)
NEW SECURITY BULLETIN TECHNICAL DETAILS
In the following tables of affected and non-affected software, software editions that are not listed are past their support lifecycle. To determine the support lifecycle for your product and edition, visit the Microsoft Support Lifecycle website at http://support.microsoft.com/lifecycle/.
Bulletin Identifier: Microsoft Security Bulletin MS11-015
Bulletin Title: Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)
Executive Summary: This security update resolves one publicly disclosed vulnerability in DirectShow and one privately reported vulnerability in Windows Media Player and Windows Media Center. The more severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file.
The security update addresses the vulnerabilities by modifying the way library files and Windows media files are opened.
Severity Ratings and Affected Software: This security update is rated Critical for affected editions of Windows XP (including Windows XP Media Center Edition 2005); all supported editions of Windows Vista and Windows 7; and Windows Media Center TV Pack for Windows Vista. This security update is also rated Important for all supported editions of Windows Server 2008 R2 for x64-based systems.
Attack Vectors:
· A specially crafted .dvr-ms file.
· A legitimate WMP file that is located in the same directory as a specially crafted dynamic link library (DLL) file.
· A maliciously crafted DLL.
Mitigating Factors:
· A user must visit a remote file system location or WebDAV share and open a WMP file.
· SMB is commonly disabled on perimeter firewalls.
· Users must be persuaded to visit a malicious site.
· Exploit only gains the logged-on account user rights.
· Cannot be exploited automatically through email, because a user must open an attachment that is sent in an email message.
Restart Requirement: May require restart.
Bulletins Replaced by This Update: None
Bulletin Identifier: Microsoft Security Bulletin MS11-016
Bulletin Title: Vulnerability in Microsoft Groove Could Allow Remote Code Execution (2494047)
Executive Summary: This security update resolves a publicly disclosed vulnerability in Microsoft Groove that could allow remote code execution if a user opens a legitimate Groove-related file that is located in the same network directory as a specially crafted library file.
The update addresses this vulnerability by correcting the manner in which Microsoft Groove 2007 loads external libraries.
Severity Ratings and Affected Software: This security update is rated Important for Microsoft Groove 2007 Service Pack 2.
Attack Vectors:
· A legitimate Groove-related file (such as a .vcg or .gta file) that is located in the same directory as a specially crafted dynamic link library (DLL) file.
· A maliciously crafted DLL.
Mitigating Factors:
· Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
· For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a Groove-related file (such as a .vcg or .gta file).
· SMB is commonly disabled on the perimeter firewall.
Restart Requirement: May require restart.
Bulletins Replaced by This Update: None
Bulletin Identifier: Microsoft Security Bulletin MS11-017
Bulletin Title: Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062)
Executive Summary: This security update resolves a privately reported vulnerability in Windows Remote Desktop Client. The vulnerability could allow remote code execution if a user opens a legitimate Remote Desktop configuration (.rdp) file located in the same network folder as a specially crafted library file.
The security update addresses the vulnerability by correcting the manner in which the Windows Remote Desktop Client loads external libraries.
Severity Ratings and Affected Software: This security update is rated Important for Remote Desktop Connection 5.2 Client, Remote Desktop Connection 6.0 Client, Remote Desktop Connection 6.1 Client, and Remote Desktop Connection 7.0 Client.
Attack Vectors:
· A legitimate Remote Desktop configuration file (.rdp) that is located in the same directory as a specially crafted dynamic link library (DLL) file.
· A maliciously crafted DLL.
Mitigating Factors:
· For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a Remote Desktop configuration file (.rdp).
· SMB is commonly disabled on the perimeter firewall.
Restart Requirement: May require restart.
Bulletins Replaced by This Update: None
By paul on
Saturday, March 05, 2011 12:22 PM
Microsoft has chosen to discontinue the web service on SQL Server. It was such a nice feature to have. Although as much as I like WCF Data Services (formerly ADO.NET Data Services), it was much quicker and gave better performance for small apps to use the built-in web services in SQL. Maybe the decoupling and the loosely associated objects went a step too far. I think the REST philosophy is good but that sometimes you need better performance at the expense of decoupling.
A similar discontinuity happened with C++/CLI. Microsoft was pushing developers toward moving the code base to managed code. They then kind of reversed that and said that it should be used to interop with your C++ code. They never enabled it for ASP.NET and it does not do WPF. Maybe we should listen to Bjarne Stroustrup and ask why YAPL?
By paul on
Saturday, March 05, 2011 12:05 PM
Most organizations, including Enterim, have front-end SMTP servers that collect incoming mail and then relay it to the appropriate mail server, be it Exchange, Domino, or another enterprise email server. A performance problem may occur during a spam attack: the enterprise email servers reject the mail for unknown recipients and send NDRs back through the inbound SMTP servers. The volume of NDRs generated will basically double the load on the server. There are several ways around this if you use Microsoft products.
1. Create a secondary SMTP server and forward all undeliverable mail to it from the enterprise server. Create event sinks on the secondary SMTP server that delete it, or have a file watcher service come in and delete it out of the folder.
2. Create a catch-all email box that stores all the unknown-recipient email and set up rules to delete them.
3. Create a custom event sink of your own design.
Microsoft has published several KBs on this and there are many...
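As an added example (not the author's code), here is the decision logic a "delete the NDRs" event sink or file watcher from option 1 would apply, so that bounces die at the secondary server instead of looping back to the inbound relay. It assumes the sink receives the SMTP envelope sender alongside the raw message; the sample messages and queue are constructed.

```python
import email
from email import policy

# Constructed sample: an RFC 3464 delivery status notification (an NDR).
# The message/delivery-status part is left out to keep the sample short.
NDR = b"""From: Mail Delivery System <MAILER-DAEMON@mail.example.com>
To: alice@example.com
Subject: Undeliverable: quarterly report
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The recipient nobody@example.com was not found.
--b1--
"""

# Constructed sample: ordinary inbound mail that must survive the sink.
LEGIT = b"""From: bob@partner.example
To: alice@example.com
Subject: quarterly report
Content-Type: text/plain

Attached as discussed.
"""

def is_bounce(raw_message: bytes, envelope_sender: str) -> bool:
    """True if the message is a delivery status notification (NDR)."""
    # Rule 1: RFC 5321 reserves the null reverse-path (<>) for bounces.
    if envelope_sender.strip() in ("", "<>"):
        return True
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    # Rule 2: RFC 3464 DSNs are multipart/report with report-type=delivery-status
    # (catches relays that bounce from a real postmaster address instead of <>).
    report_type = str(msg.get_param("report-type", "")).lower()
    return msg.get_content_type() == "multipart/report" and report_type == "delivery-status"

def drain_undeliverable(queue):
    """Sink over (envelope_sender, raw_bytes) pairs: drop NDRs, return the rest and a count."""
    kept, dropped = [], 0
    for sender, raw in queue:
        if is_bounce(raw, sender):
            dropped += 1  # the NDR ends here instead of being re-sent to the inbound relay
        else:
            kept.append((sender, raw))
    return kept, dropped

# Constructed queue: a null-sender bounce, a postmaster-sender bounce, and one real message.
SAMPLE_QUEUE = [("<>", NDR), ("postmaster@mail.example.com", NDR), ("bob@partner.example", LEGIT)]
```

Anything the sink keeps is mail the enterprise server rejected for some reason other than being a bounce, so it still deserves a look rather than silent deletion.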
By paul on
Friday, February 18, 2011 5:35 PM
TAM Newsletter – February 2011
Microsoft news and product information from microsoft.com and product team blogs
How Microsoft does IT
· Deploying the Office 2010 Client at Microsoft Microsoft IT (MSIT) developed a testing and deployment strategy to deliver Office 2010 to more than 100,000 desktop computers at Microsoft. The testing strategy resulted in a robust product that has been rigorously tested in a production environment. Learn about the best practices that MSIT developed, the deployment tools that MSIT used, how MSIT tested Line of Business applications, and the key communications and training that MSIT created for the Microsoft user community.
· IT Showcase on: Windows Azure...
By paul on
Friday, February 18, 2011 5:28 PM
Hi folks, here is a heads-up, just in case this will help in your planning.
Publicly, Service Pack 1 will be made generally available for download on February 22.
See: