Mozilla Stomps Out Ten Security Vulnerabilities with Firefox 2.0.0.13

March 28, 2008

Severity: Medium

27 March, 2008

Summary:

  • These vulnerabilities affect: Firefox 2.0.0.x for Windows, Linux, and Macintosh
  • How an attacker exploits it: Multiple vectors of attack, including enticing one of your users to visit a malicious web page
  • Impact: Various results; in the worst case, attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Upgrade to Firefox 2.0.0.13

Exposure:

Yesterday, the Mozilla Foundation released Firefox 2.0.0.13, fixing ten security vulnerabilities (based on CVE-IDs) in the popular web browser. We summarize three of the more critical vulnerabilities below:

  • Memory corruption vulnerabilities (2008-015). Firefox suffers from several crash bugs that show evidence of memory corruption. Mozilla presumes that, with enough effort, at least some of them could be exploited to run arbitrary code. To exploit these flaws, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If the user took the bait, the attacker could execute code on that user’s machine with that user’s privileges; if the user happened to be a local administrator or had root privileges, the attacker would gain total control of the computer.
    Mozilla Impact rating: Critical
  • JavaScript privilege elevation and code execution vulnerabilities (2008-014). Firefox suffers from several vulnerabilities in the way it handles specially crafted JavaScript. By enticing one of your users to a web page containing malicious JavaScript, an attacker could exploit these flaws to elevate privileges, mount a Cross-Site Scripting (XSS) attack, or execute code on the user’s machine with the user’s privileges. Depending on that user’s level of privilege, the attacker could gain complete control of the computer.
    Mozilla Impact rating: Critical
  • Java socket connection vulnerability (2008-018). Mozilla’s alert covers a flaw that Sun has already fixed on the JRE side. By enticing one of your users to a malicious web site carrying specially crafted Java code, an attacker could exploit this JRE vulnerability to open socket connections to any port on the user’s own computer. Because the malicious page arrives over an allowed web connection (TCP port 80) and the socket connections are then made locally, your perimeter firewall’s port restrictions offer no protection. If you have already applied the JRE update we mentioned in our previous JRE alert, this vulnerability does not affect you; for those who have not installed the JRE update yet, Mozilla’s update closes the flaw on Firefox’s side.
    Mozilla Impact rating: High

The remaining vulnerabilities include popup spoofing, information disclosure, and Cross-Site Request Forgery (CSRF) flaws. If you’d like to know more about them, check out Firefox’s known issues page. However, the vulnerabilities described above should be enough to convince you to upgrade your Firefox users to the fixed version at your earliest convenience.

Solution Path:

Mozilla has updated Firefox, correcting these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 2.0.0.13 as soon as possible. Mozilla no longer supports the 1.5.x branch of Firefox; we recommend that 1.5.x users migrate to 2.0.0.13 now.

Note: The latest versions of Firefox 2.0 automatically inform you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or only to inform the user that the update exists.
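Checking the update setting by hand on every desktop does not scale, so here is an added example (written for this alert, not Mozilla’s code) of a script that audits a Firefox 2 install and profile offline. It compares the installed version against 2.0.0.13 using Mozilla-style numeric version ordering, which matters because a plain string comparison puts 2.0.0.9 after 2.0.0.13, and it parses the profile’s prefs.js for app.update.enabled (the “Automatically check for updates” box) and app.update.auto (download and install versus notify only). The assumption that the installed version can be read from the Version key of application.ini, and both sample file contents, are constructed for the example.

```python
import configparser
import re
from typing import Dict, List, Tuple

FIXED_VERSION = "2.0.0.13"

# Constructed sample of the [App] section of application.ini from a Firefox 2
# install directory (assumption: this is where the installed version is read).
SAMPLE_APPLICATION_INI = """[App]
Vendor=Mozilla
Name=Firefox
Version=2.0.0.9
"""

# Constructed sample of a profile's prefs.js. Firefox writes one user_pref()
# line for every setting a user has changed from its default.
SAMPLE_PREFS_JS = """# Mozilla User Preferences
user_pref("app.update.enabled", false);
user_pref("app.update.auto", true);
user_pref("browser.startup.homepage", "http://intranet.example/");
"""

_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')


def parse_prefs(text: str) -> Dict[str, object]:
    """Turn user_pref("name", value); lines into a dict of bool/int/str values."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = raw
    return prefs


def version_key(version: str) -> Tuple[Tuple[int, int, str, int], ...]:
    """Split a Mozilla-style version into comparable numeric parts.

    A part with a letter suffix ("13pre", "0b5") sorts before the bare number,
    matching the toolkit rule that 2.0.0.13pre is older than 2.0.0.13.
    """
    key = []
    for part in version.split("."):
        m = re.match(r"(\d*)([A-Za-z]*)(\d*)", part)
        num = int(m.group(1)) if m.group(1) else 0
        suffix = m.group(2)
        tail = int(m.group(3)) if m.group(3) else 0
        key.append((num, -1 if suffix else 0, suffix, tail))
    return tuple(key)


def is_at_least(installed: str, required: str) -> bool:
    """True if installed >= required; missing trailing parts count as zero."""
    a, b = version_key(installed), version_key(required)
    pad = (0, 0, "", 0)
    width = max(len(a), len(b))
    a += (pad,) * (width - len(a))
    b += (pad,) * (width - len(b))
    return a >= b


def audit_firefox(application_ini: str, prefs_js: str) -> List[str]:
    """Return human-readable findings for one install plus one profile."""
    findings = []
    cp = configparser.ConfigParser()
    cp.read_string(application_ini)
    version = cp["App"]["Version"]
    if not is_at_least(version, FIXED_VERSION):
        findings.append(f"Firefox {version} is older than {FIXED_VERSION}: upgrade")
    prefs = parse_prefs(prefs_js)
    # Both update prefs default to true in Firefox 2, so they only show up in
    # prefs.js when someone turned them off.
    if prefs.get("app.update.enabled", True) is False:
        findings.append("app.update.enabled is false: automatic update checks are off")
    if prefs.get("app.update.auto", True) is False:
        findings.append("app.update.auto is false: updates are announced but not installed")
    return findings


if __name__ == "__main__":
    for finding in audit_firefox(SAMPLE_APPLICATION_INI, SAMPLE_PREFS_JS):
        print(finding)
```

Run against the constructed samples, the script reports the out-of-date 2.0.0.9 build and the disabled update check, but not app.update.auto, which is still true. Point it at real files by reading application.ini from the install directory and prefs.js from each profile under the user’s profile folder.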

For All WatchGuard Users:

Some of these attacks arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 2.0.0.13, fixing these security issues.


Cisco’s Inaugural Patch Day: Five IOS Advisories

March 26, 2008

Severity: Medium

26 March, 2008

Summary:

  • These vulnerabilities affect: Many devices running Cisco IOS
  • How an attacker exploits them: Multiple vectors of attack; in the most common, the attacker sends specially crafted network packets
  • Impact: Various results; these include multiple Denial of Service (DoS) vulnerabilities and a minor data leakage vulnerability
  • What to do: Administrators who manage Cisco IOS devices should download, test, and deploy the appropriate Cisco updates as soon as possible

Exposure:

Earlier this month, Cisco announced plans to implement a regular, twice yearly patch cycle that would fall on the fourth Wednesday of March and September. To mark its own inaugural Patch Day, Cisco has just released five security advisories. All of these cover security vulnerabilities that affect devices running Cisco’s Internetwork Operating System (IOS) software. IOS is the operating system that runs on most Cisco routers and switches. The IOS operating system provides network services for managing and administering Cisco devices, and processes the network traffic passing through the device.

While these IOS advisories differ in technical ways, almost all of them cover vulnerabilities that attackers could exploit in Denial of Service (DoS) attacks. We summarize the five advisories below:

Cisco Document ID 97278: Two VPDN DoS vulnerabilities

According to Cisco, Virtual Private Dial-up Network (VPDN) allows a private network dial-in service to span across the Internet and connect to remote access servers. Cisco IOS devices with VPDN enabled, which are also configured to accept termination of PPTP sessions, suffer from two Denial of Service (DoS) vulnerabilities. By establishing and terminating PPTP sessions, an attacker could exploit these flaws either to cause memory leaks or to take up resources on your IOS device. By repeatedly exploiting these flaws, the attacker could fully deplete your IOS device’s memory or exhaust its resources, causing the device to become unresponsive. If your gateway router runs Cisco IOS, an attacker could potentially exploit this flaw to knock your whole network off the Internet.
Average CVSS Score: 5.2 (10 being the most severe)

Cisco Document ID 99758: Multiple DLSw DoS vulnerabilities

Data-link switching (DLSw) provides a means of transporting IBM Systems Network Architecture (SNA) and Network Basic Input/Output System (NetBIOS) traffic over an IP network. Cisco’s advisory warns that DLSw, as implemented in IOS, suffers from multiple unspecified vulnerabilities in how it processes UDP packets and the IP protocol 91 packets used by Fast Sequenced Transport (FST). By sending specially crafted packets to an IOS device that has DLSw enabled, an attacker could cause the device to leak memory or reload, resulting in a DoS condition. If you rely on a Cisco IOS router to reach the Internet, an attacker could repeatedly exploit these vulnerabilities to knock your network offline.
Average CVSS Score: 7.1

Cisco Document ID 100638: UDP Delivery DoS vulnerability involving IPv6

Cisco IOS devices with both IPv6 and certain IPv4 UDP services enabled suffer from an unspecified DoS vulnerability (see the Affected Product section of Cisco’s advisory for a complete list of affected UDP services). By sending a specially crafted IPv6 packet directly to your IOS device, an attacker could exploit this vulnerability to crash it, or prevent it from receiving additional traffic. Attackers could repeatedly exploit this vulnerability to keep your IOS-based Internet gateway offline. However, if you haven’t specifically enabled IPv6, then attackers cannot exploit this vulnerability against your IOS device.
Average CVSS Score: 7.1

Cisco Document ID 100526: OSPF and MPLS DoS vulnerability affects specific IOS devices

When configured for both Multi Protocol Label Switching (MPLS) VPN and Open Shortest Path First (OSPF) sham-link, certain Cisco Catalyst 6500 Series and Cisco 7600 routers suffer from an unspecified DoS vulnerability. By sending specially crafted packets to your IOS device, an attacker could exploit this vulnerability to block interfaces, to cause a memory leak, or to cause your IOS device to restart — all of which lead to a DoS condition. An attacker could repeatedly exploit this vulnerability to keep your device offline for as long as he could sustain his attack.
Average CVSS Score: 7.0

Cisco Document ID 100374: MVPN data leak vulnerability

According to Cisco, the Multicast Virtual Private Network (MVPN) architecture adds a set of protocols and procedures that let service providers carry multicast traffic within an MPLS VPN. Cisco IOS devices with MVPN enabled suffer from an unspecified data leak vulnerability. By sending a specially crafted Multicast Distribution Tree (MDT) Data Join message, an attacker can create extra multicast state on your IOS device or cause multicast traffic to leak from one MPLS VPN into another. That leakage could help an attacker enumerate your internal network.
Average CVSS Score: 6.9

For much more detail on each of these vulnerabilities, check out the individual alerts linked above or refer to Cisco’s bundled security advisory for March 2008.
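Before working through the fix tables, it helps to know which of the five advisories your devices are even exposed to. The following is an added triage aid, not part of the original alert or of Cisco’s advisories: a script that scans a saved IOS running-config for the feature each advisory depends on. The configuration lines it keys on (vpdn enable together with a vpdn-group that accepts dial-in PPTP, dlsw local-peer, ipv6 address or ipv6 enable on an interface, an OSPF sham-link, and mdt default under a VRF) are assumptions drawn from the advisories’ descriptions of affected configurations; confirm them against the “Vulnerable Products” section of each advisory for your IOS release. It cannot check the IOS version or hardware model, and the IPv6 advisory additionally depends on specific IPv4 UDP services, so that finding is flagged as needing confirmation. The sample config is constructed.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt, not taken from any real device. It
# deliberately enables every feature the five advisories cover.
SAMPLE_CONFIG = """!
hostname edge-rtr
!
ip vrf CUST-A
 rd 65000:1
 mdt default 239.1.1.1
!
vpdn enable
!
vpdn-group pptp-in
 accept-dialin
  protocol pptp
  virtual-template 1
!
dlsw local-peer peer-id 192.0.2.1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8::1/64
!
router ospf 100 vrf CUST-A
 area 0 sham-link 10.0.0.1 10.0.0.2
!
"""


def has_line(cfg: str, pattern: str) -> bool:
    """True if any line of the config matches the anchored regex."""
    return re.search(pattern, cfg, re.MULTILINE) is not None


def pptp_termination_enabled(cfg: str) -> bool:
    """'vpdn enable' plus a vpdn-group that accepts dial-in PPTP sessions.

    Walks the config by indentation: a top-level line opens a new block, one
    space is inside a vpdn-group, two spaces is inside accept-dialin or
    request-dialout. Only the accept-dialin side terminates PPTP sessions.
    """
    if not has_line(cfg, r"^vpdn enable\s*$"):
        return False
    in_group = in_accept = False
    for line in cfg.splitlines():
        if not line.startswith(" "):
            in_group = line.startswith("vpdn-group ")
            in_accept = False
        elif in_group and not line.startswith("  "):
            in_accept = line.strip() == "accept-dialin"
        elif in_group and in_accept and line.strip() in ("protocol pptp", "protocol any"):
            return True
    return False


def audit_ios_config(cfg: str) -> List[Dict[str, str]]:
    """Map enabled features to the March 2008 Cisco document IDs above."""
    findings = []
    if pptp_termination_enabled(cfg):
        findings.append({"doc": "97278", "feature": "VPDN with PPTP termination"})
    if has_line(cfg, r"^dlsw local-peer\b"):
        findings.append({"doc": "99758", "feature": "DLSw local peer"})
    if has_line(cfg, r"^\s+ipv6 (address|enable)\b"):
        findings.append({"doc": "100638",
                         "feature": "IPv6 enabled on an interface; confirm the "
                                    "IPv4 UDP services listed in the advisory"})
    if has_line(cfg, r"^\s+area \S+ sham-link\b"):
        findings.append({"doc": "100526",
                         "feature": "OSPF sham-link in an MPLS VPN; the advisory "
                                    "limits this to Catalyst 6500 / 7600"})
    if has_line(cfg, r"^\s+mdt default\b"):
        findings.append({"doc": "100374", "feature": "MVPN (mdt default under a VRF)"})
    return findings


if __name__ == "__main__":
    for f in audit_ios_config(SAMPLE_CONFIG):
        print(f"Cisco Document ID {f['doc']}: {f['feature']}")
```

A vpdn-group that only has request-dialout with protocol pptp is the client side of a tunnel and is not reported, which is why the VPDN check walks the block structure instead of grepping for “protocol pptp”.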

Solution Path:

Cisco has released patches to fix these vulnerabilities. If you use any Cisco device running IOS software, you should immediately consult the “Software Versions and Fixes” and “Obtaining Fixed Software” sections of Cisco’s bundled security advisory for March 2008 to learn which fixes apply to your devices and how to obtain them. The same sections appear in each of the individual alerts linked above.

For All WatchGuard Users:

Since these vulnerabilities can affect your router, which is typically in front of your WatchGuard firewall, the solutions above are your primary recourse.

Status:

Cisco has made fixes available.

This alert was researched and written by Corey Nachreiner.


VoSKY Showcases Skype-enabled Business Applications at VoiceCon 2008

March 21, 2008

New value-added applications for the award-winning VoSKY Exchange platform further reduce costs and enhance productivity in enterprise communications and call centers

Orlando, FL., March 17, 2008 – VoSKY, the market leader in developing Skype for business solutions, is launching value-added business applications for its award-winning VoSKY Exchange VoIP application gateway at VoiceCon Orlando. VoSKY Exchange integrates a company’s phone system with Skype, enabling businesses to benefit from Skype’s cost savings and enhanced communication features.

Among the new applications for VoiceCon, VoSKY’s Web Click-to-Call and PBX Remote Access give companies new opportunities to further reduce their telecom bill and benefit from useful call handling capabilities with Skype. VoSKY’s PBX Remote Access Application seamlessly connects remote employees and call agents to a corporate PBX through Skype’s VoIP network. VoSKY Web Click-to-Call optimizes online sales and marketing efforts by incorporating both direct web click-to-call for Skype users and call back for non-Skype users.

“From the SMB to the largest enterprise, companies are turning to VoIP to lower their telecom costs, improve productivity, increase employee availability, collaboration, and communication,” said David Tang, VP of Global Marketing at VoSKY. “VoSKY Exchange offers a business-class, proven platform that enables companies to get maximum value from Skype’s VoIP network with minimum costs and implementation headaches.”

VoSKY Exchange Skype-enables a company’s existing phone system to allow businesses to take advantage of Internet Telephony without replacing their existing network infrastructure. With VoSKY Exchange, companies can make free Skype-to-Skype calls between company offices located anywhere in the world, free inbound calls to the PBX from remote and mobile Skype users, and inexpensive SkypeOUT rates for long-distance and international calls.

The scalable, enterprise-grade gateway fully integrates Skype with the company system, so employees can make and receive Skype calls from their regular office phone – no Skype software, computers, or headsets are required. As the only enterprise-grade PBX-to-Skype gateway that has earned Skype certification and Skype’s co-brand, VoSKY Exchange ensures seamless interoperability with Skype features and services. The plug-and-play appliance is also fully certified and endorsed by key PBX vendors.

VoSKY is exhibiting its VoSKY Exchange platform at VoiceCon Orlando 2008, held at the Gaylord Palms Hotel in Orlando, Florida from March 17-20, in booth 306.

About VoSKY

Based in the heart of Silicon Valley, VoSKY is the global leader in empowering businesses to leverage Skype, the world’s largest VoIP community with more than 270 million registered users. The company’s proven, enterprise-grade solutions create new opportunities for small-to-medium size businesses (SMBs) and enterprises to reduce communications costs and improve productivity. VoSKY Exchange, the company’s flagship product, is an award-winning PBX-to-Skype application gateway that seamlessly integrates a company’s phone system with Skype. This plug-and-play platform is compatible with any existing TDM or IP PBX phone system. VoSKY is a wholly owned subsidiary of Actiontec Electronics. In addition to its headquarters in Sunnyvale, CA, VoSKY maintains branch offices in Colorado Springs, CO; Basingstoke, United Kingdom; Beijing, China; Bogota, Colombia; Shanghai, China; and Taipei, Taiwan. For more information please visit the VoSKY website at www.vosky.com. Trademarks mentioned in this document are the property of their respective owners.


Notable Changes in Windows Vista Service Pack 1

March 18, 2008
Microsoft continuously improves the Windows Vista® Operating System by providing ongoing updates while working with software and hardware vendors to help them to deliver improved compatibility, reliability and performance. These updates are provided to customers directly by our hardware and software partners, as well as from Microsoft in the form of hotfixes distributed on a regular basis using Windows Update. Updates to Windows are also delivered directly to some affected customers and preinstalled by PC manufacturers.

Windows Vista SP1 is an update to Windows Vista that, along with improvements delivered via these other channels, addresses feedback from our customers and partners. By providing these fixes integrated into a single service pack which will be thoroughly tested by Microsoft and by industry partners and customers during the beta cycle, Microsoft provides a single high quality update that minimizes deployment and testing complexity for customers.

In addition to all previously released updates, SP1 contains changes focused on addressing specific reliability and performance issues, supporting new types of hardware, and adding support for several emerging standards. SP1 also continues to make it easier for IT administrators to deploy and manage Windows Vista. Service Packs are not intended to be a vehicle for releasing significant new features or functionality; however some existing components do gain slightly enhanced functionality in SP1 to support industry standards and new requirements.

This document describes many of the notable changes in Windows Vista SP1. For additional information about the changes in SP1, please see the forthcoming Knowledge Base (KB) article 936332, which is a compendium of all prior KB articles documenting updates to Windows Vista. Many of these updates are already publicly available and have been released via the Microsoft Download Center or Windows Update. All of these updates are included in Windows Vista SP1. The full list of these updates can be read in Hotfixes and Security Updates included in Windows Vista Service Pack 1.

Setup Prerequisites

Windows Vista SP1 requires two prerequisite packages to install; a third is required for versions of Windows Vista that are BitLocker™ Drive Encryption capable (Windows Vista Enterprise and Windows Vista Ultimate).

The first of the three prerequisite packages required for the service pack includes updates to the servicing stack—the component that handles installation and removal of software updates, language packs, and optional Windows features. This update is necessary to successfully install and uninstall the service pack; it also improves the performance and reliability of the service pack installation.
The second of the three prerequisite packages includes updates required to reliably install or uninstall the service pack.
The third of the three prerequisite packages contains an update necessary for proper servicing of Windows BitLocker Drive Encryption capable PCs.

Service Pack 1 Size

In order to make the improvements detailed in this document, a large number of individual files and components have been updated for SP1. Also, the language-neutral design of Windows Vista necessitates that the service pack be able to update any possible combination of the basic languages supported by Windows Vista with a single installer, so language files for the 36 basic languages are included in the standalone installer.

These facts result in a large stand-alone package, which is the delivery vehicle typically used by system administrators. (See Table 1 below for an explanation of the different delivery mechanisms for Windows Vista SP1.) However, most home and small business users will receive SP1 via Windows Update, which utilizes an efficient transfer mechanism to download only the actual bytes changed, resulting in an approximately 65MB download. This is similar in size to many common software and driver updates delivered by other software vendors over the internet and will not be a problem for most customers.

Delivery mechanism   Usage                                   Download size (x86)
Standalone package   PCs without internet access;            About 450 MB (5-language package)
                     system administrators                   About 550 MB (full 36-language package)
Windows Update       Most home users; many business          About 65 MB
                     customers
Integrated DVD       New PCs; fresh Windows installations    N/A

Table 1: Windows Vista SP1 Delivery Mechanisms

Hardware Ecosystem Support and Enhancements

Adds support for new UEFI (Unified Extensible Firmware Interface) industry standard PC firmware for 64-bit systems with functional parity with legacy BIOS firmware, which allows Windows Vista SP1 to install to GPT format disks, boot and resume from hibernate using UEFI firmware.
Adds support for x64 EFI network boot.
Adds support for the 64-bit version of MSDASQL, which acts as a “bridge” from OLEDB to a variety of ODBC drivers thus simplifying application migration from 32-bit platforms to 64-bit Windows Vista.
Adds support for Direct3D® 10.1, an update to Direct3D 10 that extends the API to support new hardware features, enabling 3D application and game developers to make more complete and efficient use of the upcoming generations of graphics hardware.
Adds support for exFAT, a new file system supporting larger overall capacity and larger files, which will be used in Flash memory storage and consumer devices.
Adds support for SD Advanced DMA (ADMA) on compliant SD standard host controllers. This new transfer mechanism, which is expected to be supported in SD controllers soon, will improve transfer performance and decrease CPU utilization.
Adds support for creating a single DVD media that boots on PCs with either BIOS or EFI.
Enhances support for high density drives by adding new icons and labels that will identify HD-DVD and Blu-ray Drives as high density drives.
Adds support to enable new types of Windows Media Center Extenders, such as digital televisions and networked DVD players, to connect to Windows Media Center PCs.
Enhances the MPEG-2 decoder to support content protection across a user accessible bus on Media Center systems configured with Digital Cable Tuner hardware. This also effectively enables higher levels of hardware decoder acceleration for commercial DVD playback on some hardware.
Enhances Netproj.exe to temporarily resize the desktop to accommodate custom projector resolutions when connecting to Windows Network Projectors.

Application Compatibility Improvements

Since the release of Windows Vista, the ecosystem has made great progress and the number of applications that have the “Works with Windows Vista” and “Certified for Windows Vista” logos has grown to well over 2000.

Thanks to the rich instrumentation capability of Windows Vista, we are able to understand the type of problems that our customers are experiencing (while respecting their personal information and privacy preferences). We use this information to focus improvements in Windows Vista, but we also share this information with our software vendor partners to help improve the reliability and compatibility of 3rd party applications.

It is our goal that applications that run on the Windows Vista Operating System today and are written using public APIs will continue to work as designed on Windows Vista SP1.

Microsoft has already released several application compatibility updates which will allow more applications to work seamlessly for the end user. These will appear in SP1, but are also available via Windows Update. For more information on previous compatibility updates, please refer to http://support.microsoft.com/kb/935280/. SP1 contains additional application compatibility fixes for individual applications.

Reliability Improvements

Reliability improvements vary from PC to PC based on hardware, environment, and usage. Customers will experience varying levels of benefit.

SP1 addresses many of the most common causes of crashes and hangs in Windows Vista, as reported by Windows Error Reporting. These include issues relating to Windows Calendar, Windows Media Player, and a number of drivers included with Windows Vista.
Improves reliability by preventing data-loss while ejecting NTFS-formatted removable-media.
Improves reliability of IPsec connections over IPv6 by ensuring that all Neighbor Discovery traffic required by the RFC is exempted from IPsec.
Improves certain problem scenarios where a driver goes to sleep with incomplete packet transmissions by ensuring the driver is given enough time to transmit or discard any outstanding packets before going to sleep.
Improves wireless ad-hoc connection (computer-to-computer wireless connections) success rate
Improves the success of peer-to-peer connections, such as Windows Meeting Space or Remote Assistance applications, when both PCs are behind symmetric firewalls.
Improves Windows Vista’s built-in file backup solution to include EFS encrypted files in the backup.
An improved SRT (Startup Repair Tool), which is part of the Windows Recovery environment (WinRE), can now fix PCs unbootable due to certain missing OS files.
Users who did not opt-in to the Customer Experience Improvement Program (CEIP) will be prompted again to join after installing SP1. The experience will remain the same and the default will continue to be opt-out.

Performance and Power Consumption Improvements

Performance improvements vary from PC to PC based on hardware, environment, scenarios, and usage, so different customers will experience varying levels of benefits. About 20-25% of these improvements will be released separately via Windows update, prior to Windows Vista SP1.

Improves the performance of browsing network file shares by consuming less bandwidth.
Improves power consumption when the display is not changing by allowing the processor to remain in its sleep state which consumes less energy.
Addresses the problem of the Video chipset (VSync interrupt) not allowing the system to stay asleep.
Improves power consumption and battery life by addressing an issue that causes a hard disk to continue spinning when it should spin down, in certain circumstances.
Improves the speed of adding and extracting files to and from a compressed (zipped) folder.
Significantly improves the speed of moving a directory with many files underneath.
Improves performance while copying files using BITS (Background Intelligent Transfer Service).
Improves performance over Windows Vista’s current performance across the following scenarios:

25% faster when copying files locally on the same disk on the same machine
45% faster when copying files from a remote non-Windows Vista system to a SP1 system
50% faster when copying files from a remote SP1 system to a local SP1 system
Improves responsiveness when doing many kinds of file or media manipulations. For example, with Windows Vista today, copying files after deleting a different set of files can make the copy operation take longer than needed. In SP1, the file copy time is the same as if no files were initially deleted.
Improves copy progress estimation when copying files within Windows Explorer, so that an estimate appears within about two seconds.
Improves the time to read large images by approximately 50%.
Improves IE performance on certain JScript-intensive websites, bringing performance in line with previous IE releases.
Addresses a problem that caused a delay of up to 5 minutes after boot with specific ReadyDrive capable hard drives.
Improves the effectiveness of a Windows ReadyBoost™ device in reducing the time to resume from standby and hibernate by increasing the amount of data stored in the ReadyBoost device that can be used during a resume cycle.
Includes improvements to Windows Superfetch™ that help to further improve resume times, in many environments.
In specific scenarios, SP1 reduces the shutdown time by a few seconds by improving the Windows Vista utility designed to sync a mobile device.
Improves the time to resume from standby for a certain class of USB Hubs by approximately 18%.
Improves network connection scenarios by updating the logic that auto selects which network interface to use (e.g., should a laptop use wireless or wired networking when both are available).
Improves the performance of the user login experience on corporate PCs outside of corporate environments (e.g., a corporate laptop taken home for the evening), making it comparable with PCs within the corporate environment.
Reduces the time it takes to return to the user’s session when using the Photo screensaver, making it comparable to other screensavers.
Removes the delay that sometimes occurs when a user unlocks their PC.
Improves overall media performance by reducing many glitches.
In SP1, PC administrators are able to modify the network throttling index value for the MMCSS (Multimedia Class Scheduling Service), allowing them to determine the appropriate balance between network performance and audio/video playback quality.
Windows Vista SP1 includes a new compression algorithm for the RDP (Remote Desktop Protocol) that helps reduce network bandwidth required to send bitmaps or images via RDP. The compression, which can be selected by administrators via Group Policy settings, is transparent to all RDP traffic, and typically reduces the size of the RDP stream by as much as 25-60%, based on preliminary test results.
The Windows Vista SP1 install process clears the user-specific data that is used by Windows to optimize performance, which may make the system feel less responsive immediately after install. As the customer uses their SP1 PC, the system will be retrained over the course of a few hours or days and will return to the previous level of responsiveness.
SP1 addresses a number of customer performance concerns with new print driver technologies, including XPS-based printing.

Security Improvements

Windows Vista SP1 includes all previously released Security Bulletin fixes which affect Windows Vista.
SP1 includes Security Development Lifecycle (SDL) process updates, in which Microsoft identifies the root cause of each security bulletin and improves its internal tools to eliminate code patterns that could lead to future vulnerabilities.
Service Pack 1 includes supported APIs by which third-party security and malicious software detection applications can work alongside Kernel Patch Protection on 64-bit versions of Windows Vista. These APIs have been designed to help security and non-security ISVs develop software that extends the functionality of the Windows kernel on 64-bit systems, in a documented and supported manner, and without disabling or weakening the protection offered by Kernel Patch Protection.
Improves the security of running RemoteApp™ programs and desktops by allowing RDP files to be signed. Administrators now have the control to differentiate the user experience based on the publisher’s identity.
Data Execution Prevention (DEP) is a memory-protection feature available beginning with Windows XP SP2 and Windows Server 2003 SP1. SP1 adds a set of Win32 APIs (SetProcessDEPPolicy, GetProcessDEPPolicy, and GetSystemDEPPolicy) that give a process programmatic control over its own DEP policy, providing application developers with finer control over a process’s DEP settings for security, testability, compatibility, and reliability.
Improves the trustworthiness of data presented in Windows Security Center (WSC) by ensuring that only authenticated security applications can communicate with WSC.
Improves security on wired networks by enabling single sign on (SSO) for authenticated wired networks. The single sign on experience presents the user with a single point of credential entry rather than being double prompted for local and network logon.
For customers upgrading from Windows XP to Windows Vista SP1, the MSRT (Malicious Software Removal Tool) will not run as part of the upgrade. Rather the up-to-date MSRT offered monthly by Windows Update will help protect PCs.
Improves cryptographic random number generation by gathering seed entropy from more sources, including a Trusted Platform Module (TPM) when one is present, and replaces the general-purpose pseudo-random number generator (PRNG) with an AES-256 counter-mode PRNG (the CTR_DRBG construction of NIST SP 800-90) for both user and kernel mode.
Improves security in smart card scenarios:

Introduces a new PIN channel for securely collecting smart card PINs on the PC. This mitigates a number of attacks that could previously be prevented only by using an external PIN pad reader.
Enables smart cards that use biometric authentication instead of a PIN.
Improves security on the Teredo interface by blocking unsolicited traffic by default. This was already addressed in a security update for Windows Vista (KB935807).
Improves BitLocker Drive Encryption by offering an additional multi-factor authentication method that combines a key protected by the TPM (Trusted Platform Module) with a Startup Key stored on a USB storage device and a user-generated Personal Identification Number (PIN).
Extends BitLocker encryption support to volumes other than the boot volume (Enterprise and Ultimate SKUs).
Improves the OCSP (Online Certificate Status Protocol) implementation so that it can be configured to accept OCSP responses signed by trusted OCSP signers other than the issuer of the certificate being validated. RFC 2560 allows a response to be signed by the issuing CA, by a responder certified by that CA with the id-kp-OCSPSigning extended key usage, or by a responder the relying party explicitly trusts; SP1 adds configuration for the last case.
Enables a standard user to invoke the CompletePC Backup application, provided that user can supply administrator credentials. Previously, only administrators could launch the application.
The Remote Desktop client in Windows Vista SP1 provides user interface improvements for user and server authentication. The RDP client streamlines the steps end users must follow to provide their credentials to Windows Server 2003 (or earlier) Terminal Servers, and simplifies the management of previously saved credentials.
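
As an added illustration of the generator named in the random-number item above (this is not Microsoft's or CNG's code, which the page does not show), the following Go program implements an AES-256 CTR_DRBG as specified in NIST SP 800-90A without a derivation function: instantiate, generate, reseed and a reseed-interval limit. The 48-byte entropy input is constructed and fixed so that the run is reproducible; a production generator draws it from the entropy pool (and the TPM when one is present), and the reseed interval used here is an illustrative constant.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// AES-256 CTR_DRBG without a derivation function (NIST SP 800-90A, section 10.2.1).
const (
	keyLen         = 32                // AES-256 key
	blockLen       = aes.BlockSize     // 16-byte counter block V
	seedLen        = keyLen + blockLen // 48 bytes of seed material per (re)seed
	reseedInterval = 1 << 16           // illustrative; the standard permits up to 2^48
)

type ctrDRBG struct {
	key           [keyLen]byte
	v             [blockLen]byte
	reseedCounter uint64
}

// incrementV treats V as a big-endian 128-bit counter and adds one (mod 2^128).
func incrementV(v *[blockLen]byte) {
	for i := blockLen - 1; i >= 0; i-- {
		if v[i]++; v[i] != 0 {
			return
		}
	}
}

// update is CTR_DRBG_Update: encrypt successive counter values under the current
// key, XOR in the provided data, and install the result as the new key and V.
func (d *ctrDRBG) update(provided *[seedLen]byte) {
	block, _ := aes.NewCipher(d.key[:]) // the key is always 32 bytes, so this cannot fail
	var temp [seedLen]byte
	for off := 0; off < seedLen; off += blockLen {
		incrementV(&d.v)
		block.Encrypt(temp[off:off+blockLen], d.v[:])
	}
	for i := range temp {
		temp[i] ^= provided[i]
	}
	copy(d.key[:], temp[:keyLen])
	copy(d.v[:], temp[keyLen:])
}

// seed serves both instantiate and reseed: seed_material = entropy XOR pad(extra), where
// extra is the personalization string or additional input, zero-padded to seedLen.
func (d *ctrDRBG) seed(entropy, extra []byte) error {
	if len(entropy) != seedLen || len(extra) > seedLen {
		return fmt.Errorf("entropy must be %d bytes and extra at most %d", seedLen, seedLen)
	}
	var material [seedLen]byte
	copy(material[:], extra)
	for i := range material {
		material[i] ^= entropy[i]
	}
	d.update(&material)
	d.reseedCounter = 1
	return nil
}

func newCTRDRBG(entropy, personalization []byte) (*ctrDRBG, error) {
	d := &ctrDRBG{} // Key = 0^256 and V = 0^128 before the first update
	if err := d.seed(entropy, personalization); err != nil {
		return nil, err
	}
	return d, nil
}

// generate returns n output bytes. It refuses to run past the reseed interval, and it
// runs update afterwards so a later compromise of the state does not expose old output.
func (d *ctrDRBG) generate(n int) ([]byte, error) {
	if d.reseedCounter > reseedInterval {
		return nil, fmt.Errorf("reseed required after %d requests", reseedInterval)
	}
	block, _ := aes.NewCipher(d.key[:])
	out := make([]byte, (n+blockLen-1)/blockLen*blockLen)
	for off := 0; off < len(out); off += blockLen {
		incrementV(&d.v)
		block.Encrypt(out[off:off+blockLen], d.v[:])
	}
	var zero [seedLen]byte
	d.update(&zero)
	d.reseedCounter++
	return out[:n], nil
}

func main() {
	// Constructed, fixed 48-byte "entropy" for a reproducible demo only; never do this in production.
	entropy := []byte("0123456789abcdef0123456789abcdef0123456789abcdef")
	d, err := newCTRDRBG(entropy, []byte("example personalization"))
	if err != nil {
		panic(err)
	}
	out, _ := d.generate(32)
	fmt.Println(hex.EncodeToString(out))
}
```

Two properties the SP1 change relies on are visible here: all of the security rests on the entropy input (the same 48 bytes always produce the same stream, which is why gathering seed material from more sources matters), and the update step after each request means that recovering the state later does not reveal output that was already handed out.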
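
The three kinds of acceptable OCSP response signer described in the OCSP item above, as an added Go example that is not CryptoAPI's code: it builds a constructed in-memory PKI with crypto/x509 and reports which RFC 2560 rule, if any, admits a given response signer. The CA, responder and server names, the ECDSA P-256 keys, and the `configured` list that stands in for the SP1 "trusted OCSP signer" setting are all assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ocspSignerAcceptable applies the RFC 2560 section 4.2.2.2 rules for who may sign a
// response about a certificate issued by issuer: (1) the issuing CA itself, (2) a
// responder certificate issued by that CA carrying the id-kp-OCSPSigning EKU, or
// (3) a responder the relying party has explicitly configured as trusted, which is
// the case Vista SP1 adds. It returns the rule that matched, for logging.
func ocspSignerAcceptable(issuer, signer *x509.Certificate, configured []*x509.Certificate) (string, bool) {
	if bytes.Equal(signer.Raw, issuer.Raw) {
		return "issuer", true
	}
	if signer.CheckSignatureFrom(issuer) == nil && hasEKU(signer, x509.ExtKeyUsageOCSPSigning) {
		return "delegated", true
	}
	for _, t := range configured {
		if bytes.Equal(t.Raw, signer.Raw) {
			return "configured", true
		}
	}
	return "", false
}

func hasEKU(c *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, eku := range c.ExtKeyUsage {
		if eku == want {
			return true
		}
	}
	return false
}

// Everything below builds a constructed test PKI in memory; nothing here is a real CA.
func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// issue signs tmpl for pub with signer's key (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER that CreateCertificate just produced
	return cert
}

type fixture struct {
	issuer, delegated, delegatedNoEKU, outsider *x509.Certificate
	configured                                  []*x509.Certificate // SP1-style trusted OCSP signers
}

func buildFixture() fixture {
	caKey := newKey()
	caTmpl := template("Example Issuing CA", 1)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	issuer := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	delTmpl := template("Example CA OCSP Responder", 2)
	delTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	delegated := issue(delTmpl, issuer, &newKey().PublicKey, caKey)
	// Issued by the CA but without the OCSP signing EKU: an ordinary server certificate.
	delegatedNoEKU := issue(template("www.example.test", 3), issuer, &newKey().PublicKey, caKey)
	outKey := newKey()
	outTmpl := template("Third-Party OCSP Service", 4)
	outTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	outsider := issue(outTmpl, outTmpl, &outKey.PublicKey, outKey)
	return fixture{issuer, delegated, delegatedNoEKU, outsider, []*x509.Certificate{outsider}}
}

func main() {
	f := buildFixture()
	for _, s := range []*x509.Certificate{f.issuer, f.delegated, f.delegatedNoEKU, f.outsider} {
		_, plain := ocspSignerAcceptable(f.issuer, s, nil)
		rule, ok := ocspSignerAcceptable(f.issuer, s, f.configured)
		fmt.Printf("%-26s default=%-5v configured=%-5v rule=%q\n", s.Subject.CommonName, plain, ok, rule)
	}
}
```

Run it and the third-party responder is rejected by default but accepted once it is in the configured list, while the CA-issued server certificate is never accepted: being issued by the right CA is not enough without the id-kp-OCSPSigning extended key usage. That is also the practical reason to keep the configured list short, since anything on it can vouch for the revocation status of every certificate the relying party checks against it.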

Support for New Technologies and Standards

Adds support for stronger cryptographic algorithms in IPsec: SHA-256, AES-GCM, and AES-GMAC for ESP and AH; ECDSA, SHA-256, and SHA-384 for IKE and AuthIP. Note that AES-GMAC provides integrity only, not confidentiality, so an ESP policy that selects it is authenticated but not encrypted.
Adds the NIST SP 800-90 elliptic curve pseudo-random number generator (Dual_EC_DRBG) to the list of PRNGs available in Windows Vista. It is not the default (the AES-256 CTR_DRBG is), and NIST later withdrew Dual_EC_DRBG from SP 800-90A and recommends against its use, so there is no reason to select it.
Adds support for SSTP (Secure Socket Tunneling Protocol), a remote-access VPN tunneling protocol that will be part of Microsoft's RRAS (Routing and Remote Access Service) platform. SSTP carries PPP over an HTTPS session on TCP port 443, which removes some of the connectivity problems other VPN tunnels face when traversing NAT, web proxies, and firewalls.
Adds full support for the latest IEEE draft of 802.11n wireless networking.
Adds support for obtaining the identity and invoking the identity UI of an inner method via a new EAPHost runtime API, as well as a configuration UI for tunnel methods. These APIs are useful for developers working on tunneled or multi-phase EAP authentication methods, and for those implementing network supplicants that consume EAP authentications.
Adds support in the Windows Smart Card Framework to enable compliance with the EU Digital Signature Directive and national ID / eID cards.
Adds support for the Parental Controls Games Restrictions for ratings from the Korean Game Rating Board (GRB).
Enhances TCP Chimney network card support so that a TCP Chimney network card can also support Compound TCP.
Adds a new FIPS (Federal Information Processing Standards) compliant mode to the wireless client. The mode is FIPS 140-2 compliant because it moves the cryptographic processing from the wireless network card into an existing FIPS 140-2 validated cryptographic library on the host.
Enhances Windows Firewall and IPsec to use the new Suite B compliant cryptographic algorithms.
Updated drivers are delivered primarily via Windows Update and directly from hardware vendors, not as part of a service pack. However, a small number of critical drivers are included as part of Windows Vista (e.g., display drivers, audio drivers) and some of these have been updated.

Desktop Administration and Management

Allows users and administrators to control which volumes the disk defragmenter runs on.
Allows users and administrators using Network Diagnostics to solve the most common file sharing problems, not just network connection problems.
Enables polling of the RMS (Rights Management Services) server at regular intervals to identify new templates and download them to the local template store. Previously these templates were pushed to clients via a combination of Group Policy and scripting. Additionally, SP1 provides an API for applications to query and access templates in the template store.
Windows Vista SP1 includes a new security policy setting, "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop", which allows a remote helper to enter administrative credentials during a Remote Assistance session. The secure desktop exists to keep other software from reading or driving the elevation prompt, so enable this setting only where Remote Assistance requires it.
Allows administrators to configure NAP Clients to:

Receive updates from Windows Update or Microsoft Update, in addition to WSUS (Windows Server Update Services), as is the case for Windows Vista today.
Define the time a client has to retrieve and submit Statements of Health. This allows the NAP client to respond in time when a particular connection has a timeout requirement.
Use DNS server records to discover health registration authority (HRA) servers when no HRAs are configured through local configuration or Group Policy.
Allow healthy clients used by the Help Desk to establish IPsec connections to unhealthy machines to help resolve problems. This improves the supportability of NAP by allowing Help Desk technicians with health-compliant machines to establish connections (e.g. Remote Desktop, file share) to help resolve issues.
Allows administrators to add a WSD (Web Services for Devices) Print Device to remote Windows Vista or Windows Server 2008 machines. This can be accomplished by using the Print Management Console.
Allows administrators to use a new admin flag to permit WMI scripted enumeration of all contents of the CSC (Client-Side Caching, i.e. Offline Files) cache. This enhances WMI scripted administration of Offline Folders in Windows Vista. Previously this was available only through the COM API.
Improves printing to local printers from within a Terminal Server session.
Allows users to rename or delete folders while working offline with redirected folders. This functionality is important to users that use Folder Redirection and work in offline mode for extended periods of time. This functionality is disabled by default but can be enabled by enabling a registry setting.
Enhances the existing Vista EAPHost service by including an EAP (Extensible Authentication Protocol) Certification Program (ECP) Detection Mechanism. This mechanism makes delivery of EAP Methods submitted to the ECP available through Windows Update.
Adds a WMI interface as a replacement for the MoveUser.exe tool which was removed from Windows Vista. This allows customers to remap an existing workgroup or domain user account profile to a new domain user account profile.
Allows an administrator to configure properties of a network, such as the name, and deploy it network-wide via a Group Policy snap-in.
Allows KMS (Key Management Service) to run within a Virtual Machine environment.

Setup and Deployment Improvements

Enables global organizations to more easily deploy SP1 in a multi-lingual environment, as SP1 includes all 36 language packs. However, this change contributes to the increased size of the standalone package.
Enables users to get updated Help content via a separate downloadable package. This package will be released around SP1 release.
Enables support for hotpatching, a reboot-reduction servicing technology designed to maximize uptime. It works by allowing Windows components to be updated (or “patched”) while they are still in use by a running process. Hotpatch-enabled update packages are installed via the same methods as traditional update packages, and will not trigger a system reboot.
Improves migration and upgrade scenarios relating to the component that allows alternate text input “modalities” like speech, handwriting, and multi-byte character input editors in applications that were not written specifically to support them.
Improves OS deployment by enabling 64-bit versions of Windows Vista to be installed from a 32-bit OS. This will allow IT professionals to maintain just a single WinPE image.
Improves OS deployment by supporting the installation of offline boot critical storage drivers. WinPE will automatically look to a hidden partition for drivers. It will search that partition recursively, and if boot critical drivers are present they will be loaded. Non-boot critical drivers will be picked up and staged, but not loaded prior to the OS coming online.
Improves patch deployment by retrying failed updates in cases where multiple updates are pending and the failure of one update causes other updates to fail as well.
Enables reliable OS installation by optimizing OS installers so that they run only when required during patch installation. Fewer installers running means fewer points of potential failure, which leads to more robust and reliable installation.
Improves overall install time for updates by optimizing the query for installed OS updates.
Improves robustness during the patch installation by being resilient to transient errors such as sharing violations or access violations.
Improves robustness of transient failures during the disk cleanup of old OS files after install.
Improves the uninstallation experience for OS updates by improving the uninstallation routines in custom OS installation code.
Improves reliability of OS updates by making them more resilient to unexpected interruptions, such as power failure.
Improved instrumentation allows additional data to be sent to Microsoft via the CEIP (Customer Experience Improvement Program) when enabled. This telemetry data led to the identification of numerous issues that are addressed in SP1 and resulted in improvement in the reliability of OS servicing. (CEIP is respectful of personally identifiable information and adheres to terms discussed in the EULA.)
After the SP1 version of the OPK (OEM pre-installation kit) is installed, further OPK updates will not be required if a servicing stack update is issued. (The servicing stack is the underlying set of binaries used to update the system). Post SP1, offline images may be updated using the servicing stack binaries contained in the image rather than the servicing stack binaries in the OPK.

Interoperability Improvements

SP1 exposes Ideal Send Backlog (ISB) information to Winsock2 clients to enable better throughput over high bandwidth, high latency links when communicating with Windows Server 2008. Applications that are modified to use the new ISB info will provide better throughput when sending large amounts of data over such links to other Windows Vista or Windows Server 2008 machines. Applications not modified to take advantage of this change will function as before.
SP1 includes throughput improvements to Send in TransmitFile/TransmitPackets and ftp.exe, when communicating with Windows Server 2008 over high bandwidth, high latency links. Ftp.exe and other applications using TransmitFile/TransmitPackets on Windows Vista SP1 will achieve better throughput when sending files over such links to other Windows Vista or Windows Server 2008 machines.

Feature or API Changes

GPMC (Group Policy Management Console) will be uninstalled with Service Pack 1 and GPEdit will default to Local Group Policy editing. Following these changes, SP1 users can download an updated version of GPMC which will include new Group Policy capabilities including adding comments to GPOs or individual settings and searching for specific Group Policy settings.
The MSN Connection Center Dial-up Internet Access connector was removed from the Windows Vista Connection Wizard.
Includes a new Offline Files interface that exports the dirty byte count for a file that is modified offline. This interface is exposed both through the COM APIs and WMI provider for Offline Files.

General Improvements and Enhancements

SP1 includes a number of changes which allow computer manufacturers and consumers to select a default desktop search program similar to the way they currently select defaults for third-party web browsers and media players. That means that in addition to the numerous ways a user could access a third party search solution in Windows Vista, they can now get to their preferred search results from additional entry points in the Start Menu and Explorer Windows in Windows Vista with SP1. 3rd party software vendors simply need to register their search application using the newly provided protocol in Windows Vista SP1 to enable these options for their customers.
With SP1, Windows Vista will report the amount of system memory installed rather than report the amount of system memory available to the OS. Therefore 32-bit systems equipped with 4GB of RAM will report all 4GB in many places throughout the OS, such as the System Control Panel. However, this behavior is dependent on having a compatible BIOS, so not all users may notice this change.
SP1 reduces the number of UAC (User Account Control) prompts from 4 to 1 when creating or renaming a folder at a protected location.
Improvements in the Licensing User Interface and User Experience including more details in the help about activation and what happens if user does not activate; more detailed and descriptive dialog text; raw error codes replaced with easily comprehensible text.
SP1 modifies the text in the Ultimate Extras Control Panel to describe the Ultimate Extras program in more general terms.
Upon scanning a photo with the Vista scanning experience, SP1 will open Explorer rather than opening Windows Photo Gallery.
Users are now required to enter a password hint during the initial setup of Windows Vista SP1. This change was made based on feedback from top PC manufacturers that many customers forget their password; because the built-in Administrator account is disabled by default on Windows Vista, those users had no way to get back into their PCs. A password hint helps avoid this scenario. (A hint is shown to anyone at the logon screen, so it should not be the password itself or give it away.)
Improves compatibility with third-party diagnostic tools that rely on raw sockets by applying the same delivery logic to control packets (ICMPv4 and ICMPv6) as to regular packets.
With SP1, Microsoft differentiates the experience customers have using non-genuine versions of our software. This is based on feedback we heard from volume license customers in particular as part of our Windows Genuine Advantage program. Further details can be found in an interview with Microsoft Corporate Vice President Mike Sievert at http://www.microsoft.com/presspass/features/2007/dec07/12-03wga.mspx .
SP1 also includes updates that deal with two activation exploits we have seen in the field, which can also affect system stability for our customers:

The OEM BIOS exploit, which modifies system files and the motherboard BIOS to mimic the type of product activation (OEM pre-activation) performed on copies of Windows that OEMs pre-install in the factory.
The Grace Timer exploit, which attempts to reset the "grace time" limit between installation and activation, in some cases to a date as far out as the year 2099.

Windows Vista Alignment with Windows Server 2008

Windows Vista is aligned with Windows Server 2008, meaning that many files are common to both products. As a result, there are cases where a common binary is modified to enable a server scenario that has limited or no effect on Windows Vista SP1 capabilities. Here are a few examples:

File Sharing: The file sharing subsystem on Windows Vista allows only 10 concurrent inbound connections, whereas Windows Server 2008 must scale to thousands. During the testing and customer-feedback phase of Windows Server 2008 development, the file sharing subsystem was tuned and refined for performance, scalability and reliability. That level of tuning is not typically needed on a client limited to 10 connections, but it is critical to a file server role. Changes like this are made primarily for server scenarios, although they may also benefit Windows Vista SP1.
IIS 7: IIS is included in some Windows Vista SKUs so that web developers can write and test their applications. In Windows Server 2008, IIS is a major server role with Internet-scale performance and scalability requirements. The IIS 7 components have gone through significant performance and reliability enhancements since Windows Vista originally shipped in order to serve as a large-scale server component. These changes do not affect most Windows Vista users, who do not even have the IIS 7 components installed; however, because Windows Vista and Windows Server are aligned, they are included in Windows Vista SP1.
Concurrent User Support: Key subsystems such as the Windows Logon process and the core kernel need only support user-switching scenarios on Windows Vista. However, on Windows Server 2008, where a Terminal Server may have thousands of users logged in simultaneously, these subsystems must be tuned for maximum performance and reliability. Changes like this are done primarily for the server scenarios, although they may also benefit Windows Vista SP1.

Gargantuan OS X Update Fixes Almost 100 Security Flaws

March 18, 2008

Severity: High

18 March, 2008

Summary:

  • These vulnerabilities affect: OS X 10.4.x (Tiger) and OS X 10.5.x (Leopard), both client and server versions
  • How an attacker exploits them: Multiple vectors of attack, including enticing one of your users into visiting a URL or web site
  • Impact: Various results; in the worst case, attacker executes code on your user’s computer, potentially gaining complete control of it
  • What to do: OS X administrators should download, test and install Security Update 2008-002

Exposure:

Today, Apple released a security update fixing over 95 (number based on CVE-IDs) security issues in software packages that ship as part of OS X, including Apache, Preview, and Help Viewer. Some of these vulnerabilities allow attackers to execute any code they choose on your OS X machines, so we rate this update Critical. Apply it as soon as you can. Three of the vulnerabilities fixed include:

  • Multiple integer overflow vulnerabilities in AppKit. AppKit is an OS X framework that helps developers implement graphical, event-driven user interfaces. According to Apple, AppKit suffers from integer overflow vulnerabilities in the way it parses serialized property lists. By luring one of your users to a maliciously crafted web site, an attacker could exploit these flaws to execute code on your user’s computer, with that user’s privileges. The attacker could then leverage a separate vulnerability in AppKit, also described in Apple’s alert, to gain system privilege, thus giving the attacker complete control of that user’s Mac.
  • Foundation race condition vulnerability. Foundation is the base Objective-C framework on OS X; among other things it provides the URL-handling classes that Safari uses. According to Apple, Foundation suffers from a race condition vulnerability, about which the alert gives few details. If an attacker can entice one of your users into visiting a malicious web site, he could exploit this vulnerability to execute code on the user’s computer, with that user’s privileges. Furthermore, the attacker could then leverage other vulnerabilities described in Apple’s alert to elevate privileges and gain complete control of your user’s computer.
  • Image Raw buffer overflow vulnerability. Image Raw is a component that allows OS X to handle the various RAW image formats that some digital cameras support. Image Raw suffers from a buffer overflow vulnerability involving the way it handles specially malformed Adobe Digital Negative (DNG) image files. By enticing one of your users into viewing a malicious image, an attacker can exploit this flaw to execute code on that user’s computer. By default, the attacker would only execute code with that user’s privileges. However, he could then leverage another vulnerability — also described in Apple’s alert — to gain complete control of your user’s computer.
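
The arithmetic behind bugs of the AppKit and Image Raw kind, as an added example written in Go (not Apple's code, and not the real property-list or DNG layout): a parser for a constructed container format whose length check is done in 32-bit arithmetic, next to a hardened version. The header layout (a 32-bit element count followed by a 32-bit element size) and the inputs are assumptions made for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math/bits"
)

// Constructed container format: a 32-bit element count, a 32-bit element size,
// then count*size bytes of payload. Nothing about it is Apple's format.
const headerLen = 8

// parseVulnerable has the classic bug: the byte total is computed in 32-bit
// arithmetic, so a crafted count and size wrap it to a small number, the length
// check passes, and the element loop then walks past the end of the buffer.
// In C that is an out-of-bounds read or write; Go turns it into a panic, which
// this function converts to an error so the caller can see it.
func parseVulnerable(buf []byte) (n int, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("crash: %v", r)
		}
	}()
	if len(buf) < headerLen {
		return 0, errors.New("short header")
	}
	count := binary.LittleEndian.Uint32(buf[0:4])
	size := binary.LittleEndian.Uint32(buf[4:8])
	total := count * size // uint32 multiplication wraps silently
	if int(total) > len(buf)-headerLen {
		return 0, errors.New("payload too short")
	}
	payload := buf[headerLen:]
	var elems [][]byte
	for i := uint32(0); i < count; i++ {
		elems = append(elems, payload[i*size:(i+1)*size]) // panics once the wrapped total is exceeded
	}
	return len(elems), nil
}

// parseHardened checks the multiplication for overflow before trusting it and
// bounds the total by the bytes actually present, so no header can describe
// more elements than the buffer holds.
func parseHardened(buf []byte) (int, error) {
	if len(buf) < headerLen {
		return 0, errors.New("short header")
	}
	count := binary.LittleEndian.Uint32(buf[0:4])
	size := binary.LittleEndian.Uint32(buf[4:8])
	if size == 0 {
		return 0, errors.New("zero element size")
	}
	hi, total := bits.Mul64(uint64(count), uint64(size))
	if hi != 0 || total > uint64(len(buf)-headerLen) {
		return 0, fmt.Errorf("count %d * size %d does not fit in %d payload bytes", count, size, len(buf)-headerLen)
	}
	payload := buf[headerLen:]
	var elems [][]byte
	for i := uint64(0); i < uint64(count); i++ {
		elems = append(elems, payload[i*uint64(size):(i+1)*uint64(size)])
	}
	return len(elems), nil
}

// makeInput builds a constructed buffer with the given header and payload length.
func makeInput(count, size uint32, payloadLen int) []byte {
	buf := make([]byte, headerLen+payloadLen)
	binary.LittleEndian.PutUint32(buf[0:4], count)
	binary.LittleEndian.PutUint32(buf[4:8], size)
	return buf
}

func main() {
	benign := makeInput(3, 4, 12)
	// 0x40000001 * 4 = 0x100000004, which is 4 once truncated to 32 bits, so the
	// vulnerable check believes four payload bytes are enough for a billion elements.
	crafted := makeInput(0x40000001, 4, 4)
	for _, in := range [][]byte{benign, crafted} {
		nv, ev := parseVulnerable(in)
		nh, eh := parseHardened(in)
		fmt.Printf("vulnerable: n=%d err=%v | hardened: n=%d err=%v\n", nv, ev, nh, eh)
	}
}
```

The crafted header asks for 0x40000001 elements of 4 bytes; the product is 0x100000004, which a 32-bit multiply truncates to 4, so the vulnerable check accepts a 4-byte payload and the loop walks off the end. Go stops this with a bounds-check panic; C has no such check, and the same walk reads or writes adjacent memory, which is what makes this class of bug exploitable rather than just a crash. The hardened parser uses a 64-bit multiply and rejects any header whose product does not fit the payload that is actually present.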

Apple’s alert includes many more flaws, including other code execution flaws in addition to those described above. The remaining vulnerabilities also include Denial of Service (DoS) flaws, elevation of privilege flaws, and information disclosure vulnerabilities, plus others. Components patched by this security update include:

AFP Client, AFP Server, Apache, AppKit, Application Firewall, CFNetwork, ClamAV, CoreFoundation, Core Services, CUPS, curl, Emacs, file, Foundation, Help Viewer, Image Raw, Kerberos, libc, mDNSResponder, notifyd, OpenSSH, pax archive utility, PHP, Podcast Producer, Preview, Printing, System Configuration, UDF, Wiki Server, and X11.

Refer to Apple’s alert for more details.

This is a huge update fixing many security vulnerabilities, some of which pose a critical security risk. If you manage OS X machines, we highly recommend you apply this update right away.

Solution Path:

Apple has released OS X Security Update 2008-002 to fix all these security issues. OS X administrators should download, test, and deploy Security Update 2008-002 as soon as they can.

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend you let OS X’s Software Update utility pick the correct update for you automatically.

For All Users:

These flaws support diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple released updates to fix these issues.

References:

Apple’s March OS X Advisory


Thirteen Security Flaws Plague Safari 3 for OS X and Windows

March 18, 2008

Severity: Medium

18 March, 2008

Summary:

  • These vulnerabilities affect: Safari 3 for OS X and Windows
  • How an attacker exploits them: By enticing one of your users into visiting a malicious web site
  • Impact: Various results; in the worst case, attacker executes code on your user’s computer, with your user’s privileges
  • What to do: Install Safari 3.1

Exposure:

Today, Apple released a security update fixing thirteen security issues in Safari 3 for OS X and Windows. The worst of these vulnerabilities potentially allows attackers to execute malicious code on your Safari user’s machines. If you use Safari in your network — whether on a PC or Mac — you should update to version 3.1 as soon as you can. Some of the fixed vulnerabilities include:

  • WebKit buffer overflow vulnerability. WebKit, the rendering engine that ships with Safari, suffers from a buffer overflow vulnerability involving the way it handles JavaScript regular expressions. If an attacker can entice one of your users into visiting a malicious web site, he could exploit this vulnerability to execute code on the user’s computer, with that user’s privileges.
  • Safari certificate spoofing vulnerability. According to Apple, Safari suffers from an unspecified SSL certificate validation vulnerability. To exploit this vulnerability, an attacker must first entice your user to a legitimate web site that has a legitimate SSL certificate, then re-direct your user to a malicious web site. The malicious web site will appear to have the same SSL certificate as the legitimate site, and thus inherit the trust you give the legitimate site. An attacker could exploit this flaw to steal your login credentials or any other information associated with the legitimate site.
  • Multiple XSS vulnerabilities in Safari. Safari and some of its components (WebCore and WebKit) suffer from nine Cross-Site Scripting (XSS) vulnerabilities. Though the vulnerabilities differ technically, an attacker could exploit them in the same way, and with similar results. If an attacker can entice one of your users into clicking a malicious link, he can exploit these flaws to run script in the user’s browser in the security context of another web site. Such script does not run with the user’s operating-system privileges, but it can read that site’s cookies and session data and perform actions on the site as the logged-in user; combined with a separate code execution flaw, such as the WebKit overflow above, it could go further. For a more general understanding of XSS attacks, see our article, “Anatomy of a Cross-Site Scripting Attack.”

Apple’s alert includes a few more flaws, including a web site spoofing vulnerability and password disclosure flaw. For more details on these flaws, refer to Apple’s alert.

Solution Path:

Apple has released Safari 3.1 for OS X and Windows to correct these security vulnerabilities. Safari users should download and install version 3.1 as soon as possible.

Note: You can also let OS X’s Software Update utility (or Apple Software Update on Windows) install the Safari 3.1 update for you automatically.

For All Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Apple released Safari 3.1 to fix these flaws.

References:


Bandwidth.com : IMPORTANT: Final update regarding Bandwidth.com VoIP Interruption

March 15, 2008

To Our Valued Customers-
Bandwidth.com’s primary server, 216.82.224.202 is now able to process inbound calls and outbound calls.   Please make the necessary changes to allow inbound traffic from 216.82.224.202 and your outbound VoIP traffic back to 216.82.224.202.

We apologize for the inconvenience.

Thank You-
Bandwidth.com
Customer Care 


Bandwidth.com: IMPORTANT: Update regarding Bandwidth.com VoIP Interruption

March 14, 2008

To Our Valued Customers-
Currently Bandwidth.com’s primary server, 216.82.224.202 is unable to process inbound calls. It is however processing outbound calls.  Your inbound traffic will now be coming from 4.79.212.236, please allow traffic from this IP until further notice.   If you wish to email us at customercare@bandwidth.com we will be happy to open a ticket for you. Please be sure in the email that you give us a contact name, number and the location(s) that are affected.

We apologize for the inconvenience.

Thank You-
Bandwidth.com
Customer Care


Bandwidth.com : IMPORTANT: UPDATE for Bandwidth.com VoIP Interruption

March 14, 2008

To Our Valued Customers-
The issue we were experiencing affecting SIP/OT customers has been resolved. The primary server, 216.82.224.202 is now able to process outbound calls. Your inbound traffic will be moved back to primary server, 216.82.224.202 at 2:00PM EST. If you are still experiencing issues please email customercare@bandwidth.com and we will be happy to open a ticket for you. We will be following up with an official RFO.

We apologize for the inconvenience.

Thank You-
Bandwidth.com
Customer Care


Bandwidth.com : IMPORTANT: ADDITIONAL VOIP OUTAGE INSTRUCTIONS ( INBOUND TRAFFIC)

March 14, 2008

To Our Valued Customers-
We are experiencing a VoIP outage affecting SIP/OT customers and are working to resolve this issue. Currently Bandwidth.com’s primary server, 216.82.224.202 is unable to process calls. Your inbound traffic will now be coming from 4.79.212.236, please allow traffic from this IP. If you wish to email us at customercare@bandwidth.com we will be happy to open a ticket for you. Please be sure in the email that you give us a contact name, number and the location(s) that are affected.

We apologize for the inconvenience.

Thank You-
Bandwidth.com
Customer Care