Microsoft is warning of a zero-day exploit and other Microsoft news

On Tuesday, the company posted a security advisory stating Microsoft is investigating public reports of a vulnerability targeting Internet Explorer 8 and 9. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet ZERO-DAY ATTACKS: Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

All supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone,” but “if a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.

With cyber crime hitting more than 500 million victims globally and costing $100 billion annually, it’s clear that security breaches are a problem very far from being solved.

Zero-days are just one part of the overall threat landscape, however virtually everyone is at risk from a zero-day attack. And the threat from zero-day vulnerabilities occurs long before vendor or public discovery, and remains active long after patches are released.

A zero-day vulnerability is a vulnerability that has only been discovered by hackers. The vendor does not yet know of the vulnerability and therefore has not developed a patch for it. In contrast, a general vulnerability is disclosed by the vendor who typically has a patch ready.

Other Microsoft news:

Last week, four of the 13 Microsoft-issued updates were yanked for causing nasty retargeting loop headaches for some customers. After installing the updates, some users were notified to install updates again, and then again, in a vicious circle, as if they had not previously installed them. Microsoft said there were also cases “where updates were not offered via Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM).” The company fixed the flawed patches and released new updates.

In the Microsoft good news category, Windows Phone 8 was given the FIPS 140-2 security thumbs up by the government. “FIPS 140-2 is a U.S. government security standard used to accredit the cryptographic algorithms that protect sensitive data inside products like smartphones. In all, Windows Phone 8 received accreditation for nine cryptographic certificates. If things go according to Microsoft’s plans, then Windows Phones will have a new virtual assistant in 2014. The Microsoft-flavored Siri is code-named “Cortana,” after “an artificially intelligent character in Microsoft’s Halo series who can learn and adapt.

Microsoft announced that Bing is moving on to “the next phase,” which is more than a new logo and user interface. “Bing is now an important service layer for Microsoft, and we wanted to create a new brand identity to reflect Bing’s company-wide role. The new look integrates the ‘One Microsoft’ vision both from a product perspective and visually.” This seems to squash rumors that Microsoft might kick Bing to the curb. You can preview the modern Bing here – http://www.bing.com/explore/newbing

 

BYOD Risks & Rewards

Whether you’re an end user or an IT administrator, Bring Your Own Device (BYOD) is becoming the rule rather than the exception in today’s workplace. Although BYOD may be a convenience to your employees, you need to think about its impact on corporate security models.

What BYOD means for business

Today’s IT leaders face many security challenges and rapid changes, all while having to do more with less. They must provide end users with the latest, most advanced technologies to remain competitive. And they have to protect company, customer and employee data while thwarting attacks from cybercriminals.

New technology brings more ways to access data, new types of devices and alternatives to the traditional PC platform. Apple CEO Tim Cook appropriately called this the “post-PC era.”

These dynamics have created a shift toward BYOD, a trend in the workplace that’s rapidly becoming the rule rather than the exception.

BYOD encompasses more than personal computers. It means employees using smartphones, tablets, BlackBerrys, ultralight books and more for their work. The concept of BYOD broadens to include software and services, as employees use cloud services and other tools on the web.

The shortcomings of technology which made BYOD unrealistic a few years ago have given way to broad popularity and use of these tools.

These include: 1.Web: Today’s web is the singular way to access any application—business, financial, customer support, sales or technology. 2.Wireless: No matter where you are or what device you’re using, you have access to the back office infrastructure through extensive Wi-Fi networks. 3.Mobile devices: Device form factors have become more sophisticated, cheaper and more portable, with more robust memory and battery life.

Implemented properly, a BYOD program can reduce cost while increasing productivity and revenue. As BYOD goes mainstream in IT departments, security should be front and center for users and IT administrators alike.

What BYOD means for security

It’s risky to assume that prohibiting personal devices solves the problem, because employees end up using their own devices anyway, unmonitored and undeterred by your security policies.

Whatever you think of BYOD and however you choose to implement it, IT managers should treat it the same way as any introduction of new technology: with a controlled and predictable deployment.

Ask yourself: 1.Who owns the device? That’s a question that has changed over time. In the past, the company owned the devices. With BYOD the devices are owned by the user. 2.Who manages the device? Previously this was an easy question to answer. Today it could be either the company or the end user. 3.Who secures the device? Accountability is not something that goes away for a user just because they personally own the device. After all, the data carried on it is company-owned.

Answering these questions is fundamental to both understanding the risks and taking advantage of the rewards of BYOD.

All organizations have the flexibility, based on their corporate culture and regulatory requirements, to embrace BYOD as much as they deem reasonable. For example, there are companies who have decided the risk is too great and choose not to implement a BYOD program.

In May 2012, IBM banned its 400,000 employees from using two popular consumer applications over concerns about data security. The company banned cloud storage service Dropbox, as well as Apple’s personal assistant for the iPhone, Siri. Siri listens to spoken requests and sends the queries to Apple’s servers where they are deciphered into text. Siri can also create text messages and emails on voice command, but some of these messages could contain sensitive, proprietary information.

Ultimately, the success of your BYOD program is measured by your employees’ willingness to use their personal devices within the rules you set for them. Your organization’s security procedures and policies should determine whether and how you adopt BYOD.

You need to have the ability to enforce security policies on a device level and protect your intellectual property if that device is ever lost or stolen.

What is BYOS

The same technologies driving the turn to BYOD also allow users to access non-company software. This effect is known as Bring Your Own Software (BYOS).

End users may be using free public cloud storage providers as way to collaborate on and transfer large documents. Those documents, however, could contain data that falls into scope of regulatory guidelines, which could place your data at risk.

You should evaluate how cloud storage providers transport and store your company’s files.

Consider these questions: 1.How are they encrypting the data? 2.Are they using a single key for all of their customers? 3.Who has access to the key to decrypt the data? 4.Will they surrender the data to authorities if it is subpoenaed? 5.In which countries are the servers located that are housing the data? 6.Does your organization have an agreement with customers that their data won’t be stored in certain countries?

How to secure BYODs

The first and best defense in securing BYODs begins with the same requirements you apply to devices that are already on your network. These security measures include: 1.Enforcing strong passcodes on all devices 2.Antivirus protection and data loss prevention (DLP) 3.Full-disk encryption for disk, removable media and cloud storage 4.Mobile device management (MDM) to wipe sensitive data when devices are lost or stolen 5.Application control

You should always extend encryption to both data in transit and data at rest. Protecting your devices with strong passwords means you make it incredibly difficult for someone to break in and steal data. But if somehow your device-level password is compromised, encrypting the data stored on the device provides a second level of security a hacker must get through in order to steal your data.

You should encourage users to think of the extra layers of security as helpful tools that give them the ability to use their own devices within the workplace. By password protecting devices, a user acknowledges accountability and responsibility for protecting their data.

In addition to applying passcodes and antivirus prevention to your devices, you should apply a custom level of application control to BYODs. If applications are available to employees on the internal network, they should be able to access them offsite through a VPN or email software.

A successful BYOD program allows your users to be productive outside of their scheduled work hours while also giving them the flexibility to do the things they like to do when they’re not working—like update their status or enjoy playing an interactive game.

Whatever decision you make for your BYOD policy, be sure that it’s enforceable and enables IT to deploy software remotely.

How to set policy and compliance standards

You need to formalize policies specifically around BYOD. For example, will your policy include any and all devices currently available? Or will you limit use of personal devices to specific hardware and software platforms? What about devices that aren’t yet available but could reach consumer markets in the next few years?

The handheld mobile device market is evolving rapidly with new versions and new manufacturers. Keeping that in mind, your BYOD policy should be adaptable. You should maintain written strategic policies based on what you know today and what you think will generally be available tomorrow. And you must apply technology that enforces your written policies to provide management, audit proof modeling, control and security.

Implementing a solution designed to verify that devices can be remotely managed can help you in the ongoing battle to keep security policies relevant and reliable, especially if you’re in an industry with strict compliance and auditing standards.

Additionally, being aware of the service plans your employees have can help you offer the best services while reducing cost. Using a data plan’s hotspot or tethered options can result in an overall better experience for end users. Consider data-only plans for personal Wi-Fi devices in place of maintaining a home office long distance and ISP service plans.

7 steps to a BYOD security plan

Your company’s security and BYOD can co-exist. And it starts with planning. Here’s how:

1. Identify the risk elements that BYOD introduces Measure how the risk can impact your business Map the risk elements to regulations, where applicable

2. Form a committee to embrace BYOD and understand the risks, including: Business stakeholders IT stakeholders Information security stakeholders

3. Decide how to enforce policies for devices connecting to your network Mobile devices (smartphones) Tablets (e.g., iPad, Surface, Android) Portable computers (laptops, netbooks, ultrabooks)

4. Build a project plan to include these capabilities: Remote device management Application control Policy compliance and audit reports Data and device encryption Augmenting cloud storage security Wiping devices when retired Revoking access to devices when end-user relationship changes from employee to guest Revoking access to devices when employees are terminated by the company

5. Evaluate solutions Consider the impact on your existing network Consider how to enhance existing technologies prior to next step

6. Implement solutions Begin with a pilot group from each of the stakeholders departments Expand pilot to departments based on your organizational criteria Open BYOD program to all employees

7. Periodically reassess solutions Include vendors and trusted advisors Look at roadmaps entering your next assessment period Consider cost-saving group plans if practical

Implemented properly, a BYOD program can reduce cost while increasing productivity and revenue. As BYOD goes mainstream in IT departments, security should be front and center for users and IT administrators alike.

How to Disable Java in Three Common Browsers

The ongoing security problems with Java mean that many people will want to disable the

Java plug-in for their web browsers. Here is how to do it for the most common browsers.

Google Chrome

  1. In the Chrome address bar enter: chrome://plugins
  2. Find the entry for the Java plug-in and click “Disable”

Firefox

  1. Open the Firefox menu
  2. Click “Add-ons”
  3. On the left side of the Add-ons manager that opens, select “ Plugins”
  4. Click “Disable” by the entry for Java   Firefox may have already done the disabling automatically

Internet Explorer

Disabling Java in the various versions of Internet Explorer (IE) is more complicated than it seems at first. You can use the IE Add-ons manager to disable  “Java(tm) Plug-in 2 SSV Helper” and “Sun Microsystems -Deployment Toolkit ” but that isn’t sufficient. There are apparently multiple ways that Java can be invoked from IE. It is sufficiently complicated that Microsoft has a special article on how to disable the Java plug-in for Internet Explorer. It isn’t pretty. The article involves Registry editing and its gory details are at this link – http://support.microsoft.com/kb/2751647. You can also check out this Homelands Security bulletin about IE – http://www.kb.cert.org/vuls/id/636312#disable_java_in_IE

Fix Troublesome Wireless Connections by Removing their Profile

It can happen that you start having problems with a wireless network which worked well in the past. This might be due to the fact that the its settings may have been changed accidentally or its network profile, as saved on your computer, got corrupted for some reason. In such scenarios it helps to delete the profile of your wireless network and start fresh: have Windows 7 detect it again, introduce your connection details, etc. This tutorial will show how to delete the network profile of a troublesome wireless connection.

Removing the Troublesome Network Profile   Open the Network and Sharing Center. There, on the left side column, click on “Manage wireless networks”.

networks

In the Manage Wireless Networks window, you can see the profiles of all the wireless networks to which you connected to in the past.

Select the network with which you are having trouble, and click Remove.

Networks2

Confirm that you want to remove the network profile.

networks3

The profile of the wireless network is now deleted. Windows will detect that network as if it was a new discovery and you will be able to enter all the details again and connect to it.

Windows 8 Compatibility Check – Issues we have discovered

Recently, we’ve had a couple of users ask us to upgrade their laptops to Windows 8. During the process, a couple of compatibility issues have appeared and seem to be common issues. I am listing the most common, what they mean and what you can do.

DVD Player Applications

Windows 8 is not compatible with certain versions of DVD player software. These include WinDVD, CyberDVD and other programs usually bundled with your laptop. If you don’t need a fancy DVD player or have used VLC Media player, this is the solution for you.

Secure Boot isn’t compatible with your PC

Let me explain what Secure Boot is and why this is only available on newer system. Secure boot attempts to protect the PC against boot loader attacks, which can compromise a system before the OS even loads. Secure boot is actually a feature of Unified Extensible Firmware Interface (UEFI), a new type of boot environment that has gradually been replacing the standard BIOS process. Windows 8 taps into UEFI’s secure boot to ensure that the pre-OS environment is safe and secure.

Secure Boot should not be used if you plan on having a dual-boot environment, i.e. selecting Windows or Linux when you start your computer. You are also limited to using certified drivers for your hardware. If you get a message saying your driver is not signed by Microsoft, as some 3rd party and beta drivers are, you cannot use Secure Boot.

Screen Resolution is not compatible with Snap

If your screen does not support a 1366 x 768 resolution, you cannot use Snap. This resolution is typical of a wide-screen monitor and some laptops do not have support for this size. Snap is the ability to pin your applications to the left side of the screen to quickly switch and access them, a great feature given the tablet nature of Windows 8. If you have used an iPhone or iPad, you know switching from one app to another requires returning to the home screen to load the other app. While you can easily see running apps by pressing the home button twice, you still have to leave the app to see running apps. For example switching between email and your browser, for example, requires you to return to the home screen to launch apps each time you want to switch between them. With Snap, you swipe the left side of your screen (with mouse or finger) to see and switch to any running app.

Bluetooth Software is not compatible

Most installed software is not compatible and has to be upgraded or removed until an update is made available.

Symantec Endpoint Protection is not compatible

While Norton single user/home product has released a compatible version for Windows 8, corporate users and enterprise users will have to wait for Symantec’s version of its popular Endpoint Protection.

If you use Endpoint Protection, and you are willing to purchase a home use product (or are allowed to by corporate policy), go ahead and remove Endpoint Protection and install Windows 8. Otherwise, you will have to wait until they release a compatible version.

So that’s it! These are the most common issues we have seen so far.

How to prepare your PC for Windows 8

If you’re planning to upgrade to Microsoft’s latest OS, now might be a good time to begin preparing your PC.

Windows 8 has been released to consumers on October 26. Priced at just $39.99, the upgrade is surprisingly affordable. If you’re thinking about upgrading to Microsoft’s latest operating system, now might be a great time to start your preparations. Having an upgrade plan can help mitigate many of the risks involved with a major OS upgrade. Here are some suggestions to help your upgrade go as smoothly as possible: Check your system for compatibility

The first thing you’ll want to do is to check your PC to see if it can run Windows 8 properly. The Windows 8 system requirements are:

  • Processor: 1GHz CPU or faster
  • RAM: 1GB (32-bit) or 2GB (64-bit)
  • Disk space: 16GB (32-bit) or 20GB (64-bit)
  • Graphics: DirectX 9-capable video card with WDDM driver

To use the new Windows Store, you’ll need a screen resolution of at least 1024×768 pixels. Also, to snap apps, a resolution of at least 1,366×768 pixels is required. Be sure to run the Windows 8 Upgrade Assistant as well, to check your system for Windows 8 readiness. You can also check the Windows 8 Compatibility Center to manually look up your software and hardware. (http://windows.microsoft.com/en-US/windows-8/upgrade-to-windows-8)

Gather your hardware drivers

Windows 8 may not have proper drivers for your PC’s hardware, especially if the components are really old. If the Windows Upgrade Assistant flagged items, check your system manufacturer’s Web site for the latest drivers on things like, printers, touch pads, graphics cards, and audio cards. If you can find at least Vista drivers, they have a good chance of working in Windows 8.

Freshen up your PC

Giving your system a once-over will help the upgrade go faster and allow your new Windows 8 system to run smoothly from the get-go. Free up disk space, check Windows system security, and even physically clean your hardware. Check out our Windows PC spring cleaning tips for more maintenance tasks you can perform to freshen up your PC.

Back up your personal files

Don’t risk losing your personal data during the upgrade. Back up all your documents, pictures, music, and videos to an external hard drive and make sure the drive is disconnected during the upgrade. Don’t forget to back up your e-mail too, if you’re using a desktop e-mail client. Though Chrome and Firefox can sync your bookmarks, it wouldn’t hurt to save a local copy of your bookmarks too.

Collect your software and license keys

If you’re upgrading from Windows XP or Vista, you’ll have to reinstall your software programs. Make a list of the programs you want to reinstall and make sure you have the installation files available. Also, gather up the license keys for those programs. If you can’t find your license keys, Belarc Advisor might be able to pull them for you. After you’ve collected all your software, place them all on an external hard drive or USB flash drive for quick and easy installation.

Deauthorize/deactivate programs

Some programs, like iTunes and Adobe full license products, require you to deauthorize your PC or deactivate your license, before you’re allowed to install them again. Make sure to deauthorize your PC and deactivate licenses to make sure you can reinstall those programs, hassle-free.

Make note of your Wi-Fi password

It’s easy to forget your Wi-Fi password if you haven’t needed it in a while or if someone else set it up for you. Make sure you know what it is before you begin upgrading, so you’re not fumbling for an Internet connection afterward. Some routers, like those from AT&T and Netgear, have unique passwords printed on the router itself. You can also try using WirelessKeyView to help you find your Wi-Fi password, or just use an Ethernet cable until you can figure it out.

Clone your system before you upgrade

If for some reason, your upgrade turns into a nightmare, reverting back to your old version of Windows might become your only choice. Clone your system with Norton Ghost, Acronis True Image, or Clonezilla, so you can go back to your old version of Windows, just in case.

That’s it. Next up, step by step upgrades process.

Microsoft confirms hackers exploiting critical IE bug

Microsoft issued a security advisory that confirmed in-the-wild attacks are exploiting an unpatched bug in Internet Explorer. The software maker is working on a fix.

The advisory addressed the “zero-day” vulnerability — meaning it was discovered and exploited before a patch was available.

All but one supported edition of IE are affected: 2001’s IE6, 2006’s IE7, 2009’s IE8 and last year’s IE9. Together, those browsers accounted for 53% of all browsers used worldwide in August. The only exception was IE10, the browser bundled with the new Windows 8, which does not contain the bug.

The bug exploits the flaw allows hackers to execute code — in other words, plant malware on a machine — and opens Windows XP, Vista and Windows 7 to drive-by attacks that only require getting victims to visit a malicious or compromised website.   Until a patch is available, Microsoft recommended that users block attacks with EMET 3.0 (Exploit Mitigation Experience Toolkit), boosting IE’s security zone settings to “high,” and configuring the browser to display a warning before executing scripts.

We recommend, at a minimum, the last two steps – boost the security zone to high and having the browser prompt for scripts. The patch is expected this week.