Categories
Uncategorized

Security Advisory 979352 Posted: Vulnerability in Internet Explorer Could Allow Remote Code Execution

As noted in Mike Reavey’s posts on The Microsoft blog and The Microsoft Security Response Center (MSRC) blog today, we have just released Security Advisory 979352. Here’s the detail from Mike Reavey’s post:

Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks. Today, Microsoft issued guidance to help customers mitigate a Remote Code Execution (RCE) vulnerability in Internet Explorer. Additionally, we are cooperating with Google and other companies, as well as authorities and other industry partners.

Microsoft remains committed to taking the appropriate action to help protect our customers. We released Security Advisory 979352 to provide customers with actionable guidance and tools to help with protections against exploit of this vulnerability. Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time. Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band.

It is important to note that complex attacks targeting specific corporate networks are becoming more prevalent in the threat landscape, therefore organizations should follow defense-in-depth best practices, and deploy multiple layers of protection to improve their security posture. In addition, Protected Mode in IE 7 on Windows Vista and later significantly reduces the ability of an attacker to impact data on a user’s machine. Customers should also enable Data Execution Prevention (DEP) which helps mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions.

Customers can also set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones or configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. You can find details on implementing these settings in the advisory.

Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-727-2338 (PCSAFETY). Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov. Customers should follow the guidance in the advisory and our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software (learn more by visiting the Protect Your PC web site). International customers can find their Regional Customer Service Representative at http://support.microsoft.com/common/international.aspx.

We are also working with our Microsoft Active Protections Program (MAPP), the Microsoft Security Response Alliance (MSRA), authorities and other industry partners to help provide broader protections for customers. Together with our partners, we will continue to monitor the threat landscape and will take action against any web sites that seek to exploit this vulnerability.

The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.

-Mike Reavey
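
One way to check the zone workaround described in the post above on a single machine, as an added example that is not part of the MSRC post or the advisory. The zone numbers, action IDs and level value are the standard Internet Explorer URL security zone registry values; the function name `Get-ZoneWorkaroundStatus` is hypothetical, and by default only the per-user (HKCU) settings are read.

```powershell
# Added example: report whether the Internet and Local intranet zones
# prompt for or disable Active Scripting and ActiveX, as the workaround asks.
#
# Standard IE zone registry values used here:
#   Zones\1 = Local intranet, Zones\3 = Internet
#   1400 = Active Scripting, 1200 = Run ActiveX controls and plug-ins
#   action data: 0 = Enable, 1 = Prompt, 3 = Disable
#   CurrentLevel 0x12000 = the "High" security template
function Get-ZoneWorkaroundStatus {
    param(
        # Per-user preferences. Settings pushed by Group Policy live under the
        # Policies hive and can be audited by passing that path instead.
        [string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    )

    $zones   = @{ '1' = 'Local intranet'; '3' = 'Internet' }
    $actions = @{ '1400' = 'Active Scripting'; '1200' = 'Run ActiveX controls and plug-ins' }
    $meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

    foreach ($zone in ($zones.Keys | Sort-Object)) {
        $key   = Join-Path $Root $zone
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        # Is the whole zone on the "High" template?
        $level = 'not High'
        if ($props -and ($props.CurrentLevel -eq 0x12000)) { $level = 'High' }

        foreach ($id in ($actions.Keys | Sort-Object)) {
            $raw = $null
            if ($props) { $raw = $props.$id }

            # Translate the DWORD into the label shown in the IE settings dialog.
            $label = 'not set'
            if ($null -ne $raw) {
                $label = $meaning[[int]$raw]
                if (-not $label) { $label = "other ($raw)" }
            }

            # The workaround is in place when the action prompts or is disabled.
            $restricted = ($null -ne $raw) -and (@(1, 3) -contains [int]$raw)

            New-Object psobject -Property @{
                Zone       = $zones[$zone]
                ZoneLevel  = $level
                Setting    = $actions[$id]
                Value      = $label
                Restricted = $restricted
            }
        }
    }
}

# Rows with Restricted = False still run script or ActiveX without a prompt.
Get-ZoneWorkaroundStatus |
    Select-Object Zone, ZoneLevel, Setting, Value, Restricted |
    Format-Table -AutoSize
```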

This from our Security Advisories page on TechNet…

Microsoft Security Advisory (979352) – Vulnerability in Internet Explorer Could Allow Remote Code Execution, Published: January 14, 2010

Executive Summary

Microsoft is investigating a report of a publicly exploited vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. In addition, we’re actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability.

Microsoft continues to encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at home.

Mitigating Factors:

  • Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems limits the impact of the vulnerability.
  • In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
  • By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

Tags: IE, Security, what I read, Internet Explorer, twitter, Microsoft, Windows 7.

Clubhouse Tags: Clubhouse, how-to, Windows 7, Security, IE, Internet Explorer (IE) 

MSRC references: Security Advisory, Internet Explorer (IE), Workarounds, Defense-in-depth, Exploitability, Zero-Day Exploit


Also available via http://bit.ly/4F3tgX


Surviving CES in Las Vegas: A few helpful hints

Personal Photo by Kcferret of the Las Vegas Sign. June 2005 {{GFDL}}

As you may already know, CES 2010 begins this week in Las Vegas (officially, CES is January 7-10). Yes, it’s true that researchers have determined that stress may cause the brain to become disconnected, but you don’t have to be disconnected when traveling to Las Vegas.

Once again, I was asked not once, not twice but a half dozen times in the last day for a couple of restaurant recommendations and a link to my past, popular post, “Surviving CES in Las Vegas: A few helpful hints“. So with a tip of the hat to my old friends and definite foodies at Rogers (love Aureole), I offer a few tips for those heading off to Vegas this week for the event, recycling the bits in the blog post

 

Tags: Microsoft, Xbox 360, CES 2010, CES, travel tips.


Also available via http://bit.ly/fpfL4J


Your questions: “What do people read on your blog?” Stuff about Time, Bill Gates, Kids and shopping for a new PC. Here are some of the most popular posts.

Jenn asks today…

"What do people read the most on your blog? I found your article on how to choose a new computer and found lots more stuff."

Good question, Jenn. I didn’t really know until I looked today.

Here are the top recent posts from my blog in the last couple of weeks. Seems that the most popular are the historical pieces on daylight saving time, with one of the most popular in the last couple of months my post on "Microsoft Windows August 2009 Updates to Daylight Saving Time and Time Zones" with details on Microsoft KnowledgeBase Article 970653, "August 2009 cumulative time zone update for Microsoft Windows operating systems". (Note that details on the December 2009 cumulative time zone update will be posted next week.)

One of the most popular posts in the last quarter was "Be careful: Why getting Windows 7 "RTM" today can be like a box of chocolates" advising our customers to "be careful and don’t download something from a less than trusted source. As noted in my post here on the Windows 7 Release Candidate, please don’t use torrents or P2P to get Windows 7 bits, as has been noted in the news. (Also available via http://bit.ly/L9PaO.) So many people eager to get Windows 7 but may subject themselves to malware."

On the content side, the top post in the last year (and still popular today) is the collection of articles titled "Halloween, Daylight Saving Time, Bill Gates’ new company and other mysterious things I’ve read this week" – "Here’s a blast from the past (December 2006): What do candy, Microsoft products and Congress have in common?  You can read more about this in the latest news on the subject.  If you thought tracking the machinations of various daylight saving time and time zone changes around the world was tough, Paul Tennant of the Eagle-Tribune reports that in Haverhill (MA), trick-or-treating is Saturday night this (and every) year rather than on Friday, October 31."

If the connection here is Bill Gates Halloween Masks, then you really want to read the article in Forbes (follow the link to the Halloween Masks article) from Matthew Herper back in 2003 (masks designed by Nina Gould)…

"He created a monster. In his younger days, Bill Gates was accused of being a monopolist. Microsoft is maturing, and now pays a dividend. The world’s richest man is trying to remake himself as a philanthropist who uses his vast fortune to fight the scourge of AIDS in Africa. Which is the real Gates? Ask FrankenBill." Click on image for mask.

One of the all time most popular posts is this one on Your questions: ‘If we installed the December 2007 Microsoft daylight saving time updates, are we covered for the changes this Fall?’ 

Recently, I received a question similar to one I answered last year on daylight saving time and time zone updates to Windows:

"We updated our systems earlier this year for daylight saving time [the rules for the US and Canada].  Is there anything we need to do?  Should we also update our systems with the last DST update? [referring to the August 2008 cumulative update]"

Generally, the answer is yes.  As I noted earlier here, it depends.

Next, on the top list of posts is this how-to covering one of the most popular questions: "How do I make Internet Explorer my default web browser?" 

As I work in the Windows division, a letter made its way to my office: a customer mail sent to one of our senior leaders that asked…

"How do I set up Internet Explorer to be my default web browser?"

Simple question you may say, but unfortunately in this case, the customer noted that they were unable to find the information on our web sites or using online help.  So, after first apologizing for the difficulty the customer had in locating the information, I then provided the following steps on how to configure your PC to use Internet Explorer as your default web browser. 

But I digress…

Here are a few of the most popular posts from the blog in the last month or so. Seems that most of the info I share is via my feed on twitter, which I update a few times a day.

Last but not least, I’m not sure why, but my humorous post "Apologies for my ode on the Day Before Christmas" (http://tinyurl.com/64uu5f) remains one of the top posts in the last year. My guess is that pictures of snow and kids always get folks online.

 

Tags: shopping, RSS, Microsoft, New PC, articles, blogs, Microsoft, Windows 7, what I read, twitter, FAQ, your questions.

Clubhouse Tags: Clubhouse, Windows Vista, Windows 7, computers, hardware, how-to


Also available via http://bit.ly/5Nb3ud


Your questions: “Will Office 2003 work with Windows 7?”

On today’s WSJ.com in Mossberg’s Mailbox from Nov. 18, 2009 on the allthingsd.com/ site (the blog where venerable technology columnist Walt Mossberg answers readers’ questions) Mr. Mossberg answers several reader questions, including one on Microsoft Office 2003 and Windows 7.  This must be a popular topic, because I received emails this week (thanks, April and Josh) with essentially the same question.

Q: Will Office 2003 work with the new Windows 7 operating system?

A: Microsoft, which makes both products, says the answer is yes, though I haven’t tested it.

I have. It works. I used it until recently at home (one machine recently moved to Office 2007). But you want more than anecdotal information from me.

Well, there’s a web page for that ;).

As I initially reported here, you can find more information on the Microsoft Windows 7 Compatibility Center. Perhaps folks could include a reference to this helpful site when wondering online about Windows 7 application compatibility (aka "appcompat" at Microsoft). Just a thought.

With respect to Office 2003, we have tested it and you can see the results for yourself on the Windows 7 Compatibility Center, specifically on these pages for the Office 2003 Suites (and be sure to get Office 2003 Service Pack 3, which provides the latest updates).

You can get information on more products on the Windows 7 Compatibility Center, and by using the Windows 7 Upgrade Advisor. A few weeks ago, Katie Boehret (a reporter for the Wall Street Journal who pens the weekly Mossberg Solution column), talked about this Windows 7 Upgrade Made Easy just before we released Windows 7 on October 22:

"Windows 7 Upgrade Advisor Beta [my note: it’s released now], Microsoft’s own tool, analyzes what will and won’t work properly when the newest version of Windows installs."

More info: if you’ve got questions about Windows 7, look thru the posts from community experts on the Microsoft Answers site about Windows 7 (in 11 languages!) at http://bit.ly/ZbSp6.

 

Tags: Windows Vista, what I read, twitter, Microsoft, Windows 7, FAQ, your questions.

Clubhouse Tags: Clubhouse, how-to, upgrade, Windows 7, Office.


Also available via http://bit.ly/4itwVB


When it comes to PC security, don’t be a victim… be a participant in your own rescue. Windows 7 can help, too.

As I Tweeted today, over the weekend I read Paul Cooke’s Windows Security Blog post on Windows 7 Vulnerability Claims. (I’ve added a few links if the terms are unfamiliar to you.)

"…most people don’t knowingly have and run known malware on their system. Malware typically makes it onto a system through other avenues like the browser or email program. So while I absolutely agree that anti-virus software is essential to protecting your PC, there are other defenses as well.

"Let me recap some of the Windows 7 security basics. Windows 7 is built upon the security platform of Windows Vista, which included a defense-in-depth approach to help protect customers from malware. This includes features like User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR), and Data Execution Prevention (DEP) to name just a few. The result, Windows 7 retains and refines the development processes, including going through the Security Development Lifecycle, and technologies that made Windows Vista the most secure Windows operating system ever released.

"Beyond the core security of Windows 7, we have also done a lot of work with Windows 7 to make it harder for malware to reach a user’s PCs in the first place. One of my favorite new features is the SmartScreen Filter in Internet Explorer 8. The SmartScreen Filter was built upon the phishing protection in Internet Explorer 7 and (among other new benefits) adds protection from malware. The SmartScreen Filter will notify you when you attempt to download software that is unsafe…"

I agree with Paul that you should run anti-virus software on Windows 7; our Microsoft Security Essentials is one such way to help keep your PC free of such issues and is available for free.

But you also need to remember: don’t be a victim… be a participant in your own rescue. (So says our COO Kevin Turner, paraphrased ;). 

As I noted in a post from 2006, no matter what OS you run, it doesn’t matter: be prepared. Make sure that you have the latest updates to all of your software. Generally, consumers should set up their computers to install updates automatically: Windows users may do this by ensuring Automatic Update (AU) is turned on to get the latest updates. (In managed environments (like corporations where an IT Pro manages your machine), talk to your administrator to learn about your updates.) You can also visit Windows Update for the latest updates, but the easiest way is to turn on AU.

"In a comment I received to a recent blog posting on being careful when it comes to viruses, I wanted to mention something when it comes to computer security: whether you have a PC or a Mac, you will have to be concerned about security and protect yourself.

If you own a computer – PC or Mac (and we have both at home) – you should run AV software, have a firewall on your internet connection and practice "safe computing."

"But we have to be careful to reach broad-based conclusions. It’s better to anticipate an attack and be prepared and protected rather than hope that you won’t be the victim of an attack. As I said in a past post, see our Security at home site for more ideas on how to protect your computer. It has info on avoiding online scams with the Microsoft Phishing Filter, anti-virus, anti-spyware, security updates, Office and Windows update tools… well worth your time. Mac users can look here on Apple’s site for more info on protecting your Mac."

For Mac users, of interest is eWeek’s Larry Seltzer’s article on "What Will Apple Do When the Malware Comes?"

As noted in my post earlier this year, follow these six tips for staying safe online, as provided in this article in the Seattle Times on cybersafety:

  1. Protect your privacy and personal information
  2. Be alert online
  3. Delete junk e-mail
  4. Use strong passwords
  5. Use antivirus software and a firewall
  6. Be smart about downloading

Pay particular attention to that last item. As I wrote here, you should only download software from a trusted source – for example, via Microsoft for our products and service – and avoid peer to peer to save yourself an additional security risk.

Additional information and guidance:

 

Tags: Windows Vista, Security, what I read, twitter, Microsoft, Windows 7, Microsoft Security Essentials.

Clubhouse Tags: Clubhouse, how-to, Security, download, Microsoft Security Essentials.


Also available via http://bit.ly/3ip7YF