
Based on some questions and feedback of our customers, I would like to give you an update on MS06-015.

If you install this update, there might be some problems that could look like the following:

  • You cannot access special folders such as "My Documents" or "My Pictures." 
  • Microsoft Office applications stop responding when you try to save or to open Office files in the "My Documents" folder.
  • Office files that are located in the "My Documents" folder cannot be opened.
  • If you open a file by clicking Open on the File menu, the application stops responding.
  • When you type an address in the Address box in Microsoft Internet Explorer, nothing happens.
  • When you right-click a file and then click Send To, nothing happens.
  • When you expand a folder in Windows Explorer, nothing happens.
  • Some third-party applications stop responding when you open or save data in the “My Documents” folder.

If you experience one of those issues, you most likely have either nVidia or HP software installed. We are working actively with those vendors to solve these issues.

If you need more information, please consult the corresponding KB article: http://support.microsoft.com/kb/918165/en-us

Roger

Microsoft is joining more than 36 companies in participating in the second annual Email Authentication Summit in Chicago. Microsoft announced "strong momentum" in its work with other technology industry leaders to help promote email safety. Included in this strong momentum is the heightened use of the Sender ID framework for e-mail authentication, as well as the launch of an enhanced MSN Postmaster Services program. The program is designed to assist email senders and ISPs to manage their outbound email infrastructures better.
http://www.securitypronews.com/news/securitynews/spn-45-20060419MicrosoftShowsStrongMomentuminEmailProtection.html

Microsoft/SenderID:
http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx

Urs

 

You probably saw this already. There is the first proof-of-concept virus out there that seems to be able to cross platform boundaries and flip between Windows and Linux: http://www.viruslist.com/en/weblog?weblogid=183651915

I would be interested in how you see this threat. Is it real? How big is the problem from your point of view? Do you expect an outbreak soon?

Roger

MS Research has released a paper on "Strider Typo-Patrol: Discovery and Analysis of Systematic Typo-Squatting". Typo-squatting refers to the practice of registering domain names that are typo variations of popular websites. We propose a new approach, called Strider Typo-Patrol, to discovering large-scale, systematic typo-squatters. We show that a large number of typo-squatting domains are active and a large percentage of them are parked with a handful of major domain parking services, which serve syndicated advertisements on these domains.

http://research.microsoft.com/research/pubs/view.aspx?type=technical+report&id=1084

Urs

 

Laptop thieves get more and more aggressive over time. Therefore, think about protecting your information (e.g. Rights Management, Windows Vista)...

http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/04/08/MNGE9I686K1.DTL

Roger

We all think about patching Windows, Office, the Backup Software, etc. Who of you thinks of the printers? Watch out: http://www.theinquirer.net/?article=30878

Roger

The Windows registry contains a lot of information that is of potential evidential value or helpful in aiding forensic examiners on other aspects of forensic analysis. This paper discusses the basics of the Windows XP registry and its structure, data hiding techniques in the registry, and analysis of potential Windows XP registry entries that are of forensic value.

http://www.forensicfocus.com/forensic-analysis-windows-registry

Urs

 

There are days when a lot of companies will think: Glad it did not happen to us: http://www.computerworld.com/printthis/2006/0,4814,110142,00.html

Roger

A pretty cool quote from John Pescatore, Gartner on third-party patches:

My neighbor is a smart guy, and he designs medical machinery. However, I'm pretty sure I won't be using his homegrown remedy for bird flu. I'm also really sure I don't want my kids to think it's OK to accept medicine from anywhere they find it. It is not a good idea for enterprises or consumers to get in the habit of accepting patches to software from anywhere other than the vendor of the software. Use the time you'd spend undoing them to pressure software vendors to reduce the time they spend talking about security and increase the time they spend reducing security vulnerabilities before they ship their products.

From SANS NewsByte

Roger

Mike Nash just published information about the ActiveX fix on the MSRC blog. The most important part is:

  1. New machines that ship with Windows will include the ActiveX change. 
  2. For our April IE cumulative security update, we will include the IE ActiveX change in the security update, but we will create a “compatibility patch” (deployed like a hotfix) that allows customers to turn off the change for a limited period of time through the June update cycle (2nd Tuesday in June) to provide time for enterprise customers to resolve compatibility issues.

Read more at: http://blogs.technet.com/msrc/archive/2006/03/29/423560.aspx

 

Roger

There are at least two third-party patches for the IE vulnerability out there. Please be aware of two things:

  • They do not fix the actual vulnerability
  • The application of a third-party patch is not supported

In the end, what you do is part of your risk assessment, but we strongly advise you to wait until we release the update. At the moment we are going for April 11 unless the situation on the web changes dramatically.

Roger

Several times already we (Microsoft) have informed you about a change we will have to make in the way we handle ActiveX. On February 28 we published a Security Advisory to pre-warn about this change: http://www.microsoft.com/technet/security/advisory/912945.mspx.

Finally, we informed you that we will include this change in the next Cumulative Security Update for Internet Explorer. As you may expect, the next Security Update cannot be far away.

Therefore I would really like you to test your applications that use ActiveX in order to make sure that you are able to roll this update out.

Roger

This February I had the opportunity to meet our internal IT Threat Modelling team together with a customer, and I was really impressed by how our internal IT is doing threat modelling of applications they are buying and using in our network.

Now they have released Beta 2 of the Application Threat Modelling Tool. Go and have a look at it at http://msdn.microsoft.com/security/securecode/threatmodeling/acetm/. Feedback would be appreciated.

Roger

I get questions regarding the recently published vulnerability that might crash IE. At the moment, you can find the best information regarding this on the blog of the Microsoft Security Response Center: http://blogs.technet.com/msrc/default.aspx

Roger

I do not know whether you know John Pescatore, Gartner. He is definitely not what you can call a Microsoft fan. Today he seems to have made the following statement:

"It [Vista] is going to remove the low-hanging fruit. It is going to make it that much harder for dumb spyware to work," said John Pescatore, an analyst with Gartner. "What it will really do is start forcing the threats further up the food chain," he added.

Read the full story here.

Roger
