Microsoft yesterday has opened registrations for the next version of Microsoft Security Essentials. Users who sign up early enough will get a chance to test the beta version of the security software before anyone else can do. Beta spots are limited according to the announcement on the Technet site and served on a first in first out (fifo) basis.

The beta will be released soon, considering that it will be made publicly available at the end of the year. More interesting to a wider audience, especially those who run Microsoft Security Essentials, are the planned improvements and new features that Microsoft is currently working on.

The new version of Microsoft Security Essentials comes with a new protection engine offering enhanced detection and cleanup capabilities. One of the improvements in this regard is automatic malware remediation, which basically means that the security application can clean “high-impact malware infections automatically” without user interaction.

Add to that better performance to avoid negativ performance impacts on PCs running Microsoft Security Essentials and a simplified user interface. It will be interesting to see how the simplified UI looks like, considering that many consider the current MSE interface bare-bones.

The improvements all make sense, especially the new protection engine with its updated detection and cleanup capabilities could improve the application significantly.

Users who want to sign up for the beta program need to have a Windows Live account. It is possible to create one on the sign up page or use an existing one.

It does not make much sense for most Windows users to sign up for the beta, considering that it will be available later this year for the general public.

Regardless of that, it is good to see that Microsoft is improving the free security software continuously. (via)

Microsoft today has releases a security advisory to give customers “guidance for the Windows kernel issue related to the Duqu malware”.

The advisory describes a vulnerability in TrueType font parsing that could allow elevation of privileges. Attackers who manage to exploit the vulnerability can run arbitrary code in kernel mode which would allow them to install programs, “view, change or delete data” and create new accounts with “full user rights”.

Microsoft confirms that targeted attacks are carried out currently that use the vulnerability. The overall impact is however rated as low.

Microsoft is offering a manual workaround for affected versions of Windows on the security advisory page:

On Windows XP and Windows Server 2003:

For 32-bit systems, enter the following command at an administrative command prompt:

Echo y| cacls “%windir%\system32\t2embed.dll” /E /P everyone:N

For 64-bit systems, enter the following command from an administrative command prompt:

Echo y| cacls “%windir%\system32\t2embed.dll” /E /P everyone:N

Echo y| cacls “%windir%\syswow64\t2embed.dll” /E /P everyone:N

On Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2:

For 32-bit systems, enter the following command at an administrative command prompt:
Takeown.exe /f “%windir%\system32\t2embed.dll”

Icacls.exe “%windir%\system32\t2embed.dll” /deny everyone:(F)

For 64-bit systems, enter the following command at an administrative command prompt:
Takeown.exe /f “%windir%\system32\t2embed.dll”

Icacls.exe “%windir%\system32\t2embed.dll” /deny everyone:(F)

Takeown.exe /f “%windir%\syswow64\t2embed.dll”

Icacls.exe “%windir%\syswow64\t2embed.dll” /deny everyone:(F)

The workaround may impact applications that “rely on embedded font technologies”.

The workaround can be undone again the following way:

On Windows XP and Windows Server 2003:

For 32-bit systems, enter the following command at an administrative command prompt:
cacls “%windir%\system32\t2embed.dll” /E /R everyone

For 64-bit systems, enter the following command at an administrative command prompt:
cacls “%windir%\system32\t2embed.dll” /E /R everyone

cacls “%windir%\syswow64\t2embed.dll” /E /R everyone

On Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2:

For 32-bit systems, enter the following command at an administrative command prompt:
Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d everyone

For 64-bit systems, enter the following command at an administrative command prompt:
Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d everyone

Icacls.exe %WINDIR%\syswow64\t2embed.DLL /remove:d everyone

Microsoft furthermore has released a fix it solution that users can run on their system to protect it from the security vulnerability

The fix it can be downloaded from the following Microsoft Knowledge Base article.

It is recommended to apply the workaround on computer systems until Microsoft releases a security patch that resolves the issue without side effects.

Please note that there is a fix-it for enabling and one for disabling the workaround.

Rootkit.Duqu.A is digitally signed (with a stolen and revoked certificate) which means that it targets not only 32-bit Windows systems but also 64-bit editions of the Microsoft Windows operating system. According to information posted by Bitdefender, Duqu runs for 36 days on a computer collecting information entered via the keyboard. This may include passwords, emails, conversations, logins on popular sites and even banking and credit card information.

Symantec has posted additional information about Duqu’s installer. According to Symantec’s information, Duqu is spread as a Microsoft Word document that exploits a Windows kernel vulnerability that allows code execution. When a user opens the Word document the malicious code is executed and Duqu is installed on the system.

Duqu infections have already been confirmed in countries such as France, Switzerland, India, the United Kingdom, Austria and the Netherlands.

Symantec has released a whitepaper in pdf format that contains all known details up to this point.

Windows users who want to make sure that their system is clean and not infected by the Duqu rootkit can use Bitdefender’s Removal Tool to scan the system and if necessary disinfect it.

The portable rootkit remover can be downloaded from an official Bitdefender website. All that Windows users need to do is to click on the Scan button to start the scan. The program will list any files that have been identified to be part of the Duqu rootkit. Please note that the program may require elevated rights on some machines.

Is there a way to protect your computer in the meantime? Yes, do not open Word documents locally. Use an online document viewer like Google Docs or Docs.com for that. (via)

The remote desktop protocol drives Remote Desktop Services through Port 3389 by default. Any Remote Desktop connections are made through Port 3389. This is the case for every user reading this unless you have already changed the port. Basically, this means that this port is an easy target. By changing the RDP port, security is enhanced because bots and kiddies are designed to target RDP Port 3389. Change the port!

For this to be truly effective, implement a strong account lockout policy. This defends against the use of RDP protocol to obtain the administrator password. If the password is attainable due to the absence of an account lockout policy, then the RDP Port can be found regardless of what it has been changed to.

Changing the default RDP port is achieved through a simple registry hack. Another method is to change the RDP port with a third-party utility. Always set a restore point before making changes to the registry.

The Registry Hack

Run regedit from the start menu to open the Registry Editor. Navigate to HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet, Control, Terminal Server, WinStations and RDP_Tcp. Find the PortNumber dword and right-click.

Select Modify. Alter the base to Decimal and enter the new port number with a value between 1025 and 65535, as long as the port is not in use. Click OK.

The Software Hack

The Microsoft Fix It Wizard can be used to change the RDP Port. It is available through the Microsoft website. Here is the download link: http://go.microsoft.com/?linkid=9759545. Click this link and download the free utility. Click Next to initiate the Wizard. A PortNumber screen will be presented. Enter the value of an unused port that you want to use as the new RDP Port. Again, the value must be between 1025 and 65535. Click Next and you are done.

Reboot the system to put the changes into effect.
The next time you connect to your system with RDP you are going to have to provide the new port number. Be sure that you write it down in a safe place so you do not forget. From the Remote Desktop client, append a colon after the ip address or after the host name and enter the port number after the colon. This will set everything up to operate normally.

This may be a simple task, but it certainly is an effective step to avoid security problems with Remote Desktop operations. A good account lockout policy and changing the RDP Port goes a long way to keep the PC bad guys at bay.

Windows users who do not use Remote Desktop can alternatively disable the service completely to close down access completely. This is done with a click on the Start button and the selection of Control Panel.

There you need to open the System Control Panel applet and select Remote Settings from the options.

Uncheck “allow remote assistance connections to this computer” and activate “don’t allow connections to this computer” under Remote Desktop.

The basic rule is that if you are running a good anti-malware program, other anti-malware programs conflict with it in certain ways so you only run one, not two or three. In this case, the PC being used as an example is running excellent anti-malware software and, as it turns out, Windows Defender has disabled the manual scan option for that security software. This is how you can disable Windows Defender easily and potentially remedy such problems.

Open Windows Defender by typing the name in the search box at the Start menu and then press enter. Again, do not disable this if this is your only protection and you are not using other anti-malware.

Go to Tools at the top menu and click Options. Click Administrator. You will have to be using the Administrator account. If prompted for an administrator password, provide it.

Uncheck the box next to “Use this program” and then click the Save button. You will now see a message that the program has been turned off.

That is all there is to it. If you want to turn Windows Defender on again, simply open the program the same way and click on the “click here to turn it on” link in the “this program is turned off” window on startup.. If you want to ensure that it never gets turned on again, open the Services panel through the Control Panel and find Windows Defender. You may also type “services.msc” in the start menu and then find Windows Defender in the list and double-click it. Now change the Startup type to Disabled.

Next, click Apply and Windows Defender will not turn on by default for any reason. You can reset this in the future if you need to. Remember, this article is in no way stating that this is something you have to do, just that you can do it. The decision is yours. Be certain that your computer is protected against malware with a high quality, Windows 7 compatible anti-malware suite. To learn more about compatible security programs for Windows 7, visit the Microsoft website.

The first program you need is called RogueKiller, which is free to download and run. You can download this by going to your browser and typing http://tigzy.geekstogo.com/Tools/RogueKiller.exe Don’t worry if you get some pop-ups generated by the malware when you open IE because it’s been hijacked, just close them until you get to your browser and copy and paste that link in. You’ll find the browser won’t block a direct link. Go ahead and save that file to your desktop. Before you save it however, change the name of the file from RogueKiller to Winlogon. If your browser really isn’t happy because of all the bugs, you can also paste that link into a run window. Go to start and then run, and paste the link. This will again open your browser and you may have to close a few windows before you can save the file.

Run the file on your desktop called Winlogon, and you’ll be presented with a DOS screen with some information and six options. RogueKiller will already have identified the process that is causing the problem, so the option you want is number two, for delete. This deletes the process that is locking up your computer. You’ll see a few screens flash by, and you’ll be presented with a report. You don’t need to view the report, it’s just for information, and so close it and you’ll be back at the desktop.

The next piece of free software you need is called Malwarebytes. You can download this by going to http://www.myantispyware.com/mbam You should find you have the use of your browser back, so go ahead and copy and past this into the address bar of IE and download the software. Again, copy it to your desktop, as this is a logical place to find it easily. Run the installation program and just follow the prompts, as it’s all fairly self-explanatory. When you get to two checkboxes at the end asking if you want to run the program and do an update, leave them checked and click finish. You may be asked if you want to buy the full version of Malwarebytes. At this point just decline and you can continue to use the free version.

Once the update has completed, you can go ahead and do a full scan. It will ask which drives to scan, uncheck everything except the C drive and run the scan. This may take some time, so go and do something else. Once it’s finished though, you can reboot your computer, and with fingers crossed your computer will be back to normal. Now’s a great time to update your antivirus software!!

All in all, the bulletins address 22 vulnerabilities in Microsoft products. The two critical updates address issues in Internet Explorer and DNS Server.

Microsoft has released deployment priorities and the severity and exploitability index. (click on the images for full size)

• MS11-057 – Cumulative Security Update for Internet Explorer (2559049) – This security update resolves five privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS11-058 – Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485) – This security update resolves two privately reported vulnerabilities in Windows DNS server. The more severe of these vulnerabilities could allow remote code execution if an attacker registers a domain, creates an NAPTR DNS resource record, and then sends a specially crafted NAPTR query to the target DNS server. Servers that do not have the DNS role enabled are not at risk.

The bulletins that fix important issues.

• MS11-059 – Vulnerability in Data Access Components Could Allow Remote Code Execution (2560656) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate Excel file (such as a .xlsx file) that is located in the same network directory as a specially crafted library file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS11-060 – Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2560978) – This security update resolves two privately reported vulnerabilities in Microsoft Visio. The vulnerabilities could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS11-061 – Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege (2546250) – This security update resolves a privately reported vulnerability in Remote Desktop Web Access. The vulnerability is a cross-site scripting (XSS) vulnerability that could allow elevation of privilege, enabling an attacker to execute arbitrary commands on the site in the context of the target user. The XSS Filter in Internet Explorer 8 and Internet Explorer 9 prevents this attack for its users when browsing to a Remote Desktop Web Access server in the Internet Zone. The XSS Filter in Internet Explorer 8 and Internet Explorer 9 is not enabled by default in the Intranet Zone.
• MS11-062 – Vulnerability in Remote Access Service NDISTAPI Driver Could Allow Elevation of Privilege (2566454) –
  This security update resolves a privately reported vulnerability in all supported editions of Windows XP and Windows Server 2003. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability.

  The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to exploit the vulnerability and take complete control over the affected system. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

• MS11-063 – Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2567680) –
  This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to send a device event message to a higher-integrity process. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
• MS11-064 – Vulnerabilities in TCP/IP Stack Could Allow Denial of Service (2563894) – This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow denial of service if an attacker sends a sequence of specially crafted Internet Control Message Protocol (ICMP) messages to a target system or sends a specially crafted URL request to a server that is serving Web content and has the URL-based Quality of Service (QoS) feature enabled.
• MS11-065 – Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (2570222) – This security update resolves a privately reported vulnerability in the Remote Desktop Protocol. The vulnerability could allow denial of service if an affected system received a sequence of specially crafted RDP packets. Microsoft has also received reports of limited, targeted attacks attempting to exploit this vulnerability. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system.
• MS11-066 – Vulnerability in Microsoft Chart Control Could Allow Information Disclosure (2567943) – This security update resolves a privately reported vulnerability in ASP.NET Chart controls. The vulnerability could allow information disclosure if an attacker sent a specially crafted GET request to an affected server hosting the Chart controls. Note that this vulnerability would not allow an attacker to execute code or to elevate the attacker’s user rights directly, but it could be used to retrieve information that could be used to further compromise the affected system. Only web applications using Microsoft Chart Control are affected by this issue. Default installations of the .NET Framework are not affected.
• MS11-067 – Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure (2578230) – This security update resolves a privately reported vulnerability in Microsoft Report Viewer. The vulnerability could allow information disclosure if a user views a specially crafted Web page. In all cases, however, an attacker would have no way to force a user to visit the Web site. Instead, an attacker would have to persuade a user to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes the user to the vulnerable Web site.

And finally the moderate bulletins.

• MS11-068 – Vulnerability in Windows Kernel Could Allow Denial of Service (2556532) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a user visits a network share (or visits a Web site that points to a network share) containing a specially crafted file. In all cases, however, an attacker would have no way to force a user to visit such a network share or Web site. Instead, an attacker would have to convince a user to do so, typically by getting the user to click a link in an e-mail message or Instant Messenger message.
• MS11-069 – Vulnerability in .NET Framework Could Allow Information Disclosure (2567951) – This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow information disclosure if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

The updates are as usually available via Windows Update and Microsoft’s Download Center (even though I would not recommend using this at this time as it is a mess).

While one could argue that the figures are also explainable by the factors time and the fact that most rootkits target 32-bit systems, it is undeniable that rootkits pose a serious security risk.

The two free rootkit scanners Avast aswMBR and Sophos Anti-Rootkit can be used to scan a PC system for rootkits. There are other tools that can be used for the purpose, like the previously reviewed Codewalker, AVG Anti-Rootkit Free or the incredibly useful TDSSKiller by Kaspersky.

Avast aswMBR is a portable program for Windows. The program offers to download the latest antivirus definitions from Avast servers on first start. Those definitions are then used to scan and identify potentially dangerous files that have been discovered by the rootkit scanner.

A click on the Scan button starts the scan of the system. Potentially dangerous files are highlighted in yellow and red colors on the screen. Suspicious or infected files are declared as those directly in the interface. The Fix or Fix MBR buttons are used to disinfect the system and remove the rootkit from it. Avast aswMBR can be downloaded directly from the Avast website. The rootkit module is part of all Avast antivirus solutions.

Sophos Anti-Rootkit is another portable rootkit scanner for Windows. The download becomes available after filling out a two page form on the Sophos website. The rootkit scanner comes as a rar archive that you need to unpack on the system. The program displays a minimalistic interface on startup. The Windows Registry and local hard drives are automatically selected for the scan next to the running processes. A click on Start Scan opens a new window that highlights the scan progress.

The anti-rootkit software lists all suspicious or unknown hidden files in the log. Not all those files are rootkits, and it pays to scan the listed files with another rootkit scanner or an online scanner such as Virus Total.

Both rootkit scanners are portable and free for personal use. This makes them ideal for a admin toolset on DVD or USB stick.

Simply download and unzip Autoruns from the link below. It is a standalone utility that does not require installation. Add it to a flash drive for portable use and easy access.

http://technet.microsoft.com/en-au/sysinternals/bb963902.aspx

From the Zip file, double-click the autoruns.exe Application listed first. The application opens quickly, and you should see a tabbed interface.

This is the main window for Autoruns. The list shows all software that will run when you start your PC. Most of the programs presented are legitimate and are not malware. It takes some practice to identify malware processes. To disable a program from launching temporarily, uncheck the box next to the entry. To permanently prevent a program from launching, highlight and delete it. You will have to uninstall the program from your computer, as this deletion does NOT remove the software. If you recognize the software name, it is most likely legitimate. Check the Logon tab, as this is where malware will most typically appear. You may want to check the Hide Microsoft and Windows entry setting under Options to hide operating system files from being displayed. This reduces the list you have to go through significantly.

It should be noted that malware will adopt recognizable software names. One way to spot malware is by looking under the Publisher column. If there is no entry or if the publisher’s name is something that you do not recognize, then it is probably malware. If you suspect a recent infection, open the EXE or DLL file for the software and look at the “last modified” date. If it is a recent date and you have not installed any software recently, that is malware. Updates will have a Publisher clearly listed and are confined to operating system updates. These will have recent dates but are not malware. Generally, malware can be found in the C:\Windows folder or the C:\Windows\System32 folder.

This is what a malware entry will look like. In this case, Diskfix and SearchHelper are the culprits. These were not intentionally installed; they were installed by a Trojan downloader. Note that they have generic icons and the filenames are random characters. This is the mark of malware.

These two executable files were found in the C:\Windows\System32 folder using Autoruns.

Once the malware has been identified, you can temporarily disable them, permanently delete them, find them in Task Manager to terminate the processes, delete the files from your hard drive, or move them to a folder that will confine them from restarting. Do all of the above if you are sure that it is malware. Once you have made the changes, reboot the computer and start Autoruns again to see if the programs are still listed there. Next, check the Task Manager to see if they are running. If everything is clear on those fronts, you have succeeded in manually cleaning your PC of hidden malware and your locked antivirus program should be running well again.

If you are not sure about a specific program or file listed in Autoruns, you could use an online virus scanner like Virus Total to scan it. Another option is to research the file name on the Internet.

Rkill is a free utility offered by bleepingcomputers.com. Here are the links to give you the different versions:

• http://download.bleepingcomputer.com/grinler/rkill.com
• http://download.bleepingcomputer.com/grinler/rkill.exe
• http://download.bleepingcomputer.com/grinler/rkill.scr
• http://download.bleepingcomputer.com/grinler/eXplorer.exe
• http://download.bleepingcomputer.com/grinler/iExplore.exe

The different versions are offered as many malware processes will execute through various paths. You will need it at some point when operating a PC. This will not remove malware or repair damage caused by malware. This will simply stop the processes from running. Once you download, you can save the file and run a security scan. It is doubtful that you will find any security risks, but just stay on the safe side and check before running the utility. Once you start Rkill, this screen will open:

This process can take a long time to complete. You can temporarily disable antivirus and anti-spyware programs as they will often recognize Rkill as a threat and disable it. It may sound crazy to disable antivirus software and it is not a move without risk. It is better to go into your antivirus software and create an exception for the Rkill version that you use and leave the rest of the antivirus running as is. After Rkill is prepared, it will indicate that it is terminating malware processes.

Close applications to make this faster. The “Please be patient” message is no joke. You might wait 30 minutes and you might also wait for hours. The wait is worth it. When Rkill has completed its task, it will show a screen like this:

Please note that Rkill’s main purpose is to prepare the system for the disinfection of malicious software. That’s why you see Chrome and rundll32.exe in the list above. It does not mean that those processes are malicious.

The next thing to do is open your antivirus software and run a scan. A prior scan did not pick those cookies up before running Rkill. The advantage is obvious. Select all and delete from quarantine. It is a good idea to use MalwareBytes, another free utility to run a basic malware scan. This can be run in conjunction with the antivirus scan on Windows 7 as long as your PC processor can handle the load. The general rule is to run MalwareBytes separately to avoid confusion. It has been found favorable to run a good antivirus scan first and then run MalwareBytes. Obtain the free download for MalwareBytes here:

Use the free download or purchase the full version. The free download is sufficient as long as your antivirus is up to date. After following the prompts, MalwareBytes will open and you should just run a quick scan. It will detect any remaining malware that your antivirus may have missed. By running the antivirus before MalwareBytes, everything was removed. When MalwareBytes completes a scan, it shows a screen with the results. Nothing was found here because my resident malware protection removed the malware already.

That is all there is to it. If in doubt about malware, try Rkill and see what is actually going on in the background.

Please note that Malwarebytes is just a suggestion. There are other free tools out there that you can use to scan your system, Dr. Web Cure It for instance.

The Malware Prevention Fix-It belongs to that category. While it still comes with an option to check and repair everything automatically, it can also be run manually to give the user the option to accept or deny suggested actions.

The program runs a series of security related checks on the system to find possible security issues. It can fix a variety of settings and tools, including Windows Firewall, Antivirus protection, User Account Control, Data Execution Prevention or the system’s phishing and smartscreen filters.

Users get the option to let the Fix-It tool detect the problems and apply the fixes, or to do that manually. The manual option is suggested for experienced users, and users who want to know about the changes that are made to the system.

Users who select the manual option get a list of possible security issues that have been found on the system. All issues are displayed with checkboxes to enable or disable their fixes.

Additional information are displayed in a mouse over popup. These can be handy for users who want to know more about a specific tool, feature or service listed there. There is also an option to display a detailed report which lists all issues that have been checked on the system.

The Fix-It then tries to resolve the issues on the Windows operating system. It displays a status report in the end listing the issues and their fix status.

The Windows Security Fix-It can be handy for users who are recovering from a malware attack on their system. Malware sometimes makes changes to the system’s security, and this tool can be used to revert possible changes. It can also be used if you want to check your system’s default security settings, for instance during regular security assessments.

Windows users can download the Fix-It from the Microsoft Support website. (via)

If you look at the maximum severity rating you notice that the Windows vulnerabilities have received a severity rating of critical, the highest possible rating. The Office bulletin on the other hand received a rating of important, the second highest rating.

Microsoft Security Bulletin MS11-035 offers detailed information about the Windows vulnerability. It affects only Windows Server products, from Windows Server 2003 to Windows Server 2008 R2. Not affected are all client operating systems of Microsoft.

If you look at Microsoft Security Bulletin MS11-036 you notice that Office XP, 2003 and 2007 are affected on Windows. Furthermore affected are Microsoft Office 2004 and 2008 for Mac, the Open XML File Format Converter for Mac and the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2.

Why is not Office 2010 affected by the vulnerability? Because Office File Validation mitigates the risk of the vulnerability.

• MS11-035 – Vulnerability in WINS Could Allow Remote Code Execution (2524426) – This security update resolves a privately reported vulnerability in the Windows Internet Name Service (WINS). The vulnerability could allow remote code execution if a user received a specially crafted WINS replication packet on an affected system running the WINS service. By default, WINS is not installed on any affected operating system. Only customers who manually installed this component are affected by this issue.
• MS11-036 – Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2545814) – This security update resolves two privately reported vulnerabilities in Microsoft PowerPoint. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited either of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Installing and configuring Office File Validation (OFV) to prevent the opening of suspicious files blocks the attack vectors for exploiting the vulnerabilities described in CVE-2011-1269 and CVE-2011-1270.

Additional information on both vulnerabilities are available at the MSRC Technet Blog.

The patches are available via Windows Update or the Microsoft Download Center. The May Security Release ISO image is available there as well.

Microsoft is currently pushing out a Windows Update that addresses the situation on Windows. Lets take a closer look at what actually happened before we go into details about that.

Comodo, a certification authority, notified Microsoft and other companies on March 16 that “nine certificates had been signed on behalf of a third party without sufficiently validating its identity”.

The following domains are affected by the certificates:

• login.live.com
• mail.google.com
• www.google.com
• login.yahoo.com
• login.skype.com
• addons.mozilla.org
• Global Trustee

These domains are some of the most visited domains on the Internet.

Microsoft notes that “these certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer”.

Comodo has revoked the certificates in the meantime. Microsoft has released a security update for all versions of Windows that moves the fraudulent certificates into the untrusted certificate store of Microsoft Windows.

The update is provided via Windows Update and Microsoft Download. Users with automatic updating enabled will receive the update automatically, a restart of the system is not required after the update has been installed.

• Microsoft Security Advisory: Fraudulent Digital Certificates could allow spoofing at Microsoft Download [link] for direct downloading.
• Security Advisory [link]

Here is how you can verify that the certificates are blocked after you have installed the update. Open an elevated command prompt. Windows 7 users click on Start, select All Programs > Accessories, right-click the Command Prompt program link and select Run as Administrator.

Enter mmc in the command prompt window to launch the Microsoft Management Console. Now follow these steps:

• Press Ctrl-m or select File > Add / Remove Snap In
• Find Certificates in the listing, select it with a left-click and click on Add.

• Select Computer Account on the next window and press Finish
• Click the ok button to leave the Add or Remove Snap-ins configuration window.
• Expand the certificates listing under Console Root and then the Untrusted Certificates sub-listing. Click on the Certificates folder there.

You should now see the affected domain names in the listing. Issued by should read UTN-USERFirst-Hardware.

Individual options are displayed with checkboxes to activate or deactivate them. Each entry offers a description of its impact when it is selected. Take a look at the screenshot below for an example of how this looks like in the application.

It can take well over an hour to go through all settings available. Here are a few example security settings offered by the application:

• Disable the network connection wizard
• Disable drag and drop in the start menu
• Do not move deleted files to the Windows Recycle Bin
• Disable adding and deleting printers
• Disable the Windows Task Manager

The tool seems to be largely designed to control these settings for other users of the system. While it is possible to enable or disable them via Group Policies or the Registry, it often is an easier task to use a software like True System Security Tweaker for it.

It is possible to set an administrator password to prevent unauthorized access and tampering with settings. A reset all settings to their default values is available as well.

A prompt is displayed when the application is closed if the changes should be saved for the logged in user.

True System Security Tweaker is available for 32-bit and 64-bit editions of the Windows operating system. The application is available for direct download. Interested users can request the Delphi source code from the developer.

Windows users can check for the updates by opening Windows Update which is linked from the Windows start menu. There it is possible to check for new updates which needs to be done if the PC has been running for some time today.

The security bulletin summary for February 2011 offers in depth information about the updates and the affected applications.

All individual security bulletins are listed and linked below as well.

• MS11-003 – Cumulative Security Update for Internet Explorer (2482017) – This security update resolves two privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user opens a legitimate HTML file that loads a specially crafted library file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS11-006 – Vulnerability in Windows Shell Graphics Processing Could Allow Remote Code Execution (2483185) – This security update resolves a publicly disclosed vulnerability in the Windows Shell graphics processor. The vulnerability could allow remote code execution if a user views a specially crafted thumbnail image. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS11-007 – Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2485376) – This security update resolves a privately reported vulnerability in the Windows OpenType Compact Font Format (CFF) driver. The vulnerability could allow remote code execution if a user views content rendered in a specially crafted CFF font. In all cases, an attacker would have no way to force users to view the specially crafted content. Instead, an attacker would have to convince users to visit a Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
• MS11-004 – Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution (2489256) – This security update resolves a publicly disclosed vulnerability in Microsoft Internet Information Services (IIS) FTP Service. The vulnerability could allow remote code execution if an FTP server receives a specially crafted FTP command. FTP Service is not installed by default on IIS.
• MS11-005 – Vulnerability in Active Directory Could Allow Denial of Service (2478953) – This security update resolves a publicly disclosed vulnerability in Active Directory. The vulnerability could allow denial of service if an attacker sent a specially crafted packet to an affected Active Directory server. The attacker must have valid local administrator privileges on the domain-joined computer in order to exploit this vulnerability.
• MS11-008 – Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2451879) – This security update resolves two privately reported vulnerabilities in Microsoft Visio. The vulnerabilities could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited either of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS11-009 – Vulnerability in JScript and VBScript Scripting Engines Could Allow Information Disclosure (2475792) – This security update resolves a privately reported vulnerability in the JScript and VBScript scripting engines. The vulnerability could allow information disclosure if a user visited a specially crafted Web site. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
• MS11-010 – Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2476687) – This security update resolves a privately reported vulnerability in the Microsoft Windows Client/Server Run-time Subsystem (CSRSS) in Windows XP and Windows Server 2003. The vulnerability could allow elevation of privilege if an attacker logs on to a user’s system and starts a specially crafted application that continues running after the attacker logs off in order to obtain the logon credentials of subsequent users. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
• MS11-011 – Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) – This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.
• MS11-012 – Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2479628) – This security update resolves five privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.
• MS11-013 – Vulnerabilities in Kerberos Could Allow Elevation of Privilege (2496930) – This security update resolves one privately reported vulnerability and one publicly disclosed vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if a local, authenticated attacker installs a malicious service on a domain-joined computer.
• MS11-014 – Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege (2478960) – This security update resolves a privately reported vulnerability in the Local Security Authority Subsystem Service (LSASS) in Windows XP and Windows Server 2003.

  The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

The updates can also be downloaded directly and individually from the Microsoft Download Center. Check out our detailed Windows Update guide for additional information and tips.

The developers have designed it with mobile Windows PCs, such as laptops and netbooks, in mind as they usually pose a greater risk of being accessed by third parties.

The program displays one screen after installation and startup that displays all options. Options are activated with a click on the corresponding checkbox.

The Am I Secure button analyses the system and checks the active settings automatically. It is possible to uncheck options and to check new options that should be applied.

Here is an overview of the available options:

• Remove LM cypher
• Remove pagefile.sys on shut down
• Remove username when logging in
• Activate screensaver password
• Removes autorun in usb, cd, etc…
• User’s password is present
• Check password complexity
• Install / Uninstall context menu wiper
• Password in recovery console
• Disable password caching in Internet Explorer
• Disable hibernation (hibernation.sys)
• Disable administrator and guest user accounts
• Cipher “my documents” folder

It is furthermore possible to export the file encryption certificates which are necessary to access the files.

The available items are not explained in the application itself, only on the developer homepage. Some should be self-explanatory while some require explanation.

A click on the Secure Me button performs the selected setting changes. Many of the options available can also be set manually by a system administrator. Regular users on the other hand will have a hard time discovering and finding those settings in the operating system.

Lap Sec has been designed as a run-once tool after installation of the operating system.

The free application can be downloaded from the developer website.

Security Advisory 2501696 reveals that the “vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document” and that it “could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites, resulting in information disclosure”.

The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim’s Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.

An example of a possible attack is given by Angela Gunn at the MSRC blog:

For instance, an attacker could construct an HTML link designed to trigger a malicious script and somehow convince the targeted user to click it. When the user clicked that link, the malicious script would run on the user’s computer for the rest of the current Internet Explorer session. Such a script might collect user information (eg., email), spoof content displayed in the browser, or otherwise interfere with the user’s experience.

Microsoft admits that proof-of-concept code has been published but mentions that they are not aware of active exploitations of the issue.

A workaround has been posted on the Security Advisory page. It basically locks down the MHTML protocol to protect the Windows operating system from possible exploits. Users need to modify the Windows Registry if they follow the suggested actions on the Security Advisory page. Administrators find information on how to apply it across domains by using Group Policy there as well.

Another option is to change the Internet Explorer security settings to high to block ActiveX Controls and Active Scripting. This may have an impact on websites and services that make use of the technologies.

A Fix-It solution has been created as well which makes the patching more comfortable.

The tool takes two snapshots of the system, one before the installation and one after the installation. It compares the two snapshots to identify the changes. It looks in particular for “classes of security weaknesses as applications are installed on the Windows operating system”.

In addition, Microsoft Attack Surface Analyzer “gives an overview of the changes to the system Microsoft considers important to the security of the platform and highlights these in the attack surface report”.

The program stores the report in a cab file. The start page offers to run a new scan or to generated a report by comparing a previous scan with a new scan.

Each scan performs several tasks, like enumerating files, handles or services. Some operations may take a while or show up as pending if they have not been started by the application.

The report is launched in the default web browser, a short explanation is available as well.

Attack Surface Analyzer is available as a 32-bit and 64-bit application at Microsoft.com. Please note that the application has been released as beta. Reports can be generated on Windows Vista, Windows 7 and Windows Server 2008 R1 and R2. The analysis of the data and report generation requires the Microsoft .NET Framework 3.5 in addition.

A closer look at the security vulnerability reveals that is is rated critical for all 32-bit and 64-bit Windows client operating systems from Windows XP to Windows 7. The same vulnerability is rated as important for all server based operating systems.

The second vulnerability, MS11-001, has a maximum severity rating of important. It fixes a vulnerability in the Windows Backup Manager that could allow remote code execution. The vulnerability affects only the Windows Vista operating system.

• MS11-002 – Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution (2451910) – This security update resolves two privately reported vulnerabilities in Microsoft Data Access Components. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS11-001 – Vulnerability in Windows Backup Manager Could Allow Remote Code Execution (2478935) – This security update resolves a publicly disclosed vulnerability in Windows Backup Manager. The vulnerability could allow remote code execution if a user opens a legitimate Windows Backup Manager file that is located in the same network directory as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open the legitimate file from that location, which in turn could cause Windows Backup Manager to load the specially crafted library file.

Severity and Exploitability Index

Bulletin Deployment Priority

The images have been taken from the Technet announcement which offers further information about the vulnerabilities and patch deployment.

Windows users are advised to apply the patches as soon as possible to protect their system from possible exploits. The patches can be applied directly via Windows Update or directly from Microsoft Download.

The first vulnerability affects Internet Explorer 6 to Internet Explorer 8 on all versions of the Windows operating system starting with Windows XP and ending at Windows 7 and Windows Server 2008 R2. Carlene Chmaj confirms that Microsoft has “started to see targeted attacks” and that customers should check the mitigating factors outlined in the security advisory.

The mitigating factors however describe that it is possible to reduce the impact of a successful exploit on the system but that it is not possible to block exploits completely which means that Internet Explorer users, with the exception of Internet Explorer 9 users, are vulnerable to this attack whenever they use the browser on the Internet. The Internet Explorer user needs to visit a specifically crafted web page to trigger the vulnerability which means that it is recommended to stay away from untrustworthy websites.

The second vulnerability that Chmaj mentioned in the announcement affects the graphics rendering engine which could allow remote code execution as well. The issue affects only some Microsoft operating systems, namely Windows XP, Windows Vista and their server variants Windows Server 2003 and Windows Server 2008. The latest operating systems Windows 7 and Windows Server 2008 R2 are not affected.

Microsoft at this time is not aware of attacks exploiting the vulnerability. The issue can only be exploited on a specifically prepared website or with email attachments that need to be opened by the user. A workaround was posted on the security advisory page that requires an administrator to issue commands on the command line (a Fix It solution is also available)

Modify the Access Control List (ACL) on shimgvw.dll

Note See Microsoft Knowledge Base Article 2490606 to use the automated Microsoft Fix it solution to enable or disable this workaround.

To modify the ACL on shimgvw.dll to be more restrictive, run the following commands from a command prompt as an administrator:

For 32-bit editions of Windows XP and Windows Server 2003:

Echo y| cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /P everyone:N

For 64-bit editions of Windows XP and Windows Server 2003:

Echo y| cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /P everyone:N
Echo y| cacls %WINDIR%\SYSWOW64\shimgvw.dll /E /P everyone:N

For 32-bit editions of Windows Vista and Windows Server 2008:

takeown /f %WINDIR%\SYSTEM32\SHIMGVW.DLL
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /save %TEMP%\SHIMGVW_ACL.TXT
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny everyone:(F)

For 64-bit editions of Windows Vista and Windows Server 2008:

takeown /f %WINDIR%\SYSTEM32\SHIMGVW.DLL
takeown /f %WINDIR%\SYSWOW64\SHIMGVW.DLL
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /save %TEMP%\SHIMGVW_ACL32.TXT
icacls %WINDIR%\SYSWOW64\SHIMGVW.DLL /save %TEMP%\SHIMGVW_ACL64.TXT
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny everyone:(F)
icacls %WINDIR%\SYSWOW64\SHIMGVW.DLL /deny everyone:(F)

Impact of Workaround: Media files typically handled by the Graphics Rendering Engine will not be displayed properly.

How to undo the workaround:

Run the following commands from a command prompt as an administrator:

For 32-bit editions of Windows XP and Windows Server 2003:

cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /R everyone

For 64-bit editions of Windows XP and Windows Server 2003:
cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /R everyone
cacls %WINDIR%\SYSWOW64\shimgvw.dll /E /R everyone

For 32-bit editions of Windows Vista and Windows Server 2008:

icacls %WINDIR%\SYSTEM32 /restore %TEMP%\SHIMGVW_ACL.TXT

For 64-bit editions of Windows Vista and Windows Server 2008:

icacls %WINDIR%\SYSTEM32 /restore %TEMP%\SHIMGVW_ACL32.TXT
icacls %WINDIR%\SYSWOW64 /restore %TEMP%\SHIMGVW_ACL64.TXT

The last vulnerability, or set of, was discovered by Michal Zalewski. Browser vendors were contacted in July 2010 and as of now all have not completely managed to resolve the issues reported to them.