OWSUG.ca

Welcome to Ottawa's Windows Server User Group Community!

Canadian IT Pro Blog

September 2010 - Posts

  • Security Bulletins for the Regular IT Guy–September 28th - Out Of Band

    Over pints Pierre Roman, Bruce Cowper and Rick Claus decided they would put together a concise and timely podcast each “Update Tuesday”. The object is to keep it simple by letting you know in plain non technical language what the updates are, what they resolve and why you should care.

    As always - if you have suggestions on making it better - please pass on your comments. Mail Rick directly  – rick.claus@microsoft.com

    Direct Download:

    mp3


    Disclaimer: This podcast was produced with the best information available to us at the time of recording. Your primary source for all things Security Bulletin related should always be the Microsoft Security Response Center blog.

    In Depth Webcast on this bulletin will take place: Tuesday, September 28th – 1:00 PM PDT (UTC -7). (Registration link):

    Bulletins discussed for September 28th, 2010:

    Podcast Participants: Rick Claus – just me and my cup of tea.  I Audio Conferenced Pierre in at the last minute.

    Additional Technical Show Notes:

    • Recorded at Rick's Home Office. Pierre was at the Microsoft Office in Ottawa
    • Direct Download Link for Security Updates for this month. Sort by date – look for your OS version and framework version dated September 27th, 2010.

    PodSafe music from PodSafe Music Network @ http://music.podshow.com/. Artist: Derek K Miller, song - “You’re the Big Sky - rock guitar instrumental”

    Rick
    IT Pro Team Blog | IT Managers Blog |Twitter | Facebook | LinkedIn

  • Out Of Band Security Update for ASP.NET

    Today, as part of Microsoft’s ongoing commitment to protect its customers with security updates and the latest guidance on the threat landscape, the company is releasing MS10-070 as an out-of-band security update. The update addresses a vulnerability in ASP.NET, as described in Security Advisory 2416728, and carries a maximum severity rating of Important and an Exploitability Index rating of 1. As outlined in the advisory, the vulnerability affects ASP.NET framework on Windows XP, Windows Vista, Windows 7, and Windows Server 2003 and 2008 and Windows Server 2008 R2.

     

    Microsoft recommends that its customers deploy the update as soon as possible to help protect their computers from criminal attacks. Please see the Microsoft Security Response Center (MSRC) blog for more details.

     

    As always, please let us know if you have any questions!

      


    What is the purpose of this alert?

     

    This alert is to provide you with an overview of the new security bulletin being released (out-of-band) on September 28, 2010.

     

    New Security Bulletin Overview

     

    Microsoft is releasing one new security bulletin (out-of-band) for newly discovered vulnerabilities:

     

    Bulletin ID: MS10-070
    Bulletin Title: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)
    Maximum Severity Rating: Important
    Vulnerability Impact: Information Disclosure
    Restart Requirement: May require a restart
    Affected Software: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

    Note: Affected software listed above is an abstract. Please see the “Affected Software” section of the bulletin at the link in the left column above for complete details.

     

    Executive Summary

     

    This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.

     

    This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3. The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET.

     

    This security update also addresses the vulnerability first described in Microsoft Security Advisory 2416728.

     

    Public Bulletin Webcast

     

    Microsoft will host a webcast to address customer questions on this bulletin:

    Title: Information about Microsoft’s September 2010 (OOB) Security Bulletin Release (Level 200)

    Date: Tuesday, September 28, 2010, 1:00 P.M. Pacific Time (U.S. and Canada)

    URL: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032464130

     

    Public Resources Related to This Alert

     

    • Security Bulletin MS10-070 – Vulnerability in ASP.NET Could Allow Information Disclosure (2418042): http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx
    • Security Advisory 2416728 – Vulnerability in ASP.NET Could Allow Information Disclosure: http://www.microsoft.com/technet/security/advisory/2416728.mspx
    • Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc/
    • Microsoft Security Research & Defense (SRD) Blog: http://blogs.technet.com/srd/
    • Microsoft Malware Protection Center (MMPC) Blog: http://blogs.technet.com/mmpc/

     

    New Security Bulletin Technical Details

     

    In the following tables of affected and non-affected software, software editions that are not listed are past their support lifecycle. To determine the support lifecycle for your product and edition, visit the Microsoft Support Lifecycle web site at http://support.microsoft.com/lifecycle/.

     

    Bulletin Identifier: Microsoft Security Bulletin MS10-070

    Bulletin Title: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)

    Executive Summary: This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server.

    Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system. In Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can also be used by an attacker to retrieve the contents of any file within the ASP.NET application, including web.config.

    The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET.

    Severity Ratings and Affected Software: This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3.

    CVE: CVE-2010-3332 - ASP.NET Padding Oracle Vulnerability

    Attack Vectors: To exploit this vulnerability, an attacker would send cipher text via a Web request to an affected server to determine whether the text was decrypted properly by examining the error code returned by the website. An attacker who made enough of these requests could learn enough information to read or tamper with the encrypted data.

    Mitigating Factors: Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.

    Workarounds: Enable a UrlScan or Request Filtering rule, enable ASP.NET custom errors, and map all error codes to the same error page. For specific steps, see the “Workaround” section of the bulletin at the link below.

    Restart Requirement: This update may require a restart.

    Bulletins Replaced by This Update: MS10-041 and MS09-036 on specific versions of Microsoft .NET Framework on specific operating systems. For specific details, see the “Affected Software” section of the bulletin at the link below.

    Disclosure Status: This vulnerability was publicly disclosed prior to release. More information is contained in Microsoft Security Advisory 2416728.

    Exploit Status: This vulnerability has been exploited in the wild at release.

    Full Details: http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx
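
One way to look in IIS W3C logs for the request pattern described under Attack Vectors (many requests from one client that fail on the same path while the submitted value changes each time). This is an added example, not code from the bulletin or from Microsoft; the thresholds, paths and addresses are constructed assumptions to tune for your own site.

```python
from collections import defaultdict

ERROR_THRESHOLD = 30   # assumed tuning value: failed requests per client and path
DISTINCT_RATIO = 0.9   # assumed: nearly every failed request has a new query string


def parse_w3c(lines):
    """Yield one dict per request, using the #Fields: header to name the columns."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated or malformed rows
                yield dict(zip(fields, values))


def find_probing_clients(lines, threshold=ERROR_THRESHOLD, ratio=DISTINCT_RATIO):
    """Return [(client_ip, path, failed_count)] for clients that pile up error
    responses on one path while changing the query string almost every time."""
    failed = defaultdict(list)   # (c-ip, cs-uri-stem) -> query strings that failed
    for req in parse_w3c(lines):
        if int(req["sc-status"]) >= 400:
            failed[(req["c-ip"], req["cs-uri-stem"])].append(req["cs-uri-query"])
    hits = []
    for (ip, path), queries in failed.items():
        if len(queries) >= threshold and len(set(queries)) / len(queries) >= ratio:
            hits.append((ip, path, len(queries)))
    return sorted(hits, key=lambda h: -h[2])


def constructed_sample():
    """Constructed log lines (documentation-range addresses, made-up paths)."""
    lines = ["#Software: Microsoft Internet Information Services 7.5",
             "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status"]
    # A normal visitor: one page view and one broken link.
    lines += ["2010-09-28 14:00:01 GET /default.aspx - 198.51.100.7 200",
              "2010-09-28 14:00:05 GET /missing.gif - 198.51.100.7 404"]
    # One client failing repeatedly on a single path, new value on every request.
    for i in range(45):
        status = 404 if i % 3 else 500
        lines.append(f"2010-09-28 14:01:{i:02d} GET /app/resource.axd d=blob{i:04d} "
                     f"203.0.113.50 {status}")
    # A monitoring probe failing on the SAME URL: noisy, but not this pattern.
    for i in range(40):
        lines.append(f"2010-09-28 14:02:{i:02d} GET /health.aspx check=1 192.0.2.10 503")
    return lines


if __name__ == "__main__":
    for ip, path, count in find_probing_clients(constructed_sample()):
        print(f"{ip} {path}: {count} failed requests with varying query strings")
```

After the workaround maps every error to the same page, failures may be logged as redirects or ordinary responses instead of 4xx/5xx, so per-client request volume on a single path is the more durable signal.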

     

  • Reminder: IE6 on XP to IE8 on Win7 Virtual Roundtable Discussion–09/30/2010


    You are not alone.

    There are many organizations that have to keep IE 6 kickin’ around because they have apps that were written for the browser that are still in use.  Now you want to roll out Windows 7 and get back the last 9 years of your life in computing history and join the modern desktop. Think of all the time you could save by not having to support XP in your environment anymore.

    But you have one small hitch – those applications that just don’t render or work correctly unless they are viewed and used in IE 6. Kind of a catch 22, right?

    You are in luck.

    On Thursday September 30th at 12:00 EDT - Microsoft is hosting a Virtual Round Table discussion on Migration strategies, standards and support for organizations moving from IE6 to IE8.

    Join a panel of IT Professionals, Microsoft specialists and technical experts to discuss best practices to simplify and accelerate the migration to Internet Explorer 8. Topics will include an explanation of the causes of and solutions for application compatibility issues (including policy, code, and virtualization solutions), an introduction to tools, and a review of best practices.

    Ask your questions live during the event with our online tool - or submit your questions in advance to vrtable@microsoft.com.

    Visit the Springboard Series “SaveTheDate” page for more information.

    I’ll be there.

  • Security Bulletins for the Regular IT Guy–episode #21–September 2010

    NOTE: Due to a combination of publishing platform issues and a crazy travel schedule that came together into a perfect storm – we’re three days delayed in getting this out to you. Sorry about that – we’ve got steps in place to ensure it doesn’t happen again.

    Over pints Pierre Roman, Bruce Cowper and Rick Claus decided they would put together a concise and timely podcast each “Update Tuesday”. The object is to keep it simple by letting you know in plain non technical language what the updates are, what they resolve and why you should care.

    As always - if you have suggestions on making it better - please pass on your comments. Mail Rick directly  – rick.claus@microsoft.com

    Direct Download:

    mp3


    Disclaimer: This podcast was produced with the best information available to us at the time of recording. Your primary source for all things Security Bulletin related should always be the Microsoft Security Response Center blog.

    In Depth Webcast on this bulletin will take place: Wednesday, September 15th - 11:00 a.m. PST (UTC -7). (Registration link):

    Bulletins discussed for September 15th, 2010:

    Podcast Participants: Rick Claus (without my Green Tilley Hat) and Pierre Roman


    Additional Technical Show Notes:

    • Recorded at Rick's Home Office and Pierre’s home office with LiveCommunicationsServer videoconferencing software.

    PodSafe music from PodSafe Music Network @ http://music.podshow.com/. Artist: Derek K Miller, song - “You’re the Big Sky - rock guitar instrumental”

    Rick
    IT Pro Team Blog | IT Managers Blog |Twitter | Facebook | LinkedIn

  • Scenes from TechDays Vancouver, Part 1

    (originally appears on Canadian DevBlog)

    Hello from Vancouver! I’m here at the first stop of TechDays, Microsoft Canada’s 8-city cross-country conference series for developers and IT pros. It’s a gorgeous, sunny and almost cloudless day, a nice change from the gloomy weather we had this weekend.

    The sunshine is perfect for our new TechDays Vancouver venue, the Vancouver Convention Centre’s new west building, whose glass walls provide a spectacular view of the harbour, as seen below:

    We’ve been here since 7 a.m., and the conference centre crew were here even earlier. The crowd started arriving around 8, with many of them arriving about 8:30. A little hint, folks: an early arrival means you get registered quickly, and you get enough time to enjoy a free breakfast to boot!

    With the clock approaching nine came the scramble for the session rooms. Vancouver Convention Centre’s West Building is a huge place, and our attendees are going to get a fair bit of exercise getting from session to session. C’mon, people, it’s good for your cardiovascular systems!

    Here’s Miguel Carrasco from Imaginet delivering the opening talk for the “Developing for Three Screens and the Cloud” track:

    And in the “Optimizing the Development Process” track, here’s Bruce Johnston talking about real-world patterns for cloud computing:

    This article also appears in Global Nerdy.

  • Leaving on a Jet Plane… TechDays Vancouver (T-4 days)

    We’re heading to Vancouver! TechDays 2010 is about to start.

    (…intro sappy music)

    All my bags are packed, I'm ready to go
    I'm standin' here outside your door
    I hate to wake you up to say goodbye…

    - John Denver, 1966

    (I’ve already started packin’ my bag, I’m not quite ready to go just yet – but the song is fitting none the less. )

    It’s the start of TechDays season on our team. It’s a little something that we’ve been working on over the last few months - hand in hand with members of the Technical Community across Canada.  The Vancouver track of speakers are primed and ready to go, “the truck” of stuff we ship from location to location left last week to meet us in Vancouver. We’re dotting the i(s) and crossing the t(s). You’ve heard about the marketing stuff (60 sessions, local experts, networking opportunities, special offers from partners, collaboration lounge) – that’s all said and done. 

    Now it’s show time! Some Advice…


    (Photo taken by Bobak Ha'Eri, on June 4, 2009)

    • I put up the lovely picture from Bobak on Wikipedia of the West building – because that is where it’s all going down this year. DON’T GO TO THE OLD BUILDING – WE WON’T BE THERE.
    • If you haven’t already done so – go back to the TechDays.ca site and look at the schedule builder to pre-plan your sessions. Figure out which ones you want to go to AND ALSO ALTERNATES. Why the alternates? Some proactive planning – in case your primary choice is not your cup of tea – you will know where to go.
    • We’ll have printed agendas/guides (and a cool pen) that you can use to take notes and find your way, complete with session details and partner offerings.
    • I say this every year and I will say it again. Use the “non session time” to make new networking connections. Seriously. Introduce yourself to people in the session you are attending – there is a good chance THEY share similar technical interests and could become valuable resources FOR YOU in the future.
    • TALK WITH THE SPEAKERS. We won’t bite! Just don’t take offense if we’re busy immediately after the session ends or just before it starts. Take the time to “book” us to talk in the Experts Area, during lunch or during breaks.
    • Check out the Collaboration Lounge. I am very stoked about this – very well received the last couple of years we did it. This time around the focus is on Windows 7, alternate interfaces (touch experiences and different form factors) and cool devices (Windows Phone 7). It will even have an Xbox Kinect – so get ready to get up and MOVE in a controller-less world.
    • We’re around before, during and after TechDays.  The team will be in Vancouver until mid day on Friday. We’re going to be doing a “coffee and code” in every city where you can get some hands on time with Windows Phone 7 or grab a cup’a joe and chat with one of us.
    • If you want to keep in touch with all the “official” and “unofficial” activities – follow the #TechDays_ca hashtag on Twitter. You never know where we’ll end up.

    Oh yeah – in case I forgot - Have Fun! Make sure to stop me in the hallways and tell me how it’s going and what we can do to make it better, eh? I’ll be the one wearing the green hat.

    Rick
    IT Pro Team Blog |Twitter | Facebook | LinkedIn

  • Techdays 2010 – A Recipe for Success and One Nearby YOU!


    Right around the corner near a major Canadian City near you is Microsoft Techdays Canada 2010.

    An unbelievable chance to improve your skills exponentially. It’s a true recipe for success!  Wondering what’s in the mix?

    Let’s check out the recipe for this delicious delight!

    • 2 Days
    • 6 Tracks
    • 8 Cities
    • 55+ Sessions
    • 1 Batch of Community Support
    • Three Dozen Plus Session Leads
    • 10,000 Kilos of Speakers
    • 1 Dedicated Team from Microsoft
    • 1 Dash of Inspiration

    Take Microsoft Team, sprinkle on a little Inspiration.  Blend in some research from the Community along with support from Session leads and volunteer speakers.   

    Mix batch up and bake for approximately six months with some spice across the country.  

    When thoughts meld together from Community, Session Leads and Microsoft Team let cool and begin to slice up into Sessions.   

    Organize sessions into six uniquely crafted tracks.   Spread tracks across the 8 cities and pull together Speakers and Session Leads as well as additional Community Specialists for Local flavour.

    Ensure each track and session has a little coating of each city and send out to the Country cut into days each.

    Mmmmmm…… Sounds like a recipe for success to me!  An invaluable treat to be had too!  The price can’t be beat either.  Early bird registration is $349.99 if you hurry!  Vancouver is right around the corner, with Edmonton and Toronto following soon after!

    It’ll make a GREAT early gift for yourself for the Holiday season too!  Step up to that next level.   Get ahead of the competition!

    Dive in and Enjoy a healthy serving of Microsoft Techdays Canada.  

    Your mind will thank you for it. :)

     

    Sean Kearney

    Sean
    The Energized Tech – I’ll see YOU at Techdays!

