I Hope You Patch Adobe Products Like All The Others

Yesterday I quoted a Microsoft security report based on information they gather from numerous sources:

“Detections of exploits targeting Adobe Flash, although uncommon in comparison to some other types of exploits, increased in 2Q11 to more than 40 times the volume seen in 1Q11 … Two vulnerabilities accounted for the bulk of zero-day exploit activity … Both vulnerabilities affect Adobe Flash Player”.

In other words, hackers have found a new sweet spot.  Most (not all) companies have copped on when it comes to patching Microsoft products.  But:

  1. Other companies make software
  2. Pretty much all software has vulnerabilities
  3. Hackers aren’t stupid.  I’m reading a book called Kingpin and it illustrates how hackers will move from one attack vector to another to find a soft underbelly.  Adobe is that new point of attack.

And there is a high profile example of that.  The Inquirer website reports that (and there is no evidence because RSA have not publicly documented this):

“Criminals used a zero-day vulnerability in Adobe Flash player to penetrate RSA defences through an embedded Flash file in an Excel email attachment. A spear phishing attack, it targeted regular employees of RSA Security disguised as a recruitment form. It breached the RSA systems, even though it first went to Microsoft Outlook’s spam folder”.

OK, it was a zero day attack.  We know this was a very organised attack, possibly sponsored by a nation.  They found a hole in Flash (allegedly) that wasn’t yet reported and crafted an email attachment to attack it, knowing that the recipient would get stung by it, thus allowing the hacker to 0wn the PC.  Unlucky. 

But even if it hadn’t been a zero day attack, would they have patched Adobe?  (We learned that less than 1% of attacks are zero day.)  I bet the answer is no.  Most companies focus just on Microsoft software.  Adobe products do automatically prompt for upgrades, but they are seriously click heavy and frequent, so most people probably disable the auto-check for upgrades, and the PCs probably go years without updating.  And that leaves those PCs vulnerable to:

  • Drive-by attacks, where a user navigates to an innocent website that has either been hacked (malware uploaded) or carries a compromised advert that is hosted elsewhere.
  • Crafted attachments, where a user opens a document/email whose attachment targets an Adobe product vulnerability.

In other words, patch Adobe products too, and not just Microsoft ones.  Unfortunately, that isn’t too easy (or supported) in WSUS.  However, you can do it using System Center Essentials (that’s what we use in our office) or System Center Configuration Manager.

Interesting Analysis on Patching and Attacks

Microsoft produces a document called the Security Intelligence Report on a regular basis.  Some of it hit the news today so I decided to take a peek.  The report doesn’t restrict itself to exploits of Microsoft products and is based on data that they gather from a number of sources.

“In this supplemental analysis, zero-day exploitation accounted for about 0.12 percent of all exploit activity in 1H11, reaching a peak of 0.37 percent in June”.

OK, so that tells us that the vast majority of exploits take advantage of old vulnerabilities that have had patches available previously.

“Of the attacks attributed to exploits in the 1H11 MSRT data, less than half of them targeted vulnerabilities disclosed within the previous year, and none targeted vulnerabilities that were zero-day during the first half of 2011”.

People aren’t patching like they should be. That explains this:

Conficker is still (STILL!!!!) the leading infection on domain joined computers. Seriously!?!?!? It is not in the top 10 of non-domain joined PCs.

And it explains this:

“Exploits that target CVE-2010-2568, a vulnerability in Windows Shell, increased significantly in 2Q11, and were responsible for the entire 2Q11 increase in operating system exploits. The vulnerability was first discovered being used by the family Win32/Stuxnet in mid-2010”.

This report covers up to H2 2011 and MS10-046 is still being exploited because people haven’t deployed the patch.

“Detections of exploits targeting Adobe Flash, although uncommon in comparison to some other types of exploits, increased in 2Q11 to more than 40 times the volume seen in 1Q11 … Two vulnerabilities accounted for the bulk of zero-day exploit activity … Both vulnerabilities affect Adobe Flash Player”.

Adobe Flash is one of those products that is constantly badgering me to get updated at home.  I leave this turned on because Flash is a real target for attackers. 

“The most commonly observed types of exploits in 1H11 were those targeting vulnerabilities in the Oracle (formerly Sun) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters”.

Other products like Java and Adobe Reader are nice targets too because they have vulnerabilities and are rarely patched.  At work, we patch the Adobe products via System Center Essentials.  You can also use ConfigMgr 2007 to do this.

“As in previous periods, infection rates for more recently released operating systems and service packs are consistently lower than earlier ones, for both client and server platforms. Windows 7 and Windows Server 2008 R2, the most recently released Windows client and server versions, respectively, have the lowest infection rates”.

Why?
  • Newer products always do more under the hood to protect themselves.
  • Newer home PCs will have current AV.
  • Newer business deployments will have had a fresh installation of patching/security systems that some more mature environments have lacked, e.g. no WSUS.

Interestingly, in the regional analysis, Italy appears to lead the pack at minimizing most malware infections (congrats!) but is second worst when it comes to adware infections (boo!). 

Don’t be so quick to blame Microsoft: 44.8% of exploits are because of the weakness that is found between the keyboard and the chair, where the user is handing over some piece of information or OK-ing something bad. 

Drive by attack download sites (innocent web sites that have been compromised, e.g. adspace that was sold and contains a Flash exploit) are on the rise.

There’s a lot of good info in the Security Intelligence Report.  You should give it a read if considering the security of your business.

Results & Report on The Great Big Hyper-V Survey of 2011

FIND THE RESULTS & REPORT HERE

I am pleased to present the results and a report on The Great Big Hyper-V Survey of 2011, which was conducted by myself, Hans Vredevoort, and Damian Flynn.  We conducted this survey over the last few weeks, asking people from around the world to answer 80 questions on:

  • Their Hyper-V project
  • Their Hyper-V installations
  • Systems management
  • Private cloud
  • Their future plans

Note that this survey had no outside influences.  Microsoft found out about this survey by reading blog or twitter posts at the same time as the respondents.  I have deliberately chosen not to try to get a sponsor for my report, to further illustrate its independence.

Some of the results were as expected, and some of them were quite an education.  Thank you to all who completed the survey, and to all who helped to spread the word.  And now, here’s what you have been waiting for:

  • Here is a report that I have written over the last 2 days.  I dig into each of the 80 questions, analysing the results of each and every question that we asked.
  • For those of you who want to dig a little deeper, here is a zip file with all of the raw data from the survey.  You will find reports and spreadsheets with different views and selections of data.  I also created an additional spreadsheet that was used to create the report.

Whether you are a sales person, a Hyper-V customer, a potential customer, or an enthusiast, I think there is something here for you.

Now the conversations and debates can begin.  Have a read of the report and then go over to see what Hans Vredevoort and Damian Flynn thought of the data.  We have deliberately not shared our opinions with each other; this means we can all have unique view points, and possibly see something that others don’t.  For example, I work in the software sales channel with a background in consulting and engineering, Damian is an enterprise systems administrator/engineer, and Hans is an enterprise consultant.  We each have a different view of the IT world.  And after you read their opinions, it’ll be your turn: we want to hear what you think.  Post comments, tweet (#GBHVS2011), blog, or whatever.

Great Big Hyper-V Survey 2011 Is Now Closed

I closed the Great Big Hyper-V Survey of 2011 this morning at 10:05 (Dublin time, 11:05 CET, 5:05 EST).  Thank you to all who completed the survey.  Myself, Damian Flynn (another Hyper-V MVP), and Hans Vredevoort (Failover Clustering MVP) will be sharing the results on this Wednesday (7th September, 2011) at 10:00 Dublin time, 11:00 Amsterdam time (05:00 EST, 19:00 Sydney).

Cannot Install Office 2010 to Windows 7 Using SCE 2010

Microsoft released KB2607070 to resolve a software deployment issue with SCE 2010 managed Windows 7 SP1 PCs.  I first noticed this with Office 2010, and it appears to have affected the distribution of other software packages.

An update has been released to resolve issues where System Center Essentials updating Windows 7 SP1-based computers with locally published content may fail with error 0x80070570.

When you locally publish updates through System Center Essentials and then attempt to download and install those updates to a Windows 7 SP1-based computer, those updates may fail with error code 0x80070570.

Before You Install System Center … Clean Up Those Computer Accounts

First, I hope you’ve done some planning/architecture/proof of concept.  Next, clean up the environment.  Products that deploy agents, such as System Center Essentials (SCE), Configuration Manager (SCCM/ConfigMgr), and Operations Manager (SCOM/OpsMgr), will allow you to track the success of agent deployment.  And if your network is like most others I’ve encountered over the years, nobody has bothered to clean up the inactive/obsolete computer accounts.  Agent deployment will use some sort of computer discovery process, most likely based on computer accounts found in Active Directory.  It may find computer accounts that have been there since 2000 and are no longer valid.  It may find 50% more computer accounts than actually exist.

Before you deploy agents you need to do some spring cleaning.

Computer Accounts

My favourite tool for this in the past was oldcmp.  The page doesn’t list Windows 2008 or 2008 R2.  I last used it with Windows Server 2008 in a lab and it worked fine.  It allowed you to work with user and computer accounts:

  • Report only
  • Disable
  • Move and disable (to a “disabled” OU)
  • Delete

The last time I was an admin of a large environment I was very fussy about inactive accounts.  We used to run oldcmp as a scheduled task on a monthly basis.

If you want something that is supported then try this.  Identify & disable computer accounts that were inactive for the last 4 weeks:

dsquery computer -inactive 4 | dsmod computer -disabled yes

Then you can identify and delete computer accounts that have been inactive for the last 8 weeks.  dsrm takes the piped distinguished names directly (there is no “dsrm computer” form) and prompts for each deletion unless you add -noprompt:

dsquery computer -inactive 8 | dsrm -noprompt

Put that in a script and run it every month and you’ll automate the cleanup nicely.  Machines that have been inactive for the last 4 weeks will be disabled, and you can re-enable them if a user complains.  After 8 weeks, they get completely removed.  If you have people away for longer periods then you can extend this, e.g. disable after 26 weeks and delete after 52 weeks.  Or you might bundle that caution about deleting with a secure mindset, e.g. disable after 4 weeks and delete after 52 weeks.

Note: dsquery, dsmod, and dsrm can be easily used for lots more, e.g. user accounts.  Check the help (at the command prompt) and test-test-test before putting it into use.  You probably can do all of this with PowerShell and the useful -WhatIf flag.
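The same two-stage clean-up (disable after 4 weeks, delete after 8) in PowerShell, as an added example rather than code from the original post.  It assumes the ActiveDirectory module from RSAT and an account that can modify computer objects; the week thresholds are parameters, so the 26/52-week variants are a one-line change, and the script supports -WhatIf so you can preview a run first.

```powershell
# Added example (not from the original post): monthly stale computer account clean-up.
# Assumes the ActiveDirectory module (RSAT) and rights to disable/delete computer objects.
# Save as Cleanup-StaleComputers.ps1 and run with -WhatIf until the report looks right.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$DisableAfterWeeks = 4,
    [int]$DeleteAfterWeeks  = 8,
    [string]$ReportPath     = "$env:TEMP\StaleComputers-$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ActiveDirectory

# Search-ADAccount works from lastLogonTimestamp, which replicates lazily (it can lag the
# real last logon by up to 14 days), so treat the thresholds as approximate.
$disableSpan = New-TimeSpan -Days (7 * $DisableAfterWeeks)
$deleteSpan  = New-TimeSpan -Days (7 * $DeleteAfterWeeks)

# Never touch domain controllers: anything under the Domain Controllers OU is skipped.
$dcOu = (Get-ADDomain).DomainControllersContainer

# Stage 1: disable accounts inactive for $DisableAfterWeeks weeks that are still enabled.
$toDisable = Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan $disableSpan |
    Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$dcOu" }

foreach ($c in $toDisable) {
    if ($PSCmdlet.ShouldProcess($c.Name, "Disable (inactive > $DisableAfterWeeks weeks)")) {
        Disable-ADAccount -Identity $c.DistinguishedName
        # Record why/when it was disabled so a re-enable request can be checked later.
        Set-ADComputer -Identity $c.DistinguishedName -Description "Disabled by cleanup $(Get-Date -Format s): inactive"
    }
}

# Stage 2: delete accounts inactive for $DeleteAfterWeeks weeks, but only ones that are
# already disabled, so nothing goes straight from "active" to "deleted" in a single run.
$toDelete = Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan $deleteSpan |
    Where-Object { -not $_.Enabled -and $_.DistinguishedName -notlike "*,$dcOu" }

foreach ($c in $toDelete) {
    if ($PSCmdlet.ShouldProcess($c.Name, "Delete (inactive > $DeleteAfterWeeks weeks)")) {
        # Remove-ADObject -Recursive also removes child objects (e.g. BitLocker recovery
        # information) that would otherwise make Remove-ADComputer fail on a non-leaf object.
        Remove-ADObject -Identity $c.DistinguishedName -Recursive -Confirm:$false
    }
}

# Audit trail of everything this run considered (Enabled shows the state before the run).
# Check it before a live run: pre-staged accounts that never logged on may show up here too.
@($toDisable) + @($toDelete) |
    Select-Object Name, Enabled, LastLogonDate, DistinguishedName |
    Export-Csv -Path $ReportPath -NoTypeInformation
```

Schedule it monthly as the post suggests; the CSV gives you the list to check when someone complains that their machine “stopped working”.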

DNS Records

I hate stale DNS records because they can lead to all sorts of false positives when there is IP address re-use, especially when trying to remotely manage/connect to PCs in a DHCP environment.  You can configure DNS scavenging of stale records on the DNS server (for all zones) or on a per zone basis.


Be careful with this one.  I’ve been especially careful with the intervals since the 2003 days when I had a Premier support call open.  Scavenging didn’t like me using smaller intervals, even if they were correctly configured.
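Both ways of configuring scavenging (server-wide and per zone), plus a preview of which records a pass would actually remove, as an added example that is not from the original post.  It assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT) and a hypothetical zone named corp.example.com; the intervals are the 7-day defaults, in keeping with the warning above about going smaller.

```powershell
# Added example (not from the original post). Assumes the DnsServer module and a
# hypothetical zone "corp.example.com"; run on, or remotely against, a DNS server.
Import-Module DnsServer

$Zone      = 'corp.example.com'       # assumed zone name
$NoRefresh = New-TimeSpan -Days 7     # timestamp is frozen for this long after a refresh...
$Refresh   = New-TimeSpan -Days 7     # ...then may be refreshed; after both, a record is eligible

# Server-wide: turns on the scavenging job itself and, with -ApplyOnAllZones, pushes the
# aging settings to every zone this server hosts.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 7) `
    -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh -ApplyOnAllZones

# Per zone: aging must be enabled on a zone before any of its records can be scavenged.
Set-DnsServerZoneAging -Name $Zone -Aging $true -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh

# Preview what the next pass would remove from this zone before trusting it: dynamic records
# whose timestamp is older than NoRefresh + Refresh. Static records have no timestamp and
# are never scavenged, so they are filtered out by the $_.Timestamp test.
$cutoff = (Get-Date) - ($NoRefresh + $Refresh)
Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    Select-Object HostName, Timestamp, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } } |
    Sort-Object Timestamp
```

If the preview lists machines you know are alive, their records are not being refreshed (often static or registered by a DHCP server that does not own them), and that is what to fix before letting scavenging run.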

Once you have the environment cleaned up, you can start deploying agents.  Now when you see a “failed” message, you know you can take it seriously and schedule a human visit.

Note: I don’t think I’ve ever used ConfigMgr to build collections of users.  Users roam and I don’t want to install software needlessly.  But ConfigMgr 2012 will have a more reliable user-centric approach that detects a user’s primary PC.  Therefore, you’ll want to do a user clean up before deploying it … and that should be standard security practice anyway.

How HM Treasury Was Allegedly Attacked & How to Defend Against It

I was listening to The Guardian’s Tech Weekly podcast on the way into work this morning and they were discussing some of the recent announcements from the British government about the cyberwar research that the MoD/GCHQ is doing.  In the discussion they mentioned that there was a recent attempted attack on HM Treasury (department of finance), and that the attacks allegedly came in two forms:

  • Drive-by browsing: this is where a user innocently goes onto a legitimate website, but an outsourced advert uses a browser vulnerability to inject some software onto the user’s computer.
  • Malware attachments: Some piece of dodgy software is sent as a normal looking attachment in an email.  This file has some sort of built in attack, like a trojan downloader, and the PC becomes a bot (something the attacker can remotely control by commands that the downloader will pull down from a service or website running on the Internet).

I am not a security expert.  In fact, most of the self-proclaimed security experts that you meet are not security experts.  I have met real security experts.  They speak a whole other language that we IT Pros don’t understand.  I’ve also met “security experts” with their recently downloaded checklists who do more damage than good.  The good news is that there is lots that you can do to protect yourself from attacks such as the above.  The bad news is that there is no 100% perfect defence.  For example, antivirus scanners detect already known threats.  Someone has to get hit somewhere before a threat becomes known.  Let’s stay positive and see what could be done to protect against the above two attacks.

Defending Against Drive-By Browsing

Drive-by browsing has been around for some time.  I’ve attended presentations by Microsoft’s Roger Grimes (serious security dude), where he talked about the website of a certain conservative news broadcaster.  They sold advertising space on their website.  Other than the space, they had no control over content.  That was done by the online advertiser.  And they probably did more outsourcing or bidding.  Allegedly, browsing this website could cause you to become a victim of an attack that was built into one of these outsourced adverts.  You’d just browse the site and *BANG* your PC downloaded a trojan downloader.  In other words, it was 0wned.

The most basic defence against drive-by attacks is to keep your browser up to date with security fixes.  Don’t be a fanboy sheep: all browsers are vulnerable.  I remember listening to another podcast (TWiT Windows Weekly) a few months ago where they discussed how Safari took seconds to smash, and Chrome/IE lasted a bit longer but eventually gave in at some hack-athon.  Google and Microsoft are constantly releasing updates.  Google do it via new versions of Chrome.  Microsoft do it through security hotfixes.

If you run anything but the smallest business then you need to manage these updates.  This is one of IE’s strengths because it can be updated immediately (or after internal testing) via Windows Updates, WSUS, and System Center (Configuration Manager 2007 or System Center Essentials 2010).  There really is no excuse for a business not to be doing this, monitoring patch update levels, and remediating any deployment issues.

These adverts are effectively downloading a trojan installer.  A proxy malware scanner can help defend against this.  Forefront Threat Management Gateway (TMG) includes a Malware Inspection Filter, as do many other firewall and proxy products.  I’ve always liked the ISA (now TMG) family because they are AD integrated, and I can reuse security groups and user accounts for rules and exceptions.

Malware Attachment

The problem with email is that it is pretty open, and trusting.  If I know the name or IP address of your SMTP gateway then there’s nothing to stop me from creating a malformed email that appears to come from someone you know and trust, and attaching a piece of malware to do bad things to your PC (and then your network).

Last night I read about some executive of a large corporation who sent out a memo to all employees to instruct that they should confirm the source of all emails before opening them. That certainly is one way to prevent the opening of an attachment. I just wonder if this executive answered the 20,000+ phone calls from his employees when they called to confirm that he really sent that email. Let’s get real – people have jobs to do and they cannot spend 3/4 of the day calling people to see if so’n’so really sent an email. Why would we have email at all in that case?

Sure we can do a bit of user education.  I don’t need to open an attachment with a .EXE file extension.  I don’t need to read an email from the wife of some deposed king.  And I really don’t need pills for you-know-what.  Common sense education helps.  But as Steve Riley has said in presentations in the past: the vulnerability lies in the meat that sits between the chair and the keyboard.  If we cannot fix that, then maybe we need to wrap our email system in defences to counter those weaknesses.

Let’s start with the mail server.  Stick some malware scanning on there, like Forefront for Exchange (or another solution).  That will protect the server against external threats.  I know you’ll interject here with another suggestion (and I’ll get there).  Think about how IT is changing.  Consumerisation of IT has caused users to bring all sorts of devices onto our networks.  Lord knows what they connect to when they are not on our network.  And those same devices will be used to connect to the company’s mail services.  You need to protect the company’s email (and reputation) against those internal threats.

Next up is the online malware scanning service, such as Forefront Online Protection for Exchange (FOPE) or others.  The company’s MX record points to this, all incoming email is scanned for spam and malware, and then sent on to the company’s SMTP gateway.  You’re in complete control – you can even integrate the management of Forefront for Exchange with FOPE via a free (I believe) management console (it also can manage Forefront for SharePoint).  Now you can filter out the incoming rubbish before it gets to the company’s expensive Internet connection, and you have a layered defence.

Third Party Update Catalog

We aren’t finished yet.  Antivirus scanners are not perfect, especially when it comes to custom written or brand new threats.  The more serious attacks out there are not done by script kiddies in a basement; they’re done by organised crime, your competitors, and state agencies.  They have the time and money to create new programs to leverage discovered vulnerabilities.  For example, it’s one thing to scan for Conficker, it’s another thing to fix the vulnerability that it attacks so you can prevent anyone else from attacking it.

So you can use Windows Update, WSUS, ConfigMgr, or SCE to patch Windows.  Great!  The attachment that was used in the alleged attack on HM Treasury was allegedly based on an Adobe product.  How often do you see Adobe products looking to update themselves to fix some security issue?  It feels to me like it happens a few times a week.  I bet most of you, and your users, disable these annoying updates – and that’s what the attacker is betting on!  They can write a custom attack, build it into a PDF (or whatever), send it to a user in your organisation using a crafted email that appears innocent enough, it’ll sail through the scanners (because it is an unknown attack), the attachment is opened in a vulnerable reader, and *badda bing* the attacker now has control of a PC on your network.

*PANIC* This is where you uninstall Adobe Reader, Flash, etc, and use third party alternatives – not so fast, my friend! (Why do I keep quoting Lee Corso?).  Adobe products, like every other, have vulnerabilities.  If you think those other readers don’t then you’re fooling yourself.  If you’re a big enough target, then an attacker will figure out what third party reader you use via social engineering, and craft an attack for that.  With Adobe, you at least have a way to force updates for your users.

No, we cannot trust users to run Adobe updates by themselves, just like we cannot trust them to run Microsoft updates for themselves.  Adobe has created software update catalogues that we can use in System Center Configuration Manager (MSFT’s main way to adopt/control consumerisation of IT) and System Center Essentials.  This will allow you to centrally download, test, approve, and deploy updates to relevant machines in an automated, and scheduled manner, with deployment deadlines.  Now you can force those vulnerable PCs to update, and secure your network against those vulnerabilities.

Summary

With all this you get layered defences.  Is it 100% secure?  No.  Like I said, I’m honest enough to say that I’m not a security expert but I know that with the above systems, you could protect yourself against the same attack that allegedly targeted HM Treasury (based on the information that I heard this morning).  Combine this with protection for PCs, servers, SharePoint, Lync, and so on, and you’ll have a nice fortress.  You can’t rely on people to protect the castle, and that’s why you need an automated portcullis approach like this.  The responsibility then falls on you as the gatekeeper to ensure that the gate is built correctly.

Note: I don’t know why some people always assume that security should be any different for virtual machines (on any hypervisor).  The virtualised workloads still need the same levels of protection that their physical alternative would.

Veeam ESX Monitoring for SCOM

At yesterday’s VMware event, I wandered over to the Veeam stand to get myself a demo of their nworks Management Pack for VMware.  This allows OpsMgr (System Center Operations Manager 2007) to natively monitor ESX(i) without installing an agent on the host, with or without vSphere.  They fired up an RDP session and gave me a guided tour.  I was impressed with the solution.  It had all you would expect from an OpsMgr monitored object: alerts, knowledge base, diagrams, and reports.

This reinforces the fact that even if you do deploy ESXi, this does not rule out the use of what I believe to be the best monitoring solution out there (even if it is my job to convince you of that!).  With the nworks management pack and OpsMgr, you can include the virtualisation layer, which deserves the same care as a mainframe, in the management of your hardware, operating system, services, application, and SLA stack.

BTW, if you are an SME then you can also use this management pack with System Center Essentials.

Operations Manager 2007 R2 Resource Kit

OK, it’s only 2 years too late and OpsMgr 2012 is around the corner, but it’s out and let’s just enjoy that.  Microsoft has just released a resource kit including tools for OpsMgr 2007 R2.  Best of all, it includes the ability to schedule maintenance mode for a group!  Yay!  No more hack-scripting to get this done during automated patching windows.

System Center Update Catalogs for Third Party Products

Ever notice how many problems are caused by drivers or firmware?  Ever notice how often Adobe releases a new version of Reader or Flash to solve a security issue, and how many legacy versions are running on your network – thus making your Windows Updates process pretty irrelevant?  Ever wish you had a way to centrally deploy fixes for those problems?

One of the nice things about System Center Configuration Manager and System Center Essentials is that you can potentially distribute updates for just about anything.  For example, SCE 2010 has a wizard for adding catalogs for Dell, HP and Adobe products.  That means their system updates become something that can be distributed via Windows Updates!
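Before (and after) you approve Adobe updates from a catalog, it helps to know how many legacy Reader/Flash versions are really out there, the point raised both in the HM Treasury post above and in this one.  The PowerShell below is an added example, not code from the original post or from Adobe/Microsoft: it reads the uninstall registry keys on a set of PCs over PowerShell remoting and summarises the versions in use.  It assumes WinRM is enabled and the account is a local administrator on the targets; the computer names are constructed placeholders.

```powershell
# Added example (not from the original post): inventory installed Adobe Reader/Acrobat/Flash
# versions across a set of PCs to see how far behind the catalog's latest version they are.
# Assumes PowerShell remoting (WinRM) and local admin rights on the targets.
$Computers = 'PC01', 'PC02', 'PC03'                     # constructed placeholder names
$Pattern   = '^Adobe (Reader|Acrobat|Flash Player)'     # products to report on (regex)

$inventory = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ArgumentList $Pattern -ScriptBlock {
    param($Pattern)
    # Check both uninstall hives: Reader and Flash are 32-bit installs, so on x64 Windows
    # they register under Wow6432Node.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Pattern -and $_.DisplayVersion } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Product  = $_.DisplayName
                # Strip anything that is not a digit or dot so the string casts to [version]
                Version  = [version]($_.DisplayVersion -replace '[^\d.]')
            }
        }
}

# One line per product: newest version seen, how many versions are in use, and how many
# PCs are not on the newest one (the machines the catalog deployment still has to reach).
$inventory | Group-Object Product | ForEach-Object {
    $newest = ($_.Group | Sort-Object Version -Descending | Select-Object -First 1).Version
    [pscustomobject]@{
        Product       = $_.Name
        Newest        = $newest
        VersionsInUse = @($_.Group | Select-Object -ExpandProperty Version -Unique).Count
        BehindNewest  = @($_.Group | Where-Object { $_.Version -lt $newest }).Count
    }
} | Format-Table -AutoSize

# PCs that returned nothing (offline, WinRM off, no rights) need a follow-up of their own.
$Computers | Where-Object { $_ -notin $inventory.Computer }
```

Feed the computer list from Get-ADComputer once the account clean-up described earlier has been done; otherwise the “did not answer” list fills up with machines that no longer exist.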

Note: You would not want to do this for Hyper-V hosts – remember to treat them like change controlled mainframes.  Use your ability to filter update approvals using groups to control which machines will receive these updates automatically via Windows Update.

You are not limited to catalogs from the above companies.  You can even create your own catalog using the System Center Updates Publisher.  And some companies like IBM provide catalogs that you can add using their provided URLs.