Mike's Security Blog

  • WMF Zero Day Exploit

    Happy New Year!

    There has been a lot of local (and International) coverage on the WMF zero day exploit that came to light during the Christmas holidays (Dec 27th).

    The vulnerability affects the graphics rendering engine in Windows and could potentially allow malicious code embedded in a Windows Meta File image to be executed, resulting in complete compromise of a system. The vulnerability is not known to be wormable and, to be infected, the user would have to visit the attacker's website to view the image. There is an immediate workaround for Windows XP and Windows Server 2003 users that can be achieved by unregistering the Windows Picture and Fax Viewer (details on how to do this are contained in the document linked below).

    The security centre in the US are currently testing the required update and are now reasonably confident that the update will be released on Tuesday - Jan 10th. The delay is really down to the engineers testing and localising the update to make sure the update can be deployed effectively across all platforms with a minimum of downtime. Despite the press activity, we are seeing very low infection rates and this is why the update is being held for a full test cycle. There is a workaround immediately available at http://www.microsoft.com/technet/security/advisory/912840.mspx. There was a third party patch issued earlier in the week that has been endorsed by SANS; however, our recommendation is to wait until the tested update is released next week.

  • Patching patching patching

    Yesterday was December patch Tuesday in Microsoft world. Over a year ago now, we made the decision to make patching more predictable by only releasing security patches on the second Tuesday of each month. The idea was that if you knew that patches were coming, you could prepare yourself to test and deploy them and maybe build it into your own timetable. Coincidentally, I was looking through the local Irish customer satisfaction survey that we conducted during the Autumn. In the area of security, the issue that came up consistently was patch management. A few people thought that we had made leaps and bounds in how we handle security patches but the majority were dissatisfied with the perceived constant stream of security patches coming from us. My guess is that this is being driven by having the monthly patch release and I suspect that by the time a series of patches are downloaded, tested and deployed, the next set of critical patches have rolled around again. I'm genuinely interested in feedback on this - what do you hate about MS security patching? Do you use technology such as Microsoft Update and WSUS to download and deploy them? Does any other vendor out there do it better than we do? Drop me a mail at mike.hughes@microsoft.com and let me know.

    Since it's Christmas I'll leave with the (slightly) amusing joke someone emailed to me - I quote: "If Microsoft ran Christmas: each time you bought an ornament, you would have to buy the tree as well. You wouldn't have to take the tree but you would still have to pay for it anyway. Ornament 95 would weigh 1500Kg, would draw enough electricity to power a small town, take up 95% of the space in your living room and would claim to be the first ornament to use the colours red and green together. It would interrogate your other ornaments to find out who made them. Everyone would hate Microsoft ornaments but would have to buy them since 99% of the other tree type only worked with their hooks...." Who says computer jokes aren't funny?

  • makeitsecure day and conspiracy theories

    Today was makeITsecure day 2005. There was a lot of activity including a 600k booklet drop through the national press, a ministerial briefing with the CEOs of the organisations involved and a decent amount of PR activity and news pickup. We also had around 70 Microsoft and Dell security ambassadors out on the streets passing out guidance booklets and advice to anyone who needed any. I was pretty happy with the way the campaign has been received.

    Bizarrely, somebody sent me a copy of a discussion thread examining why we don't have any references to the Firefox browser on the site and why we appear to be dissing P2P music share sites. The general consensus being that because some of the sponsors are big corporates, we're trying to push people towards our own products. The reality is that we talk about web browsers in general and the only instance where we mention Internet Explorer is in explaining how to change the security settings. A lot of P2P file share sites are rife with spyware and that's a simple fact of life. The idea behind the campaign is to provide awareness and advice to non-technical people about what the threats are and how to mitigate them. Over the past months, we've had 48,000 page views to the site by 18,000 unique users... somebody finds this stuff useful! Of course we could have just done nothing at all...

  • makeITsecure Campaign 2005 - Ireland's National Security Day

    We launched the makeITsecure 2005 campaign last Wednesday with Noel Dempsey, Irish Minister for Communications. The initiative is a security awareness campaign targeted at Internet users in general with the aim of raising awareness about phishing, ID Theft, Spyware and Child Safety Online. It's funded by a consortium of partners too numerous to mention here - get the booklet on November 17th or visit the website at www.makeitsecure.ie if you're interested in seeing who's involved.

    I project managed the initiative last year and this year - two of the most challenging things I've ever done! It has to become a labour of love since you end up living with it night and day for two months. Last year, the campaign impressions were of the order of 30 million (not bad for a population of 4M) and this year the addition of TV advertising has brought this up to 50 million impressions.

    I'd be interested in any feedback on the TV, radio, press ads or on the site design itself. The biggest day of the campaign is on November 17th when we distribute over 1.3 million booklets through Irish national press and other channels. We also hope to have over 100 volunteers on the streets of Dublin, Galway, Limerick, Sligo and Cork distributing the booklets and chatting about the issues in shopping centres and pedestrian precincts. It goes without saying that there is a team of people working fingers to the bone behind the scenes to make it happen and I'm going to call out two people specifically who made such major contributions to the campaign:

    Orla Power in 2004 and Aisling Kearns this year!

    If you're interested in how we pulled this off two years in a row or if you want to start your own national campaign (!) and are looking for tips, drop me a mail.

  • Busy Security Week for Microsoft

    The past week has been a busy week in security for us in Ireland. Last Friday, we had Rafal Lukawiecki present at one of our events to coincide with the visit of Microsoft's CEO, Steve Ballmer, to Ireland as part of our 20th anniversary celebrations. This is the second time Rafal has presented to audiences in Ireland. Both times, the satisfaction scores for the events have been amazing. He obviously has a deep understanding of what he's presenting since he can make it so understandable - even for non-technical audience members. I have been to security presentations where the speakers have lost me in jargon within a few minutes. I always suspected that they resorted to obfuscation (no pun intended) because they didn't really understand what they were talking about (but maybe that's just me). If you haven't seen Rafal present, you can pick him up on recording at http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=18 .

    The second big announcement of the week was that we are finally showing what we are doing with some of the technology that we have acquired over the past couple of years. We have now passed Antigen for Exchange, based on the Sybari technology we recently acquired, through the Security Development Lifecycle review process. This means that the product, which will provide anti-spam and anti-virus protection for messaging and collaboration servers, will be available in beta in the coming months. The second product announcement was Microsoft Client Protection, which is designed to provide a one-stop shop for anti-spyware and anti-virus in a single package. The product won't be available until next year although there may be a beta in the next few months.

    Finally, last Tuesday was Patch Tuesday. Three critical patches on Windows... four important and three moderate. If you haven't deployed the patches, you can get them from www.microsoft.com/security and follow the links.

     

  • Microsoft's Security Incident Response System

    As part of my role in Microsoft Ireland, I own the Microsoft Security Incident Response Process. This is basically an early warning system that we activate if we are informed of a major security incident affecting the Internet, e.g. another Blaster-level incident. The early warning system allows me to send emails with details of the incident and steps on how to mitigate the threat to whoever is on my emergency response list. Currently, I have approximately 2000 contacts on this list. If you would like to add your details to the list, simply send me a mail with your details to Mike.hughes@microsoft.com.
  • Ireland's Top Security Guy?

    On Friday, I handed over the prize of a Toshiba Tablet PC to the Ireland Gatekeeper Competition winner - Jason Guy. The Gatekeeper was a security competition that tested the contestants' knowledge of security issues. It was run in 19 countries throughout Europe during June. Each day during the competition, a multiple choice question was posted on the Gatekeeper site. The contestant then had a limited time to answer the question and bonus points were awarded for how quickly they answered it. The final and twentieth question was open ended and the answer judged by a panel of security experts. Jason, who works for IBM, scored the highest out of the 120 Irish contestants and was 330 (out of his total of ~ 3600) points ahead of his nearest rival. Jason's entry was then put up against the other winning contestants throughout Europe. The final winner though was a guy from Poland who was only 90 points ahead of Jason. The top 50 from Ireland will all receive free magazine subscriptions to Win IT Pro Magazine - if they registered their details.

    So is Jason Ireland's top security expert? He doesn't claim to be so perhaps the others were too shy to enter.

    Mike

  • Microsoft Ireland New Security Programme Kicks Off

    Welcome to Mike's Security Blog. This is where you can keep up to date on Microsoft Ireland's local security programme.

    I'm currently in the process of kicking off our new security programme for this year (Microsoft fiscal years run from July to June). If you haven't come across the Microsoft Ireland security programme before: I run a mixture of free live events and live webcast training sessions on all aspects of IT security, maintain MS Ireland's security incident early warning programme and generally try to find as many ways as possible to get security guidance out to individuals and organisations throughout Ireland.

    The feedback from our event programme last year (thanks to everyone who participated in our session in July) was very clear in telling us that we need to provide a mix of fundamental security advice (what are the top 5 things I need to do right now and where can I get the tools to help me) and the much more technical topics (PKI, encryption, security in heterogeneous environments) delivered by security experts like Rafal Lukawiecki.

    So this year, I hope our team will deliver what you need and, of course, we're always receptive to feedback. The event programme starts on September 28th with the Seven Steps to Better Infrastructure Management (I know I said 5 earlier but we came up with 2 bonus steps for the first event). If you're having real problems keeping your infrastructure patched and keeping track of identity and access management - this is the event for you. The event is free, places are limited etc...

    The event takes place from 8.30am - 12.30pm at the Morrison Hotel Dublin and you can register at www.microsoft.com/ireland/security/events

