Latest security bulletin addresses vulnerability in AD FS

In the April 2015 Security Bulletin, Microsoft released an update for Active Directory Federation Services 3.0, which ships with Windows Server 2012 R2.

According to the documentation, the vulnerability would allow an attacker to gain access to an application, such as Office 365. Apparently the flaw is in the logoff process. As I understand it from the limited information available, although the user appears to have logged off, the logoff actually failed, allowing an attacker to re-use the existing token to access the application as that user.

Although the bulletin mentions that Microsoft has no knowledge of any cases where this vulnerability was exploited, I personally wouldn’t wait for it to happen to me… 🙂

More information can be found here: https://technet.microsoft.com/library/security/MS15-040
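To make the failure mode concrete, here is a constructed Python model of a token service, added to this post as an illustration. It is not AD FS code and does not reflect the patched implementation (the bulletin does not disclose it); the token format, the `jti` identifier and the two service classes are assumptions. The "broken" service reports a successful logoff without changing any server-side state, so a token captured earlier keeps working until it expires; the "fixed" service records the token id in a revocation list at logoff and rejects it afterwards. The `replay_after_logoff` helper is the check a defender would run against either implementation.

```python
"""Constructed model of a federation token service: a logoff that only reports
success versus one that actually revokes the token. Not AD FS code."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key; a real service keeps signing keys in an HSM or key store.
SIGNING_KEY = b"constructed-demo-signing-key"


def issue_token(user: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Issue a signed bearer token: base64url(JSON payload) + '.' + HMAC-SHA256 hex."""
    now = time.time() if now is None else now
    payload = {"sub": user, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def parse_token(token: str) -> Optional[dict]:
    """Return the payload if the signature verifies, else None."""
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


class BrokenSessionService:
    """Stateless validation: any signed, unexpired token is accepted.
    logoff() only *reports* success; nothing on the server changes, so a
    token obtained before logoff keeps granting access until it expires."""

    def logoff(self, token: str) -> bool:
        return parse_token(token) is not None  # looks like a logoff, changes nothing

    def access(self, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        payload = parse_token(token)
        return payload is not None and payload["exp"] > now


class FixedSessionService(BrokenSessionService):
    """Keeps a server-side revocation list keyed by token id (jti).
    logoff() records the id; access() checks it as well as the signature."""

    def __init__(self) -> None:
        self.revoked: set = set()

    def logoff(self, token: str) -> bool:
        payload = parse_token(token)
        if payload is None:
            return False
        self.revoked.add(payload["jti"])
        return True

    def access(self, token: str, now: Optional[float] = None) -> bool:
        payload = parse_token(token)
        if payload is None or payload["jti"] in self.revoked:
            return False
        return super().access(token, now)


def replay_after_logoff(service) -> bool:
    """Defender's check: does a token still grant access after the user logged off?"""
    token = issue_token("alice@example.com")  # constructed user
    assert service.access(token)
    assert service.logoff(token)
    return service.access(token)


if __name__ == "__main__":
    print("broken service accepts replay:", replay_after_logoff(BrokenSessionService()))
    print("fixed service accepts replay:", replay_after_logoff(FixedSessionService()))
```

The point of the model is that signature and expiry checks alone say nothing about whether the user is still logged on; a logoff must change state on the server (or at the issuer) and every access check must consult that state. The same `replay_after_logoff` style of check is a cheap regression test to keep around after applying a patch like this one.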


Microsoft rereleases MS13-061 Security Update for Exchange 2013

After last week's debacle, where the Security Update MS13-061 went (really) bad and had to be pulled, Microsoft rereleased the update today. This new version – let's call it v2 for a change (notice the sarcasm here) – contains a minor change; albeit one that makes a huge difference…

The initial version caused some registry settings to be overwritten incorrectly, whereas this version corrects that and keeps the registry settings intact (as it should). The details of these registry settings can be found here: KB 2879739

The update can be found below:

For more information, please consult the original announcement by the Exchange Product Team.


Microsoft releases a bunch of Rollup- and Security updates for Exchange

Moments ago, Microsoft released a bunch of Rollup Updates and (critical) security updates for Exchange:

  • Update Rollup 11 for Exchange Server 2007 SP3
  • Update Rollup 7 for Exchange Server 2010 SP2
  • Update Rollup 2 for Exchange Server 2010 SP3
  • Exchange Server 2013 RTM CU1 MSRC Security bulletin MS13-061
  • Exchange Server 2013 RTM CU2 MSRC Security bulletin MS13-061

By now, you should be familiar with the “traditional” way of how the Rollup Updates work for Exchange 2007 and 2010. New, however, are the security updates for Exchange 2013. As announced before, these security updates only have a limited scope within which they are supported.

As such, you’ll have to make sure that you are running either of the following Exchange 2013 versions:

  • Exchange 2013 RTM CU1
  • Exchange 2013 RTM CU2 v2

In case you’ve missed it: Yes, you need version 2 of CU2 for Exchange 2013 installed.

For more information on the updates, have a look at the original announcement here.

Security Update MS13-061

It seems that Oracle is once again to blame for the critical security update, which had already been announced a few days ago. As described on the Security Bulletin page, the vulnerability would allow remote code execution on your Exchange servers.

In fact, there are multiple vulnerabilities, two of which again have to do with WebReady Document Viewing (just like earlier this year). The third vulnerability exists because the feature called “Outside In” is also used by DLP.

I haven’t had the opportunity to read more about it, but if you want, the original announcement has been updated with more information:

Happy updating…!


Demo of spoofing attack shows that Android & iOS devices can be wiped due to untrusted SSL certificates

Articles at Ars Technica and Tweakers.net (Dutch) reported that Peter Hannay, an Australian security expert, demoed at the Black Hat conference how Android and iOS devices could be wiped by spoofing the connection to the Exchange server using untrusted SSL certificates:

Android devices that connect to an Exchange server with a self-signed certificate will connect to any server at its designated address, even when its SSL credential has been spoofed or contains invalid data. iOS devices fared only slightly better in Hannay’s tests: They issued a warning, but allowed users to connect anyway. Microsoft Windows Phone handsets, by contrast, issued an error and refused to allow the end user to connect.

For the attacker to succeed, he must be able to spoof the connection. This could easily be achieved by setting up an unsecured Wi-Fi network. Past Black Hat conferences have proven that people tend to connect to unsecured Wi-Fi networks, even if they do not know where they come from!

Hannay has developed an attack that uses a Wi-Fi network to implement a rogue server with a self-signed certificate, rather than one issued by a trusted certificate authority. Vulnerable devices on the same network that try to connect to their regular Exchange server won’t reach that intended destination. Instead, they will initiate communications with Hannay’s imposter machine.

Although the problem doesn’t seem to lie with the Exchange Server, I agree with Paul Cunningham’s point of view: I’m also curious to see how Microsoft will react to these findings.

ActiveSync in the future?

Crappy ActiveSync implementations have always been a thorn in Microsoft’s side. To “force” better implementations, they launched the ActiveSync Logo Program. However, it seems that the program somehow missed its target…

Although Exchange Server 2013 still supports ActiveSync, Dave Stork reported that Windows 8 still ships with version 14. This might indicate that Microsoft is reducing its effort to further develop ActiveSync. I wouldn’t be surprised if Microsoft is trying to shift away from ActiveSync in the future: that way they don’t have to deal with problems that are introduced by the bad implementation of ActiveSync in mobile devices.

However, I haven’t come across a worthy replacement for it in the Release Preview of Exchange Server 2013 yet… Time will tell, but I’m watching closely to see what’s still to come.

Until later!
