<p><strong><a href="/blogs/default.aspx">Trustworthy Computing Security and Privacy Blogs</a></strong></p>
<p>This page consolidates and features blogs from Microsoft’s Trustworthy Computing (TwC) group, the team charged with working to deliver more secure, private and reliable computing experiences to customers and the globe. Drop by to read about Microsoft’s long-term vision and strategy for computing privacy and security.</p>

<p><strong><a href="http://blogs.technet.com/b/mmpc/archive/2014/04/17/protection-metrics-trends-first-quarter-2014-results.aspx">Protection metrics trends – First quarter 2014 results</a></strong><br />Thu, 17 Apr 2014 22:14:25 GMT, msft-mmpc</p>
<p>It's been a few months since our last post on our metrics. I wanted to give you an update on families that are declining, new ones that are moving in, and on the way we're calculating our protection metrics to make them more accurate.</p>
<p>Overall, our infection impact (0.29% for January to March) has remained consistently low since December. A few families have declined, but others have moved into their place. Our incorrect detections have stayed under 0.001% and our performance metrics remain fairly consistent.</p>
<p><strong>Declining families</strong></p>
<p>The "Sefnit trio", mentioned in several of our <a href="http://blogs.technet.com/b/mmpc/archive/2014/01/14/protection-metrics-december-results.aspx">prior blog posts</a>, has declined significantly (although Sefnit itself picked up in March by exploring new distribution methods). At the peak in October 2013, these families contributed nearly one-fifth of the customer infections we saw that month. Now they are down to 7%.</p>
<p><strong>New families</strong></p>
<p>Spacekito and Clikug are recent additions. <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=MSIL/Spacekito#tab=2">Spacekito</a> is distributed through a software bundler and claims to be a "browser protector." It exfiltrates data about the system on which it's installed, serves ads, and aggressively reinstalls itself, so it's difficult for our customers to remove if they no longer want it.</p>
<p><a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader:Win32/Clikug.A">Clikug</a> uses your computer for click fraud, which runs in the background. You may simply notice that your computer is sluggish.</p>
<p><a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Zbot">Zbot</a> isn't new, but since late last year it has been aggressively distributed by <a href="http://www.microsoft.com/en-us/search/results.aspx?q=Upatre+site:http://www.microsoft.com/security/portal">Upatre</a> (through spam), another family that is edging up the ranks of our top 20 list of families impacting our customers.</p>
<p><a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Wysotot">Wysotot</a>, which we first mentioned in our <a href="http://blogs.technet.com/b/mmpc/archive/2013/12/23/protection-metrics-november-results.aspx">November results</a>, is also still a top player in terms of customer impact. Wysotot is typically installed on your computer through software bundlers that advertise free software or games.</p>
<p><strong>Protection metrics update</strong></p>
<p>You may notice a few changes on the <a href="http://www.microsoft.com/security/portal/mmpc/shared/protection.aspx">Evaluating our protection performance and capabilities page</a>: we've updated the way we calculate our infection and incorrect detection impact. In the past, we counted the number of computers that downloaded an update for one of our real-time protection products. Although most of our customers opt in to report threat telemetry to us, some don't.</p>
<p>In the past, our products weren't instrumented to give us accurate counts of people who opted to share their telemetry, so the potential population that could report a threat wasn't easy to discern – we had to rely on our update numbers.</p>
<p>In 2013, we shipped a new feature to alleviate this. Essentially, at regular intervals, computers running Microsoft antimalware that have opted to provide this information send a signal that lets us know they're still protected and helps us count the true number of computers that could report a threat to us.</p>
<p>The feature was deployed to all of our customers starting in July, so our new trends on the <a href="http://www.microsoft.com/security/portal/mmpc/shared/protection.aspx">Evaluating our protection performance and capabilities page</a> start in August 2013. This new denominator provides a much more accurate figure for our infection and incorrect detection impact.</p>
<p>In our upcoming <a href="http://www.microsoft.com/security/sir/">Security Intelligence Report</a> (SIRv16), we'll also be using this same denominator to report the malware encounter rate.</p>
<p>I hope this post provides you with insight into how we're measuring our protection and performance for our customers who choose us for protection. We truly strive to be transparent in how we measure ourselves, and also to provide our customers with an optimal balance of protection and performance.</p>
<p>-Holly Stewart<br />MMPC</p>

<p><strong><a href="http://blogs.msdn.com/b/accessibility/archive/2014/04/17/iaap-kicks-off.aspx">New Association of Accessibility Professionals Kicks Off Work with New Members and Great Support</a></strong><br />Thu, 17 Apr 2014 14:00:00 GMT, Daniel Hubbell - MSFT</p>
<p>This blog post was written by Rob Sinclair, Microsoft’s Chief Accessibility Officer. Rob is responsible for the company's worldwide strategy to develop software and services that make it easier for people of all ages and abilities to see, hear,... (<a href="http://blogs.msdn.com/b/accessibility/archive/2014/04/17/iaap-kicks-off.aspx">read more</a>)</p>

<p><strong><a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/04/15/the-evolving-pursuit-of-privacy.aspx">The Evolving Pursuit of Privacy</a></strong><br />Tue, 15 Apr 2014 18:07:50 GMT, Trusted Cloud Team</p>
<p><strong>By Brendon Lynch, Chief Privacy Officer, Microsoft</strong></p>
<p>In my role, I have the opportunity to discuss privacy with a wide variety of people – Microsoft’s customers and partners, policymakers, advocates and industry colleagues.
In recent weeks, I participated in many such conversations at the RSA Conference and the International Association of Privacy Professionals (IAPP) Global Privacy Summit. <a href="/b/trustworthycomputing/archive/2014/04/14/the-evolving-pursuit-of-privacy.aspx">See more&gt;&gt;</a>... (<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/04/15/the-evolving-pursuit-of-privacy.aspx">read more</a>)</p>
<p>Tags: practices, Brendon Lynch, scott charney, privacy and reliability, Standards, Trustworthy Computing, personal data, Data, Privacy</p>

<p><strong><a href="http://blogs.technet.com/b/security/archive/2014/04/15/new-microsoft-threat-modeling-tool-2014-now-available.aspx">New Microsoft Threat Modeling Tool 2014 Now Available</a></strong><br />Tue, 15 Apr 2014 17:09:58 GMT, Tim Rains - Microsoft</p>
<p>Today we’re announcing the release of the <strong><a href="http://download.microsoft.com/download/3/8/0/3800050D-2BE7-4222-8B22-AF91D073C4FA/MSThreatModelingTool2014.msi">Microsoft Threat Modeling Tool 2014</a></strong>. This is the latest version of the free <a href="/b/security/archive/2012/08/23/microsoft-s-free-security-tools-threat-modeling.aspx">Security Development Lifecycle Threat Modeling Tool</a> that was previously released in 2011.</p>
<p>More and more of the customers I have been talking to have been leveraging threat modeling as a systematic way to find design-level security and privacy weaknesses in the systems they are building and operating. Threat modeling is also used to help identify mitigations that can reduce the overall risk to a system and the data it processes. Once customers try threat modeling, they typically find it to be a useful addition to their approach to risk management.</p>
<p>We have been threat modeling at Microsoft for more than 10 years. It is a key piece of the design phase of the <a href="http://www.microsoft.com/security/sdl/default.aspx">Microsoft Security Development Lifecycle</a> (SDL). In 2011 we released the SDL Threat Modeling Tool, free of charge, to make it easier for customers and partners to threat model as part of their software development processes. The tool has been very popular and we have received a lot of positive customer feedback in addition to suggestions for improvement. <a href="/b/security/archive/2014/04/15/new-microsoft-threat-modeling-tool-2014-now-available.aspx">Read more</a>... (<a href="http://blogs.technet.com/b/security/archive/2014/04/15/new-microsoft-threat-modeling-tool-2014-now-available.aspx">read more</a>)</p>
<p>Tags: threat modeling tool, TMT, SDL, Security Development Lifecycle</p>

<p><strong><a href="http://blogs.msdn.com/b/sdl/archive/2014/04/15/introducing-microsoft-threat-modeling-tool-2014.aspx">Introducing Microsoft Threat Modeling Tool 2014</a></strong><br />Tue, 15 Apr 2014 17:00:00 GMT, SDL Team</p>
<p>Today, we are excited to announce the general availability of a new version of a very popular Security Development Lifecycle tool – <a href="http://download.microsoft.com/download/3/8/0/3800050D-2BE7-4222-8B22-AF91D073C4FA/MSThreatModelingTool2014.msi">Microsoft Threat Modeling Tool 2014</a>.
It’s available as a free download from the Microsoft Download Center <a href="http://download.microsoft.com/download/3/8/0/3800050D-2BE7-4222-8B22-AF91D073C4FA/MSThreatModelingTool2014.msi">here</a>.</p>
<p>Threat modeling is an invaluable part of the <a href="http://www.microsoft.com/security/sdl">Security Development Lifecycle</a> (SDL) process. We have discussed in the past how applying a structured approach to threat scenarios during the design phase of development helps teams identify security vulnerabilities more effectively and less expensively, determine the risks from those threats, and establish appropriate mitigations.</p>
<p>For those who would like more of an introduction to threat modeling, please visit <a href="http://msdn.microsoft.com/en-us/magazine/cc163519.aspx">Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach</a>. But, without further ado, let’s dig into the fun stuff – the new features of Threat Modeling Tool 2014.</p>
<p><strong>Microsoft Threat Modeling Tool 2014 - Changes and New Features</strong></p>
<p>Microsoft announced the general availability of the SDL Threat Modeling Tool v3.1.8 in 2011, which gave software development teams an approach to designing their security systems following the threat modeling process. <a href="http://download.microsoft.com/download/3/8/0/3800050D-2BE7-4222-8B22-AF91D073C4FA/MSThreatModelingTool2014.msi">Microsoft Threat Modeling Tool 2014</a> introduces many improvements and new features; see the highlights below.</p>
<p><strong>Figure 1. Microsoft Threat Modeling Tool 2014 Home Screen</strong></p>
<p><a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/2626.1.png"><img src="http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/2626.1.png" alt="Figure 1. Microsoft Threat Modeling Tool 2014 Home Screen" border="0" /></a></p>
<p><strong>NEW DRAWING SURFACE</strong><br />One of our goals with this release is to provide a simplified workflow for building a threat model and to remove existing dependencies. You’ll find an intuitive user interface with easy navigation between the different modes. The new version of the tool has a new drawing surface, and <strong>Microsoft Visio is no longer required</strong> to create new threat models. Using the Design View of the tool, you can create your data flow diagram using the included stencil set (see <strong>Figure 2</strong>).</p>
<p><strong>Figure 2. Microsoft Threat Modeling Tool 2014 - Design View</strong></p>
<p><a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/0268.2.png"><img src="http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/0268.2.png" alt="Figure 2. Microsoft Threat Modeling Tool 2014 - Design View" border="0" /></a></p>
<p><strong>MIGRATION FOR V3 THREAT MODELS</strong><br />Threat modeling is an iterative process. Development teams create threat models that evolve over time as systems and threats change. We wanted to make sure the new tool supports this flow. Microsoft Threat Modeling Tool 2014 offers migration of threat models created with version 3.1.8, which allows an easy update of existing threat models of security system designs. (NOTE: Microsoft Visio 2007 or later is required only for migrating threat models from v3.1.8.) Threat models created with the v3 version of the tool (.tms format) can be migrated to the new format (.tm4) (see <strong>Figure 3</strong>).</p>
<p><strong>Figure 3. Migrating v3 Threat Models</strong></p>
<p><a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/3426.3.png"><img src="http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/3426.3.png" alt="Figure 3. Migrating v3 Threat Models" border="0" /></a></p>
<p><strong>STRIDE PER INTERACTION</strong><br />One of the key changes we are introducing is an update to the threat generation logic. Previous versions of the tool took the approach of applying STRIDE per element. Microsoft Threat Modeling Tool 2014 uses the STRIDE categories but generates threats based on the interaction between elements. We take into consideration the type of elements used on the diagram (e.g. processes, data stores, etc.) and what type of data flows connect these elements. When in Analysis View, the tool shows the suggested threats for your data flow diagram in a simple grid (see <strong>Figure 4</strong>).</p>
<p><strong>Figure 4. Microsoft Threat Modeling Tool 2014 – Analysis View</strong></p>
<p><a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/6557.4.png"><img src="http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/6557.4.png" alt="Figure 4. Microsoft Threat Modeling Tool 2014 – Analysis View" border="0" /></a></p>
<p><strong>DEFINE YOUR OWN THREATS</strong><br />Microsoft Threat Modeling Tool 2014 comes with a base set of threat definitions using the STRIDE categories. This set includes only suggested threat definitions and mitigations, which are generated automatically to show potential security vulnerabilities in your data flow diagram. You should analyze your threat model with your team to ensure you have addressed all potential security pitfalls. To offer more flexibility, Microsoft Threat Modeling Tool 2014 gives users the option to add their own threats related to their specific domain. This means users can extend the base set of threat definitions by authoring the provided XML format. For details on adding your own threats, see the Threat Modeling Tool SDK. With this feature, we have higher confidence that our users can get the best possible picture of their threat landscape (see <strong>Figure 5</strong>).</p>
<p><strong>Figure 5. Threat Model Definitions Grammar in Backus-Naur Form (BNF)</strong></p>
<p><a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/0243.5.png"><img src="http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/0243.5.png" alt="Figure 5. Threat Model Definitions Grammar in Backus-Naur Form (BNF)" border="0" /></a></p>
<p>We hope these new enhancements in <a href="http://download.microsoft.com/download/3/8/0/3800050D-2BE7-4222-8B22-AF91D073C4FA/MSThreatModelingTool2014.msi">Microsoft Threat Modeling Tool 2014</a> will provide greater flexibility and help you effectively implement the SDL process in your organization.</p>
<p>Thank you to all who helped ship this release through internal and external feedback. Your input was critical to improving the tool and the customer experience.</p>
<p><strong>For more information and additional resources, visit:</strong></p>
<ul>
<li><a href="http://www.microsoft.com/security/sdl">Microsoft Security Development Lifecycle (SDL)</a></li>
<li><a href="http://msdn.microsoft.com/en-us/magazine/cc163519.aspx">Uncover Security Design Flaws Using the STRIDE Approach</a></li>
<li><a href="http://www.microsoft.com/security/sdl/adopt/eop.aspx">Getting Started with Threat Modeling: Elevation of Privilege (EoP) Game</a></li>
<li><a href="http://msdn.microsoft.com/en-us/magazine/cc700352.aspx">Reinvigorate your Threat Modeling Process</a></li>
<li><a href="http://msdn.microsoft.com/en-us/magazine/dd148644.aspx">Threat Models Improve Your Security Process</a></li>
<li><a href="http://threatmodelingbook.com/">Threat Modeling: Designing for Security (BOOK)</a></li>
</ul>
<p><strong>Emil Karafezov</strong> is a Program Manager on the Secure Development Tools and Policies
team at Microsoft. He’s responsible for the Threat Modeling component of the Security Development Lifecycle (SDL).</p>
<p>Tags: Threat Modeling Tool, STRIDE, TMT, Threat Modeling Tool 2014</p>

<p><strong><a href="http://blogs.msdn.com/b/sdl/archive/2014/04/15/sdl-process-templates-for-visual-studio-team-foundation-server-2013.aspx">SDL Process Templates for Visual Studio Team Foundation Server 2013</a></strong><br />Tue, 15 Apr 2014 17:00:00 GMT, SDL Team</p>
<p>Today, we are excited to announce the general availability of a new version of the SDL process templates:</p>
<ul>
<li><a href="http://download.microsoft.com/download/6/B/1/6B17D961-2207-4AA7-B043-019C041E9966/MSF for Agile 2013 plus Security Development Lifecycle.msi">Microsoft Solutions Framework (MSF) for Agile 2013 plus Security Development Lifecycle (SDL)</a></li>
<li><a href="http://download.microsoft.com/download/F/C/C/FCC3BD51-AAB4-4AF2-A628-4197492C67CD/MSF for CMMI 2013 plus Security Development Lifecycle.msi">Microsoft Solutions Framework (MSF) for Capability Maturity Model Integration (CMMI) 2013 plus Security Development Lifecycle (SDL)</a></li>
</ul>
<p>This version of the SDL Process Templates is specific to the <a href="http://msdn.microsoft.com/en-us/security/cc420639.aspx">Microsoft Security Development Lifecycle version 5.2</a>.</p>
<p>The SDL Process Templates automatically integrate the policy, process and tools associated with the Microsoft Security Development Lifecycle (SDL) into <a href="http://www.visualstudio.com/en-us/visual-studio-homepage-vs.aspx">Visual Studio 2013</a> and <a href="http://msdn.microsoft.com/en-us/vstudio/ff637362.aspx">Visual Studio Team Foundation Server</a> (TFS). With the process templates, code checked into the Visual Studio TFS source repository by the developer is analyzed to ensure that it complies with SDL secure development practices. The templates also create security workflow tracking items for manual SDL processes such as threat modeling, to ensure that these important security activities are not accidentally skipped or forgotten.</p>
<p>The SDL Process Templates include:</p>
<ul>
<li>SDL-based customized check-in policies</li>
<li>Security work items</li>
<li>Security dashboard</li>
<li>Integration with SDL process guidance</li>
<li>Customized security queries</li>
</ul>
<p><strong>Figure 1. Visual Studio 2013 Team Foundation Server Security Dashboard</strong></p>
<p><a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/7522.6.png"><img src="http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/7522.6.png" alt="Figure 1. Visual Studio 2013 Team Foundation Server Security Dashboard" border="0" /></a></p>
<p><strong>Eases the adoption of the SDL</strong><br />The SDL Process Templates automate the creation of SDL requirements and enable development teams to begin adopting the SDL process without having to be fully trained on the SDL. They integrate the SDL into everyday tasks by using the existing development environment (Visual Studio) and the project-wide framework (TFS) in a way that is familiar to program managers and testers, as well as developers.</p>
<p><strong>Provides auditable security requirements and status</strong><br />The SDL Process Templates include the Security Dashboard, which provides an up-to-the-minute overview of security issues and status for all security requirements associated with a project. This report allows management to document and verify that SDL requirements were met prior to a product’s release.</p>
<p><strong>Demonstrates security return on investment</strong><br />The SDL Process Templates allow for the integration of third-party tools that work with TFS. Through reporting, the template provides data that allows you to assess the effectiveness of your security tools. In addition, the template enables you to experience the benefits of the SDL by discovering security issues early in your development lifecycle, reducing the total cost of development.</p>
<p>Tags: Process Templates for Visual Studio</p>

<p><strong><a href="http://blogs.msdn.com/b/accessibility/archive/2014/04/15/new-story-explores-braille-s-role-and-use-in-accessible-technology-and-the-digital-age.aspx">New Story Explores Braille’s Role and Use in Accessible Technology and the Digital Age</a></strong><br />Tue, 15 Apr 2014 16:18:00 GMT, Daniel Hubbell - MSFT</p>
<p>In some ways Braille was one of the original accessible technologies, one that opened up a universe of books and reading material to blind readers. The explosion of modern technology, though, is changing how Braille is used.
A new story by NPR explores... (<a href="http://blogs.msdn.com/b/accessibility/archive/2014/04/15/new-story-explores-braille-s-role-and-use-in-accessible-technology-and-the-digital-age.aspx">read more</a>)</p>

<p><strong><a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/04/15/security-improvements-in-windows-8.aspx">Security improvements in Windows 8</a></strong><br />Tue, 15 Apr 2014 16:13:00 GMT, Eve Blakemore</p>
<p><a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/04/08/get-security-updates-for-april-2014.aspx">Support ended for Windows XP</a> last week. That means technical assistance for Windows XP is no longer available, including automatic updates that help protect your PC.</p>
<p>To stay protected, you can upgrade your current computer or buy a new one. Windows 8.1 Update runs on a wider variety of devices, so you'll have more to choose from, including budget-friendly laptops and tablets.</p>
<p style="text-align: center;"><a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-72-21/4478.defenderlogo.jpg"><img src="http://blogs.msdn.com/resized-image.ashx/__size/50x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-72-21/4478.defenderlogo.jpg" alt="" border="0" /></a> <a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-72-21/3644.shieldlogo.jpg"><img src="http://blogs.msdn.com/resized-image.ashx/__size/50x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-72-21/3644.shieldlogo.jpg" alt="" border="0" /></a> <a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-72-21/0003.flaglogo.jpg"><img src="http://blogs.msdn.com/resized-image.ashx/__size/50x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-72-21/0003.flaglogo.jpg" alt="" border="0" /></a></p>
<p><strong>Windows 8 security and safety features</strong></p>
<p><strong>Windows Update installs important updates as they become available.</strong> Windows 8 turns on automatic updating as part of the initial setup process. Keep in mind that Windows Update won't add any applications to your computer without asking for your permission. Get more <a href="http://windows.microsoft.com/en-us/windows-8/windows-update-faq#1TC=t1">answers to your Windows Update questions</a>.</p>
<p><strong>Help keep your family safer.</strong> With Windows 8, you can monitor your children’s Internet use, choose which games or apps they can access, and block or allow access to certain websites. <a href="http://www.microsoft.com/security/pc-security/windows8.aspx#family">Keep track of your kids online</a>.</p>
<p><strong>Antivirus protection is now included for your PC.</strong> <a href="http://windows.microsoft.com/en-us/windows-8/how-find-remove-virus#1TC=t1">Windows Defender, which is built in to Windows 8</a>, replaces Microsoft Security Essentials. It runs in the background and notifies you when you need to take specific action.</p>
<p><a href="http://windows.microsoft.com/en-us/windows-8/security-checklist-windows">Learn about other ways to keep your PC safer from viruses with Windows 8</a></p>
<p><a href="http://www.microsoftstore.com/store/msusa/en_US/cat/categoryID.67770000/offerID.42494569909?siteID=Emv4RLEHREc-zzWiHukG3X4YHaoVYBzXZQ#shop-computers&amp;siteID=Emv4RLEHREc-auRvW0feiBW8W8bQaqaCSg">Buying a new PC? Save $100 when you buy any Surface Pro 2 or select PCs over $599</a></p>
<p>Tags: Windows Defender, child safety, family, automatic updating, Automatic Updates, antivirus software, Microsoft, Windows 8</p>

<p><strong><a href="http://blogs.technet.com/b/msrc/archive/2014/04/11/april-2014-security-bulletin-webcast-and-q-amp-a.aspx">April 2014 Security Bulletin Webcast and Q&amp;A</a></strong><br />Fri, 11 Apr 2014 20:40:00 GMT, Dustin C. Childs</p>
<p>Today we published the <a href="http://blogs.technet.com/b/msrc/p/april-2014-security-bulletin-q-a.aspx">April 2013 Security Bulletin Webcast Questions &amp; Answers page</a>. We answered 13 questions in total, with the majority focusing on the update for Internet Explorer (<a href="https://technet.microsoft.com/security/bulletin/ms14-018">MS14-018</a>) and the Windows 8.1 Update (<a href="http://support.microsoft.com/kb/2919355">KB2919355</a>). Two questions that were not answered on air have been included on the Q&amp;A page.</p>
<p>Here is the <a href="http://www.youtube.com/v/DpKwsISWMjA?version=3&amp;hl=en_US">video replay</a>.</p>
<p>For those of you following the ongoing investigation around the industry-wide issue known as “Heartbleed,” please refer to <a href="http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx">this post</a> on the Microsoft Security Blog for the status of our investigation.</p>
<p>We invite you to join us for the next scheduled webcast on Wednesday, May 14, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the May bulletin release and answer your bulletin deployment questions live on the air.</p>
<p>You can register to attend the webcast at the link below:</p>
<p><b>Date: Wednesday, May 14, 2014<br />Time: 11:00 a.m. PDT (UTC -7)<br />Register: </b><a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572979&amp;Culture=en-US"><b>Attendee Registration</b></a></p>
<p>I look forward to seeing you next month.</p>
<p>Thanks,<br /><a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br />Group Manager, Response Communications<br />Microsoft Trustworthy Computing</p>
<p>Tags: Microsoft Windows, Bulletin Webcast, Security Bulletin Webcast, Internet Explorer (IE), Microsoft Office</p>

<p><strong><a href="http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx">Microsoft Services unaffected by OpenSSL "Heartbleed" vulnerability</a></strong><br />Thu, 10 Apr 2014 21:03:00 GMT, Microsoft Security Staff</p>
<p>Posted by: <strong>Tracey Pretorius,</strong> Director, Trustworthy Computing</p>
<p>On April 8, 2014, security researchers announced a flaw in the OpenSSL encryption software library used by many websites to protect customers’ data. The vulnerability, known as “Heartbleed,” could potentially allow a cyberattacker to access a website’s customer data along with traffic encryption keys.</p>
<p>After a thorough investigation, Microsoft determined that Microsoft Account, Microsoft Azure, Office 365, Yammer and Skype, along with most Microsoft Services, are not impacted by the OpenSSL “Heartbleed” vulnerability. Windows’ implementation of SSL/TLS is also not impacted.
A few Services continue to be reviewed and updated with further protections. <a href="/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3627193&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">Microsoft SecurityOpenSSLencryption keysHeartbleedOpenSSL encryption software library Heartbleed: What you need to knowhttp://blogs.msdn.com/b/securitytipstalk/archive/2014/04/10/heartbleed-what-you-need-to-know.aspxThu, 10 Apr 2014 21:00:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10516237Eve Blakemore13http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10516237http://blogs.msdn.com/b/securitytipstalk/archive/2014/04/10/heartbleed-what-you-need-to-know.aspx#comments<p>On April 8, 2014, security researchers announced a flaw in the software that is used to protect your information on the web. The vulnerability, known as &ldquo;Heartbleed,&rdquo; could potentially allow a cyberattacker to access personal information.</p> <p>After a thorough investigation, Microsoft determined that Microsoft Account, Microsoft Azure, Office 365, Yammer, and Skype, along with most Microsoft Services, are not impacted by the &ldquo;Heartbleed&rdquo; vulnerability. 
A few services continue to be reviewed and updated with further protections.</p> <p>We encourage you to <a href="http://www.microsoft.com/security/online-privacy/finances-rules.aspx">be careful what information you&nbsp;provide to websites</a> and help protect the security of your online accounts by using different passwords for different websites, changing your passwords often, and making your passwords <a href="https://www.microsoft.com/security/pc-security/password-checker.aspx">as complex as possible</a>.</p> <p>For more information, see<a href="http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx"> Microsoft Services unaffected by Open SSL "Heartbleed" vulnerability</a>.</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10516237" width="1" height="1">fraudid theftprivacyInternet ExplorersecuritypasswordsMicrosoftHTTPSHeartbleed TechNet Radio: IT Time - The Risk of Running Windows XP After Support Endshttp://blogs.technet.com/b/security/archive/2014/04/10/technet-radio-it-time-the-risk-of-running-windows-xp-after-support-ends2.aspxThu, 10 Apr 2014 20:42:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:23cd2f89-12f0-497c-b8f4-8d5c88fce0d2Microsoft Security Staff0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3627191http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3627191http://blogs.technet.com/b/security/archive/2014/04/10/technet-radio-it-time-the-risk-of-running-windows-xp-after-support-ends2.aspx#comments<p>On Monday, Tim Rains was featured on TechNet Radio in which he discussed &ldquo;The Risk of Running Windows XP After Support Ends&rdquo; with Blain Barton, Senior Technical Evangelist at Microsoft.&nbsp; This is a recommended video for any IT Professionals currently using Windows XP today in their environment.&nbsp; Questions covered in the discussion include:</p> <ul> <li><span style="font-size:small;">[<a 
href="http://channel9.msdn.com/Shows/TechNet+Radio/TechNet-Radio-IT-Time-The-Risk-of-Running-Windows-XP-After-Support-Ends#time=3m44s">3:44</a>] What kinds of security risks may folks face as support for XP ends?</span></li> <li><span style="font-size:small;">[<a href="http://channel9.msdn.com/Shows/TechNet+Radio/TechNet-Radio-IT-Time-The-Risk-of-Running-Windows-XP-After-Support-Ends#time=4m48s">4:48</a>] How does Microsoft protect its customers from security threats?</span></li> <li><span style="font-size:small;">[<a href="http://channel9.msdn.com/Shows/TechNet+Radio/TechNet-Radio-IT-Time-The-Risk-of-Running-Windows-XP-After-Support-Ends#time=6m11s">6:11</a>] What exactly does Windows XP end of support mean?</span></li> <li><span style="font-size:small;">[<a href="http://channel9.msdn.com/Shows/TechNet+Radio/TechNet-Radio-IT-Time-The-Risk-of-Running-Windows-XP-After-Support-Ends#time=8m38s">8:38</a>] What is the risk of continuing to run XP?</span></li> <li><span style="font-size:small;">[<a href="http://channel9.msdn.com/Shows/TechNet+Radio/TechNet-Radio-IT-Time-The-Risk-of-Running-Windows-XP-After-Support-Ends#time=14m48s">14:48</a>] What motivates cyber attackers?</span></li> <li><span style="font-size:small;">[<a href="http://channel9.msdn.com/Shows/TechNet+Radio/TechNet-Radio-IT-Time-The-Risk-of-Running-Windows-XP-After-Support-Ends#time=18m17s">18:17</a>] What is ransomware?</span></li> <li><span style="font-size:small;">[<a href="http://channel9.msdn.com/Shows/TechNet+Radio/TechNet-Radio-IT-Time-The-Risk-of-Running-Windows-XP-After-Support-Ends#time=21m48s">21:48</a>] What are some typical threats users should expect against Windows XP?</span></li> <li><span style="font-size:small;">[<a href="http://channel9.msdn.com/Shows/TechNet+Radio/TechNet-Radio-IT-Time-The-Risk-of-Running-Windows-XP-After-Support-Ends#time=30m26s">30:26</a>] What should people do if they&rsquo;re running Windows XP?</span></li> </ul> <p><a 
href="/b/security/archive/2014/04/10/technet-radio-it-time-the-risk-of-running-windows-xp-after-support-ends2.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/04/10/technet-radio-it-time-the-risk-of-running-windows-xp-after-support-ends2.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3627191&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">TechNet Radio: IT TimeWindows XP End of SupportThe risk of running Windows XP after support ends Microsoft's cloud contracts approved by European privacy authorities http://blogs.technet.com/b/trustworthycomputing/archive/2014/04/10/article-29-working-group-says-microsoft-cloud-in-line-with-eu-data-protection-law.aspxThu, 10 Apr 2014 20:03:53 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:c2d94518-e2d5-4a6a-b5f0-70d5f4a11b97Trusted Cloud Team0<p><strong>By Brendon Lynch, Chief Privacy Officer, Microsoft</strong></p> <p>A big milestone was achieved this week.&nbsp; The <a href="http://ec.europa.eu/justice/data-protection/article-29/index_en.htm" target="_blank">Article 29 Working Party,</a> a collection of 28 European Union data protection authorities, announced that Microsoft&rsquo;s contractual approach to enterprise cloud services is in line with EU data protection law.&nbsp;&nbsp; <a href="/b/trustworthycomputing/archive/2014/04/04/article-29-working-group-says-microsoft-cloud-in-line-with-eu-data-protection-law.aspx" target="_blank">See more &gt;&gt;</a></p> <p></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/04/10/article-29-working-group-says-microsoft-cloud-in-line-with-eu-data-protection-law.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3626738&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">Brendon LynchCloudTrustBig DataStandardsCloud Computingcloud servicesMicrosoftpersonal dataDataEuropePrivacyMicrosoft Cloud Solutions Assistive Technology Helps Workers with Dyslexia on the 
Jobhttp://blogs.msdn.com/b/accessibility/archive/2014/04/10/assistive-technology-helps-workers-with-dyslexia-on-the-job.aspxThu, 10 Apr 2014 14:43:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10514222Daniel Hubbell - MSFT1http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10514222http://blogs.msdn.com/b/accessibility/archive/2014/04/10/assistive-technology-helps-workers-with-dyslexia-on-the-job.aspx#commentsThe following blog post was written by Erin Beneteau, a senior learning and development strategist for accessibility at Microsoft. Erin has worked in the field of assistive technology for over 15 years. (Note: This story is based on my experience, but...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/04/10/assistive-technology-helps-workers-with-dyslexia-on-the-job.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10514222" width="1" height="1"> Protecting Point of Sale Devices from Targeted Attackshttp://blogs.technet.com/b/security/archive/2014/04/09/protecting-point-of-sale-devices-from-targeted-attack.aspxWed, 09 Apr 2014 15:59:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3e4441dc-6d7a-49d5-81ba-a1ff2db36b89Microsoft Security Staff0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3626103http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3626103http://blogs.technet.com/b/security/archive/2014/04/09/protecting-point-of-sale-devices-from-targeted-attack.aspx#comments<p>Posted by: <strong>Sean Finnegan</strong> Director, Cybersecurity</p> <p>Last week, we published a paper on &ldquo;<a href="http://enterprise.blob.core.windows.net/whitepapers/Retail-Threat-Modeling.pdf">Threat Modeling a Retail Environment</a>.&rdquo; The intent of this paper was to help provide the retail industry with risk and mitigation guidance that could be applied in their environment where there is a unique set of requirements and challenges.&nbsp; As a follow on to that information, today we published a new 
paper focused on &ldquo;<strong><a href="http://aka.ms/protectingpos">Protecting Point of Sale Devices from Targeted Attacks</a></strong>.&rdquo;&nbsp; Given that point of sale (POS) devices were the focus of many recent targeted attacks in the retail industry, we thought this guidance would be helpful.&nbsp;<a href="/b/security/archive/2014/04/01/protecting-point-of-sale-devices-from-targeted-attack.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/04/09/protecting-point-of-sale-devices-from-targeted-attack.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3626103&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">Threat modeling retailRetail and SecurityTargeted AttacksPoint of Sale attacks Get the latest security updates and find out what to do if your computer is running Windows XPhttp://blogs.msdn.com/b/securitytipstalk/archive/2014/04/08/get-security-updates-for-april-2014.aspxTue, 08 Apr 2014 17:32:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10509555Eve Blakemore75http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10509555http://blogs.msdn.com/b/securitytipstalk/archive/2014/04/08/get-security-updates-for-april-2014.aspx#comments<p>Microsoft releases security updates on the second Tuesday of every month.</p> <ul> <li><a href="http://www.microsoft.com/security/pc-security/updates.aspx">Learn how to get security updates automatically</a></li> <li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms14-apr">For IT Pros: Microsoft Security Bulletin Summary for April 2014</a></li> </ul> <h1>Support for Windows XP has ended</h1> <p>Microsoft has provided support for Windows&nbsp;XP for the past 12 years. 
But the time has come for us, along with our hardware and software partners, to invest our resources toward supporting more recent technologies so that we can continue to deliver great new experiences.</p> <p>As a result, technical assistance for Windows&nbsp;XP will no longer be available, including automatic updates that help protect your PC. Microsoft will also stop providing&nbsp;<a href="http://windows.microsoft.com/en-us/windows/security-essentials-download">Microsoft Security Essentials</a>&nbsp;for download on Windows&nbsp;XP on this date. (If you already have Microsoft Security Essentials installed, you will continue to receive antimalware signature updates for a limited time, but this does not mean that your PC will be secure because Microsoft will no longer provide security updates to help protect your PC.)</p> <p><strong>More information</strong></p> <ul> <li><a href="http://blogs.technet.com/b/security/archive/2014/03/24/cyber-threats-to-windows-xp-and-guidance-for-small-businesses-and-individual-consumers.aspx">Learn about cyber threats that can affect computers that are still running Windows XP</a>.</li> <li><a href="http://windows.microsoft.com/en-us/windows-8/meet">Get more information about upgrading to Windows 8.</a></li> <li><a href="http://www.microsoftstore.com/store/msusa/en_US/cat/categoryID.67770000/offerID.42494569909?siteID=Emv4RLEHREc-zzWiHukG3X4YHaoVYBzXZQ#shop-computers&amp;siteID=Emv4RLEHREc-auRvW0feiBW8W8bQaqaCSg">Buying a new PC? 
Save $100 when you buy any Surface Pro 2 or select PCs over $599</a>.</li> </ul><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10509555" width="1" height="1">updatesspywareWindows DefendervirusInternet Explorerautomatic updatingAutomatic UpdatessecurityWindows 7Windows Updateantivirus softwarepatch Tuesdaycybersecuritytech supportWindows XPWindows 8Surface Pro 2 Microsoft’s Ann Marie Rohaly Wins National Broadcasting Award for Her Closed Captioning Work http://blogs.msdn.com/b/accessibility/archive/2014/04/08/national-broadcasting-award.aspxTue, 08 Apr 2014 17:21:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10514213Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10514213http://blogs.msdn.com/b/accessibility/archive/2014/04/08/national-broadcasting-award.aspx#commentsThe following blog post was written by Paul Nyhan, a staff writer with the Microsoft Accessibility Blog. Paul is a 20-year journalism veteran who has written extensively about disability issues. 
----- One of Microsoft&rsquo;s leaders in accessibility...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/04/08/national-broadcasting-award.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10514213" width="1" height="1"> MS14-019 – Fixing a binary hijacking via .cmd or .bat filehttp://blogs.technet.com/b/srd/archive/2014/04/08/ms14-019-fixing-a-binary-hijacking-via-cmd-or-bat-file.aspxTue, 08 Apr 2014 17:10:03 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:037a8636-d816-470d-b8f4-5bad8e479ebcswiat0<p style="text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">Command (.cmd) and batch (.bat) files can be directly provided as input to the </span><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx"><span style="font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"><span style="color:#0000ff;">CreateProcess</span></span></a><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"> as if it is an executable. 
</span><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx"><span style="font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"><span style="color:#0000ff;">CreateProcess</span></span></a><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"> automatically uses cmd.exe to run the input .cmd or .bat file.</span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">&nbsp;</span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">Today, with bulletin <a href="http://technet.microsoft.com/security/bulletin/MS14-019">MS14-019</a>, we are fixing a vulnerability where, in a particular scenario, it is possible to hijack cmd.exe with a copy present in the attacker-controlled current working directory (CWD) of an affected application. </span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">&nbsp;</span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">The typical attack vector for this vulnerability is the same as for DLL hijacking, i.e., opening an application-specific file on a WebDAV/SMB share, which invokes the targeted application automatically because of the file association. 
The targeted application is vulnerable only if it ever calls </span><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx"><span style="font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"><span style="color:#0000ff;">CreateProcess</span></span></a><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"> on a .cmd or .bat file, irrespective of where that file is located. That means the attacker need not control the .cmd or .bat file. Another precondition for exploiting this vulnerability is that the application sets the directory from which the associated file was opened as its CWD. </span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">&nbsp;</span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">At present we are not aware of any application that is affected by this vulnerability. But we understand the security issue it can pose to some applications, so we are addressing it with an Important-severity bulletin. </span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">&nbsp;</span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">The way we are fixing this issue is to always invoke the system version of cmd.exe for the input .cmd or .bat file during process creation. 
This fix could affect applications that call </span><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx"><span style="font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"><span style="color:#0000ff;">CreateProcess</span></span></a><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"> on a .bat or .cmd file directly and depend on a version of cmd.exe other than the one present in the System directory, by copying it into either the application directory or the CWD. Such applications should pass the fully qualified path to their version of cmd.exe as input when calling </span><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx"><span style="font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"><span style="color:#0000ff;">CreateProcess</span></span></a><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">, and pass the .cmd or .bat file as an input parameter. </span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">&nbsp;</span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">Applications that pass just cmd.exe to </span><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx"><span style="font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"><span style="color:#0000ff;">CreateProcess</span></span></a><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"> to run the .cmd or .bat file could also be vulnerable to similar binary hijacking. This bulletin does not address such vulnerable usage, since it is an application-specific problem: those applications are not passing the fully qualified system path to cmd.exe. 
Such applications should be fixed to pass the fully qualified cmd.exe path, or to just pass the .cmd or .bat file as input.</span></p> <p style="margin:0in 0in 8pt;text-align:justify;"><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <p style="text-align:justify;">- Swamy Shivaganga Nagaraju, MSRC engineering team</p> <p style="text-align:justify;"></p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3626892&AppID=6147&AppType=Weblog&ContentType=0" width="1" height="1">MS14-019 CMD BAT CreateProcess Assessing risk for the April 2014 security updates http://blogs.technet.com/b/srd/archive/2014/04/08/assessing-risk-for-the-april-2014-security-updates.aspxTue, 08 Apr 2014 17:09:51 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:82e7006c-ed10-40fe-b947-6cb57fa1dee1swiat0<p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;">Today we released four security bulletins addressing 11 unique CVEs.&nbsp; Two bulletins have a maximum severity rating of Critical, while the other two have a maximum severity rating of Important. 
We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.</span></p> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <table style="border-width:1px;border-style:solid;width:669px;height:82px;" border="1"> <tbody> <tr> <td><span style="font-size:medium;"><strong>Bulletin</strong></span></td> <td><span style="font-size:medium;"><strong>Most likely attack vector</strong></span></td> <td><span style="font-size:medium;"><strong>Max Bulletin Severity</strong></span></td> <td><span style="font-size:medium;"><strong>Max exploitability</strong></span></td> <td><span style="font-size:medium;"><strong>Likely first 30 days impact</strong></span></td> <td><span style="font-size:medium;"><strong>Platform mitigations and key notes</strong></span></td> </tr> <tr> <td> <p><span style="font-size:medium;"><a href="http://technet.microsoft.com/security/bulletin/MS14-017">MS14-017</a></span></p> <span style="font-family:Times New Roman;font-size:medium;"></span> <p><span style="font-size:medium;">(Word)</span></p> </td> <td><span style="font-size:medium;">Victim opens a malicious RTF or DOC/DOCX file.</span></td> <td><span style="font-size:medium;">Critical</span></td> <td>1</td> <td><span style="font-size:medium;">Likely to continue to see RTF and DOC based exploits for CVE-2014-1761.</span></td> <td><span style="font-size:medium;">Addresses vulnerability described by <a href="http://technet.microsoft.com/en-us/security/advisory/2953095">Security Advisory 2953095</a>, an issue under targeted attack.</span></td> </tr> <tr> <td> <p><span style="font-size:medium;"><a href="http://technet.microsoft.com/security/bulletin/MS14-018">MS14-018</a></span></p> <span style="font-family:Times New Roman;font-size:medium;"></span> <p><span style="font-size:medium;">(Internet Explorer)</span></p> </td> <td><span style="font-size:medium;">Victim browses to a malicious webpage.</span></td> <td><span 
style="font-size:medium;">Critical</span></td> <td>1</td> <td><span style="font-size:medium;">Likely to see reliable exploits developed within next 30 days.</span></td> <td></td> </tr> <tr> <td> <p><span style="font-size:medium;"><a href="http://technet.microsoft.com/security/bulletin/MS14-020">MS14-020</a></span></p> <span style="font-family:Times New Roman;font-size:medium;"></span> <p><span style="font-size:medium;">(Publisher)</span></p> </td> <td><span style="font-size:medium;">Victim opens malicious Publisher (.PUB) file.</span></td> <td><span style="font-size:medium;">Important</span></td> <td>1</td> <td><span style="font-size:medium;">While we may see reliable exploits developed within the next 30 days, unlikely to see widespread exploitation due to limited deployment of Publisher.</span></td> <td></td> </tr> <tr> <td> <p><span style="font-size:medium;"><a href="http://technet.microsoft.com/security/bulletin/MS14-019">MS14-019</a></span></p> <span style="font-family:Times New Roman;font-size:medium;"></span> <p><span style="font-size:medium;">(Windows File Handling)</span></p> </td> <td><span style="font-size:medium;">Attacker places malicious .bat and/or .cmd file on a network share from which a victim launches an application that calls CreateProcess in an unsafe manner.&nbsp; Similar attack vector as DLL preloading.</span></td> <td><span style="font-size:medium;">Important</span></td> <td>1</td> <td><span style="font-size:medium;">While this is an exploitable vulnerability, we have historically not seen widespread exploitation of this type of vulnerability.</span></td> <td><span style="font-size:medium;">More details about this vulnerability in <a href="http://blogs.technet.com/b/srd/archive/2014/04/08/ms14-019-fixing-a-binary-hijacking-via-cmd-or-bat-file.aspx">this SRD blog</a> post today.</span></td> </tr> </tbody> </table> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <p>- Jonathan Ness, MSRC engineering team</p><div 
style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3626889&AppID=6147&AppType=Weblog&ContentType=0" width="1" height="1">Attack VectorRisk Assessment The April 2014 Security Updateshttp://blogs.technet.com/b/msrc/archive/2014/04/08/the-april-2014-security-updates.aspxTue, 08 Apr 2014 17:00:52 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:22479505-9a1d-485c-90a9-03d8c32b47fcDustin C. Childs0<p><span style="font-size:medium;">T. S. Eliot once said, &ldquo;What we call the beginning is often the end. And to make an end is to make a beginning. The end is where we start from.&rdquo; So as we put one season to bed, let&rsquo;s start another by looking at the </span><a href="http://technet.microsoft.com/security/bulletin/MS14-apr"><span style="color:#0563c1;font-size:medium;">April security updates</span></a><span style="font-size:medium;">. Today, we release four bulletins to address 11 CVEs in Microsoft Windows, Internet Explorer and Microsoft Office. The update for </span><a href="http://technet.microsoft.com/security/bulletin/ms14-017"><span style="color:#0563c1;font-size:medium;">Microsoft Word</span></a><span style="font-size:medium;"> addresses the issues described in </span><a href="http://technet.microsoft.com/security/advisory/2953095"><span style="color:#0563c1;font-size:medium;">Microsoft Security Advisory 2953095</span></a><span style="font-size:medium;">. For those who prioritize, we recommend that this bulletin, as well as the update for Internet Explorer, be at the top of your list.</span></p> <p><span style="font-size:medium;">We would be remiss if we did not mention another end: the end of support for Windows XP and Office 2003. The updates provided by MS14-018 and MS14-019 will be the final security updates for Windows XP; MS14-017 and MS14-020 are the final updates for Office 2003. 
&nbsp;For those who haven&rsquo;t migrated yet, I recommend visiting the </span><a href="http://blogs.technet.com/b/security/archive/2014/03/24/cyber-threats-to-windows-xp-and-guidance-for-small-businesses-and-individual-consumers.aspx"><span style="color:#0563c1;font-size:medium;">Microsoft Security Blog</span></a><span style="font-size:medium;">, where my colleague Tim Rains provides guidance for consumers and small businesses who may have questions about how end of support affects them. Enterprise administrators will also find this a worthwhile read. </span></p> <p><span style="font-size:medium;">Here&rsquo;s an overview of all the updates released this month:</span></p> <p><i><span style="font-size:medium;">Click to enlarge</span></i></p> <p><i><span style="font-size:medium;"><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/deployment.jpg"><img alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/deployment.jpg" border="0" /></a><br /></span></i></p> <p><span style="font-size:medium;">Our top priorities for this month are MS14-018 and MS14-017, which address issues in Internet Explorer and Microsoft Word respectively.</span></p> <p><a href="http://technet.microsoft.com/security/bulletin/ms14-018"><span style="color:#0563c1;font-size:medium;">MS14-018 | Cumulative Update for Internet Explorer</span></a></p> <p><span style="font-size:medium;">This security update resolves six privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. While the issues addressed by this bulletin are very straightforward, I wanted to specifically call your attention to the updates for Internet Explorer 11 on Windows 8.1 and Windows Server 2012 R2. 
For these platforms, the update is not cumulative &ndash; it only addresses the issues described in this bulletin. You also have the option of installing KB2919355, which is a cumulative update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2. In addition to previous updates for these operating systems, it includes enhancements such as improved Internet Explorer 11 compatibility for enterprise applications, usability improvements, extended mobile device management, and improved hardware support. Additionally, for Windows Server 2012 R2, it includes support for clustering configurations for hosters. For more information about this update, see </span><a href="http://support.microsoft.com/kb/2919355"><span style="color:#0563c1;font-size:medium;">Microsoft Knowledge Base Article 2919355</span></a><span style="font-size:medium;">.</span></p> <p><span style="font-size:medium;">Similarly, customers running Internet Explorer 11 on Windows 7 and Windows Server 2008 R2 can also choose a cumulative update: </span><a href="http://support.microsoft.com/kb/2929437"><span style="color:#0563c1;font-size:medium;">KB2929437</span></a><span style="font-size:medium;">. In addition to previous updates for Internet Explorer 11 on these operating systems, it includes enhancements such as improved Internet Explorer 11 compatibility for enterprise applications. If you install this cumulative update, you will not need to install the KB2936068 update offered through MS14-018. There may also be some who overlook the update for Internet Explorer 10. For this version of the browser, the update is a non-security update. The issues addressed by this bulletin do not impact Internet Explorer 10, but the update does include non-security-related changes. 
For more information about the non-security-related fixes that are included in this update, see&nbsp;<a href="http://support.microsoft.com/kb/2936068">Microsoft Knowledge Base Article 2936068</a></span><span style="font-size:medium;">.</span></p> <p><a href="http://technet.microsoft.com/security/bulletin/ms14-017"><span style="color:#0563c1;font-size:medium;">MS14-017 | Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution</span></a></p> <p><span style="font-size:medium;">This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Word. The most severe of these vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Office software. This security update also addresses the vulnerability first described in </span><a href="http://technet.microsoft.com/security/advisory/2953095"><span style="color:#0563c1;font-size:medium;">Microsoft Security Advisory 2953095</span></a><span style="font-size:medium;">. If you have installed the Fix it provided through this advisory, you should remove it once you apply the update to ensure RTF files open correctly. </span></p> <p><span style="font-size:medium;">Finally, we are revising <a href="http://technet.microsoft.com/security/advisory/2755801"><span style="color:#0563c1;">Security Advisory 2755801</span></a> with the latest update for Adobe Flash Player in Internet Explorer. 
The update addresses the vulnerabilities described in Adobe Security Bulletin APSB14-09. For more information about this update, including download links, see Microsoft Knowledge Base Article 2942844.</span></p> <p><span style="font-size:medium;">Watch the bulletin overview video below for a brief summary of today&#39;s releases.</span></p> <p><span style="font-size:medium;"><object width="500" height="281"><param name="movie" value="//www.youtube.com/v/jz55QSOaFbI?version=3&amp;hl=en_US" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed width="500" height="281" src="http://www.youtube.com/v/jz55QSOaFbI?version=3&amp;hl=en_US" type="application/x-shockwave-flash" /></object></span></p> <p><span style="font-size:medium;">For more information about this month&rsquo;s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the <a href="http://technet.microsoft.com/security/bulletin/MS14-apr"><span style="color:#0563c1;">Microsoft Bulletin Summary Web page</span></a>. </span></p> <p><span style="font-size:medium;">William Peteroy and I will host the monthly bulletin webcast, scheduled for Wednesday, April 9, 2014, at 11 a.m. PDT. I invite you to register <a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572978&amp;Culture=en-US"><span style="color:#0563c1;">here</span></a>, and tune in to learn more about this month&rsquo;s security bulletins and advisories. </span></p> <p><span style="font-size:medium;">For all the latest information, you can also follow us at <a href="http://www.twitter.com/msftsecresponse"><span style="color:#0563c1;">@MSFTSecResponse</span></a>. </span></p> <p><span style="font-size:medium;">Please join me in wishing Windows XP and Office 2003 a fond farewell as they head towards the sunset of their lives. 
I look forward to hearing your questions about this month&rsquo;s release in our webcast tomorrow.</span></p> <p><span style="font-size:medium;">Thanks, <br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs"><span style="color:#0563c1;">Dustin Childs</span></a></span><span style="font-size:medium;"> <br /> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</span></p> MSRT April 2014 – Ramdohttp://blogs.technet.com/b/mmpc/archive/2014/04/08/msrt-april-2014-ramdo.aspxTue, 08 Apr 2014 16:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:de99ef72-d34b-4299-8f69-3122f0d8ba9bmsft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/04/08/msrt-april-2014-ramdo.aspx#comments<div class="ExternalClass7ACCDACE2EE447D5AAA088FB98DDF72D"> <p>This month we added <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Ramdo">Win32/Ramdo</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Kilim">Win32/Kilim</a> to the Microsoft Malicious Software Removal Tool. In this blog, we will focus on Ramdo and some of what we have since found out about this relatively new trojan family. Ramdo, a click-fraud bot with built-in antisinkhole and antivirtualization code, was first found in the wild in December 2013.</p> <h3>Telemetry</h3> <p>Compared to other big families, Win32/Ramdo&rsquo;s impact is relatively small in terms of the number of infected machines. However, when one of our customers gets infected with it, the impact is big on that machine: bandwidth and CPU power are exhausted to generate profit for the malware authors, and exploits can be deployed to install additional malware. 
We aim to resolve this problem for our customers by adding this family to the MSRT.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Ramdo1.png"><img width="500" alt="Machine count" src="http://www.microsoft.com/security/portal/blog-images/a/Ramdo1.png" border="0" /></a>&nbsp;</p> <em>Figure 1: Ramdo infected machines during February and March 2014</em><br /> <h3>Infection</h3> <p>Ramdo has been deployed by exploit kits such as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Exploit:HTML/Pangimop.C"> HTML/Pangimop</a> (also known as Magnitude) as well as the <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Vobfus">Vobfus</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Beebone">Beebone</a> families. It is usually installed in the background without being noticed, and immediately copies itself into the <a href="http://www.microsoft.com/security/portal/mmpc/shared/variables.aspx#startupfolder">&lt;startup&gt;</a> folder with one of the following names:</p> <ul> <li><em>EPUHelp.exe</em></li> <li><em>HpM3Util.exe</em></li> </ul> <p>An additional DLL is also created by setting the IMAGE_FILE_DLL flag in the PE file header&rsquo;s characteristics. It is then dropped to one of the following paths:</p> <ul> <li><em> <a href="http://www.microsoft.com/security/portal/mmpc/shared/variables.aspx#appdata">%AppData%</a>\version.dll</em></li> <li><em> <a href="http://www.microsoft.com/security/portal/mmpc/shared/variables.aspx#appdata">%AppData%</a>\Adobe\acupx217.dll</em></li> </ul> <p>The DLL is encrypted with the <em>EncryptFileW </em>API and is injected into a newly created system process (<em>services.exe </em>or <em>taskhost.exe</em>) as the trojan&rsquo;s payload.</p> <h3>Payload</h3> <p>Ramdo stores its configuration data in the registry, encrypted with RC4. 
Depending on the variant, one of the following registry values is used to store configuration related to the command and control (C&amp;C) component (for example, the bot version, or the seed used to generate the&nbsp;C&amp;C domain):</p> <ul> <li><em>HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM\tLast_ReadedSpec</em></li> <li><em>HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM\iTestPropulsion</em></li> </ul> <p>Also depending on the variant, one of the&nbsp;following values is used to store configuration related to click-fraud (for example, the click interval, which websites to click, or the user-agent string):</p> <ul> <li> <div><em>HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM\tLastCollab_doc</em></div> </li> <li> <div><em>HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM\iTestShears</em></div> </li> </ul> <p>The RC4 key used to decrypt both the data received from the C&amp;C and the configuration stored in the registry is generated in this way:</p> <ul> <li> <div><em>ReadRegStringValue(&ldquo;HKLM\Software\Microsoft\Cryptography\MachineGuid&rdquo;) + &ldquo;iU&rdquo;</em></div> </li> </ul> <p>The key is sent to the C&amp;C along with the&nbsp;following information about the infected PC in the initial phone-home request:</p> <ul> <li>Operating system version.</li> <li>Whether the machine is running in a virtualization environment (Hyper-V, VMware, VirtualBox).</li> <li>The installed Flash Player version.</li> <li>The number of processors.</li> <li>The RC4 key used to decrypt the response.</li> </ul> <p>The request sent to the C&amp;C is encrypted with a separate embedded public key (it can be imported with the CryptImportKey API).&nbsp; A recent example extracted (base64 encoded) is:</p> <ul> <li><em>BgIAAACkAABSU0ExAAQAAAEAAQDJ9Nl4XvlyD9PmguEaeUt2auCZm2994FcdY2aCGMuYvc71sqLkOyf3Q1Cp4q/s3CXgXr5ifomWiF4D22eWsEPqoI1RyZ8LwYaCVD11WrwtoST4BPwMPARLvNJGvAKzcXpn1adDvprXsfGW1r3YeKPw6KZLPdCfvLBl3U9xTJ8lrg==</em></li> </ul> <p>The C&amp;C domain is generated by a Domain Generation Algorithm (DGA) that avoids 
storing the C&amp;C domain as plain text. However, unlike other DGAs that use the date/time as a seed, Ramdo uses a fixed seed value that is initially embedded in the executable but can be updated by the C&amp;C server later. The DGA can be written in C# like this:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Ramdo2.png"><img width="500" alt="DGA" src="http://www.microsoft.com/security/portal/blog-images/a/Ramdo2.png" border="0" /></a>&nbsp;</p> <em>Figure 2: Ramdo uses a DGA to generate the C&amp;C domain</em> <p>With this code, the seed value <em>0x90002B44C </em>generates the domain <em>ceigqweqwaywiqgu.org.</em></p> <h3>Click-fraud</h3> <p>To do click-fraud, Win32/Ramdo starts one or more new instances of one of the following system processes:</p> <ul> <li> <div><em>iexplore.exe</em></div> </li> <li> <div><em>twunk_32.exe</em></div> </li> <li> <div><em>winhlp32.exe</em></div> </li> </ul> <p>It injects the payload DLL there to start hidden clicks. The click websites are first returned from the C&amp;C and then stored in the registry as mentioned above.&nbsp; After RC4 decryption, the configuration may look like this:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Ramdo3.png"><img style="width:1200px;height:22px;" alt="RC4" src="http://www.microsoft.com/security/portal/blog-images/a/Ramdo3.png" border="0" /></a>&nbsp;</p> <em>Figure 3: The click websites&nbsp;stored in the registry after RC4 decryption - where <em>searchliiter.com </em>and <em>searchwander.com </em>are the websites to start clicking with</em><br /> <p>Like many click-fraud bots, Ramdo creates a WebBrowser control with CLSID {8856f961-340a-11d0-a96b-00c04fd705a2}, parses the HTML content retrieved, and follows the hrefs found in the document to simulate human clicks. 
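A decoder for the registry configuration described above, added here as an example (it is not code from the MMPC post or from Ramdo itself): it derives the RC4 key the way the post describes (MachineGuid + "iU") and decrypts a blob taken from one of the registry values listed, giving an analyst the plaintext click list of Figure 3. The MachineGuid and the configuration bytes are constructed for the demonstration, and the single-byte (ANSI) encoding of the key string is an assumption.

```python
"""Decrypt Ramdo's RC4-protected registry configuration (added example)."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so this both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def ramdo_rc4_key(machine_guid: str) -> bytes:
    """Key derivation as the post describes: the MachineGuid registry string + "iU".
    Assumption: the bot uses the single-byte ANSI form of the string."""
    return (machine_guid + "iU").encode("ascii")


def decrypt_config(machine_guid: str, blob: bytes) -> bytes:
    """Decrypt a blob read from one of the configuration registry values."""
    return rc4(ramdo_rc4_key(machine_guid), blob)


def looks_like_click_config(plaintext: bytes) -> bool:
    """Sanity check for the analyst: the right key yields printable text containing domains;
    a wrong MachineGuid (e.g. a blob copied from another machine) yields garbage."""
    try:
        text = plaintext.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.isprintable() and "." in text


# Constructed sample values (not from a real infection): a MachineGuid-shaped string and a
# click list modelled on Figure 3, encrypted with the derived key to stand in for a registry dump.
SAMPLE_GUID = "12345678-90ab-cdef-1234-567890abcdef"
SAMPLE_CONFIG = b"searchliiter.com|searchwander.com"
SAMPLE_BLOB = rc4(ramdo_rc4_key(SAMPLE_GUID), SAMPLE_CONFIG)


if __name__ == "__main__":
    recovered = decrypt_config(SAMPLE_GUID, SAMPLE_BLOB)
    print("key:", ramdo_rc4_key(SAMPLE_GUID).decode())
    print("plaintext:", recovered.decode(), "plausible:", looks_like_click_config(recovered))
```

On a live system the MachineGuid comes from HKLM\Software\Microsoft\Cryptography\MachineGuid and the blob from the registry values listed above; the decryption only succeeds with the GUID of the machine the bot ran on.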
The exception for Ramdo is that it will skip an href if it contains any of the following strings:</p> <ul> <li><em>.pdf</em></li> <li><em>.xml</em></li> <li><em>/contact</em></li> <li><em>/faq</em></li> <li><em>/feed</em></li> <li><em>/flagcontent</em></li> <li><em>/forgotpassword</em></li> <li><em>/login</em></li> <li><em>/password</em></li> <li><em>/register</em></li> <li><em>/rss</em></li> <li><em>/terms</em></li> <li><em>/tweet</em></li> <li><em>action=embed-flash</em></li> <li><em>javascript:</em></li> <li><em>mailto:</em></li> <li><em>registration</em></li> </ul> <p>It makes sense that Ramdo avoids clicking links containing these strings, as they are unlikely to be advertisements and can be very noisy. The clicks are all done in the background, to make sure users won&rsquo;t notice them.</p> <p>Ramdo also hooks the following APIs:</p> <ul> <li> <div><em>CoCreateInstance</em></div> </li> <li> <div><em>DialogBoxIndirectParamAorW</em></div> </li> <li> <div><em>waveOutOpen</em></div> </li> <li> <div><em>waveOutSetVolume</em></div> </li> </ul> <p>It also disables sounds, pop-up dialog/message boxes, and file download dialogs by changing their behaviors inside the click process.</p> <p>When loaded in a web browser, one of the clicked websites can look like this:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Ramdo4.png"><img width="500" alt="sponsored links" src="http://www.microsoft.com/security/portal/blog-images/a/Ramdo4.png" border="0" /></a>&nbsp;</p> <em>Figure 4: An example of a web page showing the &quot;sponsored links&quot; clicked by Ramdo</em> <p>It is also interesting to note that the traffic was sold to exploit kit owners, and one of the clicks was redirected to <em>sketch.texture.victimizedppxv.org/praising.php</em>, which loaded exploits targeting Adobe Flash Player.</p> <h3>Antisecurity measures</h3> <p>Ramdo&rsquo;s authors put in a lot of effort to&nbsp;make analysis more difficult. 
As well as common tricks like dynamically resolving APIs and decrypting strings to make reverse engineering harder, Ramdo also checks if it&rsquo;s running under a&nbsp;virtualization guest OS and sends that information to the C&amp;C. If virtualization is detected, the bot does not exit immediately; instead, the C&amp;C server responds with error 404 or 502.&nbsp;The bot keeps running, so to an analyst it looks like the C&amp;C is simply unavailable, although nothing is wrong on the bot side.</p> <p>Another trick the authors included is that the trojan tries to detect whether the C&amp;C servers have been sinkholed or redirected. Look at this function:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Ramdo5.png"><img width="500" alt="Check C&amp;C" src="http://www.microsoft.com/security/portal/blog-images/a/Ramdo5.png" border="0" /></a>&nbsp;</p> <em>Figure 5: Ramdo tries to detect whether&nbsp;its C&amp;C servers have been sinkholed or redirected</em> <p>It&rsquo;s called right before sending a request to the C&amp;C server. The &quot;Cnc&quot; parameter contains the DGA-generated domain; it is first resolved to an IP address, and then Ramdo calls <em>gethostbyaddr </em>to do a reverse DNS lookup on the resolved IP to get the actual host name. It checks for one of these strings:</p> <ul> <li><em>sinkhole</em></li> <li><em>malware</em></li> <li><em>suspended</em></li> </ul> <p>If the host name contains one of these strings, the request will not be sent to the C&amp;C, in an attempt to avoid server-side analysis. We can only assume the author expects Ramdo to survive a takedown with this method.</p> <h3>Final words</h3> <p>Ramdo has simple functionality but many techniques that make analysis harder. Despite the efforts of the malware author to avoid detection, the MSRT is ready to clean it up. 
As usual, the best protection from this and other malware and potentially unwanted software is an up-to-date, real-time security product, such as <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download">Microsoft Security Essentials</a>.</p> <p><em>Shawn Wang</em><br /><em>MMPC</em></p> </div> Adrienne’s View: Cloud security benefits belie pre-deployment doubtshttp://blogs.technet.com/b/trustworthycomputing/archive/2014/04/07/adrienne-s-view-cloud-security-benefits-belie-pre-deployment-doubts.aspxMon, 07 Apr 2014 20:46:48 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:25b2feb6-24fe-47b1-9dee-8d065f7dca96Trusted Cloud Team0<p><strong>By Adrienne Hall, General Manager, Trustworthy Computing</strong></p> <p>Cloud security is often better than customers expect it to be. I&rsquo;ve blogged about that trend before, including the <a target="_blank" href="/b/trustworthycomputing/archive/2013/06/11/cloud-trust-study-security-privacy-and-reliability-benefits-for-smbs-in-the-u-s.aspx">Cloud Trust Study</a> (commissioned by Microsoft and conducted by comScore) showing high percentages of small to mid-sized businesses (SMBs) seeing improved security after moving to the cloud.</p> <p>Two recent studies add further evidence that security apprehensions persist -- but prove unwarranted for many cloud customers after rolling out the cloud service.&nbsp; <a target="_blank" href="/b/trustworthycomputing/archive/2014/04/07/adrienne-s-view-cloud-security-benefits-belie-pre-deployment-doubts.aspx">See more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/04/07/adrienne-s-view-cloud-security-benefits-belie-pre-deployment-doubts.aspx">read more</a>) 
Adware: A new approachhttp://blogs.technet.com/b/mmpc/archive/2014/04/03/adware-a-new-approach.aspxThu, 03 Apr 2014 20:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:e398809b-8c90-42bd-ae70-38c714970c05msft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/04/03/adware-a-new-approach.aspx#comments<div class="ExternalClassD02F60C1F6694AA4B3BC037B0EF737CC"> <p>Here at the Microsoft Malware Protection Center (MMPC) we understand advertising is part of the modern computing experience. However, we want to give our customers choice and control regarding what happens with their computers. To that end we have recently made some changes to both the criteria we use to classify a program as adware and how we remediate it when we find it. This blog will help explain the new criteria and how they affect some programs.</p> <p>Our updated <a href="http://www.microsoft.com/security/portal/mmpc/shared/objectivecriteria.aspx">objective criteria</a> also explain how advertising software can provide users with&nbsp;choice and control. Programs that do not follow these rules will be detected as adware and immediately removed from the user&rsquo;s machine:</p> <blockquote> <p><em>Programs that promote a product or service outside of their own program can interfere with your computing experience. 
You should have clear choice and control when installing programs that open advertisements.</em></p> <p><em>The advertisements that are opened by these programs must:</em></p> <ul> <li> <div><em>Include an obvious way to close the ad.</em></div> </li> <li> <div><em>Include the name of the program that created the ad.</em></div> </li> </ul> <p><em>The program that creates these advertisements must:</em></p> <ul> <li> <div><em>Provide a standard uninstall method for the program using the same name as shown in the ads it produces.</em></div> </li> </ul> </blockquote> <p>It is important that both developers and our customers understand these criteria. I will look at each of the points individually. But first, let&rsquo;s look at which programs can qualify as adware.</p> <h2>What can be classified as adware</h2> <p>We only consider classifying a program as adware if it runs on the user&rsquo;s machine and produces notifications promoting goods or services in programs other than itself. If the program shows advertisements within its own borders it will not be assessed any further.</p> <p>Many programs use advertising as a form of payment for the program, and that is also an acceptable practice. We are more concerned with advertising that interferes with our customers&rsquo; Windows experience without giving them choice and control over it. To that end, programs that produce notifications promoting goods and services in programs other than themselves must adhere to the following rules:</p> <h3>A method to close the ad</h3> <p>As part of the advertisement there must be a method to close the ad. This must be a clear and obvious method. 
Suggested methods are an &lsquo;X&rsquo; or the word &lsquo;close&rsquo; in the corner of the ad.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/adware1.png"><img width="500" alt="Visible ads" src="http://www.microsoft.com/security/portal/blog-images/a/adware1.png" border="0" /></a>&nbsp;</p> <p><em>Figure 1: Our new objective criteria states that the ads must have a visible close button</em></p> <p>If you are going to have a group of ads, it is acceptable to have a single close button as long as the ads are clearly grouped together. If the ads are not grouped each ad will need its own close button. Some of the better groupings we have seen are lines around all of the ads or a different colour background for the ads.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/adware2.png"><img width="500" alt="Single close" src="http://www.microsoft.com/security/portal/blog-images/a/adware2.png" border="0" /></a>&nbsp;</p> <p><em>Figure 2: A single close button is acceptable for ads that are clearly grouped</em></p> <p>In the case of pop-up advertisements, a working close button on the window is acceptable.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/adware3.png"><img width="500" alt="Window close" src="http://www.microsoft.com/security/portal/blog-images/a/adware3.png" border="0" /></a>&nbsp;</p> <p><em>Figure 3: Pop-up ads must have a working window close button </em></p> <h3>The name of the program that is creating the ad</h3> <p>It is important for the user to know that these ads are being shown by a specific program and would not be there if it was not for this program. To tell the user that your program is making the ads, you need to make it clearly known in the advertisement. 
For example, some of the clearer ways that we see this done are phrases like &ldquo;Ads by &hellip;&rdquo;, &ldquo;&hellip; ads&rdquo;, &ldquo;Powered by &hellip;&rdquo;, &ldquo;This ad served &hellip;&rdquo;, or &ldquo;This ad is from &hellip;&rdquo;.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/adware4.png"><img width="500" alt="Ad identification" src="http://www.microsoft.com/security/portal/blog-images/a/adware4.png" border="0" /></a>&nbsp;</p> <p><em>Figure 4: Our new objective criteria states that the ads must clearly mention which program is producing the ads</em></p> <p>These methods all meet our updated objective criteria by clearly informing users which program is showing the ads. Using abbreviations or company logos alone are not considered clear enough. Also, only using &ldquo;Ads not by this site&rdquo; does not meet our criteria, because the user does not know which program created the ad.</p> <h3>A way to uninstall the program that is making the ads</h3> <p>The final part of giving a user choice and control is giving them a way to uninstall the program that is making the ads. For example, candidate programs that produce independent promotion notifications or promotion notifications in Internet Explorer must have an uninstall entry in the Windows control panel. It is very important that the name of the program in the uninstall entry exactly matches the name shown in the advertisement.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/adware5.png"><img width="500" alt="uninstall entry" src="http://www.microsoft.com/security/portal/blog-images/a/adware5.png" border="0" /></a>&nbsp;</p> <p><em>Figure 5: There must be an uninstall entry for the program producing the ads and the name in the entry must match that on the ads</em></p> <p>We know that for some browsers extensions are only removable through the browser&rsquo;s own controls. 
This is considered a standard uninstall method and meets our objective criteria as long as the name still matches the name in the ad.</p> <h2>What happens to detected adware</h2> <p>Currently, when our security products detect a program as adware they alert the user and offer them a recommended action. If they don&rsquo;t respond, the security product will let the program run until the user makes a decision.&nbsp;</p> <p>With our updated objective criteria, this is going to change. Now, when one of our products detects adware it will immediately stop the program and the user will be notified. The user then has the ability to restore the program if they wish.</p> <h2>When is this going to happen?</h2> <p>Changes to our objective criteria for classifying adware will come into effect on July 1, 2014. This gives developers three months to comply with the new rules. </p> <p>We have already started reassessing our current adware detections against these new criteria. If your program is still being detected as adware but meets the new criteria you can let us know through the <a href="http://www.microsoft.com/security/portal/mmpc/vendor/resources.aspx">Developer Contact form</a>. </p> <p>We are very excited by all of these changes. 
We believe that it will make it easy for software developers to utilize advertising while at the same time empowering users to control their experience.</p> <p><em>Michael Johnson</em><br /><em>MMPC</em></p> </div> Get advance notice about April 2014 security updateshttp://blogs.msdn.com/b/securitytipstalk/archive/2014/04/03/get-advance-notice-about-april-2014-security-updates.aspxThu, 03 Apr 2014 17:06:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10509549Eve Blakemore2http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10509549http://blogs.msdn.com/b/securitytipstalk/archive/2014/04/03/get-advance-notice-about-april-2014-security-updates.aspx#comments<p>Today, the Microsoft Security Response Center (MSRC) posted&nbsp;details&nbsp;about the&nbsp;<a href="http://technet.microsoft.com/en-us/security/bulletin/ms14-apr">April security updates</a>.</p> <p>If you have automatic updating turned on, most of these updates will download and install on their own. Sometimes you may need to provide input for Windows Update during an installation. In this case, you'll see an alert in the notification area at the far right of the taskbar&mdash;be sure to click it.</p> <p>In Windows 8, Windows will turn on automatic updating during setup unless you choose to turn it off. 
To check this setting and turn on automatic updating, open the <a href="http://windows.microsoft.com/en-us/windows-8/charms" target="_blank"><strong>Search charm</strong></a>, enter <strong>Turn automatic updating on or off</strong>, and tap or click <strong>Settings</strong> to find it.&nbsp;</p> <p><a href="http://windows.microsoft.com/en-us/windows7/install-windows-updates">Learn how to install Windows Updates in Windows 7</a>.</p> <p><strong>Note:</strong> Support for Windows XP ends next week on April 8, 2014.&nbsp;As a result, technical assistance for Windows&nbsp;XP will no longer be available, including automatic updates that help protect your PC. Microsoft will also stop providing&nbsp;<a href="http://windows.microsoft.com/en-us/windows/security-essentials-download"><strong>Microsoft Security Essentials</strong></a>&nbsp;for download on Windows&nbsp;XP on this date. (If you already have Microsoft Security Essentials installed, you will continue to receive antimalware signature updates for a limited time, but this does not mean that your PC will be secure because Microsoft will no longer provide security updates to help protect it.) <a href="http://windows.microsoft.com/en-us/windows/end-support-help">Learn how to help stay protected</a>.</p> <p><strong>If you are a technical professional</strong></p> <p>The&nbsp;<a href="http://www.microsoft.com/technet/security/Bulletin/advance.mspx">Microsoft Security Bulletin Advance Notification Service</a>&nbsp;offers details about security updates approximately three business days before they are released. 
We do this to enable customers (especially IT professionals) to plan for effective deployment of security updates.</p> <p><a title="Sign up for security notifications" href="http://technet.microsoft.com/en-us/security/dd252948">Sign up for security notifications</a></p> Advance Notification Service for the April 2014 Security Bulletin Releasehttp://blogs.technet.com/b/msrc/archive/2014/04/03/advance-notification-service-for-the-april-2014-security-bulletin-release.aspxThu, 03 Apr 2014 17:00:22 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:4255d489-07db-4fa8-a763-7c54d18d8a56Dustin C. Childs0<p><span style="font-size:medium;">Today we provide </span><a href="http://technet.microsoft.com/security/bulletin/MS14-apr"><span style="color:#0563c1;font-size:medium;">advance notification</span></a><span style="font-size:medium;"> for the release of four bulletins, two rated Critical and two rated Important in severity. These updates address issues in Microsoft Windows, Office and Internet Explorer.</span></p> <p><span style="font-size:medium;">The update provided through MS14-017 fully addresses the Microsoft Word issue first described in </span><a href="http://technet.microsoft.com/security/advisory/2953095"><span style="color:#0563c1;font-size:medium;">Security Advisory 2953095</span></a><span style="font-size:medium;">. This advisory also included a </span><a href="https://support.microsoft.com/kb/2953095"><span style="color:#0563c1;font-size:medium;">Fix it</span></a><span style="font-size:medium;"> to disable opening rich-text format (RTF) files within Microsoft Word. Once the security update is applied, you should disable the Fix it to ensure RTF files will again render normally. At this time, we are still only aware of limited, targeted attacks directed at Microsoft Word 2010. 
The update will fully address all affected versions.</span></p> <p><span style="font-size:medium;">This Tuesday&rsquo;s release will offer the last security updates made available for Windows XP and Office 2003. Both of these products go out of support on April 8, 2014. If you are unsure about the impact this may have on your environment, I recommend you read the recent </span><a href="http://blogs.technet.com/b/security/archive/2014/03/24/cyber-threats-to-windows-xp-and-guidance-for-small-businesses-and-individual-consumers.aspx"><span style="color:#0563c1;font-size:medium;">blog</span></a><span style="font-size:medium;"> from Trustworthy Computing&rsquo;s Tim Rains, which discusses some of the threats to Windows XP and provides guidance for small businesses and consumers.</span></p> <p><span style="font-size:medium;">As per our usual process, we&rsquo;ve scheduled the security bulletin release for the second Tuesday of the month, April 8, 2014, at approximately 10:00 a.m. PDT. Revisit this blog then for analysis of the risk and impact, as well as deployment guidance, together with a brief video overview of the month&rsquo;s updates. 
Until then, please review the <a title="ANS summary page" href="http://technet.microsoft.com/security/bulletin/MS14-apr"><span style="color:#0563c1;">ANS summary page</span></a> for more information to help you prepare for security bulletin testing and deployment.</span></p> <p><span style="font-size:medium;">Finally, you can stay on top of the MSRC team&rsquo;s recent activities by following us on Twitter at <a title="@MSFTSecResponse" href="https://twitter.com/msftsecresponse"><span style="color:#0563c1;">@MSFTSecResponse</span></a>.&nbsp;</span></p> <p><span style="font-size:medium;">Thank you,<br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs"><span style="color:#0563c1;">Dustin Childs</span></a></span><br /><span style="font-size:medium;"> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</span></p> Innovation Isn’t Just for the Young, it’s for Everyone, European Leader Sayshttp://blogs.msdn.com/b/accessibility/archive/2014/04/03/innovation-isnt-just-for-the-young.aspxThu, 03 Apr 2014 16:04:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10514207Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10514207http://blogs.msdn.com/b/accessibility/archive/2014/04/03/innovation-isnt-just-for-the-young.aspx#commentsThe following blog post was written by Paul Nyhan, a staff writer with the Microsoft Accessibility Blog. Paul is a 20-year journalism veteran who has written extensively about disability issues. 
----- What if we viewed older generations as an opportunity...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/04/03/innovation-isnt-just-for-the-young.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10514207" width="1" height="1"> The Next Leap Forward in Cyber Defense: Taking Action to Help Defeat Adversarieshttp://blogs.technet.com/b/msrc/archive/2014/04/02/the-next-leap-forward-in-cyber-defense-taking-action-to-help-defeat-adversaries.aspxWed, 02 Apr 2014 16:01:31 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:2b5197d0-d8ae-4e11-a48f-112c0b42c54aChris Betz0<p>It is often said that attackers have an advantage, because the defenders have to protect every part of their systems all the time, while the attacker only has to find one way in.</p> <p>This argument oversimplifies the security landscape and the real strength that defenders can achieve if they work together. While it&rsquo;s true that it is difficult to defend against an adversary that targets a single victim, this isn&rsquo;t the way most malicious actors work. It is easier and cheaper for malicious actors to reuse techniques, infrastructure and tools. Most malicious actors build capabilities that work across many targets and modify and reuse them.</p> <p>This is where the industry has the most opportunity to evolve. Industry collaboration and information sharing is part of the solution, but the real key is finding a way to coordinate <i>action</i>. When an attack targeting dozens, hundreds, or thousands of systems occurs, identifying a similar aspect of that attack can begin to unravel it everywhere. The fact that attackers use the same or similar methodologies in many places can actually put them at a disadvantage.</p> <p>Think of how different animals in the wild respond to attacks. Some respond as individuals and scatter in all directions. This allows predators to focus their attack on an individual and give chase. 
Yet this same attack unravels against animals that respond by forming a circle and standing their ground as a group. As long as they stick together, the predators are at a disadvantage &ndash; unable to separate and run down an individual.</p> <p>This kind of coordinated defense, and more crucially action, is the key to our industry taking the next big leap in the fight against cyber-attacks. It&rsquo;s not enough to share threat indicators such as YARA signatures, IP addresses and malware hashes. What we really want to do is move defenders to take action that defends them and undermines an adversary&rsquo;s attack. As an industry, we have to come together and decide on a set of standards or principles by which we&rsquo;re going to not just share information, but use it.</p> <p>So why hasn&rsquo;t the industry moved towards actionable information sharing? In my opinion, we need to advance the current class of information sharing tools, processes, and technologies. Think of the Traffic Light Protocol. TLP tells us how sensitive the information is, and whether we can share it. What it doesn&rsquo;t say is whether it&rsquo;s OK to incorporate an IP address into a network defense system, or to ping the address, or to try and have the address taken down.</p> <p>As an industry, we must work to design and adopt technologies and programs that facilitate a two-way conversation and enable actionable information sharing. This should be the start of partnerships, not where things end. Our tools can no longer just be streams of after-the-fact data that flow from one place to another in varied forms and formats. Appropriate action needs to be part of the dialog, and part of us working together.</p> <p>Part of this transformation is happening today at <a href="http://technet.microsoft.com/en-us/security/dn467918"><span style="color:#0000ff;">Microsoft with our Microsoft Active Protections Program (MAPP)</span></a>. 
While MAPP initially started as an information-sharing effort amongst security vendors, it&rsquo;s moving to a place where it provides a set of guidance for defenders to protect themselves. To truly evolve to the next level, it will mean shifting from sharing information one way to taking coordinated action. The Microsoft Malware Protection Center (MMPC) has recently talked about the concept and called for a coordinated malware eradication approach at this <a href="http://blogs.technet.com/b/mmpc/archive/2014/01/27/industry-needs-to-work-together-to-eradicate-malware.aspx"><span style="color:#0000ff;">blog post</span></a>.</p> <p>When we get to that point, it won&rsquo;t just be security vendors who are working to keep everyone safe. It will be the networks, the service providers, the government entities, the retailers, the banks, all enterprises of the world pulling together and sharing actionable threat information necessary for defeating the adversaries &mdash; consistently and permanently.</p> <p>This will take a greater degree of trust than just information sharing. 
But to take that next big leap in enhancing our defense against cyber-attacks, it&rsquo;s where we must begin.</p> <p><a href="http://blogs.technet.com/b/msrc/about.aspx#Chris_Betz"><span style="color:#0000ff;">Chris Betz<br /></span></a>Senior Director<br />Microsoft Security Response Center (MSRC)</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3626463&AppID=4571&AppType=Weblog&ContentType=0" width="1" height="1">Announcementsrisk assessmentMicrosoft Active Protections Program (MAPP) Three New Samsung Smartphone Accessories Show the Universal Appeal of Accessibilityhttp://blogs.msdn.com/b/accessibility/archive/2014/04/01/three-new-samsung-smartphone-accessories-show-the-universal-appeal-of-accessibility.aspxWed, 02 Apr 2014 06:07:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10512970Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10512970http://blogs.msdn.com/b/accessibility/archive/2014/04/01/three-new-samsung-smartphone-accessories-show-the-universal-appeal-of-accessibility.aspx#commentsAccessibility is increasingly a mainstream issue, as companies, developers and consumers recognize that accessibility is about giving all people, including people with disabilities, new tools and ways to interact with the world. Samsung is one of the...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/04/01/three-new-samsung-smartphone-accessories-show-the-universal-appeal-of-accessibility.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10512970" width="1" height="1"> April Fools! 
The most popular pranks cybercriminals use to steal your moneyhttp://blogs.msdn.com/b/securitytipstalk/archive/2014/04/01/april-fools-the-most-popular-pranks-cybercriminals-use-to-steal-your-money.aspxTue, 01 Apr 2014 16:31:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10512472Eve Blakemore5http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10512472http://blogs.msdn.com/b/securitytipstalk/archive/2014/04/01/april-fools-the-most-popular-pranks-cybercriminals-use-to-steal-your-money.aspx#comments<p>To celebrate April Fool&rsquo;s Day, read about the email, web, social networking, and phone scams that we hear about most often.</p> <p><strong>Scams that use the Microsoft name or names of other well-known companies.</strong>&nbsp;These scams include fake email messages or websites that use the Microsoft name. The email message might claim that you have won a Microsoft contest, that Microsoft needs your logon information or password, or that a Microsoft representative is contacting you to help you with your computer. (These&nbsp;<a href="http://www.microsoft.com/security/online-privacy/avoid-phone-scams.aspx">fake tech-support scams are often delivered by phone</a>.) For more information, see&nbsp;<a href="http://www.microsoft.com/security/online-privacy/msname.aspx">Avoid scams that use the Microsoft name fraudulently</a>.</p> <p><strong>Rogue security software scams.</strong>&nbsp;Rogue security software, also known as "scareware," is software that appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure you into participating in fraudulent transactions. These scams can appear in email, online advertisements, your social networking site, search engine results, or even in pop-up windows on your computer that might appear to be part of your operating system, but are not. 
For more information, see&nbsp;<a href="http://www.microsoft.com/security/pc-security/antivirus-rogue.aspx">Watch out for fake virus alerts</a>.</p> <p><strong>Ransomware scams.</strong> If you see a pop-up window, webpage, or email message warning you that your computer has been locked because of possible illegal activities, you might be a victim of a criminal extortion scam called&nbsp;<a href="http://www.microsoft.com/security/resources/ransomware-whatis.aspx">ransomware</a>. Ransomware often masquerades as an official-looking warning from a well-known law enforcement agency, such as the US Federal Bureau of Investigation (FBI). For more information, see <a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/03/18/help-someone-is-holding-my-computer-hostage.aspx">Help! Someone is holding my computer hostage</a>.</p> <p><strong>Browser hijacking</strong>. <a href="http://www.microsoft.com/security/resources/hijacking-whatis.aspx">Browser hijacking</a>&nbsp;is a type of online fraud. Scammers use malicious software to take control of your computer's Internet browser and change how and what it displays when you're surfing the web. Many browser hijackings come from add-on software, also known as browser extensions, browser helper objects, or toolbars. Pay attentions to Internet Explorer warnings when you download software and learn the signs of <a href="http://www.microsoft.com/security/online-privacy/trusted-sites.aspx">trusted websites</a>. 
For more information, see <a href="http://www.microsoft.com/security/pc-security/browser-hijacking.aspx">Fix your hijacked web browser</a>.</p> <h1>Resources to help you avoid scams</h1> <ul> <li><a href="http://www.microsoft.com/security/online-privacy/phishing-scams.aspx">Email and web scams: How to help protect yourself</a></li> <li><a href="http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx">How to recognize phishing email messages, links, or phone calls</a></li> <li><a href="http://www.microsoft.com/security/online-privacy/cybersquatting.aspx">Protect yourself from cybersquatting and fake web addresses</a></li> </ul><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10512472" width="1" height="1">fraude-mailemail scams Creating an intelligent “sandbox” for coordinated malware eradication http://blogs.technet.com/b/trustworthycomputing/archive/2014/03/31/creating-an-intelligent-sandbox-for-coordinated-malware-eradication.aspxMon, 31 Mar 2014 21:37:19 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:f85b52db-83c0-4255-90d4-994538aab60fTrusted Cloud Team0<p><strong>By TwC Staff</strong></p> <p>Antimalware companies have for some time used machine learning and big data analysis to detect and disrupt malware. 
But to move from disruption to eradication, the antimalware ecosystem must work with new types of partners in different ways.&nbsp; <a target="_blank" href="/b/trustworthycomputing/archive/2014/03/31/creating-an-intelligent-sandbox-for-coordinated-malware-eradication.aspx">Read more &gt;&gt; </a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/03/31/creating-an-intelligent-sandbox-for-coordinated-malware-eradication.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3626347&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">Cloudcyber threatsTrustBig DataITTechnologyCollective DefenseSecuritycyber securityTrustworthy ComputingMicrosoftDataexploitssecurity communityIT Pros United States’ Malware Infection Rate More than Doubles in the First Half of 2013http://blogs.technet.com/b/security/archive/2014/03/31/united-states-malware-infection-rate-more-than-doubles-in-the-first-half-of-2013.aspxMon, 31 Mar 2014 20:47:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:53fbb6f3-ba5e-457a-8f4e-b30f30c36ed2Tim Rains - Microsoft0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3626105http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3626105http://blogs.technet.com/b/security/archive/2014/03/31/united-states-malware-infection-rate-more-than-doubles-in-the-first-half-of-2013.aspx#comments<p>New data in the Microsoft Security Intelligence Report volume 15 indicates that the malware infection rate of the United States increased precipitously between the fourth quarter of 2012 and the first quarter of 2013.&nbsp; The <a href="http://www.microsoft.com/security/pc-security/malware-removal.aspx">Malicious Software Removal Tool </a>(MSRT) cleaned malware on 8.0 of every 1,000 computers scanned (<a href="http://www.microsoft.com/security/sir/glossary.aspx#C">Computers Cleaned per Mille or CCM</a>) in the US in the second quarter of 2013, compared to the worldwide average of 5.8 in the same quarter. 
This was more than double the fourth-quarter 2012 infection rate of 3.3, as illustrated in Figures 1 and 2. With the exception of the third quarter of 2011, the US has enjoyed infection rates consistently below the worldwide average.&nbsp; The infection rate in the fourth quarter of 2012 was one of the lowest recorded CCMs for the US in the history of the Microsoft Security Intelligence Report.<br /><br />The percentage of systems that encountered threats in the US during this period increased only slightly from 13.4 percent in the fourth quarter of 2012 to 14.1 percent in the first quarter of 2013. This is well below the worldwide average encounter rate of 17.8 percent in the first quarter of 2013. The encounter rate in the US decreased in the second quarter of 2013 to 11.5 percent, despite the malware infection rate remaining relatively high. <a href="/b/security/archive/2014/03/31/united-states-malware-infection-rate-more-than-doubles-in-the-first-half-of-2013.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/03/31/united-states-malware-infection-rate-more-than-doubles-in-the-first-half-of-2013.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3626105&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">United States Threat Landscape Creating an intelligent “sandbox” for coordinated malware eradication http://blogs.technet.com/b/mmpc/archive/2014/03/31/creating-an-intelligent-sandbox-for-coordinated-malware-eradication.aspxMon, 31 Mar 2014 18:30:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:cc90eae5-5a94-4903-bcb6-0d4c7ee237c3msft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/03/31/creating-an-intelligent-sandbox-for-coordinated-malware-eradication.aspx#comments<div class="ExternalClass99780ECCB68845069A8B4F80B91098D3"> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21">Hello from China where I am presenting on coordinated malware eradication at the <a 
href="http://www.pitci.com/2014/engs/index.html">2014 PC Security Labs Information Security Conference</a>.</p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21">Coordinated malware eradication was also the topic of <a href="http://blogs.technet.com/b/mmpc/archive/2014/01/27/industry-needs-to-work-together-to-eradicate-malware.aspx">my last blog</a>. I said the antimalware ecosystem must begin to work with new types of partners if we are going to move from the current state of uncoordinated malware <em>disruption</em> to a state of coordinated malware <em>eradication</em>. Since then we&rsquo;ve been talking about these ideas at conferences around the world, including the recent RSA Conference in San Francisco, the Digital Crimes Consortium in Singapore, and the APCERT AGM &amp; Conference in Taipei. The level of engagement across the antimalware ecosystem has been high. Security and antivirus (AV) vendors, service providers, Computer Emergency Response Teams (CERTs), anti-fraud departments, and law enforcement have all joined the conversation, asking the essential questions about governance, communication channels, and benefits.</p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21">The overall theme of these discussions has been how we can take the information we have and correlate it in new ways - a topic that lends itself to machine learning and big data analysis in the cloud. I believe this can be the most effective way to accelerate our malware eradication efforts. This raises the next question: how do we create an intelligent &ldquo;sandbox&rdquo; where we can do this work?</p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21">For some time now, antimalware companies have been applying machine learning and big data analysis to generate more malware detections faster. 
Machine learning is all about training a machine to find patterns of signals in large streams of labeled information, then using those patterns against future data, all the while using feedback to continuously improve its accuracy. The stronger the labels, and the more diverse the information, the more effective the machine becomes.</p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21">Machine learning is similar to how I see people learn. For instance, when toddlers look at animals, at first they all appear to be the same. Then they learn to distinguish dogs from cows, for example. Pretty soon they can tell poodles from retrievers too. We correct them as necessary, and over many repetitions, they soon start to find more efficient identification patterns. In machine learning terms, we&rsquo;d say the toddlers were trained with labeled information. They extracted patterns of signals from the animals, and then applied these patterns against the new animals that&nbsp;they saw.</p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21">Humans do this intuitively and naturally, whereas machines require complex algorithms and training against huge data sets. Currently in the antimalware business, we have three main sources of machine learning signals: voluntarily opted-in telemetry data on encountered malware threats, our analysis of the malicious files, and malware signals from our partners.</p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21">To give you a sense of the volume and scale I am talking about, each month the Microsoft Malware Protection Center&rsquo;s (MMPC) machine learning systems analyze more than 30 million different file samples, and correlate this with what we know about the associated files, websites, and usage patterns. Our systems classify the file samples and then automatically create and deploy signatures for those identified as malware. The huge pipeline of signals makes it possible for us to quickly spot new malware. 
When we combine this with insights from our in-house AV researchers, our machines get smarter, and our customers receive greater protection.</p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21">We are using machine learning advances with the cloud too. For instance, we automatically recognize files showing tell-tale patterns of malicious intent. Cloud-based machines correlate that suspicious behavior with the reputation of the particular software being used to decide if AV software should intervene to block &ndash; faster, better, and more efficiently than a client computer could perform the check. In many cases we are able to protect clients even before detection signatures are delivered.</p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21">Although machine learning has already contributed significantly to malware protection, I believe that complete eradication of malware families will fail unless we determine how to identify specific attackers, and how to track a given malware family&rsquo;s malicious activity across its entire lifecycle. The AV industry needs to understand how a malware family is developed and distributed, how it is controlled, how it responds to changes, and how it is monetized.</p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21">To answer these questions, we&rsquo;ll need our machines to correlate more than telemetry, analysis, and the types of signals traditional security vendor partners provide. This is where coordinated malware eradication partnerships come into play. 
By working together and correlating our signals, we can see the bigger picture and identify appropriate choke points &ndash; weak spots for the malware writers.</p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21"><a href="http://www.microsoft.com/security/portal/blog-images/a/CME1.png"> <img style="width:500px;height:312px;" alt="Coordinated Malware Eradication" src="http://www.microsoft.com/security/portal/blog-images/a/CME1.png" border="0" /></a> <em></em>&nbsp;</p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21"><em>Figure 1: The antimalware ecosystem&rsquo;s coordinated malware eradication</em></p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21">The next question is where we will accomplish this goal. As I said above, we need a &ldquo;sandbox&rdquo; big enough where every industry partner can contribute with a variety of signals and deploy their machine learning and analysis tools. On top of our telemetry and analysis data, Microsoft can also contribute large amounts of cloud-based scalable storage and computing horsepower with the necessary big data analysis tools built-in. Our partners can contribute new information signals, strong labels, and their own tools to better train all of the machines.</p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21">For example, take your typical click-fraud attack. An advertising network can see the URLs being abused, the bank accounts in use, and the websites involved. A CERT or ISP can see parts of the command and control system &ndash; URLs, files being served, domain registrars, etc. AV vendors can see the client code and the URLs it is working with. Individually no one party has enough to identify the entirety of the attack. 
But when seen together, the correlation (in this example at least) is pretty easy to spot.</p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21"><a href="http://www.microsoft.com/security/portal/blog-images/a/CME3.png"> <img style="width:500px;height:233px;" alt="Coordinated Malware Eradication" src="http://www.microsoft.com/security/portal/blog-images/a/CME3.png" border="0" /></a> <em></em>&nbsp;</p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21"><em>Figure 2: Putting machine learning against massively correlated signals means we can go on the offensive </em></p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21">Putting machine learning to use at these huge scales against massively correlated signals means we can go on the offensive. Hopefully it will leave the bad guys with nowhere to go. It will allow us, as an industry, to blunt the efforts of the malware authors and their supply chains, and to block their attempts to game and steal from our customers.</p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21">I encourage you to join the conversation. We will be holding roundtable discussions at a few more upcoming events. 
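The click-fraud case described above, worked through as an added example that is not code from the original post: three constructed record sets stand in for what the advertising network, a CERT or ISP, and the AV vendor each see (the record layouts, domains, hashes and account identifiers are all made up for the illustration). Each party's records become edges between typed indicators, a URL is linked to its hostname so one party's URL can meet another party's domain, and a connected-component search over the joint graph ties the payout account to the command-and-control domain and the client samples. Run alone, the ad network's view never reaches the C2 domain and the AV vendor's view never reaches the payout account, which is the point the paragraph makes.

```python
"""Joining partial indicator views into one campaign graph.

Added example, not code from the original post. Every record below is
constructed sample data: the domains, hashes and account IDs are made up.
"""
from collections import defaultdict, deque
from urllib.parse import urlsplit

# What the advertising network sees: (abused click URL, payout account)
AD_NETWORK = [
    ("http://ads.example-shop.test/click?id=77", "ACCT-5521"),
    ("http://ads.example-shop.test/click?id=91", "ACCT-5521"),
    ("http://promo.legit-retailer.test/offer", "ACCT-1009"),
]
# What a CERT or ISP sees: (C2 domain, file it serves, registrar)
CERT_ISP = [
    ("cfg.updateserv.test", "sha256:aa11", "Registrar-X"),
    ("cfg.updateserv.test", "sha256:bb22", "Registrar-X"),
    ("news.unrelated.test", "sha256:cc33", "Registrar-Y"),
]
# What the AV vendor sees: (client sample hash, URL the sample contacted)
AV_VENDOR = [
    ("sha256:aa11", "http://cfg.updateserv.test/cfg.php"),
    ("sha256:aa11", "http://ads.example-shop.test/click?id=77"),
    ("sha256:bb22", "http://ads.example-shop.test/click?id=91"),
    ("sha256:cc33", "http://news.unrelated.test/rss"),
]


def host_of(url):
    """Lower-cased hostname of a URL: the pivot that links a URL seen by
    one party to a domain seen by another."""
    return urlsplit(url).hostname.lower()


def party_edges(ad_network=(), cert_isp=(), av_vendor=()):
    """Convert each party's records into undirected edges between typed
    indicator nodes ("url:", "acct:", "domain:", "hash:"). The type prefix
    keeps a hash and a URL from ever colliding as the same node."""
    edges = []
    for url, account in ad_network:
        edges.append(("url:" + url, "acct:" + account))
        edges.append(("url:" + url, "domain:" + host_of(url)))
    for domain, file_hash, _registrar in cert_isp:
        # The registrar is deliberately not used as a pivot: many unrelated
        # domains share a registrar, so that edge would merge separate campaigns.
        edges.append(("domain:" + domain, "hash:" + file_hash))
    for file_hash, url in av_vendor:
        edges.append(("hash:" + file_hash, "url:" + url))
        edges.append(("url:" + url, "domain:" + host_of(url)))
    return edges


def components(edges):
    """Connected components of the indicator graph, found by breadth-first search."""
    adjacent = defaultdict(set)
    for a, b in edges:
        adjacent[a].add(b)
        adjacent[b].add(a)
    seen, found = set(), []
    for start in adjacent:
        if start in seen:
            continue
        seen.add(start)
        component, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            component.add(node)
            for neighbour in adjacent[node]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
        found.append(frozenset(component))
    return found


def campaign_of(pivot, edges):
    """Every indicator reachable from one pivot, e.g. a payout account."""
    for component in components(edges):
        if pivot in component:
            return component
    return frozenset()


if __name__ == "__main__":
    joint = party_edges(AD_NETWORK, CERT_ISP, AV_VENDOR)
    for indicator in sorted(campaign_of("acct:ACCT-5521", joint)):
        print(indicator)
```

The choice of which fields become pivots is the whole game: hostnames and hashes are strong links, while a shared registrar (or a shared hosting provider, or a common file name) would chain unrelated campaigns together, so the code leaves that field out and a real deployment would weight such edges rather than treat them as equal.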
The latest schedule is&nbsp;below.&nbsp; If you would like to attend a discussion, email us at <a href="mailto:cme-invite@microsoft.com">cme-invite@microsoft.com</a>.</p> <p class="ExternalClass1A433E56746040B7B5E7278CF5C87A21"><em>Dennis Batchelder</em><br /><em>Partner PM Manager </em><br /><em>MMPC</em></p> <h3 class="ExternalClass1A433E56746040B7B5E7278CF5C87A21">Upcoming roundtable discussions:</h3> <div class="ExternalClass1A433E56746040B7B5E7278CF5C87A21"> <ul> <li><strong>PC Security Labs Conference</strong>, 2014 - April 1, 2014 - April 2, 2014 Beijing, China</li> <li><strong>CARO Workshop</strong>, May 15, 2014 &ndash; May 16, 2014 Melbourne, FL</li> <li><strong>26th Annual FIRST Conference</strong>, June 22, 2014 &ndash; June 27, 2014 Boston, MA</li> <li><strong>Microsoft Security Research Alliance Summit</strong><br />July 22, 2014 &ndash; July 24, 2014 Seattle, WA<br /><em>Invite only. NDA required</em>.</li> </ul> </div> </div><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3626259&AppID=6258&AppType=Weblog&ContentType=0" width="1" height="1"> Reflecting on Updated Privacy Practiceshttp://blogs.technet.com/b/trustworthycomputing/archive/2014/03/29/reflecting-on-updated-privacy-practices.aspxSat, 29 Mar 2014 17:07:36 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:6492b8d8-363a-45fa-8560-79de92e2034eTrusted Cloud Team0<p><strong>By Brendon Lynch, Chief Privacy Officer</strong></p> <p>For more than a decade, Microsoft has invested in a comprehensive privacy program that sets the foundation for our efforts to responsibly manage our customers&rsquo; data. An important part of our privacy commitment is that we evolve our policies and practices to address the changes in technology and customer expectations. 
Earlier today, <a href="/b/microsoft_on_the_issues/archive/2014/03/28/we-re-listening-additional-steps-to-protect-your-privacy.aspx">Microsoft General Counsel Brad Smith announced</a> a change to Microsoft&rsquo;s privacy practices to further enhance our privacy commitments.&nbsp; <a href="/b/trustworthycomputing/archive/2014/03/29/reflecting-on-updated-privacy-practices.aspx" target="_blank">Read more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/03/29/reflecting-on-updated-privacy-practices.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3626241&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">practicesTrustprivacy and reliabilityITMicrosoftDigital Citizenshippersonal dataDataPrivacy It’s Official: The International Association of Accessibility Professionals Launcheshttp://blogs.msdn.com/b/accessibility/archive/2014/03/27/it-s-official-the-international-association-of-accessibility-professionals-launches.aspxThu, 27 Mar 2014 18:06:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10511554Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10511554http://blogs.msdn.com/b/accessibility/archive/2014/03/27/it-s-official-the-international-association-of-accessibility-professionals-launches.aspx#commentsThe International Association of Accessibility Professionals (IAAP) officially began accepting membership applications last week, an important step in elevating, defining, and improving accessibility as a profession around the world. 
The new group...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/03/27/it-s-official-the-international-association-of-accessibility-professionals-launches.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10511554" width="1" height="1"> Reliability Series #4: Reliability-enhancing techniques (Part 2)http://blogs.technet.com/b/trustworthycomputing/archive/2014/03/27/reliability-series-4-reliability-enhancing-techniques-part-2.aspxThu, 27 Mar 2014 16:38:03 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:d6433552-df9c-424c-83a0-d0a535869f97Trusted Cloud Team0<p><strong>By David Bills, Chief Reliability Strategist, Trustworthy Computing</strong></p> <p>In my <a target="_blank" href="/b/trustworthycomputing/archive/2014/03/18/reliability-series-3-reliability-enhancing-techniques-part-1.aspx">previous post</a> in this series, I discussed the Discovery and Authorization/Authentication categories of the &ldquo;DIAL&rdquo; acronym to share mitigations targeting specific failure modes. 
In this article I&rsquo;ll discuss the &ldquo;Limits/Latency&rdquo; and &ldquo;Incorrectness&rdquo; categories represented by the &ldquo;DIAL&rdquo; acronym, and I&rsquo;ll also share example mitigations targeting specific failure modes for each.&nbsp; <a target="_blank" href="/b/trustworthycomputing/archive/2014/03/18/reliability-series-4-reliability-enhancing-techniques-part-2.aspx">See more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/03/27/reliability-series-4-reliability-enhancing-techniques-part-2.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3625440&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">ReliableCloudReliabilitytrusted online experiencesTrustTechnologyCloud Computingcloud servicesTrustworthy ComputingMicrosoft How to get rid of malware that keeps coming backhttp://blogs.msdn.com/b/securitytipstalk/archive/2014/03/27/how-to-get-rid-of-malware-that-keeps-coming-back.aspxThu, 27 Mar 2014 15:56:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10509293Eve Blakemore2http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10509293http://blogs.msdn.com/b/securitytipstalk/archive/2014/03/27/how-to-get-rid-of-malware-that-keeps-coming-back.aspx#comments<p><a href="http://www.microsoft.com/security/pc-security/windows-defender.aspx">Windows Defender</a> and <a href="http://www.microsoft.com/security/resources/mse-whatis.aspx">Microsoft Security Essentials</a> can get rid of most malware, but here&rsquo;s what you can do if it comes back.</p> <ol start="1"> <li><a href="http://www.microsoft.com/security/pc-security/updates.aspx">Make sure you have automatic updating turned on</a>. This feature ensures that you have the latest security improvements from Microsoft installed on your computer. 
If you&rsquo;re using other antivirus software, make sure that it is up to date with the latest malware definitions.</li> </ol><ol> <li>Restart your PC.</li> <li>Run a full scan:<ol> <li>Open your Microsoft security software.</li> <li>On the&nbsp;<strong>Home</strong>&nbsp;tab, under&nbsp;<strong>Scan options</strong>, click&nbsp;<strong>Full</strong>.</li> <li>Click&nbsp;<strong>Scan now</strong>.</li> </ol></li> </ol> <p>&nbsp;A full scan can take an hour or more, depending on how many files you have on your PC.</p> <p><a href="https://www.microsoft.com/security/portal/mmpc/help/remediation.aspx">Get more advanced troubleshooting for malware that keeps coming back</a>.</p> <p>Once your computer is clean, <a href="http://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx#steps_clean">take these steps to help keep it clean</a>.</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10509293" width="1" height="1">Windows DefendervirusmalwareMicrosoft Security Essentialssecuritymalicious softwareMicrosoftWindows 8 Reliability Series #3: Reliability-enhancing techniques (Part 1)http://blogs.technet.com/b/trustworthycomputing/archive/2014/03/26/reliability-series-3-reliability-enhancing-techniques-part-1.aspxWed, 26 Mar 2014 16:36:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:88f88ff2-47aa-42bd-b532-2b4d9465bc4fTrusted Cloud Team0<p><strong>By David Bills, Chief Reliability Strategist, Trustworthy Computing</strong><br /><br />In my <a href="/b/trustworthycomputing/archive/2014/03/18/reliability-series-2-categorizing-reliability-threats-to-your-service.aspx" target="_blank">previous post,</a> I discussed &ldquo;DIAL&rdquo;, an approach we use to categorize common service component interaction failures when applying Resilience Modeling &amp; Analysis, (RMA), to an online service design.&nbsp; In the next two posts,&nbsp; I&rsquo;ll discuss some mitigation strategies and design patterns intended to reduce the likelihood of the types 
of failures described by &ldquo;DIAL&rdquo;.&nbsp; <a href="/b/trustworthycomputing/archive/2014/03/18/reliability-series-3-reliability-enhancing-techniques-part-1.aspx" target="_blank">See more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/03/26/reliability-series-3-reliability-enhancing-techniques-part-1.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3625437&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">CustomersReliableReliabilitytrusted online experiencesTrustcustomer perspectiveCloud ComputingTrustworthy ComputingMicrosoftIT Pros Reliability Series #2: Categorizing reliability threats to your servicehttp://blogs.technet.com/b/trustworthycomputing/archive/2014/03/25/reliability-series-2-categorizing-reliability-threats-to-your-service.aspxTue, 25 Mar 2014 16:19:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:de3624e3-ca9e-40bb-be94-0f03f0284297Trusted Cloud Team0<p><strong>By David Bills, Chief Reliability Strategist, Trustworthy Computing</strong><br /><br />Online services face ongoing reliability-related threats represented by device failures, latent flaws in software being triggered by environmental change, and mistakes made by human beings. At Microsoft, one of the ways we&rsquo;re helping to improve the reliability of our services is by investing in resilience modeling and analysis (RMA) as a way for online service engineering teams to incorporate robust resilience design into the development lifecycle. 
&nbsp; <a href="/b/trustworthycomputing/archive/2014/03/18/reliability-series-2-categorizing-reliability-threats-to-your-service.aspx" target="_blank">See more&gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/03/25/reliability-series-2-categorizing-reliability-threats-to-your-service.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3625436&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">CustomersReliableCloudReliabilitytrusted online experiencesTrustprivacy and reliabilitycustomer perspectiveCloud Computingcloud servicesTrustworthy ComputingMicrosoftMicrosoft Cloud SolutionsIT Pros How to recover an account if you haven’t already added security information to ithttp://blogs.msdn.com/b/securitytipstalk/archive/2014/03/25/how-to-recover-an-account-if-you-haven-t-already-added-security-information-to-it.aspxTue, 25 Mar 2014 15:42:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10510580Eve Blakemore12http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10510580http://blogs.msdn.com/b/securitytipstalk/archive/2014/03/25/how-to-recover-an-account-if-you-haven-t-already-added-security-information-to-it.aspx#comments<p>A reader asks:</p> <p><em>What can I do if my account has been hacked and I haven&rsquo;t already added security information to it?</em></p> <p>It would be easier to recover your account if you had already associated it with information that cybercriminals can&rsquo;t easily access, like your mobile phone number or an alternate email address. 
For example, if your account is compromised, Microsoft could send you an account-recapture code in a text message to help you regain access to your account.&nbsp;If you do have access to your account, <a href="http://go.microsoft.com/fwlink/?LinkID=258134">add security information to your account now</a>.</p> <h1>If you haven&rsquo;t already added security information to your account</h1> <h3>Scan your PC for viruses</h3> <p>If your account has been hacked and you can&rsquo;t get access to it, the first thing you should do is scan your computer for viruses, and do it before you try to change your password. Attackers often obtain your password from malware installed on your PC without your knowledge (for example, bundled with a screen saver, toolbar, or other software downloaded from an untrustworthy source). If you change the password while that malware is still present, it can capture the new password too, so clean the PC first; if you can&rsquo;t be sure it is clean, change the password from a different, trusted device.</p> <p><strong>If your computer is running Windows 8</strong></p> <p>Use the built-in&nbsp;<a href="http://www.microsoft.com/security/pc-security/windows8.aspx#antivirus">Windows Defender</a>&nbsp;to help you get rid of a virus or other malware.</p> <p>Here's how:</p> <ol> <li> <p>From the&nbsp;<a href="http://windows.microsoft.com/en-us/windows-8/charms"><strong>Search charm</strong></a>, search for&nbsp;<strong>defender</strong>, and then open Windows Defender.</p> </li> <li> <p>On the&nbsp;<strong>Home</strong>&nbsp;tab, choose a scan option, and then tap or click&nbsp;<strong>Scan now</strong>.</p> </li> </ol> <p>In addition to the color codes for your PC&rsquo;s overall security status, Windows Defender applies an alert level to any suspected malware it detects. 
You can decide whether to remove an item entirely, research it further, or let it run because you recognize it.</p> <p>&nbsp;<strong>If your computer is running Windows 7 or Windows Vista</strong>&nbsp;</p> <ul> <li> <p><a href="http://www.microsoft.com/security/scanner/en-us/default.aspx">Run the Microsoft Safety Scanner</a>. The scanner works with the antivirus software that you already have on your computer, regardless of whether the software is from Microsoft.</p> </li> <li> <p>Download&nbsp;<a href="http://www.microsoft.com/security/resources/mse-whatis.aspx">Microsoft Security Essentials</a>&nbsp;for free, and then use the software to run a scan of your computer. For more information, see&nbsp;<a href="http://www.microsoft.com/security/pc-security/microsoft-security-essentials.aspx">Help protect your PC with Microsoft Security Essentials</a>. (Note: Some viruses will prevent you from downloading Microsoft Security Essentials. If you can&rsquo;t download the software, follow the instructions for using <a href="http://windows.microsoft.com/en-us/windows/windows-defender-offline-faq">Windows Defender Offline</a>.)</p> </li> <li> <p>Some malicious software can be difficult to remove. If your antivirus software detects malware but can&rsquo;t remove it,&nbsp;<a href="http://www.microsoft.com/security/portal/mmpc/help/remediation.aspx">follow these steps</a>.</p> </li> </ul> <p><a href="http://www.microsoft.com/security/pc-security/antivirus.aspx">Get more help removing viruses</a></p> <h3>Reset your password</h3> <p>Once you&rsquo;ve scanned your computer for viruses, <a href="https://account.live.com/resetpassword.aspx">reset the password on your account</a>.</p> <p>If you can&rsquo;t reset your password, and you haven&rsquo;t already added security information to your account, you can still get back into the account by&nbsp;<a href="https://account.live.com/acsr?mkt=en-US&amp;mn">filling out a questionnaire</a>. 
You will be asked specific questions about the account and email messages that might be stored there. Someone will get back to you within 24 hours (typically a lot sooner).</p> <p>For more information, see <a href="http://www.microsoft.com/security/online-privacy/hacked-account.aspx">How to recover your hacked Microsoft account</a>.</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10510580" width="1" height="1">fraudmalwaree-mailhotmailpasswordsemailemail scamsMicrosoftWindows 8 Researcher Sees Accessibility Becoming an Integrated Part of Technology Design http://blogs.msdn.com/b/accessibility/archive/2014/03/25/researcher-sees-accessibility-becoming-an-integrated-part-of-technology-design.aspxTue, 25 Mar 2014 15:18:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10507790Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10507790http://blogs.msdn.com/b/accessibility/archive/2014/03/25/researcher-sees-accessibility-becoming-an-integrated-part-of-technology-design.aspx#commentsSara Hendren is a researcher and artist who works in the area of design, accessibility, adaptive and assistive technologies, prosthetics, and cultural and political representations of disability. 
The following blog post was written by Paul Nyhan, a staff...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/03/25/researcher-sees-accessibility-becoming-an-integrated-part-of-technology-design.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10507790" width="1" height="1"> Windows XP: Risks and Guidance for Small Businesseshttp://blogs.technet.com/b/trustworthycomputing/archive/2014/03/24/windows-xp-risks-and-guidance-for-small-businesses.aspxTue, 25 Mar 2014 00:05:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:8f7615a0-5682-49c3-879b-fb56333d3fa3Trusted Cloud Team0<p><strong>By Adrienne Hall, General Manager, Trustworthy Computing</strong></p> <p>Those of you that are still running Windows XP are likely aware that support from Microsoft will end on April 8, 2014.&nbsp; Many of the enterprise customers I have talked with have been planning for the transition and are already completed or are in process of completing their migrations to a modern operating system.&nbsp; However, there are some small to mid sized&nbsp;businesses that don&rsquo;t plan to replace their Windows XP systems even after support for these systems ends in April. For those in that situation, you may find this information to be of value. 
<a href="/b/trustworthycomputing/archive/2014/03/24/windows-xp-risks-and-guidance-for-small-businesses.aspx">See more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/03/24/windows-xp-risks-and-guidance-for-small-businesses.aspx">read more</a>)Small Business GuidanceWindows XP Risks2014Windows XP End of SupportApril 8 Security Advisory 2953095: recommendation to stay protected and for detectionshttp://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspxMon, 24 Mar 2014 19:01:24 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:231a64dc-9e55-4295-931c-09e4a6eb9801swiat0<p style="text-align:justify;">Today, Microsoft released <a href="http://technet.microsoft.com/en-us/security/advisory/2953095">Security Advisory 2953095</a> to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010.</p> <p style="text-align:justify;">This post discusses mitigations and temporary defensive strategies that help customers protect themselves while we work on a security update. It also provides some preliminary details of the exploit code observed in the wild.</p> <p style="text-align:justify;"><b>Mitigations and Workaround</b></p> <p style="text-align:justify;">The in-the-wild exploit takes advantage of an unspecified RTF parsing vulnerability combined with an ASLR bypass that depends on a module loaded at a predictable memory address.</p> <p style="text-align:justify;">First, our tests showed that EMET&rsquo;s default configuration blocks the exploits seen in the wild: EMET mitigations such as &ldquo;Mandatory ASLR&rdquo; and the anti-ROP features effectively stop the exploit. 
You can find more information about EMET at <span style="color:#0000ff;"><a href="http://www.microsoft.com/emet">http://www.microsoft.com/emet</a></span>. The exploit code targets Word 2010 and relies heavily on the specific ASLR bypass mentioned above. In our tests the exploit fails (Word crashes) on machines running Word 2013, thanks to the <a href="http://blogs.technet.com/b/srd/archive/2014/03/12/when-aslr-makes-the-difference.aspx">ASLR enforcement introduced for that product</a>.</p> <p style="text-align:justify;">In addition to the EMET mitigations, users may consider applying stronger protection by keeping RTF content away from the vulnerable parser with one of the following workarounds:</p> <ul style="text-align:justify;"> <li> <p>disable opening of RTF files;</p> </li> <li> <p>force Word to always open RTF files in <em>Protected View</em>, via the Trust Center settings.</p> </li> </ul> <p style="text-align:justify;">To facilitate deployment of the first workaround, we are providing a <a href="https://support.microsoft.com/kb/2953095">Fix it automated tool</a>. The Fix it uses Office&rsquo;s File Block feature and adds a few registry values that prevent RTF files from opening in all Word versions. 
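</p><p style="text-align:justify;">For administrators who prefer a script to the Fix it, the following Python example (added here; it is not the Fix it&rsquo;s own code) audits and optionally sets the same File Block values for Word 2010 (key version 14.0) and Word 2013 (15.0) under HKEY_CURRENT_USER. The key path <code>Software\Microsoft\Office\&lt;ver&gt;\Word\Security\FileBlock</code> and the meaning of the <code>RtfFiles</code> and <code>OpenInProtectedView</code> values are the editor&rsquo;s reading of the advisory&rsquo;s manual workaround and should be checked against the advisory before rollout; Office 2007 uses a different key and is not covered. Because the values live under HKCU, the script must run as the user whose Word profile is being changed.</p>

```python
"""Audit or set Word's File Block handling of RTF files (Office 2010/2013).

Added example, not the Fix it's own code. The key path and the meaning of the
two DWORD values are the editor's reading of the advisory's manual workaround;
verify them against Security Advisory 2953095 before deploying.
"""
import sys

# Per-user setting, so run this as the user whose Word profile is being changed.
FILEBLOCK_KEY = r"Software\Microsoft\Office\{ver}\Word\Security\FileBlock"
OFFICE_VERSIONS = ("14.0", "15.0")  # Word 2010, Word 2013 (Office 2007 uses a different key)

# RtfFiles:            0 = not blocked, 1 = save blocked, 2 = open and save blocked
# OpenInProtectedView: what Word does with a blocked type on open:
#                      0 = do not open, 1 = open in Protected View,
#                      2 = open in Protected View with editing allowed
BLOCK_OPEN = {"RtfFiles": 2, "OpenInProtectedView": 0}      # what the Fix it applies
PROTECTED_VIEW = {"RtfFiles": 2, "OpenInProtectedView": 1}  # the softer workaround


def classify(rtf_files, open_in_pv):
    """Map the two values (None = absent) to the posture described in the post."""
    if rtf_files != 2:
        return "unprotected"      # RTF still reaches the vulnerable parser
    if open_in_pv is None:
        return "default"          # blocked type, open behaviour left to Word's default
    if open_in_pv == 0:
        return "blocked"          # Word refuses to open the file
    return "protected-view"       # opened sandboxed; ActiveX controls are not loaded


def read_policy(ver):
    """Return (RtfFiles, OpenInProtectedView) for one Office version; None if absent."""
    import winreg  # Windows only
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, FILEBLOCK_KEY.format(ver=ver))
    except FileNotFoundError:
        return None, None
    found = {}
    for name in ("RtfFiles", "OpenInProtectedView"):
        try:
            found[name], _ = winreg.QueryValueEx(key, name)
        except FileNotFoundError:
            found[name] = None
    key.Close()
    return found["RtfFiles"], found["OpenInProtectedView"]


def apply_policy(ver, policy):
    """Write the given values, creating the FileBlock key if needed."""
    import winreg  # Windows only
    key = winreg.CreateKey(winreg.HKEY_CURRENT_USER, FILEBLOCK_KEY.format(ver=ver))
    for name, value in policy.items():
        winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, value)
    key.Close()


if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "audit"   # audit | block | pv
    for ver in OFFICE_VERSIONS:
        if mode == "block":
            apply_policy(ver, BLOCK_OPEN)
        elif mode == "pv":
            apply_policy(ver, PROTECTED_VIEW)
        rtf, pv = read_policy(ver)
        print(f"Word {ver}: RtfFiles={rtf} OpenInProtectedView={pv} -> {classify(rtf, pv)}")
```

<p style="text-align:justify;">Run it with no argument to report the current posture, with <code>block</code> to apply what the Fix it applies (RTF files refused), or with <code>pv</code> to apply the softer workaround (RTF files opened in Protected View). A Word version that is not installed shows up as <code>unprotected</code> because its key is absent, and <code>classify</code> deliberately reports <code>default</code> when <code>OpenInProtectedView</code> is missing rather than guessing Word&rsquo;s built-in behaviour. For a fleet, the Group Policy route the post mentions below is still the right tool; this script is for checking a handful of machines or a lab image.</p><p style="text-align:justify;">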
After the Fix it is installed, opening an RTF file results in the following message:</p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/3124.pic1.png"><img style="margin-right:auto;margin-left:auto;display:block;" alt="File Block message shown by Word when an RTF file is opened" src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/3124.pic1.png" border="0" /></a></p> <p style="text-align:justify;">If blocking RTF files is not an option, enterprises can enforce &ldquo;<em>Open selected file types in Protected View</em>&rdquo; instead of &ldquo;<em>Do not open selected file types</em>&rdquo; in the Trust Center settings. Protected View in Office 2010/2013 does not load ActiveX controls, which is enough to mitigate the attack we observed. With this workaround enabled, Word shows the <em>Protected View</em> gold bar but still lets the user preview the document.</p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/0118.pic2.png"><img style="margin-right:auto;margin-left:auto;display:block;" alt="Protected View gold bar shown by Word for an RTF file" src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/0118.pic2.png" border="0" /></a></p> <p style="text-align:justify;">Enterprise admins may also prefer to build their own protection with the Trust Center features of Office rather than the Fix it, since those settings can be managed and deployed through Group Policy (GPO). 
For more details, see <span style="color:#0000ff;"><a href="http://office.microsoft.com/en-us/word-help/what-is-file-block-HA010355927.aspx#_File_Block_settings">http://office.microsoft.com/en-us/word-help/what-is-file-block-HA010355927.aspx#_File_Block_settings</a>.</span></p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/1212.pic3.png"><img style="margin-right:auto;margin-left:auto;display:block;" alt="Trust Center File Block Settings dialog" src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/1212.pic3.png" border="0" /></a></p> <p style="text-align:justify;"><b>Theoretical Outlook attack vector</b></p> <p style="text-align:justify;">There is a theoretical Outlook attack vector for RTF vulnerabilities through the preview pane. The reduced functionality of the preview pane makes this vector extremely hard to exploit, and to date we have never seen exploits that use it.</p> <p style="text-align:justify;"><b>Technical details of the exploit</b></p> <p style="text-align:justify;">The attack detected in the wild is limited and highly targeted. The malicious document is designed to trigger a memory corruption vulnerability in the RTF parsing code. The attacker embedded a secondary component to bypass ASLR and used return-oriented programming, crafting the ROP gadgets through RTF&rsquo;s native encoding schemes. 
The structure of the malicious document and its individual blocks is shown in the picture below.</p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/pic4.png"><img width="439" height="312" style="border:1px solid currentColor;width:435px;height:331px;margin-right:auto;margin-left:auto;display:block;" alt="Structure of the malicious RTF document" src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/pic4.png" /></a></p> <p style="text-align:justify;">When the memory corruption is triggered, the exploit gains initial control of execution. To bypass DEP and ASLR it then runs a ROP chain that allocates a large chunk of executable memory and transfers control to the first stage of the shellcode, an egghunter, which searches for the main shellcode placed at the end of the RTF document and executes it.</p> <p align="center"><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/pic5.png"><img style="border:1px solid currentColor;margin-right:auto;margin-left:auto;display:block;" alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/pic5.png" /></a></p> <p style="text-align:justify;">One peculiar aspect of the main shellcode is that it employs multiple consecutive layers of decryption and well-known anti-debugging tricks, such as checks of debugger flags, RDTSC timing checks and jumps over API hook prologues, presumably to defeat automated sandboxes, analysis tools and researchers. The shellcode has also been programmed with a special date-based deactivation logic. 
It parses the file &ldquo;<i>C:\Windows\SoftwareDistribution\ReportingEvents.log</i>&rdquo; (the Windows Update agent&rsquo;s event log) and enumerates the Microsoft updates installed on the machine. If any update was installed after April 8, 2014, the shellcode performs no further malicious action. This means that even after successful exploitation with reliable code execution, after that date the shellcode may decide not to drop the secondary backdoor payload and simply abort. When the activation logic detects the right condition, the exploit drops a backdoor file named &lsquo;svchost.exe&rsquo; into the temporary folder and runs it; the name mimics the legitimate %windir%\system32\svchost.exe, so a process with that name running from %TEMP% is itself a strong indicator. The dropped backdoor is generic malware written in Visual Basic 6 that communicates over HTTPS, relies on running several Windows scripts via WScript.Shell, and can install and run additional MSI components.</p> <p style="text-align:justify;"><b>Detection and indicators for defenders</b></p> <p style="text-align:justify;">We are providing a list of IOCs (Indicators of Compromise) to support defensive efforts and to help security vendors and professionals protect against this specific attack. 
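</p><p style="text-align:justify;">As an added example (not part of the original post), the following Python reproduces the logic of the <code>SA2953095_RTF</code> YARA rule from the IOC table that follows, for environments where a YARA engine is not at hand, and reports which clause failed so that near-misses can be triaged. Two details of the rule are easy to misread: its <code>filesize</code> bounds use YARA&rsquo;s 1024-byte KB, and <code>#rop&gt;8</code> is a count of occurrences of the <code>?\u-554</code> escape, not a presence test. The two sample documents built at the bottom are constructed for this example and are not real malware.</p>

```python
"""Pure-Python equivalent of the SA2953095_RTF YARA rule, with per-clause triage.

Added example, not part of the original post. The sample documents at the
bottom are constructed for illustration and are not real malware.
"""

# Strings from the rule. YARA's "\\" is one literal backslash, so these are the
# exact byte sequences the rule searches for.
BAD_HDR = b"{\\rt{"         # truncated RTF header; a normal file starts with {\rtf1
OCX_TAG = b"\\objocx\\"     # embedded OCX object
MSCOMCTL = b"MSComctlLib."  # class name of the embedded control the rule looks for
ROP_MARK = b"?\\u-554"      # RTF Unicode escape the ROP chain is encoded with
MIN_SIZE = 100 * 1024       # YARA's KB suffix means 1024 bytes
MAX_SIZE = 500 * 1024
MIN_ROP = 9                 # the rule requires #rop > 8, i.e. at least 9 occurrences


def rule_conditions(data: bytes) -> dict:
    """Evaluate each clause of the rule on its own; True means the clause holds."""
    return {
        "filesize": MIN_SIZE < len(data) < MAX_SIZE,
        "badHdr": BAD_HDR in data,
        "ocxTag": OCX_TAG in data,
        "mscomctl": MSCOMCTL in data,
        "rop_count": data.count(ROP_MARK) >= MIN_ROP,
    }


def matches_sa2953095(data: bytes) -> bool:
    """Same verdict the YARA rule gives for this buffer (all clauses are AND-ed)."""
    return all(rule_conditions(data).values())


def scan_file(path: str) -> bool:
    with open(path, "rb") as fh:
        return matches_sa2953095(fh.read())


# Constructed samples. BENIGN_RTF is an ordinary minimal document; the synthetic
# sample carries every indicator the rule keys on and nothing that executes.
BENIGN_RTF = b"{\\rtf1\\ansi{\\fonttbl{\\f0 Calibri;}}\\f0 Hello}"


def build_synthetic_sample(rop_entries: int = 12, size: int = 200 * 1024) -> bytes:
    body = BAD_HDR + b"\\ansi{\\object\\objocx\\objw100{\\*\\objclass MSComctlLib.Example}}"
    body += ROP_MARK * rop_entries
    return body + b"A" * (size - len(body))  # pad into the rule's size window


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, "MATCH" if scan_file(path) else "clean")
```

<p style="text-align:justify;">Run as <code>python check_rtf.py file1.rtf file2.rtf</code> to print MATCH or clean per file. The synthetic sample is padded into the 100 KB to 500 KB window and carries twelve <code>?\u-554</code> markers; lowering that to eight, or pushing the size outside the window, flips the verdict to negative, exactly as the YARA rule would. The per-clause dictionary is what you want when a document trips four of the five clauses: a file that has the truncated <code>{\rt{</code> header and the embedded control but too few escapes is still worth a manual look.</p><p style="text-align:justify;">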
The remote C&amp;C server used by the current backdoor in the file uses encrypted SSL traffic with a static self-signed certificate that can be easily detected.</p> <p style="text-align:justify;"><b>&nbsp;</b></p> <p style="text-align:center;"></p> <p style="text-align:center;"></p> <p style="text-align:center;"></p> <table style="margin-right:auto;margin-left:auto;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td width="168" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><b>&nbsp;YARA RULE (RTF)</b></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> <td width="456" valign="top"> <p>rule SA2953095_RTF<br />{<br />&nbsp;&nbsp; meta:<br />&nbsp;&nbsp;&nbsp;&nbsp; description = &quot;MS Security Advisory 2953095&quot;</p> <p>&nbsp;<br />&nbsp;&nbsp; strings:<br />&nbsp;&nbsp;&nbsp; $badHdr&nbsp;&nbsp; = &quot;{\\rt{&quot;<br />&nbsp;&nbsp;&nbsp; $ocxTag&nbsp;&nbsp; = &quot;\\objocx\\&quot;<br />&nbsp;&nbsp;&nbsp; $mscomctl = &quot;MSComctlLib.&quot;<br />&nbsp;&nbsp;&nbsp; $rop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = &quot;?\\u-554&quot;</p> <p>&nbsp;&nbsp; condition:<br />&nbsp;&nbsp;&nbsp; filesize &gt; 100KB and filesize &lt; 500KB<br />&nbsp;&nbsp;&nbsp; and $badHdr and $ocxTag and $mscomctl and #rop&gt;8<br />}&nbsp;</p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> </tr> <tr> <td width="168" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><b>&nbsp;SAMPLE HASHES</b></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> <td width="456" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p>Filename: %TEMP%\svchost.exe</p> <span style="font-family:Times New Roman;font-size:medium;"> </span> <p>MD5: af63f1dc3bb37e54209139bd7a3680b1<br />SHA1: 77ec5d22e64c17473290fb05ec5125b7a7e02828</p> </td> </tr> <tr> <td width="168" valign="top"><span style="font-family:Times New 
Roman;font-size:medium;"> </span> <p><b>&nbsp;C&amp;C SERVER AND&nbsp;<br /></b><b>&nbsp;PROTOCOL</b></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> <td width="456" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p>C&amp;C Server: <br /> h**ps://185.12.44.51 Port: 443</p> <span style="font-family:Times New Roman;font-size:medium;"> </span> <p><i>NOTE: on port 80 the C&amp;C host serves a webpage mimicking the content of &ldquo;http://www.latamcl.com/&rdquo; website</i></p> <span style="font-family:Times New Roman;font-size:medium;"> </span> <p><br />GET request example:<br />h**ps://185.12.44.51/[rannd_alpa_chars].[3charst]?[encodedpayload]<span style="font-family:Times New Roman;font-size:medium;"> </span></p> <br /> <p>User-Agent string:<br />&ldquo;Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64;2*Uuhgco}%7)1&rdquo;</p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> </tr> <tr> <td width="168" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><b>&nbsp;C&amp;C SSL CERTIFICATE<br /></b><b>&nbsp;(self-signed)</b><span style="font-family:Times New Roman;font-size:medium;"> </span></p> </td> <td width="456" valign="top"><span style="font-family:Times New Roman;font-size:medium;"><span style="font-family:Times New Roman;font-size:medium;"></span></span> <p>Issuer:<br />&nbsp;&nbsp;&nbsp; CN=*<br />&nbsp;&nbsp;&nbsp; O=My Company Ltd<br />&nbsp;&nbsp;&nbsp; S=Berkshire<br />&nbsp;&nbsp;&nbsp; C=NW<br />&nbsp;NotBefore: 1/1/2013 3:33 AM<br />&nbsp;NotAfter: 1/1/2014 3:33 AM</p> <span style="font-family:Times New Roman;font-size:medium;"><span style="font-family:Times New Roman;font-size:medium;"></span></span> <p>Public Key Length: 1024 bits<br />Public Key: UnusedBits = 0</p> <span style="font-family:Times New Roman;font-size:medium;"><span style="font-family:Times New Roman;font-size:medium;"></span></span> <p>&nbsp;&nbsp;&nbsp; 
0000&nbsp; 30 81 89 02 81 81 00 dc&nbsp; 72 fc af 8f 51 de 2d 27<br />&nbsp;&nbsp;&nbsp; 0010&nbsp; 3e de ad 21 ae 25 11 b6&nbsp; b0 6e ce 6d 79 e4 d3 81<br />&nbsp;&nbsp;&nbsp; 0020&nbsp; 4e 73 11 44 51 63 09 3b&nbsp; 1c e7 79 1f 85 82 94 c1<br />&nbsp;&nbsp;&nbsp; 0030&nbsp; e1 f1 83 b3 1c 6d 53 58&nbsp; 28 07 b5 80 86 30 51 2d<br />&nbsp;&nbsp;&nbsp; 0040&nbsp; 78 c0 48 e8 b2 8d fb 84&nbsp; e1 d1 59 ff d5 4e 1f 8f<br />&nbsp;&nbsp;&nbsp; 0050&nbsp; ff 60 44 56 6b 7b 4d 72&nbsp; 42 d6 da 6a 4c d4 6b 7d<br />&nbsp;&nbsp;&nbsp; 0060&nbsp; f1 68 4d 2c 62 58 53 e7&nbsp; cd cc a1 a4 a2 7a 29 7d<br />&nbsp;&nbsp;&nbsp; 0070&nbsp; 63 eb 42 30 af 24 eb 20&nbsp; 4c 86 f5 9e 6f 48 1c bd<br />&nbsp;&nbsp;&nbsp; 0080&nbsp; 28 aa 47 13 4b cc 53 02&nbsp; 03 01 00 01</p> <span style="font-family:Times New Roman;font-size:medium;"><span style="font-family:Times New Roman;font-size:medium;"></span></span> <p>Cert Hash(md5): f0 82 aa f8 16 0e 83 8c 20 d7 95 f0 9d d2 01 57<br />Cert Hash(sha1): df 72 40 fb 9b cd 53 12 eb a5 f9 c2 dd e7 a2 9a 1d c8 f3 55</p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> </tr> <tr> <td width="168" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><b>&nbsp;CRASH INDICATORS</b></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> <td width="456" valign="top"> <p>Faulting application name: WINWORD.EXE,<br />version: 14.0.7113.5001, time stamp: 0x52866c04<br />Faulting module name: unknown,<br />version: 0.0.0.0, time stamp: 0x00000000<br />Exception code: 0xc0000005<br /><span style="background-color:#ffffff;">Fault offset: 0x40002???</span><br />Faulting process id: n/a<br />Faulting application start time: n/a<br />Faulting application path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE<br />Faulting module path: unknown<span>&nbsp;</span><span style="font-family:Times New Roman;font-size:medium;"> </span><span style="font-family:Times New 
Roman;font-size:medium;"><br /></span></p> <p><span style="font-family:Times New Roman;font-size:medium;">&nbsp;</span></p> </td> </tr> <tr> <td width="168" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><b>&nbsp;REGISTRY INDICATORS</b></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> <td width="456" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p>Registry key added:<br />HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Startup Helper=&rdquo;%windir%\system32\wscript.exe %TEMP%\[malicious.vbs]&rdquo;<span style="font-family:Times New Roman;font-size:medium;"> </span></p> <p>Service name (possibly) created:<br />&ldquo;WindowsNetHelper&rdquo;<span style="font-family:Times New Roman;font-size:medium;">&nbsp;<br /></span>&nbsp;<span style="font-family:Times New Roman;font-size:medium;"> </span></p> </td> </tr> </tbody> </table> <p></p> <p><span style="font-size:medium;">&nbsp;</span></p> <p><span style="font-size:medium;">- Chengyun Chu and Elia Florio, MSRC Engineering</span></p> <p><span style="font-size:medium;">&nbsp;</span></p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3625846&AppID=6147&AppType=Weblog&ContentType=0" width="1" height="1">CVE-2014-17610dayMSRC2953095EMETRTF Microsoft Releases Security Advisory 2953095http://blogs.technet.com/b/msrc/archive/2014/03/24/microsoft-releases-security-advisory-2953095.aspxMon, 24 Mar 2014 18:00:29 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:5b32be52-a0b0-41d2-94aa-7646a08f98c6Dustin C. Childs0<p>Today we released <a href="http://technet.microsoft.com/en-us/security/advisory/2953095"><span style="color:#0000ff;">Security Advisory 2953095</span></a> to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. 
An attacker could cause remote code execution if someone was convinced to open a specially crafted Rich Text Format (RTF) file or a specially crafted mail in Microsoft Outlook while using Microsoft Word as the email viewer.</p> <p>As part of the security advisory, we have included an easy, one-click <a href="https://support.microsoft.com/kb/2953095"><span style="color:#0000ff;">Fix it</span></a> to address the known attack vectors. The Fix it is available to all customers and helps prevent known attacks that leverage the vulnerability to execute code. Additionally, applying the Fix it does not require a reboot. We encourage all customers using Microsoft Word to apply this Fix it to help protect their systems.</p> <p>The <a href="http://technet.microsoft.com/en-us/security/jj653751"><span style="color:#0000ff;">Enhanced Mitigation Experience Toolkit (EMET)</span></a> also helps to defend against this vulnerability when configured to work with Microsoft Office software. If you are using EMET 4.1 with the recommended settings, this configuration is already enabled and no additional steps are required.</p> <p>We also encourage you to follow the &quot;Protect Your Computer&quot; guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. In addition, we encourage everyone to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders. More information can be found at <a href="http://www.microsoft.com/protect"><span style="color:#0000ff;">www.microsoft.com/protect</span></a>.</p> <p>We continue to work on a security update to address this issue. 
We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.</p> <p>Thank you,<br /> <a title="Dustin Childs" href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs"><span style="color:#0000ff;">Dustin Childs</span></a><br /> Group Manager, Response Communications<br /> Trustworthy Computing</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3625661&AppID=4571&AppType=Weblog&ContentType=0" width="1" height="1">AdvisoryFix ItSecurity AdvisoryMicrosoft Office Europe’s New Accessibility Procurement Standard Can Be a Model for the Worldhttp://blogs.msdn.com/b/accessibility/archive/2014/03/24/europe-new-accessibility-procurement-standard.aspxMon, 24 Mar 2014 17:31:11 GMT91d46819-8472-40ad-a661-2c78acb4018c:10510513Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10510513http://blogs.msdn.com/b/accessibility/archive/2014/03/24/europe-new-accessibility-procurement-standard.aspx#commentsThe following blog post was written by Laura Ruby - Director of Accessibility Policy and Standards at Microsoft. She has worked in this area of the technology sector for more than 22 years. 
----- After years of study and deliberation, European standards...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/03/24/europe-new-accessibility-procurement-standard.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10510513" width="1" height="1"> Cyber threats to Windows XP and guidance for Small Businesses and Individual Consumers http://blogs.technet.com/b/security/archive/2014/03/24/cyber-threats-to-windows-xp-and-guidance-for-small-businesses-and-individual-consumers.aspxMon, 24 Mar 2014 16:03:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:4f409854-0e97-41ff-bc1b-b3d547270a90Tim Rains - Microsoft0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3625784http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3625784http://blogs.technet.com/b/security/archive/2014/03/24/cyber-threats-to-windows-xp-and-guidance-for-small-businesses-and-individual-consumers.aspx#comments<p>It&rsquo;s been well publicized that on April 8th, 2014 Microsoft discontinues product support for Windows XP.&nbsp; Released in 2001, the support policy for the life of Windows XP soon followed in October 2002.&nbsp; In September 2007, we announced that support for Windows XP would be extended an additional two years to April 8 2014.&nbsp; We are very clear about the <a href="http://microsoft.com/lifecycle">lifecycle of our products</a>, deliberately communicating this information years in advance, because we know customers need time to plan for changes to their technology investments and manage upgrades to newer systems and services.&nbsp;</p> <p>We&rsquo;ve also focused on communicating regularly, such as an <a href="/b/security/archive/2013/08/15/the-risk-of-running-windows-xp-after-support-ends.aspx">article</a> posted in August of last year.&nbsp; That piece focused on the fact that supported versions get security updates that address any newly discovered vulnerabilities, which Windows XP won&rsquo;t receive after April 8, 2014.&nbsp; 
This means that running Windows XP when the product is obsolete (after support ends), will increase the risk of technology being affected by cybercriminals attempting to do harm.&nbsp; This blog post continues on from that article, and also provides guidance to consider as people look ahead.</p> <p>Many of the enterprise customers I&rsquo;ve talked to recently have finished, or are in the process of finishing, technology projects that move their desktop computing environments from Windows XP to Windows 7 or Windows 8.&nbsp; However, I&rsquo;ve also talked to some small businesses and individuals that don&rsquo;t plan to replace their Windows XP systems even after support for these systems ends in April.&nbsp; In light of this, I want to share some of the specific threats to Windows XP-based systems that attackers may attempt after support ends, so that these customers can understand the risks and hopefully decide to immediately upgrade to a more secure version of Windows, or accelerate existing plans to do so. <a href="/b/security/archive/2014/03/24/cyber-threats-to-windows-xp-and-guidance-for-small-businesses-and-individual-consumers.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/03/24/cyber-threats-to-windows-xp-and-guidance-for-small-businesses-and-individual-consumers.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3625784&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">2014Windows XP End of SupportAttacks on Windows XPApril 8 Reliability Series #1: Reliability vs. 
resiliencehttp://blogs.technet.com/b/trustworthycomputing/archive/2014/03/24/reliability-series-1-reliability-vs-resilience.aspxMon, 24 Mar 2014 15:52:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:6ec85603-f53b-4d5f-bc2b-4a3828f0d1c9Trusted Cloud Team0<p><strong>By David Bills, Chief Reliability Strategist, Trustworthy Computing</strong><br /><br />Whenever I speak to customers and partners about reliability I&rsquo;m reminded that while objectives and priorities differ between organizations and customers, at the end of the day, everyone wants their service to work. As a customer, you want to be able to do things online, at a time convenient to you. As an organization &ndash; or a provider of a service &ndash; you want your customers to carry out the tasks they want to, whenever they want to do so.<br /><br />This article is the first in a four-part series on building a resilient service. In&nbsp;my first two posts, I will discuss the topic as it relates to&nbsp;business strategy,&nbsp;and then we&#39;ll dive deeper into the technical details.&nbsp; <a href="/b/trustworthycomputing/archive/2014/03/18/reliability-series-1-reliability-vs-resilience.aspx" target="_blank">See more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/03/24/reliability-series-1-reliability-vs-resilience.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3625434&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">CustomersReliableReliabilitytrusted online experiencesTrustprivacy and reliabilitycustomer perspectiveCloud Computingcloud servicesTrustworthy ComputingMicrosoftIT Pros Threat Modeling a Retail Environmenthttp://blogs.technet.com/b/security/archive/2014/03/20/threat-modeling-a-retail-environment.aspxThu, 20 Mar 2014 17:55:25 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:5d7f2e98-60db-4131-9855-a414d43c5dfeMicrosoft Security 
Staff
<p>Posted by: <strong>Michael Howard</strong>, Principal Consultant, Cybersecurity</p> <p>If you have followed this blog, or followed anything Microsoft has done with the <a href="http://www.microsoft.com/sdl">Security Development Lifecycle</a>, you&rsquo;ll know that we are proponents of threat modeling as a way to understand the risks to, and potential mitigations for, a system.</p> <p>The computer industry is full of systems that look somewhat alike and have similar &ldquo;moving parts&rdquo;; for example, banking, health care, telecommunications and so on. In the wake of high-profile attacks on organizations in the retail industry, we thought that developing new guidance that addresses the unique requirements and challenges of that industry could be helpful. We decided that the best way to do this was to team up cybersecurity expertise with retail expertise. 
We combined the security expertise of senior consultants Tim Delong, Mark Simos and myself from the Microsoft Consulting Services Cybersecurity team with the retail industry expertise of Vic Mile and Marty Ramos from Microsoft&rsquo;s Retail industry vertical team. <a href="/b/security/archive/2014/03/19/threat-modeling-a-retail-environment.aspx">Read more</a></p>

Threat Landscape in the Middle East and Southwest Asia – Part 6: Best Practices from Locations with Low Malware Infection Rates
http://blogs.technet.com/b/security/archive/2014/03/20/threat-landscape-in-the-middle-east-and-southwest-asia-part-6-best-practices-from-locations-with-low-malware-infection-rates.aspx
Thu, 20 Mar 2014 16:11:00 GMT
Tim Rains - Microsoft
<p>In this six-part series we examined many factors that are likely contributing to the relatively high malware infection rates of countries/regions in the Middle East and southwest Asia. 
Here are the articles in the series for reference:</p> <ul>
<li><a href="/b/security/archive/2014/03/12/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-1-relatively-high-malware-infection-rates.aspx">The Threat Landscape in the Middle East and Southwest Asia &ndash; Part 1: Relatively High Malware Infection Rates</a></li>
<li><a href="/b/security/archive/2014/03/13/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-2-relatively-high-malware-encounter-rates.aspx">The Threat Landscape in the Middle East and Southwest Asia &ndash; Part 2: Relatively High Malware Encounter Rates</a></li>
<li><a href="/b/security/archive/2014/03/17/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-3-regional-anti-virus-software-usage.aspx">The Threat Landscape in the Middle East and Southwest Asia &ndash; Part 3: Regional Anti-virus Software Usage</a></li>
<li><a href="/b/security/archive/2014/03/18/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-4-regional-windows-xp-market-share.aspx">The Threat Landscape in the Middle East and Southwest Asia &ndash; Part 4: Regional Windows XP Market Share</a></li>
<li><a href="/b/security/archive/2014/03/19/threat-landscape-in-the-middle-east-and-southwest-asia-part-5-socio-economic-factors-and-regional-malware-infection-rates.aspx">The Threat Landscape in the Middle East and Southwest Asia &ndash; Part 5: Socio-economic Factors and Regional Malware Infection Rates</a></li>
<li><a href="/b/security/archive/2014/03/27/threat-landscape-in-the-middle-east-and-southwest-asia-part-6-best-practices-from-locations-with-low-malware-infection-rates.aspx">The Threat Landscape in the Middle East and Southwest Asia &ndash; Part 6: Best Practices from Locations with Low Malware Infection Rates</a></li>
</ul> <p>I have had the opportunity to travel to many parts of the world to discuss threats and best practices, including the locations with the lowest malware infection rates in the world as well as some of the locations I discussed in this series with relatively high malware infection rates. The locations that typically have low malware infection rates include Finland, Japan, and Norway. We recently published a series of articles on some of these locations that includes commentary from local security professionals.</p> <ul>
<li><a href="/b/security/archive/2014/02/06/cleanest-countries-regions-jump-to-the-top-of-our-podium.aspx">Cleanest Countries/Regions Jump to the Top of Our Podium</a></li>
<li><a href="/b/security/archive/2014/02/10/norway-sweeps-in-with-bronze-medal.aspx">Norway Sweeps In With Bronze Medal</a></li>
<li><a href="/b/security/archive/2014/02/13/japan-skates-into-second-place.aspx">Japan Skates into Second Place</a></li>
<li><a href="/b/security/archive/2014/02/20/and-the-gold-medal-goes-to-finland.aspx">And the Gold Medal Goes to &hellip; Finland!</a></li>
</ul> <p>When I talk with security professionals in locations with relatively high infection rates, they are always interested in learning about the practices that the countries/regions with consistently low malware infection rates employ to be so successful. 
Here is a summary of those best practices. <a href="/b/security/archive/2014/03/27/threat-landscape-in-the-middle-east-and-southwest-asia-part-6-best-practices-from-locations-with-low-malware-infection-rates.aspx">Read more</a></p>

Tax scams: 6 ways to help protect yourself
http://blogs.msdn.com/b/securitytipstalk/archive/2014/03/20/tax-scams-6-ways-to-help-protect-yourself.aspx
Thu, 20 Mar 2014 14:26:00 GMT
Eve Blakemore
<p>We&rsquo;ve received reports that cybercriminals are at it again, luring unsuspecting taxpayers in the United States into handing over their personal information as they rush to file their taxes before the deadline.</p> <p>Here are 6 ways to help protect yourself.</p>
<ol>
<li><strong>Beware of all email, text, or social networking messages that appear to be from the IRS.</strong> Cybercriminals often send fraudulent messages meant to trick you into revealing your social security number, account numbers, or other personal information. They&rsquo;ll even use the IRS logo. Read more about how <a href="http://www.irs.gov/uac/Report-Phishing">the IRS does not initiate contact with taxpayers by email or use any social media tools to request personal or financial information</a>.</li>
<li><strong>Use technology to help detect scams.</strong> Scams that ask for personal or financial information are called &ldquo;phishing scams.&rdquo; Internet Explorer, Microsoft Outlook, and other programs have anti-phishing protection built in. Read more <a href="http://www.microsoft.com/security/online-privacy/phishing-scams.aspx#Tools">about identity theft protection tools that can help you avoid tax scams</a>.</li>
<li><strong>Check to see if you already have antivirus software.</strong> If a cybercriminal does fool you with a tax scam that involves downloading malware onto your computer, you might already be protected by your antivirus software. If your computer is running Windows 8, you have <a href="http://www.microsoft.com/security/pc-security/windows8.aspx#antivirus">antivirus software built in</a>. Download <a href="http://www.microsoft.com/security/pc-security/mse.aspx">Microsoft Security Essentials</a> at no cost for Windows 7 and Windows Vista.</li>
<li><strong>Make sure the website uses secure technology.</strong> If you&rsquo;re filing your taxes on the web, make sure that the web address begins with https, and check to see if a tiny locked padlock appears at the bottom right of the screen. For more information, see <a href="http://www.microsoft.com/security/online-privacy/trusted-sites.aspx">How do I know if I can trust a website</a> and <a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/01/21/what-is-https.aspx">What is HTTPS?</a></li>
<li><strong>Think before you download tax apps.</strong> Download apps only from major app stores&mdash;the <a href="http://www.windowsphone.com/en-us/store" target="_blank">Windows Phone Store</a> or <a href="http://www.apple.com/iphone/from-the-app-store" target="_blank">Apple&rsquo;s App Store</a>, for example&mdash;and stick to popular apps with numerous reviews and comments.</li>
<li><strong>Be realistic.</strong> If it sounds too good to be true, it probably is. From companies that promise to file your taxes for free, to websites that claim you don't have to pay income tax because it's unconstitutional&mdash;keep an eye out for deliberately misleading statements.</li>
</ol>

Threat Landscape in the Middle East and Southwest Asia – Part 5: Socio-economic Factors and Regional Malware Infection Rates
http://blogs.technet.com/b/security/archive/2014/03/19/threat-landscape-in-the-middle-east-and-southwest-asia-part-5-socio-economic-factors-and-regional-malware-infection-rates.aspx
Wed, 19 Mar 2014 16:00:00 GMT
Tim Rains - Microsoft
<p>This series examines malware infection rates and the factors contributing to them in several locations in the Middle East and southwest Asia 
including Bahrain, Egypt, Israel, Iraq, Jordan, Kuwait, Lebanon, Oman, Pakistan, Palestinian Authority, Qatar, Saudi Arabia, Syria, Turkey, and the United Arab Emirates. This region of the world has had <a href="/b/security/archive/2014/03/12/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-1-relatively-high-malware-infection-rates.aspx">high malware infection rates</a> compared to other parts of the world. I looked at how <a href="/b/security/archive/2014/03/13/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-2-relatively-high-malware-encounter-rates.aspx">malware encounter rates</a> affect malware infection rates in the region. I also examined how <a href="/b/security/archive/2014/03/17/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-3-regional-anti-virus-software-usage.aspx">anti-virus software usage</a> and <a href="/b/security/archive/2014/03/19/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-4-regional-windows-xp-market-share.aspx">Windows XP market share</a> impact infection rates in these locations. <a href="/b/security/archive/2014/03/24/threat-landscape-in-the-middle-east-and-southwest-asia-part-5-socio-economic-factors-and-regional-malware-infection-rates.aspx">Read more</a></p>

Help! 
Someone is holding my computer hostage
http://blogs.msdn.com/b/securitytipstalk/archive/2014/03/18/help-someone-is-holding-my-computer-hostage.aspx
Tue, 18 Mar 2014 16:00:00 GMT
Eve Blakemore
<p>If you see a pop-up window, webpage, or email message warning you that your computer has been locked because of possible illegal activities, you might be a victim of a criminal extortion scam called <a href="http://www.microsoft.com/security/resources/ransomware-whatis.aspx">ransomware</a>.</p> <p>Ransomware often masquerades as an official-looking warning from a well-known law enforcement agency, such as the US Federal Bureau of Investigation (FBI).</p> <p>The aim of ransomware is to prevent you from using your computer until you pay a fee (the "ransom"). If you get an email message or a warning like this, do not follow the payment instructions. If you pay the ransom, the criminals probably won&rsquo;t unlock your computer and might even install more viruses or steal your personal and financial information.</p> <p><a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-72-21/3122.ransomware.jpg"><img src="http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-72-21/3122.ransomware.jpg" alt="Example of ransomware" border="0" /></a></p> <p><em>Example of ransomware</em></p> <h3>What to do if you think you&rsquo;ve been a victim of ransomware</h3> <p>If you&rsquo;ve already paid the scammers, you should contact your bank and your local authorities, such as the police. If you paid with a credit card, your bank may be able to block the transaction and return your money.</p> <p>To detect and remove ransomware and other malicious software that might be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products can detect and remove this threat:</p> <ul>
<li><a href="http://windows.microsoft.com/en-US/windows-8/windows-defender#1TC=t1">Windows Defender</a> (built into <a href="http://www.microsoft.com/security/pc-security/windows8.aspx">Windows 8</a>)</li>
<li><a href="http://go.microsoft.com/fwlink/?LinkId=168949" target="_blank">Microsoft Security Essentials</a></li>
<li><a href="http://www.microsoft.com/security/scanner/default.aspx" target="_blank">Microsoft Safety Scanner</a></li>
<li><a href="http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline">Windows Defender Offline</a> (Some ransomware will not allow you to use the products listed here, so you might have to start your computer from a Windows Defender Offline disk.)</li>
</ul> <h3>More information about how to prevent and get rid of ransomware</h3> <ul>
<li><a href="http://www.microsoft.com/security/resources/ransomware-whatis.aspx">What is ransomware?</a></li>
<li><a href="http://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx">Malware Protection Center: Ransomware</a></li>
</ul>

Academy Award-winner Marlee Matlin discusses Xbox One’s accessibility features 
http://blogs.technet.com/b/trustworthycomputing/archive/2014/03/18/academy-award-winner-marlee-matlin-discusses-xbox-one-s-accessibility-features.aspx
Tue, 18 Mar 2014 15:20:00 GMT
Trusted Cloud Team
<p><strong>By Bonnie Kearney, Director, Trustworthy Computing</strong></p> <p>Marlee Matlin has been a pioneering advocate for the deaf community since she won an Academy Award for her first movie role, &ldquo;<a href="http://www.imdb.com/title/tt0090830/" target="_blank">Children of a Lesser God</a>.&rdquo; We asked her to explain how the Xbox One she bought for her four children <a href="http://aka.ms/P66yxv">opened a gateway</a> to closed caption movies and television. <a href="http://aka.ms/P66yxv" target="_blank">See more &gt;&gt;</a></p>

Marlee Matlin: Xbox One Opened a New Gateway to Closed Captioned Movies and TV
http://blogs.msdn.com/b/accessibility/archive/2014/03/18/xbox-one-opened-a-new-gateway.aspx
Tue, 18 Mar 2014 13:09:00 GMT
Daniel Hubbell - MSFT
This blog post was written by Academy Award-winning actress Marlee Matlin, who has appeared in more than 30 films and television shows, including &ldquo;Children of A Lesser God,&rdquo; &ldquo;The West Wing,&rdquo; and &ldquo;Switched at Birth.&rdquo;...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/03/18/xbox-one-opened-a-new-gateway.aspx">read more</a>)

The Threat Landscape in the Middle East and Southwest Asia – Part 4: Regional Windows XP Market Share
http://blogs.technet.com/b/security/archive/2014/03/18/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-4-regional-windows-xp-market-share.aspx
Tue, 18 Mar 2014 08:50:00 GMT
Tim Rains - Microsoft
<p>This is Part 4 of a series of articles on the threat landscape in the Middle East and southwest Asia. This series examines malware infection rates and the factors contributing to them in several locations in the region including Bahrain, Egypt, Israel, Iraq, Jordan, Kuwait, Lebanon, Oman, Pakistan, Palestinian Authority, Qatar, Saudi Arabia, Syria, Turkey, and the United Arab Emirates. 
<a href="/b/security/archive/2014/03/19/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-4-regional-windows-xp-market-share.aspx">Read more</a></p>

March 2014 Security Bulletin Webcast and Q&A
http://blogs.technet.com/b/msrc/archive/2014/03/17/march-2014-security-bulletin-webcast-and-q-amp-a.aspx
Mon, 17 Mar 2014 21:00:00 GMT
Dustin C. Childs
<p>Today we published the <a href="http://blogs.technet.com/b/msrc/p/march-2014-security-bulletin-q-a.aspx">March 2014 Security Bulletin Webcast Questions &amp; Answers page</a>. We answered eight questions in total, with the majority focusing on the updates for Windows (<a href="https://technet.microsoft.com/security/bulletin/ms14-016">MS14-016</a>) and Internet Explorer (<a href="https://technet.microsoft.com/security/bulletin/ms14-012">MS14-012</a>). One question that was not answered on air has been included on the Q&amp;A page.</p> <p>Here is the <a href="http://www.youtube.com/v/jYyh1AtW4m4?version=3&amp;hl=en_US">video replay</a>.</p> <p>We invite you to join us for the next scheduled webcast on Wednesday, April 9, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the April bulletin release and answer your bulletin deployment questions live on the air.</p> <p>You can register to attend the webcast at the link below:</p> <p><b>Date: Wednesday, April 9, 2014<br /> Time: 11:00 a.m. PDT (UTC -7)<br /> Register: </b><a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572978&amp;Culture=en-US"><b>Attendee Registration</b></a></p> <p>I look forward to seeing you next month.</p> <p>Thanks,<br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br /> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</p>

The Threat Landscape in the Middle East and Southwest Asia – Part 3: Regional Anti-virus Software Usage
http://blogs.technet.com/b/security/archive/2014/03/17/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-3-regional-anti-virus-software-usage.aspx
Mon, 17 Mar 2014 16:05:00 GMT
Tim Rains - Microsoft
<p>This is Part 3 in a series of articles focused on understanding the threat landscape in the Middle East and Southwest Asia. 
<a href="/b/security/archive/2014/03/12/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-1-relatively-high-malware-infection-rates.aspx">Part 1 of the series</a> examined malware infection rates of many locations in the region including Bahrain, Egypt, Israel, Iraq, Jordan, Kuwait, Lebanon, Oman, Pakistan, Palestinian Authority, Qatar, Saudi Arabia, Syria, Turkey, and the United Arab Emirates. <a href="/b/security/archive/2014/03/13/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-2-relatively-high-malware-encounter-rates.aspx">Part 2</a> took a close look at whether the relatively high malware infection rates in the region were simply a result of people encountering malware more frequently in this region than the worldwide average. Relatively high encounter rates among these locations help partially explain why they have high infection rates. But there were some notable exceptions, like Turkey, which had the highest encounter rate but did not have the highest infection rate; high encounter rates in Turkey were primarily due to attackers targeting Turkish language speakers. This part of the series, Part 3, explores whether differences in real-time anti-virus usage among locations help explain differences among regional infection rates; that is, do locations that have a high percentage of unprotected systems have high malware infection rates? You might be surprised by the results. 
<a href="/b/security/archive/2014/03/12/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-3-regional-anti-virus-software-usage.aspx">Read more</a></p>

The Power of Technology Is Expanding the Use of Memory-Assisting Tools
http://blogs.msdn.com/b/accessibility/archive/2014/03/13/the-power-of-technology-is-expanding-the-use-of-memory-assisting-tools.aspx
Thu, 13 Mar 2014 21:34:00 GMT
Daniel Hubbell - MSFT
The following blog post was written by Erin Beneteau, a senior learning and development strategist for accessibility at Microsoft. Erin has worked in the field of assistive technology for over 15 years. 
(Note: This story is based on my experience, but...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/03/13/the-power-of-technology-is-expanding-the-use-of-memory-assisting-tools.aspx">read more</a>)

The Threat Landscape in the Middle East and Southwest Asia – Part 2: Relatively High Malware Encounter Rates
http://blogs.technet.com/b/security/archive/2014/03/13/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-2-relatively-high-malware-encounter-rates.aspx
Thu, 13 Mar 2014 16:03:00 GMT
Tim Rains - Microsoft
<p>This is Part 2 in a series of articles focused on understanding the threat landscape in the Middle East and Southwest Asia. <a href="/b/security/archive/2014/03/12/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-1-relatively-high-malware-infection-rates.aspx">Part 1</a> of the series examined the relatively high malware infection rates of numerous locations in the region. This article examines whether these relatively high malware infection rates are a result of people in the region encountering malware more frequently than average.</p> <p>The &ldquo;encounter rate&rdquo; is the percentage of computers running Microsoft real-time security software that report detecting malware or potentially unwanted software during a quarter. Most of these encounters are from systems running Microsoft Security Essentials or Windows Defender (on Windows 8) reporting that they blocked malware from installing on them. 
The worldwide average encounter rate was 17% in the second quarter of 2013 (2Q13), while the average of all the locations in Figure 1 was 28.5%. Of these locations only Israel, with an encounter rate of 15.74%, had an encounter rate below the worldwide average.&nbsp; <a href="/b/security/archive/2014/03/13/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-2-relatively-high-malware-encounter-rates.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/03/13/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-2-relatively-high-malware-encounter-rates.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3624491&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">Cybesecurity Threat LandscapeThreat Landscape in the Middle EastMicrosoft Security Intelligence Report Volume 15 When ASLR makes the differencehttp://blogs.technet.com/b/srd/archive/2014/03/12/when-aslr-makes-the-difference.aspxWed, 12 Mar 2014 16:13:30 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:56fe7844-ad64-46cf-b139-84a150f943a1swiat0<p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;">We wrote </span><span style="font-family:Calibri;font-size:medium;"><a href="http://blogs.technet.com/b/srd/archive/2013/12/11/software-defense-mitigating-common-exploitation-techniques.aspx">several times</a> </span><span style="font-family:Calibri;font-size:medium;">in this blog about the importance of enabling <i>Address Space Layout Randomization</i> mitigation (ASLR) in modern software because it&rsquo;s a very important defense mechanism that can increase the cost of writing exploits for attackers and in some cases prevent reliable exploitation. 
</span><span style="font-family:Calibri;font-size:medium;">In today&rsquo;s blog, we&rsquo;ll go through ASLR one more time to show in practice how it can be valuable to mitigate two real exploits seen in the wild and to suggest solutions for programs not equipped with ASLR yet.</span></p> <p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <p style="text-align:justify;"><b><span style="font-family:Calibri;font-size:medium;">Born with ASLR</span></b></p> <p style="text-align:justify;"><span style="font-family:Calibri;"><span style="font-size:medium;">ASLR mitigation adds a significant component in exploit development, but we realized that sometimes a single module without ASLR loaded in a program can be enough to compromise all the benefits at once. For this reason recent versions of most popular Microsoft programs were natively developed to enforce ASLR <span style="font-family:Calibri;font-size:medium;">automatically</span> for every module loaded into the process space. In fact <span style="text-decoration:underline;">Internet Explorer 10/11 and Microsoft Office 2013</span> are designed to run with full benefits of this mitigation and they <span style="text-decoration:underline;">enforce ASLR randomization natively without any additional setting on Win7 and above</span>, even for those DLLs not originally compiled with /DYNAMICBASE flag. 
So, customers using these programs already have good native protection and only need to take care of other </span><span style="font-size:medium;">programs that do not use ASLR and are potentially targeted by exploits.</span></span></p> <p style="text-align:justify;"><b><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></b></p> <p style="text-align:justify;"><b><span style="font-family:Calibri;font-size:medium;">ASLR effectiveness in action</span></b></p> <p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;">Given the importance of ASLR, we are making additional efforts to close gaps when ASLR bypasses surface at security conferences from time to time, or when they are found in the wild being used in targeted attacks. </span><span style="font-family:Calibri;font-size:medium;">The outcome of this effort is to strengthen protection also for previous versions of the Microsoft OS and browser that cannot enforce ASLR natively the way IE 10/11 and Office 2013 do. Some examples of recent updates designed to break well-known ASLR bypasses are shown in the following table.</span></p> <p style="text-align:justify;"></p> <div> <div> <table style="width:624px;height:182px;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td width="96" valign="top"><span style="font-family:Times New Roman;font-size:medium;"></span> <p><b><span style="font-family:Calibri;font-size:medium;">MS BULLETIN</span></b></p> <span style="font-family:Times New Roman;font-size:medium;"></span></td> <td width="192" valign="top"><span style="font-family:Times New Roman;font-size:medium;"></span> <p><b><span style="font-family:Calibri;font-size:medium;">ASLR BYPASS</span></b></p> <span style="font-family:Times New Roman;font-size:medium;"></span></td> <td width="342" valign="top"><span style="font-family:Times New Roman;font-size:medium;"></span> <p><b><span style="font-family:Calibri;font-size:medium;">REFERENCE</span></b></p> <span style="font-family:Times New 
Roman;font-size:medium;"></span></td> </tr> <tr> <td width="96" valign="top"><span style="font-family:Times New Roman;font-size:medium;"></span> <p><a href="https://blogs.technet.com/b/srd/archive/2013/08/12/mitigating-the-ldrhotpatchroutine-dep-aslr-bypass-with-ms13-063.aspx"><span style="font-family:Calibri;font-size:medium;">MS13-063</span><span style="font-family:Calibri;">&nbsp;</span></a></p> <span style="font-family:Times New Roman;font-size:medium;"></span></td> <td width="192" valign="top"><span style="font-family:Times New Roman;font-size:medium;"></span> <p><span style="font-family:Calibri;font-size:medium;">LdrHotPatchRoutine</span></p> <span style="font-family:Times New Roman;font-size:medium;"></span></td> <td width="342" valign="top"><span style="font-family:Times New Roman;font-size:medium;"></span> <p><span style="font-family:Calibri;font-size:medium;"><span style="font-family:Calibri;font-size:medium;">Ref:</span> <a href="http://cansecwest.com/slides/2013/DEP-ASLR%20bypass%20without%20ROP-JIT.pdf"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">http://cansecwest.com/slides/2013/DEP-ASLR%20bypass%20without%20ROP-JIT.pdf</span></a><br /></span></p> <p><span style="font-family:Calibri;font-size:medium;">Reported in Pwn2Own 2013, works only for Win7 x64</span><span style="font-family:Times New Roman;font-size:medium;">&nbsp;</span></p> </td> </tr> <tr> <td width="96" valign="top"><span style="font-family:Times New Roman;font-size:medium;"></span> <p><a href="https://blogs.technet.com/b/srd/archive/2013/12/09/ms13-106-another-aslr-bypass-is-gone.aspx"><span style="font-family:Calibri;font-size:medium;">MS13-106</span><span style="font-family:Calibri;">&nbsp;</span></a></p> <span style="font-family:Times New Roman;font-size:medium;"></span></td> <td width="192" valign="top"><span style="font-family:Times New Roman;font-size:medium;"></span> <p><span style="font-family:Calibri;font-size:medium;">HXDS.DLL (Office 2007/2010)</span></p> 
<span style="font-family:Times New Roman;font-size:medium;"><span style="font-size:medium;"></span></span></td> <td width="342" valign="top"><span style="font-family:Times New Roman;font-size:medium;"><span style="font-size:medium;"></span></span> <p><span style="font-family:Calibri;font-size:medium;">Ref: </span><a href="http://www.greyhathacker.net/?p=585"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">http://www.greyhathacker.net/?p=585</span></a><br /><span style="font-family:Calibri;font-size:medium;"></span></p> <p><span style="font-family:Calibri;font-size:medium;">Seen used in-the-wild with IE/Flash exploits <br />(CVE-2013-3893, CVE-2013-1347, <br />CVE-2012-4969, CVE-2012-4792)</span><span style="font-family:Times New Roman;font-size:medium;"> <br /><br /></span></p> </td> </tr> <tr> <td width="96" valign="top"><span style="font-family:Times New Roman;font-size:medium;"></span> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms14-009"><span style="font-family:Calibri;font-size:medium;">MS14-009</span><span style="font-family:Calibri;">&nbsp;</span></a></p> <span style="font-family:Times New Roman;font-size:medium;"></span></td> <td width="192" valign="top"><span style="font-family:Times New Roman;font-size:medium;"></span> <p><span style="font-family:Calibri;font-size:medium;">VSAVB7RT.DLL (.NET)</span></p> <span style="font-family:Times New Roman;font-size:medium;"></span></td> <td width="342" valign="top"><span style="font-family:Times New Roman;font-size:medium;"></span> <p><span style="font-family:Calibri;font-size:medium;">Ref: </span><a href="http://www.greyhathacker.net/?p=585"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">http://www.greyhathacker.net/?p=585</span></a><br /><span style="font-family:Times New Roman;font-size:medium;"><br /></span><span style="font-family:Calibri;font-size:medium;">Seen used in-the-wild with IE exploits <br />(CVE-2013-3893)</span></p> <span 
style="font-family:Times New Roman;font-size:medium;"></span></td> </tr> </tbody> </table> </div> <div></div> <div><span style="font-family:Times New Roman;font-size:medium;"> </span> <p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;"><br />We were glad to see these recent ASLR updates pay off in two recent attacks: the Flash exploit <a href="http://www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html">found in February (CVE-2014-0502)</a> in some </span><span style="font-family:Calibri;font-size:medium;">targeted attacks </span><span style="font-family:Calibri;font-size:medium;">and a privately reported bug in IE8 (CVE-2014-0324) patched just today. As shown in the code snippets below, the two exploits would not have been effective against </span><span style="font-family:Calibri;font-size:medium;">fully patched machines </span><span style="font-family:Calibri;font-size:medium;">running Vista or above with the MS13-106 update installed.</span></p> <p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <table style="width:630px;height:628px;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td width="362" valign="top"><span style="font-family:Times New Roman;font-size:medium;">&nbsp;</span> <p><span style="font-family:Calibri;font-size:medium;"><span style="font-family:Calibri;font-size:medium;"><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/4786.pic1.png"><img width="520" height="506" style="width:360px;height:364px;" alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/4786.pic1.png" border="0" /></a></span></span></p> </td> <td width="261" valign="top"><span style="font-family:Times New 
Roman;font-size:medium;"> </span> <p><b><span style="font-family:Calibri;font-size:medium;">Exploit code for CVE-2014-0502 (Flash)</span></b></p> <span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">Unsuccessful attempt at an ASLR bypass using HXDS.DLL, fixed by MS13-106.</span><span style="font-family:Times New Roman;font-size:medium;"> </span></p> <p><span style="font-family:Calibri;font-size:medium;">NOTE: the code also attempts a second ASLR bypass based on Java 1.6.x</span><span style="font-family:Times New Roman;font-size:medium;"> </span></p> </td> </tr> <tr> <td width="362" valign="top"><span style="font-family:Times New Roman;font-size:medium;">&nbsp;</span><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/3201.pic2.png"><img alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/3201.pic2.png" border="0" /></a></td> <td width="261" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><b><span style="font-family:Calibri;font-size:medium;">Exploit code for CVE-2014-0324 (IE8)</span></b></p> <span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">Unsuccessful attempt at an ASLR bypass using HXDS.DLL, fixed by MS13-106.</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> </tr> </tbody> </table> <p><span style="font-family:Calibri;font-size:medium;"><span style="font-family:Times New 
Roman;font-size:medium;"> </span><br /></span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span><span style="font-family:Times New Roman;font-size:medium;"> </span><span style="font-family:Times New Roman;font-size:medium;"> </span> <p style="text-align:justify;"><b><span style="font-family:Calibri;font-size:medium;">Solutions for&nbsp;non-ASLR modules</span></b></p> <p style="text-align:justify;"><span style="font-family:Calibri;"><span style="font-size:medium;">The two&nbsp;exploits above show another important lesson: even if Microsoft libraries are compiled natively with ASLR, and even if we work hard to fix known ASLR gaps in our products, attackers still have opportunities to use third-party DLLs to tamper with the ASLR ecosystem. Java 1.6.x is a well-known case: because of the popularity of this software suite, and because it loads an old non-ASLR library&nbsp;<span style="font-family:Calibri;font-size:medium;">(MSVCR71.DLL)</span> into the browser, it became a very popular vector used in exploits to bypass ASLR. 
In fact, security researchers are frequently scanning for popular 3</span><sup><span style="font-size:small;">rd</span></sup><span style="font-size:medium;"> party libraries not compiled with /DYNAMICBASE that can allow a bypass; the following list is just a sample of a few common ones.</span></span></p> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <table style="width:525px;height:489px;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td width="252" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><b><span style="font-family:Calibri;"><span style="font-size:medium;">3</span><sup><span style="font-size:small;">rd</span></sup><span style="font-size:medium;"> PARTY ASLR BYPASS</span></span></b></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> <td width="378" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><b><span style="font-family:Calibri;font-size:medium;">REFERENCE</span></b></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> </tr> <tr> <td width="252" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">Java 1.6.x (MSVCR71.DLL)</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> <td width="378" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;Very common ASLR bypass used in-the-wild for multiple CVEs<br /><br />&nbsp;NOTE: Java 1.7.x uses MSVCR100.DLL which supports ASLR<br /></span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> </tr> <tr> <td width="252" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">DivX Player 10.0.2</span></p> <span style="font-family:Times New 
Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">Yahoo Messenger 11.5.0.228</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-size:medium;">AOL Instant Messenger 7.5.14.8</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> <td width="378" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;Ref: </span><a href="http://www.greyhathacker.net/?p=756"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">http://www.greyhathacker.net/?p=756</span></a><span style="font-family:Times New Roman;font-size:medium;">&nbsp;<br /></span><span style="font-family:Calibri;font-size:medium;">&nbsp;(not seen in real attacks)</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> </tr> <tr> <td width="252" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">DropBox<br /></span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> <td width="378" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;Ref:</span><a href="http://codeinsecurity.wordpress.com/2013/09/09/installing-dropbox-prepare-to-lose-aslr/"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">http://codeinsecurity.wordpress.com/2013/09/09/installing-dropbox-prepare-to-lose-aslr/</span></a><br /><span style="font-family:Calibri;font-size:medium;"><br />&nbsp;(not seen in real attacks)</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span 
style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> </tr> <tr> <td width="252" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-size:medium;">veraport20.Veraport20Ctl<br /> <br />Gomtvx.Launcher</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-size:medium;">INIUPDATER.INIUpdaterCtrl</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> <td width="378" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;"><span style="font-family:Calibri;font-size:medium;">&nbsp;Ref: KISA report </span><a href="http://boho.or.kr/upload/file/EpF448.pdf"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">http://boho.or.kr/upload/file/EpF448.pdf</span></a></span></p> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;(seen in-the-wild with CVE-2013-3893</span>)</p> <span style="font-family:Times New Roman;font-size:medium;"> </span> <p></p> <span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> </tr> </tbody> </table> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <p style="text-align:justify;"><span style="font-family:Calibri;"><span style="font-size:medium;">As noted at beginning of this blog, Internet Explorer 10/11 and Office 2013 are not affected by ASLR bypasses introduced by 3</span><sup><span style="font-size:small;">rd</span></sup><span style="font-size:medium;"> party modules and plugins. 
Instead, customers still running older versions of Internet Explorer and Office can take advantage of two effective tools that can be used to enforce ASLR mitigation for any module:</span></span></p> <ul style="text-align:justify;"> <li> <p><span style="font-size:medium;"><span style="text-decoration:underline;"><a href="http://www.microsoft.com/emet">EMET (Enhanced Mitigation Experience Toolkit)</a></span>: can be used to enable system-wide <span style="font-size:medium;">ASLR </span>or &ldquo;MandatoryASLR&rdquo; selectively on any process;</span></p> </li> <li> <p><span style="font-size:medium;"><span style="text-decoration:underline;"><a href="http://support.microsoft.com/kb/2639308">&ldquo;Force ASLR&rdquo; update KB2639308</a></span>: makes it possible for selected applications to forcibly relocate images not built with /DYNAMICBASE, using Image File Execution Options (IFEO) registry keys;</span></p> <p>&nbsp;</p> </li> </ul> <p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;"><strong>Conclusions</strong><br /></span></p> <p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;">ASLR bypasses do not represent vulnerabilities in themselves, since they have to be combined with a real memory corruption vulnerability before attackers can create an exploit; however, it&#39;s nice to see that closing ASLR bypasses can negatively&nbsp;impact the reliability of certain targeted attacks. </span><span style="font-family:Calibri;font-size:medium;">We encourage all customers to proactively test and deploy the suggested tools when possible, especially for old programs commonly targeted by memory corruption exploits. 
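</span></p> <p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;">Before relying on EMET or the Force ASLR IFEO keys, it helps to know which modules in a process actually lack the /DYNAMICBASE flag. The following header-only checker is an added example (not Microsoft's, EMET's or this post's code): it reads the DllCharacteristics and COFF Characteristics of a PE image, reports images without /DYNAMICBASE as ASLR-bypass candidates, and separates out images with stripped relocations, which the loader cannot rebase at all. The sample images it runs on are constructed inside the script.</span></p>

```python
"""Header-only check of whether a PE image opts in to ASLR (/DYNAMICBASE).

Added example for this post; it is not Microsoft's, EMET's or the post's code.
It reads only the DOS, COFF and optional headers, so it runs on any OS without
ctypes or pefile, and can be pointed at a directory to find candidate non-ASLR DLLs.
"""
import struct
import sys
from pathlib import Path
from typing import Dict, Iterable, Iterator, Tuple

# IMAGE_FILE_HEADER.Characteristics
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
# IMAGE_OPTIONAL_HEADER.DllCharacteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # set by the /DYNAMICBASE linker flag
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # set by /NXCOMPAT (DEP)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_headers(data: bytes) -> Dict[str, int]:
    """Return COFF Characteristics, optional-header Magic and DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the signature; Characteristics is its last WORD.
    (coff_chars,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    opt = e_lfanew + 4 + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and the PE32+ optional header.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {"coff": coff_chars, "magic": magic, "dllchars": dll_chars}


def assess_aslr(data: bytes) -> Dict[str, object]:
    """Classify an image the way a defender triaging loaded modules would."""
    h = parse_pe_headers(data)
    dynamic_base = bool(h["dllchars"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(h["coff"] & IMAGE_FILE_RELOCS_STRIPPED)
    if dynamic_base:
        verdict = "ok: built with /DYNAMICBASE, randomized by the loader"
    elif relocs_stripped:
        # Without a relocation table the loader cannot move the image, so neither
        # Force ASLR nor EMET MandatoryASLR can rebase it; it stays at its preferred base.
        verdict = "no ASLR and relocations stripped: cannot be relocated by the loader"
    else:
        verdict = ("no /DYNAMICBASE: candidate ASLR bypass; relocatable with "
                   "Force ASLR (KB2639308, IFEO) or EMET MandatoryASLR")
    return {
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(h["dllchars"] & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(h["dllchars"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        "pe32plus": h["magic"] == PE32PLUS_MAGIC,
        "verdict": verdict,
    }


def scan_modules(paths: Iterable[Path]) -> Iterator[Tuple[Path, str]]:
    """Yield (path, verdict) per file; unreadable, truncated or non-PE files are skipped."""
    for p in paths:
        try:
            yield p, str(assess_aslr(p.read_bytes())["verdict"])
        except (OSError, ValueError, struct.error) as exc:
            yield p, "skipped: %s" % exc


def build_header_only_pe(dll_chars: int, coff_chars: int = 0x2102, pe32plus: bool = False) -> bytes:
    """Constructed header-only image for offline testing; it is not a loadable module."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # e.g. python check_aslr.py "C:\Program Files\SomeApp"
        for path, verdict in scan_modules(Path(sys.argv[1]).rglob("*.dll")):
            print("%-60s %s" % (path, verdict))
    else:                                       # demo on constructed headers
        samples = [
            ("modern DLL (/DYNAMICBASE /NXCOMPAT)", build_header_only_pe(0x0140)),
            ("legacy-style DLL without /DYNAMICBASE", build_header_only_pe(0x0000)),
            ("image with relocations stripped", build_header_only_pe(0x0000, coff_chars=0x2103)),
        ]
        for label, img in samples:
            print("%-40s %s" % (label, assess_aslr(img)["verdict"]))
```

Run it against the directory of a plugin or an older application to list which of its DLLs would need Force ASLR or EMET MandatoryASLR to be randomized.
<p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;">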
We expect that attackers will continue increasing their focus and research on </span><span style="font-family:Calibri;font-size:medium;"><a href="http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-exploits.html">more sophisticated ASLR bypasses </a></span><span style="font-family:Calibri;font-size:medium;">which rely on memory address disclosure rather than non-ASLR libraries.</span><span style="font-family:Calibri;font-size:medium;"><br /></span></p> <p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <p style="text-align:justify;"><span style="font-size:medium;">- Elia Florio, MSRC Engineering</span></p> <p style="text-align:justify;"><span style="font-size:medium;">&nbsp;</span></p> </div> </div><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3624728&AppID=6147&AppType=Weblog&ContentType=0" width="1" height="1">VSAVB7RTCVE-2014-0324ForceASLRMS13-006ASLRMS14-009HXDSLdrHotPatchRoutineEMET The Threat Landscape in the Middle East and Southwest Asia – Part 1: Relatively High Malware Infection Rateshttp://blogs.technet.com/b/security/archive/2014/03/12/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-1-relatively-high-malware-infection-rates.aspxWed, 12 Mar 2014 15:57:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:bd94a3f2-14cb-4b4a-94d9-8d15777bf93fTim Rains - Microsoft0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3624490http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3624490http://blogs.technet.com/b/security/archive/2014/03/12/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-1-relatively-high-malware-infection-rates.aspx#comments<p>I published a series of articles about the <a href="/b/security/archive/2012/09/25/the-threat-landscape-in-the-middle-east-part-1-qatar.aspx">threat landscape in the Middle East </a>back in 2012, where I focused on the threats found in 
several locations in the region. This region continues to be of high interest among the customers I talk to because of the above average level of strife and turmoil, and the political transitions that have occurred in the region over the past few years. Additionally, high profile cyber-attacks like Stuxnet, Saudi Aramco, and RasGas have captured the attention of security professionals around the world.</p> <p>Based on the latest data from the <a href="http://www.microsoft.com/security/sir/archive/default.aspx">Microsoft Security Intelligence Report volume 15</a>, we did some deeper analysis on even more locations in the region. Recently I delivered <a href="http://www.rsaconference.com/events/us14/agenda/sessions/1055/a-deep-dive-into-the-security-threat-landscape-of">a presentation at RSA Conference 2014 </a>in San Francisco based on this research. Thanks again to all the RSA attendees that came to my 8:00 AM session. The presentation at RSA Conference was well received so I thought I&rsquo;d share this research with a broader audience by publishing a series of articles based on it. This series of articles will focus on trends we have seen in the region in the two and a half years between the first quarter of 2011 and the second quarter of 2013 &ndash; a full ten quarters of data from millions of systems and some of the Internet&rsquo;s busiest services. The countries/regions we examined include Bahrain, Egypt, Israel, Iraq, Jordan, Kuwait, Lebanon, Oman, Pakistan, Palestinian Authority, Qatar, Saudi Arabia, Syria, Turkey, and the United Arab Emirates. 
<a href="/b/security/archive/2014/03/12/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-1-relatively-high-malware-infection-rates.aspx">Read more.</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/03/12/the-threat-landscape-in-the-middle-east-and-southwest-asia-part-1-relatively-high-malware-infection-rates.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3624490&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">Cybesecurity Threat LandscapeThreat Landscape in the Middle EastMicrosoft Security Intelligence Report Volume 15 Thanks to you the Microsoft #Do1Thing initiative donates $50,000 to TechSoup Globalhttp://blogs.msdn.com/b/securitytipstalk/archive/2014/03/11/thanks-to-you-the-microsoft-do1thing-initiative-donates-50-000-to-techsoup-global.aspxTue, 11 Mar 2014 21:02:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10505893Kim Sanchez, Director of Trustworthy Computing0http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10505893http://blogs.msdn.com/b/securitytipstalk/archive/2014/03/11/thanks-to-you-the-microsoft-do1thing-initiative-donates-50-000-to-techsoup-global.aspx#comments<p><a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-72-21/6735.SID50k.png"><img style="vertical-align: top; display: block; margin-left: auto; margin-right: auto;" title="Thank you to everyone who joined the movement to help make a better Internet and raise Microsoft dollars for TechSoup Global!" src="http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-72-21/6735.SID50k.png" alt="Together we've raised $50,000" /></a></p> <p>On&nbsp;<a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/02/11/do1thing.aspx">Safer Internet Day</a>, February 11, 2014, Microsoft launched the interactive <a href="http://www.microsoft.com/security/saferonline/">Safer Online website</a>. 
Every time you made your #Do1Thing promise or shared the website with your social circles, Microsoft made a donation to&nbsp;<a href="http://www.techsoup.org/">TechSoup Global</a>.</p> <p>In less than 24 hours, so many of you promised to #Do1Thing to stay safer that Microsoft donated $50,000 to TechSoup Global! But it wasn&rsquo;t just the promise alone.</p> <p>&ldquo;As communities around the world use the Internet to learn and connect, developing responsible online safety habits is something each of us should act on,&rdquo; says <a href="http://www.techsoupglobal.org/story/leadership">Rebecca Masisak</a>, CEO of TechSoup Global. &ldquo;We appreciate being a part of Safer Internet Day. And with your contributions, TechSoup Global will further develop and deliver online safety education training materials and guidance to be shared across our global network.&rdquo;</p> <p>So far, people from five continents have shared what they are doing to help create a better Internet. What&rsquo;s the number one global promise so far?&nbsp;<a href="https://www.microsoft.com/security/pc-security/password-checker.aspx?vm=r&amp;s=1">Creating strong passwords</a>&nbsp;and regularly changing them. Other popular responses included: two-step authentication for online accounts, sharing minimal personal information, using secured Wi-Fi connections, and shopping on&nbsp;<a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/01/21/what-is-https.aspx">https-enabled websites</a>.&nbsp;</p> <p>Of those who answered our Safer Online polling questions:</p> <ul> <li>Nearly half (<strong>47 percent</strong>) of participants chose learning as the greatest benefit the Internet has brought to their lives, while&nbsp;<strong>17 percent&nbsp;</strong>chose exploring, and&nbsp;<strong>10 percent</strong>&nbsp;go online for entertainment purposes.</li> <li>Website visitors were also asked which potential online risks concern them the most. 
Of the nine choices,&nbsp;<strong>28 percent</strong>&nbsp;selected financial loss as the most concerning, with&nbsp;<strong>22 percent</strong>&nbsp;opting for loss of personal privacy, and&nbsp;<strong>19 percent</strong>&nbsp;finding forms of malware on their device the greatest concern.</li> <li>Finally, over two thirds (<strong>76 percent</strong>)<strong>&nbsp;</strong>of respondents edit or remove online information that may impact their reputation. Learn how to&nbsp;<a href="http://go.microsoft.com/?linkid=9708812">take charge of your online reputation</a>.</li> </ul> <p>If you haven&rsquo;t done so yet, share your&nbsp;<a href="http://www.microsoft.com/security/saferonline/">#Do1Thing story</a>, see what others around the world are promising, and get online safety tips to help you stay safer online, today and every day!&nbsp;</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10505893" width="1" height="1">privacyfamilypasswordsMicrosoftSafer OnlineHTTPSSafer Internet Day 2014Do1ThingTechSoup Globaltwo-step authentication Get security updates for March 2014http://blogs.msdn.com/b/securitytipstalk/archive/2014/03/11/get-security-updates-for-march-2014.aspxTue, 11 Mar 2014 18:36:13 GMT91d46819-8472-40ad-a661-2c78acb4018c:10506996Eve Blakemore5http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10506996http://blogs.msdn.com/b/securitytipstalk/archive/2014/03/11/get-security-updates-for-march-2014.aspx#comments<p>Microsoft releases security updates on the second Tuesday of every month.</p> <p><strong><a href="http://go.microsoft.com/fwlink/p/?LinkId=148275">Skip the details and check for&nbsp;the latest updates.</a></strong></p> <p>This bulletin announces the release of security updates for&nbsp;Windows, Microsoft Word, and other programs.<strong><br /></strong></p> <ul> <li><a href="http://www.microsoft.com/security/pc-security/updates.aspx">Learn how to get security updates automatically</a></li> <li><a 
href="http://technet.microsoft.com/en-us/security/bulletin/ms14-mar">For IT Pros: Microsoft Security Bulletin Summary for March 2014</a></li> </ul> <p>To get more information about security updates and other privacy and security issues delivered to your email inbox,&nbsp;<a href="http://www.microsoft.com/security/resources/newsletter.aspx">sign up for our newsletter</a>.</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10506996" width="1" height="1">updatesWindows Defendervirusmalwaresecurity updatesautomatic updatingAutomatic UpdatessecurityWindows 7Windows Updateantivirus softwarepatch TuesdayMicrosoftWindows 8March 2014Microsoft Security Bulletin Summary Assessing risk for the March 2014 security updates http://blogs.technet.com/b/srd/archive/2014/03/11/assessing-risk-for-the-march-2014-security-updates.aspxTue, 11 Mar 2014 17:02:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:a93f3f3c-3f79-43e0-ab81-3932d4cc1f8aSRD Blog Author0<p>Today we released five security bulletins addressing 23 unique CVE&rsquo;s. Two bulletins have a maximum severity rating of Critical while the other three have a maximum severity rating of Important. 
We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.</p> <table border="1"> <tbody> <tr> <td><b>Bulletin</b></td> <td><b>Most likely attack vector</b></td> <td><b>Max Bulletin Severity</b></td> <td><b>Max Exploitability</b></td> <td><b>Likely first 30 days impact</b></td> <td><b>Platform mitigations and key notes</b></td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-012">MS14-012</a> <p>(Internet Explorer)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Addresses the vulnerability described by <a href="http://technet.microsoft.com/en-us/security/advisory/2934088">Security Advisory 2934088</a>, an issue under targeted attack.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-013">MS14-013</a> <p>(DirectShow)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>3</td> <td>Unlikely to see reliable exploits developed within next 30 days.</td> <td>Addresses a single double-free issue in qedit.dll, reachable via a malicious webpage.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-014">MS14-014</a> <p>(Silverlight)</p> </td> <td>Attacker combines this vulnerability with a (separate) code execution vulnerability to execute arbitrary code in the browser security context.</td> <td>Important</td> <td>n/a</td> <td>No chance for direct code execution with this vulnerability.</td> <td>This vulnerability does not result in code execution directly. 
However, it is a component attackers could&nbsp;use to bypass ASLR.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-015">MS14-015</a> <p>(Kernel mode drivers)</p> </td> <td>Attacker running code at low privilege runs an exploit binary to elevate to SYSTEM.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td></td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-016">MS14-016</a> <p>(Security Account Manager)</p> </td> <td>Attacker able to call the Security Account Manager password API can make brute-force password guessing attempts without triggering the account lockout policy.</td> <td>Important</td> <td>n/a</td> <td>No chance for direct code execution with this vulnerability.</td> <td>Attacker must authenticate before calling the affected API. After authenticating, the attacker can choose to guess either their own or other users&#39; passwords without risk of lockout.</td> </tr> </tbody> </table> <p>- Jonathan Ness, MSRC engineering team</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3624765&AppID=6147&AppType=Weblog&ContentType=0" width="1" height="1">Attack VectorRisk Assessment The March 2014 Security Updateshttp://blogs.technet.com/b/msrc/archive/2014/03/11/the-march-2014-security-updates.aspxTue, 11 Mar 2014 17:01:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:04e7a7a0-96e8-4f15-813e-6d5ba65f6e79Dustin C. Childs0<p><span style="font-family:Calibri;font-size:medium;">This month we release </span><a href="http://technet.microsoft.com/security/bulletin/MS14-mar"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">five bulletins</span></a><span style="font-family:Calibri;font-size:medium;"> to address 23 unique CVEs in Microsoft Windows, Internet Explorer and Silverlight. 
If you need to prioritize, the update for Internet Explorer addresses the issue first described in </span><a href="http://technet.microsoft.com/en-us/security/advisory/2934088"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Security Advisory 2934088</span></a><span style="font-family:Calibri;font-size:medium;">, so it should be at the top of your list. While that update does warrant your attention, I want to also call out another impactful update. </span></p> <p><span style="font-family:Calibri;font-size:medium;">MS14-014 provides an update to address a security feature bypass in Silverlight. The issue wasn&rsquo;t publicly known and it isn&rsquo;t under active attack; however, it can impact your security in ways that aren&rsquo;t always obvious. Specifically, the update removes an avenue attackers could use to bypass </span><a href="http://msdn.microsoft.com/en-us/library/bb430720.aspx"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">ASLR</span></a><span style="font-family:Calibri;font-size:medium;"> protections. Fixes like this one increase the cost of exploitation to an attacker, who must now find a different way to make their code execution exploit reliable. Picasso said, &ldquo;The hidden harmony is better than the obvious.&rdquo; Shutting down an ASLR bypass could be considered one of the most harmonious things to do to help increase customer security.</span></p> <p><span style="font-family:Calibri;font-size:medium;">Let&rsquo;s not forget the other updates we released today. This month we release two Critical and three Important bulletins. 
Here&rsquo;s an overview of this month&rsquo;s release:</span></p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/2248.March_5F00_Deployment.jpg"><img alt="Overview of the March 2014 release" src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/2248.March_5F00_Deployment.jpg" border="0" /></a></p> <p><span style="font-family:Calibri;font-size:medium;">Our top deployment priority this month is MS14-012, which addresses 18 issues in Internet Explorer.</span></p> <p><a href="http://technet.microsoft.com/security/bulletin/ms14-012"><span style="color:#0563c1;"><span style="font-family:Calibri;"><span style="font-size:medium;">MS14-012 | Cumulative Security Update for Internet Explorer</span></span></span></a><span style="font-family:Calibri;"><span style="font-size:medium;"><br /> This cumulative update addresses one public and 17 privately disclosed issues in Internet Explorer. These issues could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer. We are aware of targeted attacks using CVE-2014-0322 against Internet Explorer 10. This issue was first described in </span></span><a href="http://technet.microsoft.com/security/advisory/2934088"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Security Advisory 2934088</span></a><span style="font-family:Calibri;font-size:medium;">, which included a </span><a href="https://support.microsoft.com/kb/2934088"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Fix it</span></a><span style="font-family:Calibri;font-size:medium;"> for the issue. 
We should also note that the observed attacks performed a check for the presence of the Enhanced Mitigation Experience Toolkit (EMET) and did not proceed if it was detected. This update also addresses CVE-2014-0324, which is a privately reported issue that has been seen in a very limited, targeted attack against Internet Explorer 8. Thanks to a previously released ASLR bypass update, the attack seen in the wild would not work against a fully updated system running Windows Vista and above. The </span><a href="http://blogs.technet.com/b/srd/archive/2014/03/11/when-aslr-makes-the-difference.aspx"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">SRD blog</span></a><span style="font-family:Calibri;font-size:medium;"> goes into more detail about how shutting down that </span><a href="http://technet.microsoft.com/security/bulletin/ms13-106"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">bypass</span></a><span style="font-family:Calibri;font-size:medium;"> helped. For all issues addressed by this update, successful exploitation could allow an attacker to gain the same user rights as the local user. Customers with automatic updates enabled will not need to take action, as they will be updated automatically.</span></p> <p><span style="font-family:Calibri;font-size:medium;">We are also revising </span><a href="http://technet.microsoft.com/security/advisory/2755801"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Security Advisory 2755801</span></a><span style="font-family:Calibri;font-size:medium;"> with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin </span><a href="http://helpx.adobe.com/security/products/flash-player/apsb14-08.html" target="_blank"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">APSB14-08</span></a><span style="font-family:Calibri;font-size:medium;">. 
For more information about this update, including download links, see </span><a href="http://support.microsoft.com/kb/2938527" target="_blank"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Microsoft Knowledge Base Article 2938527</span></a><span style="font-family:Calibri;font-size:medium;">. Also, for those of you who may be interested, </span><a href="https://support.microsoft.com/kb/894199"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">KB894199</span></a><span style="font-family:Calibri;font-size:medium;"> provides a list of the non-security updates released today. This list includes the latest update for the Malicious Software Removal Tool (MSRT), which now includes detections for the </span><a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fWysotot"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Wysotot</span></a><span style="font-family:Calibri;font-size:medium;"> and </span><a href="http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=BrowserModifier:Win32/Spacekito"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Spacekito</span></a><span style="font-family:Calibri;font-size:medium;"> malware families. 
</span></p> <p><span style="font-family:Calibri;font-size:medium;">Watch the </span><a href="http://www.youtube.com/v/fa536jd5zfQ?version=3&amp;hl=en_US"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">bulletin overview video</span></a><span style="font-family:Calibri;font-size:medium;"> for a brief summary of today&#39;s releases.</span></p> <p><span style="font-family:Calibri;font-size:medium;">For more information about this month&rsquo;s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the </span><a href="http://technet.microsoft.com/security/bulletin/MS14-Mar"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Microsoft Bulletin Summary Webpage</span></a><span style="font-family:Calibri;font-size:medium;">. </span></p> <p><span style="font-family:Calibri;font-size:medium;">My colleagues Andrew Gross and Pete Voss will host the monthly bulletin webcast and answer your questions about this month&rsquo;s release. As usual, the webcast is scheduled for Wednesday, March 12, 2014, at 11 a.m. PDT. Please register </span><a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572977&amp;Culture=en-US"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">here</span></a><span style="font-family:Calibri;font-size:medium;">, and tune in to learn more about this month&rsquo;s security bulletins and advisories. </span></p> <p><span style="font-family:Calibri;font-size:medium;">For all the latest information, you can also follow us at </span><a href="http://www.twitter.com/msftsecresponse"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">@MSFTSecResponse</span></a><span style="font-family:Calibri;font-size:medium;">. 
</span></p> <p><span style="font-family:Calibri;font-size:medium;">If you happen to be at the CanSecWest conference in Vancouver, B.C., please swing by our booth (number 4) to say hello!</span></p> <p>Thanks, <br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs"><span style="color:#0563c1;">Dustin Childs</span></a> <br /> Group Manager, Response Communications <br /> Microsoft Trustworthy Computing</p> <p><b>MSRT March 2014 – Wysotot</b> (<a href="http://blogs.technet.com/b/mmpc/archive/2014/03/11/msrt-march-2014-wysotot.aspx">http://blogs.technet.com/b/mmpc/archive/2014/03/11/msrt-march-2014-wysotot.aspx</a>), Tue, 11 Mar 2014 16:00:00 GMT, by msft-mmpc</p> <div class="ExternalClass1C75481000774D0C8E48842B4D80E1E1"> <p>This month the Microsoft Malicious Software Removal Tool (MSRT) will include the <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Wysotot">Win32/Wysotot</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=MSIL/Spacekito">MSIL/Spacekito</a> families. Below we discuss the history and common behaviors of the Win32/Wysotot family of malware.</p> <p>We first added detection for Win32/Wysotot in October 2013. 
Figure 1 shows the number of machine encounters since then.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Wyso1b.png"><img alt="Wysotot detections" src="http://www.microsoft.com/security/portal/blog-images/a/Wyso1b.png" border="0" /></a></p> <p><em>Figure 1: Wysotot detections</em></p> <p>Win32/Wysotot is usually installed by software bundlers. Figure 2 shows some of the programs we have seen downloading Win32/Wysotot variants.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Wyso2.png"><img alt="Programs that bundle Win32/Wysotot variants" src="http://www.microsoft.com/security/portal/blog-images/a/Wyso2.png" border="0" /></a></p> <p><em>Figure 2: Programs that we have seen bundle Win32/Wysotot variants</em></p> <p>Win32/Wysotot can change the start page for common web browsers. The malware executes its payload in two ways:</p> <ol> <li>Modifying the following registry entry:<br /><em>HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command = &quot;&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; hxxp://en.v9.com/?utm_source=b&amp;utm_medium=eBP&amp;utm_campaign=eBP&amp;utm_content=sc&amp;from=eBP&amp;uid=&lt;some text&gt;&amp;ts=&lt;some timestamp&gt;&quot;</em></li> <li>Modifying .LNK files that point to popular browsers (Internet Explorer, Firefox, Chrome and Opera). 
Win32/Wysotot modifies the .LNK files by searching for browser .LNK files harvested in one of two ways:</li> </ol> <ul> <li>It determines the location of the Programs folder in the Start Menu <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Wyso3.png"><img width="400" alt="Locating the Start Menu Programs folder" src="http://www.microsoft.com/security/portal/blog-images/a/Wyso3.png" border="0" /></a></p> </li> <li>It uses a hard-coded path to the Quick Launch folder <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Wyso4.png"><img width="400" alt="Hard-coded Quick Launch path" src="http://www.microsoft.com/security/portal/blog-images/a/Wyso4.png" border="0" /></a></p> </li> </ul> <p>In the folders mentioned above, Win32/Wysotot searches for all .LNK files and then checks whether each one is related to a web browser that it targets. If it finds a match, it modifies the .LNK file directly.</p> <p>In our testing, the modified browser start pages commonly point to one of the following domains:</p> <ul> <li><em>delta-homes.com</em></li> <li><em>onmylike.com</em></li> <li><em>v9.com</em></li> <li><em>v9tr.com</em></li> <li><em>22find.com</em></li> </ul> <p>Figure 3 shows a sample screenshot of the modified .LNK file.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Wyso5.png"><img alt="The modified .LNK file" src="http://www.microsoft.com/security/portal/blog-images/a/Wyso5.png" border="0" /></a><em>Figure 3: The modified .LNK file</em></p> <p>There is more detailed information about this family in the <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Wysotot">Win32/Wysotot</a> description. 
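<p>The registry side of the start-page hijack described above can be checked on a host by reading the same <em>shell\open\command</em> value and looking for an appended URL. The following is an added example in Python, not MMPC code: the registry path, the iexplore command and the domain list come from the post, the sample values are constructed, and the live registry walk assumes other browsers register sibling subkeys under StartMenuInternet rather than naming them.</p>

```python
"""Flag the browser start-page hijack that Win32/Wysotot performs through the
StartMenuInternet shell\\open\\command value. Added example, not MMPC code: the
registry key, the iexplore command and the domain list come from the post; the
sample values are constructed, and the live registry walk enumerates whatever
browser subkeys exist under StartMenuInternet instead of naming them."""
import sys
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Start-page domains the post observed in modified Wysotot shortcuts.
HIJACK_DOMAINS = ("delta-homes.com", "onmylike.com", "v9.com", "v9tr.com", "22find.com")

# Parent of the IEXPLORE.EXE\shell\open\command path quoted in the post (under HKLM).
STARTMENU_CLIENTS = r"SOFTWARE\Clients\StartMenuInternet"


def parse_command(value: str) -> Tuple[str, List[str]]:
    """Split a shell\\open\\command value into executable path and argument tokens."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:                       # unterminated quote: treat everything as the exe
            return value[1:], []
        return value[1:end], value[end + 1:].split()
    exe, _, rest = value.partition(" ")
    return exe, rest.split()


def url_host(token: str) -> Optional[str]:
    """Host name when the token is an http(s) URL, else None."""
    lowered = token.lower()
    if not lowered.startswith(("http://", "https://")):
        return None
    return urlsplit(lowered).hostname


def is_hijack_domain(host: str) -> bool:
    """True when host is one of HIJACK_DOMAINS or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS)


def check_command(client: str, value: str) -> List[dict]:
    """One finding per URL argument in the browser launch command.

    A pristine StartMenuInternet command launches the browser with no URL at all, so
    any URL argument deserves a look; a HIJACK_DOMAINS match makes it a Wysotot hit.
    """
    exe, args = parse_command(value)
    findings = []
    for arg in args:
        host = url_host(arg)
        if host is not None:
            findings.append({"client": client, "exe": exe, "url": arg,
                             "known_hijack_domain": is_hijack_domain(host)})
    return findings


def scan_registry() -> List[dict]:
    """Walk every client under HKLM\\...\\StartMenuInternet on Windows; empty elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module
    findings = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, STARTMENU_CLIENTS) as clients:
        for i in range(winreg.QueryInfoKey(clients)[0]):
            client = winreg.EnumKey(clients, i)
            try:
                with winreg.OpenKey(clients, client + r"\shell\open\command") as cmd:
                    value, _ = winreg.QueryValueEx(cmd, "")
            except OSError:
                continue
            findings.extend(check_command(client, value))
    return findings


# Constructed samples: the value quoted in the post (hxxp written as http, the uid and
# ts placeholders kept as placeholders) and a clean launch command.
HIJACKED = ('"C:\\Program Files\\Internet Explorer\\iexplore.exe" '
            "http://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP"
            "&utm_content=sc&from=eBP&uid=PLACEHOLDER&ts=PLACEHOLDER")
CLEAN = '"C:\\Program Files\\Internet Explorer\\iexplore.exe"'

if __name__ == "__main__":
    for finding in check_command("IEXPLORE.EXE", HIJACKED) + check_command("IEXPLORE.EXE", CLEAN):
        print(finding)
    for finding in scan_registry():
        print("live:", finding)
```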
The best protection from this and other threats is to run a real-time, up-to-date security product, such as <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download">Microsoft Security Essentials</a>.</p> <p><em>Edgardo Diaz</em></p> <p><em>MMPC</em></p> </div> <p><b>Phishers Targeting Growing Mobile User Base and Online Services</b> (<a href="http://blogs.technet.com/b/security/archive/2014/03/10/phishers-targeting-growing-mobile-user-base-and-online-services.aspx">http://blogs.technet.com/b/security/archive/2014/03/10/phishers-targeting-growing-mobile-user-base-and-online-services.aspx</a>), Mon, 10 Mar 2014 16:00:00 GMT, by Tim Rains - Microsoft</p> <p>We recently published <a href="http://download.microsoft.com/download/5/0/3/50310CCE-8AF5-4FB4-83E2-03F1DA92F33C/Microsoft_Security_Intelligence_Report_Volume_15_English.pdf">volume 15</a> of the <a href="http://www.microsoft.com/sir">Microsoft Security Intelligence Report</a>. This volume of the report contains detailed data on the types of phishing attacks Microsoft products helped to block during the first half of 2013. For the first time ever, the report also contains data on phishing attacks that targeted mobile device users; data on the phishing sites that Windows Phone 8 devices encountered provides valuable insights into one of the ways attackers are trying to take advantage of the rapidly growing number of mobile devices coming online. 
<a href="http://blogs.technet.com/b/security/archive/2014/03/10/phishers-targeting-growing-mobile-user-base-and-online-services.aspx">Read more</a></p> <p><b>Support for Windows XP ends in one month on April 8, 2014</b> (<a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/03/08/support-for-windows-xp-ends-in-one-month-on-april-8-2014.aspx">http://blogs.msdn.com/b/securitytipstalk/archive/2014/03/08/support-for-windows-xp-ends-in-one-month-on-april-8-2014.aspx</a>), Sat, 08 Mar 2014 19:35:00 GMT, by Eve Blakemore</p> <p>On April 8, 2014, Microsoft will end support for the Windows XP operating system.</p> <p>As a result, technical assistance for Windows XP will no longer be available, including automatic updates that help protect your PC. Microsoft will also stop providing <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download"><strong>Microsoft Security Essentials</strong></a> for download on Windows XP on this date. (If you already have Microsoft Security Essentials installed, you will continue to receive antimalware signature updates for a limited time, but this does not mean that your PC will be secure because Microsoft will no longer provide security updates to help protect it.)</p> <p>To stay protected after support ends, you have two options:</p> <p><strong>Upgrade your current PC</strong></p> <p>Very few older computers will be able to run Windows 8.1, which is the latest version of Windows. 
We recommend that you download and run the Windows Upgrade Assistant to check whether your PC meets the <a href="http://windows.microsoft.com/en-us/windows-8/system-requirements"><strong>system requirements</strong></a> for Windows 8.1, and then follow the steps in the tutorial to upgrade if your PC is compatible. For more detailed information, <a href="http://windows.microsoft.com/en-us/windows-8/upgrade-to-windows-8"><strong>read the FAQ</strong></a>.</p> <ul> <li><a href="http://go.microsoft.com/fwlink/p/?LinkId=321548"><strong>Download and run the Windows Upgrade Assistant</strong></a></li> <li><a href="http://windows.microsoft.com/en-us/windows-8/upgrade-from-windows-vista-xp-tutorial"><strong>Tutorial: Upgrade to Windows 8.1 from Windows XP</strong></a></li> </ul> <p><strong>Get a new PC</strong></p> <p>If your current PC can't run Windows 8.1, it might be time to consider shopping for a new one. Be sure to explore the great selection of new PCs. They're more powerful, lightweight, and stylish than ever before&mdash;and with an average price that's considerably less expensive than the average PC was 10 years ago.</p> <p><a href="http://go.microsoft.com/fwlink/p/?LinkID=392073"><strong>Find your perfect PC</strong></a></p> <p>For more information, see <a href="http://windows.microsoft.com/en-us/windows/end-support-help">Support is ending soon</a>.</p> <p><b>SDL at 10: Driving Business Value</b> (<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/03/06/sdl-at-10-driving-business-value.aspx">http://blogs.technet.com/b/trustworthycomputing/archive/2014/03/06/sdl-at-10-driving-business-value.aspx</a>), Thu, 06 Mar 2014 22:39:37 GMT, by Trusted Cloud Team</p> <p><strong>By Adrienne Hall, General Manager, Trustworthy Computing</strong></p> <p>Since 2004, the Microsoft <a target="_blank" href="https://www.microsoft.com/security/sdl/default.aspx">Security Development Lifecycle</a> (SDL) has helped developers to build more secure software from the ground up. It&rsquo;s a key component of the Trustworthy Computing Group&rsquo;s mission to expand trust on the internet.</p> <p>As the SDL enters its second decade of service, Microsoft is telling the inside story: <a target="_blank" href="http://www.microsoft.com/security/sdl/story/default.aspx">Life in the Digital Crosshairs</a>. (<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/03/06/sdl-at-10-driving-business-value.aspx">read more</a>)</p> <p><b>Get advance notice about March 2014 security updates</b> (<a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/03/06/get-advance-notice-about-march-2014-security-updates.aspx">http://blogs.msdn.com/b/securitytipstalk/archive/2014/03/06/get-advance-notice-about-march-2014-security-updates.aspx</a>), Thu, 06 Mar 2014 21:49:00 GMT, by Eve Blakemore</p> <p>Today, the Microsoft Security Response Center (MSRC) posted details about the <a href="http://technet.microsoft.com/en-us/security/bulletin/ms14-mar">March security updates</a>.</p> <p>If you have automatic updating turned on, most of these updates will download and install on their own. Sometimes you may need to provide input for Windows Update during an installation. 
In this case, you'll see an alert in the notification area at the far right of the taskbar&mdash;be sure to click it.</p> <p>In Windows 8, Windows will turn on automatic updating during setup unless you choose to turn it off. To check this setting and turn on automatic updating, open the <a href="http://windows.microsoft.com/en-us/windows-8/charms" target="_blank"><strong>Search charm</strong></a>, enter <strong>Turn automatic updating on or off</strong>, and tap or click <strong>Settings</strong> to find it.</p> <p>For other versions of Windows, you can check whether automatic updating is turned on through the <a href="http://update.microsoft.com/microsoftupdate/" target="_blank">Microsoft Update</a> website. This will open Windows Update in Control Panel; if automatic updating is not turned on, you'll be guided through the steps to set it up. After that, all the latest security and performance improvements will be installed on your PC quickly and reliably.</p> <p><strong>If you are a technical professional</strong></p> <p>The <a href="http://www.microsoft.com/technet/security/Bulletin/advance.mspx">Microsoft Security Bulletin Advance Notification Service</a> offers details about security updates approximately three business days before they are released. 
We do this to enable customers (especially IT professionals) to plan for effective deployment of security updates.</p> <p><a title="Sign up for security notifications" href="http://technet.microsoft.com/en-us/security/dd252948">Sign up for security notifications</a></p> <p><b>Advance Notification Service for the March 2014 Security Bulletin Release</b> (<a href="http://blogs.technet.com/b/msrc/archive/2014/03/06/advance-notification-server-for-the-march-2014-security-bulletin-release.aspx">http://blogs.technet.com/b/msrc/archive/2014/03/06/advance-notification-server-for-the-march-2014-security-bulletin-release.aspx</a>), Thu, 06 Mar 2014 18:00:00 GMT, by Dustin C. Childs</p> <p><span style="font-family:helvetica;font-size:small;">Today we provide <a href="http://technet.microsoft.com/security/bulletin/MS14-mar"><span style="color:#0563c1;">advance notification</span></a> for the release of five bulletins for March 2014, two rated Critical and three rated Important in severity. These updates address issues in Microsoft Windows, Internet Explorer and Silverlight. </span></p> <p><span style="font-family:helvetica;font-size:small;">The update provided in MS14-012 fully addresses the issue first described in <a href="http://technet.microsoft.com/security/advisory/2934088"><span style="color:#0563c1;">Security Advisory 2934088</span></a>. While we have seen a limited number of attacks using this issue, they have only targeted Internet Explorer 10. Customers using other versions of Internet Explorer have not been impacted.</span></p> <p><span style="font-family:helvetica;font-size:small;">As always, we&rsquo;ve scheduled the security bulletin release for the second Tuesday of the month, March 11, 2014, at approximately 10:00 a.m. PDT. 
Revisit this blog then for analysis of the risk and impact, as well as deployment guidance, together with a brief video overview of the month&rsquo;s updates. Until then, please review the <a title="ANS summary page" href="http://technet.microsoft.com/security/bulletin/MS14-mar"><span style="color:#0563c1;">ANS summary page</span></a> for more information to help you prepare for security bulletin testing and deployment.</span></p> <p><span style="font-family:helvetica;font-size:small;">Don&rsquo;t forget, you can also follow the MSRC team&rsquo;s recent activity on Twitter at <a title="@MSFTSecResponse" href="https://twitter.com/msftsecresponse"><span style="color:#0563c1;">@MSFTSecResponse</span></a>.</span></p> <p><span style="font-family:helvetica;font-size:small;">Thank you,</span><br /><span style="font-family:helvetica;font-size:small;"><a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs"><span style="color:#0563c1;">Dustin Childs</span></a></span><br /><span style="font-family:helvetica;font-size:small;">Group Manager, Response Communications</span><br /><span style="font-family:helvetica;font-size:small;">Microsoft Trustworthy Computing</span></p> <p><b>The Cloud Can Support a New Generation of Accessible Technologies</b> (<a href="http://blogs.msdn.com/b/accessibility/archive/2014/03/06/accessibility-and-the-cloud.aspx">http://blogs.msdn.com/b/accessibility/archive/2014/03/06/accessibility-and-the-cloud.aspx</a>), Thu, 06 Mar 2014 17:24:00 GMT, by Daniel Hubbell - MSFT</p> <p>This blog post was written by Rob Sinclair, Microsoft&rsquo;s Chief Accessibility Officer. Rob is responsible for the company's worldwide strategy to develop software and services that make it easier for people of all ages and abilities to see, hear,... (<a href="http://blogs.msdn.com/b/accessibility/archive/2014/03/06/accessibility-and-the-cloud.aspx">read more</a>)</p> <p><b>Sefnit’s Tor botnet C&amp;C details</b> (<a href="http://blogs.technet.com/b/mmpc/archive/2014/03/05/sefnit-s-tor-botnet-c-amp-c-details.aspx">http://blogs.technet.com/b/mmpc/archive/2014/03/05/sefnit-s-tor-botnet-c-amp-c-details.aspx</a>), Wed, 05 Mar 2014 21:54:00 GMT, by msft-mmpc</p> <div class="ExternalClassB6D358E92DA249E6BEEDE55B2A394941"> <p>We have talked about the impact that resulted from the <a href="http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx">Sefnit botnet Tor hazard</a> as well as the clean-up effort that went into that threat. In this post we&rsquo;d like to introduce some of the details regarding the Tor component&rsquo;s configuration and its communication with the Tor service. Specifically, we&rsquo;ll talk about how <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Sefnit.AT">Trojan:Win32/Sefnit.AT</a> communicates with the Tor network, what domains it tries to contact, and where it keeps its configuration data.</p> <p>After Sefnit installs the Tor-based malware component, which is typically named <em>wins.exe</em>, a copy of a non-malicious Tor client is also installed and added as a Windows service. This service is started every time Windows starts and is configured to accept connections on TCP ports 9051 and 9050. 
However, since these ports are bound to the loopback interface, which is not remotely accessible, no additional threats are added to the infected PC.</p> <h3>Tor service interaction</h3> <p>The TCP port 9051 is the control port for the legitimate local Tor service and is used to control most of the aspects of a Tor client. So far, however, we have only observed this port being used by malware to obtain status information regarding the connection to the Tor network. This is accomplished by periodically requesting status updates using the <a href="https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=control-spec.txt">control protocol</a>.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Seft1.jpg"> <img alt="empty authentication request" src="http://www.microsoft.com/security/portal/blog-images/a/Seft1.jpg" border="0" /></a>&nbsp;</p> <p><em>Figure 1: Malware sends an empty authentication request </em></p> <p>From this example we can see that Win32/Sefnit.AT sends an empty authentication request and receives a successful response (250), which means that all authentication methods for the installed Tor client are disabled. Since the TCP port is not accessible remotely, the lack of authentication poses no threat to the victim&rsquo;s PC. Additionally, the malware requests the current state of a Tor circuit, which in this case is established, meaning the Tor client is connected to the anonymizing network.</p> <p>The TCP port 9050 is used as a communication point for the SOCKS proxy, which allows any application that can be configured to use a proxy server to communicate over Tor. The malware uses this method to contact its command and control (C&amp;C) web servers. This bypasses the traditional network infrastructure since traffic over the Tor network is encrypted, which also prevents network-based IDS from detecting the malware. 
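<p>The control-port behaviour above (an empty AUTHENTICATE that the local Tor service accepts, then circuit-status polling) is easy to recognise in a captured session, and a host check can ask a local control port what authentication it advertises. The following is an added example in Python, not MMPC code: the transcript and PROTOCOLINFO replies are constructed to mirror Figure 1 and the Tor control protocol, and the live check assumes the default loopback control port 9051 the post names.</p>

```python
"""Recognise Sefnit-style Tor control-port usage: a credential-less AUTHENTICATE that
the local Tor service accepts, followed by a circuit-status query. Added example, not
MMPC code; the transcript and PROTOCOLINFO replies below are constructed, not captured."""
import socket
from typing import Optional

# Constructed control-port session in the shape of Figure 1 ("C:" client, "S:" server).
SAMPLE_EXCHANGE = [
    "C: AUTHENTICATE",
    "S: 250 OK",
    "C: GETINFO status/circuit-established",
    "S: 250-status/circuit-established=1",
    "S: 250 OK",
]

# Constructed PROTOCOLINFO replies: an open control port versus a cookie-protected one.
PROTOCOLINFO_OPEN = ("250-PROTOCOLINFO 1\r\n250-AUTH METHODS=NULL\r\n"
                     "250-VERSION Tor=\"0.2.4.20\"\r\n250 OK\r\n")
PROTOCOLINFO_COOKIE = ("250-PROTOCOLINFO 1\r\n250-AUTH METHODS=COOKIE,SAFECOOKIE "
                       "COOKIEFILE=\"/var/lib/tor/control_auth_cookie\"\r\n"
                       "250-VERSION Tor=\"0.2.4.20\"\r\n250 OK\r\n")


def analyse_exchange(lines) -> dict:
    """What the exchange reveals: whether a credential-less AUTHENTICATE was accepted
    (reply 250) and the circuit-established state the client asked about, if any."""
    result = {"null_auth_accepted": False, "circuit_established": None}
    last_command = ""
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "C":
            last_command = text.strip()
            continue
        code = text[:3]                           # control-protocol replies start with a 3-digit code
        if last_command.upper() == "AUTHENTICATE" and code == "250":
            result["null_auth_accepted"] = True   # nothing presented, yet accepted
        if text.startswith("250-status/circuit-established="):
            result["circuit_established"] = text.rsplit("=", 1)[1].strip() == "1"
    return result


def auth_methods(protocolinfo_reply: str) -> list:
    """Method names from the AUTH METHODS=... line of a PROTOCOLINFO reply."""
    for line in protocolinfo_reply.splitlines():
        if line.startswith("250-AUTH METHODS="):
            methods = line[len("250-AUTH METHODS="):].split(" ", 1)[0]
            return methods.split(",")
    return []


def control_port_allows_null_auth(host="127.0.0.1", port=9051, timeout=3.0) -> Optional[bool]:
    """Ask a live control port (PROTOCOLINFO is permitted before AUTHENTICATE) whether it
    advertises NULL authentication. None when nothing answers on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"PROTOCOLINFO 1\r\n")
            reply = b""
            while not (reply.endswith(b"250 OK\r\n") or reply.startswith(b"5")):
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
            s.sendall(b"QUIT\r\n")
    except OSError:
        return None
    return "NULL" in auth_methods(reply.decode("ascii", "replace"))


if __name__ == "__main__":
    print(analyse_exchange(SAMPLE_EXCHANGE))
    print("open port methods:", auth_methods(PROTOCOLINFO_OPEN))
    print("local 9051 allows NULL auth:", control_port_allows_null_auth())
```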
The C&amp;C endpoints utilize the <a href="https://www.torproject.org/docs/hidden-services.html.en">Tor hidden service</a> which allows using the anonymizing network to host web servers without compromising the location and identity of the server owners.</p> <p>In order to contact a web server that uses the Tor hidden service feature the network uses a special domain naming scheme. The server&rsquo;s name is derived from its public key within the Tor network appended with <em>.onion </em>as the <a href="http://archive.icann.org/en/tlds/">top level domain</a> as opposed to .<em>com</em> or .<em>net</em>. The malware contains a list of .<em>onion</em> domains that are contacted using the standard HTTP protocol (over SOCKS):</p> <ul> <li><em> <span class="notranslate">6tlpoektcb3gudt3.onion </span></em></li> <li><em> <span class="notranslate">7fyipi6vxyhpeouy.onion </span></em></li> <li><em> <span class="notranslate">7sc6xyn3rrxtknu6.onion</span></em></li> <li><em> <span class="notranslate">ijqqxydixp4qbzce.onion </span></em></li> <li><em> <span class="notranslate">l77ukkijtdca2tsy.onion </span></em></li> <li><em> <span class="notranslate">lorpzyxqxscsmscx.onion</span></em></li> <li><em> <span class="notranslate">lqqciuwa5yzxewc3.onion </span></em></li> <li><em> <span class="notranslate">lqqth7gagyod22sc.onion </span></em></li> <li><em> <span class="notranslate">mdyxc4g64gi6fk7b.onion </span></em></li> <li><em> <span class="notranslate">onhiimfoqy4acjv4.onion</span></em></li> <li><em> <span class="notranslate">pomyeasfnmtn544p.onion</span></em></li> <li><em> <span class="notranslate">qxc7mc24mj7m4e2o.onion </span></em></li> <li><em> <span class="notranslate">wsytsa2omakx655w.onion </span></em></li> <li><em> <span class="notranslate">ye63peqbnm6vctar.onion </span></em></li> </ul> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Seft2.jpg"> <img width="500" alt="Sefnit attempts to create a proxy connection" 
src="http://www.microsoft.com/security/portal/blog-images/a/Seft2.jpg" border="0" /></a>&nbsp;</p> <p><em>Figure 2: Sefnit attempts to create a proxy connection</em></p> <p>From this example we can see the malware attempts to create a proxy connection to the <em>lqqciuwa5yzxewc3.onion </em>domain and succeeds. Next, data is submitted to the <em>/cache </em>directory on that server, which replies with a successful status code (200).</p> <h3>Malware configuration details</h3> <p>The list of CnC servers is stored inside a unique file and folder combination that at first glance appears to be randomly generated, although they have not changed much over time. Specifically, the malware creates a directory with the name <em>049e7fb749be2cdf169e28bb0a27254f</em> and inside places two files using the name <em>181084e525a65ef540c63d60ce07f836 </em>with two different extensions of .<em>ct </em>and .<em>ph</em>.</p> <p>During closer examination we identified that the apparently random directory is actually created by using the MD4 cryptographic hash function to compute a digest of a Unicode string <em>ps</em>. The resulting binary digest is converted into a hex representation and used as the directory name.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Seft3.png"><img width="500" alt="binary digest calculation" src="http://www.microsoft.com/security/portal/blog-images/a/Seft3.png" border="0" /></a>&nbsp;</p> <p><em>Figure 3: Calculation of the binary digest</em></p> <p>To generate the file names the same cryptographic function is used but this time to compute the digest of a Unicode GUID string {<em>b3717590-6447-47db-abca-a304803890cb</em>}, which after hex conversion results in <em>181084e525a65ef540c63d60ce07f836</em>.</p> <p>The PH file (<em>181084e525a65ef540c63d60ce07f836.ph</em>) may potentially serve as a botnet identifier since the data inside remains fairly static. 
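</p> <p>As an added example (not code from the post or from the malware), the following pure-Python MD4 routine reproduces the name derivation described above, so an analyst can confirm how the directory and file names are built and turn them into a file-path hunt on disk. It assumes "Unicode string" means UTF-16LE without a terminating NUL and also tries the NUL-terminated variant; the comparison values are the names reported in the post.</p>

```python
"""Derive the Win32/Sefnit.AT configuration directory and file names.

Added example, not the malware's or MMPC's code. The post reports that the
directory name is the hex MD4 digest of the Unicode string "ps" and the file
stem is the hex MD4 digest of a Unicode GUID string. "Unicode" is assumed to
mean UTF-16LE; whether a terminating NUL is hashed is unknown, so both are tried.
"""
import struct

MASK32 = 0xFFFFFFFF

# Values reported in the blog post, used only for comparison.
REPORTED_DIR = "049e7fb749be2cdf169e28bb0a27254f"
REPORTED_FILE = "181084e525a65ef540c63d60ce07f836"
GUID_STRING = "{b3717590-6447-47db-abca-a304803890cb}"


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is disabled in many OpenSSL 3 builds)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)      # pad to 56 mod 64
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)  # bit length, little-endian
    rounds = (
        (_f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (_g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (_h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers so the next step updates the right one
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def md4_hex_utf16le(text: str, nul_terminated: bool = False) -> str:
    """Hex MD4 digest of text encoded as a Windows wide string (UTF-16LE)."""
    raw = text.encode("utf-16-le") + (b"\x00\x00" if nul_terminated else b"")
    return md4(raw).hex()


def derive_artifact_names(nul_terminated: bool = False) -> dict:
    """Directory name and the two configuration file names the post describes."""
    directory = md4_hex_utf16le("ps", nul_terminated)
    stem = md4_hex_utf16le(GUID_STRING, nul_terminated)
    return {"directory": directory, "ct_file": stem + ".ct", "ph_file": stem + ".ph"}


def matches_reported() -> dict:
    """{encoding variant: True if it reproduces the names reported in the post}."""
    results = {}
    for label, nul in (("utf16le", False), ("utf16le+nul", True)):
        names = derive_artifact_names(nul)
        results[label] = (names["directory"] == REPORTED_DIR
                          and names["ct_file"].startswith(REPORTED_FILE))
    return results


if __name__ == "__main__":
    for label, ok in matches_reported().items():
        print(f"{label}: {'reproduces' if ok else 'does not reproduce'} the reported names")
    for key, value in derive_artifact_names().items():
        print(f"{key}: {value}")
```

<p>The variant that reproduces the reported names tells you exactly which bytes the sample hashes, which is what you need to predict the path on a suspect machine.</p> <p>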
In fact, it is the <a href="http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf">AES-256 </a>encrypted version of the same GUID string with encryption key <em>#?oUs?ai??+yIIZ?S?dcvDzI XOewA2</em>. This key is hard-coded in the malware binary.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Seft4.png"><img width="500" alt="The encryption key is hard coded" src="http://www.microsoft.com/security/portal/blog-images/a/Seft4.png" border="0" /></a>&nbsp;</p> <p><em>Figure 4: The encryption key is hard-coded in the malware binary</em></p> <p>The CT file (<em>181084e525a65ef540c63d60ce07f836.ct</em>) contains the actual configuration data, which is also encrypted using the AES-256 algorithm with the same encryption key. The decrypted data is a serialized object, which appears to have been created using the Boost C++ library, and contains the following information:</p> <ul> <li>The victim&rsquo;s public IP address</li> <li>A string resembling an ID (for example, Verna) which is taken from the XOR-obfuscated data inside the malware</li> <li>List of C&amp;C domains</li> <li>Current working directory of the malware</li> </ul> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Seft5.png"><img width="500" alt="decrypted data" src="http://www.microsoft.com/security/portal/blog-images/a/Seft5.png" border="0" /></a>&nbsp;</p> <p><em>Figure 5: The decrypted data is a serialized object</em></p> <p>Such configuration files are detected as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Sefnit%21cfg">Trojan:Win32/Sefnit!cfg</a>.</p> <p>In conclusion, we have a couple of interesting observations. First, the cryptographic code is compiled into the malware, as opposed to being dynamically loaded from an external DLL. 
Specifically, the code is based on the <a href="http://www.openssl.org/news/">OpenSSL</a> library version 1.0.0d released in February 2011. Additionally, the C&amp;C server responses, if we are to trust the response headers, indicate that some web servers use an old version 1.1.19 of <a href="http://wiki.nginx.org/Main">Nginx</a>, which is also from 2011. Lastly, you can use <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download">Microsoft Security Essentials</a> and <a href="http://www.microsoft.com/security/pc-security/windows-defender.aspx">Windows Defender</a> to detect and remove both the Sefnit malware and the configuration files.</p> <p><em>Dmitriy Pletnev</em></p> <p><em>MMPC </em></p> </div><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3624389&AppID=6258&AppType=Weblog&ContentType=0" width="1" height="1"> Microsoft vs. malware: a historyhttp://blogs.msdn.com/b/securitytipstalk/archive/2014/03/05/microsoft-vs-malware-a-history.aspxWed, 05 Mar 2014 21:30:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10504675Eve Blakemore10http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10504675http://blogs.msdn.com/b/securitytipstalk/archive/2014/03/05/microsoft-vs-malware-a-history.aspx#comments<p>At 2:00 A.M. on July 13, 2001, Microsoft&rsquo;s then head of security response got a phone call about a computer worm named &ldquo;Code Red&rdquo; that was spreading across computers that connected to the Internet. When the worm quickly spread to hundreds of thousands of computers, Microsoft redoubled its security efforts. 
But the criminals weren&rsquo;t going away anytime soon.</p> <p>Some say that this was the defining moment that began Microsoft&rsquo;s real battle against worms, viruses, and other <a href="http://www.microsoft.com/security/resources/malware-whatis.aspx">malware</a> and the people who create them.</p> <p>Microsoft learned early on that if it wanted to succeed at building trust with its customers, it could not make security an afterthought when developing its products and services.&nbsp; Thus, the <a href="http://www.microsoft.com/security/sdl/default.aspx">Security Development Lifecycle</a> was born.</p> <p>Read the full story at <a href="http://www.sdlstory.com/">SDLstory.com</a>.</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10504675" width="1" height="1">Trustworthy ComputingSDLSecurity Development Lifecycle Life in the Digital Crosshairs: The Untold Storyhttp://blogs.technet.com/b/security/archive/2014/03/05/life-in-the-digital-crosshairs-the-inside-story.aspxWed, 05 Mar 2014 20:52:51 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:938c11fe-b532-4ecb-9fbf-0eb0108f4c22Microsoft Security Staff0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3623479http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3623479http://blogs.technet.com/b/security/archive/2014/03/05/life-in-the-digital-crosshairs-the-inside-story.aspx#comments<p>On Saturday July 13, 2001, Microsoft was alerted of a nasty piece of malware called &ldquo;Code Red.&rdquo;&nbsp; In just two weeks, ABC News reported that the Code Red worm had infected more than 300,000 Windows computers around the world.&nbsp; When the news broke, it was like something straight out of a Tom Clancy novel.&nbsp; Microsoft learned early on that if it&nbsp;was going to succeed at building trust with its customers, it could not make security an afterthought when developing its products and services.&nbsp;</p> <p>So how do you get a large organization like Microsoft to 
prioritize security with thousands of developers, writing millions of lines of code?&nbsp; How do you get everyone marching toward the same goal?&nbsp;</p> <p>We spent time with some of the people behind the scenes in security at Microsoft to discuss their journey and how they helped to fundamentally shift the culture within Microsoft.</p> <p>Now you can get the never-before told inside story on Microsoft Security: <strong><a href="http://www.sdlstory.com">www.sdlstory.com</a></strong></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/03/05/life-in-the-digital-crosshairs-the-inside-story.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3623479&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">SDLSecurity Development Lifecycle Life in the digital crosshairs: the untold storyhttp://blogs.msdn.com/b/sdl/archive/2014/03/05/life-in-the-digital-crosshairs-the-untold-story.aspxWed, 05 Mar 2014 17:00:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10505384SDL Team0http://blogs.msdn.com/b/sdl/rsscomments.aspx?WeblogPostID=10505384http://blogs.msdn.com/b/sdl/archive/2014/03/05/life-in-the-digital-crosshairs-the-untold-story.aspx#comments<p>To mark the 10 year anniversary since the creation of the Security Development Lifecycle, we wanted to tell the behind-the-scenes story of how the SDL came to be. <br />&nbsp;<br />Back in 2004, Microsoft decided that if we were going to succeed at building trust with our customers, security could not be an afterthought when developing our products and services.<br />&nbsp;<br />So how do you get a large organization like Microsoft to prioritize security with thousands of developers, writing millions of lines of code? 
How do you get everyone marching toward the same goal?&nbsp; <br />Hear from some of the people behind the scenes in security at Microsoft to discuss their journey and how they helped to fundamentally shift the culture within Microsoft.<br />&nbsp;<br />Get the never-before told inside story on Microsoft security: <a href="http://www.sdlstory.com">www.sdlstory.com</a></p> <p><a href="http://www.sdlstory.com"><img src="http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/3568.sdl_2D00_10yr_2D00_twitter_2D00_440x220_2D00_1.jpg" alt="" border="0" /></a></p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p><br />&nbsp;</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10505384" width="1" height="1">Life in the digital crosshairsSDL 10 YearMicrosoft Security Development Lifecycle PC health – Part 1: Information stealing malwarehttp://blogs.technet.com/b/mmpc/archive/2014/03/03/pc-health-part-1-information-stealing-malware.aspxTue, 04 Mar 2014 00:13:34 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:4ef1e176-221a-4813-8610-dac435705947msft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/03/03/pc-health-part-1-information-stealing-malware.aspx#comments<div class="ExternalClassDA13689EF19149E9BD5759CC1FC6FD42"> <p>When we were building Windows 8, MMPC partnered with several teams in Microsoft to start the PC Health program. The PC health program has two goals:</p> <ul> <li>To inform and guide customers on additional actions to take when malware might have put their information at risk</li> <li>To monitor the health of PCs running our antimalware products and initiate remediation as required</li> </ul> <p>We&rsquo;ll discuss the PC health program in this two-part blog. 
Part 1 focuses on the first goal: informing and guiding our customers to take additional action when malware might have put their information at risk.</p> <h3>Information stealing malware</h3> <p><strong>Background and Landscape</strong></p> <p>During 2013, nearly 24 million machines running Microsoft security products encountered information-stealing malware. We estimate that these threats stole user names and passwords, developer code-signing keys, and other data from 4.86M machines. This includes malware that ran, but may not have stolen any data.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/PC1.png"> <img width="500" alt="Information stealing malware graph" src="http://www.microsoft.com/security/portal/blog-images/a/PC1.png" border="0" /></a>&nbsp;</p> <p><em>Figure 1: Monthly count of machines with an active infection, in which the infection is of an information-stealing malware. Families include <a href="http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Gamarue">Gamarue</a>, <a href="http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Dorkbot">Dorkbot</a>, <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Zbot">Zbot</a>, <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Banker">Banker</a>, <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Bancos">Bancos</a>, and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Fareit">Fareit</a></em></p> <h3>What can we do to better protect these customers?</h3> <p>First, as part of our malware research and automation, we continue to reduce the malware time-to-live; that is, we aim to reduce the time between when malware is released into the wild and when we start detecting it. 
However, it is also important to inform and appropriately guide our customers to take action and mitigate the impact of information-stealing malware.</p> <p><strong>Inform and guide: mitigating the impact of information-stealing malware</strong></p> <p>Since 2012 and the release of Windows 8, if you&rsquo;re running Microsoft Security Essentials or Windows Defender, and an information-stealing malware gets into your machine, you might see a message similar to this in Windows Action Center:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/PC2.jpg"><img width="500" alt="Action center alert" src="http://www.microsoft.com/security/portal/blog-images/a/PC2.jpg" border="0" /></a>&nbsp;</p> <p><em>Figure 2: Windows Action Center message if your machine gets infected by Zbot</em></p> <em></em> <p>We know from our research that, for example, <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Zbot">Zbot </a>is a malware family known to target user credentials for online banking websites. The message above will appear if your Microsoft antivirus product has detected and removed the threat. However, this message takes recovery one step further: it advises you to change your passwords for the websites that it&rsquo;s known to target.</p> <p>In 2013, a message like this was seen by more than 260,000 users within six months.</p> <p>If you are running System Center Endpoint Protection or Windows Intune, we communicate this information through the event log channel. The administrator can use the information in the event log to determine if the malware ran on the machine. If the malware did run, the event log also contains a link to a description of the threat in our <a href="http://www.microsoft.com/security/portal/threat/Threats.aspx">malware encyclopedia</a>. 
From there, the admin can assess and take action if the malware exhibits information-stealing behavior.</p> <h3>What do our customers think about this approach?</h3> <p>To determine if customers found this valuable, we monitored user feedback about the Windows Action Center notifications for three months. We received more than three thousand reviews with a 90 percent satisfaction rate.</p> <h3>Further investments</h3> <p>With the release of Windows 8, your Microsoft account can be used as the primary login across your Windows devices and services (such as OneDrive and Hotmail). To better secure your Microsoft account, we provide the Microsoft Accounts team with the PC health information, which includes information-stealing malware encounters.</p> <p><em>Deepak Manohar and Ina Ragragio</em><br /><em>MMPC</em></p> </div> RSA Conference USA 2014: New Foundations for Threat Modelinghttp://blogs.technet.com/b/trustworthycomputing/archive/2014/02/28/rsa-conference-usa-2014-new-foundations-for-threat-modeling.aspxFri, 28 Feb 2014 15:51:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:9fe7e165-ae1e-4801-b10f-2004a4e97403Trusted Cloud Team0<p><strong>By&nbsp;TwC Staff</strong></p> <p>What if you could deploy a process that would help you develop software products and services with better security, shorter development cycles, and fewer surprises for your customers?<br /><br />Those are some of the benefits of threat modeling, which was the topic of an excellent presentation: <a href="http://www.rsaconference.com/events/us14/agenda/sessions/1035/new-foundations-for-threat-modeling" target="_blank">New Foundations for Threat Modeling</a>, from Adam Shostack, principal security program manager for Trustworthy Computing, at the RSA Conference USA this week.&nbsp; <a 
href="/b/trustworthycomputing/archive/2014/02/26/rsa-conference-usa-2014-new-foundations-for-threat-modeling.aspx" target="_blank">See more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/02/28/rsa-conference-usa-2014-new-foundations-for-threat-modeling.aspx">read more</a>) Malicious Proxy Auto-Config redirectionhttp://blogs.technet.com/b/mmpc/archive/2014/02/28/malicious-proxy-auto-config-redirection.aspxFri, 28 Feb 2014 09:59:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:46f4e8a4-2a9d-4c64-9cea-ea6bfec2201amsft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/02/28/malicious-proxy-auto-config-redirection.aspx#comments<div class="ExternalClassB716B63D40B849079E48EADE19F0CC3C"> <p>Internet banking credentials are a desired target for cybercriminals. They can be targeted with man-in-the-middle attacks or through password stealing trojans such as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS:Win32/Fareit">Fareit</a>, <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS:Win32/Zbot">Zbot </a>or <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Win32/Banker">Banker</a>. A less well-known method of gaining unauthorized access to a user&rsquo;s banking credentials, commonly found in South America and to a lesser extent in Russia, is through malicious <a href="http://technet.microsoft.com/en-us/library/dd361918.aspx">Proxy Auto-Config </a>(PAC) files. 
Normally, PAC files offer similar functionality to the <a href="http://technet.microsoft.com/en-us/library/cc751132.aspx">hosts </a>file, allowing IP/website redirection, but only for the browser. Unfortunately, they can also be used for nefarious purposes.</p> <p>When a user is infected with a malicious PAC and visits an internet banking website, the browser is usually redirected to a fake website that mimics the intended banking website. This may result in credentials being stolen - or worse, online account hijacking.</p> <p>The most common infection scenario is shown in figure 1 below:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/PAC1.jpg"><img width="500" alt="Common infection scenario" src="http://www.microsoft.com/security/portal/blog-images/a/PAC1.jpg" border="0" /></a>&nbsp;</p> <p><em>Figure 1: A common PAC infection scenario</em></p> <p>A user is infected through a drive-by attack or by other malware, and a malicious PAC file is installed onto their computer. When the victim visits a targeted website, their browser is redirected to a fake website that will record their login details. The infection is silent: the user is not notified of the change in configuration (see figure 5).</p> <p>Our telemetry shows the following country domains are the most targeted by malicious PAC files:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Pac2.png"> <img width="500" alt="Infection telemetry" src="http://www.microsoft.com/security/portal/blog-images/a/PAC2.png" border="0" /></a>&nbsp;</p> <p><em>Figure 2: Countries most targeted by malicious PACs</em></p> <p>Analysis of the malicious PAC files shows that cybercriminals mostly target banking websites in Brazil and Russia, but many attacks are not limited to just online banking entities. 
We have also seen malicious redirection against other payment methods, such as credit cards, e-mail providers, social networking websites, antivirus products and educational institutions. Our <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanProxy:JS/Banker.gen%21A#tab=2">TrojanProxy:JS/Banker.gen!A</a> description has a detailed list of the targeted entities.</p> <p>One important user mitigation comes directly through the browser. What a user would experience when browsing the real website is shown below:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Pac3.jpg"> <img width="500" alt="browser unsecure" src="http://www.microsoft.com/security/portal/blog-images/a/Pac3.jpg" border="0" /></a>&nbsp;</p> <p><em>Figure 3: Web page without PAC redirection</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/pac4.jpg"> <img width="500" alt="browser secure" src="http://www.microsoft.com/security/portal/blog-images/a/Pac4.jpg" border="0" /></a>&nbsp;</p> <p><em>Figure 4: Web page with malicious PAC redirection</em></p> <p>You can see above that the original website has an authenticated certificate and appears in a green address bar. The original website is also using HTTPS (secure communication).</p> <p>Any PAC file installation (legitimate or otherwise) can be manually checked in Internet Explorer by opening the Tools menu, then selecting Internet Options, clicking the Connections tab, and selecting LAN Settings. If you see something similar to the following picture and you didn&rsquo;t install a PAC file, then you might be infected. 
Keep in mind that the PAC file can also be installed from the internet (using an http:// address), not only as a local file.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/pac5.jpg"> <img width="500" alt="Pac installed" src="http://www.microsoft.com/security/portal/blog-images/a/PAC5.jpg" border="0" /></a>&nbsp;</p> <p><em>Figure 5: LAN settings showing a PAC file installed</em></p> <p>Deleting the file entry in &ldquo;Use automatic configuration script&rdquo; (or disabling it) and the local file it references can help mitigate an attack.</p> <p>In order to deal with these malicious PAC files we have added several detections, such as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanProxy:JS/Banker.AC#tab=2">TrojanProxy:JS/Banker.AC</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanProxy:JS/Banker.gen%21A#tab=2">TrojanProxy:JS/Banker.gen!A</a>, and we will continue adding detections for any malicious PAC files we find in the wild. 
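</p> <p>As an added example (not MMPC code and not one of the detections named above), the following Python heuristic reads a PAC file, pairs each host test in <em>FindProxyForURL</em> with the proxy it returns, and reports which of a list of watched domains (for example, the banking sites an organization uses) would be sent through a proxy instead of DIRECT, which is the redirection behaviour described in this post. The PAC text, proxy addresses and domain names are constructed samples.</p>

```python
"""Flag PAC rules that route watched (e.g. banking) hosts through a proxy.

Added example, not MMPC code. It understands the three host tests a PAC file
typically uses (shExpMatch, dnsDomainIs, host == "...") and pairs each test with
the return statement that follows it. Obfuscated or computed PAC logic needs a
real JavaScript engine; this regex pass is a quick triage step, not a parser.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample in the style the post describes: two "banking" hosts are sent
# to a look-alike proxy on a bare IP address, everything else is corporate or direct.
SAMPLE_PAC = r'''
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.examplebank.test") || host == "pay.example.test") {
        return "PROXY 192.0.2.10:8080";
    }
    if (dnsDomainIs(host, ".intranet.example")) {
        return "PROXY proxy.corp.example:3128";
    }
    return "DIRECT";
}
'''

# Constructed list of hosts an administrator cares about.
WATCHED_HOSTS = ["www.examplebank.test", "pay.example.test", "www.shop.test"]

_TEST_RE = re.compile(
    r'(shExpMatch|dnsDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"\s*\)'
    r'|host\s*==\s*"([^"]+)"')
_RETURN_RE = re.compile(r'return\s+"([^"]+)"')
_BARE_IP_RE = re.compile(r'^PROXY\s+\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?', re.I)


def extract_rules(pac_text):
    """Return [(tests, proxy_string)]; tests is a list of (kind, pattern) seen
    between the previous return statement and this one."""
    rules, pos = [], 0
    for ret in _RETURN_RE.finditer(pac_text):
        tests = []
        for m in _TEST_RE.finditer(pac_text, pos, ret.start()):
            if m.group(3) is not None:
                tests.append(("equals", m.group(3)))
            else:
                tests.append((m.group(1), m.group(2)))
        rules.append((tests, ret.group(1).strip()))
        pos = ret.end()
    return rules


def host_matches(kind, pattern, host):
    """Mirror the semantics of the PAC helper named by kind (case-insensitive)."""
    host, pattern = host.lower(), pattern.lower()
    if kind == "shExpMatch":          # shell-style glob
        return fnmatchcase(host, pattern)
    if kind == "dnsDomainIs":         # suffix match on the domain
        return host.endswith(pattern)
    return host == pattern            # host == "..."


def flag_redirections(pac_text, watched_hosts):
    """Return [(host, proxy, bare_ip)] for watched hosts captured by a non-DIRECT rule.
    bare_ip is True when the proxy is a literal IP, which the post's fake-site
    redirections used rather than a corporate proxy name."""
    findings = []
    for tests, proxy in extract_rules(pac_text):
        if proxy.upper().startswith("DIRECT") or not tests:
            continue
        for host in watched_hosts:
            if any(host_matches(kind, pattern, host) for kind, pattern in tests):
                findings.append((host, proxy, bool(_BARE_IP_RE.match(proxy))))
    return findings


if __name__ == "__main__":
    for host, proxy, bare_ip in flag_redirections(SAMPLE_PAC, WATCHED_HOSTS):
        note = " (bare IP address: verify this proxy is yours)" if bare_ip else ""
        print(f"{host} -> {proxy}{note}")
```

<p>Point it at the script referenced by &ldquo;Use automatic configuration script&rdquo; (a local file or a downloaded copy of the http:// URL) and at the domains you expect to reach directly.</p> <p>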
To better protect yourself against these threats, we recommend installing an up-to-date real-time security product, such as Microsoft Security Essentials.</p> <p><em>MMPC Munich</em></p> </div> RSA Conference 2014: Reflections from the Microsoft teamhttp://blogs.technet.com/b/trustworthycomputing/archive/2014/02/27/rsa-conference-2014-reflections-from-the-microsoft-team.aspxFri, 28 Feb 2014 01:36:57 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:5b5dc2fa-20a4-40bd-a6c1-f1eeb712b3c8Trusted Cloud Team0<p><strong>By Jeff Jones, Director, Trustworthy Computing</strong></p> <p>One of the best things about the <a target="_blank" href="http://www.rsaconference.com/events/us14">RSA Conference</a> is the incredible exchange of ideas that takes place, and this year was no exception.</p> <p>Microsoft&rsquo;s security and privacy leaders were busy, not just with their own presentations, but also in discussions with other thought leaders, industry professionals and customers from around the world.&nbsp; <a target="_blank" href="/b/trustworthycomputing/archive/2014/02/27/rsa-conference-2014-reflections-from-the-microsoft-team.aspx">See more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/02/27/rsa-conference-2014-reflections-from-the-microsoft-team.aspx">read more</a>) 
The secrets of teens and social media: “It’s complicated”http://blogs.msdn.com/b/securitytipstalk/archive/2014/02/27/the-secrets-of-teens-and-social-media-it-s-complicated.aspxThu, 27 Feb 2014 22:08:32 GMT91d46819-8472-40ad-a661-2c78acb4018c:10503841Kim Sanchez, Director of Trustworthy Computing0http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10503841http://blogs.msdn.com/b/securitytipstalk/archive/2014/02/27/the-secrets-of-teens-and-social-media-it-s-complicated.aspx#comments<p>The news is full of stories about what teenagers are doing online, but does anyone over the age of 18 really understand what&rsquo;s going on?</p> <p>Microsoft researcher danah boyd does.</p> <p>In her new book, <a href="http://www.danah.org/itscomplicated/">It&rsquo;s Complicated: The Social Lives of Networked Teens</a>, boyd leverages more than ten years of research and interviews with teens to move past the cultural anxiety surrounding these issues and find out what teens are actually doing online, what people think they&rsquo;re doing, and where there&rsquo;s a gap in understanding. It&rsquo;s an opportunity for parents to take note.</p> <p><a href="http://www.danah.org/itscomplicated/">Get the book</a></p> <h1>Resources to inspire conversations</h1> <p>Kids may be savvier when it comes to how the devices work, but parents can be instrumental in helping shape how kids think about, engage with, and generally behave around technology both online and off. We know that eight years old is the average age at which parents talk to their kids about being good digital citizens, according to a <a href="https://survey2.securestudies.com/wix/p222707061.aspx">recent Microsoft survey</a>. But the interactions children experience on social networks and through online gaming are actually conditioning their interpersonal skills no matter what age they go online. 
Setting kids up for success early is important.</p> <p>If you&rsquo;re a parent, guardian, or educator and you want to help your child navigate the online world, visit <a href="http://www.microsoft.com/security/resources/young-people.aspx">Protecting young people</a> and <a href="http://www.microsoft.com/security/family-safety/online-bullying.aspx">Cyberbullying: Stand up to it</a>, or check out our research on <a href="http://www.microsoft.com/security/resources/conversations.aspx">parents&rsquo; perceptions of their children&rsquo;s online lives</a>.</p> <p>And before you hand over a digital device to your child, take a look at <a href="http://www.microsoft.com/security/family-safety/gift-checklist.aspx">this checklist</a>.</p> A close look at a targeted attack delivery http://blogs.technet.com/b/mmpc/archive/2014/02/27/a-close-look-at-a-targeted-attack-delivery.aspxThu, 27 Feb 2014 15:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:7d009dfa-42c8-476d-98a6-d9bd4690f858msft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/02/27/a-close-look-at-a-targeted-attack-delivery.aspx#comments<div class="ExternalClassEEDECD50DB8A4254AC8D4D6B095194FE"> <p>For antimalware products, targeted attacks represent a very interesting class of malware. They are stealthy and only target specific organizations and industries - flying under the radar when it comes to identifying new malware files based on telemetry. 
The purpose of these attacks is most commonly to steal confidential and sensitive information by means of social engineering and unpatched, vulnerable software.</p> <p>We recently investigated a sample used in this kind of attack, <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Retefe.A#tab=1">Trojan:Win32/Retefe.A</a>, and wanted to share with you what we encountered and possible ways to avoid being infected by similar approaches.</p> <p>Our analysis began when we investigated an RTF document flagged as suspicious due to its inclusion in what looked like a phishing email:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Target1.jpg"> <img width="500" alt="Suspicious RTF doc" src="http://www.microsoft.com/security/portal/blog-images/a/Target1.jpg" border="0" /></a>&nbsp;</p> <p><em>Figure 1: RTF document attached to phishing email</em></p> <p>The email sender was spoofed by the attackers to appear as a large e-commerce company. The message is in German and translates as &ldquo;The receipt, from your Zalando Switzerland team&rdquo;. Another reason for flagging the email as phishing was the sentence structure &ndash; it seems to be the result of an automated translation tool.</p> <p>When a user attempts to open the RTF document they get the following warning from Outlook:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Target2.jpg"> <img width="500" alt="Outlook warning" src="http://www.microsoft.com/security/portal/blog-images/a/Target2.jpg" border="0" /></a>&nbsp;</p> <p><em>Figure 2: An attempt to open the RTF prompts an Outlook warning </em></p> <p>At this point we were thinking that the RTF might contain a vulnerability that would be triggered when opening the file. 
However, when it was opened the document showed no indication that it contained an exploit &ndash; it just displays a small document:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Target3.jpg"> <img width="500" alt="small document" src="http://www.microsoft.com/security/portal/blog-images/a/Target3.jpg" border="0" /></a>&nbsp;</p> <p><em>Figure 3: The attachment opens a small document </em></p> <p>Again the text is in German and translates as &ldquo;To see the receipt, double click on the image&rdquo;. At this point it was obvious we were dealing with a social engineering attack. The attacker is asking the victim to execute the malware willingly on their machine. Even at this point the user would see a warning message about the risks taken when executing an unknown attachment:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Target4.jpg"> <img width="500" alt="Warning message" src="http://www.microsoft.com/security/portal/blog-images/a/Target4.jpg" border="0" /></a>&nbsp;</p> <p><em>Figure 4: Security warning when attempting to open suspicious attachment </em></p> <p>The file, which is executed if the user proceeds and clicks Open, is a Control Panel Applet (CPL). Its purpose is to establish a network connection to a malicious server and download the payload file. 
This particular CPL file tried to download its payload from <em>www.ent&lt;removed&gt;.ch/n.exe</em>.</p> <p>At the time of our investigation the file was no longer available, but since this was not the only attempt the bad guys have made, we were able to retrieve the payload from a URL used in similar attacks: <em>www.&lt;removed&gt;-club.ch/n.exe</em></p> <p>We detect the payload as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Retefe.A#tab=1">Trojan:Win32/Retefe.A</a>.</p> <p>The file name of the RTF document is not consistent throughout all attacks. We have seen other names used that follow a similar pattern to those below:</p> <ul> <li>2379F939.rtf</li> <li>O442Z4nV.rtf</li> <li>Quittung 05-02.14.rtf</li> <li>Quittung 2014.05.02.rtf</li> <li>uozohS+K.rtf</li> <li>uvsWuIaY.rtf</li> <li>vMtz+mFA.rtf</li> <li>YdBoUSiG.rtf</li> <li>YgRUlKut.rtf</li> </ul> <p>We&rsquo;ve also observed variations where the RTF document was replaced by a .DOC file following the same infection strategy. The file names used are similar, for example:</p> <ul> <li>Quittung 2014.05.02.doc</li> <li>Quittung 05-02.14.doc</li> <li>unnamed.doc</li> </ul> <p>The document can also be embedded in an archive from which the user needs to extract the .RTF or .DOC file. Example file names include:</p> <ul> <li>A1 Rechnung #13784126 von 05-02-2014.zip</li> <li>A1 Rechnung #746537 von 050214.zip</li> <li>Ihre Bestellung #83919469 vom 03022014.zip</li> <li>Ihre Bestellung N9397351 vom 0402-14.zip</li> </ul> <p>Trojan:Win32/Retefe.A also displays a window where it informs the user that they need to install an &ldquo;update&rdquo; and advises them to click &ldquo;Yes&rdquo; when the UAC window is displayed. 
This is another layer of social engineering to trick the user and avoid making them suspicious. The message even shows which button to press in the UAC prompt, and can appear in English or German depending on the computer locale.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Target5c.png"> <img alt="English" src="http://www.microsoft.com/security/portal/blog-images/a/Target5c.png" border="0" /></a></p> <p><em>Figure 5: Further social engineering from Trojan:Win32/Retefe.A advises the user to run the malware</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Target6.jpg"> <img width="500" alt="Engineering script" src="http://www.microsoft.com/security/portal/blog-images/a/Target6.jpg" border="0" /></a></p> <p><em>Figure 6: The strings encountered in the binary of the social engineering message</em></p> <p>As shown above, threats such as Trojan:Win32/Retefe.A use multiple techniques to encourage users to run the malicious file. The user also receives numerous warnings about the danger of proceeding. Despite these warnings we still have reports of this threat running on machines, primarily in German-speaking countries. Running an up-to-date, real-time security product, such as <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download">Microsoft Security Essentials</a>, can help protect your PC from this type of malicious threat. However, the best form of defence is to prevent these malicious files from running in the first place.
The easiest way to do this is to educate users on the risk of opening unsolicited email attachments and <a href="http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx">recognising a phishing email</a>.</p> <p><strong>Reference files:</strong></p> <p>Downloaded file:</p> <ul> <li>SHA1: 0e832c750e445484494923ce5e2e385cc73a4df1</li> <li>MD5: aa19c341970a39bac50eabf634b6262d</li> <li>Detected: Trojan:Win32/Retefe.A</li> </ul> <p>CPL file:</p> <ul> <li>SHA1: 3b86362334fce7e339f2fd36901eb30043b9481d</li> <li>MD5: 26e2ef85182c0e14a90e1108ab6f644f</li> <li>Detected: TrojanDownloader:Win32/Retefe.A</li> </ul> <p><em>MMPC Munich</em></p> </div>

RSA Conference 2014: Lively discussions at the Microsoft booth
http://blogs.technet.com/b/trustworthycomputing/archive/2014/02/26/rsa-conference-2014-lively-discussions-at-the-microsoft-booth.aspx
Posted Thu, 27 Feb 2014 04:28:14 GMT by Trusted Cloud Team
<p>By Jeff Jones, Director, Trustworthy Computing</p> <p>Today at the RSA Conference, we heard from people at the Microsoft booth, including several company representatives and some of the customers who stopped by to talk with them.</p> <p>In our daily video report from the conference, we take you inside the booth, where you&rsquo;ll hear directly from the people there. <a target="_blank" href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/02/26/rsa-conference-2014-lively-discussions-at-the-microsoft-booth.aspx">Read more</a></p>

RSA Conference 2014: Microsoft’s Trust Principles
http://blogs.technet.com/b/trustworthycomputing/archive/2014/02/25/rsa-conference-2014-microsoft-s-trust-principles.aspx
Posted Wed, 26 Feb 2014 04:22:56 GMT by Trusted Cloud Team
<p><strong>By Jeff Jones, Director, Trustworthy Computing</strong><br /><br />The keynote sessions at the <a target="_blank" href="http://www.rsaconference.com/">RSA Conference</a> are always compelling. This year&rsquo;s presentations at the Moscone Center in San Francisco have been some of the best I&rsquo;ve seen, with a strong focus on government surveillance programs and what they mean for the IT industry.<br /><br />In his keynote speech, Trustworthy Computing Corporate Vice President, Scott Charney, discussed &ldquo;<a target="_blank" href="http://www.youtube.com/watch?feature=player_embedded&amp;v=ajYuqW4npiw">Conundrums in Cyberspace</a>&rdquo;, along with his take on the sometimes conflicting roles of government as it relates to the internet. <a target="_blank" href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/02/25/rsa-conference-2014-microsoft-s-trust-principles.aspx">Read more</a></p>

Microsoft Employees Launch a New College Scholarship for Students with Disabilities
http://blogs.msdn.com/b/accessibility/archive/2014/02/25/microsoft-employees-launch-a-new-college-scholarship-for-students-with-disabilities.aspx
Posted Tue, 25 Feb 2014 22:50:00 GMT by Daniel Hubbell - MSFT
Microsoft employees have created a new scholarship that will encourage more high school seniors living with a disability to enroll in college, realize the impact technology can have on the world, and explore careers in technology. The Microsoft DisAbility... <a href="http://blogs.msdn.com/b/accessibility/archive/2014/02/25/microsoft-employees-launch-a-new-college-scholarship-for-students-with-disabilities.aspx">Read more</a>

RSA Conference 2014: Conundrums in Cyberspace—Exploiting security in the name of, well, security
http://blogs.technet.com/b/trustworthycomputing/archive/2014/02/25/rsa-conference-usa-2014-conundrums-in-cyberspace-exploiting-security-in-the-name-of-well-security.aspx
Posted Tue, 25 Feb 2014 17:49:00 GMT by Trusted Cloud Team
<p><strong>By Adrienne Hall, General Manager, Trustworthy Computing</strong></p> <p>Since Microsoft&rsquo;s founding nearly four decades ago, computing and technology have experienced some momentous shifts with regard to trust. The emergence of security concerns related to the internet was one such shift. It prompted Bill Gates to launch Microsoft&rsquo;s Trustworthy Computing (TwC) initiative in 2002, in a <a href="http://www.microsoft.com/en-us/news/features/2012/jan12/gatesmemo.aspx" target="_blank">memo</a> calling for changes to ensure customer trust at every level.</p> <p>We are currently in the midst of another seismic shift with regard to trust &mdash; the vigorous global discussion that began last year with disclosures of widespread government surveillance programs.</p> <p>Today at the RSA Security Conference USA in San Francisco, Scott Charney, Corporate Vice President, Trustworthy Computing, gave a keynote speech about the changing cybersecurity landscape: Conundrums in Cyberspace&mdash;Exploiting security in the name of, well, security. <a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/02/25/rsa-conference-usa-2014-conundrums-in-cyberspace-exploiting-security-in-the-name-of-well-security.aspx" target="_blank">Read more</a></p>

Now Available: EMET 5.0 Technical Preview
http://blogs.technet.com/b/security/archive/2014/02/25/now-available-emet-5-0-technical-preview.aspx
Posted Tue, 25 Feb 2014 17:37:46 GMT by Tim Rains - Microsoft
<p>Today at <a href="http://www.rsaconference.com/events/us14">RSA Conference 2014</a>, Microsoft released a new version of its Enhanced Mitigation Experience Toolkit (EMET), &ldquo;<a href="http://www.microsoft.com/emet">EMET 5.0 Technical Preview</a>.&rdquo; EMET is one of our most popular <a href="http://blogs.technet.com/b/security/archive/2012/10/04/microsoft-s-free-security-tools-summary.aspx">free security tools</a> that helps IT Professionals and Developers manage risk for their organizations. Typically it is used by IT Professionals and Developers to help protect systems from exploitation via software vulnerabilities. <a href="http://blogs.technet.com/b/security/archive/2014/02/25/now-available-emet-5-0-technical-preview.aspx">Read more</a></p>

Announcing EMET 5.0 Technical Preview
http://blogs.technet.com/b/srd/archive/2014/02/25/announcing-emet-5-0-technical-preview.aspx
Posted Tue, 25 Feb 2014 17:32:20 GMT by swiat
<p><span>Today, we are thrilled to announce a preview release of the next version of the Enhanced Mitigation Experience Toolkit, better known as EMET. You can download EMET 5.0 Technical Preview <a href="http://www.microsoft.com/emet"><span style="color:#0563c1;">here</span></a>. This Technical Preview introduces new features and enhancements that we expect to be key components of the final EMET 5.0 release. We are releasing this technical preview to gather customer feedback about the new features and enhancements. Your feedback will affect the final EMET 5.0 technical implementation.
We encourage you to download this Technical Preview, try it out in a test environment, and let us know how you would like these features and enhancements to show up in the final version. If you are in San Francisco, California, for the <a href="http://www.rsaconference.com/events/us14"><span style="color:#0563c1;">RSA Conference USA 2014</span></a>, please join us at the Microsoft booth (number 3005) for a demo of EMET 5.0 Technical Preview and give us feedback directly in person.&nbsp; Several members of the EMET team will be demonstrating at the Microsoft booth for the entire Conference.</span></p> <p><span>As mentioned, this Technical Preview release implements new features to disrupt and block the attacks that we have detected and analyzed over the past several months. The techniques used in these attacks have inspired us with new mitigation ideas to disrupt exploitation and raise the cost to write reliable exploits. The EMET 5.0 Technical Preview also implements additional defensive mechanisms to reduce exposure from attacks.</span></p> <p><span>The two new features introduced in EMET 5.0 Technical Preview are the <b>Attack Surface Reduction (ASR)</b> and the <b>Export Address Table Filtering Plus (EAF+)</b>. Similar to what we have done with EMET 3.5 Technical Preview, where we introduced a new set of mitigations to counter Return Oriented Programming (ROP), we are introducing these two new mitigations and ask for your feedback on how they can be improved. 
Of course, they are a &ldquo;work in progress.&rdquo; Our goal is to have them polished for the final version of EMET 5.0.</span></p> <p><span>Let&rsquo;s see in detail what these two new mitigations do, and the reasoning that led us to their implementation.</span></p> <p><span><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/2555.pic1.png"><img style="margin-right:auto;margin-left:auto;display:block;" alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/2555.pic1.png" border="0" /></a></span></p> <h2>Attack Surface Reduction</h2> <p style="margin:0in 0in 8pt;"><span>In mid-2013, <a href="http://support.microsoft.com/kb/2751647"><span style="color:#0563c1;">we published a Fix it solution</span></a> to disable the Oracle Java plug-in in Internet Explorer. We received a lot of positive feedback and a number of suggestions on how we could improve the Fix it. The most recurring suggestion we received was to allow the Oracle Java plug-in on intranet websites, which commonly run Line-of-Business applications written in Java, while blocking it on Internet Zone websites. In addition to that Java-related customer feedback, we have also seen a number of exploits targeting the Adobe Flash Player plug-in. For example, the <a href="http://news.cnet.com/8301-27080_3-20051071-245.html"><span style="color:#0563c1;">RSA breach was enabled by an Adobe Flash Player exploit</span></a> embedded inside a Microsoft Excel file and a number of targeted attacks have been carried out by Adobe Flash Player exploits embedded in Microsoft Word documents, as described by <a href="https://citizenlab.org/2014/02/mapping-hacking-teams-untraceable-spyware/"><span style="color:#0563c1;">Citizen Lab</span></a>. We decided to design a new feature that can be used to mitigate similar situations and to help to reduce the attack surface of applications. 
We call this feature Attack Surface Reduction (ASR); it can be used to block specific modules or plug-ins from loading within an application. For example, you can configure EMET to prevent Microsoft Word from loading the Adobe Flash Player plug-in, or, with the support of <a href="http://msdn.microsoft.com/en-us/library/ie/ms537183(v=vs.85).aspx#zones"><span style="color:#0563c1;">security zones</span></a>, you can use EMET to prevent Internet Explorer from loading the Java plug-in on an Internet Zone website while continuing to allow Java on Intranet Zone websites.</span></p> <p style="margin:0in 0in 8pt;"><span>The example below shows ASR in action, preventing Microsoft Word from launching an Adobe Flash Player file embedded in the document. By default, EMET 5.0 Technical Preview comes pre-configured to block certain plug-ins from being loaded by Internet Explorer, Microsoft Word and Microsoft Excel. The feature is fully configurable by changing two registry keys that list the names of the plug-ins to block and, where supported, the security zones that allow exceptions. For more details on how to configure ASR please refer to the EMET 5.0 Technical Preview <a href="http://www.microsoft.com/en-us/download/details.aspx?id=41963" target="_blank">user guide</a>.</span></p> <p style="text-align:center;"><span><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/2728.pic2.png"><img alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/2728.pic2.png" border="0" /></a></span></p> <h2>EAF+</h2> <p><span>We also added new capabilities to the existing Export Address Table Filtering (EAF). EAF+ consolidates protection of lower-level modules and prevents certain exploitation techniques used to build dynamic ROP gadgets in memory from export tables.
EAF+ can be enabled through the &ldquo;Mitigation Settings&rdquo; ribbon. When EAF+ is enabled, it will add the following additional safeguards over-and-above the existing EAF checks:</span></p> <ul> <li> <p><span>Add protection for KERNELBASE exports in addition to the existing NTDLL.DLL and KERNEL32.DLL</span></p> </li> <li> <p><span>Perform additional integrity checks on stack registers and stack limits when export tables are read from certain lower-level modules</span></p> </li> <li> <p><span>Prevent memory read operations on protected export tables when they originate from suspicious modules that may reveal memory corruption bugs used as &ldquo;read primitives&rdquo; for memory probing</span></p> </li> </ul> <p><span>For example, the third protection mechanism in the list above mitigates the exploitation technique developed in Adobe Flash Player used in some recent Internet Explorer exploits (CVE-2013-3163 and CVE-2014-0322), where the attacker attempted to build ROP gadgets by scanning the memory and parsing DLL exports using ActionScript code. Exploits for these vulnerabilities are already blocked by other EMET mitigations. EAF+ provides another way to disrupt and defeat advanced attacks. The screenshot below shows the exploit for CVE-2014-0322 in action on Internet Explorer protected by EMET 5.0 Technical Preview with only EAF+ enabled.<br /></span></p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/0876.pic3.png"><img style="margin-right:auto;margin-left:auto;display:block;" alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/0876.pic3.png" border="0" /></a></p> <h2>Other improvements</h2> <p><span>This Technical Preview enables the &ldquo;Deep Hooks&rdquo; mitigation setting. We have been working with third-party software vendors whose products do not run properly with Deep Hooks enabled. 
We believe these vendors have resolved the application compatibility issues that previously existed with Deep Hooks enabled. We enable Deep Hooks in the Technical Preview to evaluate the possibility of having this setting turned on by default in the final EMET 5.0 release because it has proven to be effective against certain advanced exploits using ROP gadgets with lower level APIs. We have also introduced some additional hardening to protect EMET&rsquo;s configuration when loaded in memory, and fixed several application compatibility issues including a common one that involves Adobe Reader and the &ldquo;MemProt&rdquo; mitigation.</span></p> <h2>Acknowledgments</h2> <p><span>We&rsquo;d like to thank Spencer J. McIntyre from SecureState, Jared DeMott from Bromium Labs, along with Peleus Uhley and Ashutosh Mehra from the Adobe Security team <span style="line-height:107%;">for their collaboration on the EMET 5.0 Technical Preview</span>.</span></p> <p><span>We are excited for this Technical Preview and we hope that the additions are as valuable for our customers as they are for us. We invite you to install and give EMET 5.0 Technical Preview a try; we look forward to hearing your feedback and suggestions on how to enhance the new features that we have introduced. We would also welcome any suggestions for additional new features you&rsquo;d like to see included in the final version of EMET 5.0. We greatly value the feedback we receive, and we want to build a product that not only provides additional protection to systems but is also easy to use and configure. 
We invite you all to download <a href="http://www.microsoft.com/emet"><span style="color:#0563c1;">EMET 5.0 Technical Preview</span></a> and <a href="mailto:emet_feedback@microsoft.com"><span style="color:#0563c1;">drop us a line</span></a>!</span></p> <p><em>The EMET Team</em></p>

Announcing the Enhanced Mitigation Experience Toolkit (EMET) 5.0 Technical Preview
http://blogs.technet.com/b/msrc/archive/2014/02/25/announcing-the-enhanced-mitigation-experience-toolkit-emet-5-0-technical-preview.aspx
Posted Tue, 25 Feb 2014 17:30:00 GMT by Chris Betz
<p>I&rsquo;m here at the Moscone Center, San Francisco, California, attending the annual <a href="http://www.rsaconference.com/events/us14"><span style="color:#0563c1;">RSA Conference USA 2014</span></a>. There&rsquo;s a great crowd here and many valuable discussions. Our Microsoft Security Response Center (MSRC) engineering teams have been working hard on the next version of EMET, which helps customers increase the effort attackers must make to compromise a computer system.</p> <p>I&rsquo;m happy to announce the public release of the <a href="http://www.microsoft.com/emet"><span style="color:#0563c1;">EMET 5.0 Technical Preview</span></a> today from the RSA exhibit hall.</p> <p>During last night&rsquo;s RSA reception, conference attendees got a sneak preview of EMET 5.0 as demonstrated by Jonathan Ness, Chengyun Chu, Elia Florio and Elias Bachaalany from our EMET engineering team.
If you missed it, we&rsquo;ll have our EMET engineering team here all week at RSA demonstrating the current version of EMET 4.1, as well as the EMET 5.0 Technical Preview, at the Microsoft Booth (number 3005).</p> <p>EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and can help protect the computer by diverting, terminating, blocking and invalidating those actions and techniques. In recent 0-days, EMET has been an effective mitigation against memory corruption. Having EMET installed and configured on computers meant that the computers were protected from those attacks.</p> <p>EMET 5.0 Technical Preview adds new protections for enterprises on top of the <a href="http://technet.microsoft.com/en-us/security/jj653751"><span style="color:#0563c1;">12 built-in security mitigations</span></a> included in version 4.1. For instance, the new Attack Surface Reduction mitigation allows enterprises to better protect third-party and custom-built applications by selectively enabling Java, Adobe Flash Player and Microsoft or third-party plug-ins. At the Security Research and Defense blog, our engineering team provides a <a href="http://blogs.technet.com/b/srd/archive/2014/02/21/announcing-emet-5-0-technical-preview.aspx"><span style="color:#0563c1;">deep dive blog post</span></a> on EMET 5.0 Technical Preview.</p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/8306.emet1.jpg"><img alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/8306.emet1.jpg" border="0" /></a></p> <p>Since the first release of EMET in 2009, our customers and the security community have adopted EMET and provided us with valuable feedback. 
Your feedback both in <a href="http://social.technet.microsoft.com/Forums/en/emet/threads"><span style="color:#0563c1;">forums</span></a> and through <a href="http://www.microsoft.com/en-us/microsoftservices/support.aspx"><span style="color:#0563c1;">Microsoft Premier Support Services</span></a>, which provides enterprise support for EMET, has helped shape the new EMET capabilities to further expand the range of scenarios it addresses.</p> <p>The same goes for EMET 5.0 Technical Preview. As we march towards the final release of EMET 5.0, we would like to invite you to download the EMET 5.0 Technical Preview at <a href="http://www.microsoft.com/emet"><span style="color:#0563c1;">microsoft.com/emet</span></a> to deploy in your test environments. Your feedback is valuable in shaping our roadmap. Please <a href="http://social.technet.microsoft.com/Forums/en/emet/threads"><span style="color:#0563c1;">let us know</span></a> what you think.</p> <p>Finally, if you&rsquo;re at the RSA Conference, please stop by our booth and share your feedback with Jonathan, Chengyun, Elia and Elias. 
We&rsquo;d like to hear from you!</p> <p>Thanks,<br /><a href="http://blogs.technet.com/b/msrc/about.aspx#Chris_Betz"><span style="color:#0563c1;">Chris Betz</span></a><br />Senior Director<br />Microsoft Security Response Center (MSRC)</p>

Best ways to battle botnets
http://blogs.msdn.com/b/securitytipstalk/archive/2014/02/25/best-ways-to-battle-botnets.aspx
Posted Tue, 25 Feb 2014 16:33:00 GMT by Eve Blakemore
<h1>What is a botnet?</h1> <p><a href="http://www.microsoft.com/security/resources/botnet-whatis.aspx">Botnets</a> are networks of compromised computers that criminals use to commit fraud, such as:</p> <ul> <li>Secretly spreading <a href="http://www.microsoft.com/security/resources/malware-whatis.aspx">malware</a></li> <li>Stealing personal information</li> <li>Hijacking Internet search results to take you to websites that are potentially dangerous</li> </ul> <h1>How do I know if my computer is part of a botnet?</h1> <p>Your computer might be part of a botnet if it crashes or stops responding often or you experience other <a href="http://www.microsoft.com/security/pc-security/malware-symptoms.aspx">malware symptoms</a>.
You might also be directed to this page:</p> <p><a href="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-80-54/6403.Malware.jpg"><img style="max-width: 550px;" src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-80-54/6403.Malware.jpg" alt="" border="0" /></a></p> <h1>How can I clean my computer if I&rsquo;ve been infected?</h1> <p>Botnets infect your computer with malware. To clean your computer, run the <a href="http://www.microsoft.com/security/scanner/en-us/default.aspx">Microsoft Safety Scanner</a>, and then run a scan with your antivirus software.</p> <p><a href="http://www.microsoft.com/security/pc-security/antivirus.aspx">Get more guidance on how to remove malware</a></p> <h1>How can I help keep my computer out of botnets?</h1> <p>Make sure your computer has antivirus software, such as Windows Defender or Microsoft Security Essentials, and keep it updated.</p> <p>To learn more about botnets, see <a href="http://www.microsoft.com/security/pc-security/botnet.aspx">How to better protect your PC from botnets and malware</a>.</p>

RSA Conference 2014: A look at the week ahead
http://blogs.technet.com/b/trustworthycomputing/archive/2014/02/24/rsa-conference-2014-a-look-at-the-week-ahead.aspx
Posted Tue, 25 Feb 2014 03:47:08 GMT by Trusted Cloud Team
<p><strong>By Jeff Jones, Director, Trustworthy Computing</strong></p> <p>Greetings from RSA Conference 2014 in San Francisco. Microsoft is proud to be part of the important discussions taking place this week, and I&#39;ll be bringing you daily video reports with highlights from the event.</p> <p>Our first installment takes a look at the week
ahead, including the keynote address from Trustworthy Computing Corporate Vice President, Scott Charney, and an overview of the briefing sessions featuring Microsoft security and privacy experts. <a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/02/24/rsa-conference-2014-a-look-at-the-week-ahead.aspx" target="_blank">Read more</a></p>

RSA Conference 2014: Hot Topics in Privacy
http://blogs.technet.com/b/trustworthycomputing/archive/2014/02/21/rsa-conference-2014-hot-topics-in-privacy.aspx
Posted Fri, 21 Feb 2014 22:03:20 GMT by Trusted Cloud Team
<p><strong>By TwC Staff</strong></p> <p>Data privacy is a topic that tends to spur wide-ranging conversations, with dramatically varying national and global pivots. Issues related to data privacy are important and complex, so we expect the topic to generate many discussions among attendees at the annual <a target="_blank" href="http://www.rsaconference.com/events/us14">RSA Conference USA</a> in San Francisco, Feb. 24-28.</p> <p>Microsoft&rsquo;s Chief Privacy Officer, Brendon Lynch, will be in attendance and will share his thoughts on emerging trends in the privacy world, as part of a panel of privacy leaders, on Wednesday, Feb. 26.
The panelists will tackle current &ldquo;<a target="_blank" href="http://www.rsaconference.com/events/us14/agenda/sessions/1354/hot-topics-in-privacy">Hot Topics in Privacy</a>,&rdquo; with a focus on important and emerging privacy issues. <a target="_blank" href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/02/21/rsa-conference-2014-hot-topics-in-privacy.aspx">Read more</a></p>

How do I know if I already have antivirus software?
http://blogs.msdn.com/b/securitytipstalk/archive/2014/02/21/how-do-i-know-if-i-already-have-antivirus-software.aspx
Posted Fri, 21 Feb 2014 17:14:00 GMT by Eve Blakemore
<h1>If your computer is running Windows 8</h1> <p>If your computer is running Windows 8, you already have antivirus software.
Windows 8 includes <a href="http://www.microsoft.com/security/pc-security/windows-defender.aspx">Windows Defender</a>, which helps protect you from viruses, spyware, and other <a href="http://www.microsoft.com/security/resources/malware-whatis.aspx">malicious software</a>.</p> <p>If Windows Defender is turned off and you don&rsquo;t have another antivirus program installed (or your other antivirus program is not working), you will see a warning in the notification area on your taskbar.</p> <h1>If your computer is running Windows 7</h1> <p>Windows 7 includes spyware protection, but to protect against viruses you can download <a href="http://www.microsoft.com/security/pc-security/microsoft-security-essentials.aspx">Microsoft Security Essentials</a> for free.</p> <p><strong>To find out if you already have antivirus software:</strong></p> <ol start="1"> <li>Open Action Center by clicking the <strong>Start</strong> button, clicking <strong>Control Panel</strong>, and then, under <strong>System and Security</strong>, clicking <strong>Review your computer's status</strong>.</li> <li>Click the arrow button next to <strong>Security</strong> to expand the section.</li> </ol> <p>If Windows can detect your antivirus software, it's listed under <strong>Virus protection</strong>.</p> <p>Windows doesn't detect all antivirus software, and some antivirus software doesn't report its status to Windows. If your antivirus software isn't displayed in Action Center and you're not sure how to find it, try any of the following:</p> <ul> <li>Type the name of the software or the publisher in the Search box on the <strong>Start</strong> menu.</li> <li>Look for your antivirus program's icon in the notification area of the taskbar.</li> </ul> <h1>If your computer is running Windows Vista</h1> <p>Windows Vista does not include virus protection.
To protect against viruses, you can download <a href="http://www.microsoft.com/security/pc-security/microsoft-security-essentials.aspx">Microsoft Security Essentials</a> for free.</p> <p>The status of your antivirus software is typically displayed in Windows Security Center.</p> <ol start="1"> <li>Open Security Center by clicking the&nbsp;<strong>Start</strong>&nbsp;button&nbsp;, clicking&nbsp;<strong>Control Panel</strong>, clicking&nbsp;<strong>Security</strong>, and then clicking&nbsp;<strong>Security Center</strong>.</li> <li>Click&nbsp;<strong>Malware protection</strong>.</li> </ol> <p>If Windows can detect your antivirus software, it will be listed under&nbsp;<strong>Virus protection</strong>.</p> <p>Windows does not detect all antivirus software, and some antivirus software doesn't report its status to Windows. If your antivirus software is not displayed in Windows Security Center and you're not sure how to find it, try any of the following:</p> <ul> <li>Look for the antivirus software in the list of programs on the <strong>Start</strong> menu.</li> <li>Type the name of the software or the publisher in the Search box on the <strong>Start</strong> menu.</li> <li>Look for the icon in the notification area of the taskbar.</li> </ul> <h1>If your computer is running Windows XP</h1> <p>Click the security icon on the taskbar, or click&nbsp;<strong>Start</strong>, select&nbsp;<strong>Control Panel</strong>, and then double-click&nbsp;<strong>Security Center</strong>.</p> <p>On April 8, 2014, Microsoft will end support for Windows XP. This means that after April 8, there will be no new security updates available through automatic updating for computers that are still running Windows XP.</p> <p>Also on this date, Microsoft will stop providing <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download">Microsoft Security Essentials</a> for download on Windows&nbsp;XP. 
(If you already have Microsoft Security Essentials installed, you will continue to receive antimalware signature updates for a limited time, but this does not mean that your PC will be secure because Microsoft will no longer provide security updates to protect it.)</p> <p>For more information, see&nbsp;<a href="http://windows.microsoft.com/en-us/windows/end-support-help">Support is ending soon</a>.</p> <p>Get more information about upgrading to&nbsp;<a href="http://www.microsoft.com/security/pc-security/windows7.aspx">Windows 7</a>&nbsp;and&nbsp;<a href="http://www.microsoft.com/security/pc-security/windows8.aspx">Windows 8</a>.</p> <h1>I don&rsquo;t know what operating system my computer is running</h1> <p><a href="http://windows.microsoft.com/en-us/windows/which-operating-system">Find out what operating system your computer is running</a></p> <p>&nbsp;</p> <p>&nbsp;</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10501970" width="1" height="1">Windows DefendervirusmalwareMicrosoft Security EssentialsWindows 7antivirus softwaremalicious softwareWindows XPWindows 8 Recognizing American Sign Language on International Mother Language Dayhttp://blogs.msdn.com/b/accessibility/archive/2014/02/21/mother-language-day.aspxFri, 21 Feb 2014 16:15:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10501563Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10501563http://blogs.msdn.com/b/accessibility/archive/2014/02/21/mother-language-day.aspx#commentsThe following blog post was written by Ellen Kampel, Public Relations Manager for Accessibility at Microsoft. Ellen holds a Masters in Social Work (MSW) and works on technology issues related to aging and people with disabilities. 
----- Today we... (<a href="http://blogs.msdn.com/b/accessibility/archive/2014/02/21/mother-language-day.aspx">read more</a>)
<p><strong>The MSRT in Action: Keeping systems safe</strong><br />msft-mmpc, Fri, 21 Feb 2014 00:54:38 GMT<br /><a href="http://blogs.technet.com/b/mmpc/archive/2014/02/20/the-msrt-in-action-keeping-systems-safe.aspx">http://blogs.technet.com/b/mmpc/archive/2014/02/20/the-msrt-in-action-keeping-systems-safe.aspx</a></p> <p>In four days the January release of the Microsoft Malicious Software Removal Tool (MSRT) detected almost a million threats on PCs across the globe.</p> <p>In the video below, Dustin Childs and Joe Faulhaber explain what happened as the MSRT sprang into action.</p> <p><iframe width="500" height="281" src="http://www.youtube.com/embed/7gUTRuNAB0s" frameborder="0"></iframe></p>
<p><strong>And the Gold Medal Goes to … Finland!</strong><br />Tim Rains - Microsoft, Thu, 20 Feb 2014 15:01:00 GMT<br /><a href="http://blogs.technet.com/b/security/archive/2014/02/20/and-the-gold-medal-goes-to-finland.aspx">http://blogs.technet.com/b/security/archive/2014/02/20/and-the-gold-medal-goes-to-finland.aspx</a></p> <p>The closing ceremonies are quickly approaching in Sochi, Russia, with ice skaters, skiers, curlers and other world-renowned athletes racing to stand atop the podium. But one nation is already seeing gold: <a href="http://blogs.technet.com/b/security/archive/2011/08/04/finland-lessons-from-some-of-the-least-malware-infected-countries-in-the-world-part-3.aspx">Finland</a> has once again prevailed as the country with the lowest malware infection rate.</p> <p>We&rsquo;re thrilled to honor Finland&rsquo;s computer security efforts with the gold medal in the closing ceremonies of our <a href="http://blogs.technet.com/b/security/archive/2014/02/06/cleanest-countries-regions-jump-to-the-top-of-our-podium.aspx">blog series</a>. Microsoft measures quarterly malware infection rates in 106 countries/regions worldwide in its <a href="http://www.microsoft.com/security/sir/default.aspx">Security Intelligence Report (SIR)</a>. The latest report indicates that Finland had the lowest malware infection rate of all of them in the second quarter of 2013. (<a href="http://blogs.technet.com/b/security/archive/2014/02/20/and-the-gold-medal-goes-to-finland.aspx">read more</a>)</p> <p>Tags: Finland, Threat Landscape, Security Intelligence Report Volume 15, SIRv15, Least Malware Infected Countries</p>
<p><strong>Fix it tool available to block Internet Explorer attacks leveraging CVE-2014-0322</strong><br />SRD Blog Author, Wed, 19 Feb 2014 23:12:00 GMT<br /><a href="http://blogs.technet.com/b/srd/archive/2014/02/19/fix-it-tool-available-to-block-internet-explorer-attacks-leveraging-cve-2014-0322.aspx">http://blogs.technet.com/b/srd/archive/2014/02/19/fix-it-tool-available-to-block-internet-explorer-attacks-leveraging-cve-2014-0322.aspx</a></p> <p>Today, we released <a href="http://technet.microsoft.com/en-us/security/advisory/2934088">Security Advisory 2934088</a> to provide guidance to customers concerned about a new vulnerability found in Internet Explorer versions 9 and 10. 
This vulnerability has been exploited in limited, targeted attacks against Internet Explorer 10 users browsing to www.vfw.org and www.gifas.asso.fr (legitimate sites that had been compromised to serve the exploit). We will cover the following topics in this blog post:</p> <ul> <li><strong>Platforms affected</strong></li> <li><strong>Steps you can take to stay safe</strong></li> <li><strong>More details about the vulnerability</strong></li> <li><strong>More details about the Fix it tool</strong></li> </ul> <p><b>Platforms Affected</b></p> <p>As described in <a href="http://technet.microsoft.com/en-us/security/advisory/2934088">Security Advisory 2934088</a>, both Internet Explorer 9 and Internet Explorer 10 contain the vulnerable code. However, we have not seen any exploit code capable of triggering the vulnerability on Internet Explorer 9. The chart below may help explain the risk by platform:</p>
<table border="1"> <tbody>
<tr> <td>&nbsp;</td> <td>Windows XP<br />Server 2003</td> <td>Windows Vista<br />Server 2008</td> <td>Windows 7<br />Server 2008 R2</td> <td>Windows 8<br />Server 2012</td> <td>Windows 8.1<br />Server 2012 R2</td> </tr>
<tr> <td>Internet Explorer 6</td> <td bgcolor="green">Not vulnerable</td> <td>n/a</td> <td>n/a</td> <td>n/a</td> <td>n/a</td> </tr>
<tr> <td>Internet Explorer 7</td> <td bgcolor="green">Not vulnerable</td> <td bgcolor="green">Not vulnerable</td> <td>n/a</td> <td>n/a</td> <td>n/a</td> </tr>
<tr> <td>Internet Explorer 8</td> <td bgcolor="green">Not vulnerable</td> <td bgcolor="green">Not vulnerable</td> <td bgcolor="green">Not vulnerable</td> <td>n/a</td> <td>n/a</td> </tr>
<tr> <td>Internet Explorer 9</td> <td>n/a</td> <td bgcolor="yellow">Vulnerable,<br />not under attack</td> <td bgcolor="yellow">Vulnerable,<br />not under attack</td> <td>n/a</td> <td>n/a</td> </tr>
<tr> <td>Internet Explorer 10</td> <td>n/a</td> <td>n/a</td> <td bgcolor="red">Under attack</td> <td bgcolor="red">Under attack</td> <td>n/a</td> </tr>
<tr> <td>Internet Explorer 11</td> <td>n/a</td> <td>n/a</td> <td bgcolor="green">Not vulnerable</td> <td>n/a</td> <td bgcolor="green">Not vulnerable</td> </tr>
</tbody> </table>
<p><b>Steps you can take to stay safe</b></p> <p>Any of the following three protection mechanisms will protect you from the exploits we have seen that leverage this vulnerability for code execution (the second and third are mitigations for the known exploits, not a fix for the underlying bug; only the forthcoming security update is that):</p> <ol> <li><a href="http://windows.microsoft.com/en-us/internet-explorer/download-ie-MCM">Upgrade to Internet Explorer 11</a></li> <li>Install the <a href="http://www.microsoft.com/en-us/download/details.aspx?id=41138">Enhanced Mitigation Experience Toolkit (EMET)</a></li> <li>Install the <a href="http://support.microsoft.com/kb/2934088">Fix it workaround tool</a></li> </ol> <p>Upgrading to Internet Explorer 11 is the best way to stay safe from exploit attempts targeting this vulnerability.</p> <p>The <a href="http://www.microsoft.com/en-us/download/details.aspx?id=41138">Enhanced Mitigation Experience Toolkit (EMET)</a> is also an effective way to block the targeted attacks we have analyzed. This particular exploit explicitly checks for EMET and refuses to run on any system where EMET is installed. However, even with the exploit&rsquo;s EMET check removed, the default configuration of EMET blocks the attack. In this particular case, EMET&rsquo;s EAF and Anti-Detour features block the exploit in the default EMET configuration. With EMET&rsquo;s &ldquo;Deep Hooks&rdquo; feature enabled, the MemProt, StackPivot, and CallerCheck features are each independently capable of blocking this exploit. We are pleased to see EMET continuing to provide protection against a significant portion of memory corruption exploits today. On that note, we found that in the second half of 2013, all in-the-wild exploits we encountered that leveraged memory corruption for code execution were blocked by EMET. 
We recommend that all customers install this tool. Watch next week for an announcement at the RSA Conference about the future of EMET.</p> <p>The third, and likely easiest, way to protect yourself from attempts to exploit the vulnerability is to install the Fix it workaround tool released in <a href="http://technet.microsoft.com/en-us/security/advisory/2934088">today&rsquo;s advisory</a>. You can refer to <a href="http://support.microsoft.com/kb/2934088">Knowledge Base Article 2934088</a> for complete details, but simply clicking through the &ldquo;Fix it&rdquo; installer from the following link will protect your system from attempts to exploit the vulnerability:</p> <div align="center"> <table style="width:75%;" border="1" cellpadding="0"> <tbody> <tr> <td> <p align="center"><strong>Apply Fix it</strong></p> </td> <td> <p align="center"><strong>Uninstall Fix it</strong></p> </td> </tr> <tr> <td> <p align="center"><a href="http://go.microsoft.com/?linkid=9844137">Microsoft Fix it 50994: Enable the CVE-2014-0322 Workaround</a></p> </td> <td> <p align="center"><a href="http://go.microsoft.com/?linkid=9844138">Microsoft Fix it 50995: Uninstall the CVE-2014-0322 Workaround</a></p> </td> </tr> </tbody> </table> </div> <p>Installing the Fix it does not require a reboot, but administrative privileges on the system are required. 
The Fix it installation will be effective on any Internet Explorer 9 or Internet Explorer 10 system where the most recently released security update (MS14-010) has already been installed. More specifically, the appcompat shim is enabled for the Internet Explorer process only where mshtml.dll is one of the following four versions: 9.0.8112.16533, 9.0.8112.20644, 10.0.9200.16798, or 10.0.9200.20916. On a system that has not installed MS14-010 the shim does not match and provides no protection, so check the mshtml.dll version before relying on it. The eventual security update that addresses this vulnerability will ship with an incremented mshtml.dll version number, thereby automatically obsoleting this Fix it.</p> <p>You can read more about previous instances of this temporary workaround technique at <a href="http://blogs.technet.com/b/srd/archive/tags/fixit/">http://blogs.technet.com/b/srd/archive/tags/fixit/</a>. Fix its have been a popular mitigation technique with our customers to cover the gap between the time when an exploit appears and the time when a final, comprehensive, fully-tested security update is available for wide distribution. The last instance of a Fix it tool to address an Internet Explorer vulnerability (addressed by MS13-080) was installed on 23 million computers. The most recent security-related Fix it solution mitigated an Office vulnerability that was subsequently addressed by MS13-096. That Fix it solution was installed on 57 million computers. We mention these numbers with the hope of giving you confidence that a number of your IT Pro peers are using Fix it solutions to protect their enterprise networks.</p> <p><b>More details about the vulnerability and exploit</b></p> <p>CVE-2014-0322 describes an mshtml.dll use-after-free vulnerability involving the CMarkup object being accessed after it has been freed. As described above, this vulnerability is present in both Internet Explorer 9 and Internet Explorer 10, but the exploits we have seen target only 32-bit Internet Explorer 10. The exploit was explained in greater detail on the <a href="http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html">FireEye security blog</a>. To recap, it uses JavaScript to trigger the use-after-free condition and then uses Flash to convert a write primitive into a read/write primitive that enables DEP and ASLR to be bypassed. The primitive conversion happens by redirecting a write based on a freed object&rsquo;s data (which has by then been reallocated by the attacker) to corrupt a size field inside a Flash object. The corrupted size field in the Flash object is then used to read and write outside of the object&rsquo;s boundary, allowing discovery of module addresses in Internet Explorer&rsquo;s address space. We are not aware of any elevation of privilege or sandbox escape vulnerability being used to &ldquo;break out&rdquo; of the Internet Explorer Protected Mode sandbox. Therefore, even after the exploit gains code execution, it still needs a non-trivial additional element to result in a persistent compromise of the computer.</p> <p><b>More details about the Fix it tool</b></p> <p>The Fix it redirects execution of two functions, mshtml!CMarkup::InsertElementInternal and mshtml!CMarkup::InsertTextInternal, to the code introduced by the appcompat shim. Similar changes are made in both functions. 
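</p> <p>What that extra AddRef() buys, modelled in C. This is an added illustration, not Microsoft's code and not the shim itself: the CMarkup layout, the re-entrant script callback, and the way the owning reference gets dropped are assumptions of the model. The unshimmed path keeps using the object after script has released it (the use-after-free); the shimmed path takes a reference on entry and, like the real shim, never gives it back.</p>

```c
/*
 * Added illustration (not Microsoft's code): why prepending an AddRef() to
 * CMarkup::InsertElementInternal stops the use-after-free, and why the shim
 * therefore leaks. Object layout, the re-entrant callback and the way the
 * last reference is dropped are assumptions made for this model.
 */
#include <stdio.h>
#include <stdlib.h>

typedef struct Markup {
    long refcount;
    int  released;   /* model of "freed": set when the last reference is dropped */
} Markup;

static Markup *markup_create(void) {
    Markup *m = calloc(1, sizeof *m);
    if (m == NULL) abort();
    m->refcount = 1;                          /* the owner's reference */
    return m;
}

static void markup_addref(Markup *m) { m->refcount++; }

static void markup_release(Markup *m) {
    if (--m->refcount == 0) {
        /* The real object would be free()d here; the model keeps the storage
         * and only marks it, so a later access is detected deterministically. */
        m->released = 1;
    }
}

/* Script that runs re-entrantly inside the native call and drops the owner's reference. */
typedef void (*reentrant_script)(Markup *);
static void drop_owner_reference(Markup *m) { markup_release(m); }

/* Unshimmed function: runs script, then keeps using `this` without holding a
 * reference of its own. Returns 1 if that use touched a released object
 * (the use-after-free), 0 otherwise. */
static int insert_element_internal(Markup *this_, reentrant_script script) {
    script(this_);
    return this_->released;                   /* the dangerous access */
}

/* Shimmed entry: what the injected pushad / mov ecx,eax / call CLock / popad
 * sequence amounts to, i.e. AddRef() with no matching Release(). */
static int insert_element_internal_shimmed(Markup *this_, reentrant_script script) {
    markup_addref(this_);
    return insert_element_internal(this_, script);
}

/* Runs one scenario. Returns 1 if a released object was accessed; stores the
 * refcount left behind in *leftover_refs (1 with the shim: the leak the post mentions). */
int run_scenario(int with_shim, long *leftover_refs) {
    Markup *m = markup_create();
    int uaf = with_shim ? insert_element_internal_shimmed(m, drop_owner_reference)
                        : insert_element_internal(m, drop_owner_reference);
    if (leftover_refs) *leftover_refs = m->refcount;
    free(m);                                  /* tear down the model storage */
    return uaf;
}

int run_scenario_uaf(int with_shim)  { long r; return run_scenario(with_shim, &r); }
long run_scenario_refs(int with_shim) { long r; run_scenario(with_shim, &r); return r; }

int main(void) {
    printf("unshimmed: use-after-free=%d, refcount afterwards=%ld\n",
           run_scenario_uaf(0), run_scenario_refs(0));
    printf("shimmed:   use-after-free=%d, refcount afterwards=%ld (leaked)\n",
           run_scenario_uaf(1), run_scenario_refs(1));
    return 0;
}
```

<p>After the shimmed run the refcount is still 1 with no owner left to release it, which is the leak the post describes: it is confined to the tab process and costs memory, not safety. The unshimmed run reaches the released object, which in the real browser is the dangling CMarkup access the exploit turns into a write primitive.</p> <p>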
Let&rsquo;s take a closer look at mshtml!CMarkup::InsertElementInternal:</p> <pre>
0:020&gt; u mshtml!CMarkup::InsertElementInternal
MSHTML!CMarkup::InsertElementInternal:
e9d3d2a500      jmp     MSHTML!SZ_HTMLNAMESPACE+0xf (66bb43c7)               // we redirect execution

0:020&gt; u 66bb43c7
MSHTML!SZ_HTMLNAMESPACE+0xf:
60              pushad                                                       // save registers
8bc8            mov     ecx,eax                                              // move the this* pointer to ecx
e818468bff      call    MSHTML!CMarkup::CLock::CLock+0x2 (664689e7)          // call into the code where we AddRef() on this CMarkup object
61              popad                                                        // restore our registers
55              push    ebp                                                  // execute the code we overwrote in the jump to this shim
8bec            mov     ebp,esp
e91c2d5aff      jmp     MSHTML!CMarkup::InsertElementInternal+0x5 (661570f4) // jump back to the next instruction after our redirection point
</pre> <p>Similar to the <a href="http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx">Fix it solution for CVE-2013-3893</a>, the shim leverages slack space near the end of mshtml.dll&rsquo;s .text section. Astute readers may notice that the appcompat shim does not introduce any code to reduce the reference count on the CMarkup object. Said another way, the appcompat shim introduces a memory leak: every CMarkup that passes through these two functions stays alive until the IE tab (process) that owns it is terminated, and that is precisely what keeps the freed-object access from happening. This minor side effect of the workaround tool is harmless, and of course it won&rsquo;t be present in the final comprehensive security update for this vulnerability.</p> <p><b>Acknowledgements</b></p> <p>Thanks to Richard Van Eeden, Axel Souchet, Chengyun Chu, and Elia Florio for the help triaging this vulnerability and building the Fix it workaround tool.</p> <p><b>Conclusion</b></p> <p>Please let us know if you have any questions about the risk posed by this vulnerability, the exploits we have seen leveraging the vulnerability for code execution, or mitigation opportunities available to protect your systems. 
You can email us at <a href="mailto:secure@microsoft.com">secure@microsoft.com</a> with [SRD] in the subject line. Or, if you plan to attend the RSA Conference in San Francisco, CA next week, feel free to stop by the Microsoft Booth #3005 to talk to us in person. We&rsquo;re looking forward to announcing EMET news on Tuesday morning.</p> <p>- Neil Sikka, MSRC Engineering (@neilsikka)</p> <p>Tags: 0day, fixit, Risk Assessment, Attack, EMET</p>
<p><strong>Microsoft Releases Security Advisory 2934088</strong><br />Dustin C. Childs, Wed, 19 Feb 2014 23:10:00 GMT<br /><a href="http://blogs.technet.com/b/msrc/archive/2014/02/19/microsoft-releases-security-advisory-2934088.aspx">http://blogs.technet.com/b/msrc/archive/2014/02/19/microsoft-releases-security-advisory-2934088.aspx</a></p> <p>Today, we released <a href="http://technet.microsoft.com/security/advisory/2934088">Security Advisory 2934088</a> regarding an issue that impacts Internet Explorer 9 and 10. Internet Explorer 6, 7, 8 and 11 are not affected. At this time, we are only aware of limited, targeted attacks against Internet Explorer 10. This issue allows remote code execution if users browse to a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message.</p> <p>As part of the security advisory, we have also included an easy, one-click <a href="http://support.microsoft.com/kb/2934088">Fix it</a> to address the known attack vectors. The Fix it is available to all customers, helps prevent known attacks that leverage the vulnerability to execute code, and should not affect your ability to browse the web. Additionally, applying the Fix it does not require a reboot. 
We encourage all customers using Internet Explorer 9 and 10 to apply this Fix it to help protect their systems. The Security Research and Defense <a href="http://blogs.technet.com/b/srd/archive/2014/02/19/fix-it-tool-available-to-block-internet-explorer-attacks-leveraging-cve-2014-0322.aspx">blog</a> provides greater technical insight into the issue and how the Fix it helps protect customers.</p> <p>Internet Explorer 11 is not affected by this issue, so <a href="http://windows.microsoft.com/en-US/internet-explorer/download-ie">upgrading</a> to this version will also help protect customers from this issue.</p> <p>We also encourage you to follow the &quot;Protect Your Computer&quot; guidance of enabling a firewall, applying all software updates, and installing anti-virus and anti-spyware software. In addition, we encourage everyone to exercise caution when visiting websites and to avoid clicking suspicious links or opening email messages from unfamiliar senders. Additional information can be found at <a href="http://www.microsoft.com/protect">www.microsoft.com/protect</a>.</p> <p>We continue to work on a security update to address this issue. We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.</p> <p>Thank you,<br /> <br /> <a title="Dustin Childs" href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br /> Group Manager, Response Communications<br /> Trustworthy Computing</p> <p>Tags: Security Advisory, Internet Explorer (IE)</p>
<p><strong>5 things you need to know about tech support scams</strong><br />Eve Blakemore, Wed, 19 Feb 2014 17:48:00 GMT<br /><a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/02/19/5-things-you-need-to-know-about-tech-support-scams.aspx">http://blogs.msdn.com/b/securitytipstalk/archive/2014/02/19/5-things-you-need-to-know-about-tech-support-scams.aspx</a></p> <p>If someone calls you claiming to be from Microsoft tech support and offering to help you fix your computer, mobile phone, or tablet, this is <a href="http://www.microsoft.com/security/online-privacy/msname.aspx">a scam</a> designed to install malicious software on your computer, steal your personal information, or both.</p> <p><strong>Do not trust unsolicited calls. Do not provide any personal information.</strong></p> <p>What you need to know about tech support phone scams:</p> <ol> <li> <p>Microsoft will not make unsolicited phone calls about computer security or software fixes. If you receive a call like this one, it&rsquo;s a scam, and all you need to do is hang up.</p> </li> <li> <p>Cybercriminals often use publicly available phone directories, so they might know your name and other personal information when they call you. 
They might even guess what operating system you're using.</p> </li> <li> <p>If you have already given access to your computer to someone who claimed to be from Microsoft, immediately change your computer's password (and any passwords you typed while the caller had access), download and run the <a href="http://www.microsoft.com/security/scanner/en-us/default.aspx">Microsoft Safety Scanner</a>, and then make sure you have <a href="http://www.microsoft.com/security/resources/antivirus-whatis.aspx">antivirus software</a> installed.</p> </li> <li> <p>If you gave someone your credit card information to pay for services, contact your credit card company and alert them to this fraudulent purchase.</p> </li> <li> <p>The Federal Trade Commission (FTC) has received reports that criminals are taking advantage of consumers&rsquo; knowledge of the scam by calling to offer refunds for phony tech support. <a href="http://www.ftc.gov/news-events/press-releases/2014/01/ftc-tells-consumers-hang-tech-support-refund-scams">This is also a scam.</a></p> </li> </ol> <p>For more information, see <a href="http://www.microsoft.com/security/online-privacy/avoid-phone-scams.aspx">Avoid tech support phone scams</a>.</p> <p>Tags: fraud, id theft, phone scams</p>
<p><strong>RSA Conference 2014: Microsoft&rsquo;s commitment to protecting customers</strong><br />Trusted Cloud Team, Wed, 19 Feb 2014 16:24:00 GMT<br /><a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/02/19/rsa-conference-2014-microsoft-s-commitment-to-protecting-customers.aspx">http://blogs.technet.com/b/trustworthycomputing/archive/2014/02/19/rsa-conference-2014-microsoft-s-commitment-to-protecting-customers.aspx</a></p> <p><strong>By Jeff Jones, Director, Trustworthy Computing</strong></p> <p>The annual <a target="_blank" href="http://www.rsaconference.com/events/us14">RSA Conference USA</a> in San Francisco brings together many of the brightest minds in IT security and features a wide range of important, thought-provoking discussions. 
An estimated 26,000 guests will attend this year&rsquo;s conference, which runs next week, from Feb. 24-28.</p> <p>Microsoft is a conference sponsor and we&rsquo;ll present several speaker sessions during the week. One highlight is the keynote presentation on Feb. 25 by Scott Charney, Corporate Vice President of Trustworthy Computing. In his session, entitled <em>Conundrums in Cyberspace: Exploiting security in the name of, well, security</em>, Scott will discuss the company&rsquo;s commitment to protecting customers in the wake of recent disclosures of widespread government surveillance programs. (<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/02/19/rsa-conference-2014-microsoft-s-commitment-to-protecting-customers.aspx">read more</a>)</p> <p>Tags: keynote, RSA, Jeff Jones, cyber threats, scott charney, Trust, Big Data, Technology, Cybersecurity, Trust Center, Security, data centers, Trustworthy Computing, Microsoft, Data, Europe, Privacy</p>
<p><strong>New Skills for New Jobs: Challenges and Opportunities for People with Disabilities</strong><br />Daniel Hubbell - MSFT, Tue, 18 Feb 2014 18:47:00 GMT<br /><a href="http://blogs.msdn.com/b/accessibility/archive/2014/02/18/new-skills-for-new-jobs-challenges-and-opportunities-for-people-with-disabilities.aspx">http://blogs.msdn.com/b/accessibility/archive/2014/02/18/new-skills-for-new-jobs-challenges-and-opportunities-for-people-with-disabilities.aspx</a></p> The following blog post was written by James Thurston &ndash; Director of International Accessibility Policy at Microsoft. James works with Microsoft&rsquo;s global subsidiaries, NGOs, and governments around the world to develop public policies that support... (<a href="http://blogs.msdn.com/b/accessibility/archive/2014/02/18/new-skills-for-new-jobs-challenges-and-opportunities-for-people-with-disabilities.aspx">read more</a>)
<p><strong>A journey to CVE-2014-0497 exploit</strong><br />msft-mmpc, Mon, 17 Feb 2014 22:50:00 GMT<br /><a href="http://blogs.technet.com/b/mmpc/archive/2014/02/17/a-journey-to-cve-2014-0497-exploit.aspx">http://blogs.technet.com/b/mmpc/archive/2014/02/17/a-journey-to-cve-2014-0497-exploit.aspx</a></p> <div class="ExternalClass81D09C22098A4D24B9D1D7BFD3CC23DF"> <p>Last week we published a <a href="http://blogs.technet.com/b/mmpc/archive/2014/02/10/a-journey-to-cve-2013-5330-exploit.aspx">blog post about a CVE-2013-5330 exploit</a>. We&rsquo;ve also recently seen a new, similar attack targeting a patched Adobe Flash Player vulnerability (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0497">CVE-2014-0497</a>).</p> <p>The vulnerability related to this malware was addressed with a <a href="http://helpx.adobe.com/security/products/flash-player/apsb14-04.html">patch released by Adobe on February 4, 2014</a>. Flash Player versions 12.0.0.43 and earlier are vulnerable. We analyzed how these attacks work and found the following details.</p> <p>The malicious file has been distributed as a .swf file, which contains:</p> <ul> <li>The vulnerability trigger</li> <li>Shellcode</li> <li>A PE file (encrypted)</li> </ul> <p>The .swf file can be hosted on a web server and run when the webpage is visited. 
When the .swf is loaded, the vulnerability is triggered.</p> <p>The .swf bypasses the validation of the memory range it is allowed to touch and is able to access an arbitrary location. It overwrites a pointer in a VTABLE to pass control to a controlled location (note that the exploit does not rely on heap spray; see figure 1). The controlled location starts with stack pivot ROP gadgets built from a Flash Player DLL. The ROP gadgets call VirtualProtect() to make the shellcode memory region executable. Finally, control is passed to the shellcode via a jmp esp instruction (as shown in figure 3).</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CV1.png"><img style="height:45px;width:500px;" alt="Control transfer" src="http://www.microsoft.com/security/portal/blog-images/a/CV1.png" border="0" /></a></p> <p><em>Figure 1: Control transfer via an overwritten pointer in VTABLE</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CV2.png"><img alt="ROP gadgets" src="http://www.microsoft.com/security/portal/blog-images/a/CV2.png" border="0" /></a></p> <p><em>Figure 2: Stack pivot ROP gadgets</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CV3.png"><img style="height:233px;width:500px;" alt="Control is passed to shellcode" src="http://www.microsoft.com/security/portal/blog-images/a/CV3.png" border="0" /></a></p> <p><em>Figure 3: Control is passed to shellcode via &ldquo;jmp esp&rdquo;</em></p> <p>The shellcode simply drops a PE file (already decrypted by the .swf) as %temp%\a.exe and executes it. 
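</p> <p>The two exploits on this page share one shape: a single corrupting write turns a bounds-checked object into an arbitrary read/write primitive (the corrupted size field inside a Flash object in the CVE-2014-0322 post above), and that primitive leaks a module address and overwrites a vtable pointer to steer a virtual call into attacker-chosen code (the VTABLE overwrite just described for CVE-2014-0497). The C below models that chain end to end. It is an added illustration, not Microsoft's, Adobe's or the attackers' code: the heap is one fixed array so the out-of-bounds accesses stay deterministic, the layout (a length word, the element words, then a neighbour whose first word is its vtable pointer), the location of the stale write, and the stand-in for the stack pivot are all assumptions of the model.</p>

```c
/*
 * Added illustration (not Microsoft's, Adobe's or the attackers' code) of
 * "corrupt a size field -> checked accessor becomes arbitrary read/write ->
 * leak a pointer -> overwrite a vtable pointer -> hijacked virtual call".
 * The single-array heap, its layout and the stale-write location are
 * assumptions made for the model.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { VEC_ELEMS = 4, VICTIM_SLOT = VEC_ELEMS + 1, HEAP_WORDS = VEC_ELEMS + 2 };

typedef struct VTable { int (*method)(void); } VTable;
static int legit_method(void)    { return 1; }
static int attacker_method(void) { return 0x1337; }  /* stands in for stack pivot + ROP chain */
static const VTable legit_vt    = { legit_method };
static const VTable attacker_vt = { attacker_method };

/* words[0] = vec.length, words[1..VEC_ELEMS] = vec.data,
 * words[VICTIM_SLOT] = the neighbouring object's vtable pointer */
typedef struct Heap { uintptr_t words[HEAP_WORDS]; } Heap;

void heap_init(Heap *h) {
    memset(h, 0, sizeof *h);
    h->words[0] = VEC_ELEMS;
    h->words[VICTIM_SLOT] = (uintptr_t)&legit_vt;
}

/* Bounds-checked element access: the "validation of memory range" the exploit defeats. */
int vec_get(const Heap *h, size_t i, uintptr_t *out) {
    if (i >= h->words[0]) return 0;
    *out = h->words[1 + i];
    return 1;
}
int vec_set(Heap *h, size_t i, uintptr_t v) {
    if (i >= h->words[0]) return 0;
    h->words[1 + i] = v;
    return 1;
}

/* The one write the memory-safety bug yields: a stale pointer into a freed chunk that
 * the attacker arranged to be reused for the vector header (modelled as words[0]). */
static void stale_write(Heap *h, uintptr_t value) {
    uintptr_t *dangling = &h->words[0];
    *dangling = value;
}

/* Full chain. Returns what the hijacked virtual call produced, or -1 if a step was refused. */
int exploit(Heap *h, uintptr_t *leaked_vtable) {
    stale_write(h, UINTPTR_MAX);                                  /* 1: length = "infinite" */
    if (!vec_get(h, VEC_ELEMS, leaked_vtable)) return -1;         /* 2: read past the data: info leak */
    if (!vec_set(h, VEC_ELEMS, (uintptr_t)&attacker_vt)) return -1; /* 3: write past it: fake vtable */
    const VTable *vt = (const VTable *)h->words[VICTIM_SLOT];
    return vt->method();                                          /* 4: the victim's virtual call */
}

/* Does the checked accessor still refuse index VEC_ELEMS (one past the data)? */
int oob_read_refused(const Heap *h) {
    uintptr_t v;
    return vec_get(h, VEC_ELEMS, &v) == 0;
}

/* Self-contained runs for tests and for the reader. */
int demo_refused_before(void) { Heap h; heap_init(&h); return oob_read_refused(&h); }
int demo_hijacked_call(void)  { Heap h; uintptr_t l; heap_init(&h); return exploit(&h, &l); }
int demo_leak_is_real_vtable(void) {
    Heap h; uintptr_t l; heap_init(&h); exploit(&h, &l);
    return l == (uintptr_t)&legit_vt;
}

int main(void) {
    printf("before corruption, out-of-bounds read refused: %d\n", demo_refused_before());
    printf("leaked pointer is the real vtable address: %d\n", demo_leak_is_real_vtable());
    printf("hijacked virtual call returned: 0x%x\n", demo_hijacked_call());
    return 0;
}
```

<p>Before the stale write, the accessor refuses index 4; after it, the same accessor hands back the neighbour's vtable pointer (in the real exploit, an address inside a loaded module, which is what defeats ASLR) and then accepts a fake one, so the next virtual call runs attacker_method. Defences that refuse to trust an implausible length before the checked accessor uses it stop the chain at step 1; the stack pivot and caller checks EMET applies, as the CVE-2014-0322 post above notes, stop it at step 4.</p> <p>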
The dropped PE file (SHA-1: 265fdeb993a09d2350daa130de4ce5b662bed628) is detected as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:Win32/Siromost.A">TrojanDownloader:Win32/Siromost.A</a>.</p> <p>The telemetry for this exploit is shown in figure 4.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CV4.png"><img alt="Daily reports for CVE-2014-0497" src="http://www.microsoft.com/security/portal/blog-images/a/CV4.png" border="0" /></a></p> <p><em>Figure 4: Daily reports for CVE-2014-0497</em></p> <p>We have confirmed this exploit works across multiple Flash Player versions. In our lab testing, we were able to reproduce the attack on the following Adobe Flash Player versions:</p> <ul> <li>11.6.602.171</li> <li>11.6.602.180</li> <li>11.7.700.169</li> <li>11.7.700.202</li> <li>11.7.700.224</li> <li>11.8.800.94</li> <li>11.8.800.168</li> <li>11.8.800.175</li> <li>11.9.900.117</li> <li>11.9.900.152</li> <li>11.9.900.170</li> </ul> <p>Version 12.x (12.0.0.43 and earlier) is known to contain the vulnerability used by the attack, but it also carries a mitigation that prevents building the ROP gadgets from the Flash Player DLL. 
The sample we analyzed does not support version 12.x for this reason. That is a property of this sample, not of the vulnerability: 12.x up to 12.0.0.43 is still vulnerable and must be updated.</p> <p>If you&#39;re using Flash Player version 12.0.0.43 or earlier, you need to update your Flash Player now to be protected against these attacks.</p> <p>You can also find more information about this vulnerability, including workarounds, in <a href="http://technet.microsoft.com/en-us/security/advisory/2755801">Microsoft Security Advisory (2755801)</a>.</p> <p><em>Chun Feng</em><br /><em>MMPC</em></p> </div>
<p><strong>February 2014 Security Bulletin Webcast and Q&amp;A</strong><br />Dustin C. Childs, Fri, 14 Feb 2014 18:30:00 GMT<br /><a href="http://blogs.technet.com/b/msrc/archive/2014/02/14/february-2014-security-bulletin-webcast-and-q-amp-a.aspx">http://blogs.technet.com/b/msrc/archive/2014/02/14/february-2014-security-bulletin-webcast-and-q-amp-a.aspx</a></p> <p>Today we published the <a href="http://blogs.technet.com/b/msrc/p/february-2014-security-bulletin-q-a.aspx">February 2014 Security Bulletin Webcast Questions &amp; Answers page</a>. We answered seven questions on air, with the majority of questions focusing on the MSXML bulletin (<a href="https://technet.microsoft.com/security/bulletin/ms14-005">MS14-005</a>) and the revision to <a href="http://technet.microsoft.com/security/advisory/2915720">Security Advisory 2915720</a>. One question that was not answered on air has been included on the Q&amp;A page.</p> <p>Here is the <a href="http://www.youtube.com/v/ygUn4rfvYx0?version=3&amp;hl=en_US">video replay</a>.</p> <p>We invite you to join us for the next scheduled webcast on Wednesday, March 12, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the March bulletin release and answer your bulletin deployment questions live on the air.</p> <p>You can register to attend the webcast at the link below:</p> <p><b>Date: Wednesday, March 12, 2014<br /> Time: 11:00 a.m. PDT (UTC -7)<br /> Register: </b><a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572977&amp;Culture=en-US"><b>Attendee Registration</b></a></p> <p>I look forward to seeing you next month.</p> <p>Thanks,<br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br /> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</p> <p>Tags: Security Update Webcast Q &amp; A, Webcast Q&amp;A, Bulletin Webcast, Customer Questions, Security Bulletin Webcast</p>
<p><strong>5 safety tips for online dating</strong><br />Eve Blakemore, Thu, 13 Feb 2014 18:50:42 GMT<br /><a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/02/13/5-safety-tips-for-online-dating.aspx">http://blogs.msdn.com/b/securitytipstalk/archive/2014/02/13/5-safety-tips-for-online-dating.aspx</a></p> <p>If you&rsquo;re going to be connecting online this Valentine&rsquo;s Day (or ever), follow these safety and privacy tips.</p> <ol> <li><strong>Avoid catfishing</strong>. This is a type of <a href="http://blogs.msdn.com/b/securitytipstalk/archive/2013/06/20/catfishing-are-you-falling-for-it.aspx">social engineering designed to entice you into a relationship</a> in order to steal your personal information, your money, or both. 
Always remember that people on the other end of online conversations might not be who they say they are. Treat all <a href="http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx">email and social networking messages</a> with caution when they come from someone you don&rsquo;t know.</li> <li><strong>Use online dating websites you trust.</strong> Knowing when to trust a website depends in part on who publishes it, what information they want, and what you want from the site. Before you sign up on a site, read the privacy policy. Can&rsquo;t find it? Find another site. For more information, see <a href="http://www.microsoft.com/security/online-privacy/trusted-sites.aspx">How do I know if I can trust a website?</a></li> <li><strong>Be careful with the information you post online.</strong> Before you put anything on a social networking site, personal website, or dating profile, think about what you are posting, who you are sharing it with, and how this will reflect on your <a href="http://www.microsoft.com/security/online-privacy/reputation.aspx">online reputation</a>. For more information, watch this video about <a href="http://youtu.be/D1NQPUk1CHo">the dangers of oversharing</a>.</li> <li><strong>Be smart about details in photographs.</strong> Photographs can reveal a lot of personal information, including identifiable details such as street signs, house numbers, or your car&rsquo;s license plate. Photographs can also reveal location information. For more information, see <a href="http://www.microsoft.com/security/online-privacy/location-services.aspx">Use location services more safely</a>.</li> <li><strong>Block and report suspicious people.</strong> Use the tools in your email, social networking program, or dating website to block and report unwanted contact. 
<a href="http://www.microsoft.com/security/online-privacy/phishing-scams.aspx#Victim">Read this if you think you might already be a victim of a scam</a>.</li> </ol><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10500018" width="1" height="1">fraudid theftphishingprivacychild safetymalwaree-mailsecurityhoaxcybersecuritycybersafetye-mail scamscybercriminalsmalicious softwareemailemail scamscatfishingonline dating Industry Standards at Work: Improving Closed Captioning of Internet Videohttp://blogs.msdn.com/b/accessibility/archive/2014/02/13/industry-standards-at-work-improving-closed-captioning-of-internet-video.aspxThu, 13 Feb 2014 16:21:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10492604Daniel Hubbell - MSFT2http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10492604http://blogs.msdn.com/b/accessibility/archive/2014/02/13/industry-standards-at-work-improving-closed-captioning-of-internet-video.aspx#commentsThe following blog post was written by Ann Marie Rohaly - Director of Accessibility Policy and Standards at Microsoft. She has a Ph.D. in biomedical engineering and has worked in the area of accessibility since 2009. 
----- Eight years ago, five...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/02/13/industry-standards-at-work-improving-closed-captioning-of-internet-video.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10492604" width="1" height="1"> Japan Skates into Second Placehttp://blogs.technet.com/b/security/archive/2014/02/13/japan-skates-into-second-place.aspxThu, 13 Feb 2014 15:03:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:c722bbc5-205d-4d09-a30a-770e1746c142Tim Rains - Microsoft0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3622597http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3622597http://blogs.technet.com/b/security/archive/2014/02/13/japan-skates-into-second-place.aspx#comments<p>Skaters are speeding around Sochi ice rinks this week at the 2014 Winter Games, capturing the world&rsquo;s attention with their grace and athletic prowess. Our <a href="/b/security/archive/2014/02/06/cleanest-countries-regions-jump-to-the-top-of-our-podium.aspx">blog series</a> also skates along to another medal round, as we honor Japan with our second-place silver medal for its exemplary approach to managing malware threats. 
<a href="/b/security/archive/2014/02/11/japan-skates-into-second-place.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/02/13/japan-skates-into-second-place.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3622597&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">Japan Threat LandscapeSIRv15Least Malware Infected Countries The NIST Cybersecurity Framework: A Significant Milestone towards Critical Infrastructure Resiliencyhttp://blogs.technet.com/b/security/archive/2014/02/13/the-nist-cybersecurity-framework-a-significant-milestone-towards-critical-infrastructure-resiliency.aspxThu, 13 Feb 2014 14:53:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:038a2e0a-98d2-4c8e-a7d5-088d2f7f1222Microsoft Security Staff0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3622787http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3622787http://blogs.technet.com/b/security/archive/2014/02/13/the-nist-cybersecurity-framework-a-significant-milestone-towards-critical-infrastructure-resiliency.aspx#comments<p>Posted by <strong>Matt Thomlinson</strong>, Vice President, Microsoft Security</p> <p>Yesterday, the Administration <a href="http://www.nist.gov/cyberframework/">released</a> the much anticipated Cybersecurity Framework.&nbsp; What does the Framework mean for the critical infrastructures, both in the United States and beyond?&nbsp; The Framework, developed over the past year by the National Institute of Standards and Technology (NIST), is a significant milestone in an ongoing and successful collaboration among a broad range of industry and government organizations concerned with improving the cybersecurity of critical infrastructure.&nbsp; Microsoft appreciates the opportunity to contribute to the development of the Cybersecurity Framework, and we were honored to participate in Wednesday&rsquo;s launch event.&nbsp; <a 
href="/b/security/archive/2014/02/13/the-nist-cybersecurity-framework-a-significant-milestone-towards-critical-infrastructure-resiliency.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/02/13/the-nist-cybersecurity-framework-a-significant-milestone-towards-critical-infrastructure-resiliency.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3622787&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1"> RSA Conference 2014: Internet Growth Brings New Opportunities and New Challengeshttp://blogs.technet.com/b/security/archive/2014/02/12/rsa-conference-2014-internet-growth-brings-new-opportunities-and-new-challenges.aspxWed, 12 Feb 2014 17:01:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:34d55c10-8332-4672-802d-097a6134bba8Tim Rains - Microsoft0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3622206http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3622206http://blogs.technet.com/b/security/archive/2014/02/12/rsa-conference-2014-internet-growth-brings-new-opportunities-and-new-challenges.aspx#comments<p>It&rsquo;s hard to believe <a href="http://www.rsaconference.com/events/us14">RSA Conference USA 2014</a> is just a few weeks away.&nbsp; Microsoft has been an active participant at RSA Conference for over a decade now and it&rsquo;s great to see how far the awareness and importance of IT security has come. 
Over the past decade, attendance has grown dramatically, and this year&rsquo;s conference is expected to be attended by more than 24,000 people.&nbsp;<a href="/b/security/archive/2014/02/06/rsa-conference-2014-internet-growth-brings-new-opportunities-and-new-challenges.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/02/12/rsa-conference-2014-internet-growth-brings-new-opportunities-and-new-challenges.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3622206&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">threat landscapeRSA USA 2014SIRv15Security Intelligence Report A safer internet is important for businesses, toohttp://blogs.technet.com/b/trustworthycomputing/archive/2014/02/11/a-safer-internet-is-important-for-businesses-too.aspxTue, 11 Feb 2014 18:56:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:ec6515f1-d26b-4542-8026-fb4ace5bdc0fTrusted Cloud Team0<p><strong>By TwC Staff</strong><br /><br />Today is <a target="_blank" href="http://www.microsoft.com/security/resources/sid.aspx">Safer Internet Day</a>, an annual campaign to encourage positive online behaviors and raise awareness of safety issues on the web. SID began in Europe more than a decade ago and is now observed in more than 100 countries.<br /><br />While the campaign focuses on consumers, some recent data suggest that businesses and organizations should also pay close attention. 
Employees who take unnecessary risks online can damage not only their own reputations and finances, but those of their employers as well. <a href="/b/trustworthycomputing/archive/2014/02/11/a-safer-internet-is-important-for-businesses-too.aspx">Read more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/02/11/a-safer-internet-is-important-for-businesses-too.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3622634&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">safer onlineSafer Internet Daysafety &amp; security centerConsumerization of ITcyber threatsChief Online Safety Officercustomer perspectiveOnline SafetysafeTrustworthy ComputingMicrosoftDigital Citizenshippersonal dataOnlineJacqueline Beauchere Assessing risk for the February 2014 security updates http://blogs.technet.com/b/srd/archive/2014/02/11/assessing-risk-for-the-february-2014-security-updates.aspxTue, 11 Feb 2014 18:05:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:fa3c4055-c4c4-4848-be51-8326d442252fSRD Blog Author0<p>Today we released seven security bulletins addressing 31 unique CVEs. Four bulletins have a maximum severity rating of Critical while the other three have a maximum severity rating of Important. 
We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.</p> <table border="1"> <tbody> <tr> <td><b>Bulletin</b></td> <td><b>Most likely attack vector</b></td> <td><b>Max Bulletin Severity</b></td> <td><b>Max Exploitability</b></td> <td><b>Likely first 30 days impact</b></td> <td><b>Platform mitigations and key notes</b></td> </tr> <tr> <td><a href="http://technet.microsoft.com/security/bulletin/MS14-010">MS14-010</a> <p>(Internet Explorer)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Addresses both memory corruption vulnerabilities and elevation of privilege vulnerabilities in a single package.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/security/bulletin/MS14-011">MS14-011</a> <p>(VBScript)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>The single CVE addressed by this bulletin is included in MS14-010 for IE9 users. Customers with IE9 installed need not deploy MS14-011.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/security/bulletin/MS14-007">MS14-007</a> <p>(DirectWrite)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Internet Explorer is the vector to this vulnerability in&nbsp;DirectWrite.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/security/bulletin/MS14-005">MS14-005</a> <p>(MSXML)</p> </td> <td>Victim browses to a malicious website to be exposed to this information leak vulnerability.</td> <td>Important</td> <td>3</td> <td>Vulnerability first seen as ASLR bypass mechanism in targeted attacks during November 2013. 
Attacks may begin using this vulnerability again as details emerge.</td> <td>As discussed in the <a href="http://blogs.technet.com/b/srd/archive/2013/11/12/technical-details-of-the-targeted-attack-using-cve-2013-3918.aspx">SRD </a>and <a href="http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html">FireEye </a>blogs during November 2013, this vulnerability was used along with another vulnerability in active attacks. The MS13-090 security update completely blocked all attacks described by those blog posts.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/security/bulletin/MS14-009">MS14-009</a> <p>(.NET Framework)</p> </td> <td>Most likely to be exploited vulnerability involves attacker initiating but not completing POST requests to ASP.NET web application, resulting in resource exhaustion denial of service.</td> <td>Important</td> <td>1</td> <td>Resource exhaustion attacks involving CVE-2014-0253 already in progress in the wild.</td> <td>CVE-2014-0253 addresses resource exhaustion &ldquo;<a href="http://en.wikipedia.org/wiki/Slowloris">Slowloris</a>&rdquo; attack. <p>CVE-2014-0257 addresses sandbox escape vulnerability involving COM objects running code out-of-process.</p> <p>CVE-2014-0295 addresses the vsab7rt.dll ASLR bypass described at <a href="http://www.greyhathacker.net/?p=585">http://www.greyhathacker.net/?p=585</a>.</p> </td> </tr> <tr> <td><a href="http://technet.microsoft.com/security/bulletin/MS14-008">MS14-008</a> <p>(Forefront Protection for Exchange)</p> </td> <td>Code is unlikely to be reachable. However, if attackers do find a way, it would involve a malicious email message being processed by the Forefront Protection for Exchange service.</td> <td>Critical</td> <td>2</td> <td>Unlikely to see exploits developed targeting this vulnerability.</td> <td>While this vulnerability&rsquo;s attack vector appears attractive (email), the vulnerability is unlikely to be reachable. 
It was discovered internally by code analysis and we have not been successful in developing a real-world vulnerability trigger. We address it via security update out of an abundance of caution.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/security/bulletin/MS14-006">MS14-006</a> <p>(IPv6)</p> </td> <td>Attacker on the same subnet as victim (IPv6 link-local) sends large number of malicious router advertisements resulting in victim system bugcheck.</td> <td>Important</td> <td>3</td> <td>Denial of service only.</td> <td>This bugcheck is triggered by a watchdog timer on the system, not by memory corruption. Affects Windows RT, Windows Server 2012 (not R2), and Windows 8 (not 8.1).</td> </tr> </tbody> </table> <p>- Jonathan Ness, MSRC</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3622632&AppID=6147&AppType=Weblog&ContentType=0" width="1" height="1">Attack VectorRisk Assessment Safer Internet Day 2014 and Our February 2014 Security Updateshttp://blogs.technet.com/b/msrc/archive/2014/02/11/safer-internet-day-2014-and-our-february-2014-security-updates.aspxTue, 11 Feb 2014 18:01:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:621d5715-7271-403b-b088-096624717897Dustin C. Childs0<p><span style="font-family:Calibri;font-size:medium;">In addition to today being the </span><a href="http://technet.microsoft.com/security/bulletin/ms14-feb"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">security update release</span></a><span style="font-family:Calibri;font-size:medium;">, February 11 is officially </span><a href="http://www.microsoft.com/security/resources/sid.aspx"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Safer Internet Day</span></a><span style="font-family:Calibri;font-size:medium;"> for 2014. This year, we&rsquo;re asking folks to <b>Do 1 Thing</b> to stay safer online. 
While you may expect my &ldquo;Do 1 Thing&rdquo; recommendation would be to apply security updates, I&rsquo;m guessing that for readers of this blog, that request would be redundant. Instead, I&rsquo;ll ask that you also install the latest version of the Enhanced Mitigation Experience Toolkit (</span><a href="http://aka.ms/emet"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">EMET</span></a><span style="font-family:Calibri;font-size:medium;">). If you aren&rsquo;t familiar with EMET, the utility helps prevent vulnerabilities from being successfully exploited by using security mitigation technologies built into the operating system. EMET doesn&rsquo;t guarantee that vulnerabilities cannot be exploited, but it works to make exploitation as difficult as possible and is a great addition to any layered defense.</span></p> <p><span style="font-family:Calibri;font-size:medium;">If you choose to install EMET as part of Safer Internet Day, you won&rsquo;t just be making a difference on your own systems, you can also help a great non-profit organization. 
Starting today, when you </span><a href="http://www.saferinternetday.org/web/guest/register"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">share your promise</span></a><span style="font-family:Calibri;font-size:medium;"> to create a better Internet or participate in </span><a href="http://www.microsoft.com/security/resources/sid.aspx"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">selected social media activities</span></a><span style="font-family:Calibri;font-size:medium;">, Microsoft will make a donation to </span><a href="http://www.techsoup.org/" target="_blank"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">TechSoup Global</span></a><span style="font-family:Calibri;font-size:medium;"> &ndash; a nonprofit organization using technology to solve global problems and foster social change.</span></p> <p><span style="font-family:Calibri;font-size:medium;">Now let&rsquo;s get back to that other &ldquo;One Thing&rdquo; &ndash; This month, we&rsquo;re releasing seven updates, four rated Critical and three rated Important, addressing 31 unique CVEs in Microsoft Windows, Internet Explorer, .NET Framework and Forefront Protection for Exchange. 
Here&rsquo;s an overview of this month&rsquo;s release:</span></p> <p><i><span style="font-family:Calibri;font-size:medium;">Click to enlarge</span></i></p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/February_5F00_Deployment2.jpg"><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/February_5F00_Deployment2.jpg" border="0" alt=" " /></a></p> <p><span style="font-family:Calibri;font-size:medium;">Our top deployment priorities for this month are MS14-007, MS14-010 and MS14-011, which address issues in Microsoft Windows Direct2D, Internet Explorer, and the VBScript Scripting Engine.</span></p> <p><a href="http://technet.microsoft.com/security/bulletin/ms14-007"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">MS14-007 | Vulnerability in Direct2D Could Allow Remote Code Execution </span></a><span style="font-family:Calibri;"><span style="font-size:medium;">&nbsp;<br /> This update addresses a privately reported vulnerability in the Microsoft Windows Direct2D component. The vulnerability could allow remote code execution if a customer views a specially crafted webpage using Internet Explorer.</span></span></p> <p><a href="http://technet.microsoft.com/security/bulletin/ms14-010"><span style="color:#0563c1;"><span style="font-family:Calibri;"><span style="font-size:medium;">MS14-010 | Cumulative Security Update for Internet Explorer&nbsp; </span></span></span></a><span style="font-family:Calibri;"><span style="font-size:medium;">&nbsp;<br /> This cumulative update addresses one public and 23 privately disclosed issues in Internet Explorer. It&rsquo;s important to remember that this is still just one update. Our guidance to customers does not change based on the number of CVEs contained in a single Internet Explorer update. 
An attacker who successfully exploited the most severe of these issues could execute code at the level of the logged on user. Customers who deploy this update will be protected from that scenario.</span></span></p> <p><a href="http://technet.microsoft.com/security/bulletin/ms14-011"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">MS14-011 | Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution </span></a><span style="font-family:Calibri;"><span style="font-size:medium;">&nbsp;<br /> This update addresses a privately reported vulnerability in the VBScript scripting engine within Microsoft Windows. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. Although this update and MS14-007 have similar exploit vectors to the update for Internet Explorer, these issues actually reside in Windows components &ndash; not Internet Explorer. This update also shares a CVE with the MS14-010 update for Internet Explorer as the VBScript scripting engine was included in Internet Explorer 9.</span></span></p> <p><span style="font-family:Calibri;font-size:medium;">We&rsquo;ve mentioned it several times before, but in case you missed it, we revised </span><a href="http://technet.microsoft.com/security/advisory/2862973"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Security Advisory 2862973</span></a><span style="font-family:Calibri;"><span style="font-size:medium;"> today to provide the update through automatic updates. We originally released this update last August to allow for testing, as the update will impact applications and services using certificates with the MD5 hashing algorithm. If you have already applied the update, you won&rsquo;t need to take any additional action. 
If you haven&rsquo;t applied this update yet, you can do so through automatic updates.</span></span></p> <p><span style="font-family:Calibri;font-size:medium;">Watch the bulletin overview video below for a brief summary of today&#39;s releases.</span></p> <p><span style="font-family:Calibri;font-size:medium;"><object width="500" height="281"><param name="movie" value="//www.youtube.com/v/jKwY9afst0s?version=3&amp;hl=en_US" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed width="500" height="281" src="http://www.youtube.com/v/jKwY9afst0s?version=3&amp;hl=en_US" type="application/x-shockwave-flash" /></object></span></p> <p><span style="font-family:Calibri;font-size:medium;">For more information about this month&rsquo;s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the </span><a href="http://technet.microsoft.com/security/bulletin/MS14-feb"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Microsoft Bulletin Summary Web page</span></a><span style="font-family:Calibri;font-size:medium;">. </span></p> <p><span style="font-family:Calibri;font-size:medium;">Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, February 12, 2014, at 11 a.m. PST. I invite you to register </span><a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572879&amp;Culture=en-US"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">here</span></a><span style="font-family:Calibri;font-size:medium;">, and tune in to learn more about this month&rsquo;s security bulletins and advisories. </span></p> <p><span style="font-family:Calibri;font-size:medium;">For all the latest information, you can also follow us at </span><a href="http://www.twitter.com/msftsecresponse"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">@MSFTSecResponse</span></a><span style="font-family:Calibri;font-size:medium;">. 
</span></p> <p><span style="font-family:Calibri;font-size:medium;">I encourage you to consider what &ldquo;one thing&rdquo; you can do to improve your internet safety, and I look forward to hearing your questions about this month&rsquo;s release in our webcast tomorrow.</span></p> <p><span style="font-family:Times New Roman;font-size:medium;"> </span><span style="font-size:small;">Thanks, </span><br /><span style="font-size:small;"> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs"><span style="color:#0563c1;">Dustin Childs</span></a> </span><br /><span style="font-size:small;"> Group Manager, Response Communications</span><br /><span style="font-size:small;"> Microsoft Trustworthy Computing</span></p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3622587&AppID=4571&AppType=Weblog&ContentType=0" width="1" height="1">Microsoft ExchangeMicrosoft WindowsSecurity BulletinsInternet Explorer (IE) Get security updates for February 2014http://blogs.msdn.com/b/securitytipstalk/archive/2014/02/11/get-security-updates-for-february-2014.aspxTue, 11 Feb 2014 18:00:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10498547Eve Blakemore2http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10498547http://blogs.msdn.com/b/securitytipstalk/archive/2014/02/11/get-security-updates-for-february-2014.aspx#comments<p>Microsoft releases security updates on the second Tuesday of every month.</p> <p><strong><a href="http://go.microsoft.com/fwlink/p/?LinkId=148275">Skip the details and check for&nbsp;the latest updates.</a></strong></p> <p>This bulletin announces the release of security updates for&nbsp;Windows, Microsoft Word, and other programs.<strong><br /></strong></p> <ul> <li><a href="http://www.microsoft.com/security/pc-security/updates.aspx">Learn how to get security updates automatically</a></li> <li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms14-feb">For IT Pros: Microsoft Security Bulletin 
Summary for February 2014</a></li> </ul> <p>To get more information about security updates and other privacy and security issues delivered to your email inbox,&nbsp;<a href="http://www.microsoft.com/security/resources/newsletter.aspx">sign up for our newsletter</a>.</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10498547" width="1" height="1"> MSRT February 2014 - Jenxcushttp://blogs.technet.com/b/mmpc/archive/2014/02/11/msrt-february-2014-jenxcus.aspxTue, 11 Feb 2014 17:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:e130694d-5d2f-4868-abf0-0008001e6074msft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/02/11/msrt-february-2014-jenxcus.aspx#comments<p>We have been seeing a lot more VBScript malware in recent months, thanks in large part to <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm:VBS/Jenxcus#tab=1">VBS/Jenxcus</a>. Jenxcus is a worm coded in VBScript that is capable of propagating via removable drives. Its payload opens a backdoor on an infected machine, allowing it to be controlled by a remote attacker. For the past few months we have seen the number of affected machines remain constantly high. For this reason we have included Jenxcus in the February release of the Microsoft <a href="http://www.microsoft.com/security/pc-security/malware-removal.aspx">Malicious Software Removal Tool </a>(MSRT).</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Jen1.png"><img style="height:272px;width:500px;" alt="Jenxcus machine infections" src="http://www.microsoft.com/security/portal/blog-images/a/Jen1.png" border="0" /></a></p> <p><em>Figure 1: Jenxcus machine infections October 2013 &ndash; January 2014</em></p> <p>Although Jenxcus is not very complex malware, it has been successful through social engineering: the malicious script file is commonly bundled with other programs. 
When the bundled program is executed, Jenxcus runs silently in the background. We have seen these bundled programs hosted on certain websites and also seeded in some torrent files.</p> <p>Figure 2 shows an example of a spoofed YouTube site that can be used to attack users of social media services such as Facebook and Twitter by luring them to watch a video. When the user attempts to play the video, the site serves a fake Flash Player update that is bundled with Jenxcus.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Jen2.png"><img style="height:355px;width:500px;" alt="Jenxcus is bundled with a fake Flash Player" src="http://www.microsoft.com/security/portal/blog-images/a/Jen2.png" border="0" /></a></p> <p><em>Figure 2: Jenxcus is bundled with a fake Flash Player update on a fake video hosting site </em></p> <p>Another reason Jenxcus affects a large number of machines is its worm capability, which propagates via removable drives. If a removable drive is found on the infected machine, most Jenxcus variants create a shortcut&nbsp;that uses the same name as personal files found on the drive. The shortcut points to a copy of the malware, so users can be caught off guard by thinking&nbsp;the shortcut link points to&nbsp;a trusted, clean file. As shown in Figure 3, when the shortcut link is run it silently executes <em>Servieca.vbs </em>in the background while also playing <em>my song.mp3 </em>to avoid raising the user's suspicion.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Jen3.png"><img alt="the shortcut link also runs Servieca.vbs" src="http://www.microsoft.com/security/portal/blog-images/a/Jen3.png" border="0" /></a></p> <p><em>Figure 3: When the shortcut link is run it will also silently execute Servieca.vbs</em></p> <p>Jenxcus also has backdoor capabilities: it connects to a host that provides it with commands to execute. 
The host is usually hardcoded into the worm. Most of the hosts use <em>no-ip.org</em> hostnames to avoid being easily traced.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Jen4.png"><img alt="Jenxcus uses no-ip.org as its host" src="http://www.microsoft.com/security/portal/blog-images/a/Jen4.png" border="0" /></a></p> <p><em>Figure 4: Jenxcus uses no-ip.org as its host</em></p> <p>The latest variants of Jenxcus are typically obfuscated to evade easy detection. Figure 5 shows an example of what an obfuscated Jenxcus variant looks like.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Jen5.png"><img style="height:225px;width:500px;" alt="Obfuscated Jenxcus variant" src="http://www.microsoft.com/security/portal/blog-images/a/Jen5.png" border="0" /></a></p> <p><em>Figure 5: An obfuscated Jenxcus variant</em></p> <p>In this particular example, the obfuscator inserted random garbage numbers and characters between the pieces of code.
Removing this garbage leaves decimal values that, when converted to ASCII characters, reveal the original code.</p> <p>Given the tricks and evasion techniques employed by Jenxcus, we recommend that you run up-to-date, real-time antimalware software and enable scanning of removable drives.</p> <p>Being vigilant about what you click and download will also help prevent Jenxcus and other threats from getting into your system.</p> <p><em>Francis Allan Tan Seng and Ferdinand Plazo</em><br /><em>MMPC</em></p><div style="clear:both;"></div>

<p><strong><a href="http://blogs.msdn.com/b/accessibility/archive/2014/02/11/microsoft-asks-people-to-do-1-thing.aspx">Microsoft Asks People to “Do 1 Thing”</a></strong><br />Tue, 11 Feb 2014 15:28:00 GMT, Daniel Hubbell - MSFT</p>

The following blog post was written by Ellen Kampel, Public Relations Manager for Accessibility at Microsoft. Ellen holds a Masters in Social Work (MSW) and works on technology issues related to aging and people with disabilities.
----- Microsoft... (<a href="http://blogs.msdn.com/b/accessibility/archive/2014/02/11/microsoft-asks-people-to-do-1-thing.aspx">read more</a>)

<p><strong><a href="http://blogs.technet.com/b/security/archive/2014/02/11/ask-your-employees-to-do-one-thing-today.aspx">Ask Your Employees to "Do 1 Thing" Today</a></strong><br />Tue, 11 Feb 2014 14:01:00 GMT, Tim Rains - Microsoft</p>

<p>One of the most important things an IT professional can do in any organization is help protect its employees from cybercriminal activity by raising the level of education and awareness around IT security. Doing so helps reduce risks to both employees and the company. While ongoing education is important, it can sometimes be challenging to get the attention of employees. Many of the IT professionals I talk with are interested in finding new ways to stimulate these conversations within their organization. One great way to do so is on Safer Internet Day (SID).
<a href="http://blogs.technet.com/b/security/archive/2014/02/11/ask-your-employees-to-do-one-thing-today.aspx">Read more</a></p> <p><em>Tags: Safer Internet Day, SID, Online Safety, Do One Thing</em></p>

<p><strong><a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/02/11/do1thing.aspx">Do one thing to stay safer online, today and every day</a></strong><br />Tue, 11 Feb 2014 14:00:00 GMT, Kim Sanchez, Director of Trustworthy Computing</p>

<p>Imagine how much safer we&rsquo;d all be if we each did one thing to stay safer online.</p> <p>As part of <a href="http://www.microsoft.com/security/resources/sid.aspx">Safer Internet Day 2014</a>, we&rsquo;re launching <a href="http://www.microsoft.com/saferonline">Safer Online</a>, a new interactive website where you can share your &ldquo;Do1Thing&rdquo; pledge, learn what others are doing to help protect themselves online, and get instant tips to enhance and better protect your digital lifestyle.</p> <p>Protecting yourself and your family online is easier than you think.</p> <p>Here&rsquo;s an example of one thing you can do right now:</p> <p><strong>To help spread the word,</strong> download and use the <a href="http://go.microsoft.com/?linkid=9843177" target="_blank">#Do1Thing icon</a> (JPG) from the Safer Online site as your social media profile picture to encourage others to join the Safer Internet Day (SID) movement.
We want you to share your story on the Safer Online website with others. When you do, Microsoft will make a donation to <a href="http://www.techsoup.org/">TechSoup Global</a>, a non-profit organization using technology to solve global problems and foster social change.</p> <p><iframe src="http://www.youtube.com/embed/ITe-roisNAc" frameborder="0" width="560" height="315"></iframe></p> <p><em>Take a quick tour of the new Safer Online consumer site that&rsquo;s inspiring people around the world to &ldquo;Do 1 Thing&rdquo; to protect themselves online.</em></p> <p>For more information about our work in Internet safety, visit our <a href="http://www.microsoft.com/security">Safety &amp; Security Center</a>.</p><div style="clear:both;"></div> <p><em>Tags: privacy, child safety, Microsoft, Safer Internet Day 2014, Do1Thing, TechSoup Global</em></p>

<p><strong><a href="http://blogs.technet.com/b/mmpc/archive/2014/02/10/a-journey-to-cve-2013-5330-exploit.aspx">A journey to CVE-2013-5330 exploit</a></strong><br />Mon, 10 Feb 2014 22:40:05 GMT, msft-mmpc</p>

<p>Recently, we&#39;ve seen a few attacks in the wild targeting a patched Adobe Flash Player vulnerability (<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5330">CVE-2013-5330</a>). This vulnerability was addressed by a <a href="https://www.adobe.com/au/support/security/bulletins/apsb13-26.html">patch released by Adobe</a> on November 12, 2013.
On the Windows platform, Flash Player version 11.9.900.117 and earlier are vulnerable.</p> <p>We had a chance to analyze how the attacks work and noted some interesting details from our investigation.</p> <p>The malicious file is distributed as a .swf file obfuscated with secureSWF and designed as a &ldquo;one-stop&rdquo; attack: it contains the vulnerability&rsquo;s trigger, the heap spray and shellcode, and an encrypted PE file (see figure 1).</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CVE1.png"><img alt="malicious .swf file" src="http://www.microsoft.com/security/portal/blog-images/a/CVE1.png" border="0" /></a></p> <p><em>Figure 1: The malicious .swf file</em></p> <p>This .swf exploit can be hosted on a web server and runs when the webpage is visited. When the .swf is loaded, the vulnerability is triggered. The .swf bypasses the memory-range validation and is able to access arbitrary locations. It builds a deliberately crafted VTABLE (figure 2) and uses it to pass control to a controlled location, which contains the &ldquo;Shim&rdquo; code (a small piece of code that runs before the shellcode), as shown in figure 3.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CVE2.png"><img style="height:263px;width:500px;" alt="Crafted VTABLE" src="http://www.microsoft.com/security/portal/blog-images/a/CVE2.png" border="0" /></a></p> <p><em>Figure 2: Crafted VTABLE for control transfer</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CVE3.png"><img style="height:223px;width:500px;" alt="Shim code" src="http://www.microsoft.com/security/portal/blog-images/a/CVE3.png" border="0" /></a></p> <p><em>Figure 3: The &ldquo;Shim&rdquo; code</em></p> <p>The &ldquo;Shim&rdquo; code calls VirtualProtect() to make the shellcode memory area writable and executable. After the VirtualProtect() call, control is passed to the shellcode.
The shellcode is short and pithy &ndash; only 140 bytes (see figure 4).</p> <p>Interestingly, the shellcode doesn&rsquo;t contain code to resolve the API addresses. Instead, the API addresses are resolved by the ActionScript (see figure 5; the placeholders for the API addresses are marked in red).</p> <p>The shellcode simply drops a PE file (already decrypted by the .swf) to the %temp% directory and loads it with a LoadLibrary() call. The dropped PE file (SHA1: 05446C67FF8C0BAFFA969FC5CC4DD62EDCAD46F5) is detected as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanSpy:Win32/Lurk">TrojanSpy:Win32/Lurk</a>. The telemetry for this file is shown in figure 6.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CVE4.png"><img style="height:297px;width:500px;" alt="shellcode" src="http://www.microsoft.com/security/portal/blog-images/a/CVE4.png" border="0" /></a></p> <p><em>Figure 4: Short and sweet &ldquo;shellcode&rdquo;</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CVE5.png"><img alt="ActionScript" src="http://www.microsoft.com/security/portal/blog-images/a/CVE5.png" border="0" /></a></p> <p><em>Figure 5: The ActionScript used to generate the shellcode</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CVE6.png"><img style="height:303px;width:500px;" alt="TrojanSpy:Win32/Lurk infections" src="http://www.microsoft.com/security/portal/blog-images/a/CVE6.png" border="0" /></a></p> <p><em>Figure 6: TrojanSpy:Win32/Lurk infected machines</em></p> <p>We have received reports that an iframe loading this malicious .swf file has been injected into some otherwise clean websites.
Visiting these websites with an outdated version of Flash Player can lead to a compromise of the machine.</p> <p>If you&#39;re using Flash Player version 11.9.900.117 or earlier, you need to update your Flash Player now to be protected against these attacks.</p> <p><em>Chun Feng</em><br /><em>MMPC</em></p><div style="clear:both;"></div>

<p><strong><a href="http://blogs.technet.com/b/msrc/archive/2014/02/10/advance-notification-service-for-february-2014-security-bulletin-release.aspx">Update (2/10) - Advance Notification Service for February 2014 Security Bulletin Release</a></strong><br />Mon, 10 Feb 2014 18:00:00 GMT, Dustin C. Childs</p>

<p><i>Update as of February 10, 2014</i></p> <p>We are adding two updates to the February release. There will be Critical-rated updates for Internet Explorer and VBScript in addition to the previously announced updates scheduled for release on February 11, 2014. These updates have completed testing and will be included in tomorrow&rsquo;s release.</p> <p>This brings the total for Tuesday&rsquo;s release to seven bulletins, four of them Critical. Please review the <a title="ANS summary page" href="http://technet.microsoft.com/security/bulletin/MS14-feb">ANS summary page</a> for updated information to help customers prepare for security bulletin testing and deployment.</p> <p>Thanks,<br /> Dustin</p> <p>------</p> <p>Today we are providing <a href="http://technet.microsoft.com/security/bulletin/MS14-feb">advance notification</a> for the release of five bulletins, two rated Critical and three rated Important, for February 2014. The Critical updates address vulnerabilities in Microsoft Windows and Security Software, while the Important-rated updates address issues in Windows and the .NET Framework.</p> <p>As usual, we&rsquo;ve scheduled the security bulletin release for the second Tuesday of the month, February 11, 2014, at approximately 10:00 a.m. PST. Revisit this blog then for analysis of the risk and impact, as well as deployment guidance, together with a brief video overview of the month&rsquo;s updates. Until then, please review the <a title="ANS summary page" href="http://technet.microsoft.com/security/bulletin/MS14-feb">ANS summary page</a> for more information that will help customers prepare for security bulletin testing and deployment.</p> <p>Don&rsquo;t forget, you can also follow the MSRC team&rsquo;s recent activity on Twitter at <a title="@MSFTSecResponse" href="https://twitter.com/msftsecresponse">@MSFTSecResponse</a>.</p> <p>Thank you,<br /><a title="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs" href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br />Group Manager, Response Communications<br />Microsoft Trustworthy Computing</p><div style="clear:both;"></div> <p><em>Tags: Microsoft Windows, Security Bulletins, ANS, .NET Framework, Internet Explorer (IE)</em></p>

<p><strong><a href="http://blogs.technet.com/b/security/archive/2014/02/10/norway-sweeps-in-with-bronze-medal.aspx">Norway Sweeps In With Bronze Medal</a></strong><br />Mon, 10 Feb 2014 14:54:00 GMT, Tim Rains - Microsoft</p>

<p>Norway could dominate cross-country skiing events this week, thanks to several renowned athletes already making headlines.
Whether it&rsquo;s skiers racing past their competition or not, Norway&rsquo;s cross-country efforts in computer security are already victorious, scooping up Microsoft&rsquo;s bronze medal as one of the world&rsquo;s best at keeping its environment free of malware. <a href="http://blogs.technet.com/b/security/archive/2014/02/10/norway-sweeps-in-with-bronze-medal.aspx">Read more</a></p> <p><em>Tags: Norway, threat landscape, SIRv15, Security Intelligence Report</em></p>

<p><strong><a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/02/08/support-for-windows-xp-ends-in-two-months-on-april-8-2014.aspx">Support for Windows XP ends in two months on April 8, 2014</a></strong><br />Sat, 08 Feb 2014 19:48:00 GMT, Eve Blakemore</p>

<p>On April 8, 2014, Microsoft will end support for its decade-old Windows XP operating system.
This means that after April 8 there will be no new security updates available through automatic updating for computers that are still running Windows XP.</p> <p>For more information, see <a href="http://windows.microsoft.com/en-us/windows/end-support-help">Support is ending soon</a>.</p> <p>Without critical security updates, your PC may become vulnerable to harmful viruses, spyware, and other malicious software that can steal or damage your business data and other personal information.</p> <p>Get more information about upgrading to <a href="http://www.microsoft.com/security/pc-security/windows7.aspx">Windows 7</a> and <a href="http://www.microsoft.com/security/pc-security/windows8.aspx">Windows 8</a>.</p><div style="clear:both;"></div> <p><em>Tags: security updates, security, Windows 7, Windows XP, Windows 8</em></p>

<p><strong><a href="http://blogs.msdn.com/b/accessibility/archive/2014/02/07/scientists-explore-how-technology-can-expand-human-rights-for-people-with-disabilities-and-everyone.aspx">Scientists Explore How Technology Can Expand Human Rights for People with Disabilities. and Everyone.</a></strong><br />Fri, 07 Feb 2014 16:47:15 GMT, Daniel Hubbell - MSFT</p>

The following blog post was written by James Thurston &ndash; Director of International Accessibility Policy at Microsoft.
James works with Microsoft&rsquo;s global subsidiaries, NGOs, and governments around the world to develop public policies that support... (<a href="http://blogs.msdn.com/b/accessibility/archive/2014/02/07/scientists-explore-how-technology-can-expand-human-rights-for-people-with-disabilities-and-everyone.aspx">read more</a>)

<p><strong><a href="http://blogs.technet.com/b/security/archive/2014/02/06/cleanest-countries-regions-jump-to-the-top-of-our-podium.aspx">Cleanest Countries/Regions Jump to the Top of Our Podium</a></strong><br />Thu, 06 Feb 2014 22:16:00 GMT, Tim Rains - Microsoft</p>

<p>As world-class winter athletes compete on the slopes of Russia today, we decided to celebrate our own global medalists &mdash; the countries/regions which had the fewest malware infections in the first half of 2013.
<a href="http://blogs.technet.com/b/security/archive/2014/02/06/cleanest-countries-regions-jump-to-the-top-of-our-podium.aspx">Read more</a></p> <p><em>Tags: SIRv15, Security Intelligence Report, Least Malware Infected Countries</em></p>

<p><strong><a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/02/06/get-advance-notice-about-february-2014-security-updates.aspx">Get advance notice about February 2014 security updates</a></strong><br />Thu, 06 Feb 2014 19:25:00 GMT, Eve Blakemore</p>

<p>Today, the Microsoft Security Response Center (MSRC) posted details about the <a href="http://technet.microsoft.com/en-us/security/bulletin/ms14-feb">February security updates</a>.</p> <p>If you have automatic updating turned on, most of these updates will download and install on their own. Sometimes you may need to provide input for Windows Update during an installation. In this case, you'll see an alert in the notification area at the far right of the taskbar&mdash;be sure to click it.</p> <p>In Windows 8, Windows turns on automatic updating during setup unless you turn it off.
To check this setting and turn on automatic updating, open the <a href="http://windows.microsoft.com/en-us/windows-8/charms" target="_blank"><strong>Search charm</strong></a>, enter <strong>automatic updating</strong>, and tap or click <strong>Settings</strong> to find it.</p> <p>For other versions of Windows, you can check whether automatic updating is turned on through Windows Update in Control Panel. If automatic updating is not turned on, you'll be guided through the steps to set it up. After that, all the latest security and performance improvements will be installed on your PC quickly and reliably.</p> <p><strong>If you are a technical professional</strong></p> <p>The <a href="http://www.microsoft.com/technet/security/Bulletin/advance.mspx">Microsoft Security Bulletin Advance Notification Service</a> offers details about security updates approximately three business days before they are released.
We do this to enable customers (especially IT professionals) to plan for effective deployment of security updates.</p> <p><a title="Sign up for security notifications" href="http://technet.microsoft.com/en-us/security/dd252948">Sign up for security notifications</a></p><div style="clear:both;"></div> <p><em>Tags: security updates, Microsoft, Advance Notification Service, ANS</em></p>

<p><strong><a href="http://blogs.technet.com/b/security/archive/2014/02/06/threats-in-the-cloud-part-2-distributed-denial-of-service-attacks.aspx">Threats in the Cloud – Part 2: Distributed Denial of Service Attacks</a></strong><br />Thu, 06 Feb 2014 16:54:00 GMT, Tim Rains - Microsoft</p>

<p>Organizations that operate or use Internet-connected services such as websites, portals and Cloud services need to be aware of threats that can disrupt service.
In the first part of this series I discussed Domain Name System (DNS) attacks and their potential to disrupt services and infect large numbers of users with malware. This article discusses Distributed Denial of Service (DDoS) attacks using insights from the latest volume of the <a href="http://www.microsoft.com/security/sir/archive/default.aspx">Microsoft Security Intelligence Report</a>, volume 15. <a href="http://blogs.technet.com/b/security/archive/2014/02/06/threats-in-the-cloud-part-2-distributed-denial-of-service-attacks.aspx">Read more</a></p> <p><em>Tags: Security Intelligence Report Volume 15, Distributed Denial of Service Attacks, SIRv15, DDOS, Threats in the Cloud</em></p>

<p><strong><a href="http://blogs.msdn.com/b/accessibility/archive/2014/02/06/blind-and-low-vision-seniors-dance-and-bowl-with-microsoft-xbox-games.aspx">Blind and low-vision seniors dance and bowl with Microsoft Xbox games</a></strong><br />Thu, 06 Feb 2014 14:02:00 GMT, Daniel Hubbell - MSFT</p>

"You go girl!" "You got this!" Shouts of encouragement echo through the main auditorium at VISIONS at Selis Manor (a senior center in midtown Manhattan) as participants take turns stepping up to face the bowling alley on the screen.
As each bowler winds... (<a href="http://blogs.msdn.com/b/accessibility/archive/2014/02/06/blind-and-low-vision-seniors-dance-and-bowl-with-microsoft-xbox-games.aspx">read more</a>)

<p><strong><a href="http://blogs.msdn.com/b/accessibility/archive/2014/02/05/university-of-washington-scientists-engage-in-basic-mind-control.aspx">University of Washington Scientists Engage In Basic Mind Control</a></strong><br />Wed, 05 Feb 2014 16:48:00 GMT, Daniel Hubbell - MSFT</p>

Breakthrough Could Someday Help Those with Limited Motion

The power to control someone else&rsquo;s mind has been a staple of science fiction movies for decades. Now two University of Washington researchers have managed a basic form of mind control... (<a href="http://blogs.msdn.com/b/accessibility/archive/2014/02/05/university-of-washington-scientists-engage-in-basic-mind-control.aspx">read more</a>)

<p><strong><a href="http://blogs.technet.com/b/security/archive/2014/02/04/threats-in-the-cloud-part-1-dns-attacks.aspx">Threats in the Cloud – Part 1: DNS Attacks</a></strong><br />Tue, 04 Feb 2014 17:12:00 GMT, Tim Rains - Microsoft</p>

<p>The popularity of Cloud services has increased immensely over the past few years. Transparency into how these services are architected and managed has played a big role in this growth story.
Many of the CISOs I talk to about leveraging Cloud services want insight into the types of threats that Cloud services face, in order to feel comfortable hosting their organization&rsquo;s data and applications in the Cloud. In the latest volume of the <a href="http://www.microsoft.com/security/sir/archive/default.aspx">Microsoft Security Intelligence Report</a>, volume 15, we include details on a couple of threats that Cloud service providers and their customers should be aware of. For organizations that have been running their own data centers and web properties, these threats will be familiar and come as no surprise: attacks on the global Domain Name System (DNS) infrastructure and Distributed Denial of Service (DDoS) attacks are something that proprietors of Internet-connected IT infrastructures and Cloud services, big and small, need to be aware of and plan for in order to manage the risk of interruption to their operations. These attacks have the potential to interrupt Internet services such as websites, portals, and Cloud services, and to infect Internet-connected devices with malware.
<a href="http://blogs.technet.com/b/security/archive/2014/02/04/threats-in-the-cloud-part-1-dns-attacks.aspx">Read more</a></p> <p><em>Tags: Security Intelligence Report Volume 15, DNS Attacks, SIRv15, Domain Name System Attacks, Threats in the Cloud, Cybersecurity</em></p>

<p><strong><a href="http://blogs.msdn.com/b/accessibility/archive/2014/02/03/accessibility-makes-it-to-super-bowl.aspx">Accessibility Makes It to Super Bowl</a></strong><br />Mon, 03 Feb 2014 23:36:47 GMT, Daniel Hubbell - MSFT</p>

This blog post was written by Bonnie Kearney, Director of Accessibility &amp; Aging Communications at Microsoft. Bonnie has been with Microsoft for more than 18 years and is especially passionate about building awareness for technology that improves the... (<a href="http://blogs.msdn.com/b/accessibility/archive/2014/02/03/accessibility-makes-it-to-super-bowl.aspx">read more</a>)

<p><strong><a href="http://blogs.msdn.com/b/accessibility/archive/2014/02/03/any-given-sunday-and-achieving-our-full-potential.aspx">Super Seattle Sunday Shows the Power of Accessible Technology</a></strong><br />Mon, 03 Feb 2014 23:30:00 GMT, Daniel Hubbell - MSFT</p>

This blog post was written by Rob Sinclair, Microsoft&rsquo;s Chief Accessibility Officer.
Rob is responsible for the company's worldwide strategy to develop software and services that make it easier for people of all ages and abilities to see, hear,... (<a href="http://blogs.msdn.com/b/accessibility/archive/2014/02/03/any-given-sunday-and-achieving-our-full-potential.aspx">read more</a>)

<p><strong><a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/01/31/placeholder-brussels-transparency-center.aspx">Microsoft announces Brussels Transparency Center at Munich Security Conference</a></strong><br />Fri, 31 Jan 2014 19:49:22 GMT, Trusted Cloud Team</p>

<p><strong>By Brendon Lynch, Chief Privacy Officer</strong></p> <p>Today my colleague Matt Thomlinson, Vice President, Microsoft Security, was on a panel entitled &ldquo;Rebooting Trust? Freedom vs. Security in Cyberspace&rdquo; at the long-standing (it is in its 50th year!) Munich Security Conference.</p> <p>He also discussed a number of efforts afoot to protect customer data from government snooping: expanding encryption across our services; reinforcing legal protections for our customers&rsquo; data; and enhancing the transparency of our software code, including establishing a number of locations called Transparency Centers, to enable even greater assurances of the integrity of our products and services.</p> <p>Matt announced that Microsoft will open a Transparency Center in Brussels, one of several around the world. <a target="_blank" href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/01/31/placeholder-brussels-transparency-center.aspx">Read more &gt;&gt;</a></p> <p><em>Tags: cloud security, Customers, Cloud, cyber threats, cybernorms, Trust, Big Data, IT, Technology, Cybersecurity, Security, Cloud Computing, cyber security, data centers, cloud services, Trustworthy Computing, Microsoft, Information Security, Data, Europe, Privacy, Microsoft Cloud Solutions</em></p>

<p><strong><a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/01/30/a-coordinated-approach-to-eradicating-malware.aspx">A coordinated approach to eradicating malware</a></strong><br />Thu, 30 Jan 2014 17:54:09 GMT, Trusted Cloud Team</p>

<p><strong>By TwC Staff</strong></p> <p>Microsoft and others in the technology industry have worked together for many years to disrupt malicious software, or malware, and to reduce its impact on customers. But despite those efforts, many malware families live on, continuing to infect computers and cause damage well after they are discovered.</p> <p>Can industry leaders come together and begin eliminating malware once and for all? <a target="_blank" href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/01/30/a-coordinated-approach-to-eradicating-malware.aspx">Read more &gt;&gt;</a></p> <p><em>Tags: cloud security, Customers, threat landscape, risk management, cyber threats, Mitigations, Trust, Big Data, Technology, Cybersecurity, Collective Defense, Security, cyber security, Trustworthy Computing, Microsoft, Information Security, exploits, security community, IT Pros</em></p>

<p><strong><a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/01/30/the-best-time-to-change-your-password-is-now.aspx">The best time to change your password is now</a></strong><br />Thu, 30 Jan 2014 16:29:00 GMT, Eve Blakemore</p>

<p>You can reduce your chances of being hacked by regularly changing the passwords on all the accounts where you enter financial or other sensitive information. Set an automatic reminder to update the passwords on your email, banking, and credit card websites every three months.</p> <p>Different sites have different rules for the passwords they&rsquo;ll accept, but here is some basic guidance on how to create strong passwords:</p> <ul> <li><strong>Length.</strong> Make your passwords at least eight (8) characters long.</li> <li><strong>Complexity.</strong> Include a combination of at least three (3) upper and/or lowercase letters, punctuation, symbols, and numerals. The more variety of characters in your password, the better.</li> <li><strong>Variety.</strong> Don't use the same password for everything.
Cybercriminals can steal passwords from websites that have poor security and then use those same passwords to target more secure environments, such as banking websites.</li> </ul> <p>Learn more about how to <a href="https://www.microsoft.com/security/pc-security/password-checker.aspx">create strong passwords</a> and <a href="http://www.microsoft.com/security/pc-security/protect-passwords.aspx">protect your passwords</a>.</p> <p>If you think someone has gone into your account and changed your password, learn how to <a href="http://www.microsoft.com/security/online-privacy/hacked-account.aspx">recover a hacked account</a>.</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10495108" width="1" height="1">fraudphishingprivacychild safetyonline shoppinghotmailonline safetyonline reputationcybersecuritycybersafetycybercriminalspasswordsOutlook.com Breaking Barriers: Exergamers NYC project at Selfhelp in Queenshttp://blogs.msdn.com/b/accessibility/archive/2014/01/30/breaking-barriers-exergamers-nyc-project-at-selfhelp-in-queens.aspxThu, 30 Jan 2014 15:46:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10492597Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10492597http://blogs.msdn.com/b/accessibility/archive/2014/01/30/breaking-barriers-exergamers-nyc-project-at-selfhelp-in-queens.aspx#commentsThe bowling league at the Selfhelp Benjamin Rosenthal Prince Street Senior Center in Flushing, Queens, might be the most diverse sports team in NYC. 
Ranging in age from 60 to 92, the players represent many countries, and speak a variety of languages....(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/01/30/breaking-barriers-exergamers-nyc-project-at-selfhelp-in-queens.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10492597" width="1" height="1"> Building reliable cloud serviceshttp://blogs.technet.com/b/trustworthycomputing/archive/2014/01/29/building-reliable-cloud-services.aspxThu, 30 Jan 2014 00:08:59 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:8264ea7c-fb57-47ac-b125-5a5080b4587aTrusted Cloud Team0<p><strong>By David Bills, Chief Reliability Strategist</strong></p> <p>Reliability continues to be top of mind for everyone involved with online services. Today we are publishing an updated version of our whitepaper <a href="http://download.microsoft.com/download/5/9/3/59382FDF-93C6-45BC-8A58-C98131D6C402/An%20introduction%20to%20designing%20reliable%20cloud%20services%20January%202014.pdf" target="_blank">&ldquo;Introduction to Designing Reliable Cloud Services</a>&rdquo;.</p> <p>The paper describes fundamental reliability concepts and a reliability design-time process for organizations that create, deploy, and/or consume cloud services. 
It is designed to help decision makers understand the factors and processes that make cloud services more reliable.&nbsp; <a href="/b/trustworthycomputing/archive/2014/01/28/building-reliable-cloud-services.aspx" target="_blank">Read more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/01/29/building-reliable-cloud-services.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3621607&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">practicesCustomersrisk managementRecoveryReliableCloudReliabilityTrustprivacy and reliabilitycustomer perspectiveTechnologyExpert OpinionsCloud Computingdata centerscloud servicesTrustworthy ComputingData What are your privacy perceptions?http://blogs.msdn.com/b/securitytipstalk/archive/2014/01/28/what-are-your-privacy-perceptions.aspxTue, 28 Jan 2014 20:45:06 GMT91d46819-8472-40ad-a661-2c78acb4018c:10495099Eve Blakemore8http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10495099http://blogs.msdn.com/b/securitytipstalk/archive/2014/01/28/what-are-your-privacy-perceptions.aspx#comments<p>To mark Data Privacy Day 2014, Microsoft released results of a survey measuring consumer privacy perceptions in the United States and Europe. According to our research, people in the United States estimate they have about 50 percent control over the way their information is used online. In Europe, it&rsquo;s about 40 percent.&nbsp;</p> <p>At Microsoft, we&rsquo;re committed to earning customer trust by demonstrating accountability and an inherent respect for privacy. 
Individuals expect us to prioritize their privacy and incorporate strong privacy protections into our products and services and we are constantly looking for ways to innovate on privacy in support of our customers.</p> <p><a href="http://www.microsoft.com/en-us/twc/privacy/data-privacy-day.aspx"><img src="http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-72-21/2313.DPD_2D00_2014.jpg" alt="" border="0" /></a></p> <p>For more information, see <a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2014/01/27/marking-data-privacy-day-with-dialogue-and-new-data.aspx">Marking Data Privacy Day with dialogue and new data</a>, a blog post by Brendon Lynch, Chief Privacy Officer at Microsoft.</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10495099" width="1" height="1">privacyData Privacy Day Two new papers help show the value of data classification http://blogs.technet.com/b/trustworthycomputing/archive/2014/01/28/two-new-papers-help-show-the-value-of-data-classification.aspxTue, 28 Jan 2014 17:05:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:79b2c6a7-9643-4b55-8330-fef54d950f68Trusted Cloud Team0<p><strong>By Adrienne Hall, General Manager, Trustworthy Computing</strong></p> <p>Data classification is one of the most basic ways for organizations to determine and assign relative values to the data they possess. 
By separating data into categories based on sensitivity (high, medium or low, for example), an organization can set protections and procedures for managing that data accordingly.&nbsp; This process can yield significant benefits, such as compliance efficiencies, improved resource management, and facilitation of migration to the cloud.&nbsp; <a title="http://blogs.technet.com/b/trustworthycomputing/archive/2014/01/28/two-new-papers-help-show-the-value-of-data-classification.aspx" href="/b/trustworthycomputing/archive/2014/01/28/two-new-papers-help-show-the-value-of-data-classification.aspx" target="_blank">Read more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/01/28/two-new-papers-help-show-the-value-of-data-classification.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3621519&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">CSAcloud securityAdrienne HallCloudCIOsTrustCybersecurityCloud Security AllianceSecurity ResearchSecurityCloud Computingcyber securitycloud servicesTrustworthy ComputingMicrosoftDataMicrosoft Cloud Solutions Windows Developer Quietly Creates Apps to Help People with Disabilities Communicatehttp://blogs.msdn.com/b/accessibility/archive/2014/01/28/windows-developer-quietly-creates-apps-to-help-people-with-disabilities-communicate.aspxTue, 28 Jan 2014 15:41:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10492595Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10492595http://blogs.msdn.com/b/accessibility/archive/2014/01/28/windows-developer-quietly-creates-apps-to-help-people-with-disabilities-communicate.aspx#commentsThe following blog post was written by Paul Nyhan, a staff writer with the Microsoft Accessibility Blog. Paul is a 20-year journalism veteran who has written extensively about disability issues. 
----- Many days Guy Barker is on his home computer...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/01/28/windows-developer-quietly-creates-apps-to-help-people-with-disabilities-communicate.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10492595" width="1" height="1"> Coordinated malware eradicationhttp://blogs.technet.com/b/mmpc/archive/2014/01/27/industry-needs-to-work-together-to-eradicate-malware.aspxTue, 28 Jan 2014 07:30:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:856f599c-7531-4f88-b32b-5dc880a0e891msft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/01/27/industry-needs-to-work-together-to-eradicate-malware.aspx#comments<div class="ExternalClass0D182C4AD1BA4CB28EB2D34D6A3DF12E"> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">Today, as an industry, we are very effective at disrupting malware families, but those disruptions rarely eradicate them. Instead, the malware families linger on, rearing up again and again to wreak havoc on our customers.&nbsp;</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">To change the game, we need to change the way we work.</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">It is counterproductive when you think about it. The antimalware ecosystem encompasses many strong groups: security vendors, service providers, CERTs, anti-fraud departments, and law enforcement. Each group uses their own strengths and methods to protect their customers and constituents. Each group is able to claim victory from their efforts, but the malware families retain a significant advantage. No matter how big, the reach of each antimalware ecosystem player only extends so far. As a result, our adversaries only need to shift just a bit beyond that reach to get back in business. 
For example, let&rsquo;s assume an advertising network identifies and shuts down a click-fraud attack.&nbsp; This is great for the network and its advertisers, but the bad guys need only to pivot and attack another advertising network to remain in business. And this time, maybe the bad guys are more effective, because now they&rsquo;re more educated about the need for resiliency and continuity.</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">By not working together, we have yielded our advantage to the malware authors. They can see the reach of our tools, and they can dance away from each of us. While we are disrupting them, we are also making them more resilient and more efficient.</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">If we want to fight effectively and protect our customers and constituents, we need to eradicate the malware families. To do this, we must coordinate our collective scope and reach so that the bad guys have no room to dance away. Of course, some coordination already exists within the industry today. Antimalware vendors exchange malware samples, prevalence information, and even clean file metadata. They participate with CERTs, ISPs, and law enforcement in sinkholes and takedowns. 
But it hasn&rsquo;t been enough: a quick glance at the age of the detections that we&rsquo;re still using to find our top malware families shows that we are not&nbsp;eradicating them.</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA"><a href="http://www.microsoft.com/security/portal/blog-images/a/Group1a.png"><img class="ms-rtePosition-4" style="height:491px;width:600px;" alt="Graph of malware encounters" src="http://www.microsoft.com/security/portal/blog-images/a/Group1a.png" border="0" /></a></p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA"><em>Figure 1: Malware encounters on Microsoft real-time protection products September 1, 2013 - January&nbsp;25, 2014</em></p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">Getting to a more&nbsp;coordinated eradication effort for each malware family will require much&nbsp;stronger industry partnerships. It also needs new partnerships with financial institutions, payment networks, large internet services, and software bundlers. Each partnership will increase our collective ability to present a unified front, thereby reducing the bad guys&rsquo; ability to evade and profit.</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">Tighter coordination is a natural evolution of the malware protection industry, and it is already beginning. For example, when Microsoft teamed up with Europol&rsquo;s European Cybercrime Centre (EC3), the Federal Bureau of Investigation (FBI), a number of ISPs and A10 Networks against the Sirefef/ZeroAccess botnet, the results went far beyond a few days of disruption.&nbsp; Faced with a broadly coordinated action against their IP addresses, Sirefef authors waved the white flag. They are not quite eradicated, but they&rsquo;re certainly heading that way.</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">While these efforts are working against malware authors, they are essentially one-offs. 
We have hundreds of active malware families that require eradication, and we need a repeatable model that will scale.</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">We have talked about <a href="http://www.microsoft.com/security/portal/mmpc/shared/protection.aspx">the scope of Microsoft&rsquo;s customer-focused approach</a>, and how we are sharing malware telemetry information. We want to take it much further. We need to create a structure that makes it easy to coordinate campaigns and share more types of information across the entire antimalware ecosystem.</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">The time has come to do this now. We need committed antimalware ecosystem partners to join together in coordinated campaigns to eradicate malware families. Here are some examples of how partners can help with their tools, reach, and scope:</p> <div class="ExternalClass41FA3300299B487FB25C66B049327DFA"> <ul> <li><strong>Security vendors:</strong> By sharing detection methods, malware behavior, and unpacking techniques, vendors can more quickly identify and block the malware families as they appear on network-connected endpoints and servers.</li> <li><strong>Financial institutions, online search, and advertising businesses:</strong> With better fraudulent behavior identification, these organizations can starve malware authors of their ill-gotten gains.</li> <li><strong>CERTs and ISPs:</strong> Armed with vetted lists, CERTs and ISPs can block and take down deploy sites, and command and control servers.</li> <li><strong>Law enforcement:</strong> Using correlated evidence, law enforcement can prosecute the people and organizations behind the malware.</li> </ul> </div> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Group2a.png"><img class="ms-rtePosition-4" style="height:336px;width:600px;" alt="Antimalware ecosystem coordinated eradication" src="http://www.microsoft.com/security/portal/blog-images/a/Group2a.png" 
border="0" /></a></p> <p><em>Figure 2: The antimalware ecosystem&rsquo;s coordinated malware eradication</em></p> <p>The challenge is how we can all work together&nbsp;in a way that&rsquo;s efficient and long-lasting. Microsoft is committed to helping drive this industry effort&nbsp;forward. We are beginning by looking at what we can contribute to such a community, and we are asking our antimalware ecosystem partners to do the same.</p> <p>Several industry events are coming up this spring and summer. For example, RSA in San Francisco in February 2014, DCC in Singapore and&nbsp;the&nbsp;PCSL/IEEE Malware Conference in Beijing in March 2014, the May 2014 CARO Workshop in Florida, and the June 2014 FIRST event in Boston. These are great opportunities to hammer out a working framework for making coordinated malware eradication a reality. Microsoft will be hosting discussions at these events to do just that.<span class="ms-rteForeColor-2" style="color:#ff0000;">*</span></p> <p>I look forward to your feedback and on-going conversations about coordinated malware eradication.</p> <p><em>Dennis Batchelder</em><br /><em>MMPC&nbsp;</em></p> <p><em><span class="ms-rteForeColor-2" style="color:#ff0000;">* </span>To join the discussions at these events, please contact us at <a href="mailto:cme-invite@microsoft.com">cme-invite@microsoft.com</a>.</em></p> </div><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3621530&AppID=6258&AppType=Weblog&ContentType=0" width="1" height="1"> NYC LGBT seniors compete in virtual bowling tournaments with Microsoft Xboxhttp://blogs.msdn.com/b/accessibility/archive/2014/01/23/nyc-exergamers-1.aspxThu, 23 Jan 2014 17:24:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10492190Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10492190http://blogs.msdn.com/b/accessibility/archive/2014/01/23/nyc-exergamers-1.aspx#commentsBarbara Police, 64, loved bowling since she was a kid. 
After she lost her sight 14 years ago, she was able to continue playing at a specially constructed bowling alley for people with visual impairments. But several years ago, a shoulder injury made it...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/01/23/nyc-exergamers-1.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10492190" width="1" height="1"> Antimalware Support for Windows XP and the January 2014 Security Bulletin Webcast and Q&Ahttp://blogs.technet.com/b/msrc/archive/2014/01/17/antimalware-support-for-windows-xp-and-the-january-2014-security-bulletin-webcast-q-amp-a-and-slide-deck.aspxFri, 17 Jan 2014 18:35:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:719b1efd-a13e-4f32-8050-7998a5367a51Dustin C. Childs0<p><span style="font-size:small;">Today we&rsquo;re publishing the </span><a href="http://blogs.technet.com/b/msrc/p/january-2014-security-bulletin-q-a.aspx"><span style="color:#0000ff;font-size:small;">January 2014 Security Bulletin Webcast Questions &amp; Answers page</span></a><span style="font-size:small;">.&nbsp; We answered 16 questions in total, with the majority of questions focusing on the Dynamics AX bulletin (</span><a href="https://technet.microsoft.com/security/bulletin/ms14-004"><span style="color:#0000ff;font-size:small;">MS14-004</span></a><span style="font-size:small;">), the update for Microsoft Word (</span><a href="https://technet.microsoft.com/security/bulletin/ms14-001"><span style="color:#0000ff;font-size:small;">MS14-001</span></a><span style="font-size:small;">) and the re-release of the Windows 7 and Windows Server 2008 R2 updates provided through </span><a href="https://technet.microsoft.com/security/bulletin/ms13-081"><span style="color:#0000ff;font-size:small;">MS13-081</span></a><span style="font-size:small;">.</span></p> <p><span style="font-size:small;">We also wanted to point out a </span><a 
href="http://blogs.technet.com/b/mmpc/archive/2014/01/15/microsoft-antimalware-support-for-windows-xp.aspx"><span style="color:#0000ff;font-size:small;">new blog</span></a><span style="font-size:small;"> from the Microsoft Malware Protection Center (MMPC) detailing antimalware support for Windows XP beyond April 8, 2014. Although there will be no new security updates for Windows XP after this date, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015.</span></p> <p><span style="font-family:Calibri;font-size:small;"><a href="http://www.youtube.com/v/Qbiw-P6JWyo?hl=en_US&amp;version=3">Video (YouTube)</a></span></p> <p><span style="font-size:small;">We invite you to join us for the next scheduled webcast on Wednesday, February 12, 2014, at 11 a.m. PST (UTC -8), when we will go into detail about the February bulletin release and answer your bulletin deployment questions live on the air. </span></p> <p><span style="font-size:small;">You can register to attend the webcast at the link below:</span></p> <p><strong><span style="font-size:small;">Date: Wednesday, February 12, 2014</span></strong><b><br /><span style="font-size:small;"> <strong>Time: 11:00 a.m. 
PST (UTC -8)</strong><br /> <strong>Register: </strong></span></b><a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572879&amp;Culture=en-US"><strong><span style="color:#0000ff;font-size:small;">Attendee Registration</span></strong></a></p> <p><span style="font-size:small;">I look forward to seeing you next month.</span></p> <p><span style="font-size:small;">Thanks,</span></p> <p><span style="font-family:Times New Roman;font-size:small;"> </span><a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs"><span style="color:#0000ff;">Dustin Childs</span></a><br /> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3620684&AppID=4571&AppType=Weblog&ContentType=0" width="1" height="1">Microsoft WindowsBulletin WebcastCustomer QuestionsQ&amp;AMicrosoft DynamicsMicrosoft Office Microsoft antimalware support for Windows XPhttp://blogs.technet.com/b/mmpc/archive/2014/01/15/microsoft-antimalware-support-for-windows-xp.aspxWed, 15 Jan 2014 20:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:0e545d6d-d0d6-4f9c-839e-62196764acafmsft-mmpc17http://blogs.technet.com/b/mmpc/archive/2014/01/15/microsoft-antimalware-support-for-windows-xp.aspx#comments<div class="ExternalClassE3FCE4E09F5744C8AC952CE7B28FF10F"> <p>Microsoft has announced the Windows XP end of support date of April 8, 2014. After this date, Windows XP will no longer be a supported operating system<span style="color:#ff0000;">*</span>. 
To help organizations complete their migrations, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015.</p> <p>This does not affect the end-of-support date of Windows XP, or the supportability of Windows XP for other Microsoft products, which deliver and apply those signatures.</p> <p>For enterprise customers, this applies to System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection and Windows Intune running on Windows XP. For consumers, this applies to Microsoft Security Essentials.</p> <p>Our research shows that the effectiveness of antimalware solutions on out-of-support operating systems is limited. Running a well-protected solution starts with using modern software and hardware designed to help protect against today&rsquo;s threat landscape.</p> <p>Microsoft recommends best practices to protect your PC such as:</p> <ul> <li>Using modern software that has advanced security technologies and is supported with regular security updates</li> <li>Regularly applying security updates for all software installed</li> <li>Running up-to-date anti-virus software.</li> </ul> <p>Our goal is to provide great antimalware solutions for our consumer and business customers. We will continue to work with our customers and partners in doing so, and help our customers complete their migrations as Windows XP end of life approaches.</p> <p><strong><i>MMPC</i></strong></p> <p><i><span style="color:#ff0000;">* </span>We&#39;ve received some inquiries about what &quot;no longer supported operating system&quot; means. 
To clarify, this means that, after April 8, 2014, Windows XP users will no longer receive new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates from Microsoft.</i></p> <p><em>February 5, 2014: We&rsquo;ve received several inquiries about the difference between security updates and antimalware signatures, as well as the Malicious Software Removal Tool (MSRT) for Windows XP. You can find answers to these questions and more on our <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download?os=winxp&amp;arch=other">Windows XP end of support</a> page.</em></p> </div><div style="clear:both;"></div> Protection metrics – December resultshttp://blogs.technet.com/b/mmpc/archive/2014/01/14/protection-metrics-december-results.aspxWed, 15 Jan 2014 00:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:e957b271-8884-4288-beed-a40ffa3fd395msft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/01/14/protection-metrics-december-results.aspx#comments<div class="ExternalClass5E4213CAA98A4E27832435EA2E5474C8"> <p>Happy New Year! December 2013 was an exciting month for monitoring <a href="http://www.microsoft.com/security/portal/mmpc/shared/protection.aspx">our protection results</a> and watching malware trends. The good news - our customer infection rate for December (0.06 percent) was lower than any other month in 2013 and one third the size of our peak in <a href="http://blogs.technet.com/b/mmpc/archive/2013/11/26/our-protection-metrics-october-results.aspx">October</a>. 
The <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Sefnit">Win32/Sefnit</a> trio mentioned in the October and <a href="http://blogs.technet.com/b/mmpc/archive/2013/12/23/protection-metrics-november-results.aspx">November</a> 2013 results declined even more significantly than last month. Even better, <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Sirefef">Win32/Sirefef</a> malware development appears to have stopped after <a href="http://blogs.technet.com/b/microsoft_blog/archive/2013/12/19/zeroaccess-criminals-wave-white-flag-the-impact-of-partnerships-on-cybercrime.aspx">the disruption effort</a> led by the Microsoft Digital Crimes Unit. <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Wysotot">Win32/Wysotot</a> also suffered significant declines. More on these families in the year in review section below.</p> <p>As for our other protection metrics, our performance metrics were consistent, and although incorrect detections remained low, we picked up one more crafted file attack. This was a specially crafted clean file designed to trick antimalware vendors into incorrectly detecting a good program as malicious. This file raised our impact to 0.001 percent (or one in 100,000, in comparison to normal months where the impact is closer to 1 in 1,000,000). Along with improving our own processes to thwart these attack attempts on our systems, Dennis Batchelder and Hong Jia gave a <a href="http://www.virusbtn.com/conference/vb2013/abstracts/LM7-JiaBatchelder.xml">presentation on this attack technique at VirusBulletin</a> to help other vendors (from our data, we could see that there were several vendors who also appeared to be targets) discover and prevent these attacks from affecting customers.</p> <p><strong>Malware infections - Year in review</strong></p> <p>December 2013 was a good end to a tumultuous year. 
Figure 1 shows that although in this last quarter, our infection rates rose primarily due to the Sefnit trio, our overall rates ended on a good note with the decline of many malware families. Although fighting malware can often feel like whack-a-mole, seeing major families disappear into oblivion and the overall malware infection rate decline feels like a win in our industry.</p> <p>Figure 2 highlights several major families that, earlier in the year, were contributing significantly to infections affecting Microsoft customers in addition to the overall infection rate (also shown on our <a href="http://www.microsoft.com/security/portal/mmpc/shared/protection-prev.aspx">protection metrics trend page</a>.)</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Decmet1.png"><img style="width:500px;" alt="2013 average infection rates" src="http://www.microsoft.com/security/portal/blog-images/a/Decmet1.png" border="0" /></a></p> <p><em>Figure 1: 2013 average daily infection rates</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Decmet2.png"><img style="width:500px;" alt="Malware family contributions to infections - 2013" src="http://www.microsoft.com/security/portal/blog-images/a/Decmet2.png" border="0" /></a></p> <p><em>Figure 2: 2013 malware infections by family</em></p> <p>First, I&#39;ll talk about <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/FakeRean">FakeRean</a>. This family poses as fake security software, which, as a category, took a dive in 2013 as we reported in the last Security Intelligence Report (<a href="http://www.microsoft.com/security/sir/default.aspx">SIRv15</a>). FakeRean practically disappeared by July 2013.</p> <p>Next, the Sefnit trio. 
Sefnit, a family that has been around for some time, made a strong comeback in 2013 and was given a strong assist by several trojans (<a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Rotbrow">Rotbrow</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Brantall">Brantall</a>) used to distribute it. We took the fight to several fronts. One of the methods of distribution for Sefnit is through Tor. <a href="http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx">We worked with the Tor project</a> to clean up the clients that were installed by Sefnit, preventing further abuse. We also took out the new distributors &ndash; Rotbrow and Brantall &ndash; reaching out to our MVI and VIA partners to ensure they also detected them. By December 2013, all three were in significant decline, and Sefnit impact is down to a trickle in comparison to the surge we saw in September and October 2013.</p> <p>Wysotot, a new family that emerged late in 2013, hit a few highs in October and November, but slowed per our telemetry in December.</p> <p>Last but not least, Sirefef. This family started becoming very prevalent in 2012. Originally focusing on click-fraud and employing techniques that make it really difficult to remove once installed, this threat quickly became a concern. In 2013, we started collaborating with the Digital Crimes Unit to apply some novel disruption techniques to squeeze this malware family out of existence. As figures 2 and 3 show, it worked. 
The malware authors even responded with a somewhat humorous &quot;white flag&quot; in their code and appear to have stopped development of their family altogether.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Decmet3.png"><img style="width:500px;" alt="Sirefef encounter rates" src="http://www.microsoft.com/security/portal/blog-images/a/Decmet3.png" border="0" /></a></p> <p><em>Figure 3: Sirefef encounters for Microsoft real-time protection customers</em></p> <p>Of course these families could make a comeback. We&#39;ll be here waiting for them when they try.</p> <p><em>Holly Stewart</em></p> <p><em>MMPC</em></p> </div><div style="clear:both;"></div> MSRT January 2014 – Bladabindihttp://blogs.technet.com/b/mmpc/archive/2014/01/14/msrt-january-2014-bladabindi.aspxTue, 14 Jan 2014 22:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:c085606d-d5b4-4cbd-b61b-3a669e22e5d0msft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/01/14/msrt-january-2014-bladabindi.aspx#comments<div class="ExternalClass43A52BA06D4F4DE3BC0A37069AEC6139"> <p>This month the Malicious Software Removal Tool (MSRT) includes a new malware family - <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=MSIL/Bladabindi">MSIL/Bladabindi</a>. An interesting part of this family is that the author made three versions of this RAT, written in VB.NET, VBS and AutoIt. The malware builder is also publicly available for download.</p> <p>Because of this, there are many variants in this family, and they spread in many different ways, such as Facebook messages and hacked websites. Once installed, malware in this family can be used to take control of a PC and steal sensitive information. 
We added Bladabindi to the MSRT due to its prevalence throughout 2013.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Blada1.png"><img style="height:305px;width:500px;" alt="Telemetry data showing the prevalence of Bladabindi" src="http://www.microsoft.com/security/portal/blog-images/a/Blada1.png" border="0" /></a></p> <p><em>Figure 1: Telemetry data showing the prevalence of Bladabindi</em></p> <p>Bladabindi variants can be created by using the Remote Access Tool (RAT) known as &quot;NJ Rat&quot;. We detect this RAT as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=VirTool:MSIL/Bladabindi.A">VirTool:MSIL/Bladabindi.A</a>. Bladabindi can also be downloaded by recent variants of the <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Jenxcus">Jenxcus family</a>, which likely has the same author as Bladabindi.</p> <p>Recently its author released a dedicated downloader that fetches Bladabindi and runs it directly from memory - we detect this as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:MSIL/Bladabindi.A">TrojanDownloader:MSIL/Bladabindi.A</a>.</p> <p>Bladabindi variants are usually installed with an enticing name and icon to trick people into running them. The following are some sample file names:</p> <ul> <li>فيس بوك.exe &ndash; (<i>Facebook.exe</i>)</li> <li>فيديو قتلى المجموعات الإرهابية.exe &ndash; (<i>Video killed the terrorist groups.exe</i>)</li> <li>! 
My Picutre.SCR</li> <li>Windows_7_Activators.exe</li> <li>hot.exe</li> <li>StartupFaster.exe</li> </ul> <p>Below are some sample icons:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Blada2.png"><img style="height:370px;width:500px;" alt="Some file icons used by Bladabindi" src="http://www.microsoft.com/security/portal/blog-images/a/Blada2.png" border="0" /></a></p> <p><em>Figure 2: Some file icons used by Bladabindi</em></p> <p>Bladabindi is written in VB.NET, and is usually obfuscated with various .NET obfuscators to avoid detection. It uses undocumented APIs to make itself a critical process, which will cause a system crash if it is terminated. This can make it difficult to remove from your PC while the malware is running. MSIL/Bladabindi also has backdoor functionality, including:</p> <ul> <li>Using your camera to take pictures</li> <li>Running files</li> <li>Registry manipulation</li> <li>Remote shells</li> <li>Key logging</li> <li>Screen captures</li> <li>Loading plugins dynamically</li> <li>Updating</li> <li>Uninstalling</li> <li>Restarting</li> </ul> <p>From information we collected, it seems Bladabindi&#39;s author tries to show off their ability to develop malware, to improve their chances of being hired on to other projects. They even use the following picture (showing infected machines) as the header photo of their Twitter page.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Blada3.png"><img style="height:307px;width:500px;" alt="Bladabindi author's Twitter page" src="http://www.microsoft.com/security/portal/blog-images/a/Blada3.png" border="0" /></a></p> <p><em>Figure 3: Bladabindi author&#39;s Twitter page</em></p> <p>Though there is no direct evidence connecting the author, distributor, and online account owner associated with the malware, the same user name is consistently used across multiple forums and social media. 
Do you remember the infamous <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Hupigon">Win32/Hupigon</a> worm? That was another case where a malware author wrote a backdoor, but claimed they didn&#39;t distribute it.</p> <p>As usual, the best protection from Bladabindi, and from other malware or potentially unwanted software, is to have up-to-date security software installed and to be aware of the risks of social engineering.</p> <p><em>Zhitao Zhou, Steven Zhou, and Francis Allan Tan Seng</em><br /><em>MMPC</em></p> </div><div style="clear:both;"></div>MSRTmalware research A Look Into the Future and the January 2014 Bulletin Releasehttp://blogs.technet.com/b/msrc/archive/2014/01/14/a-look-into-the-future-and-the-january-2014-bulletin-release.aspxTue, 14 Jan 2014 18:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:15b5f43b-905b-4d6e-94e7-3ce046bef2c0Dustin C. Childs0<p><span style="font-size:medium;">In January, there are those who like to make predictions about the upcoming year. I am not one of those people. Instead, I like to quote </span><a href="http://en.wikipedia.org/wiki/Niels_Bohr"><span style="color:#0563c1;font-size:medium;">Niels Bohr</span></a><span style="font-size:medium;"> who said, &ldquo;Prediction is very difficult, especially if it&rsquo;s about the future.&rdquo; However, I can say without a doubt that change is afoot in 2014. 
</span></p> <p><span style="font-size:medium;">In February, usage of the MD5 hash algorithm in certificates will be restricted, as first discussed in </span><a href="http://technet.microsoft.com/security/advisory/2862973"><span style="color:#0563c1;font-size:medium;">Security Advisory 2862973</span></a><span style="font-size:medium;">, and the update goes out through </span><a href="http://go.microsoft.com/fwlink/?LinkID=40747"><span style="color:#0563c1;font-size:medium;">Microsoft Update</span></a><span style="font-size:medium;"> on the 11th. This will impact applications and services using certificates with the MD5 hashing algorithm and will apply only to certificates utilized for server authentication, code signing and time stamping. The restriction is limited to certificates issued under roots in the Microsoft root certificate program.</span></p> <p><span style="font-size:medium;">Support for Windows XP comes to an end in April. There has already been </span><a href="http://blogs.windows.com/windows/b/business/archive/2012/04/09/upgrade-today-two-year-countdown-to-end-of-support-for-windows-xp-and-office-2003.aspx"><span style="color:#0563c1;font-size:medium;">much</span></a><span style="font-size:medium;"> </span><a href="http://blogs.technet.com/b/security/archive/2013/08/15/the-risk-of-running-windows-xp-after-support-ends.aspx"><span style="color:#0563c1;font-size:medium;">written</span></a><span style="font-size:medium;"> </span><a href="http://blogs.msdn.com/b/auspartners/archive/2013/12/06/why-windows-xp-end-of-support-could-also-be-the-end-of-your-credibility.aspx"><span style="color:#0563c1;font-size:medium;">about</span></a><span style="font-size:medium;"> </span><a href="http://blogs.technet.com/b/mmpc/archive/2013/10/29/infection-rates-and-end-of-support-for-windows-xp.aspx"><span style="color:#0563c1;font-size:medium;">this</span></a><span style="font-size:medium;"> </span><a 
href="http://blogs.technet.com/b/security/archive/2013/04/09/the-countdown-begins-support-for-windows-xp-ends-on-april-8-2014.aspx"><span style="color:#0563c1;font-size:medium;">auspicious</span></a><span style="font-size:medium;"> </span><a href="http://blogs.technet.com/b/mediumbusiness/archive/2011/12/23/end-of-support-for-microsoft-windows-xp-sp3-and-office-2003.aspx"><span style="color:#0563c1;font-size:medium;">event</span></a><span style="font-size:medium;">, so I won&rsquo;t rehash it all here. Of course, we realize that just because support is ending, it does not mean XP usage will &ndash; much to the delight of attackers around the world. I&rsquo;m not sure if it&rsquo;s possible to have fond memories of an operating system, but XP will always maintain a warm place in my heart &ndash; just not on my laptop.</span></p> <p><span style="font-size:medium;">June brings changes to the Windows Authenticode verification function. This affects developers more than consumers, but it&rsquo;s an important change. Once implemented, certain programs will be considered &quot;unsigned&quot; if Windows identifies content that does not conform to the Authenticode specification. You can read all about this change in </span><a href="http://technet.microsoft.com/security/advisory/2915720"><span style="color:#0563c1;font-size:medium;">Security Advisory 2915720</span></a><span style="font-size:medium;"> and over on the </span><a href="http://blogs.technet.com/b/srd/archive/2013/12/10/ms13-098-update-to-enhance-the-security-of-authenticode.aspx"><span style="color:#0563c1;font-size:medium;">SRD blog</span></a><span style="font-size:medium;">. </span></p> <p><span style="font-size:medium;">Some things will remain the same. Sun or snow, we will still be here every second Tuesday of the month to bring you the latest security updates. 
This </span><a href="http://technet.microsoft.com/security/bulletin/MS14-jan"><span style="color:#0563c1;font-size:medium;">month</span></a><span style="font-size:medium;">, we&rsquo;re releasing four security bulletins addressing six unique CVEs in Microsoft Windows, Office, and Dynamics AX.&nbsp; All updates this month are rated Important. Here&rsquo;s an overview of this month&rsquo;s release:</span></p> <p><span style="font-size:medium;"><i>Click to embiggen</i></span><br /><span style="font-size:medium;"><i><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/Jan_2D00_2014_2D00_Priority_2D00_Final.jpg"><img alt="January 2014 deployment priority" src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/Jan_2D00_2014_2D00_Priority_2D00_Final.jpg" border="0" /></a></i></span></p> <p><span style="font-size:medium;">Our top deployment priority for this month is </span><a href="http://technet.microsoft.com/security/bulletin/ms14-002"><span style="color:#0563c1;font-size:medium;">MS14-002</span></a><span style="font-size:medium;">, which addresses a publicly known issue in the Windows Kernel.</span></p> <p><a href="http://technet.microsoft.com/security/bulletin/ms14-002"><span style="color:#0563c1;font-size:medium;">MS14-002 | Vulnerability in Windows Kernel Could Allow Elevation of Privilege</span></a> <span style="font-size:medium;"> This bulletin addresses the issue first described in Security Advisory 2918840, which allows an attacker to perform an elevation of privilege if they are able to log on to a system and run a specially crafted application. We are aware of targeted attacks using this vulnerability, where attackers attempt to lure someone into opening a specially crafted PDF to access the system. 
Even when we first saw this, the PDF portion of the attack did not affect those with a fully updated system.</span></p> <p><span style="font-size:medium;">We&rsquo;re also re-releasing </span><a href="http://technet.microsoft.com/security/bulletin/ms13-081"><span style="color:#0563c1;font-size:medium;">MS13-081</span></a><span style="font-size:medium;"> to provide a re-offering of KB2862330 for Windows 7 and Windows Server 2008 R2. The re-released update addresses an issue in the original offering that caused the </span><a href="https://support.microsoft.com/kb/2862330"><span style="color:#0563c1;font-size:medium;">KB2862330</span></a><span style="font-size:medium;"> update to fail or only partially install on some systems with third-party USB drivers. If you are running an affected system, you will be re-offered the new update and we encourage you to install it at the earliest opportunity.</span></p> <p><span style="font-size:medium;">Finally, we are also revising </span><a href="http://technet.microsoft.com/security/advisory/2755801"><span style="color:#0563c1;font-size:medium;">Security Advisory 2755801</span></a><span style="font-size:medium;"> with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin </span><a href="http://helpx.adobe.com/security/products/flash-player/apsb14-02.html" target="_blank"><span style="color:#0563c1;font-size:medium;">APSB14-02</span></a><span style="font-size:medium;">. 
For more information about this update, including download links, see </span><a href="http://support.microsoft.com/kb/2916626" target="_blank"><span style="color:#0563c1;font-size:medium;">Microsoft Knowledge Base Article 2916626</span></a><span style="font-size:medium;">.</span></p> <p><span style="font-size:medium;">Watch the bulletin overview video below for a brief summary of today&#39;s releases.</span></p> <p><span style="font-size:medium;"><object width="560" height="316"><param name="movie" value="//www.youtube.com/v/C-HSSLI-8_4?version=3&amp;hl=en_US" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed width="400" height="225" src="http://www.youtube.com/v/C-HSSLI-8_4?version=3&amp;hl=en_US" type="application/x-shockwave-flash" /></object></span></p> <p><span style="font-size:medium;">For more information about this month&rsquo;s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the </span><a href="http://technet.microsoft.com/security/bulletin/MS14-jan"><span style="color:#0563c1;font-size:medium;">Microsoft Bulletin Summary Web page</span></a><span style="font-size:medium;">. </span></p> <p><span style="font-size:medium;">William Peteroy and I will host the monthly bulletin webcast, scheduled for Wednesday, January 15, 2013, at 11 a.m. PST. I invite you to register </span><a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572876&amp;Culture=en-US"><span style="color:#0563c1;font-size:medium;">here</span></a><span style="font-size:medium;">, and tune in to learn more about this month&rsquo;s security bulletins and advisories. </span></p> <p><span style="font-size:medium;">For all the latest information, you can also follow us at </span><a href="http://www.twitter.com/msftsecresponse"><span style="color:#0563c1;font-size:medium;">@MSFTSecResponse</span></a><span style="font-size:medium;">. 
</span></p> <p><span style="font-size:medium;">I look forward to hearing your questions about this month&rsquo;s release in our webcast tomorrow.</span></p> <p><span style="font-size:medium;">Thanks, </span><a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs"><span style="color:#0563c1;font-size:medium;">Dustin Childs</span></a> <br /><span style="font-size:medium;">Group Manager, Response Communications<br />Microsoft Trustworthy Computing</span></p> <div style="clear:both;"></div>Microsoft Windowsmonthly bulletin releaseMicrosoft DynamicsMicrosoft Office Assessing risk for the January 2014 security updates http://blogs.technet.com/b/srd/archive/2014/01/14/assessing-risk-for-the-january-2014-security-updates.aspxTue, 14 Jan 2014 16:56:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:0f25b526-0f45-420d-b246-92aa98c84246SRD Blog Author0<p>Today we released four security bulletins addressing six CVEs. All four bulletins have a maximum severity rating of Important. 
We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.</p> <table border="1"> <tbody> <tr> <td><b>Bulletin</b></td> <td><b>Most likely attack vector</b></td> <td><b>Max Bulletin Severity</b></td> <td><b>Max exploitability rating</b></td> <td><b>Likely first 30 days impact</b></td> <td><b>Platform mitigations and key notes</b></td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-002">MS14-002</a> <p>(NDProxy, a kernel-mode driver)</p> </td> <td>Attacker able to run code at a low privilege level inside an application sandbox exploits this vulnerability to elevate privileges to SYSTEM.</td> <td>Important</td> <td>1</td> <td>Likely to continue seeing Adobe PDF exploits leveraging this vulnerability to elevate privileges outside the sandbox.</td> <td>All exploits we have analyzed for this vulnerability attempt to exploit an already-patched Adobe Reader vulnerability, CVE-2013-3346. This Adobe vulnerability was addressed via a September 11, 2013 Adobe security update. 
<p>Addresses vulnerability described by security advisory 2914486.</p> </td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-001">MS14-001</a> <p>(Word)</p> </td> <td>Victim opens malicious Office document.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>&nbsp;</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-003">MS14-003</a> <p>(win32k.sys, a kernel-mode driver)</p> </td> <td>Attacker running code at low privilege runs exploit binary to elevate to SYSTEM.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>&nbsp;</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-004">MS14-004</a> <p>(Microsoft Dynamics AX)</p> </td> <td>Attacker able to authenticate to Dynamics server could cause denial-of-service condition preventing it from servicing other client requests.</td> <td>Important</td> <td>n/a</td> <td>Denial of service only, not usable for code execution.</td> <td>&nbsp;</td> </tr> </tbody> </table> <p>- Jonathan Ness, MSRC engineering</p><div style="clear:both;"></div>Risk Asessmentrating Tackling the Sefnit botnet Tor hazardhttp://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspxFri, 10 Jan 2014 03:40:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:80751539-8385-4e12-b66d-9cd7c9edc49dmsft-mmpc3http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx#comments<div class="ExternalClass3BE6943817F14ABEA8691C823A9B1943"> <p class="ExternalClass99F82614541C45BC8F38DF427354ABD8">Sefnit, a prevailing malware known for using infected computers for click fraud and bitcoin mining, has left millions of machines potentially vulnerable to future attacks. 
We recently blogged about <a href="http://blogs.technet.com/b/mmpc/archive/2013/09/25/mevade-and-sefnit-stealthy-click-fraud.aspx">Sefnit performing click fraud</a> and how we <a href="http://blogs.technet.com/b/mmpc/archive/2013/12/10/rotbrow-the-sefnit-distributor.aspx">added detection on the upstream Sefnit installer</a>. In this blog we explain how the Tor client service, added by Sefnit, is posing a risk to millions of machines, and how we are working to address the problem.</p> <p class="ExternalClass99F82614541C45BC8F38DF427354ABD8"><a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Sefnit">Win32/Sefnit</a>&nbsp;made headlines&nbsp;last August as it took the Tor Network by storm. Tor is an open source project for online anonymity and is commonly used to browse the Internet anonymously.&nbsp;Around August 19, 2013, millions of infected computers running Win32/Sefnit installers are believed to have been woken up and given instructions en masse, to download and install a Sefnit component using the Tor Network for C&amp;C communication. Based on the Tor Network&rsquo;s connecting-user estimates, evidence suggests this resulted in more than four million Sefnit-installed Tor client services pushed in just over two weeks, as shown in Figure 1.</p> <p class="ExternalClass99F82614541C45BC8F38DF427354ABD8"><a href="http://www.microsoft.com/security/portal/blog-images/a/Tor1b.png"><img style="width:600px;height:362px;" alt="Win32/Sefnit affects the Tor network" src="http://www.microsoft.com/security/portal/blog-images/a/Tor1b.png" border="0" /></a></p> <p class="ExternalClass99F82614541C45BC8F38DF427354ABD8"><em>Figure 1: The effect of Win32/Sefnit on the Tor Network connecting-user base</em></p> <p class="ExternalClass99F82614541C45BC8F38DF427354ABD8">The security problem lies in the fact that during a Sefnit component infection, the Tor client service is also silently installed in the background. 
Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network. This is a problem not only for the workload it applies to the Tor Network, but also for the security of these computers.</p> <h2 class="ExternalClass99F82614541C45BC8F38DF427354ABD8">The Tor client</h2> <p class="ExternalClass99F82614541C45BC8F38DF427354ABD8">The Tor client service left behind on a previously-infected machine may seem harmless at first glance - Tor is a good application used to anonymize traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 &ndash; and does not self-update. The latest Tor release build at the time of writing is v0.2.4.20. While no high-severity security bulletins have been issued affecting Tor v0.2.3.25, Tor has a history of high-severity vulnerabilities - as illustrated in Figure 2.</p> <p class="ExternalClass99F82614541C45BC8F38DF427354ABD8">&nbsp;</p> <div class="ExternalClass99F82614541C45BC8F38DF427354ABD8"> <table class="MsoTable15Plain3 ms-rteTable-0" style="margin:auto auto auto 30.6pt;width:500px;border-collapse:collapse;" border="0" cellspacing="0" cellpadding="0"> <tbody> <tr class="ms-rteTableHeaderRow-0"><th class="ms-rteTableHeaderFirstCol-0" style="border-width:medium medium 1pt;border-style:none none solid;border-color:#f0f0f0 #f0f0f0 #7f7f7f;padding:0in 5.4pt;width:116.85pt;background-color:transparent;" rowspan="1" colspan="1"> <div style="margin:0in 0in 0pt;line-height:normal;"><b><span style="text-transform:uppercase;"><span style="font-family:Calibri;">CVE</span></span></b></div> </th><th class="ms-rteTableHeaderOddCol-0" style="border-width:medium medium 1pt;border-style:none none solid;border-color:#f0f0f0 #f0f0f0 #7f7f7f;padding:0in 5.4pt;width:116.85pt;background-color:transparent;" rowspan="1" colspan="1"> <div style="margin:0in 0in 0pt;line-height:normal;"><b><span style="text-transform:uppercase;"><span 
style="font-family:Calibri;">Versions Affected</span></span></b></div> </th><th class="ms-rteTableHeaderEvenCol-0" style="border-width:medium medium 1pt;border-style:none none solid;border-color:#f0f0f0 #f0f0f0 #7f7f7f;padding:0in 5.4pt;width:181.2pt;background-color:transparent;" rowspan="1" colspan="1"> <div style="margin:0in 0in 0pt;line-height:normal;"><b><span style="text-transform:uppercase;"><span style="font-family:Calibri;">DESCRIPTION</span></span></b></div> </th></tr> <tr class="ms-rteTableOddRow-0"><th class="ms-rteTableFirstCol-0" style="background:#f2f2f2;padding:0in 5.4pt;border:#f0f0f0;width:116.85pt;" rowspan="1" colspan="1"> <div style="margin:0in 0in 0pt;line-height:normal;"><a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2778&amp;cid=2"><span style="color:#0563c1;font-family:Calibri;">CVE-2011-2778</span></a></div> </th> <td width="156" class="ms-rteTableOddCol-0" valign="top" style="background:#f2f2f2;padding:0in 5.4pt;border:#f0f0f0;width:116.85pt;"> <div style="margin:0in 0in 0pt;line-height:normal;"><span style="font-family:Calibri;">v0.2.2.35 and earlier</span></div> </td> <td width="242" class="ms-rteTableEvenCol-0" valign="top" style="background:#f2f2f2;padding:0in 5.4pt;border:#f0f0f0;width:181.2pt;"> <div style="margin:0in 0in 0pt;line-height:normal;"><span style="font-family:Calibri;">Multiple heap-based buffer overflows.</span></div> </td> </tr> <tr class="ms-rteTableEvenRow-0"><th class="ms-rteTableFirstCol-0" style="padding:0in 5.4pt;border:#f0f0f0;width:116.85pt;background-color:transparent;" rowspan="1" colspan="1"> <div style="margin:0in 0in 0pt;line-height:normal;"><a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1676&amp;cid=2"><span style="color:#0563c1;font-family:Calibri;">CVE-2010-1676</span></a></div> </th> <td width="156" class="ms-rteTableOddCol-0" valign="top" style="padding:0in 5.4pt;border:#f0f0f0;width:116.85pt;background-color:transparent;"> <div style="margin:0in 0in 
0pt;line-height:normal;"><span style="font-family:Calibri;">0.2.2.20-alpha and earlier and v0.2.1.28 and earlier</span></div> </td> <td width="242" class="ms-rteTableEvenCol-0" valign="top" style="padding:0in 5.4pt;border:#f0f0f0;width:181.2pt;background-color:transparent;"> <div style="margin:0in 0in 0pt;line-height:normal;"><span style="font-family:Calibri;">Heap-based buffer-overflow.</span></div> </td> </tr> <tr class="ms-rteTableOddRow-0"><th class="ms-rteTableFirstCol-0" style="background:#f2f2f2;padding:0in 5.4pt;border:#f0f0f0;width:116.85pt;" rowspan="1" colspan="1"> <div style="margin:0in 0in 0pt;line-height:normal;"><a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0939&amp;cid=2"><span style="color:#0563c1;font-family:Calibri;">CVE-2009-0939</span></a></div> </th> <td width="156" class="ms-rteTableOddCol-0" valign="top" style="background:#f2f2f2;padding:0in 5.4pt;border:#f0f0f0;width:116.85pt;"> <div style="margin:0in 0in 0pt;line-height:normal;"><span style="font-family:Calibri;">v0.2.0.34 and earlier</span></div> </td> <td width="242" class="ms-rteTableEvenCol-0" valign="top" style="background:#f2f2f2;padding:0in 5.4pt;border:#f0f0f0;width:181.2pt;"> <div style="margin:0in 0in 0pt;line-height:normal;"><span style="font-family:Calibri;">Treats incomplete IPv4 addresses as valid causing unknown impact.</span></div> </td> </tr> <tr class="ms-rteTableEvenRow-0"><th class="ms-rteTableFirstCol-0" style="padding:0in 5.4pt;border:#f0f0f0;width:116.85pt;background-color:transparent;" rowspan="1" colspan="1"> <div style="margin:0in 0in 0pt;line-height:normal;"><a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0414&amp;cid=2"><span style="color:#0563c1;font-family:Calibri;">CVE-2009-0414</span></a></div> </th> <td width="156" class="ms-rteTableOddCol-0" valign="top" style="padding:0in 5.4pt;border:#f0f0f0;width:116.85pt;background-color:transparent;"> <div style="margin:0in 0in 0pt;line-height:normal;"><span 
style="font-family:Calibri;">v0.2.0.33 and earlier</span></div> </td> <td width="242" class="ms-rteTableEvenCol-0" valign="top" style="padding:0in 5.4pt;border:#f0f0f0;width:181.2pt;background-color:transparent;"> <div style="margin:0in 0in 0pt;line-height:normal;"><span style="font-family:Calibri;">Unspecified heap corruption.</span></div> </td> </tr> </tbody> </table> </div> <p class="ExternalClass99F82614541C45BC8F38DF427354ABD8"><em>Figure 2: History of vulnerabilities affecting Tor with potential for remote-code execution</em></p> <p class="ExternalClass99F82614541C45BC8F38DF427354ABD8">Some of these vulnerabilities can be exploited for the remote execution of arbitrary code without authentication &ndash; essentially giving an attacker&nbsp;access to take over the machine remotely. This Tor service is a security risk to the machines even after Sefnit has been removed, since it is probable that a serious security vulnerability will be identified in the future. In summary, this means that a malicious actor may be able to infect millions of machines with any malware at some point in the future.</p> <h2 class="ExternalClass99F82614541C45BC8F38DF427354ABD8">Cleanup efforts</h2> <p class="ExternalClass99F82614541C45BC8F38DF427354ABD8">Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. 
We&nbsp;retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:</p> <div class="ExternalClass99F82614541C45BC8F38DF427354ABD8"> <p style="margin:0px;padding:0px;"></p> <ul> <li><strong>October 27, 2013</strong>: We modified our signatures to remove the Sefnit-added&nbsp;Tor&nbsp;client service<span style="color:#ff0000;">*</span>.&nbsp;Signature and remediation are included in all Microsoft security software, including <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download">Microsoft Security Essentials</a>, <a href="http://windows.microsoft.com/en-us/windows-8/how-find-remove-virus#1TC=t1">Windows Defender</a> on Windows 8, <a href="http://www.microsoft.com/security/scanner/en-us/default.aspx">Microsoft Safety Scanner</a>, <a href="http://www.microsoft.com/en-us/server-cloud/products/system-center-2012-r2-configuration-manager/default.aspx#fbid=wUq6xkrDwJC">Microsoft System Center Endpoint Protection</a>, and <a href="http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline">Windows Defender Offline</a>.</li> <li><strong>November 12, 2013</strong>: Signature and remediation is included in <a href="http://www.microsoft.com/security/pc-security/malware-removal.aspx">Malicious Software Removal Tool</a> and delivered through Windows Update/Microsoft Update.</li> </ul> <p style="margin:0px;padding:0px;"></p> </div> <p>These actions and their effect on the Tor Network&rsquo;s estimated connecting-users is illustrated in Figure 3.</p> <p>&nbsp;<a href="http://www.microsoft.com/security/portal/blog-images/a/Tor3b.png"><img style="width:600px;height:302px;" alt="Tor Network connecting user estimate timeline" src="http://www.microsoft.com/security/portal/blog-images/a/Tor3b.png" border="0" /></a></p> <p><em>Figure 3: Tor Network connecting-user estimate timeline with marked events.</em></p> <p>Our actions so far have put a dent in the number of users at risk, but more 
work is needed to address an estimated two million machines that have yet to be reached. Many of the unreached machines are likely not running Microsoft security software, and we need your help to reduce this risk further.</p> <p><strong>Home users:</strong></p> <p>Download and run our free <a href="http://www.microsoft.com/security/scanner/en-us/default.aspx">Microsoft Safety Scanner</a> to scan and clean your PC.</p> <p><strong>Network administrators and advanced users:</strong></p> <p>Download and run our free <a href="http://www.microsoft.com/security/scanner/en-us/default.aspx">Microsoft Safety Scanner</a> to scan and clean workstations.</p> <p>Your anti-virus solution may have removed Sefnit from your workstations while leaving the Sefnit-added Tor service running. Whether the Tor service gets remediated depends on how complete the removal by other AV scanners was. For this reason, we recommend you check your workstations for Tor client services added by Sefnit. You can use the following commands to check and stop the Tor client service from a Command Prompt running as Administrator:</p> <ol> <li><p>Query the basic information about the Tor service by issuing the command &ldquo;sc query tor&rdquo;. If the service is found, the result should look like the following:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Q1.png"><img style="width:600px;height:124px;" alt="Tor service is found" src="http://www.microsoft.com/security/portal/blog-images/a/Q1.png" border="0" /></a></p></li> <li><p>If the Tor service is found and you weren&#39;t expecting it, it is highly likely to be a Sefnit-installed service. Query its configuration with the command &ldquo;sc qc tor&rdquo;, which should give a result like the one shown below:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Q2.png"><img style="width:600px;height:174px;" alt="Tor service configuration" src="http://www.microsoft.com/security/portal/blog-images/a/Q2.png" border="0" /></a></p></li> <li><p>If the &ldquo;BINARY_PATH_NAME&rdquo; above matches, the Sefnit-added Tor client service can be stopped with the command &ldquo;sc stop tor&rdquo;:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Q3.png"><img style="width:600px;height:124px;" alt="Stopping the Tor service" src="http://www.microsoft.com/security/portal/blog-images/a/Q3.png" border="0" /></a></p></li> <li><p>You can then delete the service with the command &ldquo;sc delete tor&rdquo;:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Q4.png"><img style="width:600px;height:41px;" alt="Correct Tor service removal" src="http://www.microsoft.com/security/portal/blog-images/a/Q4.png" border="0" /></a></p></li> <li><p>Verify that the service is no longer running by issuing &ldquo;sc query tor&rdquo; again. If it was removed correctly, this should display the following error:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Q5.png"><img style="width:600px;height:58px;" alt="The service is no longer running" src="http://www.microsoft.com/security/portal/blog-images/a/Q5.png" border="0" /></a></p></li> </ol> <p>We also shared this information with our Microsoft Virus Initiative and Virus Information Alliance partners so that they, too, can help in the clean-up.</p> <p><em>Geoff McDonald</em><br /><em>MMPC</em></p> <p><span style="color:#ff0000;">* </span><em>January 22, 2014: To clarify, this protection removes the services started by the Sefnit malware, but it does not uninstall Tor, remove any Tor binaries, or prevent users from using Tor.</em></p> </div><div style="clear:both;"></div> <p>Tags: Sefnit, Tor, MSRT</p> <p><strong>Advance Notification Service for the January 2014 Security Bulletin Release</strong><br />http://blogs.technet.com/b/msrc/archive/2014/01/09/advance-notification-service-for-the-january-2014-security-bulletin-release.aspx<br />Thu, 09 Jan 2014 18:00:00 GMT, by Dustin C. Childs</p> <p><span style="font-family:verdana,geneva;"><span>Today we provide </span><a href="http://technet.microsoft.com/security/bulletin/MS14-jan"><span style="color:#0563c1;">advance notification</span></a><span> for the release of four bulletins for January 2014. All bulletins this month are rated Important in severity and address vulnerabilities in Microsoft Windows, Office, and Dynamics AX. The update provided in MS14-002 fully addresses the issue first described in </span><a href="http://technet.microsoft.com/security/advisory/2914486"><span style="color:#0563c1;">Security Advisory 2914486</span></a><span>. 
We have only seen this issue used in conjunction with a PDF exploit in targeted attacks, and not on its own. This only impacts customers using Windows XP or Server 2003, as more recent Windows versions are not affected. </span></span></p> <p><span style="font-family:verdana,geneva;"><span>As always, we&rsquo;ve scheduled the security bulletin release for the second Tuesday of the month, January 14, 2014, at approximately 10:00 a.m. PST. Revisit this blog then for analysis of the risk and impact, as well as deployment guidance, together with a brief video overview of the month&rsquo;s updates. Until then, please review the </span><a title="ANS summary page" href="http://technet.microsoft.com/security/bulletin/MS14-jan"><span style="color:#0563c1;">ANS summary page</span></a><span> for more information to help you prepare for security bulletin testing and deployment.</span></span></p> <p><span style="font-family:verdana,geneva;"><span>Don&rsquo;t forget, you can also follow the MSRC team&rsquo;s recent activity on Twitter at </span><a title="@MSFTSecResponse" href="https://twitter.com/msftsecresponse"><span style="color:#0563c1;">@MSFTSecResponse</span></a><span>.</span></span></p> <p><span style="font-family:verdana,geneva;">Thank you,</span><br /><span style="font-family:verdana,geneva;"><a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs"><span style="color:#0563c1;">Dustin Childs</span></a></span><br /><span style="font-family:verdana,geneva;">Group Manager, Response Communications</span><br /><span style="font-family:verdana,geneva;">Microsoft Trustworthy Computing</span></p><div style="clear:both;"></div> <p>Tags: Microsoft Windows, Security Bulletins, ANS, Microsoft Office</p> <p><strong>Protection metrics &ndash; November results</strong><br />http://blogs.technet.com/b/mmpc/archive/2013/12/23/protection-metrics-november-results.aspx<br />Tue, 24 Dec 2013 00:43:00 GMT, by msft-mmpc</p> <div class="ExternalClass36832F41998C4C7C9E028673340EB1AC"> <p>In <a href="http://blogs.technet.com/b/mmpc/archive/2013/11/26/our-protection-metrics-october-results.aspx">our October results</a>, we talked about a trio of families related to <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Sefnit">Win32/Sefnit</a>. Our <a href="http://www.microsoft.com/security/portal/mmpc/shared/protection.aspx">November results</a> showed progress against Sefnit and the installers and downloaders of Sefnit (<a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Rotbrow">Win32/Rotbrow</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Brantall">Win32/Brantall</a>). In comparison to September, active Sefnit infections have been reduced by 82 percent. As with prior months, our rate of incorrect detections also remained low and performance stayed consistent.</p> <p>(If you want a refresher on the definition of the metrics we use in our monthly results, see our initial post: <a href="http://blogs.technet.com/b/mmpc/archive/2013/10/25/our-protection-metrics-september-results.aspx">Our protection metrics &ndash; September results</a>.)</p> <p>For Rotbrow (which, by the way, was also <a href="http://blogs.technet.com/b/mmpc/archive/2013/12/10/rotbrow-the-sefnit-distributor.aspx">added to the MSRT in December</a>), we saw half the number of active infections in November in comparison to the previous month. 
Active Brantall infections were reduced by about a fifth, month over month.</p> <p>A relatively new family, <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Wysotot">Win32/Wysotot</a>, which was added to our real-time protection products at the end of October, had a moderate impact in November, affecting 0.002 percent of our customer base (much smaller than the Sefnit trio), but went into decline later in the month. Wysotot is typically installed on your computer through software bundlers that advertise free software or games. It redirects you to another website when you open certain browsers through a shortcut file. It can also download other software, run and kill processes on your computer, and send the status of your security software to a command and control (C&amp;C) server.</p> <p>The <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm:VBS/Jenxcus#tab=2">VBS/Jenxcus</a> family had a similar impact but, unlike Wysotot, hasn&#39;t declined. This worm uses shortcut links to propagate, but is also often downloaded online or through torrents. It also has the capability to spread through removable drives, so if your computer&#39;s infected with Jenxcus, make sure you also scan any removable drives you&#39;ve used recently with an antivirus product. More on Jenxcus next month.</p> <p>Also, <a href="http://blogs.technet.com/b/microsoft_blog/archive/2013/12/19/zeroaccess-criminals-wave-white-flag-the-impact-of-partnerships-on-cybercrime.aspx">considering the recent action against the Sirefef family</a>, we will have a few interesting trends to report next month. Stay tuned for that update in the new year.</p> <p>In the meantime, make sure your antivirus solution is up to date. 
If you&#39;re running Windows 8, <a href="http://www.microsoft.com/security/pc-security/windows-defender.aspx">Windows Defender</a> helps protect you against malware; if you&#39;re running Windows 7 or earlier, you can install <a href="http://www.microsoft.com/security_essentials">Microsoft Security Essentials</a>.</p> <p><em>Holly Stewart</em><br /><em>MMPC</em></p></div><div style="clear:both;"></div> <p>Tags: Sefnit, Rotbrow, Protection metrics</p> <p><strong>Turkey: Understanding high malware encounter rates in SIRv15</strong><br />http://blogs.technet.com/b/mmpc/archive/2013/12/23/turkey-understanding-high-malware-encounter-rates-in-sirv15.aspx<br />Mon, 23 Dec 2013 18:09:08 GMT, by msft-mmpc</p> <div class="ExternalClass4ED02A25C19E4079B4D3702ACF39F96F"> <p>In our most recent version of the <a href="http://www.microsoft.com/security/sir/default.aspx">Security Intelligence Report (SIRv15)</a>, we compared the encounter rates of malware categories for the top 10 countries with computers reporting the most detections in 2Q13. Among these countries, Turkey stood out with considerably higher encounter rates in multiple categories. Encounter rate is the percentage of computers in a country that reported at least one detection of malware.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Turkey1.png"><img style="height:121px;width:600px;" alt="Threat category prevalence worldwide" src="http://www.microsoft.com/security/portal/blog-images/a/Turkey1.png" border="0" /></a></p> <p><em>Figure 1. Threat category prevalence worldwide and in the 10 locations with the most computers reporting detections in 2Q13. 
Totals for each location may exceed 100 percent because some computers reported threats from more than one category.</em></p> <p>If you examine the above table carefully, Turkey&#39;s encounter rates in miscellaneous trojans, worms, exploits, and trojan downloaders and droppers are at least 18 percent greater than those of the next highest country in this list. Our research here focuses on examining the factors contributing to the higher rate.</p> <p>Miscellaneous trojans are malware that are self-contained and do not self-replicate. Worms, on the other hand, are defined as malware that send copies of themselves through various communication mechanisms. Exploits include malware that take advantage of software vulnerabilities, and trojan downloaders and droppers are trojans that download or drop other malware onto computers they have already infected. High encounter rates across such a wide range of malware types in a single region suggest that Turkey may have been targeted by online criminals.</p> <p><strong>Targeted encounter rate</strong></p> <p>To investigate this hypothesis, a definition of <i>targeted</i> is necessary. For this research, we define a family as targeted if at least 80 percent of the infected computers are located in a single country. Subsequently, we can update the original definition of encounter rate for this problem: <i>targeted encounter rate</i> is the percentage of computers that reported at least one detection of a targeted malware family.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Turkey2.png"><img style="height:99px;width:600px;" alt="Targeted encounter rate in 10 locations" src="http://www.microsoft.com/security/portal/blog-images/a/Turkey2.png" border="0" /></a></p> <p><em>Figure 2. Targeted encounter rate in the 10 locations with the most computers reporting detections in 2Q13. 
Totals for each location may exceed 100 percent because some computers reported threats from more than one category.</em></p> <p>Turkey has experienced extremely high targeted encounter rates in miscellaneous trojans, trojan downloaders and droppers, and worms when compared to the other top regions/countries. Running an updated real-time antimalware solution is highly recommended for computers in any region seeing increases in these malware categories. For further information, see <a href="http://download.microsoft.com/download/E/0/F/E0F59BE7-E553-4888-9220-1C79CBD14B4F/Microsoft_Security_Intelligence_Report_Volume_14_Running_Unprotected_English.pdf">Running Unprotected, a deep dive into this topic in SIRv14</a>.</p> <p>Further investigation into the top targeted families in Turkey can give us more concrete evidence of targeting.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Turkey3.png"><img style="height:102px;width:600px;" alt="Machine count inside and outside Turkey" src="http://www.microsoft.com/security/portal/blog-images/a/Turkey3.png" border="0" /></a></p> <p><em>Figure 3. Machine count inside and outside Turkey for the top five targeted families in Turkey.</em></p> <p><strong>Top targeted families</strong></p> <p>Each of the top targeted families uses the Turkish language in some aspect. <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:JS/Kilim.A#tab=1">Kilim</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:JS/Reksner.A#tab=1">Reksner</a> both use social media outlets, such as Facebook and Twitter, for infection. They gain access to user accounts and post false advertisements and malicious links in Turkish to continue spreading. 
<a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm:MSIL/Murkados.A#tab=1">Murkados</a> hides its presence by setting the homepage of a Chrome browser, which it has modified, to the Turkish Google search webpage. <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:MSIL/Truado.C#tab=1">Truado</a> redirects user traffic between various Turkish websites. <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Preflayer.A#tab=1">Preflayer</a> uses a fake Adobe installer in Turkish to trick users and infect computers. All of these families leverage the Turkish language as their basis for attack, rather than focusing on attacking Turkey-based computers. There are also hints of various Turkish words in the source code, suggesting that the malware might be authored by local attackers.</p> <p>Language targeting is not uncommon; many families specifically target languages, as we have seen above and in the <a href="http://www.microsoft.com/security/sir/default.aspx">Security Intelligence Report</a>. A quick look at the Turkish language shows that most people who read websites in Turkish live in Turkey. So, malware authors targeting Turkey might just be an unintentional consequence of trying to infect the population of Turkish computer users.</p> <p>From this data, we can confidently conclude that Turkey was indeed targeted by malware authors through language targeting. Social engineering, used by all the families discussed above, is a method that online criminals use to trick users into performing actions or divulging confidential information, in order to gain access to their computers or hide the presence of malicious behavior. Social engineering can occur in any language that is used on computers, commonly through email, web or telephone scams. 
Using a language that is less prevalent does not exclude you from the dangers of malware.</p> <p>We recommend commonly known protective measures, no matter what language you use. If you suspect that confidential information has been stolen through a social engineering attack that a computer user may have responded to, take a few steps to protect data, such as:</p> <ul> <li>Change passwords or PINs on all compromised accounts.</li> <li>Place a fraud alert on credit reports.</li> <li>Do not follow the links in fraudulent email messages, and be similarly wary of files on portable flash drives.</li> <li>Routinely review bank and credit card statements monthly for unexplained charges or inquiries.</li> </ul> <p>We recommend that IT professionals follow best practices in security risk management, including:</p> <ul> <li>Using group policy to enforce configuration for Windows Update and the SmartScreen filter</li> <li>Using Network Access Protection (NAP) and DirectAccess (DA) to enforce compliance policies for firewall, antimalware, and patch management on remote systems connecting to the corporate network</li> <li>Implementing a strong security awareness program for their enterprise to prevent malware and potentially unwanted software.</li> </ul> <p>You can learn about Microsoft&#39;s own best practices in <a href="http://www.microsoft.com/security/sir/strategy/default.aspx#%21section_2_1">Malware at Microsoft: Dealing with threats in the Microsoft environment</a>.</p> <p>For additional guidance that we recommend consumers and enterprises use to protect computers from social engineering attacks, see:</p> <ul> <li><a href="http://www.microsoft.com/security/online-privacy/phishing-scams.aspx">Email and web scams: How to help protect yourself</a></li> <li><a href="http://www.microsoft.com/security/sir/story/default.aspx#%210day_itpro">Advice to IT professionals on social engineering</a></li> </ul> <p><em>Kevin Yeo</em><br /><em>MMPC</em></p> </div><div style="clear:both;"></div> <p><strong>Predictions for 2014 and the December 2013 Security Bulletin Webcast, Q&amp;A, and Slide Deck</strong><br />http://blogs.technet.com/b/msrc/archive/2013/12/16/predictions-for-2014-and-the-december-2013-security-bulletin-webcast-q-amp-a-and-slide-deck.aspx<br />Mon, 16 Dec 2013 22:33:09 GMT, by Dustin C. Childs</p> <p><span style="font-size:small;">Today we&rsquo;re publishing the </span><a href="http://blogs.technet.com/b/msrc/p/december-2013-security-bulletin-q-a.aspx"><span style="font-size:small;">December 2013 Security Bulletin Webcast Questions &amp; Answers page</span></a><span style="font-size:small;">. We answered 17 questions in total, with the majority of questions focusing on the Graphics Component bulletin (</span><a href="https://technet.microsoft.com/security/bulletin/ms13-096"><span style="font-size:small;">MS13-096</span></a><span style="font-size:small;">), Security Advisory </span><a href="http://technet.microsoft.com/security/advisory/2915720"><span style="font-size:small;">2915720</span></a><span style="font-size:small;"> and Security Advisory </span><a href="http://technet.microsoft.com/security/advisory/2905247"><span style="font-size:small;">2905247</span></a><span style="font-size:small;">.</span></p> <p><span style="font-size:small;">We also wanted to note a </span><a href="http://blogs.technet.com/b/security/archive/2013/12/12/security-professionals-top-threat-predictions-for-2014.aspx"><span style="font-size:small;">new blog</span></a><span style="font-size:small;"> on the Microsoft Security Blog site on the top cyber threat predictions for 2014. Topics from ransomware to regulation are covered by seven of Trustworthy Computing&rsquo;s top thought leaders. 
If you don&rsquo;t mind spoilers, take a few minutes to read what may be coming next.</span></p> <p><span style="font-size:small;">We invite you to join us for the next scheduled webcast on Wednesday, January 15, 2013, at 11 a.m. PST (UTC -8), when we will go into detail about the January bulletin release and answer your bulletin deployment questions live on the air.</span></p> <p><span style="font-size:small;">You can register to attend the webcast at the link below:</span></p> <p><span style="font-family:arial black,avant garde;"><strong><span style="font-size:small;">Date: Wednesday, January 15, 2013</span></strong><b><br /><span style="font-size:small;"> <strong>Time: 11:00 a.m. PST (UTC -8)</strong><br /> <strong>Register: </strong></span></b><a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572876&amp;Culture=en-US"><strong><span style="font-size:small;">Attendee Registration</span></strong></a></span></p> <p>Video: <a href="http://www.youtube.com/v/9vWpJ1p1ZIE?hl=en_US&amp;version=3&amp;rel=0">http://www.youtube.com/v/9vWpJ1p1ZIE</a></p> <p><span style="font-size:small;">Have a safe and happy holiday season.<br /> Thanks,</span></p> <p><a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br /> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</p><div style="clear:both;"></div> <p>Tags: Bulletin Webcast, Customer Questions, Q&amp;A</p> <p><strong>Be a real security pro - Keep your private keys private</strong><br />http://blogs.technet.com/b/mmpc/archive/2013/12/15/be-a-real-security-pro-keep-your-private-keys-private.aspx<br />Sun, 15 Dec 2013 22:20:35 GMT, by msft-mmpc</p> <div class="ExternalClassEEBDBDC0D85542B2874F0E8EC8663930"> <p>One of the many unusual characteristics of the <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Stuxnet">Stuxnet</a> malware discovered in 2010 was that its files were distributed with a valid digital signature, created using authentication credentials that belonged to two unrelated legitimate software companies. Normally the signature would verify that the program was issued by the company listed in the signing certificate, and that the contents of the program had not been tampered with since it was signed. By using other companies&rsquo; authentication credentials to sign their own files, malware distributors are able to make it appear that their files have come from a more trustworthy source.</p> <p>Since then, malware signed with poorly secured or stolen credentials has been relatively rare. Most digitally-signed malware uses code-signing certificates that have been paid for and obtained directly from the certification authority (CA) that issued them; these CAs would have been unaware that the certificates were intended to be used for nefarious purposes. For example, recently the fake antivirus family <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Rogue:Win32/FakePAV">Rogue:Win32/FakePav</a> reappeared after being inactive for more than a year. Prior to the period of inactivity, FakePav&rsquo;s executables were not digitally signed, but the new variants have been. 
After a few days using a single certificate, FakePav switched to a different certificate, issued in the same name as the previous one but by a different CA.</p> <p>However, in the past month or so, the use of stolen certificates has become more common. In particular, <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Rogue:Win32/Winwebsec">Rogue:Win32/Winwebsec</a>, another rogue calling itself Antivirus Security Pro, has been distributed signed with credentials stolen from at least twelve different software developers.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Cert1.png"><img style="height:413px;width:600px;" alt="Antivirus Security Pro user interface" src="http://www.microsoft.com/security/portal/blog-images/a/Cert1.png" border="0" /></a></p> <p><em>Figure 1: Antivirus Security Pro user interface</em></p> <p>A related family, <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanSpy:Win32/Ursnif#tab=2">TrojanSpy:Win32/Ursnif</a>, has also been distributed with files signed using stolen credentials. We have observed Winwebsec downloading Ursnif, a trojan that monitors web traffic and steals sensitive information, including passwords. Earlier variants of Ursnif were also capable of stealing certificates and private keys, but this functionality does not appear to be present in the latest versions. 
Instead, it appears to have been added to certain samples of <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS:Win32/Fareit">PWS:Win32/Fareit</a>.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/Winwebsec/stealsA.png"><img alt="Fareit steals certificates" src="http://www.microsoft.com/security/portal/blog-images/Winwebsec/stealsA.png" border="0" /></a></p> <p><em>Figure 2: Fareit steals certificates</em></p> <p><a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS:Win32/Fareit">PWS:Win32/Fareit</a> is a trojan that mostly steals passwords from a user&#39;s FTP client, but sometimes also downloads and installs other malware, such as Winwebsec and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Sirefef">Win32/Sirefef</a>.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/Winwebsec/infectsA.png"><img alt="Fareit infects computers, using stolen signed certificates" src="http://www.microsoft.com/security/portal/blog-images/Winwebsec/infectsA.png" border="0" /></a></p> <p><em>Figure 3: Relationship and interactions between the Fareit, Sirefef, Winwebsec, and Ursnif families</em></p> <p>The stolen certificates were issued by a number of different CAs to software developers in various locations around the world. The table below shows details of some of the certificates used to sign Winwebsec samples. Note that the <em>number of samples</em> column lists only the digitally-signed Winwebsec samples that we have a copy of &ndash; there may be many other samples that we have not received. But it gives an idea of the magnitude of the problem. 
Interestingly, one of these certificates was issued only three days before we started seeing malware samples signed with it, which suggests that the malware&rsquo;s distributors are regularly stealing new certificates rather than using certificates from an older stockpile.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/cert5.png"><img style="height:260px;width:600px;" alt="Certificates used to sign Rogue:Win32/Winwebsec" src="http://www.microsoft.com/security/portal/blog-images/a/cert5.png" border="0" /></a></p> <p><em>Figure 4: Certificates used to sign Rogue:Win32/Winwebsec samples</em></p> <p>For those of you who are software developers, Microsoft has <a href="http://msdn.microsoft.com/en-us/windows/hardware/gg487309.aspx">a document that describes the best practices for code signing</a>. Although that document was written in 2007 and contains a few references to operating system tools that have since changed, all of its recommendations on appropriate security procedures for obtaining and storing code-signing certificates and private keys, and for digitally signing your software, remain as relevant as ever.</p> <p>Just as it is important to keep your house and car keys secure, securing your code-signing private keys is essential. Not only is it inconvenient, and often expensive, to have the certificate replaced; it can also damage your company&rsquo;s reputation if the certificate is used to sign malware. The document recommends keeping private keys physically secure by storing them on a securely stored hardware device such as a smart card, USB token, or hardware security module. 
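The warning signs described above (a valid signature from a publisher you do not expect, and a certificate issued only days before the signed file appeared) can be checked in bulk. The following PowerShell function is an added example, not code from this post or from Microsoft; it assumes Windows PowerShell 4.0 or later on Windows, and the publisher allow-list, the seven-day threshold and the folder path are illustrative values chosen for the example.

```powershell
# Added example, not code from the MMPC post. Assumes Windows PowerShell 4.0+
# on Windows (Get-AuthenticodeSignature, Get-FileHash). The allow-list,
# threshold and paths below are illustrative values chosen for this example.

function Get-SignerTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Path,

        # Publisher common names you expect on binaries in your environment
        # (constructed example values; replace with your own list).
        [string[]]$ExpectedPublisher = @('Example Corp', 'Contoso Ltd'),

        # The post notes a certificate issued only three days before signed
        # malware appeared; treat a certificate this new as worth a look.
        [int]$RecentlyIssuedDays = 7
    )
    process {
        foreach ($file in $Path) {
            $item  = Get-Item -LiteralPath $file -ErrorAction Stop
            $sig   = Get-AuthenticodeSignature -FilePath $item.FullName
            $cert  = $sig.SignerCertificate
            $flags = New-Object System.Collections.Generic.List[string]
            $publisher = $null

            # A broken or absent signature is the easy case.
            if ($sig.Status -ne 'Valid') {
                $flags.Add("signature status $($sig.Status): $($sig.StatusMessage)")
            }

            if ($cert) {
                # CN of the subject, i.e. the name the CA issued the certificate to.
                $publisher = $cert.GetNameInfo('SimpleName', $false)

                # "Valid" only proves the file was signed with that publisher's key
                # and not modified since. With a stolen key, malware passes this
                # check, so also compare the publisher against what you expect.
                if ($ExpectedPublisher -notcontains $publisher) {
                    $flags.Add("unexpected publisher '$publisher'")
                }

                # LastWriteTime is a rough proxy for when the file was produced;
                # a certificate issued only days before that is unusual for a
                # legitimate product and typical of freshly stolen credentials.
                $daysOld = ($item.LastWriteTime - $cert.NotBefore).TotalDays
                if ($daysOld -ge 0 -and $daysOld -le $RecentlyIssuedDays) {
                    $flags.Add(('certificate issued {0:N1} day(s) before file timestamp' -f $daysOld))
                }
            }

            [pscustomobject]@{
                File       = $item.FullName
                Sha1       = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA1).Hash.ToLower()
                Status     = $sig.Status
                Publisher  = $publisher
                Issuer     = if ($cert) { $cert.Issuer } else { $null }
                NotBefore  = if ($cert) { $cert.NotBefore } else { $null }
                Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
                Flags      = ($flags -join '; ')
            }
        }
    }
}

# Usage: triage every executable under a folder (placeholder path) and show
# only the files that raised at least one flag.
Get-ChildItem -Path 'C:\Triage\Samples' -Include *.exe, *.dll -Recurse -File |
    Select-Object -ExpandProperty FullName |
    Get-SignerTriage |
    Where-Object { $_.Flags } |
    Format-Table File, Status, Publisher, NotBefore, Flags -AutoSize
```

The SHA1 column is there so a flagged file can be matched against published sample hashes such as the ones listed at the end of this post.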
Certainly, no system used to store code-signing credentials should ever be used for web browsing, and it is vital that these systems run a regularly updated antivirus solution and that any file you sign has been scanned for possible virus infection beforehand.</p> <p>If a system you use for signing has been infected with Win32/Fareit or other malware, and you suspect your private keys have been compromised, you should contact the CA that issued the credentials immediately.</p> <p><em>David Wood</em><br /><em>MMPC</em></p> <p>SHA1s:</p> <p>d330699f28a295c42b7e3b4a127c79dfed3c34f1 (PWS:Win32/Fareit with certificate stealing capability)<br />006c4857c6004b0fcbb185660e6510e1feb0a7a3 (Digitally-signed Winwebsec)</p> </div><div style="clear:both;"></div> <p>Tags: winwebsec, Ursnif, code-signing certificates, Antivirus Security Pro, fareit</p> <p><strong>Software defense: mitigating common exploitation techniques</strong><br />http://blogs.technet.com/b/srd/archive/2013/12/11/software-defense-mitigating-common-exploitation-techniques.aspx<br />Thu, 12 Dec 2013 00:04:00 GMT, by swiat</p> <p><span style="font-family: Calibri; font-size: small;">In our previous posts in this series, we described various mitigation improvements that attempt to prevent the exploitation of specific classes of memory safety vulnerabilities, such as those that involve </span><a href="http://blogs.technet.com/b/srd/archive/2013/10/02/software-defense-mitigating-stack-corruption-vulnerabilties.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">stack corruption</span></a><span style="font-family: Calibri; font-size: small;">, </span><a href="http://blogs.technet.com/b/srd/archive/2013/10/29/software-defense-mitigation-heap-corruption-vulnerabilities.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">heap 
corruption</span></a><span style="font-family: Calibri; font-size: small;">, and </span><a href="http://blogs.technet.com/b/srd/archive/2013/11/06/software-defense-safe-unlinking-and-reference-count-hardening.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">unsafe list management and reference count mismanagement</span></a><span style="font-size: small;"><span style="font-family: Calibri;">. These mitigations are typically associated with a specific developer mistake such as writing beyond the bounds of a stack or heap buffer, failing to correctly track reference counts, and so on. As a result, these mitigations generally attempt to detect side-effects of such mistakes before an attacker can get further along in the exploitation process, e.g. before they gain control of the instruction pointer. </span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Another approach to mitigating exploitation is to focus on breaking techniques that can apply to many different classes of memory safety vulnerabilities. These mitigations can have a broader impact because they apply to techniques that are used further along in the process of exploiting many vulnerabilities. For example, once an attacker has gained control of the instruction pointer through an arbitrary vulnerability, they will inherently need to know the address of useful executable code to set it to. This is where well-known mitigations like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) come into play &ndash; both of which have been supported on Windows for many releases now. 
When combined, these mitigations have proven that they can make it very difficult to exploit many classes of memory safety vulnerabilities even when an attacker has gained control of the instruction pointer.</span></span></p> <p><span style="font-family: Calibri; font-size: small;">In recent years, attackers have been increasingly forced to adapt to exploiting vulnerabilities in applications that make use of a broad range of mitigations, including DEP and ASLR. As our </span><a href="http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">previous blog post explains</span></a><span style="font-size: small;"><span style="font-family: Calibri;">, there are scenarios where both DEP and ASLR can be bypassed, and it is no surprise that attackers have been increasingly focused on improving their ability to do so. Likewise, attackers have placed greater interest on finding classes of vulnerabilities, such as use after free issues, that can grant them more flexibility when attempting to develop an exploit. In light of these trends, we focused a significant amount of attention in Windows 8 and Windows 8.1 on improving the robustness of mitigations that break exploitation techniques that apply to many classes of vulnerabilities. 
In particular, this blog post will cover some of the noteworthy improvements that have been made to ASLR, such as eliminating predictable address space mappings, increasing the amount of entropy that exists in the address space, and making it more difficult to disclose address space information where possible.</span></span></p> <h1><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">Force ASLR</span></span></h1> <p><span style="font-family: Calibri; font-size: small;">For compatibility reasons, executable images (DLLs/EXEs) must indicate their desire to be randomized by ASLR through the </span><a href="http://msdn.microsoft.com/en-us/library/bb384887.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">/DYNAMICBASE flag</span></a><span style="font-family: Calibri; font-size: small;"> provided by the Visual C++ linker.&nbsp; If an executable image has not been linked with /DYNAMICBASE, the Windows kernel will attempt to load the image at its preferred base address.&nbsp; This can cause the executable to reliably load at a predictable location in memory.&nbsp; While this limitation of ASLR on Windows is by design, real-world exploits for software vulnerabilities have become </span><a href="http://www.microsoft.com/en-us/download/details.aspx?id=39680"><span style="color: #0563c1; font-family: Calibri; font-size: small;">increasingly reliant</span></a><span style="font-size: small;"><span style="font-family: Calibri;"> on executable images that have not enabled support for ASLR.&nbsp; </span></span></p> <p><span style="font-family: Calibri; font-size: small;">To generically mitigate this issue, an application running on Windows 8 (or Windows 7 with </span><a href="http://support.microsoft.com/kb/2639308"><span style="color: #0563c1; font-family: Calibri; font-size: small;">KB 2639308</span></a><span style="font-size: small;"><span style="font-family: Calibri;"> installed) can elect to enable a security feature known as 
<em>Force ASLR</em>.&nbsp; When enabled, this feature forces all relocatable images to be randomized when they are loaded by the application, including those images which have not been linked with /DYNAMICBASE.&nbsp; This is designed to prevent executable images from being loaded at a predictable location in memory.&nbsp; If desired, an application can also elect to prevent non-relocatable images from being loaded.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Since the Force ASLR feature will cause executable images to be randomized that have not enabled support for ASLR, there is a risk that a compatibility problem may be encountered.&nbsp; In addition, the method used to forcibly relocate executable images that have not been built with /DYNAMICBASE can have a performance impact due to decreased page sharing. This is because Force ASLR essentially mimics the behavior of a base address collision and thus may incur a memory cost due to copy-on-write. As such, the Force ASLR feature is not enabled by default for applications running on Windows 8.&nbsp; Instead, applications must explicitly enable this feature.</span></span></p> <p><span style="font-family: Calibri; font-size: small;">The Force ASLR feature has been enabled by default for critical applications such as Internet Explorer 10+, Microsoft Office 2013, and Windows Store applications.&nbsp; This means an attacker attempting to exploit vulnerabilities accessible through these applications will not be able to rely on non-randomized executable images. 
For example, our </span><a href="http://blogs.technet.com/b/srd/archive/2013/12/09/ms13-106-another-aslr-bypass-is-gone.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">recent security update to enable ASLR for HXDS.DLL</span></a><span style="font-size: small;"><span style="font-family: Calibri;"> would not appreciably impact the security posture of applications that enable Force ASLR because this non-ASLR DLL would already get randomized. Going forward, attackers will most likely need to rely on a vulnerability-specific address space information disclosure when exploiting applications that completely enable ASLR or that make use of Force ASLR. </span></span></p> <h1><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">Bottom-up and Top-down Randomization</span></span></h1> <p><span style="font-size: small;"><span style="font-family: Calibri;">Virtual memory allocations that are made by an application can have their base address assigned in one of three ways: bottom-up, top-down, or based.&nbsp; The bottom-up method searches for a free region starting from the bottom of the address space (e.g. VirtualAlloc default), the top-down method searches starting from the top of the address space (e.g. VirtualAlloc with MEM_TOP_DOWN), and the based method attempts to allocate memory at a supplied base address (e.g. 
VirtualAlloc with an explicit base).&nbsp; In practice, the majority of the memory that is allocated by an application will use the bottom-up allocation method, and it is rare to see applications use the based method for allocating memory.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Prior to Windows 8, bottom-up and top-down allocations were not randomized by ASLR.&nbsp; This meant that allocations made through functions like VirtualAlloc and MapViewOfFile had no entropy and could therefore be placed at a predictable location in memory (barring non-deterministic application behavior).&nbsp; While certain memory regions had their own base randomization, such as heaps, stacks, TEBs, and PEBs, all other bottom-up and top-down allocations were not randomized.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Starting with Windows 8, the base address of all bottom-up and top-down allocations is explicitly randomized.&nbsp; This is accomplished by randomizing the address that bottom-up and top-down allocations start from for a given process.&nbsp; In this way, fragmentation within the address space is minimized while also realizing the benefits of randomizing the base address of all memory allocations that are not explicitly based.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">For compatibility reasons, applications must indicate that they support bottom-up and top-down randomization.&nbsp; An application can do this by linking their EXE with /DYNAMICBASE.</span></span></p> <h1><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">High Entropy Randomization</span></span></h1> <p><span style="font-size: small;"><span style="font-family: Calibri;">One of the major differences between 64-bit and 32-bit applications on Windows is the size of the virtual address space that is made available to a process.&nbsp; 64-bit applications 
whose EXE is linked with the /LARGEADDRESSAWARE flag receive 8 TB in Windows 8 (128 TB in Windows 8.1) of virtual address space whereas 32-bit applications only receive 2 GB by default.&nbsp; The limited amount of address space available to 32-bit applications places practical constraints on the amount of entropy that can be applied by ASLR when randomizing the location of memory mappings.&nbsp; Since 64-bit applications do not suffer from these limitations by default, it is possible to significantly increase the amount of entropy that is used by ASLR.&nbsp; The ASLR implementation in Windows 8 takes full advantage of this opportunity by enabling high degrees of entropy for 64-bit applications.&nbsp; Providing higher degrees of entropy can further decrease the reliability of exploits written by an attacker and also makes it less likely that an attacker will be able to correctly guess or brute force an address.</span></span></p> <h2><span style="font-size: medium;"><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">High Entropy Bottom-up Randomization</span></span></span></h2> <p><span style="font-size: small;"><span style="font-family: Calibri;">This feature introduces 1 TB of variance into the address that bottom-up allocations start from.&nbsp; This equates to 24 bits of entropy, or a 1 in 16,777,216 chance of guessing the start address correctly.&nbsp; Since heaps, stacks, and most other memory regions are allocated bottom-up, this has the effect of making traditional address space spraying attacks impractical (such as heap and JIT spraying).&nbsp; This is because systems today do not have enough memory available to spray the amount that would be needed to achieve even small degrees of reliability.&nbsp; In addition, executable images that are randomized by the Force ASLR feature receive high degrees of entropy as a result of the high entropy bottom-up randomization feature being enabled for an application. 
As a result, exploits for vulnerabilities in 64-bit applications that rely on address space spraying will first need to disclose the address of at least one bottom-up allocation in order to determine where data may have been placed relative to that address.</span></span></p> <p><span style="font-family: Calibri; font-size: small;">For compatibility reasons, this feature is disabled by default and must be enabled on a per-application basis.&nbsp; This is because some 64-bit applications have latent pointer truncation issues that can surface when dealing with pointers above 4 GB (significant bits set beyond bit 31).&nbsp; 64-bit applications that enable this feature are guaranteed to receive memory addresses that are above 4 GB when allocating bottom-up memory (unless insufficient address space exists above 4 GB).&nbsp; 64-bit applications can enable support for this feature by linking their EXE with the </span><a href="http://msdn.microsoft.com/en-us/library/vstudio/jj835761.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">/HIGHENTROPYVA linker flag</span></a><span style="font-size: small;"><span style="font-family: Calibri;"> provided by Visual Studio 2012. 
This flag is enabled by default for native applications when building with Visual Studio 2012 and beyond.</span></span></p> <h2><span style="font-size: medium;"><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">High Entropy Top-down Randomization</span></span></span></h2> <p><span style="font-size: small;"><span style="font-family: Calibri;">This feature introduces 8 GB of variance into the address that top-down allocations start from.&nbsp; This equates to 17 bits of entropy, or a 1 in 131,072 chance of guessing the start address correctly.&nbsp; 64-bit processes automatically receive high degrees of entropy for top-down allocations if top-down randomization has been enabled (which is controlled by whether the EXE linked with /DYNAMICBASE).&nbsp; &nbsp;</span></span></p> <h2><span style="font-size: medium;"><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">High Entropy Image Randomization</span></span></span></h2> <p><span style="font-family: Calibri;"><span style="font-size: small;">Prior to Windows 8, 64-bit executable images received the same amount of entropy that was used when randomizing 32-bit executable images (8 bits, or 1 in 256 chance of guessing correctly).&nbsp; The amount of entropy applied to 64-bit images has been significantly increased in most cases starting with Windows 8:</span></span></p> <ul> <li><span style="font-family: Calibri;"><span style="font-size: small;">DLL images based above 4 GB: 19 bits of entropy (1 in 524,288 chance of guessing correctly)</span></span></li> <li><span style="font-family: Calibri;"><span style="font-size: small;">DLL images based below 4 GB: 14 bits of entropy (1 in 16,384 chance of guessing correctly).&nbsp; </span></span></li> <li><span style="font-family: Calibri;"><span style="font-size: small;">EXE images based above 4 GB: 17 bits of entropy (1 in 131,072 chance of guessing correctly).</span></span></li> <li><span style="font-size: small;"><span style="font-family: 
Calibri;">EXE images based below 4 GB: 8 bits of entropy (1 in 256 chance of guessing correctly).</span></span></li> </ul> <p><span style="font-size: small;"><span style="font-family: Calibri;">The entropy differs according to an image's base address, again for compatibility reasons.&nbsp; The Windows kernel currently uses the preferred base address of an image as a hint to decide if the image supports being based above 4 GB.&nbsp; Images that are based below 4 GB may not have been tested in scenarios where they are relocated above 4 GB and therefore may have latent pointer truncation issues.&nbsp; As such, the Windows kernel makes a best-effort attempt to ensure that these images load below 4 GB.&nbsp; Because of these constraints, the vast majority of 64-bit EXEs and DLLs in Windows 8 and Windows 8.1 have been based above 4 GB to ensure that they benefit from the highest possible degrees of entropy. The Visual C++ tool chain also bases 64-bit images above 4 GB by default.</span></span></p> <h1><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">Address Space Information Disclosure Hardening</span></span></h1> <p><span style="font-size: small;"><span style="font-family: Calibri;">The effectiveness of ASLR is inherently dependent on an attacker being unable to discover the location of objects in memory.&nbsp; In some cases, an attacker can leverage a vulnerability in a program to disclose information about the address space layout of a process.&nbsp; For example, an attacker could use a vulnerability to read memory that they would not normally be able to access and thereby discover the address of a DLL in memory.&nbsp; While the mechanics of disclosing address space information are typically dependent on the application and vulnerability that are being exploited, there are some general approaches that attackers have identified.&nbsp; In Windows 8, we have taken steps to eliminate and destabilize known 
address space information disclosure vectors, although these changes have by no means resolved the general problem posed by address space information disclosures.</span></span></p> <h2><span style="font-size: medium;"><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">Image pointers removed from SharedUserData</span></span></span></h2> <p><span style="font-family: Calibri; font-size: small;">Windows uses an internal data structure known as SharedUserData to efficiently communicate certain pieces of information from the kernel to all processes on a system.&nbsp; For efficiency and compatibility reasons, the memory address that SharedUserData is located at is consistent across all processes on a system and across all versions of Windows, including Windows 8 (0x7ffe0000).&nbsp; Since Windows XP Service Pack 2, this memory region has contained pointers into a system DLL (NTDLL.DLL) that have been used to enable efficient system call invocation, among other things.&nbsp; The presence of image pointers at a known-fixed location in memory was noted as being useful in the context of certain types of address space information disclosures.&nbsp; In Windows 8 (and now prior versions with MS13-063 installed), all image pointers have been removed from SharedUserData to mitigate this type of attack. The removal of these pointers effectively mitigated a DEP/ASLR bypass that was later disclosed which affected versions of Windows prior to Windows 8 (involving </span><a href="http://blogs.technet.com/b/srd/archive/2013/08/12/mitigating-the-ldrhotpatchroutine-dep-aslr-bypass-with-ms13-063.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">LdrHotPatchRoutine</span></a><span style="font-size: small;"><span style="font-family: Calibri;">). 
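A small audit of the opt-ins the Force ASLR, high entropy and image randomization sections above describe, as an added example that is not code from the SRD post: it reads the COFF and optional header bits behind /DYNAMICBASE, /HIGHENTROPYVA, /LARGEADDRESSAWARE and stripped relocations, applies the post's Force ASLR rule, and reproduces its entropy figures. The 64 KB allocation-granularity assumption in entropy_bits and the sample headers are constructed for the example.

```python
"""Audit a PE header for the ASLR opt-ins discussed above (added example,
not code from the SRD post).  It parses just enough of a PE image to say
whether the image is relocatable, linked with /DYNAMICBASE and
/HIGHENTROPYVA, and based above 4 GB, and maps that onto the entropy
figures the post gives.  The headers at the bottom are constructed."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits
IMAGE_FILE_RELOCS_STRIPPED = 0x0001      # no .reloc data: cannot be moved
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020  # /LARGEADDRESSAWARE
IMAGE_FILE_DLL = 0x2000
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # /HIGHENTROPYVA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # /DYNAMICBASE
PE32, PE32PLUS = 0x10B, 0x20B
FOUR_GB = 1 << 32


def audit_pe(data):
    """Return the ASLR-relevant facts from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (the one we need)
    chars = struct.unpack_from("<HHIIIHH", data, coff)[6]
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32:        # 32-bit: ImageBase is a DWORD at offset 28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == PE32PLUS:  # 64-bit: ImageBase is a QWORD at offset 24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "is_64bit": magic == PE32PLUS,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "relocatable": not chars & IMAGE_FILE_RELOCS_STRIPPED,
        "large_address_aware": bool(chars & IMAGE_FILE_LARGE_ADDRESS_AWARE),
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "based_above_4gb": image_base >= FOUR_GB,
    }


def aslr_verdict(info, force_aslr=False):
    """How the Windows 8 loader treats the image, per the post's rules."""
    if not info["relocatable"]:
        return "never randomized (relocations stripped)"
    if info["dynamic_base"]:
        return "randomized (linked with /DYNAMICBASE)"
    if force_aslr:
        return "randomized only because the host process enabled Force ASLR"
    return "loaded at its preferred base (no /DYNAMICBASE, Force ASLR off)"


def image_entropy_bits(info):
    """Entropy the post lists for Windows 8 image randomization."""
    if not info["is_64bit"]:
        return 8  # 32-bit images: 1 in 256
    if info["is_dll"]:
        return 19 if info["based_above_4gb"] else 14
    return 17 if info["based_above_4gb"] else 8


def entropy_bits(variance_bytes, granularity=64 * 1024):
    """Bits of entropy for a start-address variance.  Assumes (an assumption
    of this example that reproduces the post's figures) that mappings land
    on 64 KB allocation-granularity boundaries: 1 TB -> 24, 8 GB -> 17."""
    return (variance_bytes // granularity).bit_length() - 1


def build_header(pe32plus, image_base, file_chars, dll_chars):
    """Constructed minimal PE header: DOS stub, COFF header, optional header."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       1, 0, 0, 0, 72, file_chars)
    opt = bytearray(72)
    struct.pack_into("<H", opt, 0, PE32PLUS if pe32plus else PE32)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a 64-bit DLL based above 4 GB with every opt-in, and a
# 32-bit DLL linked without /DYNAMICBASE (the HXDS.DLL situation; base made up).
MODERN_DLL = build_header(True, 0x1_8000_0000,
                          IMAGE_FILE_DLL | IMAGE_FILE_LARGE_ADDRESS_AWARE,
                          IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                          | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
LEGACY_DLL = build_header(False, 0x10000000, IMAGE_FILE_DLL, 0)
```

Point audit_pe at the bytes of any real EXE or DLL to get the same report; only the first 160 bytes of a typical image are consulted.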
</span></span></p> <h2><span style="font-size: medium;"><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">Predictable fixed memory mappings eliminated</span></span></span></h2> <p><span style="font-size: small;"><span style="font-family: Calibri;">Ensuring that all forms of memory allocation have some base level of entropy has the effect of eliminating what would otherwise be predictable memory mappings in the address space. In some cases, an attacker may be able to leverage a vulnerability to read the contents of arbitrary locations in memory. In these cases, the attacker must be able to predict or discover the address of the object that they wish to read from (typically via heap spraying). The improvements that have been made to ASLR in Windows 8 have made it more difficult for attackers to do this reliably, particularly on 64-bit. As a result, any address space information disclosure that relies on reading from a specified location in memory will generally be more difficult and less reliable on Windows 8. It should be noted, however, that the size of the 32-bit address space places practical constraints on the impact of this, particularly in cases where an attacker is able to fill a large portion of the address space with desired content.</span></span></p> <h2><span style="font-size: medium;"><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">Kernel address space information access restrictions</span></span></span></h2> <p><span style="font-size: small;"><span style="font-family: Calibri;">While the previous sections highlighted improvements that were made to ASLR for user mode applications, we also made investments in Windows 8.1 into hardening the Windows kernel against disclosing kernel address space information to lesser privileged user mode processes. 
The majority of these improvements focused on restricting low integrity processes from accessing certain system and process information classes that intentionally expose kernel address space information. In addition, certain kernel addresses were removed from the shared desktop heap and hypervisor-assisted restrictions were added to limit the exposure of kernel addresses via instructions that can be used to query the GDT/IDT descriptor table base addresses. As a result of these improvements, sandboxed applications such as Internet Explorer 11, Microsoft Office 2013, and Windows Store apps are all prevented from discovering addresses through these interfaces. This means it will be more difficult for attackers to exploit local kernel vulnerabilities as a means of escaping these sandboxes.</span></span></p> <h1><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">Conclusion</span></span></h1> <p><span style="font-size: small;"><span style="font-family: Calibri;">The improvements that have been made to ASLR in Windows 8 and Windows 8.1 have addressed various limitations that attackers have been taking advantage of when exploiting vulnerabilities. As a result of these improvements, we anticipate that attackers will continue to be increasingly reliant on address space information disclosures as a means of bypassing ASLR. 
Forcing attackers to rely on information disclosures has the effect of adding another costly check box to the conditions that attackers need to satisfy when exploiting memory safety vulnerabilities in modern applications.</span></span></p> <p><span style="font-family: Calibri; font-size: small;">- Matt Miller</span></p><div style="clear:both;"></div> Assessing risk for the December 2013 security updates http://blogs.technet.com/b/srd/archive/2013/12/10/assessing-risk-for-the-december-2013-security-updates.aspx Tue, 10 Dec 2013 18:03:00 GMT swiat <p>Today we released eleven security bulletins addressing 24 CVEs. Five bulletins have a maximum severity rating of Critical while the other six have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.</p> <table style="width: 350px;" border="1"> <tbody> <tr> <td>Bulletin</td> <td>Most likely attack vector</td> <td>Max Bulletin Severity</td> <td>Max XI</td> <td>Likely first 30 days impact</td> <td>Platform mitigations and key notes</td> </tr> <tr> <td><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-096">MS13-096</a> <p>(GDI+ TIFF parsing)</p> </td> <td>Victim opens malicious Office document.</td> <td>Critical</td> <td>1</td> <td>Likely to continue seeing Office document attacks leveraging CVE-2013-3906.</td> <td>Addresses vulnerability first described in <a href="https://support.microsoft.com/kb/2896666">Security Advisory 2896666</a>. 
More information about these attacks is given in <a href="http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx">this SRD blog post</a> from November.</td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-097">MS13-097</a></p> <p>(Internet Explorer)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Addresses five remote code execution and two elevation of privilege vulnerabilities. The elevation of privilege vulnerabilities could be used by an attacker to elevate out of Internet Explorer&rsquo;s Protected Mode after already achieving code execution within that environment.</td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-099">MS13-099</a></p> <p>(VBScript)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Not a vulnerability in the browser directly &ndash; however, the Scripting.Dictionary ActiveX control is on the pre-approved list and is allowed to load without prompt.</td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-105">MS13-105</a></p> <p>(Exchange)</p> </td> <td>Attacker sends email with malicious attachment and lures victim to view the attachment as a webpage within Outlook Web Access. 
The attacker could potentially compromise the server-side process generating the web page.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Addresses Oracle Outside In issues included in the October 2013 security update: <a href="http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html">http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html</a></td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-098">MS13-098</a></p> <p>(Authenticode)</p> </td> <td>Victim computer infected because user runs / double-clicks a malicious installer that had been signed by a trusted 3rd party and subsequently altered by an attacker to download a malicious executable.</td> <td>Critical</td> <td>1</td> <td>Limited, targeted attacks expected to continue in next 30 days.</td> <td>This issue relies on user first choosing to run a malicious binary. More information on scope of this issue and additional hardening provided by the security update here: <a href="http://blogs.technet.com/b/srd/archive/2013/12/10/ms13-098-update-to-enhance-the-security-of-authenticode.aspx">http://blogs.technet.com/b/srd/archive/2013/12/10/ms13-098-update-to-enhance-the-security-of-authenticode.aspx</a></td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-100">MS13-100</a></p> <p>(SharePoint)</p> </td> <td>Attacker able to authenticate to vulnerable SharePoint server sends blob of data that is incorrectly de-serialized resulting in potential code execution server-side.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Successful attack elevates authenticated user to W3WP service account on the SharePoint site.</td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-101">MS13-101</a></p> <p>(Kernel mode drivers)</p> </td> <td>Attacker running code 
at low privilege runs exploit binary to elevate to SYSTEM.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Addresses primarily win32k.sys local elevation of privilege vulnerabilities. The font case also being addressed results in denial-of-service only, not code execution.</td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-102">MS13-102</a></p> <p>(LPC)</p> </td> <td>Attacker running code at low privilege on Windows XP or Windows Server 2003 runs exploit binary to elevate to SYSTEM.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Does not affect Windows Vista or any later versions of Windows.</td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-106">MS13-106</a></p> <p>(hxds.dll ASLR mitigation bypass)</p> </td> <td>Attacker combines this vulnerability with a (separate) code execution vulnerability to compromise a system.</td> <td>Important</td> <td>n/a</td> <td>This issue has been leveraged as an exploit component in several real-world browser-based attacks.</td> <td>This vulnerability does not result in code execution directly. However, it is a component attackers use to bypass ASLR. Applying this security update will disrupt a number of in-the-wild exploits even in cases where an update is not applied for a code execution vulnerability.</td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-104">MS13-104</a></p> <p>(Office)</p> </td> <td>Attacker sends victim a link to malicious server. 
If victim clicks the link, browser makes a request to Microsoft&rsquo;s Office 365 server on behalf of the victim in such a way that a user token is captured by the malicious server, allowing owner of the malicious server to log in to SharePoint Online the same way the victim user would have been able to log in.</td> <td>Important</td> <td>n/a</td> <td>This issue was reported to us by Adallom after they detected targeted attacks leveraging this vulnerability.</td> <td>Affects customers who use Office 2013 to access the Office 365 SharePoint Online multi-tenant service.</td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-103">MS13-103</a></p> <p>(SignalR)</p> </td> <td>Attacker sends victim a link exploiting a Cross-Site Scripting (XSS) vulnerability on an Intranet Visual Studio Team Foundation Server (TFS) for which they have access rights. If the victim clicks the link, an automatic action is taken on their behalf on the TFS server that they otherwise might not have wanted to execute.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>&nbsp;</td> </tr> </tbody> </table> <p>- Jonathan Ness, MSRC's engineering team</p><div style="clear:both;"></div> Omphaloskepsis and the December 2013 Security Update Release http://blogs.technet.com/b/msrc/archive/2013/12/10/omphaloskepsis-and-the-december-2013-security-update-release.aspx Tue, 10 Dec 2013 18:00:00 GMT Dustin C. Childs <p><span style="font-size: small;">There are times when we get too close to a topic. We familiarize ourselves with every aspect and nuance, but fail to recognize not everyone else has done the same. 
Whether you consider this myopia, navel-gazing, or human nature, the effect is the same. I recognized this during the recent webcast when someone asked the question &ndash; &ldquo;What&rsquo;s the difference between a security advisory and a security bulletin?&rdquo; The answer was simple to me, as I&rsquo;ve been doing this for years, but the question was valid and it reminded me that not every person on the planet knows all of the ins and outs of Update Tuesday.</span></p> <p><span style="font-size: small;">Given this month&rsquo;s </span><a href="http://technet.microsoft.com/security/bulletin/MS13-dec"><span style="color: #0563c1; font-size: small;">release</span></a><span style="font-size: small;">, the question is timely, as we have 11 bulletins and 3 new advisories releasing today. As we look through today&rsquo;s release, I thought it would be helpful to step back and take a closer look at some of the terminology we use frequently. Let&rsquo;s begin by taking a look at the bulletins for December.</span></p> <p><span style="font-size: small;"><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/7360.deployment.jpg"><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/7360.deployment.jpg" alt="" border="0" /></a></span></p> <p><span style="font-size: small;">You may notice the graphic is significantly different from past months. In the new format, where you see circles throughout the deck, that&rsquo;s the deployment priority. 
The numbers in squares represent the exploit index and the words in color indicate bulletin severity.</span></p> <p><span style="font-size: small;">As we review our top bulletin deployment priorities for this month, let&rsquo;s pause to review the official definition of a security bulletin.</span></p> <p><span style="font-size: small;">Security bulletins include the <a href="http://www.microsoft.com/en-us/download/details.aspx?id=559">following</a>: </span></p> <ul> <li><span style="font-size: small;">Details of all affected products</span></li> <li><span style="font-size: small;">A list of frequently asked questions</span></li> <li><span style="font-size: small;">Information about workarounds and mitigations</span></li> <li><span style="font-size: small;">Any other information that IT staff needs to address the issue</span></li> </ul> <p><span style="font-size: small;">But that doesn&rsquo;t really explain <em>why</em> a security bulletin is released. Simply put, when there is a </span><a href="http://technet.microsoft.com/library/cc751383.aspx"><span style="color: #0563c1; font-size: small;">significant</span></a><span style="font-size: small;"> security-related update for something we ship, it goes in a security bulletin. If an issue in software can be corrected by applying new software, it becomes a security bulletin. Update for the Windows kernel? Security bulletin. Cumulative update for Internet Explorer? Security bulletin. Code problem with .NET Framework? Security bulletin. I think you see where I&rsquo;m going with this. </span></p> <p><span style="font-size: small;">This month, we have 11 security bulletins, 5 Critical and 6 Important in severity, addressing 24 unique CVEs in Microsoft Windows, Internet Explorer, Office and Exchange. 
For those who need to prioritize deployment planning we recommend focusing on </span><a href="http://technet.microsoft.com/security/bulletin/ms13-096"><span style="color: #0563c1; font-size: small;">MS13-096</span></a><span style="font-size: small;">, </span><a href="http://technet.microsoft.com/security/bulletin/ms13-097"><span style="color: #0563c1; font-size: small;">MS13-097</span></a><span style="font-size: small;">, and </span><a href="http://technet.microsoft.com/security/bulletin/ms13-099"><span style="color: #0563c1; font-size: small;">MS13-099</span></a><span style="font-size: small;">.</span></p> <p><a href="http://technet.microsoft.com/security/bulletin/ms13-096"><span style="color: #0563c1; font-size: small;">MS13-096 | Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution</span></a><br /><span style="font-size: small;"> This security update resolves a publicly disclosed vulnerability in Microsoft Windows, Microsoft Office, and Microsoft Lync. The vulnerability could allow remote code execution if a user views content that contains specially crafted TIFF files. As we highlighted through ANS, </span>this update fully resolves the issue first described in Security Advisory 2896666. For those who installed the Fix it released through the advisory, you do not need to uninstall the Fix it prior to installing the update, but we do recommend disabling the Fix it after installation to ensure TIFF images are displayed correctly.</p> <p><a href="http://technet.microsoft.com/security/bulletin/ms13-097"><span style="color: #0563c1; font-size: small;">MS13-097 | Cumulative Update for Internet Explorer</span></a><br /><span style="font-size: small;"> This security update resolves seven privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. 
An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user.</span></p> <p><a href="http://technet.microsoft.com/security/bulletin/ms13-099"><span style="color: #0563c1; font-size: small;">MS13-099 | Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code Execution</span></a><br /><span style="font-size: small;"> This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user to visit a specially crafted website or a website that hosts specially crafted content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.</span></p> <p><span style="font-size: small;">In addition to the security bulletins, we are also releasing three security advisories this month and revising one more. So how do security advisories differ from security bulletins? After all, sometimes we see updates included in Security Advisories as well &ndash; including advisories this month. What&rsquo;s the difference?</span></p> <p><span style="font-size: small;">The easiest way to think of advisories is to consider them as a call to action. With bulletins, updates are usually sent out through Windows or Microsoft Update. If you&rsquo;ve enabled automatic updating, there&rsquo;s no action for you &ndash; the update will be installed and if needed, your system will reboot. Even if you manually apply all updates, bulletins should require nothing more than installing a package and potentially restarting a service or system. Advisories cover topics that potentially affect your security but cannot be resolved through an update alone. 
Let&rsquo;s look at the advisories this month as examples.</span></p> <p><a href="http://technet.microsoft.com/security/advisory/2905247"><span style="color: #0563c1; font-size: small;">Security Advisory 2905247 &ndash; Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege</span></a><br /><span style="font-size: small;"> This update enables administrators to configure their ASP.NET servers to ensure that view state MAC remains enabled at all times, as well as to provide general guidance on how to enable view state MAC on IIS servers.</span></p> <p><span style="font-size: small;">In this instance, we&rsquo;re not correcting faulty code; we&rsquo;re allowing administrators to enforce a default behavior that&rsquo;s more secure than the non-default setting.</span></p> <p><a href="http://technet.microsoft.com/security/advisory/2871690"><span style="color: #0563c1; font-size: small;">Security Advisory 2871690 &ndash; Update to Revoke Non-compliant UEFI Modules</span></a><br /><span style="font-size: small;"> This advisory notifies customers that an update is available for Windows 8 and Windows Server 2012 that revokes the digital signatures for specific Unified Extensible Firmware Interface (UEFI) modules. The affected UEFI modules consist of specific Microsoft-signed modules that are either not in compliance with our certification program or their authors have requested that the packages be revoked. This update applies to nine private, third-party UEFI modules used for test purposes only.</span></p> <p><span style="font-size: small;">While this may seem like something we can address through a security bulletin, these UEFI modules are not known to be in public distribution. In all likelihood, you are not affected. Your friends aren&rsquo;t affected. No one you know is affected. 
Still, we can&rsquo;t be 100% certain that no one is affected, so we&rsquo;re releasing this advisory with instructions for checking just in case.</span></p> <p><a href="http://technet.microsoft.com/security/advisory/2915720"><span style="color: #0563c1; font-size: small;">Security Advisory 2915720 &ndash; Changes in Windows Authenticode Signature Verification</span></a><br /><span style="font-size: small;"> This advisory informs customers of an impending change to how Windows verifies Authenticode-signed binaries. It also recommends that developers who sign binaries with Windows Authenticode ensure that their signatures conform to the change by June 10, 2014. The <a href="http://blogs.technet.com/b/srd/archive/2013/12/10/ms13-098-update-to-enhance-the-security-of-authenticode.aspx">SRD blog</a> covers additional technical details about the changes.</span></p> <p><span style="font-size: small;">This is an interesting advisory on an interesting topic. It accompanies a security bulletin, </span><a href="http://technet.microsoft.com/security/bulletin/ms13-098"><span style="color: #0563c1; font-size: small;">MS13-098</span></a><span style="font-size: small;">, which does address an issue in Windows. In addition to resolving a security issue through new code, the update also introduces new functionality. This advisory details the new functionality and provides guidelines to both administrators and developers. The advisory provides some suggested test scenarios to ensure your enterprise and executables are ready for the change. 
Again, since this change tightens security rather than addresses an issue, it&rsquo;s more appropriate that we communicate this to you through an advisory.</span></p> <p><span style="font-size: small;">Finally, we are also revising </span><a href="http://technet.microsoft.com/security/advisory/2755801"><span style="color: #0563c1; font-size: small;">Security Advisory 2755801</span></a><span style="font-size: small;"> with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin </span><a href="http://helpx.adobe.com/security/products/flash-player/apsb13-28.html" target="_blank"><span style="color: #0563c1; font-size: small;">APSB13-28</span></a><span style="font-size: small;">. For more information about this update, including download links, see </span><a href="http://support.microsoft.com/kb/2907997" target="_blank"><span style="color: #0563c1; font-size: small;">Microsoft Knowledge Base Article 2907997</span></a><span style="font-size: small;">.</span></p> <p><span style="font-size: small;">If you&rsquo;ve been intrepid enough to read this far down, watch the bulletin overview video below for a brief summary of today&rsquo;s releases. </span></p> <p><span style="font-size: small;"><iframe src="http://www.youtube.com/embed/6B-zTXF6qQ4" frameborder="0" width="550" height="309"></iframe></span></p> <p><span style="font-size: small;">For more information about this month&rsquo;s security updates, visit the </span><a href="http://technet.microsoft.com/security/bulletin/MS13-dec"><span style="color: #0563c1; font-size: small;">Microsoft Bulletin Summary Web page</span></a><span style="font-size: small;">. </span></p> <p><span style="font-size: small;">Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, December 11, 2013, at 11 a.m. PST. 
I invite you to register </span><a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032557386&amp;Culture=en-US"><span style="color: #0563c1; font-size: small;">here</span></a><span style="font-size: small;">, and tune in to learn more about this month&rsquo;s security bulletins and advisories. </span></p> <p><span style="font-size: small;">For all the latest information, you can also follow the MSRC team on Twitter at </span><a href="http://www.twitter.com/msftsecresponse"><span style="color: #0563c1; font-size: small;">@MSFTSecResponse</span></a><span style="font-size: small;">. </span></p> <p><span style="font-size: small;">I hope this in-depth discussion of bulletins and advisories has been worth your time. If so, let me know what other topics you would like to see covered here. I never grow weary of talking about second Tuesday.</span></p> <p><span style="font-size: small;">Thanks,<br /> </span><a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs"><span style="color: #0563c1; font-size: small;">Dustin Childs</span></a><br /><span style="font-size: small;"> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</span></p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3617155&AppID=4571&AppType=Weblog&ContentType=0" width="1" height="1">Microsoft ExchangeMicrosoft Windowsmonthly bulletin releaseSecurity BulletinSecurity Updaterisk assessmentMicrosoft Office Rotbrow: the Sefnit distributorhttp://blogs.technet.com/b/mmpc/archive/2013/12/10/rotbrow-the-sefnit-distributor.aspxTue, 10 Dec 2013 18:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:c0c7abbe-6fac-490b-a6fc-fdc27ad6ddabmsft-mmpc2http://blogs.technet.com/b/mmpc/archive/2013/12/10/rotbrow-the-sefnit-distributor.aspx#comments<div class="ExternalClass7BB8256564F54D08BCFF2E38E9A3A44C"> <p>This month's addition to the <a href="http://www.microsoft.com/security/pc-security/malware-removal.aspx">Microsoft Malicious Software 
Removal Tool</a> is a family that is both old and new. <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Rotbrow">Win32/Rotbrow</a> existed as far back as 2011, but the first time we saw it used for malicious purposes was only in the past few months.</p> <p>In September, Geoff <a href="http://blogs.technet.com/b/mmpc/archive/2013/09/25/mevade-and-sefnit-stealthy-click-fraud.aspx">blogged</a> about the dramatic resurgence of Win32/Sefnit (aka Mevade). At the time, we knew of several ways in which Sefnit was distributed, but we continued investigating how it was able to get on so many machines. When we concentrated on the most prevalent component, which Geoff labelled the "Updater and Installer Service" in his blog, we found one file in particular stood out. We knew that this file was bundled with an installer for a&nbsp;harmless program called&nbsp;FileScout, but where did the FileScout installer come from?</p> <p>Our telemetry showed us a pattern. The FileScout/Sefnit installer was not being downloaded directly from the web; it was usually written by a process called "BitGuard.exe". We were quickly able to trace the individual file that was writing the installer on so many computers. It was the most prevalent sample of something that called itself "Browser Protector" (and sometimes "Browser Defender"). We had seen many versions of this before, but never any that exhibited behaviour that would warrant our detection. This sample was different &ndash; we knew it must have either carried the FileScout/Sefnit installer inside it, or it was downloading it from somewhere else.</p> <p>It took only minutes to identify which possibility was correct. Inside the file we found a resource called RT_BIN, whose content was not immediately significant, but whose size was 251,299 bytes - exactly the same as the FileScout/Sefnit installer.</p> <p>Apparently the resource was encrypted. 
We could see that "Browser Protector" contained the same RC4 decryption code we'd seen in Sefnit, and the decryption key was easy to locate inside the code (rather obviously it was "FilescoutEncryptionKey"), so we tried it out. Sure enough, the decrypted result matched the FileScout/Sefnit installer we expected. It was also easy to confirm that "Browser Protector" could write the decrypted file to the temporary folder with the file name setup_fsu_cid.exe, exactly as we had seen from our telemetry.</p> <p>While we found that many variants of "Browser Protector" do not contain Sefnit, they are capable of updating to versions that do, so we added a generic detection under the name Win32/Rotbrow. To further stymie this avenue for Sefnit distribution, this month we add the Rotbrow family to MSRT.</p> <p><strong>SHA1s:</strong></p> <p>Sefnit updater and installer service: 942860bedf408cc4c6a1831ef3744a3f9e68b375<br />FileScout installer: c5758309136cd1e7e804d2003dc5ca27ae743ac3<br />Rotbrow: efe10525395591ca4fb6ec083f6f22c9e0db2d9d</p> </div><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3616471&AppID=6258&AppType=Weblog&ContentType=0" width="1" height="1">Malicious Software Removal ToolMSRTmalware MS13-098: Update to enhance the security of Authenticodehttp://blogs.technet.com/b/srd/archive/2013/12/10/ms13-098-update-to-enhance-the-security-of-authenticode.aspxTue, 10 Dec 2013 17:20:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:2ed5f9d8-4e67-47a8-8df1-2380f8498a6dswiat0<p>Today we released <a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-098">MS13-098</a>, a security update that strengthens the <a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff686697(v=vs.85).aspx">Authenticode</a> code-signing technology against attempts to modify a signed binary without invalidating the signature. 
This update addresses a specific instance of malicious binary modification that could allow a modified binary to pass the Authenticode signature check. More importantly, it also introduces further hardening to consider a binary &ldquo;unsigned&rdquo; if any modification has been made in a certain portion of the binary. Those improvements to the Authenticode Signature Verification, as described below, require changes from a small but important set of third-party application developers, so the new process will not be enabled by default today. Six months from today, on June 10, 2014, binaries will be considered unsigned if they do not conform to the new verification process. If you want to enable the regkey and test the change today, please see the information posted in the <a href="http://technet.microsoft.com/en-us/security/advisory/2915720">security advisory 2915720</a>.</p> <p>We&rsquo;d like to use this blog post to share more about Authenticode and the role of Authenticode in enabling customer confidence while running executables downloaded from the internet.</p> <p><strong>Authenticode and signed binaries</strong></p> <p>Authenticode&reg; is a digital signature format that is used to determine the origin and integrity of software binaries. Authenticode is based on Public-Key Cryptography Standards (PKCS) #7 signed data and X.509 certificates to bind an Authenticode-signed binary to the identity of a software publisher.</p> <p>The idea behind Authenticode is to leverage the reputation of a software developer or company to help customers make a trust decision. If you trust a particular company, you can execute binaries published by that company from any source and media as long as the binary is signed with the company&rsquo;s valid Authenticode signature. The valid Authenticode signature does not guarantee that the software is safe to run. However, it does prove that the binary has been signed by that particular company and has not been altered afterward. 
According to the Authenticode Portable Executable format specification, Authenticode signatures can be &ldquo;embedded&rdquo; in a Windows PE file, in a location specified by the Certificate Table entry in the Optional Header Data Directories. When Authenticode is used to sign a Windows PE file, the algorithm that calculates the file's Authenticode hash value excludes certain PE fields. When embedding the signature in the file, the signing process can modify these fields without affecting the file's hash value. These fields are as follows: the checksum, certificate table RVA, certificate table size and the attribute certificate table. The certificate table contains a PKCS #7 SignedData structure containing the PE file's hash value, a signature created by the software publisher&rsquo;s private key, and the X.509 v3 certificates that bind the software publisher&rsquo;s signing key to a legal entity. A PKCS #7 SignedData structure can optionally contain:</p> <ul> <li>A description of the software publisher</li> <li>The software publisher's URL</li> <li>An Authenticode timestamp</li> </ul> <p>The following schema illustrates how an Authenticode signature is included in a Windows PE file:</p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/8358.authenticode.PNG"><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/8358.authenticode.PNG" alt="" border="0" /></a></p> <p>By design, no executable code is omitted from the signature. Once the code is authenticated and attributed to an author, everything that code does is the responsibility of the author.</p> <p><strong>Installer programs and Authenticode signatures</strong></p> <p>Downloaders and installers signed by Authenticode require special consideration because they download and execute other executables. 
As explained above, Authenticode testifies that a particular program&rsquo;s code was signed by the author and that the executable code has not changed since then. If that particular program is designed to download and run a second executable from the network, the original program needs to verify the second executable&rsquo;s integrity with Authenticode or by other means. The developers of a program should pay close attention to guarantee the same level of trust and integrity across the full download chain to ensure that executables downloaded by their installer are also trustworthy and cannot be replaced with a malicious program.</p> <p>Microsoft was informed that a small set of third party installer programs, signed with a valid Authenticode signature, had been modified to download a different executable than the one originally designed to download without invalidating the installer&rsquo;s Authenticode signature.</p> <p>We analyzed each of these samples to study the execution flow to learn how they worked. Firstly, the code, which is covered by Authenticode, is executed from the entry point. Then, this code looks for an overlay inside the file to read a stream. Finally, the code decrypts a URL from the stream and downloads and executes an executable from that URL. The programs unfortunately omitted the integrity check before executing the downloaded file.</p> <p>An overlay is data appended to the physical image of a Portable Executable. Explained simply, one can take a PE binary, append additional content to the end without adjusting the header, and it has an overlay. This data area is not defined as part of the image by the PE header and therefore isn't part of the virtual image of the loaded PE. 
The Authenticode verification code verifies that the Attribute Certificate table is the last thing in the file and reports an invalid signature if something is appended after that.</p> <p>In the sample reported to Microsoft, the size of the certificate directory had been increased to cover the overlay. So technically, the certificate directory was the last thing in the file, allowing the test to pass.</p> <p>There are a couple of lessons to learn from this sample:</p> <p>First, the developer stored the URL stream intentionally inside the certificate directory to allow them to sign once and create different installers. This particular sub-optimal practice enabled the malicious binary modification reported to Microsoft. The <a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-098">MS13-098</a> hardening, expected to go into effect June 10, 2014, will consider a binary unsigned in this case going forward.</p> <p>Second, the developer in this particular case was not validating the file subsequently downloaded and executed by any other means.</p> <p>A better way to enable the scenario desired by the developer would have been to store the URL as a resource inside the PE. In doing so, the URL would have been covered by Authenticode and any attempt to modify the downloaded URL would have resulted in a failed signature verification.</p> <p>Today, with <a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-098">MS13-098</a>, as described above, the Windows team has added additional hardening and mitigation in order to detect this kind of bad practice and report an invalid Authenticode signature. When enabled, these hardening measures will detect cases where additional unverified data has been placed after the PKCS #7 blob in the certificate directory of a PE image. The check validates that there is no non-zero data beyond the PKCS #7 structure. 
Although this change prevents one form of this unsafe practice, it is not capable of preventing all such forms; for example, an application developer can place unverified data within the PKCS #7 blob itself, which will not be taken into account when verifying the Authenticode signature. However, as this blog post illustrates, developers are strongly discouraged from doing this as it can lead to unsafe application behavior and could potentially put the reputation of the signing company at risk if their application makes use of the unverified data in an unsafe way.</p> <p>- Ali Rahbar, MSRC engineering team</p> <p>I would like to thank Jonathan Ness, Elia Florio and Ali Pezeshk</p> <p>Ref : <a href="http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx">http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx</a></p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3617343&AppID=6147&AppType=Weblog&ContentType=0" width="1" height="1">trust decisionspoofing MS13-106: Farewell to another ASLR bypasshttp://blogs.technet.com/b/srd/archive/2013/12/09/ms13-106-another-aslr-bypass-is-gone.aspxTue, 10 Dec 2013 04:18:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:943fe6e0-234e-4acc-a3d4-691c3bb0915bswiat0<p style="text-align: justify;">Today we released <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-106">MS13-106</a>&nbsp;which resolves a security feature bypass that can allow attackers to circumvent Address Space Layout Randomization (ASLR)&nbsp;using a specific DLL library (HXDS.DLL) provided as part of Microsoft Office 2007 and 2010.</p> <p style="text-align: justify;">The existence of an ASLR bypass does not directly enable the execution of code and does not represent a risk by itself, since this bypass still needs to be used in conjunction with another higher-severity vulnerability that allows remote code <br 
/>execution in order to provide some value to attackers. ASLR is an important mitigation that has been supported since Windows Vista which, when combined with Data Execution Prevention (DEP), makes it <a href="http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx">more difficult to exploit memory corruption vulnerabilities</a>.</p> <p style="text-align: justify;">Because ASLR is a generic mitigation aimed at stopping exploitation techniques that apply to many vulnerabilities, attackers are very interested in attempting to find new bypass techniques for it. These bypass techniques typically fall into one of three categories:</p> <p style="text-align: justify; padding-left: 30px;">1) Presence of a DLL at runtime that has not been compiled with the /DYNAMICBASE flag (and is therefore loaded at a predictable location in memory).</p> <p style="text-align: justify; padding-left: 30px;">2) Presence of predictable memory regions or pointers that can be leveraged to execute code or alter program behavior.</p> <p style="text-align: justify; padding-left: 30px;">3) Leveraging a vulnerability to dynamically disclose memory addresses.</p> <p style="text-align: justify;">The ASLR bypass that has been addressed by MS13-106 falls into the first category. The difficulty of finding and using an ASLR bypass varies based on the category of the technique. It is generally easier to identify DLL modules that fall into the first category (especially when expanding the search to third-party browser plugins and toolbars), while it is generally more difficult, and less reusable, to find or create a bypass for the other two categories. 
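Putting the two header checks from these posts into practice, here is an added Python example (not code from either post or from Windows): it reads a PE image's DllCharacteristics to tell whether the module was linked with /DYNAMICBASE (the first bypass category above), and it inspects the certificate table the way the MS13-098 post describes, confirming the table is the last thing in the file and that no non-zero bytes follow the PKCS #7 SEQUENCE. The sample images are constructed inside the block, and the trailing-data test is my reading of the post's description rather than the Windows implementation.

```python
import struct

# Constants from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # set when the image was linked with /DYNAMICBASE
IMAGE_DIRECTORY_ENTRY_SECURITY = 4               # data directory slot of the certificate table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_element_length(buf, off):
    """Total size (tag + length octets + content) of the DER element at buf[off].
    A PKCS #7 SignedData blob is a DER SEQUENCE, so this locates its end in the table."""
    if buf[off] != 0x30:
        raise ValueError("expected a DER SEQUENCE (0x30) at the start of the blob")
    first = buf[off + 1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")


def audit_pe(data):
    """Report ASLR opt-in and Authenticode certificate-table layout for one PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    opt = e_lfanew + 4 + 20                            # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                    # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # DllCharacteristics (same offset in both)
    dirs = opt + (96 if magic == 0x10B else 112)       # first data directory entry
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    report = {
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "signed": cert_off != 0 and cert_size != 0,
        "cert_table_at_eof": False,
        "trailing_data_in_cert_table": False,
    }
    if not report["signed"]:
        return report

    # The certificate table must be the last thing in the file; an overlay after it fails verification.
    report["cert_table_at_eof"] = cert_off + cert_size == len(data)

    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, then bCertificate (the PKCS #7 blob).
    _, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    if revision != WIN_CERT_REVISION_2_0 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected WIN_CERTIFICATE revision/type")
    blob_off = cert_off + 8
    blob_end = blob_off + der_element_length(data, blob_off)
    # MS13-098 hardening as the post describes it: no non-zero byte may follow the PKCS #7
    # structure inside the table (8-byte alignment padding is zero, so it passes).
    tail = data[blob_end:cert_off + cert_size]
    report["trailing_data_in_cert_table"] = any(tail)
    return report


def authenticode_layout_ok(report):
    """True when the table is last in the file and nothing hides after the PKCS #7 blob."""
    return (report["signed"] and report["cert_table_at_eof"]
            and not report["trailing_data_in_cert_table"])


def build_sample_pe(dll_characteristics, pkcs7_blob, hidden=b"", overlay=b""):
    """Constructed minimal PE32 image: headers plus a certificate table, no sections.
    `hidden` goes inside the certificate table with the directory size inflated to cover it
    (the modification the MS13-098 post describes); `overlay` is appended after the table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 96 + 16 * 8                             # PE32 fields plus 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    cert_off = e_lfanew + 4 + 20 + opt_size            # table placed directly after the headers
    entry = struct.pack("<IHH", 8 + len(pkcs7_blob), WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7_blob
    entry += b"\0" * (-len(entry) % 8)                 # WIN_CERTIFICATE entries are 8-byte aligned
    cert_table = entry + hidden
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert_table))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_table + overlay


# Stand-in for a PKCS #7 SignedData blob: a DER SEQUENCE with five bytes of content (constructed).
FAKE_PKCS7 = b"\x30\x05" + b"\x02\x01\x01\x05\x00"

if __name__ == "__main__":
    for name, image in (
        ("clean", build_sample_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, FAKE_PKCS7)),
        ("data hidden in cert table", build_sample_pe(0, FAKE_PKCS7, hidden=b"unsigned config stream")),
        ("overlay after cert table", build_sample_pe(0, FAKE_PKCS7, overlay=b"extra")),
    ):
        report = audit_pe(image)
        print(f"{name}: {report} -> layout ok: {authenticode_layout_ok(report)}")
```

Run against a real signed DLL, the same audit_pe reports whether it opted into ASLR and whether anything non-zero sits between the end of its PKCS #7 blob and the end of the file.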
For example, two of the recent Internet Explorer exploits that were used in targeted attacks (<a href="http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx">CVE-2013-3893</a>&nbsp;and <a href="http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx">CVE-2013-3897</a>) both relied on the same ASLR bypass, which fell into the first category -- making use of the HXDS.DLL library that is part of Office 2007/2010 that was not compiled using /DYNAMICBASE.</p> <p style="text-align: justify;">Bolstering the effectiveness of ASLR helps to harden the security of our products and that is why MSRC continues to release tools and updates that enforce ASLR more broadly on Windows (such as <a href="http://support.microsoft.com/kb/2639308">KB2639308</a>&nbsp;and&nbsp;<a href="http://www.microsoft.com/emet">EMET</a>) and to release updates that close known ASLR bypasses as part of our defense-in-depth strategy (such as <a href="http://blogs.technet.com/b/srd/archive/2013/08/12/mitigating-the-ldrhotpatchroutine-dep-aslr-bypass-with-ms13-063.aspx">MS13-063</a>&nbsp;for the bypass presented at CanSecWest 2013).</p> <p style="text-align: justify;">Today <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-106">MS13-106</a>&nbsp;closes one additional known bypass that will no longer be available to attackers.</p> <p style="text-align: justify;">- Elia Florio, MSRC Engineering</p> <p style="text-align: justify;">&nbsp;</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3617195&AppID=6147&AppType=Weblog&ContentType=0" width="1" height="1">HXDS.DLLExploitASLRMS13-106bypass Security Advisory 2916652 released, Certificate Trust List updatedhttp://blogs.technet.com/b/msrc/archive/2013/12/09/security-advisory-2916652-released-certificate-trust-list-updated.aspxMon, 09 Dec 2013 
18:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:31187d0b-5ccb-4d32-a363-6e1486b38e5fMSRCTeam0<p>Microsoft is updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of a mis-issued third-party digital certificate, which could be used to spoof content and perform phishing or man-in-the-middle attacks against web properties. With this action, customers will automatically be protected against this issue. Additionally, the Enhanced Mitigation Experience Toolkit (EMET) 4.0 and newer versions help mitigate man-in-the-middle attacks by detecting untrusted or improperly issued SSL certificates through the Certificate Trust feature.</p> <p>For more information, please see <a href="http://technet.microsoft.com/en-us/security/advisory/2916652">Microsoft Security Advisory 2916652</a>.</p> <p>Thank you,<br /><span style="color: #0563c1;"><a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a></span><br /> Group Manager, Response Communications <br /> Microsoft Trustworthy Computing</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3617064&AppID=4571&AppType=Weblog&ContentType=0" width="1" height="1">Advisory BlueHat v13 is Cominghttp://blogs.technet.com/b/bluehat/archive/2013/12/06/bluehat-v13-is-coming.aspxFri, 06 Dec 2013 23:34:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:80406a7c-a97c-4e40-918b-86ee57cf1529BlueHat10http://blogs.technet.com/b/bluehat/rsscomments.aspx?WeblogPostID=3616644http://blogs.technet.com/b/bluehat/archive/2013/12/06/bluehat-v13-is-coming.aspx#comments<p>This week, starting Thursday, we&rsquo;ll be hosting our 13<sup>th </sup>edition of BlueHat. 
I&rsquo;m always so impressed with the level of knowledge we attract to each BlueHat, and while the event is invite-only, we&rsquo;ll be sharing glimpses into the event via this blog and the hashtag #BlueHat.</p> <p>For each of the past six years I have had the honor to work among some of the most talented engineers I have ever met, here at Microsoft. I am inspired by the mission we embrace in securing our products, devices, and services. There are few other vantage points with as broad a footprint on the internet, since one of Microsoft&rsquo;s early mottos helped put &ldquo;a computer in every home.&rdquo; Our job in the Microsoft Security Response Center (MSRC) is to help protect the customers who use the technology that the rest of the company works so hard to create. In everything we do in the MSRC, we strive to fulfill our mission to help ensure the security and privacy of over a billion computer systems and our customers worldwide.</p> <p>In 2005, we started the BlueHat conference to educate the developers and executives of Microsoft about current and emerging threats. The idea was to bring the hackers and security researchers to us, and in doing so foster an environment where the bidirectional exchange of ideas around the balance between security and functionality could meet fertile ground in the famed &ldquo;hallway track.&rdquo; We hand-pick just a small number of speakers and external attendees so that we can concentrate on learning from them and, where we can, teach some of them what we have learned, to help enhance the security and privacy of the Internet as a whole.</p> <p>This year is no different in that we have invited speakers chosen to educate, amaze, and work with Microsoft to help us understand the emerging security threats to us and our customers. 
Together, we will rise to face the most important challenges in helping to secure the global Internet ecosystem.</p> <p>On Dec 12, 2013, we&rsquo;ll begin this year&rsquo;s BlueHat by focusing on the threat landscape, learning about determined adversaries to help us defend our own network and assets, and tools to detect and mitigate attacks. Next we&rsquo;ll welcome some of the world&rsquo;s top experts to discuss devices and services, from low-level hardware to web services, to help us build products, devices, and services that are more secure from the ground up.</p> <p>Finally, we&rsquo;ll close out the conference with a thought-provoking track that I like to call the &ldquo;Persistence of Trust,&rdquo; where we will discuss the core elements that comprise the trust we rely on to support what the Internet has become &ndash; a global information sharing network that humanity uses to exchange goods, services, money, and most importantly, ideas. To support these functions, we must strengthen the technology that underlies and supports that trust, and we must design products, devices, and services that are resistant to security and privacy breaches.&nbsp;</p> <p>Here&rsquo;s a quick overview of the planned speaker lineup for the two days of BlueHat v13.</p> <p><strong>Day 1: Thursday, December 12</strong></p> <p>Microsoft Technical Fellow, Anders Vinberg, will open BlueHat&rsquo;s first track, <strong>Threat Landscape</strong>. Anders will talk about a broad assurance initiative for the next wave, covering Windows Server and System Center, in close alignment with the Core OS team, identity, Office and Azure. Next, we&rsquo;ll set the stage with a talk from FireEye&rsquo;s Zheng Bu and YiChong Lin designed to walk us through the techniques of the average and not so average targeted attacker, and show us ways to detect and combat the adversary. 
Microsoft Partner Development Manager, Mario Goertzel, will then speak to some of the hard problems that we face in antimalware - specifically, how we equip customers and partners with the right tools and analysis to help us all defend our networks and assets.&nbsp;Closing out the Threat Landscape track, Microsoft Principal Security Program Manager Lead, Graham Calladine, and Microsoft Senior Security Software Development Engineer, Thomas Garnier, will walk us through what attackers are doing now, how our current products and practices work against us, and how we can change this.</p> <p>After lunch, the <strong>Devices &amp; Services </strong>track kicks off with Josh Thomas, whose DARPA-funded research will reveal some hardware-level universal attacks that are possible on mobile devices. Next up we will have Microsoft&rsquo;s first Mitigation Bypass Bounty recipient, James Forshaw talk about executing unsigned code on the Surface RT, without jailbreaking it. Next, Microsoft Principal Software Development Engineer, Lee Holmes, will talk with us about PowerShell. Chris Tarnovsky will then discuss Semiconductor devices and their backward steps in physical security through higher common criteria ratings. Next up, we&rsquo;ll hear from Microsoft Partner Development Manager, Chris Kaler, and Microsoft Senior Program Manager, Serge Mera, about the latest in Message Analyzer. Mario Heiderich will then take us into the wilds of JavaScript MVC and templating frameworks. The afternoon will wrap up with a call to action from our own Russ McRee, followed by several lightning talks.</p> <p><strong>Day 2: Friday, December 13</strong></p> <p>Taking into consideration the inevitable socializing from the night before, we&rsquo;re giving our attendees a slow morning. Between 9:00 AM and 12:00 noon we&rsquo;ll have a recovery brunch with mimosas, lightning talks, and the famed hallway track. 
I&rsquo;ll be the Day 2 keynote opening the track <strong>Persistence of Trust, </strong>at 12:30 noon. My talk will focus on security strategy at Microsoft, what we&rsquo;re doing in terms of our defensive industry partner programs like MAPP, and of course, I&rsquo;ll provide an update on our <a href="http://blogs.technet.com/b/bluehat/archive/2013/11/01/bounty-evolution-100-000-for-new-mitigation-bypass-techniques-wanted-dead-or-alive.aspx">strategic Bounty programs</a>. I&rsquo;ll then handoff to Justin Troutman, who will talk about Mackerel, a cryptographic design and development framework based on the premise that real-world cryptography is not about cryptography at all; it's about products. Peter Gutmann, famed researcher with the University of Auckland, New Zealand, will take the stage and illuminate the psychology of computer insecurity. After a short break, Alex Stamos, CTO of Artemis Internet, and Tom Ritter, Principal Security Engineer with iSEC Partners, will awaken us with tales life after elliptic curve crypto&rsquo;s coming extinction. From Bromium Labs we&rsquo;ll hear from Rahul Kashyap and Rafal Wojtczuk, who will discuss and demonstrate how to reliably break out of various popular sandboxes. Finally, closing BlueHat v13, renowned security and privacy expert and advocate of human rights, Morgan Marquis-Boire will explore what I call the elephant in the room, as he discusses the surveillance landscape and coercion resistant design.</p> <p>As chair of the BlueHat content board, I would be remiss in my duty to the mission of BlueHat if I ignored the revelations of the summer of 2013, and the concerns about government surveillance of the internet. Hence, we will be continuing our internal dialog with a conversation with Morgan and others in attendance on how to design products, devices, and services that are more resistant to abuse and surveillance. 
For us, and for over a billion of our customers worldwide, this issue transcends borders and politics. We are a global company and part of a global community, and as such we will continue to work with our customers, partners, and even our competitors to ensure a safer, more trustworthy Internet for all.</p> <p>From the age of the great worms, to the evolution of more sophisticated and targeted attacks, to the era where modern warfare takes place on not only the information superhighway, but also on the civilian streets of the Internet, we will serve faithfully in our mission to help protect our customers from security and privacy breaches, no matter the adversary.</p> <p>BlueHat is coming. Brace yourselves.</p> <p>Katie Moussouris</p> <p>Senior Security Strategist</p> <p>Microsoft Security Response Center</p> <p>http://twitter.com/k8em0</p> <p>(that&rsquo;s a zero)</p>
<p><strong>Advance Notification Service for December 2013 Security Bulletin Release</strong><br />http://blogs.technet.com/b/msrc/archive/2013/12/05/advance-notification-service-for-december-2013-security-bulletin-release.aspx<br />Thu, 05 Dec 2013 19:40:00 GMT, Dustin C. Childs</p> <p><span style="font-size: small;">Today we&rsquo;re providing </span><a title="advance notification" href="http://technet.microsoft.com/security/bulletin/MS13-dec"><span style="color: #0563c1; font-size: small;">advance notification</span></a><span style="font-size: small;"> for the release of 11 bulletins, five Critical and six Important, for December 2013. The Critical updates address vulnerabilities in Internet Explorer, Windows, Microsoft Exchange and GDI+. 
The Critical update for GDI+ fully addresses the publicly disclosed issue described in </span><a title="Security Advisory 2896666" href="http://technet.microsoft.com/security/advisory/2896666"><span style="color: #0563c1; font-size: small;">Security Advisory 2896666</span></a><span style="font-size: small;">.</span></p> <p><span style="font-size: small;">This release won&rsquo;t include an update for the issue described in </span><a href="http://technet.microsoft.com/security/advisory/2914486"><span style="color: #0563c1; font-size: small;">Security Advisory 2914486</span></a><span style="font-size: small;">. We&rsquo;re still working to develop a security update and we&rsquo;ll release it when ready. Until then, we recommend folks review the advisory and apply the suggested workaround on their Windows XP and Windows Server 2003 systems. Customers with more recent versions of Windows are not affected by this issue.</span></p> <p><span style="font-size: small;">As always, we&rsquo;ve scheduled the security bulletin release for the second Tuesday of the month, December 10, 2013, at approximately 10:00 a.m. PST. Revisit this blog then for analysis of the risk and impact, as well as deployment guidance, together with a brief video overview of the month&rsquo;s updates. 
Until then, please review the </span><a title="ANS summary page" href="http://technet.microsoft.com/security/bulletin/MS13-dec"><span style="color: #0563c1; font-size: small;">ANS summary page</span></a><span style="font-size: small;"> for more information that will help customers prepare for security bulletin testing and deployment.</span></p> <p><span style="font-size: small;">Don&rsquo;t forget, you can also follow the MSRC team&rsquo;s recent activity on Twitter at </span><a title="@MSFTSecResponse" href="https://twitter.com/msftsecresponse"><span style="color: #0563c1; font-size: small;">@MSFTSecResponse</span></a><span style="font-size: small;">.</span></p> <p>Thank you,<br /> <span style="color: #0563c1;"><a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a></span><br /> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</p> <p>Tags: Microsoft Exchange, Microsoft Windows, Security Bulletins, ANS, Internet Explorer (IE), Microsoft Office</p>
<p><strong>Microsoft Releases Security Advisory 2914486</strong><br />http://blogs.technet.com/b/msrc/archive/2013/11/27/microsoft-releases-security-advisory-2914486.aspx<br />Wed, 27 Nov 2013 22:30:00 GMT, Dustin C. Childs</p> <p>Today we released <a href="http://technet.microsoft.com/en-us/security/advisory/2914486">Security Advisory 2914486</a> regarding a local elevation of privilege (EoP) issue that affects customers using Microsoft Windows XP and Server 2003. Windows Vista and later are not affected by this local EoP issue. 
A member of the Microsoft Active Protections Program (MAPP) <a href="http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html">found this issue</a> being used on systems compromised by a third-party remote code execution vulnerability. These limited, targeted attacks require users to open a malicious PDF file. The issue described in the advisory cannot be used on its own to gain access to a remote system.</p> <p>While we are actively working to develop a security update to address this issue, we encourage customers running Windows XP and Server 2003 to deploy the following workaround as described in the advisory:</p> <p style="padding-left: 30px;"><strong>Delete NDProxy.sys and reroute to Null.sys</strong><br />For environments with non-default, limited user privileges, Microsoft has verified that this workaround effectively blocks the attacks that have been observed in the wild.</p> <p>We also encourage people to follow the &ldquo;Protect Your Computer&rdquo; guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. We also encourage folks to exercise caution when visiting websites and to avoid clicking suspicious links or opening email messages from unfamiliar senders. Additional information can be found at <a href="http://www.microsoft.com/protect">www.microsoft.com/protect</a>.</p> <p>We hope this doesn&rsquo;t disrupt any holiday plans you may have, but we did want to provide you with actionable information to help protect your systems. 
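</p> <p>The workaround above is only named in this post. As an added example that is not code from Security Advisory 2914486 or from this post, the PowerShell script below applies or reverts the rerouting of NDProxy.sys to Null.sys on a Windows XP or Windows Server 2003 host. It assumes that the driver is registered under the standard HKLM\SYSTEM\CurrentControlSet\Services\NDProxy service key and that PowerShell 2.0 has been installed on the host (neither operating system ships with it); the function names are mine, and the advisory's own steps remain the authoritative ones.</p>

```powershell
# Added example, not code from Security Advisory 2914486 or from this post.
# Applies or reverts the "reroute NDProxy.sys to Null.sys" workaround on
# Windows XP / Windows Server 2003. Assumptions: PowerShell 2.0 is installed
# on the host, and NDProxy is registered under the standard service key below
# (check the advisory's own steps before relying on this). Function names are mine.

$NdProxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NDProxy'   # PowerShell drive path
$NdProxyReg = 'HKLM\SYSTEM\CurrentControlSet\Services\NDProxy'    # same key, reg.exe syntax
$NullDriver = 'system32\drivers\null.sys'
$RealDriver = 'system32\drivers\ndproxy.sys'

function Test-AffectedWindows {
    # Only Windows XP (5.1) and Windows Server 2003 (5.2) are affected;
    # Vista and later must not be modified.
    $v = [System.Environment]::OSVersion.Version
    return ($v.Major -eq 5 -and ($v.Minor -eq 1 -or $v.Minor -eq 2))
}

function Get-NdProxyImagePath {
    # The driver path the service loads at next boot; this is how we tell
    # whether the workaround is currently in place.
    return (Get-ItemProperty -Path $NdProxyKey -Name ImagePath).ImagePath
}

function Test-NdProxyWorkaroundApplied {
    return ((Get-NdProxyImagePath) -ieq $NullDriver)
}

function Set-NdProxyWorkaround {
    # Without -Revert: point NDProxy at Null.sys. With -Revert: restore ndproxy.sys.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Revert)

    if (-not (Test-AffectedWindows)) {
        throw 'Only Windows XP and Windows Server 2003 are affected; not changing this host.'
    }
    $target  = if ($Revert) { $RealDriver } else { $NullDriver }
    $current = Get-NdProxyImagePath
    if ($current -ieq $target) {
        Write-Host "NDProxy ImagePath is already '$target'; nothing to do."
        return
    }
    if ($PSCmdlet.ShouldProcess($NdProxyReg, "set ImagePath to '$target'")) {
        # Record the previous value so the change is auditable and reversible.
        $backup = Join-Path $env:TEMP 'ndproxy-imagepath.bak'
        Set-Content -Path $backup -Value $current

        # Stop the driver (a failure here is not fatal: the new ImagePath only
        # takes effect at the next boot), then rewrite ImagePath as
        # REG_EXPAND_SZ via reg.exe so the value type is preserved.
        & sc.exe stop ndproxy | Out-Null
        & reg.exe add $NdProxyReg /v ImagePath /t REG_EXPAND_SZ /d $target /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg.exe failed with exit code $LASTEXITCODE" }

        Write-Host "ImagePath set to '$target' (previous value saved to $backup)."
        Write-Host 'Restart the system to complete the change.'
    }
}
```

<p>Run Set-NdProxyWorkaround -WhatIf first to see what would change, then run it without -WhatIf from an elevated prompt and reboot; Set-NdProxyWorkaround -Revert restores the original driver once the security update is installed. Rerouting NDProxy also disables the services that depend on it, such as RAS, dial-up networking and VPN, so test on a representative system before deploying broadly.</p> <p>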
We continue to monitor the threat landscape closely and will take appropriate action to help protect customers.</p> <p>Thank you,<br /><a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br />Group Manager, Response Communications<br />Trustworthy Computing</p> <p>Tags: Advisory, Microsoft Windows, Security Advisory, Security, Attack</p>
<p><strong>Our protection metrics &ndash; October results</strong><br />http://blogs.technet.com/b/mmpc/archive/2013/11/26/our-protection-metrics-october-results.aspx<br />Wed, 27 Nov 2013 02:09:00 GMT, msft-mmpc</p> <div class="ExternalClassD1CD61E83CD641B4BB64B9CEA93E55C7"> <p>Last month we introduced our monthly protection metrics and talked about our September results. Today, we&rsquo;d like to talk about our results from October. If you want a refresher on the definitions of the metrics we use in our monthly results, see our prior post: <a href="http://blogs.technet.com/b/mmpc/archive/2013/10/25/our-protection-metrics-september-results.aspx">Our protection metrics &ndash; September results</a>.</p> <p>During October 2013, our rate of incorrect detections remained low and our performance metrics stayed fairly consistent, but the infection rate of 0.18 percent was higher than the average daily infection rate of 0.1 percent in the first half of the year.</p> <p>In September, we talked about a family called <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Sefnit">Win32/Sefnit</a> that was the driver behind the increase in our infection rate. We mentioned that the distributors of Sefnit are using some sneaky techniques to infect computers. 
This includes programs that install legitimate software, and occasionally install legitimate software with bonus material (Sefnit). Many of these installer programs were previously determined to be clean. However, with this change in behavior (installing the Sefnit malware), they now meet our detection criteria.</p> <p>Sefnit is a bot that can take instructions from remote servers to do practically anything. We&rsquo;ve observed it using infected computers for <a href="http://www.microsoft.com/security/portal/mmpc/shared/glossary.aspx#click_fraud">click fraud</a>, which makes money by pretending to be a person clicking on ads from your computer or by redirecting your search results. It may also abuse your computer&rsquo;s resources through Bitcoin mining.</p> <p>The two installer families related to Sefnit that were behind the high active infection rate in October are <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Rotbrow">Win32/Rotbrow</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Brantall">Win32/Brantall</a>. Rotbrow is a program that claims to protect you from browser add-ons. Brantall pretends to be an installer for other, legitimate programs. Brantall might install those legitimate programs as well as malware. These previously legitimate programs were far more prevalent than most malware families, so most of our detections in October were on computers that were already infected.</p> <p>The <a href="http://www.microsoft.com/security/pc-security/malware-removal.aspx">Malicious Software Removal Tool</a>, which scans 600-700 million computers each month, has found and removed more than two million Sefnit infections on computers protected by current, real-time antimalware during the past two months. 
Until our antimalware partners target not only Sefnit, but also the Sefnit installers, people may struggle with reinfections.</p> <p>Like us, many antimalware vendors have previously classified these programs as clean or potentially unwanted rather than as high or severe malware. We&rsquo;ve even had a tester ask us recently whether our detection for one of these programs was an incorrect detection. Based on the installation of Sefnit, these programs absolutely meet our detection criteria, even if they had previously developed a reputation as clean programs.</p> <p>We&rsquo;ve identified related samples for our antimalware partners so that they can protect their customers against these threats if they have not already.</p> <p>If you want to check your computer for Rotbrow or Brantall, you can install <a href="http://www.microsoft.com/security_essentials">Microsoft Security Essentials</a>, enable <a href="http://www.microsoft.com/security/pc-security/windows-defender.aspx">Windows Defender</a> (on Windows 8), or use the <a href="http://www.microsoft.com/security/scanner/default.aspx">Microsoft Safety Scanner</a> if you already have current antimalware installed. They&rsquo;re all provided to you for free to make good on our pledge to help keep you all safe. You can read more about our security software on the <a href="http://www.microsoft.com/security/portal/mmpc/products/choices.aspx">Microsoft Malware Protection Center</a> website.</p> <p>Our goal is to provide great antimalware solutions for our consumer and business customers. I hope this blog demonstrates how committed we are to raising the bar for ourselves and others in the industry in doing so. We&rsquo;re monitoring our results, performance, and progress closely, prioritizing for real threats that might affect our customers and applying lessons learned to make our products even better. Plus, we support our antimalware partners in order to build a strong ecosystem to fight malware &ndash; the true adversary. 
More next month!</p> <p><em>Holly Stewart</em></p> <p><em>MMPC</em></p> </div>
<p><strong>Security and policy surrounding bring your own devices (BYOD)</strong><br />http://blogs.technet.com/b/msrc/archive/2013/11/26/security-and-policy-surrounding-bring-your-own-devices-byod.aspx<br />Wed, 27 Nov 2013 02:00:00 GMT, MSRCTeam</p> <p><span style="font-family: arial,helvetica,sans-serif; font-size: small;">As the proliferation of devices continues to capture the imagination of consumers and has ignited what is referred to as the bring your own device (BYOD) revolution, many IT departments across the globe are now facing increased security considerations. While organizations encourage BYOD for cost savings and productivity, it is also important to have robust security policies supporting BYOD.</span></p> <p><span style="font-family: arial,helvetica,sans-serif; font-size: small;">Last week, several media reports surfaced of an attack on the European Parliament in which some members allegedly had their email unlawfully accessed. Initial media speculation inaccurately implied that the attack used a vulnerability in Microsoft&rsquo;s Exchange ActiveSync. While the details and specifics of this attack unfold, based on our initial assessment we have determined that this is not a vulnerability in the ActiveSync protocol; the issue is how third-party devices validate certificates.</span></p> <p><span style="font-family: arial,helvetica,sans-serif; font-size: small;">This type of attack was previously discussed at the <a href="https://media.blackhat.com/bh-us-12/Briefings/Hannay/BH_US_12_Hannay_Exchanging_Demands_Slides.pdf">Black Hat 2012 Conference</a>. Enhancements to newer versions of Windows Phone block this type of attack automatically. 
In fact, Microsoft&rsquo;s implementation of Exchange ActiveSync on Windows Phone regularly protects customers from this type of attack, as it does not allow a malicious certificate to be trusted by the device.</span></p> <p><span style="font-family: arial,helvetica,sans-serif; font-size: small;">Third-party software developers license, and can modify, Exchange ActiveSync from Microsoft to ensure that customers can receive their email on any device. Third-party developers are responsible for ensuring that their implementation of the Exchange ActiveSync protocol is secure. That said, there are also ways in which customers can help protect themselves from similar types of attacks:</span></p> <ul> <li><span style="font-family: arial,helvetica,sans-serif; font-size: small;">Become familiar with &ldquo;<a href="http://technet.microsoft.com/en-us/library/bb430761(v=exchg.141).aspx">Understanding security for Exchange ActiveSync</a>&rdquo;</span></li> <li><span style="font-family: arial,helvetica,sans-serif; font-size: small;">Configure Exchange ActiveSync to use a trusted certificate</span></li> <li><span style="font-family: arial,helvetica,sans-serif; font-size: small;">Set restrictions based on <a href="http://msdn.microsoft.com/en-us/library/dd299446(v=EXCHG.80).aspx">device model and device type</a> to only allow well-implemented clients</span></li> <li><span style="font-family: arial,helvetica,sans-serif; font-size: small;">Clearly define policy to ensure devices support the security functionality required, and only use devices that do not accept automatic or prompted certificate renewal</span></li> </ul> <p><span style="font-family: arial,helvetica,sans-serif; font-size: small;">We strongly encourage all customers evaluating a BYOD business strategy to ensure they fully understand the various security features and capabilities of the devices that are brought into their organization.</span></p> <p><span style="font-family: 
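arial,helvetica,sans-serif; font-size: small;">As an added example that is not part of this post or of Microsoft&rsquo;s own guidance, the Exchange Management Shell script below implements the second and third recommendations above on an Exchange 2010 SP1 or later organization: it sets the organization default so that devices it has not reviewed are quarantined, allows only named device types and models to synchronize, and reports the certificate bound to IIS so that a self-signed one stands out. The device type and model strings, the mailbox address and the function names are constructed placeholders; real values come from Get-ActiveSyncDevice in your own organization.</span></p>

```powershell
# Added example, not code from this post or from Microsoft. Restricts Exchange
# ActiveSync to reviewed device families and quarantines everything else.
# Run in the Exchange Management Shell on Exchange 2010 SP1 or later with
# Organization Management rights. Device strings, the mailbox address and the
# function names are constructed placeholders.

# 1. Organization default: devices that match no rule and have no personal
#    exemption are quarantined, and the EAS administrators are notified.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'eas-admins@example.com' `
    -UserMailInsert 'Your device is being reviewed by IT before it can sync mail.'

# 2. Allow only reviewed clients. Each rule matches one characteristic
#    (DeviceType, DeviceModel, DeviceOS or UserAgent) exactly.
$reviewedClients = @(
    @{ Characteristic = 'DeviceType';  QueryString = 'ExamplePhoneType' },   # placeholder
    @{ Characteristic = 'DeviceModel'; QueryString = 'ExampleModelX'    }    # placeholder
)

function Add-ReviewedClientRules {
    # Idempotent: skips a rule that already exists for the same characteristic/value.
    $existing = @(Get-ActiveSyncDeviceAccessRule)
    foreach ($client in $reviewedClients) {
        $match = $existing | Where-Object {
            $_.Characteristic -eq $client.Characteristic -and $_.QueryString -eq $client.QueryString
        }
        if (-not $match) {
            New-ActiveSyncDeviceAccessRule -Characteristic $client.Characteristic `
                -QueryString $client.QueryString -AccessLevel Allow | Out-Null
        }
    }
}

function Get-EasAccessReport {
    # Every partnered device with its access state and the reason Exchange
    # assigned it (organization default, device rule or personal exemption),
    # so quarantined and individually exempted devices can be reviewed.
    Get-ActiveSyncDevice |
        Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS,
                      DeviceAccessState, DeviceAccessStateReason |
        Sort-Object DeviceAccessState, DeviceType
}

function Get-EasCertificateStatus {
    # The certificate bound to IIS is what ActiveSync clients see; a self-signed
    # or expired one is exactly what teaches users and devices to accept anything.
    Get-ExchangeCertificate |
        Where-Object { $_.Services -match 'IIS' } |
        Select-Object Thumbprint, Subject, IsSelfSigned, NotAfter, Status
}

Add-ReviewedClientRules
Get-EasAccessReport      | Format-Table -AutoSize
Get-EasCertificateStatus | Format-Table -AutoSize
```

<p><span style="font-family: arial,helvetica,sans-serif; font-size: small;">Personal exemptions set on a mailbox (Set-CASMailbox -ActiveSyncAllowedDeviceIDs) take precedence over device access rules, which in turn take precedence over the organization default, so the report is worth reviewing for per-user allowances that bypass the device policy. Allow rules are meaningful only when the organization default is Quarantine or Block; with the default left at Allow, an unreviewed client that accepts any certificate can still partner with the server, which is the weakness this post describes.</span></p> <p><span style="font-family: 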
arial,helvetica,sans-serif; font-size: small;">Matt Thomlinson</span><br /><span style="font-family: arial,helvetica,sans-serif; font-size: small;">General Manager</span><br /><span style="font-family: arial,helvetica,sans-serif; font-size: small;">Trustworthy Computing Security</span></p>
<p><strong>Carberp-based trojan attacking SAP</strong><br />http://blogs.technet.com/b/mmpc/archive/2013/11/20/carberp-based-trojan-attacking-sap.aspx<br />Thu, 21 Nov 2013 04:48:00 GMT, msft-mmpc</p> <div class="ExternalClassBFB1CA77344C44D6B5068E4FF2635DB1"> <p>Recently there has been quite a bit of buzz about an information-stealing trojan that was found to be targeting the logon client for SAP. We detect this trojan as <a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TrojanSpy:Win32/Gamker.A">TrojanSpy:Win32/Gamker.A</a>.</p> <p>SAP is a global company with headquarters in Germany and operations in 130 countries worldwide. SAP develops enterprise software applications for tracking and managing business operations, and is used by an estimated <a href="http://www.rsaconference.com/writable/presentations/file_upload/ads-r07-if-i-want-a-perfect-cyberweapon_-ill-target-erp.pdf">86% of Forbes 500 companies</a>. These business operations can range from tracking the manufacture of a product in a factory, to managing human resources processes, to tracking and managing customer sales. 
Needless to say, the data contained in SAP systems is often sensitive, and the security surrounding SAP systems is a recurring topic in the information security field.</p> <p>A few weeks ago, another vendor reported a trojan in the wild that specifically includes functionality targeting SAP. This is believed to be the first malware developed by criminals that targets SAP.</p> <p>In this blog we will present our analysis of how this trojan targets SAP and how it shares code with <a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32/Carberp">Win32/Carberp</a>.</p> <p><strong>Based on Carberp source</strong></p> <p>Carberp is an infamous banking trojan whose source code was leaked <a href="http://krebsonsecurity.com/2013/06/carberp-code-leak-stokes-copycat-fears">earlier this year</a>, and Gamker clearly shares part of its code with Carberp. Gamker has code matches to the remote control code contained in Carberp, under this directory of the leaked source tree:</p> <ul> <li>Carberp/source - absource /pro/all source/RemoteCtl/hvnc2/libs/hvnc/hvnc/</li> </ul> <p>The following files (paths relative to that directory) match, identified through the string constants that are stored encrypted within Gamker:</p> <ul> <li><a href="https://github.com/hzeroo/Carberp/blob/master/source%20-%20absource/pro/all%20source/RemoteCtl/hvnc2/libs/hvnc/hvnc/injlib/remote_thread.cpp">/injlib/remote_thread.cpp</a></li> <li><a href="https://github.com/hzeroo/Carberp/blob/master/source%20-%20absource/pro/all%20source/RemoteCtl/hvnc2/libs/hvnc/hvnc/vnc/vnc.cpp">/vnc/vnc.cpp</a></li> </ul> <p>This use of the virtual network computing (VNC) code indicates that Gamker has the capability to remotely control an infected machine. 
It is unclear whether there is a larger connection between Gamker and Carberp, since the remainder of Gamker&rsquo;s code differs from Carberp's publicly leaked code.</p> <p><strong>SAP targeting</strong></p> <p>Gamker is a general banking and information-stealing trojan. Among its targets are online banking web-browser sessions, BitCoin wallets, public and private keys, cryptography tools, and finance-related software applications. In this section we go into detail on the threat this trojan poses to SAP.</p> <p>The malware records keystrokes per application, writing the keylog records in plaintext to the file "%APPDATA%\&lt;lowercase letters&gt;". An example of these recorded keylogs is as follows:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/Gamker/Gamker1.png"><img style="height: 171px; width: 600px;" src="http://www.microsoft.com/security/portal/blog-images/Gamker/Gamker1.png" alt="Example keylogs" border="0" /></a></p> <p><em>Figure 1: Example of recorded keylogs</em></p> <p>In addition to this keylogging, a list of application names is hardcoded inside the payload and used as triggers to record additional information. 
Among this list is the SAP Logon for Windows client, as seen in Figure 2:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/Gamker/Gamker2.png"><img style="height: 204px; width: 600px;" src="http://www.microsoft.com/security/portal/blog-images/Gamker/Gamker2.png" alt="Highlighted targeted saplogon.exe component" border="0" /></a></p> <p><em>Figure 2: Targeting of SAP saplogon.exe component</em></p> <p><em>Table 1 - List of triggers used to record screenshots and command-line arguments</em></p> <table style="width: 600px;" border="1" cellspacing="0" cellpadding="4"> <tbody> <tr> <td valign="top" width="185"> <p><strong>Executable name trigger</strong></p> </td> <td valign="top" width="174"> <p><strong>Category assigned by trojan author</strong></p> </td> <td valign="top" width="258"> <p><strong>Description</strong></p> </td> </tr> <tr> <td valign="top" width="185"> <p>rclient.exe</p> </td> <td valign="top" width="174"> <p>CFT</p> </td> <td valign="top" width="258"> <p>Client for Remote Administration</p> </td> </tr> <tr> <td valign="top" width="185"> <p>CyberTerm.exe</p> </td> <td valign="top" width="174"> <p>CTERM</p> </td> <td valign="top" width="258"> <p>Unknown Russian payment-related tool</p> </td> </tr> <tr> <td valign="top" width="185"> <p>WinPost.exe</p> </td> <td valign="top" width="174"> <p>POST</p> </td> <td valign="top" width="258"> <p>Unknown, likely a tool used to perform HTTP POST operations</p> </td> </tr> <tr> <td valign="top" width="185"> <p>PostMove.exe</p> </td> <td valign="top" width="174"> <p>POST</p> </td> <td valign="top" width="258"> <p>Unknown, likely a tool used to perform HTTP POST operations</p> </td> </tr> <tr> <td valign="top" width="185"> <p>Translink.exe</p> </td> <td valign="top" width="174"> <p>WU</p> </td> <td valign="top" width="258"> <p>Tool by Western Union Inc</p> </td> </tr> <tr> <td valign="top" width="185"> <p>webmoney.exe</p> </td> <td valign="top" width="174"> <p>WM</p> </td> <td 
valign="top" width="258"> <p>Unknown</p> </td> </tr> <tr> <td valign="top" width="185"> <p>openvpn-gui</p> </td> <td valign="top" width="174"> <p>CRYPT</p> </td> <td valign="top" width="258"> <p>Client for VPN remote access to computers</p> </td> </tr> <tr> <td valign="top" width="185"> <p>truecrypt.exe</p> </td> <td valign="top" width="174"> <p>CRYPT</p> </td> <td valign="top" width="258"> <p>Tool used to manage TrueCrypt protected filesystems</p> </td> </tr> <tr> <td valign="top" width="185"> <p>bestcrypt.exe</p> </td> <td valign="top" width="174"> <p>CRYPT</p> </td> <td valign="top" width="258"> <p>Tool used to manage BestCrypt protected filesystems</p> </td> </tr> <tr> <td valign="top" width="185"> <p>saplogon.exe</p> </td> <td valign="top" width="174"> <p>SAP</p> </td> <td valign="top" width="258"> <p>SAP Logon for Windows</p> </td> </tr> <tr> <td valign="top" width="185"> <p>ELBA5STANDBY.exx</p> </td> <td valign="top" width="174"> <p>ELBALOCAL</p> </td> <td valign="top" width="258"> <p>Unknown</p> </td> </tr> <tr> <td valign="top" width="185"> <p>ELBA5.exx</p> </td> <td valign="top" width="174"> <p>ELBALOCAL</p> </td> <td valign="top" width="258"> <p>Unknown</p> </td> </tr> <tr> <td valign="top" width="185"> <p>oseTokenServer.exe</p> </td> <td valign="top" width="174"> <p>MCSIGN</p> </td> <td valign="top" width="258"> <p>Application by Omikron related to electronic banking</p> </td> </tr> <tr> <td valign="top" width="185"> <p>OEBMCC32.exe</p> </td> <td valign="top" width="174"> <p>MCLOCAL</p> </td> <td valign="top" width="258"> <p>Application by Omikron related to electronic banking</p> </td> </tr> <tr> <td valign="top" width="185"> <p>OEBMCL32.exe</p> </td> <td valign="top" width="174"> <p>MCLOCAL</p> </td> <td valign="top" width="258"> <p>Application by Omikron Systemhaus GmbH related to electronic banking</p> </td> </tr> <tr> <td valign="top" width="185"> <p>ebmain.exe</p> </td> <td valign="top" width="174"> <p>BANKATLOCAL</p> </td> <td valign="top" 
width="258"> <p>Application by UniCredit Bank Australia</p> </td> </tr> <tr> <td valign="top" width="185"> <p>bcmain.exe</p> </td> <td valign="top" width="174"> <p>BANKATCASH</p> </td> <td valign="top" width="258"> <p>Unknown</p> </td> </tr> <tr> <td valign="top" width="185"> <p>hbp.exe</p> </td> <td valign="top" width="174"> <p>HPB</p> </td> <td valign="top" width="258"> <p>Maybe Deutsche Bundesbank Eurosystem</p> </td> </tr> <tr> <td valign="top" width="185"> <p>Hob.exe</p> </td> <td valign="top" width="174"> <p>HPB</p> </td> <td valign="top" width="258"> <p>Maybe Deutsche Bundesbank Eurosystem</p> </td> </tr> <tr> <td valign="top" width="185"> <p>bb24.exe</p> </td> <td valign="top" width="174"> <p>PSHEK</p> </td> <td valign="top" width="258"> <p>Unknown</p> </td> </tr> <tr> <td valign="top" width="185"> <p>KB_PCB.exe</p> </td> <td valign="top" width="174"> <p>PSHEK</p> </td> <td valign="top" width="258"> <p>Profibanka by Komercn&iacute; banka</p> </td> </tr> <tr> <td valign="top" width="185"> <p>SecureStoreMgr.exe</p> </td> <td valign="top" width="174"> <p>PSHEK</p> </td> <td valign="top" width="258"> <p>Unknown</p> </td> </tr> <tr> <td valign="top" width="185"> <p>Pkkb.exe</p> </td> <td valign="top" width="174"> <p>PSHEK</p> </td> <td valign="top" width="258"> <p>Banking application, Komercn&iacute; banka</p> </td> </tr> </tbody> </table> <p>&nbsp;</p> <p>When the keylogging component is loaded into a process that matches one of the executable names in Table 1, it then additionally records the command-line arguments passed to the application, and begins to capture screenshots of the entire desktop periodically. 
It captures 10 screenshots spaced about one second apart before transmitting them to the C&amp;C server.</p> <p>In addition to the triggers listed above, two other application lists are used as screen and command-line argument-recording triggers; they are included in Table 3 and Table 4 below, under the category names "IT" and "ETC" respectively.</p> <p>An example of the data recorded after executing "saplogon.exe" with the command-line argument "-test" can be seen in Figure 3 below:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/Gamker/Gamker3.png"><img src="http://www.microsoft.com/security/portal/blog-images/Gamker/Gamker3.png" alt="Screenshot of recording of command-line arguments passed into saplogon.exe" border="0" /></a></p> <p><em>Figure 3: Recording of command-line arguments passed into saplogon.exe</em></p> <p>The screenshots, captured one second apart, are written to the "%APPDATA%\&lt;lowercase letters&gt;\scrs\" directory, as seen in Figure 4 below:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/Gamker/Gamker4.png"><img src="http://www.microsoft.com/security/portal/blog-images/Gamker/Gamker4.png" alt="Screenshots captured after running saplogon.exe" border="0" /></a></p> <p><em>Figure 4: Screenshots captured after executing saplogon.exe</em></p> <p>In summary, this is an attempted attack on SAP and not just a harmless data-gathering operation to determine whether SAP is installed. The attackers use the execution of the SAP component "saplogon.exe" to trigger recording of the command-line arguments passed into it and the capture of a series of 10 screenshots, all of which are sent to the C&amp;C server. 
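A triage scan for the on-disk artifacts just described (a plaintext keylog under %APPDATA%\&lt;lowercase letters&gt; and bursts of about 10 desktop screenshots roughly one second apart under its scrs\ subdirectory), added here as an example and not part of the MMPC analysis or its tooling. It assumes the keylog file and the scrs folder share one lowercase-named directory; the directory name, keylog file name and timestamps in the sample tree are constructed, since the page does not give them.

```python
"""Triage scan for the Gamker on-disk artifacts described above.

Added example, not MMPC tooling. Assumption: the plaintext keylog file and the
"scrs" screenshot folder live inside one %APPDATA% sub-directory whose name is
all lowercase letters. The keylog file name is not given on the page, so every
regular file directly inside that directory is listed as a candidate.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

LOWERCASE_NAME = re.compile(r"^[a-z]+$")
BURST_SIZE = 10        # screenshots captured per trigger, per the analysis
MAX_GAP_SECONDS = 2.0  # "about one second apart"; allow some slack


@dataclass
class Finding:
    directory: str
    keylog_candidates: list = field(default_factory=list)
    bursts: list = field(default_factory=list)  # (first_mtime, count) pairs


def find_bursts(scrs_dir, burst_size=BURST_SIZE, max_gap=MAX_GAP_SECONDS):
    """Sort the files in scrs_dir by mtime, group consecutive captures whose
    spacing is at most max_gap seconds, and return every group that is at
    least burst_size long as (first_mtime, count)."""
    mtimes = sorted(
        os.path.getmtime(os.path.join(scrs_dir, name))
        for name in os.listdir(scrs_dir)
        if os.path.isfile(os.path.join(scrs_dir, name))
    )
    bursts, start, count, prev = [], None, 0, None
    for t in mtimes:
        if prev is not None and t - prev <= max_gap:
            count += 1
        else:
            if count >= burst_size:
                bursts.append((start, count))
            start, count = t, 1
        prev = t
    if count >= burst_size:
        bursts.append((start, count))
    return bursts


def scan_appdata(appdata_root):
    """Return a Finding for each lowercase-named sub-directory of
    appdata_root that contains a 'scrs' folder, the screenshot drop
    location named in the analysis."""
    findings = []
    for name in sorted(os.listdir(appdata_root)):
        path = os.path.join(appdata_root, name)
        scrs = os.path.join(path, "scrs")
        if not (os.path.isdir(path) and LOWERCASE_NAME.match(name)
                and os.path.isdir(scrs)):
            continue
        candidates = sorted(
            f for f in os.listdir(path) if os.path.isfile(os.path.join(path, f))
        )
        findings.append(Finding(path, candidates, find_bursts(scrs)))
    return findings


def build_sample_profile():
    """Create a constructed AppData\\Roaming layout in a temp directory and
    return its path: one directory shaped like the Gamker drop, one benign
    lowercase directory with sparse 'scrs' files, and two directories whose
    names fail the lowercase-letters rule. All names and times are made up."""
    root = tempfile.mkdtemp(prefix="appdata_")
    base = 1384000000  # constructed timestamp, November 2013

    def touch(path, mtime):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x")
        os.utime(path, (mtime, mtime))

    # Gamker-like: keylog plus 10 screenshots one second apart, then a lone
    # capture ten minutes later that must not be counted in the burst.
    touch(os.path.join(root, "qwlpxk", "keylog.txt"), base)
    for i in range(BURST_SIZE):
        touch(os.path.join(root, "qwlpxk", "scrs", f"{i}.bmp"), base + i)
    touch(os.path.join(root, "qwlpxk", "scrs", "late.bmp"), base + 600)
    # Benign lowercase directory: has 'scrs' but only three captures a
    # minute apart, so it is reported without a burst.
    for i in range(3):
        touch(os.path.join(root, "photos", "scrs", f"{i}.png"), base + 60 * i)
    # Skipped outright: mixed case and a name with non-letter characters.
    touch(os.path.join(root, "Microsoft", "scrs", "a.png"), base)
    touch(os.path.join(root, "notepad++", "session.xml"), base)
    return root


if __name__ == "__main__":
    for f in scan_appdata(build_sample_profile()):
        print(f.directory, f.keylog_candidates, f.bursts)
```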
The three types of information sent to the server (keylogs, screenshots, and command-line arguments), together with the VNC capability, will in many cases give the attacker critical information such as:</p> <ol> <li>Keylogs: <ul> <li>SAP password and sometimes the user name.</li> </ul> </li> <li>Screenshots: <ul> <li>SAP user name, server name, some confidential data, and more.</li> </ul> </li> <li>Command-line arguments: <ul> <li>Unlikely to contain sensitive information, based on initial analysis of the &lsquo;saplogon.exe&rsquo; binary.</li> </ul> </li> <li>VNC: <ul> <li>A VNC session can be initiated by the attacker to grab any additional information necessary to compromise the SAP server, as well as to attack the SAP server directly from the infected machine.</li> </ul> </li> </ol> <p>This trojan&rsquo;s targeting of businesses, as opposed to individuals, is an alarming move, and we will be monitoring this for further developments to protect and inform our customers.</p> <p><strong>Mitigating the risk</strong></p> <p>To reduce the risk of, and mitigate the damage caused by, an attack like the one on SAP, there are a number of recommended security policies. Some general recommended policies are as follows:</p> <ul> <li>Access control. Grant users the minimum access privilege level required to complete their job. This reduces the amount of data compromised in a successful attack.</li> <li>Two-factor authentication. A two-factor authentication process may stop this attack from being successful.</li> <li>Security education. Schedule training courses for all employees. A security-smart employee may be able to avoid infection in the first place.</li> <li>Antimalware solution. Run antimalware software on all workstations and monitor compliance. This may detect the trojan before it infects the workstation.</li> <li>Network intrusion detection system. This may create alerts on the suspicious VNC connection, detect the data exfiltration, or detect the trojan's C&amp;C communication on the network.</li> <li>Security management. 
Ensure workstations are running up-to-date versions of Windows with the latest security patches applied, and that all security-critical software such as Java, Adobe Flash, Adobe Reader, Microsoft Office, and web-browser clients is up to date. Compliance needs to be monitored and enforced.</li> </ul> <p>For further recommendations, guidelines, and information on additional SAP security products, consult SAP and read through their <a href="http://www.sap.com/pc/tech/application-foundation-security/software/security-solutions-overview.html">security solutions</a>.</p> <p><em>Geoff McDonald</em></p> <p><em>MMPC</em></p> <p><strong>Appendix</strong></p> <p><em>Table 2 &ndash; Reference checksums for analyzed samples</em></p> <table style="width: 600px;" border="1" cellspacing="0" cellpadding="4"> <tbody> <tr> <td valign="top" width="255"> <p><strong>Checksum</strong></p> </td> <td valign="top" width="138"> <p><strong>Detection</strong></p> </td> <td valign="top" width="164"> <p><strong>Comment</strong></p> </td> </tr> <tr> <td valign="top" width="255"> <p><em>SHA1: 4e2da5a532451500e890d176d71dc878844a9baa</em></p> <p><em>MD5: c9197f34d616b46074509b4827c85675</em></p> </td> <td valign="top" width="138"> <p><a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TrojanSpy:Win32/Gamker.A">TrojanSpy:Win32/Gamker.A</a></p> </td> <td valign="top" width="164"> <p>Injects the trojan into all processes.</p> </td> </tr> <tr> <td valign="top" width="255"> <p><em>SHA1: 6a9e1f85068fe1e4607b993774fc9cb229cd751b</em></p> <p><em>MD5: efe6cd23659a05478e28e08a138df81e</em></p> </td> <td valign="top" width="138"> <p><a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TrojanSpy:Win32/Gamker.A"><span style="color: 
#1659d8;">TrojanSpy:Win32/Gamker.A</span></a></p> </td> <td valign="top" width="164"> <p>Carberp-based password and information stealer.</p> </td> </tr> </tbody> </table> <p>&nbsp;</p> <p><em>Table 3 &ndash; Additional screen and command-line capture triggers under the category "IT"</em></p> <table style="width: 457px;" border="1" cellspacing="0" cellpadding="4"> <tbody> <tr> <td valign="top" width="168"> <p><em>TelemacoBusinessManager.exe</em></p> </td> <td valign="top" width="154"> <p><em>Ceedo.exe</em></p> </td> <td valign="top" width="136"> <p><em>FileProtector.exe</em></p> </td> </tr> <tr> <td valign="top" width="168"> <p><em>Telemaco.exe</em></p> </td> <td valign="top" width="154"> <p><em>CeedoRT.exe</em></p> </td> <td valign="top" width="136"> <p><em>contoc.exe</em></p> </td> </tr> <tr> <td valign="top" width="168"> <p><em>StartCeedo.exe</em></p> </td> <td valign="top" width="154"> <p><em>legalSign.exe</em></p> </td> <td valign="top" width="136"> <p><em>IDProtect Monitor.exe</em></p> </td> </tr> <tr> <td valign="top" width="168"> <p><em>dikeutil.exe</em></p> </td> <td valign="top" width="154"> <p><em>SIManager.exe</em></p> </td> <td valign="top" width="136"> <p><em>bit4pin.exe</em></p> </td> </tr> </tbody> </table> <p>&nbsp;</p> <p><em>Table 4 &ndash; Additional screen and command-line capture triggers under the category "ETC"</em></p> <table style="width: 600px;" border="1" cellspacing="0" cellpadding="4"> <tbody> <tr> <td valign="top" width="82"> <p><em>iscc.exe</em></p> </td> <td valign="top" width="100"> <p><em>rmclient.exe</em></p> </td> <td valign="top" width="87"> <p><em>Dealer.exe</em></p> </td> <td valign="top" width="111"> <p><em>visa.exe</em></p> </td> <td valign="top" width="91"> <p><em>SACLIENT.exe</em></p> </td> </tr> <tr> <td valign="top" width="82"> <p><em>info.exe</em></p> </td> <td valign="top" width="100"> <p><em>eclnt.exe</em></p> </td> <td valign="top" width="87"> <p><em>QUICKPAY.exe</em></p> </td> <td valign="top" width="111"> 
<p><em>ClientBK.exe</em></p> </td> <td valign="top" width="91"> <p><em>SXDOC.exe</em></p> </td> </tr> <tr> <td valign="top" width="82"> <p><em>WClient.exe</em></p> </td> <td valign="top" width="100"> <p><em>Client32.exe</em></p> </td> <td valign="top" width="87"> <p><em>UNISTREAM.exe</em></p> </td> <td valign="top" width="111"> <p><em>OnCBCli.exe</em></p> </td> <td valign="top" width="91"> <p><em>RETAIL32.exe</em></p> </td> </tr> <tr> <td valign="top" width="82"> <p><em>IMBLink32.exe</em></p> </td> <td valign="top" width="100"> <p><em>client6.exe</em></p> </td> <td valign="top" width="87"> <p><em>iWallet.exe</em></p> </td> <td valign="top" width="111"> <p><em>BUDGET.exe</em></p> </td> <td valign="top" width="91"> <p><em>UARM.exe</em></p> </td> </tr> <tr> <td valign="top" width="82"> <p><em>Bk_kw32.exe</em></p> </td> <td valign="top" width="100"> <p><em>ClntW32.exe</em></p> </td> <td valign="top" width="87"> <p><em>bitcoin-qt.exe</em></p> </td> <td valign="top" width="111"> <p><em>ARM\\ARM.exe</em></p> </td> <td valign="top" width="91"> <p><em>CLB.exe</em></p> </td> </tr> <tr> <td valign="top" width="82"> <p><em>BC_Loader.exe</em></p> </td> <td valign="top" width="100"> <p><em>el_cli.exe</em></p> </td> <td valign="top" width="87"> <p><em>Pmodule.exe</em></p> </td> <td valign="top" width="111"> <p><em>WUPostAgent.exe</em></p> </td> <td valign="top" width="91"> <p><em>PRCLIENT.exe</em></p> </td> </tr> <tr> <td valign="top" width="82"> <p><em>elbank.exe</em></p> </td> <td valign="top" width="100"> <p><em>LFCPaymentAIS.exe</em></p> </td> <td valign="top" width="87"> <p><em>RETAIL.exe</em></p> </td> <td valign="top" width="111"> <p><em>ProductPrototype.exe</em></p> </td> <td valign="top" width="91"> <p><em>EELCLNT.exe</em></p> </td> </tr> <tr> <td valign="top" width="82"> <p><em>selva_copy.exe</em></p> </td> <td valign="top" width="100"> <p><em>UpOfCards.exe</em></p> </td> <td valign="top" width="87"> <p><em>QIWIGUARD.exe</em></p> </td> <td valign="top" width="111"> 
<p><em>MWCLIENT32.exe</em></p> </td> <td valign="top" width="91"> <p><em>ASBANK_LITE.exe</em></p> </td> </tr> <tr> <td valign="top" width="82"> <p><em>EximClient.exe</em></p> </td> <td valign="top" width="100"> <p><em>Payments.exe</em></p> </td> <td valign="top" width="87"> <p><em>OKMain.exe</em></p> </td> <td valign="top" width="111"> <p><em>JSCASHMAIN.exe</em></p> </td> <td valign="top" width="91"> <p><em>MMBANK.exe</em></p> </td> </tr> <tr> <td valign="top" width="82"> <p><em>bb.exe</em></p> </td> <td valign="top" width="100"> <p><em>PaymMaster.exe</em></p> </td> <td valign="top" width="87"> <p><em>CSHELL.exe</em></p> </td> <td valign="top" width="111"> <p><em>EffectOffice.Client.exe</em></p> </td> <td valign="top" width="91"> <p><em>BBCLIENT.exe</em></p> </td> </tr> <tr> <td valign="top" width="82"> <p><em>startclient7.exe</em></p> </td> <td valign="top" width="100"> <p><em>ubs_net.exe</em></p> </td> <td valign="top" width="87"> <p><em>CNCCLIENT.exe</em></p> </td> <td valign="top" width="111"> <p><em>WFINIST.exe</em></p> </td> <td valign="top" width="91"> <p><em>BCLIENT.exe</em></p> </td> </tr> <tr> <td valign="top" width="82"> <p><em>terminal.exe</em></p> </td> <td valign="top" width="100"> <p><em>LPBOS.exe</em></p> </td> <td valign="top" width="87"> <p><em>ContactNG.exe</em></p> </td> <td valign="top" width="111"> <p><em>ETSRV.exe</em></p> </td> <td valign="top" width="91"> <p><em>xplat_client.exe</em></p> </td> </tr> <tr> <td valign="top" width="82"> <p><em>bankcl.exe</em></p> </td> <td valign="top" width="100"> <p><em>fcClient.exe</em></p> </td> <td valign="top" width="87"> <p><em>BANK32.exe</em></p> </td> <td valign="top" width="111"> <p><em>BBMS.exe</em></p> </td> <td valign="top" width="91"> <p><em>PinPayR.exe</em></p> </td> </tr> <tr> <td valign="top" width="82"> <p><em>kb_cli.exe</em></p> </td> <td valign="top" width="100"> <p><em>Edealer.exe</em></p> </td> <td valign="top" width="87"> <p><em>URALPROM.exe</em></p> </td> <td valign="top" width="111"> 
<p><em>bk.exe</em></p> </td> <td valign="top" width="91"> <p><em>DTPayDesk.exe</em></p> </td> </tr> <tr> <td valign="top" width="82"> <p><em>cb193w.exe</em></p> </td> <td valign="top" width="100"> <p><em>Qiwicashier.exe</em></p> </td> <td valign="top" width="87"> <p><em>TERMW.exe</em></p> </td> <td valign="top" width="111"> <p><em>SAADM.exe</em></p> </td> <td valign="top" width="91"> <p><em>W32MKDE.exe</em></p> </td> </tr> <tr> <td rowspan="1" valign="top" width="82">​ <div><em>RTADMIN.exe</em></div> </td> <td rowspan="1" valign="top" width="100">​ <div><em>RTCERT.exe</em></div> </td> <td rowspan="1" valign="top" width="87">​ <div><em>litecoin-qt.exe</em></div> </td> <td rowspan="1" valign="top" width="111">​ <div><em>Transact.exe</em></div> </td> <td rowspan="1" valign="top" width="91">​ <div><em>Ibwn8.exe</em></div> </td> </tr> <tr> <td rowspan="1" valign="top" width="82">​ <div><em>clcard.exe</em></div> </td> <td rowspan="1" valign="top" width="100">​ <div><em>avn_cc.exe</em></div> </td> <td rowspan="1" valign="top" width="87">​ <div><em>sapphire.exe</em></div> </td> <td rowspan="1" valign="top" width="111">​ <div><em>srclbclient.exee</em></div> </td> <td rowspan="1" valign="top" width="91">​ <div><em>Client2.exe</em></div> </td> </tr> <tr> <td rowspan="1" valign="top" width="82">​ <div><em>WebLogin.exe</em></div> </td> <td rowspan="1" valign="top" width="100">​ <div><em>rpay.exe</em></div> </td> <td rowspan="1" valign="top" width="87">​ <div><em>KBADMIN.exe</em></div> </td> <td rowspan="1" valign="top" width="111">​ <div><em>Sunflow.exe</em></div> </td> <td rowspan="1" valign="top" width="91">​ <div><em>CliBank.exe</em></div> </td> </tr> <tr> <td rowspan="1" valign="top" width="82">​ <div><em>KLBS.exe</em></div> </td> <td rowspan="1" valign="top" width="100">​ <div><em>AdClient.exe</em></div> </td> <td rowspan="1" valign="top" width="87">​ <div><em>payment_processor.exe</em></div> </td> <td rowspan="1" valign="top" width="111">​ 
<div><em>NURITSmartLoader.exe</em></div> </td> <td rowspan="1" valign="top" width="91"> <div><em>Omeg\\M7.exe</em></div> </td> </tr> <tr> <td rowspan="1" valign="top" width="82"> <div><em>SGBClient.exe</em></div> </td> <td rowspan="1" valign="top" width="100"> <div><em>iquote32.exe</em></div> </td> <td rowspan="1" valign="top" width="87"> <div><em>plat.exe</em></div> </td> <td rowspan="1" valign="top" width="111"> <div><em>ibcremote31.exe</em></div> </td> <td rowspan="1" valign="top" width="91"> <div><em>WinVal.exe</em></div> </td> </tr> <tr> <td rowspan="1" valign="top" width="82"> <div><em>Payroll.exe</em></div> </td> <td rowspan="1" valign="top" width="100"> <div><em>CLBank.exe</em></div> </td> <td rowspan="1" valign="top" width="87"> <div><em>LBank.exe</em></div> </td> <td rowspan="1" valign="top" width="111"></td> <td rowspan="1" valign="top" width="91"></td> </tr> </tbody> </table> </div> <p><strong>Backup the best defense against (Cri)locked files</strong><br />http://blogs.technet.com/b/mmpc/archive/2013/11/19/backup-the-best-defense-against-cri-locked-files.aspx<br />Tue, 19 Nov 2013 14:00:00 GMT, msft-mmpc</p> <p>Crilock &ndash; also known as CryptoLocker &ndash; is a notorious ransomware family that has been making the rounds since early September. Its primary payload targets and encrypts your files, such as your pictures and Office documents. 
All of the file types that can be encrypted are listed in our <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Crilock.A">Trojan:Win32/Crilock.A</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Crilock.B">Trojan:Win32/Crilock.B</a> descriptions.</p> <p class="ExternalClass455762B566624F9E8CAFBBD22BA40B4E">Crilock affected about 34,000 machines between September and early November 2013.</p> <p>Once Crilock encrypts your files, they are rendered unusable. The malware shows a message that covers your desktop and demands that you pay a ransom to regain access to your files. The ransom can be paid with various online currencies such as BitCoin, CashU, MoneyPak, Paysafecard, and Ukash. Once you pay, the malware author will supposedly give you back the private keys used in the encryption. However, we don&rsquo;t recommend doing this, as there is no guarantee that paying will lead to recovering your documents and, in effect, you&rsquo;re giving criminals some of your hard-earned money.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/crilock1.png"><img style="height: 386px; width: 500px;" src="http://www.microsoft.com/security/portal/blog-images/a/crilock1.png" alt="Crilock message" border="0" /></a></p> <p><em>Figure 1: The message that Crilock might display on your desktop</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/crilock2.png"><img style="height: 482px; width: 500px;" src="http://www.microsoft.com/security/portal/blog-images/a/crilock2.png" alt="Crilock document upload" border="0" /></a></p> <p><em>Figure 2: Crilock asks you to upload your encrypted documents and recover them for a fee</em></p> <p>The Crilock authors have even set up an online payment scheme on the Tor network where affected people can upload their encrypted files for recovery.</p> <p>Crilock encrypts your files using an AES-256 key that is 
unique to each file and then encrypts the file-specific AES key using a 2048-bit RSA public key. This is similar to the GpCode ransomware, which first came out in 2006 and used the same technique, but with RC4 for the file contents and a 1024-bit RSA key to encrypt the per-file key.</p> <p>Crilock can be downloaded onto your computer by exploits or other malware. For instance, we have seen <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader:Win32/Upatre.A&amp;ThreatID=-2147284373#tab=2">Upatre</a> download Zbot, which in turn downloads Crilock. Upatre has been heavily spammed in the past few months, and spam runs can be an effective way to distribute malware. This is discussed in detail in the blog post <a href="http://blogs.technet.com/b/mmpc/archive/2013/10/31/upatre-emerging-up-d-at-er-in-the-wild.aspx">Upatre: Emerging Up(d)at(er) in the wild</a>.</p> <p>As shown in the chart below, Crilock has predominantly affected English-speaking countries, although it also has a comparatively small presence in non-English-speaking locations. Every Crilock variant we&rsquo;ve seen so far has a ransom message written only in English.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/crilock3.png"><img style="height: 399px; width: 500px;" src="http://www.microsoft.com/security/portal/blog-images/a/crilock3.png" alt="Crilock affected countries graph" border="0" /></a></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/crilock8.png"><img style="height: 250px; width: 500px;" src="http://www.microsoft.com/security/portal/blog-images/a/crilock8.png" alt="Crilock affected countries map" border="0" /></a></p> <p><em>Figure 3: Crilock-affected countries from September 2013 to early November 2013</em></p> <p><strong>Can you recover your documents without paying?</strong></p> <p>In some cases, you can recover previous versions of encrypted files. 
However, the following conditions must be in place:</p> <ul> <li><a href="http://windows.microsoft.com/en-US/windows/repair-recovery-help#repair-recovery-help=windows-8%26v1h=win8tab1">System Restore Point</a> must have been turned on before you were infected with Crilock.</li> <li>You must already have detected and removed Crilock, and there can be no traces of it on your PC.</li> <li>Your files must be on the same PC you're using to recover them (that is, the files aren't on a network or removable drive).</li> </ul> <p>SkyDrive for Windows 8.1 also has a means of restoring previous versions of Microsoft documents. Similar to System Restore Point, you can look at the version history and recover files from a previous state.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/crilock5.png"><img style="height: 552px; width: 500px;" src="http://www.microsoft.com/security/portal/blog-images/a/crilock5.png" alt="Right-click on the file to see available version history" border="0" /></a></p> <p><em>Figure 4: Right-click on the file to see available version history</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/crilock6.png"><img src="http://www.microsoft.com/security/portal/blog-images/a/crilock6.png" alt="Restore file from older known working versions" border="0" /></a></p> <p><em>Figure 6: Restore file from older known working versions</em></p> <p>You can find more information about restoring previous file versions below:</p> <ul> <li><a href="http://windows.microsoft.com/en-us/windows-8/how-use-file-history">Restore files or folders using File History</a></li> <li><a href="http://windows.microsoft.com/en-us/windows7/previous-versions-of-files-frequently-asked-questions">Previous versions of files: frequently asked questions</a></li> <li><a href="http://windows.microsoft.com/en-us/skydrive/work-together-office">SkyDrive Overview</a></li> </ul> <p>We&rsquo;ve also added signatures based on Crilock behaviors to our 
antimalware products. This detection, Behavior:Win32/Crilock.A, can catch Crilock before it infects the computer and encrypts files.</p> <p>Crilock is not the first malware to extort money by encrypting files, and it certainly won&rsquo;t be the last. However, you can help prevent Crilock and other malware from infecting your PC by:</p> <ul> <li>Keeping your operating system and antivirus product up to date.</li> <li>Being careful about which files you download (and where you download them from).</li> <li>Being cautious about which attachments and links you open.</li> </ul> <p>Ransomware such as Crilock also emphasizes the importance of backing up your files on a regular basis. You can back up files by enabling System Restore, using manual syncing methods, or even by manually moving your files to a separate drive.</p> <p><em>Marianne Mallen and Karthik Selvaraj</em><br /><em>MMPC</em></p> <p><strong>MBSA 2.3 and the November 2013 Security Bulletin Webcast, Q&amp;A, and Slide Deck</strong><br />http://blogs.technet.com/b/msrc/archive/2013/11/15/mbsa-2-3-and-the-november-2013-security-bulletin-webcast-q-amp-a-and-slide-deck.aspx<br />Fri, 15 Nov 2013 18:00:00 GMT, Dustin C. Childs</p> <p>Today we&rsquo;re publishing the <a href="http://blogs.technet.com/b/msrc/p/november-2013-security-bulletin-q-a.aspx">November 2013 Security Bulletin Webcast Questions &amp; Answers page</a>. The majority of questions focused on the ActiveX Kill Bits bulletin (<a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-090">MS13-090</a>) and the advisories. 
We also answered a few general questions that were not specific to any of this month&rsquo;s updates, but that may be of interest.</p> <p>We&rsquo;ve discussed the Microsoft Baseline Security Analyzer (MBSA) tool in this and many other webcasts, and I&rsquo;m happy to report version 2.3 is now <a href="http://bit.ly/1duOCl7">available</a>. This new version adds support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. However, Windows 2000 systems will no longer be supported by MBSA. If you aren&rsquo;t familiar with the tool or would just like to know more about it, we encourage you to read the <a href="http://technet.microsoft.com/en-US/security/cc184922.aspx">FAQ</a> found on the Security TechCenter. Thanks also go out to everyone who participated in the public preview leading up to this release.</p> <p>We invite you to join us for the next scheduled webcast on Wednesday, December 11, 2013, at 11 a.m. PST (UTC -8), when we will go into detail about the December bulletin release and answer your bulletin deployment questions live on the air.</p> <p>You can register to attend the webcast at the link below:</p> <p><strong>Date: Wednesday, December 11, 2013<br />Time: 11:00 a.m. 
PST (UTC -8)<br />Register: <a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032557386&amp;culture=en-US"><strong>Attendee Registration</strong></a></strong></p> <p>Embedded video: http://www.youtube.com/embed/KqVpF7QqFj0?rel=0</p> <p>Thanks,</p> <p><a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br />Group Manager, Response Communications<br />Microsoft Trustworthy Computing</p> <p><strong>Introducing Enhanced Mitigation Experience Toolkit (EMET) 4.1</strong><br />http://blogs.technet.com/b/srd/archive/2013/11/12/introducing-enhanced-mitigation-experience-toolkit-emet-4-1.aspx<br />Tue, 12 Nov 2013 21:00:00 GMT, swiat</p> <p>In June 2013, we released EMET 4.0, and customer response has been fantastic. Many customers across the world now include EMET as part of their defense-in-depth strategy and appreciate how EMET helps businesses prevent attackers from gaining access to computer systems. Today, we&rsquo;re releasing a new version, <a href="http://www.microsoft.com/en-us/download/details.aspx?id=41138">EMET 4.1</a>, with updates that simplify configuration and accelerate deployment.</p> <p>EMET anticipates the most common techniques adversaries might use and shields computer systems against those security threats. 
EMET uses security mitigation technologies such as Data Execution Prevention (DEP), Mandatory Address Space Layout Randomization (ASLR), Structured Exception Handler Overwrite Protection (SEHOP), Export Address Table Access Filtering (EAF), Anti-ROP, and SSL/TLS Certificate Trust Pinning to help protect computer systems from new or undiscovered threats. EMET can also protect legacy applications or third-party line-of-business applications where you do not have access to the source code.</p> <p>Today&rsquo;s EMET 4.1 release includes new functionality and updates, such as:</p> <ul> <li>Updated default protection profiles, Certificate Trust rules, and Group Policy Object configuration.</li> <li>Shared remote desktop environments are now supported on Windows servers where EMET is installed.</li> <li>An improved Windows Event logging mechanism allows for more accurate reporting in multi-user scenarios.</li> <li>Several application-compatibility enhancements and reporting of mitigation false positives.</li> </ul> <p>EMET, built by the Microsoft Security Research Center (MSRC) engineering team, brings the latest in security science to your organization. While many EMET users exchange feedback and ideas at <a href="http://social.technet.microsoft.com/Forums/en/emet/threads">TechNet user forums</a>, a lesser-known fact is that Microsoft Premier Support options are also available for businesses that deploy EMET within their enterprise. Many of our customers deploy EMET at scale through Microsoft System Center Configuration Manager and apply enterprise application, user and account rules through Group Policy. EMET works well with the tools and support options our customers know and use today.</p> <p>As we continue to advance EMET, we welcome your feedback on what you like and what additional features would help in protecting your business. 
If you are attending <a href="http://www.rsaconference.com/">RSA Conference</a> in San Francisco, or the <a href="https://www.blackhat.com/us-13/">Blackhat Conference</a> in Las Vegas next year, be sure to stop by the Microsoft booth and share your feedback with us. We look forward to hearing from you.</p> <p><a href="http://www.microsoft.com/emet">The EMET Team</a></p><div style="clear:both;"></div> Technical details of the targeted attack using IE vulnerability CVE-2013-3918 http://blogs.technet.com/b/srd/archive/2013/11/12/technical-details-of-the-targeted-attack-using-cve-2013-3918.aspx Tue, 12 Nov 2013 18:02:00 GMT swiat <p>Over the weekend we became aware of an <a href="http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html">active attack</a> relying on a previously unknown remote code execution vulnerability in a legacy ActiveX component used by Internet Explorer. We are releasing this blog to confirm <a href="http://blogs.technet.com/b/msrc/archive/2013/11/11/activex-control-issue-being-addressed-in-update-tuesday.aspx">one more time</a> that the code execution vulnerability will be fixed in today&rsquo;s Update Tuesday release and to clarify some details about the second vulnerability reported.</p> <p>The attack was disclosed to us by our security partners and it is a typical targeted attack delivered &ldquo;drive-by&rdquo; through a specific legitimate website that was compromised to include an additional piece of code added by the attackers. 
At the moment we have analyzed samples from the active attack that are targeting only older Internet Explorer versions running on Windows XP (IE7 and IE8), because of the lack of additional security mitigations on those platforms (Windows 7 is affected but not under active attack). <a href="http://www.microsoft.com/emet">EMET</a> was able to proactively mitigate this exploit.</p> <p>The exploit was created by combining two distinct vulnerabilities with different impact and severity ratings:</p> <ol> <li>a remote code execution vulnerability (<a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-090">CVE-2013-3918</a>) in the InformationCardSigninHelper ActiveX component used by Internet Explorer;</li> <li>an information disclosure vulnerability (no CVE assigned yet) used by the attackers only to improve the reliability of the exploit and to create ROP payloads specifically targeted at the victim&rsquo;s machine.</li> </ol> <p>The <span style="text-decoration: underline;">remote code execution vulnerability</span>, with the higher severity rating, will be fixed immediately in today&rsquo;s Patch Tuesday, and we advise customers to prioritize the deployment of <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-090">MS13-090</a> for their monthly release. As usual, customers with Automatic Updates enabled will not need to take any action to receive the update and will be automatically protected.</p> <p>The <span style="text-decoration: underline;">information disclosure vulnerability</span> does not allow remote code execution and so has a lower severity rating, since it will typically be used in combination with another high-severity bug (as happened with CVE-2013-3918) to improve the effectiveness of exploitation. 
Also, this vulnerability requires attackers to have prior knowledge of paths and filenames present on targeted machines in order to be successfully exploited. This vulnerability was not used to bypass ASLR, but simply to remotely determine the exact version of a certain DLL on disk in order to build a more precise ROP payload (it&rsquo;s a local information disclosure rather than a memory address disclosure).</p> <p>We are still investigating the impact and root cause of the information disclosure vulnerability and we may follow up with additional information and mitigations as they become available.</p> <p>Elia Florio &ndash; MSRC Engineering</p><div style="clear:both;"></div> Assessing risk for the November 2013 security updates http://blogs.technet.com/b/srd/archive/2013/11/12/assessing-risk-for-the-november-2013-security-updates.aspx Tue, 12 Nov 2013 18:01:00 GMT swiat <p>Today we released eight security bulletins addressing 19 CVEs. Three bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. 
We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.</p> <table border="1"> <tbody> <tr> <td><strong>Bulletin</strong></td> <td><strong>Most likely attack vector</strong></td> <td><strong>Max Bulletin Severity</strong></td> <td><strong>Max Exploitability</strong></td> <td><strong>Likely first 30 days impact</strong></td> <td><strong>Platform mitigations and key notes</strong></td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-090">MS13-090</a> <p>(ActiveX killbit)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Expect to continue seeing drive-by-style attacks leveraging CVE-2013-3918.</td> <td>Addresses the out-of-bounds memory access vulnerability mentioned on the FireEye blog on Friday: <a href="http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html">http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html</a>. 
More information about this attack can be found on our blog at <a href="http://blogs.technet.com/b/srd/archive/2013/11/12/technical-details-of-the-targeted-attack-using-cve-2013-3918.aspx">http://blogs.technet.com/b/srd/archive/2013/11/12/technical-details-of-the-targeted-attack-using-cve-2013-3918.aspx</a></td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-088">MS13-088</a> <p>(Internet Explorer)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>&nbsp;</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-089">MS13-089</a> <p>(Windows GDI)</p> </td> <td>Victim opens a malicious .WRI file in Wordpad</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>This update addresses a vulnerability in converting a BMP to WMF. While the Wordpad vector would be only &ldquo;Important&rdquo; severity, we believe other attack vectors may exist if third-party applications are installed. Those attack vectors may not require user interaction. 
Therefore, out of an abundance of caution, we&rsquo;ve rated this bulletin &ldquo;Critical&rdquo;.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-091">MS13-091</a> <p>(Word)</p> </td> <td>Victim opens malicious Word document.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>&nbsp;</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-092">MS13-092</a> <p>(Hyper-V)</p> </td> <td>Attacker running code inside a virtual machine can cause bugcheck of host hypervisor system; or potentially execute code in another VM running on same hypervisor system.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable denial-of-service exploit developed within next 30 days.</td> <td>Guest -&gt; Host is denial-of-service (bugcheck). Guest -&gt; Guest has potential for code execution.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-093">MS13-093</a> <p>(AFD.sys)</p> </td> <td>Attacker running code at low privilege runs malicious EXE to reveal kernel memory addresses and contents.</td> <td>Important</td> <td>n/a</td> <td>No chance for direct code execution. Information disclosure only.</td> <td>Affects only 64-bit systems. Does not affect Windows 8.1.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-094">MS13-094</a> <p>(Outlook)</p> </td> <td>Attacker sends victim S/MIME email that triggers a number of HTTP requests during S/MIME signature validation. Because requests can be sent to an arbitrary host and port, timing differences can reveal to the attacker which hosts and ports are accessible to the victim&rsquo;s computer.</td> <td>Important</td> <td>n/a</td> <td>No chance for direct code execution. Information disclosure only.</td> <td>This vulnerability can be leveraged to &ldquo;port scan&rdquo; several thousand ports per S/MIME email opened by victim. 
Signature verification for multiple S/MIME signers in this way will take some time and will block Outlook during the process.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-095">MS13-095</a> <p>(Digital signature parsing denial-of-service)</p> </td> <td>Attacker sends a malformed X.509 certificate to a web service, causing a temporary resource exhaustion denial-of-service condition.</td> <td>Important</td> <td>n/a</td> <td>No chance for direct code execution. Denial of service only.</td> <td>&nbsp;</td> </tr> </tbody> </table> <p>- Jonathan Ness, MSRC Engineering</p><div style="clear:both;"></div> Security Advisory 2880823: Recommendation to discontinue use of SHA-1 http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2880823-recommendation-to-discontinue-use-of-sha-1.aspx Tue, 12 Nov 2013 18:00:00 GMT swiat <p>Microsoft is recommending that customers and CAs stop using SHA-1 for cryptographic applications, including use in SSL/TLS and code signing. <a href="http://technet.microsoft.com/security/advisory/2880823">Microsoft Security Advisory 2880823</a> has been released along with the policy announcement that Microsoft will stop recognizing the validity of SHA-1 based certificates after 2016.</p> <p><strong>Background</strong></p> <p>Secure Hashing Algorithm 1 (SHA-1) is a message digest algorithm published in 1995 as part of NIST&rsquo;s Secure Hash Standard. 
A hashing algorithm is considered secure only if distinct inputs cannot practically be made to produce the same output and the output cannot be reversed to recover the input (the function only works one way).</p> <p>Since 2005 there have been known collision attacks (where multiple inputs can produce the same output), meaning that SHA-1 no longer meets the security standards for producing a cryptographically secure message digest.</p> <p>For attacks against hashing algorithms, we have seen a pattern of attacks leading up to major real-world impacts:</p> <p><strong>Short history of MD5 Attacks</strong></p> <p>Source: <a href="http://2012.sharcs.org/slides/stevens.pdf">Marc Stevens, Cryptanalysis of MD5 and SHA-1</a></p> <ul> <li>1992: MD5 published</li> <li>1993: Pseudo-collision attack</li> <li>2004: Identical-prefix collision found in 2^40 calls</li> <li>2006: Chosen-prefix collision found in 2^49 calls</li> <li>2009: Identical-prefix and chosen-prefix collisions optimized to 2^16 and 2^39 calls respectively; rogue CA practical attack implemented</li> </ul> <p>It appears that SHA-1 is on a similar trajectory:</p> <ul> <li>1995: SHA-1 published</li> <li>2005: SHA-1 collision attack published in 2^69 calls</li> <li>2005: NIST recommendation for movement away from SHA-1</li> <li>2012: Identical-prefix collision in 2^61 calls presented</li> <li>2012: Chosen-prefix collision in 2^77.1 calls presented</li> </ul> <p><strong>Current Issues</strong></p> <p>Microsoft is actively monitoring the situation and has released a <a href="http://blogs.technet.com/b/pki/">policy for deprecating SHA-1 by 2016</a>.</p> <p><strong>Microsoft Recommendations</strong></p> <p>Microsoft recommends that Certificate Authorities (CAs) stop using SHA-1 for digital signatures and that consumers request SHA-2 certificates from CAs.</p> <p><strong>Microsoft Policy</strong></p> <p>Microsoft has publicized a <a href="http://blogs.technet.com/b/pki/">new policy</a> that calls for users and CAs to stop using SHA1-based certificates 
by 2016.</p> <p>- William Peteroy, MSRC</p> <p>I would like to thank the Microsoft PKI team as well as Ali Rahbar of the MSRC Engineering team for their hard work and input.</p><div style="clear:both;"></div> Security Advisory 2868725: Recommendation to disable RC4 http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx Tue, 12 Nov 2013 18:00:00 GMT swiat <p>In light of recent research into practical attacks on biases in the RC4 stream cipher, Microsoft is recommending that customers enable TLS1.2 in their services and take steps to retire and deprecate RC4 as used in their TLS implementations. Microsoft recommends TLS1.2 with AES-GCM as a more secure alternative that will provide similar performance.</p> <p><strong>Background</strong></p> <p>Developed in 1987 by Ron Rivest, RC4 was one of the earliest stream ciphers to see broad use. It was initially used in commercial applications, was faster than alternatives when implemented in software, and over time became pervasive because of how cheap, fast and easy it was to implement and use.</p> <p><strong>Stream vs. Block</strong></p> <p>At a high level, a stream cipher generates a pseudorandom stream of bits of the same length as the plaintext and then XORs the pseudorandom stream with the plaintext to generate the ciphertext. This is different from a block cipher, which chunks plaintext into separate blocks, pads the plaintext to the block size and encrypts the blocks.</p> <p><strong>A History of Issues</strong></p> <p>RC4 consists of a Key Scheduling Algorithm (KSA) which feeds into a Pseudo-Random Generator (PRG), both of which need to be robust for use of the cipher to be considered secure. 
Beyond implementation issues with RC4, such as document encryption and the 802.11 WEP implementation, there are some significant issues in the KSA which lead to biases in the leading bytes of PRG output.</p> <p>By definition, a PRG is only secure if its output is indistinguishable from a stream of random data. In 2001, Mantin and Shamir &lt;<a href="http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.4.6198">http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.4.6198</a>&gt; found a significant bias in RC4 output, specifically a bias toward the second byte of output being &lsquo;0&rsquo;. Attacks and research have evolved since 2001; the work of T. Isobe, T. Ohigashi, Y. Watanabe and M. Morii of Kobe University in Japan is especially significant when evaluating the risk of RC4 use. Their findings show additional, significant biases in the first 257 bytes of RC4 output as well as practical plaintext recovery attacks on RC4.</p> <p class="p1">The plaintext recovery attacks show a passive attacker collecting ciphertexts encrypted with different keys. Given 2^32 ciphertexts with different keys, the first 257 bytes of the plaintext are recovered with a probability of more than 0.5 &lt;<a href="http://home.hiroshima-u.ac.jp/ohigashi/rc4/Full_Plaintext_Recovery%20Attack_on%20Broadcast_RC4_pre-proceedings.pdf">http://home.hiroshima-u.ac.jp/ohigashi/rc4/Full_Plaintext_Recovery%20Attack_on%20Broadcast_RC4_pre-proceedings.pdf</a>&gt;.</p> <p>Since early RC4 output cannot be discarded from SSL/TLS implementations without protocol-level changes, this attack demonstrates the practicality of attacks against RC4 in common implementations.</p> <p><strong>Internet Use of RC4</strong></p> <p class="p1">One of the first steps in evaluating the customer impact of new security research and understanding the risks involved is evaluating the state of public and customer environments. 
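</p> <p>The second-byte bias described above, as an added example that is not part of the advisory or of Microsoft's code: a textbook RC4 (KSA plus PRGA) in Python, and a measurement of how often each early keystream byte is 0 across many random 128-bit keys, which is roughly twice the unbiased rate for byte two. The key length, sample count, RNG seed and test strings are choices made here, not values from the page.</p>

```python
"""Empirical check of the Mantin-Shamir second-byte bias in RC4.

Added example, not part of Microsoft's advisory or code. Textbook RC4 is
implemented below (KSA + PRGA); zero_byte_bias() then counts, over many random
keys, how often each of the first keystream bytes equals 0. An unbiased
generator hits 0 with probability 1/256; RC4's second byte does so with
probability close to 2/256. Because TLS cannot discard early keystream bytes,
this bias lands directly on the first bytes of every record.
"""
import random


def rc4_ksa(key: bytes) -> list:
    """Key Scheduling Algorithm: derive the 256-entry permutation S from the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, length: int) -> bytes:
    """PRGA: emit `length` keystream bytes from the permutation built by the KSA."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """Stream-cipher encryption: XOR data with the keystream (decryption is identical)."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def zero_byte_bias(max_position: int = 16, num_keys: int = 30000,
                   key_len: int = 16, seed: int = 1) -> list:
    """For keystream byte positions 1..max_position, return the ratio between the
    observed frequency of a 0 byte over `num_keys` random keys and the 1/256
    frequency an unbiased generator would show (index 0 is byte 1, index 1 is byte 2).

    A ratio near 1.0 means no gross bias; byte 2 comes out near 2.0. The RNG is
    seeded so the measurement is reproducible; key_len=16 mirrors 128-bit TLS keys.
    """
    rng = random.Random(seed)
    zeros = [0] * max_position
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))  # constructed random key
        for idx, byte in enumerate(rc4_keystream(key, max_position)):
            if byte == 0:
                zeros[idx] += 1
    expected = num_keys / 256
    return [count / expected for count in zeros]


if __name__ == "__main__":
    # Round-trip sanity check on constructed sample data.
    key, msg = b"constructed-demo-key", b"second byte bias demo"
    assert rc4_encrypt(key, rc4_encrypt(key, msg)) == msg
    for pos, ratio in enumerate(zero_byte_bias(), start=1):
        print(f"keystream byte {pos:2d}: P(=0) is {ratio:.2f}x the unbiased rate")
```

<p class="p1">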
Using a sample size of five million sites, we found that 58% of sites do not use RC4, while approximately 43% do. Of the 43% that utilize RC4, only 3.9% require its use. Therefore, disabling RC4 by default has the potential to decrease the use of RC4 by almost forty percent.</p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/6153.rc4.png"><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/6153.rc4.png" alt="" border="0" /></a></p> <p><strong>Microsoft's Response</strong></p> <p>Today's update provides tools for customers to test and disable RC4. The launch of Internet Explorer 11 (IE 11) and Windows 8.1 provides more secure defaults for customers out of the box.</p> <p>IE 11 enables TLS1.2 by default and no longer uses RC4-based cipher suites during the TLS handshake.</p> <p>More detailed information about these changes can be found in the IE 11 blog &lt;<a href="http://blogs.msdn.com/b/ie/archive/2013/11/12/ie11-automatically-makes-over-40-of-the-web-more-secure-while-making-sure-sites-continue-to-work.aspx">http://blogs.msdn.com/b/ie/archive/2013/11/12/ie11-automatically-makes-over-40-of-the-web-more-secure-while-making-sure-sites-continue-to-work.aspx</a>&gt;.</p> <p>For application developers, we have implemented additional options in SChannel which allow for its use without RC4.</p> <p><strong>Today's Updates</strong></p> <p>Today's update, KB 2868725, provides support for the Windows 8.1 RC4 changes on Windows 7, Windows 8, Windows RT, Server 2008 R2, and Server 2012. 
These updates will not change existing settings, and customers must implement the changes detailed below to help secure their environments against weaknesses in RC4.</p> <p><strong>Call to Action</strong></p> <p>Microsoft strongly encourages customers to evaluate, test and implement the options for disabling RC4 below to increase the security of clients, servers and applications. Microsoft recommends enabling TLS1.2 and AES-GCM. Clients and servers running on Windows with custom SSL/TLS implementations, such as Mozilla Firefox and Google Chrome, will not be affected by changes to SChannel.</p> <p><strong>How to Completely Disable RC4</strong></p> <p>Clients and servers that do not wish to use RC4 cipher suites, regardless of the other party's supported ciphers, can disable the use of RC4 cipher suites completely by setting the following registry keys. A server or client that sets these keys will refuse to connect to a peer that must use RC4: clients that deploy this setting will not be able to connect to sites that require RC4, while servers that deploy this setting will not be able to service clients that must use RC4.</p> <ul> <li>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128] <ul> <li>"Enabled"=dword:00000000</li> </ul> </li> <li>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128] <ul> <li>"Enabled"=dword:00000000</li> </ul> </li> <li>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128] <ul> <li>"Enabled"=dword:00000000</li> </ul> </li> </ul> <p><strong>How Other Applications Can Prevent the Use of RC4 based Cipher Suites</strong></p> <p>RC4 is not turned off by default for all applications. Applications that call into SChannel directly will continue to use RC4 unless they opt in to the security options. 
Applications that use SChannel can block the use of RC4 cipher suites for their connections by passing the SCH_USE_STRONG_CRYPTO flag to SChannel in the SCHANNEL_CRED structure. If compatibility needs to be maintained, they can also implement a fallback that does not pass this flag.</p> <p class="p1">Microsoft recommends that customers upgrade to TLS1.2 and utilize AES-GCM. On modern hardware AES-GCM has similar performance characteristics and is a much more secure alternative to RC4.</p> <p>- William Peteroy, MSRC</p> <p>I would like to thank the Windows, Internet Explorer and .NET teams for their work in this effort as well as Ali Rahbar and Suha Can of the MSRC Engineering team for their hard work and input. I would also like to thank Matthew Green for the excellent write-ups he has for this and other applied cryptography issues on his <a href="http://blog.cryptographyengineering.com/">blog</a>.</p><div style="clear:both;"></div> Authenticity and the November 2013 Security Updates http://blogs.technet.com/b/msrc/archive/2013/11/12/authenticity-and-the-november-2013-security-updates.aspx Tue, 12 Nov 2013 18:00:00 GMT Dustin C. Childs <p>If you haven't had a chance to see the movie <a href="http://www.imdb.com/title/tt1454468/?ref_=hm_cht_t2">Gravity</a>, I highly recommend you take the time to check it out. The plot moves a bit slowly at times, but director Alfonso Cuaron's portrayal of zero gravity is worth the ticket price alone. Add in stellar acting and you end up with an epic movie that really makes you miss the shuttle program. Still, the movie has its detractors. 
Specifically, astrophysicist and geek icon Neil deGrasse Tyson has been <a href="http://www.wired.com/underwire/2013/10/neil-degrasse-tyson-gravity/">critical</a> of the movie's authenticity. To deGrasse Tyson, a lack of authenticity disrupts the movie-going experience.<br /><br />Similarly, a lack of authenticity can disrupt your computing experience, which leads me to a couple of interesting items in this month's release. Two advisories this month deal with authenticity by focusing on certificates and cryptography. The first is <a href="http://technet.microsoft.com/security/advisory/2868725">Security Advisory 2868725</a>, which disables the use of the RC4 stream cipher. As computing power increases, cryptographic attacks that were once only theoretical become practical; this is the case with RC4, which was originally designed in 1987. That's the same year The Simpsons first appeared as shorts on The Tracy Ullman Show. Computing has changed somewhat in that time.<br /><br />We've already taken this step in Windows 8.1 and Internet Explorer 11, and now we're providing an update to disable its use in other operating systems as well. Rather than automatically disabling the cipher, the update provides a registry key that allows developers to eliminate RC4 as an available cipher in their applications. The <a href="http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx">SRD blog</a> provides a deep dive into RC4 and the implications of disabling it.<br /><br /><a href="http://technet.microsoft.com/security/advisory/2880823">Security Advisory 2880823</a> also impacts cryptography and authenticity but addresses SHA1. We aren't going to surprise the world by saying we're turning off support for SHA1 today, but we are announcing a <a href="http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements.aspx">new policy</a> for 
Certificate Authorities (CAs) that deprecates the use of the SHA1 algorithm in SSL and code signing certificates in favor of the SHA2 algorithm. After January 2016, only SHA2 certificates can be issued. The good folks over on the <a href="http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx">PKI blog</a> go into more detail about the change.<br /><br />We have an update regarding a cryptographic function as well: <a href="http://technet.microsoft.com/security/bulletin/ms13-095">MS13-095</a> addresses an issue in Digital Signatures that could cause a web service to stop responding if it receives a specially crafted <a href="http://msdn.microsoft.com/en-us/library/aa529568.aspx">X.509 certificate</a>. Since these certificates are used to ensure authenticity, having the web service go down during negotiation is suboptimal.<br /><br />Of course, another way to help ensure authenticity throughout your computing experience is to use EMET. An updated version of the program is <a href="http://aka.ms/EMET4">available</a> today. Among the many improvements, there is an update to the default settings that includes two new application protection profiles. There's also an update to the Certificate Trust profile that extends protection to more applications. Full details about this release can be found on the <a href="http://blogs.technet.com/b/srd/archive/2013/11/11/introducing-enhanced-mitigation-experience-toolkit-emet-4-1.aspx">SRD blog</a>. It may not patch any holes, but it can make it harder to reach any issue that may exist on a system and, if your family is like mine, it will significantly reduce calls from relatives looking for tech support.<br /><br />Of course it takes more than just authenticity to make a secure computing experience, which leads us to the other updates for November. Today, we released eight bulletins, three Critical and five Important, addressing 19 unique CVEs in Microsoft Windows, Internet Explorer, and Office. 
For those who need to prioritize their deployment planning we recommend focusing on <a href="http://technet.microsoft.com/security/bulletin/ms13-090">MS13-090</a>, <a href="http://technet.microsoft.com/security/bulletin/ms13-088">MS13-088</a>, and <a href="http://technet.microsoft.com/security/bulletin/ms13-089">MS13-089</a>.<br /><br />Our Bulletin Deployment Priority graph provides an overview of this month's priority releases (click to enlarge).<br /><br /><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/5238.Overview-Slide_5F00_DP.png"><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/5238.Overview-Slide_5F00_DP.png" alt="" border="0" /></a><br /><br /><strong><a href="http://technet.microsoft.com/security/bulletin/ms13-090">MS13-090 | Cumulative Security Update of Active X Kill Bits</a></strong><br />This update addresses a remote code execution issue in an ActiveX control by providing a kill bit for associated ActiveX controls. We are aware of limited attacks that exploit this issue. 
The code execution occurs at the level of the logged-on user, so non-admin users would face less of an impact. The remote code execution vulnerability with the higher severity rating will be fixed in today's release and we advise customers to prioritize the deployment of MS13-090 for their monthly release. As usual, customers with Automatic Updates enabled will not need to take any action to receive the update. Additional information about this vulnerability is available on the <a href="http://blogs.technet.com/b/srd/archive/2013/11/12/technical-details-of-the-targeted-attack-using-cve-2013-3918.aspx">Security Research &amp; Defense blog</a>.<br /><br /><strong><a href="http://technet.microsoft.com/security/bulletin/ms13-088">MS13-088 | Cumulative Update for Internet Explorer</a></strong><br />This security update resolves ten privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user.<br /><br /><strong><a href="http://technet.microsoft.com/security/bulletin/ms13-089">MS13-089 | Vulnerability in Windows Graphics Device Interface Could Allow Remote Code Execution</a></strong><br />This update addresses one privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views or opens a specially crafted Windows Write file in WordPad. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.<br /><br />Last but not least, we are also providing an update for users of DirectAccess (DA) through <a href="http://technet.microsoft.com/security/advisory/2862152">Security Advisory 2862152</a>. 
This security feature bypass issue would require a man-in-the-middle attacker to be successful, but if someone can snoop on your DA connection, it's possible they could impersonate a legitimate DA server in order to establish connections with legitimate DA clients.&nbsp; The attacker-controlled system could then intercept the target user's network traffic and potentially determine the encrypted domain credentials. This update, along with the new configuration guidelines available in KB2862152, helps ensure the authenticity of DA connections.<br /><br />Watch the bulletin overview video below for a brief summary of today's releases.<br /><br />&nbsp;<iframe src="http://www.youtube.com/embed/gwNAfmqhBCE" frameborder="0" width="400" height="225"></iframe> <br /><br />Our risk and impact graph shows an aggregate view of this month's Security and Exploitability Index (click to enlarge).<br /><br /><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/8228.Overview-Slide_5F00_Severity.png"><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/8228.Overview-Slide_5F00_Severity.png" alt="" border="0" /></a><br /><br />For more information about this month's security updates, including the detailed view of the Exploit Index broken down by CVE, visit the <a href="http://technet.microsoft.com/security/bulletin/MS13-nov">Microsoft Bulletin Summary Webpage</a>.<br /><br />Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, November 13, 2013, at 11 a.m. PST. 
I invite you to <a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032557383&amp;Culture=en-US">register here</a> and tune in to learn more about this month's security bulletins and advisories.&nbsp;We'll provide authentic answers to your update deployment questions, but no zero gravity effects will be employed.<br /><br />For all the latest information, you can also follow the MSRC team on Twitter at <a href="http://www.twitter.com/msftsecresponse">@MSFTSecResponse</a>.<br /><br />I look forward to hearing your questions in the webcast tomorrow.<br /><br />Thanks,<br /><br /><a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br />Group Manager, Response Communications<br />Microsoft Trustworthy Computing</p><div style="clear:both;"></div>Microsoft WindowsSecurity BulletinMalicious Software Removal Tool (MSRT)Security AdvisoryInternet Explorer (IE)Microsoft Office ActiveX Control issue being addressed in Update Tuesdayhttp://blogs.technet.com/b/msrc/archive/2013/11/11/activex-control-issue-being-addressed-in-update-tuesday.aspxMon, 11 Nov 2013 21:18:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:a7af4820-07a7-48e4-8e0e-aa90248ca52eDustin C. Childs0<p>Late last Friday, November 8, 2013, a vulnerability, CVE-2013-3918, affecting an Internet Explorer ActiveX Control was publicly disclosed. We have confirmed that this vulnerability is an issue already scheduled to be addressed in &ldquo;Bulletin 3&rdquo;, which will be released as MS13-090, as listed in the November Advanced Notification Service (ANS). The security update will be distributed to customers tomorrow via Windows Update at approximately 10:00 AM PDT. 
Customers who have Automatic Updates enabled will not need to take any action to receive the update.&nbsp;</p> <p>While we are in the process of finalizing the security update to address this issue, we encourage Internet Explorer customers concerned with this vulnerability to apply the following mitigations:</p> <ul> <li><strong>Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones</strong><br />This action will help <strong>prevent exploitation</strong> but may <strong>affect usability</strong>; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.</li> <li><strong>Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and local intranet security zones</strong> <br />This action will help <strong>prevent exploitation</strong> but can <strong>affect usability</strong>, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.</li> <li><strong><a title="Deploy the Enhanced Mitigation Experience Toolkit (EMET)" href="http://www.microsoft.com/emet">Deploy the Enhanced Mitigation Experience Toolkit (EMET)</a></strong> <br />This will <strong>help prevent exploitation</strong> by providing mitigations to help protect against this issue and <strong>should not affect usability</strong> of websites.</li> </ul> <p>As a best practice, we always encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. We also encourage customers to exercise caution when visiting websites and avoid clicking suspicious links or opening email messages from unfamiliar senders. 
Additional information can be found at <a title="www.microsoft.com/protect" href="http://www.microsoft.com/protect">www.microsoft.com/protect</a>.</p> <p>We will continue to monitor the threat landscape very closely and take appropriate action to help protect our customers.</p> <p>Thank you,<br /><a title="Dustin Childs" href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br />Group Manager, Response Communications<br />Trustworthy Computing</p> <p>&nbsp;</p><div style="clear:both;"></div>Zero-Day ExploitworkaroundsSecurityInternet Explorer (IE)activex Software defense: safe unlinking and reference count hardeninghttp://blogs.technet.com/b/srd/archive/2013/11/06/software-defense-safe-unlinking-and-reference-count-hardening.aspxWed, 06 Nov 2013 13:24:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:cdc61c51-6e36-408a-a935-291c3ca5ce42swiat0<p><span style="font-size: small;"><span style="font-family: Calibri;">Object lifetime management vulnerabilities represent a very common class of memory safety vulnerability.&nbsp; These vulnerabilities come in many shapes and sizes, and are typically quite difficult to mitigate generically.&nbsp; Vulnerabilities of this type result commonly from incorrect accounting with respect to <em>reference counts</em> describing active users of an object, or improper handling of certain object states or error conditions.&nbsp; While generically mitigating these issues represents an ongoing challenge, Microsoft has taken steps towards mitigating certain, specific classes of these issues in Windows 8 and Windows 8.1.&nbsp; These mitigations typically involve widespread instrumentation of code to reduce the impact of specific classes of issues.</span></span></p> <h1><span style="color: #2e74b5;">Introducing fast fail</span></h1> <p><span style="font-size: small;"><span style="font-family: 
Calibri;">Before we further detail some of the mitigations discussed in this post, it&rsquo;s important to take a brief moment to outline the mechanism by which these upcoming mitigations report their failures.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">When it comes to memory safety mitigations, one of the most basic (but sometimes overlooked) aspects of a mitigation is what to do when corruption has been detected.&nbsp; Typical memory safety mitigations attempt to detect some sort of indication that a program has &ldquo;gone off the guard rails&rdquo; and severely corrupted some form of its internal state; consequently, it is valuable for the code that detects the corruption to assume the minimum possible about the state of the process, and to depend on as little as possible when dealing with the error condition (often leading to a crash dump being captured, and the faulting program being terminated).</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">The mechanisms for dealing with triggering crash dump capture and program termination have historically been very environment-specific.&nbsp; The APIs often used to do so in user mode Windows, for example, do not exist in the Windows kernel; instead, a different set of APIs must be used.&nbsp; Furthermore, many existing mechanisms have not been designed to absolutely minimize dependencies on the state of the corrupted program at the time of error reporting.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Environment-specific mechanisms for critical failure reporting are also problematic for compiler generated code, or code that is compiled once and then linked in to programs that might run in many different environments (such as user mode, kernel mode, early boot, etc.).&nbsp; Previously, this problem has typically been addressed by providing a small section of stub code that is linked in to a 
program and which provides an appropriate critical failure reporting abstraction.&nbsp; However, this approach becomes increasingly problematic as the scope of programs that take dependencies on said stub library increases.&nbsp; For security features whose error reporting facilities are linked in to vast numbers of programs, the stub code must be extremely circumspect with respect to which APIs it may take dependencies on. </span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Take the case of /GS as an example: directly linking to the crash dump writing code would pull that code in to nearly every program built with /GS enabled, which would clearly be highly undesirable.&nbsp; Some programs might need to run on OS&rsquo;s before those facilities were even introduced, and even if that were not the case, pulling in additional dependent DLLs (or static linked library code) across such a wide scope of programs would incur unacceptable performance implications.</span></span></p> <p><span style="font-family: Calibri; font-size: small;">To address the needs of both future compiler-based (code generation altering) mitigations, which would strongly prefer to be as environment-agnostic as possible, as well as common framework/library-based mitigations, we introduced a facility called <em>fast fail</em> (sometimes referred to as <em>fail fast</em>) to Windows 8 and Visual Studio 2012.&nbsp; Fast fail represents a uniform mechanism for requesting immediate process termination in the context of a potentially corrupted process that is enabled by a combination of support in various Microsoft runtime environments (boot, kernel, user, hypervisor, etc.) 
as well as a new compiler intrinsic, </span><a href="http://msdn.microsoft.com/en-us/library/hh977022.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">__fastfail</span></a><span style="font-size: small;"><span style="font-family: Calibri;">.&nbsp; Code using fast fail has the advantage of being inlineable, compact (from a code generation perspective), and binary portable across multiple runtime environments.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Internally, fast fail is implemented by several architecture-specific mechanisms:</span></span></p> <table border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td valign="top" width="208"> <p><span style="font-size: small;"><span style="font-family: Calibri;">Architecture</span></span></p> </td> <td valign="top" width="208"> <p><span style="font-size: small;"><span style="font-family: Calibri;">Instruction</span></span></p> </td> <td valign="top" width="208"> <p><span style="font-size: small;"><span style="font-family: Calibri;">Location of &ldquo;Code&rdquo; argument</span></span></p> </td> </tr> <tr> <td valign="top" width="208"> <p><span style="font-size: small;"><span style="font-family: Calibri;">AMD64</span></span></p> </td> <td valign="top" width="208"> <p><span style="font-size: small;"><span style="font-family: Calibri;">int 0x29</span></span></p> </td> <td valign="top" width="208"> <p><span style="font-size: small;"><span style="font-family: Calibri;">rcx</span></span></p> </td> </tr> <tr> <td valign="top" width="208"> <p><span style="font-size: small;"><span style="font-family: Calibri;">ARM</span></span></p> </td> <td valign="top" width="208"> <p><span style="font-size: small;"><span style="font-family: Calibri;">Opcode 0xDEFB*</span></span></p> </td> <td valign="top" width="208"> <p><span style="font-size: small;"><span style="font-family: Calibri;">r0</span></span></p> </td> </tr> <tr> <td valign="top" width="208"> <p><span 
style="font-size: small;"><span style="font-family: Calibri;">x86</span></span></p> </td> <td valign="top" width="208"> <p><span style="font-size: small;"><span style="font-family: Calibri;">int 0x29</span></span></p> </td> <td valign="top" width="208"> <p><span style="font-size: small;"><span style="font-family: Calibri;">ecx</span></span></p> </td> </tr> </tbody> </table> <p><span style="font-size: small;"><span style="font-family: Calibri;">* <em>ARM defines a range of Thumb2 opcode space that is permanently undefined, and which will never be allocated for processor use.&nbsp; These opcodes can be used for platform-specific purposes.</em></span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">A single, Microsoft-defined <em>code</em> argument (assigned symbolic constants prefixed with FAST_FAIL_&lt;description&gt; in winnt.h and wdm.h) is provided to the __fastfail intrinsic.&nbsp; The code argument, intended for use in classifying failure reports, describes the type of failure condition and is incorporated into failure reports in an environment-specific fashion.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">A fast fail request is self-contained and typically requires just two instructions to execute.&nbsp; The kernel, or equivalent, then takes the appropriate action once a fast fail request has been executed.&nbsp; In user mode code, there are no memory dependencies involved (beyond the instruction pointer itself) when a fast fail event is raised, maximizing its reliability even in the case of severe memory corruption.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">User mode fast fail requests are surfaced as a second chance non-continuable exception with exception code 0xC0000409 and with at least one exception parameter (the first exception parameter being the fast fail code that was supplied as an argument to the __fastfail intrinsic).&nbsp; This 
exception code, previously used exclusively to report /GS stack buffer overrun events, was selected as it is already known to the Windows Error Reporting (WER) and debugging infrastructure as an indication that the process is corrupt and minimal in-process actions should be taken in response to the failure.&nbsp; Kernel mode fast fail requests are implemented with a dedicated bugcheck code, KERNEL_SECURITY_CHECK_FAILURE (0x139).&nbsp; In both cases, no exception handlers are invoked (as the program is expected to be in a corrupted state).&nbsp; The debugger (if present) is given an opportunity to examine the state of the program before it is terminated.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Pre-Windows 8 operating systems that do not support the fast fail instruction natively will typically treat a fast fail request as an access violation, or UNEXPECTED_KERNEL_MODE_TRAP bugcheck.&nbsp; In these cases, the program is still terminated, but not necessarily as quickly.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">The compact code-generation characteristics and support across multiple runtime environments without additional dependencies make fast fail ideal for use by mitigations that involve program-side code instrumentation, whether these be compiler-based or library/framework-based.&nbsp; Since the failure reporting logic can be embedded directly in application code in an environment-agnostic fashion, at the specific point where the corruption or inconsistency was detected, there is minimal disturbance to the active program state at the time of failure detection.&nbsp; The compiler can also implicitly treat a fast fail site as &ldquo;no-return&rdquo;, since the operating system does not allow the program to be resumed after a fast fail request (even in the face of exception handlers), enabling further optimizations to minimize the code generation impact of failure 
reporting.&nbsp; We expect that future compiler-based mitigations will take advantage of fast fail to report failures inline and in-context (where possible).</span></span></p> <h1><span style="color: #2e74b5;">Safe unlinking retrospective</span></h1> <p><a href="http://blogs.technet.com/b/srd/archive/2009/05/26/safe-unlinking-in-the-kernel-pool.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">Previously</span></a><span style="font-size: small;"><span style="font-family: Calibri;">, we discussed the targeted addition of safe unlinking integrity checks to the executive pool allocator in the Windows 7 kernel.&nbsp; Safe unlinking (and safe linking) are a set of general techniques for validating the integrity of a doubly-linked list when a modifying operation, such as a list entry unlink or link, occurs.&nbsp; These techniques operate by verifying that the neighboring list links for a list entry being acted upon actually still point to the list entry being linked or unlinked into the list.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Safe unlinking operations have historically been an attractive defense to add to the bookkeeping data structures of memory allocators as a defense against <em>pool overrun</em> or <em>heap overrun</em> vulnerabilities.&nbsp; Windows XP Service Pack 2 first introduced safe unlinking to the Windows heap allocator, and Windows 7 introduced safe unlinking to the executive pool allocator in the kernel.&nbsp; To understand why this is a valuable defensive technique, it is helpful to examine how memory allocators are often implemented.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">It is common for a memory allocator to include a <em>free list</em> of available memory regions that may be utilized to satisfy an allocation request.&nbsp; Frequently, the free list is implemented by embedding a doubly linked list entry inside 
of an available memory block that is logically located on the free list of the allocator, in addition to other metadata about the memory block (such as its size).&nbsp; This scheme allows an allocator to quickly locate and return a suitable memory block to a caller in response to an allocation request.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Now, when a memory block is returned to a caller to satisfy an allocation, it is <em>unlinked</em> from the free list.&nbsp; This involves updating the neighboring list entries (reached through the next and previous pointers embedded in the free block) to point to one another, instead of the block that is being handed out.&nbsp; In the context of an overrun scenario, where an attacker has managed to overrun a buffer and overwrite the contents of a neighboring, freed memory block header, the attacker may have the opportunity to supply arbitrary values for the <em>next</em> and <em>previous</em> pointers, which will then be written through when the (overwritten) freed memory block is next allocated.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">This yields what is commonly called a &ldquo;write-what-where&rdquo; or &ldquo;write anywhere&rdquo; primitive that lets an attacker choose a specific value (<em>what</em>) and a specific address (<em>where</em>) to store said value.&nbsp; This is a powerful primitive from an exploitation perspective, and affords an attacker a high degree of freedom [2].</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">In the context of memory allocators, safe unlinking helps mitigate this class of vulnerability by verifying that the list neighbors still point to the elements that the list entry embedded within the freed block says they should.&nbsp; If the block&rsquo;s list entry has been overwritten and an attacker has commandeered its list entries, this invariant will typically 
fail (provided that the logically previous and next list entries are not corrupted as well), enabling the corruption to be detected.</span></span></p> <h1><span style="color: #2e74b5;">Safe unlinking in Windows 8</span></h1> <p><span style="font-size: small;"><span style="font-family: Calibri;">Safe unlinking is broadly applicable beyond simply the internal linked lists of memory allocators; many applications and kernel mode components utilize linked lists within their own data structures.&nbsp; These data structures also stand to benefit from having safe unlinking (and safe linking) integrity checks inserted; beyond simply providing protection against heap-based overruns overwriting list pointers in application-specific data on the heap [1], linked list integrity checks in application-level code often provide a means to better protect against conditions where an application might erroneously delete an application-specific object containing a linked list entry twice (due to an application-specific object lifetime mismanagement issue), or might otherwise incorrectly use or synchronize access to a linked list.</span></span></p> <p><span style="font-family: Calibri; font-size: small;">Windows provides a </span><a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff554296(v=vs.85).aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">generalized library</span></a><span style="font-size: small;"><span style="font-family: Calibri;"> for manipulating doubly-linked lists, in the form of a set of inline functions provided in common Windows headers that are both exposed to third party driver code as well as heavily used internally.&nbsp; This library is well-suited as a central location at which to instrument code throughout the Microsoft code base, as well as third party driver code by extension, with safe unlinking (and safe linking) list integrity checks.</span></span></p> <p><span style="font-size: small;"><span style="font-family: 
Calibri;">Starting with Windows 8, the &ldquo;LIST_ENTRY&rdquo; doubly linked list library is instrumented with list integrity checks that protect code using the library against list corruption.&nbsp; All list operations that write through a list entry node&rsquo;s list link pointer will first check that the neighboring list links still point back to the node in question, which enables many classes of issues to be caught before they cause further corruption (for example, a double-remove of a list entry is typically immediately caught at the second remove).&nbsp; Since the library is designed as an operating-environment-agnostic, inline function library, the fast fail mechanism is used to report failures.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Within Microsoft, our experience has been that the safe linking (and safe unlinking) instrumentation has been highly effective at identifying linked list misuse, with more than 100 distinct bugs fixed in the Windows 8 development cycle on account of the list integrity checks.&nbsp; Many Windows components leverage the same doubly linked list library, leading to widespread coverage throughout the Windows code base [1].</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">We have also enabled third party code to take advantage of these list integrity checks; drivers that build with the Windows 8 WDK will get the integrity checks by default, no matter what OS is targeted at build time.&nbsp; The integrity checks are backwards compatible to previous OS&rsquo;s; however, previous OS releases will react to a list entry integrity check failure in a driver with a more generic bugcheck code such as UNEXPECTED_KERNEL_MODE_TRAP, rather than the dedicated KERNEL_SECURITY_CHECK_FAILURE bugcheck code introduced in Windows 8.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">With any broad form of code 
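instrumentation, it helps to look at the check itself.</span></span></p>

<p>What follows is an added example, not Microsoft's code: a reconstruction of the shape of the list library's InsertTailList and RemoveEntryList with the Windows 8 integrity checks described above, placed next to the unchecked unlink from the retrospective so that the write-what-where primitive and its mitigation can be compared directly. The failure reporter is a stand-in for the __fastfail intrinsic from the first section (it calls __fastfail under MSVC and __builtin_trap elsewhere, and a demo-only switch lets it return so that all three scenarios can be observed in one run); the FAST_FAIL_CORRUPT_LIST_ENTRY value is the one I recall winnt.h assigning, and the g_attacker_mem, build_list, corrupt_links and demo_* names are mine.</p>

```c
/* Added example, not Microsoft's code: a LIST_ENTRY list with Windows 8 style
 * safe linking/unlinking checks next to the unchecked unlink that hands an
 * attacker a write-what-where, reporting through a stand-in for __fastfail. */
#include <stddef.h>
#include <stdio.h>
#if defined(_MSC_VER)
#include <intrin.h>                       /* __fastfail */
#endif
#define FAST_FAIL_CORRUPT_LIST_ENTRY 3u   /* winnt.h value as I recall it (assumption) */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* The real library calls __fastfail directly and never returns.  This stand-in
 * records the code, and a demo-only switch lets it return so that all of the
 * scenarios below can be observed in one run instead of terminating the process. */
static unsigned int g_fast_fail_hit;      /* last code reported, 0 = none */
static int g_fast_fail_terminate = 1;
static void fast_fail(unsigned int code)
{
    g_fast_fail_hit = code;
    if (!g_fast_fail_terminate) return;
#if defined(_MSC_VER)
    __fastfail(code);                     /* int 0x29 / 0xDEFB, code in ecx, rcx or r0 */
#else
    __builtin_trap();                     /* nearest portable analogue: no unwinding */
#endif
}

/* Pre-hardening unlink.  With Entry->Blink = where and Entry->Flink = what, the
 * first store writes `what` into where->Flink: the write-what-where primitive. */
static void RemoveEntryListUnsafe(LIST_ENTRY *Entry)
{
    LIST_ENTRY *Flink = Entry->Flink, *Blink = Entry->Blink;
    Blink->Flink = Flink;
    Flink->Blink = Blink;
}

/* Safe unlinking: both neighbours must still point back at Entry before any write.
 * The return after fast_fail is unreachable once fast_fail really terminates. */
static void RemoveEntryListSafe(LIST_ENTRY *Entry)
{
    LIST_ENTRY *Flink = Entry->Flink, *Blink = Entry->Blink;
    if (Flink->Blink != Entry || Blink->Flink != Entry) { fast_fail(FAST_FAIL_CORRUPT_LIST_ENTRY); return; }
    Blink->Flink = Flink;
    Flink->Blink = Blink;
}

/* Safe linking: the current tail must still point forward at the head. */
static void InsertTailListSafe(LIST_ENTRY *Head, LIST_ENTRY *Entry)
{
    LIST_ENTRY *Blink = Head->Blink;
    if (Blink->Flink != Head) { fast_fail(FAST_FAIL_CORRUPT_LIST_ENTRY); return; }
    Entry->Flink = Head;  Entry->Blink = Blink;
    Blink->Flink = Entry; Head->Blink = Entry;
}

/* Demo scaffolding (mine).  `target` stands in for any pointer-sized field the
 * attacker wants to overwrite (a function pointer, say); g_attacker_mem for memory
 * the attacker owns.  The "what" must be writable, because the unlink's second
 * store lands at what + offsetof(LIST_ENTRY, Blink). */
static LIST_ENTRY g_attacker_mem;

static void build_list(LIST_ENTRY *h, LIST_ENTRY *a, LIST_ENTRY *b)
{
    h->Flink = h->Blink = h;              /* InitializeListHead */
    InsertTailListSafe(h, a); InsertTailListSafe(h, b);
}

static void corrupt_links(LIST_ENTRY *e, LIST_ENTRY *target)   /* overrun: Blink = where, Flink = what */
{
    e->Blink = target; e->Flink = &g_attacker_mem;
}

int demo_unsafe_unlink(void)               /* 1 if the attacker's value landed in target.Flink */
{
    LIST_ENTRY head, a, b, target = { NULL, NULL };
    build_list(&head, &a, &b); corrupt_links(&a, &target);
    RemoveEntryListUnsafe(&a);
    return target.Flink == &g_attacker_mem;
}

int demo_safe_unlink(void)                 /* 1 if corruption was reported and target untouched */
{
    LIST_ENTRY head, a, b, target = { NULL, NULL };
    g_fast_fail_terminate = 0; g_fast_fail_hit = 0;
    build_list(&head, &a, &b); corrupt_links(&a, &target);
    RemoveEntryListSafe(&a);
    return g_fast_fail_hit == FAST_FAIL_CORRUPT_LIST_ENTRY && target.Flink == NULL;
}

int demo_double_remove(void)               /* 1 if the second remove of the same entry is caught */
{
    LIST_ENTRY head, a, b; int first_clean;
    g_fast_fail_terminate = 0; g_fast_fail_hit = 0; build_list(&head, &a, &b);
    RemoveEntryListSafe(&a); first_clean = (g_fast_fail_hit == 0);
    RemoveEntryListSafe(&a);              /* a's links are stale: b.Blink is &head now */
    return first_clean && g_fast_fail_hit == FAST_FAIL_CORRUPT_LIST_ENTRY;
}
int main(void) { printf("unsafe=%d safe=%d double=%d\n", demo_unsafe_unlink(), demo_safe_unlink(), demo_double_remove()); return 0; }
```

<p>Compiled with any C compiler (<code>cc -Wall safe_unlink.c</code>, the file name being an assumption), the program reports that the unchecked unlink rewrote the target pointer, that the checked unlink refused and left it intact, and that a second RemoveEntryList on the same entry is caught because its stale links no longer agree with its former neighbours. Note what the check does not cover: if the attacker can corrupt the neighbouring entries as well, the invariant holds and the write goes through, which is why the post describes this as raising the cost of exploitation rather than closing the class.</p>

<p><span style="font-size: small;"><span style="font-family: Calibri;">As with any broad form of code 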
instrumentation, one concern that is nearly omnipresent naturally relates to the performance impact of the instrumentation.&nbsp; Our experience has been that the performance impact of safe unlinking (and safe linking) is minimal, even in workloads that involve large numbers of list entry manipulation operations.&nbsp; Since the list entry manipulation operations already inherently involve following pointers through to the neighboring list entries, simply adding an extra comparison (with a branch to a common fast fail reporting label) has proven to be quite inexpensive.</span></span></p> <h1><span style="color: #2e74b5;">Reference count hardening</span></h1> <p><span style="font-size: small;"><span style="font-family: Calibri;">It is common for objects that have non-trivial lifetime management to utilize reference counts to manage responsibility for keeping a particular object alive, and cleaning the object up once there are no active users of the object.&nbsp; Given that object lifetime mismanagement is one of the most common situations where memory corruption vulnerabilities come into play, it is thus no particular surprise that reference counts are often center stage when it comes to many of these vulnerabilities.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">While there has been research into this area (for example, Mateusz &ldquo;j00ru&rdquo; Jurczyk&rsquo;s November 2012 case study on reference count vulnerabilities [5]), generically mitigating all reference count mismanagement issues remains a difficult problem.&nbsp; Reference count-related vulnerabilities can generally be broken down into several broad classes:</span></span></p> <ul> <li><span style="font-size: small;"><span style="font-family: Calibri;">Under-referencing an object (such as forgetting to increase the reference count when taking out a long-lived pointer to an object, or decrementing the reference count of an object improperly).&nbsp; These 
vulnerabilities are difficult to cheaply mitigate as the information available to ascertain whether a reference count <em>should</em> be decremented at a certain time based on the lifetime model of a particular object is often not readily available at the time when the reference count is decremented.&nbsp; This class of vulnerability can lead to an object being deleted while another user of the object still holds what they believe to be a valid pointer to the object; the object could then be replaced with potentially attacker-controlled data if the attacker can allocate memory on the heap at the same location as the just-deleted object.</span></span></li> <li><span style="font-size: small;"><span style="font-family: Calibri;">Over-referencing an object (such as forgetting to decrement a reference count in an error path).&nbsp; This class of vulnerability is common in situations where a complex section of code has an early-exit path that does not clean up entirely.&nbsp; Similar to under-referencing, this class of vulnerability can also eventually lead to an object being prematurely deleted should the attacker be able to force the reference count to &ldquo;wrap around&rdquo; to zero after repeatedly exercising the code path that obtains (but then forgets to release) a reference to a particular object.&nbsp; Historically, this class of vulnerability has most often had an impact in the local kernel exploitation arena, where there is typically a rich set of objects exposed to untrusted user mode code, along with a variety of APIs to manipulate the state of said objects.</span></span></li> </ul> <p><span style="font-size: small;"><span style="font-family: Calibri;">Starting with Windows 8, the kernel object manager has started enforcing protection against reference count wrap in its internal reference counts.&nbsp; If a reference count increment operation detects that the reference count has wrapped, then an immediate REFERENCE_BY_POINTER bugcheck is raised, preventing 
the wrapped reference count condition from being exploited by causing a subsequent use-after-free situation.&nbsp; This enables the over-referencing class of vulnerabilities to be strongly mitigated in a robust fashion.&nbsp; We expect that with this hardening in place, it will not be practical to exploit an over-reference condition of kernel object manager objects for code execution, provided that all of the add-reference paths are protected by the hardening instrumentation.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Furthermore, the object manager also similarly protects against transitions from &lt;= 0 references to a positive number of references, which may make attempts to exploit other classes of reference count vulnerabilities less reliable if an attacker cannot easily prevent other reference count manipulation &ldquo;traffic&rdquo; from occurring while attempting to leverage the use after free condition.&nbsp; However, it should still be noted that this is not a complete mitigation for under-referencing issues.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">In Windows 8.1, we have stepped up reference count hardening in the kernel by adding this level of hardening to certain other portions of the kernel that maintain their own, &ldquo;private&rdquo; reference counts for objects not managed by the object manager.&nbsp; Where possible, code has additionally been converted to use a common set of reference count management logic that implements the same level of best practices that the object manager&rsquo;s internal reference counts do, including usage of pointer-sized reference counts (which further helps protect against reference count wrap issues, particularly on 64-bit platforms or conditions where an attacker must allocate memory for each leaked reference).&nbsp; Similar to the list entry integrity checks introduced in Windows 8, where reference count management is 
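hardened, the work is a couple of compares on the increment and decrement paths.</span></span></p>

<p>The following is an added example, not Microsoft's code, showing the shape of such a hardened count: a signed, pointer-sized counter whose increment refuses both a wrap and a transition from a count of zero or less, next to an unchecked 32-bit counter, each driven through the early-exit leak pattern described for CVE-2013-1280 below. The counter is started at its limit rather than leaked up to it so that the program runs in a moment; the FAST_FAIL_INVALID_REFERENCE_COUNT value is the one I recall winnt.h assigning (here fast_fail only records it, where the real intrinsic would terminate the process), and the object_t, legacy_object_t, leaky_op_* and demo_* names are mine.</p>

```c
/* Added example, not Microsoft's code: a pointer-sized, hardened reference count
 * of the kind described for the object manager and the Windows 8.1 "private"
 * counts, next to an unchecked 32-bit count of the older style. */
#include <stdint.h>
#include <stdio.h>
#define FAST_FAIL_INVALID_REFERENCE_COUNT 14u   /* winnt.h value as I recall it (assumption) */

/* Stands in for __fastfail(code), which terminates the process on the spot; here it
 * only records the code so that the scenarios below can return a result. */
static unsigned int g_fast_fail_hit;
static void fast_fail(unsigned int code) { g_fast_fail_hit = code; }

/* Older style: a 32-bit count with no checks.  Nothing stops it wrapping. */
typedef struct { uint32_t ref_count; int freed; } legacy_object_t;
static void legacy_reference(legacy_object_t *o)   { o->ref_count++; }
static void legacy_dereference(legacy_object_t *o) { if (--o->ref_count == 0) o->freed = 1; }

/* Hardened style: signed and pointer-sized, like the object manager's counts. */
typedef struct { intptr_t ref_count; int freed; } object_t;

/* The increment refuses to resurrect a dead object (count <= 0) and refuses to wrap.
 * On 64-bit an attacker would have to leak INTPTR_MAX references to reach the limit,
 * and the check turns that moment into a report rather than a silent wrap. */
static int ob_reference(object_t *o)
{
    intptr_t old = o->ref_count;
    if (old <= 0 || old == INTPTR_MAX) { fast_fail(FAST_FAIL_INVALID_REFERENCE_COUNT); return -1; }
    o->ref_count = old + 1;
    return 0;
}

/* The decrement refuses to go below zero; the last release "frees" the object. */
static int ob_dereference(object_t *o)
{
    intptr_t old = o->ref_count;
    if (old <= 0) { fast_fail(FAST_FAIL_INVALID_REFERENCE_COUNT); return -1; }
    if ((o->ref_count = old - 1) == 0) o->freed = 1;
    return 0;
}

/* The CVE-2013-1280 shape: an early-exit error path forgets to release the
 * reference taken at the top of the function. */
static int leaky_op_legacy(legacy_object_t *o, int fail_early)
{
    legacy_reference(o);
    if (fail_early) return -1;             /* bug: reference leaked on this path */
    legacy_dereference(o);
    return 0;
}
static int leaky_op_hardened(object_t *o, int fail_early)
{
    if (ob_reference(o) != 0) return -1;   /* the hardened count refused the increment */
    if (fail_early) return -1;             /* same leak, but it can no longer reach a wrap */
    ob_dereference(o);
    return 0;
}

/* Unchecked: the wrap frees the object under the legitimate holder's feet.  To keep
 * the demo fast the count starts at UINT32_MAX instead of leaking 2^32-2 references. */
int demo_legacy_wrap(void)
{
    legacy_object_t o = { UINT32_MAX, 0 };   /* one legitimate holder plus 2^32-2 leaks */
    leaky_op_legacy(&o, 1);                  /* one more leak: the count wraps to 0 */
    leaky_op_legacy(&o, 0);                  /* a well-behaved use: 0 -> 1 -> 0, "freed" */
    return o.freed;                          /* 1: the legitimate holder now has a dangling pointer */
}

/* Hardened: the increment that would wrap is refused and reported. */
int demo_hardened_wrap(void)
{
    object_t o = { INTPTR_MAX, 0 };          /* same shortcut: count already at the limit */
    int rc;
    g_fast_fail_hit = 0;
    rc = leaky_op_hardened(&o, 1);
    return rc == -1 && g_fast_fail_hit == FAST_FAIL_INVALID_REFERENCE_COUNT
        && !o.freed && o.ref_count == INTPTR_MAX;
}

/* Hardened: a stale pointer cannot take a new reference on an object already freed. */
int demo_hardened_resurrection(void)
{
    object_t o = { 1, 0 };
    ob_dereference(&o);                      /* last reference dropped: freed */
    g_fast_fail_hit = 0;
    return ob_reference(&o) == -1 && g_fast_fail_hit == FAST_FAIL_INVALID_REFERENCE_COUNT;
}

int main(void)
{
    printf("legacy wrap freed=%d, hardened wrap caught=%d, resurrection caught=%d\n",
           demo_legacy_wrap(), demo_hardened_wrap(), demo_hardened_resurrection());
    return 0;
}
```

<p>The unchecked counter is freed while its legitimate holder still uses it, which is the use after free the post describes; the hardened counter turns the increment that would wrap into a report, and also refuses a reference taken on an object whose count has already reached zero. That resurrection check is the one the post calls incomplete for under-referencing: it only fires if no other reference traffic has moved the count back above zero in the meantime.</p>

<p><span style="font-size: small;"><span style="font-family: Calibri;">Where reference count management is 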
provided as an inline function library, fast fail is used as a convenient and low-overhead mechanism to quickly abort the program when a reference count inconsistency is detected.</span></span></p> <p><span style="font-family: Calibri; font-size: small;">A concrete example of a vulnerability that would have been strongly mitigated by the broader adoption of reference count hardening in Windows 8.1 is </span><a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-017"><span style="color: #0563c1; font-family: Calibri; font-size: small;">CVE-2013-1280 (MS13-017</span></a><span style="font-size: small;"><span style="font-family: Calibri;">), which stemmed from an early-exit code path (taken in response to an error condition) in the I/O manager that did not release a reference to an internal I/O manager object obtained earlier in the vulnerable function.&nbsp; If an attacker were able to exercise the code path in question repeatedly, then they may have been able to cause the reference count to wrap around and thus later trigger a use after free condition.&nbsp; With the reference count hardening in place, an attempt to exploit this vulnerability would have resulted in an immediate bugcheck instead of a potential use after free situation arising.</span></span></p> <h1><span style="color: #2e74b5;">Conclusion</span></h1> <p><span style="font-size: small;"><span style="font-family: Calibri;">The reference count and list entry hardening changes introduced during Windows 8 and expanded on during Windows 8.1 are designed to drive up the cost of exploitation of certain classes of object lifetime management vulnerabilities.&nbsp; Situations such as over-referencing or leaked references can be strongly mitigated when protected by the reference count hardening deployed in Windows 8 and Windows 8.1, making it extremely difficult to practically exploit them for code execution.&nbsp; Pervasively instrumenting list entry 
operations throughout the Microsoft code base (and increasingly through third party drivers that use the Windows 8, or above, WDK) makes exploiting certain lifetime mismanagement issues less reliable, and improves reliability by catching corruption closer to the cause (and in some cases before corruption can impact other parts of the system).</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">That being said, there remain opportunities to increase adoption of these classes of mitigations throughout Microsoft&rsquo;s code base (and third parties&rsquo;, by extension), as well as opportunities for broad compiler-based or framework-based instrumentation to catch and detect other classes of issues.&nbsp; We expect to continue to research and invest in compiler-based and framework-based mitigations for object lifetime management (and other vulnerability classes).</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">- Ken Johnson</span></span></p> <h1><span style="color: #2e74b5;">References</span></h1> <p><span style="font-size: small;"><span style="font-family: Calibri;">[1] Ben Hawkes. Windows 8 and Safe Unlinking in NTDLL. July 2012.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">[2] Kostya Kortchinsky. Real World Kernel Pool Allocation. SyScan. July 2008.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">[3] Chris Valasek. Modern Heap Exploitation using the Low Fragmentation Heap. SyScan Taipei. November 2011.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">[4] Adrian Marinescu. Windows Vista Heap Management Enhancements. Black Hat USA. August 2006.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">[5] Mateusz &ldquo;j00ru&rdquo; Jurczyk. Windows Kernel Reference Count Vulnerabilities &ndash; Case Study. November 2012.</span></span></p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3608612&AppID=6147&AppType=Weblog&ContentType=0" width="1" height="1"> CVE-2013-3906: a graphics vulnerability exploited through Word documentshttp://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspxTue, 05 Nov 2013 17:09:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:2845948e-5459-463f-907b-f52f0e3bafedswiat0<p><span style="font-size: 12px;">Recently we became aware of a vulnerability in a Microsoft graphics component that is being actively exploited in targeted attacks using crafted Word documents sent by email. Today we are releasing </span><a style="font-size: 12px;" href="https://support.microsoft.com/kb/2896666">Security Advisory 2896666</a><span style="font-size: 12px;">, which includes a proactive </span><a style="font-size: 12px;" href="https://support.microsoft.com/kb/2896666">Fix it workaround</a><span style="font-size: 12px;"> that blocks this attack while we work on the final update. In this blog we&rsquo;ll share details of the vulnerability and the Fix it workaround, and provide mitigations and suggestions for layering protections against the attack.</span></p> <p>&nbsp;</p> <p><strong>The exploit</strong></p> <p>The attacks observed are very limited and carefully carried out against selected computers, largely in the Middle East and South Asia. 
The exploit needs some user interaction since it arrives disguised as an email that entices potential victims to open a specially crafted Word attachment. This attachment will attempt to exploit the vulnerability by using a malformed graphics image embedded in the document itself.</p> <p>In order to achieve code execution, the exploit combines multiple techniques to bypass DEP and ASLR protections. Specifically, the exploit code performs a large memory heap-spray using ActiveX controls (instead of the usual scripting) and uses hardcoded ROP gadgets to allocate executable pages. This also means the exploit will fail on machines hardened to block ActiveX controls embedded in Office documents (e.g. Protected View mode used by Office 2010) or on computers equipped with a different version of the module used to build the static ROP gadgets.</p> <p><span style="font-size: 12px;">&nbsp;</span></p> <table border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td valign="top" width="448">&nbsp;<a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/2746.pic1.png"><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/2746.pic1.png" alt="" border="0" /></a></td> <td valign="top" width="175"> <p>&nbsp;Heap-Spray of memory</p> <p>&nbsp;</p> </td> </tr> <tr> <td valign="top" width="448">&nbsp;<a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/0066.pic2.png"><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/0066.pic2.png" alt="" border="0" /></a></td> <td valign="top" width="175"> <p>&nbsp;Initial ROP gadgets</p> </td> </tr> </tbody> </table> <p>&nbsp;</p> <p><strong>Affected software</strong></p> <p>Our initial investigations show that the vulnerability will not affect Office 2013 but will affect 
older versions such as Office 2003 and 2007. Because of the way Office 2010 uses the vulnerable graphics library, it is affected only when running on older platforms such as Windows XP or Windows Server 2003, and not when running on newer Windows families (7, 8 and 8.1). This is another example of the security benefits of running recent versions of software (consider also that Windows XP support <a href="http://blogs.technet.com/b/security/archive/2013/08/15/the-risk-of-running-windows-xp-after-support-ends.aspx">will end in April 2014</a>). For more information and for the complete list of affected software, please refer to <a href="https://support.microsoft.com/kb/2896666">Security Advisory 2896666</a>.</p> <p>&nbsp;</p> <table border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td valign="top" width="150"> <p>&nbsp;Office 2003</p> </td> <td valign="top" width="354"> <p>&nbsp;Affected</p> </td> </tr> <tr> <td valign="top" width="150"> <p>&nbsp;Office 2007</p> </td> <td valign="top" width="354"> <p>&nbsp;Affected</p> </td> </tr> <tr> <td valign="top" width="150"> <p>&nbsp;Office 2010</p> </td> <td valign="top" width="354"> <p>&nbsp;Affected only on Windows XP / Windows Server 2003</p> </td> </tr> <tr> <td valign="top" width="150"> <p>&nbsp;Office 2013</p> </td> <td valign="top" width="354"> <p>&nbsp;Not affected</p> </td> </tr> </tbody> </table> <p>&nbsp;</p> <p><strong>Fix it workaround</strong></p> <p>We created a <a href="https://support.microsoft.com/kb/2896666">temporary Fix it workaround</a> that can block this attack. This temporary workaround doesn&rsquo;t address the root cause of the vulnerability; it changes the configuration of the computer to block rendering of the vulnerable graphics format that triggers the bug. 
The Fix it adds the following value to the local registry:</p> <div> <p>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec = 1</p> </div> <p>We advise customers to evaluate their use of TIFF images before applying this workaround, since it stops the GDI+ TIFF codec from rendering them.</p> <p>&nbsp;</p> <p><strong>Other layers of defense</strong></p> <p>Users who are not able to deploy the Fix it workaround can still take some important steps to raise the bar for attackers and protect themselves.</p> <ul> <li><span style="text-decoration: underline;">Install EMET (the Enhanced Mitigation Experience Toolkit)</span></li> </ul> <p style="padding-left: 30px;">Our tests show that <a href="http://www.microsoft.com/emet">EMET</a> blocks this exploit when any of the following mitigations are enabled for the Office binaries:</p> <ol> <li>the ROP mitigations (StackPointer, Caller, SimExec, MemProt) available in EMET 4.0;</li> <li>other mitigations (MandatoryASLR, EAF, HeapSpray) included in EMET 3.0 and 4.0.</li> </ol> <p>&nbsp;</p> <p style="padding-left: 30px;">&nbsp;<a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/7041.pic3.png"><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/7041.pic3.png" alt="" border="0" /></a></p> <p align="center">&nbsp;</p> <ul> <li><span style="text-decoration: underline;">Use Protected View and block ActiveX controls in Office documents</span></li> </ul> <p style="padding-left: 30px;">Even though the vulnerability lies in a graphics library, the attackers depend on other components to bypass DEP/ASLR and execute code, so users can still make exploitation more difficult and unreliable by opening attachments in Protected View (the default in Office 2010) or simply by blocking the execution of ActiveX controls embedded in Office documents. 
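Two of the steps above call for the same piece of tooling: the advisory asks you to evaluate TIFF usage before switching the GDI+ TIFF codec off, and any parser that must keep handling this format needs its offsets and sizes validated before they are used. The C program below is an added example written for this page, not code from GDI+, the advisory or the original post: find_tiff_headers locates embedded TIFF headers in an arbitrary byte buffer (so a document corpus can be triaged for TIFF content), and tiff_check validates the header and walks the first image file directory with every offset and count checked against the buffer, doing the count*size arithmetic in 64 bits so it cannot wrap. The sample document, the patched variants and the status codes are constructed for the example; the post does not describe the bug in the real codec and it is not modelled here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Locator for embedded TIFF headers plus a defensive TIFF header / first-IFD
   walker. Constructed for this example; not code from GDI+ or the advisory. */

enum tiff_status { TIFF_OK = 0, TIFF_NOT_TIFF, TIFF_TRUNCATED, TIFF_BAD_OFFSET };

typedef struct {
    bool     big_endian;
    uint32_t ifd_offset;
    uint16_t entries;
} tiff_summary;

static uint16_t rd16(const uint8_t *p, bool be) {
    return be ? (uint16_t)((p[0] << 8) | p[1]) : (uint16_t)((p[1] << 8) | p[0]);
}
static uint32_t rd32(const uint8_t *p, bool be) {
    return be ? ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3])
              : ((uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]);
}

/* Byte size of each TIFF 6.0 field type, indexed by type id (1..12). */
static const uint32_t type_size[13] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

/* Validate the header and first IFD of the TIFF starting at buf[0]. Every
   offset and size is checked against len before it is used, and the
   count*size products are computed in 64 bits so they cannot wrap. */
static enum tiff_status tiff_check(const uint8_t *buf, size_t len, tiff_summary *out) {
    if (len < 8) return TIFF_TRUNCATED;
    bool be;
    if (buf[0] == 'I' && buf[1] == 'I') be = false;
    else if (buf[0] == 'M' && buf[1] == 'M') be = true;
    else return TIFF_NOT_TIFF;
    if (rd16(buf + 2, be) != 42) return TIFF_NOT_TIFF;
    uint32_t ifd = rd32(buf + 4, be);
    if (ifd < 8 || (uint64_t)ifd + 2 > len) return TIFF_BAD_OFFSET;      /* IFD must lie inside the buffer */
    uint16_t n = rd16(buf + ifd, be);
    if ((uint64_t)ifd + 2 + (uint64_t)n * 12 + 4 > len) return TIFF_TRUNCATED;  /* entries + next-IFD pointer */
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + i * 12;       /* tag(2) type(2) count(4) value/offset(4) */
        uint16_t type  = rd16(e + 2, be);
        uint32_t count = rd32(e + 4, be);
        if (type == 0 || type > 12) continue;            /* unknown type: cannot be sized, so never dereferenced */
        uint64_t bytes = (uint64_t)count * type_size[type];
        if (bytes > 4) {                                 /* value does not fit inline: it lives at an offset */
            uint32_t off = rd32(e + 8, be);
            if ((uint64_t)off + bytes > len) return TIFF_BAD_OFFSET;
        }
    }
    if (out) { out->big_endian = be; out->ifd_offset = ifd; out->entries = n; }
    return TIFF_OK;
}

/* Scan an arbitrary byte buffer (a document) for TIFF headers. Returns how
   many were found; up to max of their offsets are written to offsets[]. */
static size_t find_tiff_headers(const uint8_t *buf, size_t len, size_t *offsets, size_t max) {
    size_t found = 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        if (memcmp(buf + i, "II\x2A\x00", 4) == 0 || memcmp(buf + i, "MM\x00\x2A", 4) == 0) {
            if (found < max) offsets[found] = i;
            found++;
        }
    }
    return found;
}

/* Constructed sample: six filler bytes, then a minimal little-endian TIFF
   whose 32-byte strip lives out of line at offset 0x32 within the TIFF. */
static const uint8_t sample_doc[] = {
    'D', 'O', 'C', 'x', 'x', 'x',
    'I', 'I', 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00,                              /* "II", 42, IFD at 8 */
    0x03, 0x00,                                                                /* 3 entries */
    0x00, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,    /* ImageWidth  SHORT x1 = 16 */
    0x01, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,    /* ImageLength SHORT x1 = 16 */
    0x11, 0x01, 0x04, 0x00, 0x08, 0x00, 0x00, 0x00, 0x32, 0x00, 0x00, 0x00,    /* StripOffsets LONG x8 @ 0x32 */
    0x00, 0x00, 0x00, 0x00,                                                    /* no next IFD */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

/* Same TIFF with the StripOffsets count patched to 0x40000008: a 32-bit
   count*4 wraps to 0x20 and would pass a naive bounds check. */
static enum tiff_status huge_count_status(void) {
    uint8_t t[sizeof sample_doc - 6];
    memcpy(t, sample_doc + 6, sizeof t);
    t[41] = 0x40;                                        /* high byte of entry 2's count field */
    return tiff_check(t, sizeof t, NULL);
}

/* Same TIFF with the entry count patched to 0xFFFF: the entry table would
   run far past the end of the buffer. */
static enum tiff_status huge_entry_count_status(void) {
    uint8_t t[sizeof sample_doc - 6];
    memcpy(t, sample_doc + 6, sizeof t);
    t[8] = 0xFF; t[9] = 0xFF;
    return tiff_check(t, sizeof t, NULL);
}

int main(void) {
    size_t offs[4];
    size_t n = find_tiff_headers(sample_doc, sizeof sample_doc, offs, 4);
    printf("TIFF headers found: %zu (first at offset %zu)\n", n, n ? offs[0] : 0);
    tiff_summary s = { false, 0, 0 };
    printf("sample TIFF: status %d, %u IFD entries\n", tiff_check(sample_doc + 6, sizeof sample_doc - 6, &s), s.entries);
    printf("huge count: %d, huge entry count: %d\n", huge_count_status(), huge_entry_count_status());
    return 0;
}
```

To triage a corpus, read each file into memory, call find_tiff_headers on it, and run tiff_check at every reported offset; a document that contains a TIFF is one the DisableTIFFCodec change will affect, and a TIFF that fails tiff_check is worth a closer look. Note the walker stops at the first IFD and checks only that referenced data lies inside the buffer; it does not decode the image.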
These general recommendations for Office hardening and better protection against attacks have been already suggested in the past in the following blogs which include examples and more details:</p> <p style="padding-left: 30px;"><a href="http://blogs.technet.com/b/srd/archive/2012/04/10/ms12-027-enhanced-protections-regarding-activex-controls-in-microsoft-office-documents.aspx">http://blogs.technet.com/b/srd/archive/2012/04/10/ms12-027-enhanced-protections-regarding-activex-controls-in-microsoft-office-documents.aspx</a></p> <p style="padding-left: 30px;"><a href="http://blogs.technet.com/b/mmpc/archive/2012/08/31/a-technical-analysis-on-cve-2012-1535-adobe-flash-player-vulnerability-part-2.aspx">http://blogs.technet.com/b/mmpc/archive/2012/08/31/a-technical-analysis-on-cve-2012-1535-adobe-flash-player-vulnerability-part-2.aspx</a></p> <p>&nbsp;</p> <p>Finally, we are working with our <a href="http://www.microsoft.com/security/msrc/collaboration/mapp.aspx">MAPP</a> partners to provide information that will help to detect samples related to this attack and improve overall coverage of antimalware and security products.</p> <p>We&rsquo;d like to thank Haifei Li of McAfee Labs IPS Team for reporting this vulnerability in a coordinated manner and for collaborating with us.</p> <p>&nbsp;</p> <p>- Elia Florio, MSRC Engineering</p> <p>&nbsp;</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3608375&AppID=6147&AppType=Weblog&ContentType=0" width="1" height="1">0dayExploitOfficefixit2896666CVE-2013-3906Zero-DayEMET Bounty Evolution: $100,000 for New Mitigation Bypass Techniques Wanted Dead or Alivehttp://blogs.technet.com/b/bluehat/archive/2013/11/01/bounty-evolution-100-000-for-new-mitigation-bypass-techniques-wanted-dead-or-alive.aspxFri, 01 Nov 2013 17:20:00 
GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:729f5d15-b280-4992-bde8-307b70bff06aBlueHat10http://blogs.technet.com/b/bluehat/rsscomments.aspx?WeblogPostID=3607648http://blogs.technet.com/b/bluehat/archive/2013/11/01/bounty-evolution-100-000-for-new-mitigation-bypass-techniques-wanted-dead-or-alive.aspx#comments<p>Those who know me personally or follow me on Twitter are familiar with my obsession with karaoke. I do it as often as I can rope people into going with me, never forcing anyone to sing, though invariably everyone does &ndash; or at least sings from the sidelines to the songs they know. One of my all-time favorite songs is Bon Jovi&rsquo;s Wanted Dead or Alive, and it&rsquo;s the song in my head as I write this post. By the end, I hope to have a few more people singing along. Go ahead and load it into the playlist as you read on.</p> <p>Today, Microsoft is announcing the first evolution of its bounty programs, first announced in <a href="http://blogs.technet.com/b/bluehat/archive/2013/06/19/heart-of-blue-gold-announcing-new-bounty-programs.aspx">June of 2013</a>. We are expanding the pool of talent who can participate and submit novel mitigation bypass techniques and defensive ideas to include responders and forensic experts who find active attacks in the wild. That means more people can &ldquo;sing along&rdquo; to earn big bounty payouts than ever before.</p> <p>Today&rsquo;s news means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000.</p> <p>Our platform-wide defenses, or mitigations, are a kind of shield that protects the entire operating system and all the applications running on it. Individual bugs are like arrows.&nbsp; The stronger the shield, the less likely any individual bug or arrow can get through. 
Learning about &ldquo;ways around the shield,&rdquo; or new mitigation bypass techniques, is much more valuable than learning about individual bugs because insight into exploit techniques can help us defend against entire classes of attack as opposed to a single bug &ndash; hence, we are willing to pay $100,000 for these rare new techniques.</p> <p>Building upon the success of our strategic bounty programs, Microsoft is evolving the bounty landscape to the benefit of our customers. The bounty programs we have created are designed to change the dynamics and the economics of the current vulnerability market. We currently do this in a few ways:</p> <ol start="1"> <li> <p>Offering bounties for bugs when other buyers typically are not buying them (e.g. during the preview/beta period) allows Microsoft to get a number of critical bugs out of the market before they are widely traded in grey or black markets and subsequently used to attack customers.</p> </li> <li> <p>Offering <a href="http://blogs.technet.com/b/bluehat/archive/2013/10/08/congratulations-to-james-forshaw-recipient-of-our-first-100-000-bounty-for-new-mitigation-bypass-techniques.aspx">researchers a $100,000 bounty</a>&nbsp;to teach us new mitigation bypass techniques enables us to build better defenses&nbsp;into our products faster and to provide workarounds and mitigations through tools such as <a href="http://www.microsoft.com/en-us/download/details.aspx?id=39273">EMET</a>.</p> </li> <li> <p>Evolving our bounty programs to include responders and forensic experts, who can turn in techniques that are being used in active attacks, enables us to work on building better defenses into our products. 
We will&nbsp;work whenever possible with our <a href="http://www.microsoft.com/security/msrc/collaboration/mapp.aspx">MAPP program</a> and engage our community network of defenders to help mitigate these attacks more rapidly.</p> </li> </ol> <p>In this new expansion of Microsoft&rsquo;s bounty programs, organizations and individuals are eligible to submit Proof-of-Concept code and technical analysis of exploits they find in active use in the wild for our standard bounty amount of up to $100,000. Participants are also eligible for up to $50,000 more if they submit a qualifying defense idea. The <a href="http://www.microsoft.com/security/msrc/report/bypass_bounty.aspx">submission criteria for both programs</a> are&nbsp;similar &ndash; but the source may be different.</p> <p><strong>To participate in the expanded bounty program, organizations must pre-register with us before turning in a submission by emailing us at doa [at] Microsoft [dot] com.</strong> After you preregister and sign an agreement, we&rsquo;ll accept an entry of technical write-up and proof of concept code for bounty consideration.<br /><br />We want to learn about these rare new exploitation techniques as early as possible, ideally before they are used, but we&rsquo;ll pay for them even if they are currently being used in targeted attacks if the attack technique is new &ndash; because we want them dead or alive.</p> <p>This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets.&nbsp;Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it.&nbsp; By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery.</p> <p>We shall see how the 
song plays out, but I for one am excited for more singers to step up to the microphone, or to sing out from the sidelines.</p> <p>&nbsp;</p> <p>Katie Moussouris</p> <p>Senior Security Strategist and karaoke MC</p> <p>Microsoft Security Response Center</p> <p><a href="http://twitter.com/k8em0">http://twitter.com/k8em0</a><br />(that&rsquo;s a zero)</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3607648&AppID=4967&AppType=Weblog&ContentType=0" width="1" height="1"> Software Defense: mitigating heap corruption 
vulnerabilitieshttp://blogs.technet.com/b/srd/archive/2013/10/29/software-defense-mitigation-heap-corruption-vulnerabilities.aspxTue, 29 Oct 2013 11:10:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:8fc71019-1904-4313-adf2-aa1d3144cea9swiat0<p><span style="font-family: Calibri; font-size: small;">Heap corruption vulnerabilities are the most common type of vulnerability that Microsoft addresses through security updates today. These vulnerabilities typically occur as a result of programming mistakes that make it possible to write beyond the bounds of a heap buffer (a <em>spatial</em> issue) or to place a heap allocated object in an unexpected state such as by using the object after it has been freed (a <em>temporal</em> issue). Over time, attackers have developed a number of techniques to help them exploit various types of heap corruption vulnerabilities. Starting with Windows XP Service Pack 2, Microsoft began introducing hardening changes to the Windows heap manager that were designed to make it more difficult to exploit heap corruption vulnerabilities. In this blog post, we will review some of the general methods that have been used to exploit and mitigate heap corruption vulnerabilities and highlight hardening changes that have been made in Windows 8 and Windows 8.1 to further complicate exploitation. 
For more background on the Windows 8 heap architecture, please refer to the </span><a href="http://channel9.msdn.com/Shows/Going+Deep/Inside-Windows-8-Greg-Colombo-Heap-Manager"><span style="color: #0563c1; font-family: Calibri; font-size: small;">Channel 9 interview on the Windows 8 heap manager</span></a><span style="font-size: small;"><span style="font-family: Calibri;">.</span></span></p> <h1><span style="color: #2e74b5;">Heap corruption exploitation, then and now</span></h1> <p><span style="font-family: Calibri; font-size: small;">In a </span><a href="http://blogs.technet.com/b/srd/archive/2009/08/04/preventing-the-exploitation-of-user-mode-heap-corruption-vulnerabilities.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">previous blog post</span></a><span style="font-size: small;"><span style="font-family: Calibri;">, we covered the history of heap-based exploitation and mitigation techniques from Windows XP through Windows 7. This blog post showed that prior to Windows Vista, most of the research on heap corruption exploitation techniques focused on corrupting heap metadata in order to achieve more powerful exploitation primitives (such as the ability to write an arbitrary value to any location in memory). One of the reasons attackers focused on corrupting heap metadata is because it was always present and therefore could enable application-independent (generic) exploitation techniques. The release of Windows Vista changed the landscape of heap exploitation through numerous heap hardening changes that addressed nearly all of the heap metadata corruption exploitation techniques that were known at the time.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">As a consequence of the hardening changes in Windows Vista, attackers have largely shifted their focus toward exploitation techniques that rely on corrupting application-specific data stored on the heap. 
For example, attackers will attempt to use a heap corruption vulnerability to corrupt the C++ virtual table pointer of an object on the heap or to corrupt the base or length field of a heap-allocated array to achieve the ability to read or write to any location in memory. There has been additional research on heap metadata corruption post-Windows Vista and there are a small number of known real-world exploits that have relied on these metadata corruption techniques [1,2,3,4], but as this blog post will show, all of the publicly known exploitation techniques that rely on metadata corruption have been addressed in Windows 8.1.</span></span></p> <h1><span style="color: #2e74b5;">Heap corruption mitigations </span></h1> <p><span style="font-size: small;"><span style="font-family: Calibri;">The heap manager in Windows 8 and Windows 8.1 builds on the hardening changes of previous Windows releases by incorporating new security features that mitigate not only metadata corruption techniques but also less generic techniques that rely on corrupting application-specific data. These new security features can be broken down into the following categories: heap integrity checks, guard pages, and allocation order randomization. All of the security features introduced in Windows 8 have been inherited by Windows 8.1.</span></span></p> <p><span style="font-size: medium;"><span style="color: #2e74b5;">Heap integrity checks</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">The heap manager in Windows 8 and Windows 8.1 includes a number of new integrity checks that are designed to detect heap metadata corruption and terminate an application safely if corruption is detected. 
This section describes some of the noteworthy integrity checks that have been added.</span></span></p> <p><span style="color: #1f4d78;">Catch-all exception handling blocks have been removed</span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Previous versions of the Windows heap made use of catch-all exception handling blocks in certain cases where exceptions were considered non-fatal.&nbsp; This had the potential to make it easier for attackers to exploit heap corruption issues in certain cases, in particular by allowing an attacker multiple attack attempts.&nbsp; Therefore, these catch-all blocks have been removed from the heap in Windows 8, meaning such exceptions now lead to safe termination of the application.</span></span></p> <p><span style="color: #1f4d78;">HEAP handle can no longer be freed</span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">The HEAP handle is an internal data structure that is used to maintain the state associated with a given heap.&nbsp; Prior to Windows 8, an attacker could use a heap-based memory corruption vulnerability to coerce the heap into freeing the HEAP handle data structure.&nbsp; After doing this, the attacker could force the heap to reallocate the memory that previously stored the HEAP handle state.&nbsp; This in turn allowed an attacker to corrupt internal heap metadata, including certain function pointer fields.&nbsp; The Windows 8 heap mitigates this attack by preventing a HEAP handle from being freed.</span></span></p> <p><span style="color: #1f4d78;">HEAP CommitRoutine encoded by a global key</span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">The HEAP handle data structure includes a function pointer field called CommitRoutine that is called when memory regions within the heap are committed.&nbsp; Starting with Windows Vista, this field was encoded using a random value that was also stored as a field in the HEAP handle data 
structure.&nbsp; While this mitigated trivial corruption of only the CommitRoutine function pointer, it did not mitigate the case where an attacker could corrupt both the CommitRoutine and the field that stored the encoding key.&nbsp; The Windows 8 heap mitigates this attack by using a global key to encode the CommitRoutine function pointer rather than a key that is stored within the HEAP handle data structure.&nbsp; </span></span></p> <p><span style="color: #1f4d78;">Extended block header validation</span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Each heap allocation returned by the Windows heap has a header that describes the allocation&rsquo;s size, flags, and other attributes. &nbsp;In some cases, the Windows heap may flag an allocation as having an <em>extended block header</em> which informs the heap that there is additional metadata associated with the allocation.&nbsp; In previous versions of Windows, an attacker could corrupt the header of an allocation and make it appear as if the allocation had an extended block header.&nbsp; This could then be used by an attacker to force the heap to free another allocation that is currently in use by the program.&nbsp; The Windows 8 heap mitigates this attack by performing additional validation on extended block headers to ensure that they are correct.</span></span></p> <p><span style="color: #1f4d78;">Blocks cannot be allocated if they are already busy</span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Some of the attacks that have been proposed by security researchers rely on reallocating memory that is already in use by the program (e.g. 
[3]).&nbsp; This can allow an attacker to corrupt the state of an in-use heap allocation, such as a C++ object, and thereby gain control of the instruction pointer.&nbsp; The Windows 8 heap mitigates this attack by verifying that an allocation is not already flagged as in-use (&ldquo;busy&rdquo;) when it is about to be allocated.&nbsp; If a block is flagged as in-use, the heap takes steps to safely terminate the process.</span></span></p> <p><span style="color: #1f4d78;">Encoded FirstAllocationOffset and BlockStride</span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">One of the exploitation techniques proposed in [4] involved corrupting heap metadata (FirstAllocationOffset and BlockStride) that is used by the Low Fragmentation Heap (LFH) to calculate the address of an allocation within a subsegment. By corrupting these fields, an attacker can trick the heap into returning an address that is outside the bounds of a subsegment and potentially enable corruption of other in-use heap allocations. 
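Two of the checks described above, modelled in a toy allocator as an added example (the structures, field names and fixed keys are constructed for this page and are not the Windows heap's): first the CommitRoutine encoding, comparing a key stored beside the pointer in the HEAP structure with a process-wide key that the same heap overwrite cannot reach, and then the busy check made when a block is about to be handed out. The same keyed encoding is what denies an attacker a chosen decoded value for any metadata field, not only a function pointer. The global key is a fixed constant here so the run is deterministic; a real heap generates it from a CSPRNG at process start.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of two heap metadata integrity checks (constructed for this
   example; the layout, names and fixed keys are not the Windows heap's). */

#define NBLOCKS 8
#define BLOCK_FLAG_BUSY 0x1u

typedef struct {
    uint8_t flags;      /* BLOCK_FLAG_BUSY while the block is handed out */
    uint8_t data[31];
} toy_block;

typedef void (*commit_routine_t)(void *);

/* Per-heap state, the "HEAP handle" of the text. In the weak scheme the key
   that protects commit_routine lives here, right next to the pointer. */
typedef struct {
    uintptr_t commit_routine_encoded;
    uintptr_t per_heap_key;          /* reachable by the same overwrite that reaches the pointer */
    uint32_t  free_list[NBLOCKS];    /* indices of free blocks, used as a stack */
    uint32_t  free_count;
    toy_block blocks[NBLOCKS];
} toy_heap;

/* Strong scheme: one process-wide key kept outside heap-controlled memory.
   Fixed here so the example is deterministic; a real heap would draw it
   from a CSPRNG at process start. */
static const uintptr_t g_global_key = (uintptr_t)0x5A17C0DEu;

enum key_scheme { KEY_IN_HEAP, KEY_GLOBAL };

static void real_commit(void *p)     { (void)p; }
static void attacker_target(void *p) { (void)p; }

static uintptr_t key_for(const toy_heap *h, enum key_scheme scheme) {
    return scheme == KEY_IN_HEAP ? h->per_heap_key : g_global_key;
}

static void heap_init(toy_heap *h, enum key_scheme scheme) {
    memset(h, 0, sizeof *h);
    h->per_heap_key = (uintptr_t)0x13579BDFu;            /* would be random per heap */
    h->commit_routine_encoded = (uintptr_t)real_commit ^ key_for(h, scheme);
    for (uint32_t i = 0; i < NBLOCKS; i++) h->free_list[i] = NBLOCKS - 1 - i;  /* block 0 comes off first */
    h->free_count = NBLOCKS;
}

static commit_routine_t heap_decode_commit(const toy_heap *h, enum key_scheme scheme) {
    return (commit_routine_t)(h->commit_routine_encoded ^ key_for(h, scheme));
}

/* Attack 1: an overwrite that covers the HEAP structure replaces the encoded
   pointer and the per-heap key with values of the attacker's choosing.
   Returns true if the heap would now call the attacker's function. */
static bool forge_commit_routine(enum key_scheme scheme) {
    toy_heap h;
    heap_init(&h, scheme);
    uintptr_t attacker_key = 0;                          /* any value the attacker knows */
    h.per_heap_key = attacker_key;
    h.commit_routine_encoded = (uintptr_t)attacker_target ^ attacker_key;
    return heap_decode_commit(&h, scheme) == attacker_target;
}

/* Pop a block off the free list. With check_busy set, a block whose header
   already says "busy" is refused (the Windows 8 check); a real heap would
   terminate the process at that point, this model just returns NULL. */
static toy_block *heap_alloc(toy_heap *h, bool check_busy) {
    if (h->free_count == 0) return NULL;
    uint32_t idx = h->free_list[h->free_count - 1];
    if (idx >= NBLOCKS) return NULL;                     /* corrupted index */
    toy_block *b = &h->blocks[idx];
    if (check_busy && (b->flags & BLOCK_FLAG_BUSY)) return NULL;
    h->free_count--;
    b->flags |= BLOCK_FLAG_BUSY;
    return b;
}

/* Attack 2: the next free-list entry is corrupted to point at a block the
   program still uses (a live C++ object, say). Returns true if the allocator
   handed that in-use block out a second time. */
static bool realloc_busy_block(bool check_busy) {
    toy_heap h;
    heap_init(&h, KEY_GLOBAL);
    toy_block *victim = heap_alloc(&h, check_busy);      /* the program's live object */
    if (!victim) return false;
    strcpy((char *)victim->data, "live object");
    h.free_list[h.free_count - 1] = (uint32_t)(victim - h.blocks);  /* corrupted free-list entry */
    return heap_alloc(&h, check_busy) == victim;
}

int main(void) {
    printf("forged CommitRoutine, key in HEAP: %d\n", forge_commit_routine(KEY_IN_HEAP));
    printf("forged CommitRoutine, global key:  %d\n", forge_commit_routine(KEY_GLOBAL));
    printf("busy block re-allocated, unchecked: %d\n", realloc_busy_block(false));
    printf("busy block re-allocated, checked:   %d\n", realloc_busy_block(true));
    return 0;
}
```

With the key inside the HEAP structure the forged pointer decodes to exactly the attacker's function; with the global key the decode yields a value the attacker cannot steer, because the key never sits in memory that the same heap write can reach. The busy check turns the free-list corruption into a detectable inconsistency at the moment the block would be handed out, well before the doubly-allocated object is misused.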
The heap manager in Windows 8.1 addresses this attack by encoding the FirstAllocationOffset and BlockStride fields in order to limit an attacker&rsquo;s ability to deterministically control the calculation of allocation addresses by the LFH.</span></span></p> <p><span style="font-size: medium;"><span style="color: #2e74b5;">Guard pages</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">One of the ways that the Windows 8 heap better protects application data and heap metadata is through the use of <em>guard pages</em>.&nbsp; In this context, a guard page is an inaccessible page of memory that will cause an access violation if an application attempts to read from it or write to it.&nbsp; Placing a guard page between certain types of sub-regions within the heap helps to partition the heap and localize any memory corruptions that may occur.</span></span></p> <p><span style="font-family: Calibri; font-size: small;">In an ideal setting, the Windows heap would encapsulate all allocations in guard pages in a manner that is similar to </span><a href="http://technet.microsoft.com/en-us/library/ff549561"><span style="color: #0563c1; font-family: Calibri; font-size: small;">full-page heap verification</span></a><span style="font-size: small;"><span style="font-family: Calibri;">. Unfortunately, this type of protection is not feasible for performance reasons. Instead, the Windows 8 heap uses guard pages to isolate certain types of sub-regions within the heap. In particular, guard pages are enabled for the following types of sub-regions:</span></span></p> <ul> <li><span style="font-size: small;"><span style="font-family: Calibri;"><strong>Large allocations</strong>. 
In cases where an application attempts to allocate memory that is larger than 512K (on 32-bit) or 1MB (on 64-bit), the memory allocation request is passed directly to the virtual memory allocator and the size is updated to allocate extra space for a guard page.&nbsp; This ensures that all large allocations have a trailing guard page.</span></span></li> <li><span style="font-size: small;"><span style="font-family: Calibri;"><strong>Heap segments</strong>. The Windows heap allocates large chunks of memory, known as heap segments, which are divided up as an application allocates memory.&nbsp; The Windows 8 heap adds a trailing guard page to all heap segments when they are allocated.</span></span></li> <li><span style="font-size: small;"><span style="font-family: Calibri;"><strong>Maximally-sized subsegments</strong>. Each heap segment may contain one or more subsegments that are used by the frontend allocator (the Low Fragmentation Heap, or LFH) to allocate blocks of the same size.&nbsp; Once a certain threshold has been reached for allocating blocks of a given size, the LFH will begin allocating <em>maximally-sized subsegments</em>, which are subsegments that contain the maximum number of blocks possible for a given size.&nbsp; The Windows 8 heap adds a trailing guard page to maximally-sized subsegments. 
For 32-bit applications, guard pages are inserted probabilistically to minimize the amount of virtual address space that is consumed.</span></span></li> </ul> <p><span style="font-size: medium;"><span style="color: #2e74b5;">Allocation order randomization</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">One of the behaviors that attackers rely on when exploiting heap buffer overruns is that there must be a way to reliably position certain heap allocations adjacent to one another.&nbsp; This requirement stems from the fact that an attacker needs to know how many bytes must be written in order to corrupt a target allocation on the heap (while minimizing collateral damage to the heap that could cause the application and hence the attack to be terminated).&nbsp; Attackers typically try to ensure that allocations are immediately adjacent to each other through techniques that are often referred to as <em>heap massaging</em> or <em>heap normalization</em>.&nbsp; These techniques attempt to bring the heap into a state where new allocations are placed at a desired location with respect to one another.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">In Windows 8, a new security feature has been added to the LFH which randomizes the order of allocations. 
This means that allocations that are made through the LFH are no longer guaranteed to be placed immediately adjacent to one another even after an attacker has attempted to normalize the heap.&nbsp; This has the effect of preventing an attacker from reliably assuming that an allocation containing a target object will be positioned after the allocation that they are able to overflow.&nbsp; While an attacker may attempt to increase the reliability of their attack by corrupting more data or allocating more target objects, they run the risk of destabilizing the process by corrupting other heap state or causing the process to terminate by accessing a guard page as described in the previous section. This is a good example of several mitigations working together: none is foolproof on its own, but combined they result in increasingly complex requirements for a successful attack.</span></span></p> <p><span style="font-family: Calibri; font-size: small;">Although allocation order randomization helps make the internal layout of the heap nondeterministic, there are limits to how far it goes. First and foremost, the performance of the Windows heap is critical, as it is used as a general purpose memory allocator by the vast majority of the applications that run on Windows. As a consequence, allocation order randomization is currently limited to randomizing allocations within individual LFH subsegments (which account for the majority of allocations made by applications). This means backend allocations have no inherent entropy and therefore may be subject to deterministic allocation patterns, as noted in [5]. In addition to performance, there are also inherent limits to the effectiveness of allocation order randomization. If an attacker can read the contents of heap memory, they may be able to overcome the effects of randomization. 
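</span></p> <p><span style="font-family: Calibri; font-size: small;">The trailing guard page for large allocations, as an added example that is not the Windows heap&rsquo;s own code: it reproduces the large-allocation path described in the guard pages section above on top of POSIX mmap/mprotect (standing in for the Windows virtual memory allocator), appends one inaccessible page after the buffer, and then probes that a write to the last byte succeeds while a write one byte past the end faults. The 512K threshold is the 32-bit figure quoted above; the 16-byte alignment, the right-aligned placement of the buffer and the fault-catching probe are assumptions made for this demo.</span></p>

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Added model of a large-allocation path with a trailing guard page, built on
 * POSIX mmap/mprotect; not the Windows heap's code. The threshold is the
 * 32-bit figure from the post; alignment and placement are demo choices. */
#define LARGE_THRESHOLD (512u * 1024u)

typedef struct {
    uint8_t *map;      /* start of the mapping */
    size_t   map_len;  /* mapped bytes, guard page included */
    uint8_t *user;     /* pointer handed to the caller */
    size_t   size;     /* bytes requested */
} large_alloc_t;

static size_t page_size(void)
{
    long p = sysconf(_SC_PAGESIZE);
    return p > 0 ? (size_t)p : 4096;
}

/* Returns 1 on success. Refuses sizes below the large threshold (those would
 * go to the normal heap), arithmetic overflow, or an OS failure. */
int large_alloc(large_alloc_t *a, size_t size)
{
    size_t ps = page_size();
    if (size < LARGE_THRESHOLD || size > SIZE_MAX - 2 * ps) return 0;
    size_t body  = (size + ps - 1) / ps * ps;    /* whole pages for the data */
    size_t total = body + ps;                    /* plus one guard page */
    uint8_t *m = mmap(NULL, total, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return 0;
    /* The trailing page stays mapped but inaccessible: any read or write to it
     * raises an access violation instead of silently reaching a neighbour. */
    if (mprotect(m + body, ps, PROT_NONE) != 0) { munmap(m, total); return 0; }
    a->map = m; a->map_len = total; a->size = size;
    /* Demo choice: end the buffer exactly at the guard page (16-byte aligned)
     * so that an overrun of even one byte faults. */
    a->user = m + body - ((size + 15) & ~(size_t)15);
    return 1;
}

void large_free(large_alloc_t *a)
{
    munmap(a->map, a->map_len);
    memset(a, 0, sizeof *a);
}

/* Probe: write one byte at p. Returns 1 if the write faulted, 0 if it worked.
 * sigsetjmp/siglongjmp let the demo survive the SIGSEGV (SIGBUS on some OSes). */
static sigjmp_buf probe_env;
static void on_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

int write_faults(volatile uint8_t *p)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted = 1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(probe_env, 1) == 0) {
        *p = 0x41;
        faulted = 0;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* A 1 MB buffer: writing its last byte works, writing one byte past the end
 * hits the guard page. Returns 1 when both hold, -1 if allocation failed. */
int demo_guard_page(void)
{
    large_alloc_t a;
    if (!large_alloc(&a, 1024 * 1024)) return -1;
    int last_ok  = !write_faults(a.user + a.size - 1);
    int overflow =  write_faults(a.user + a.size);   /* off by one */
    large_free(&a);
    return last_ok && overflow;
}

int main(void)
{
    printf("guard page demo: %d (1 = overrun trapped)\n", demo_guard_page());
    return 0;
}
```

<p><span style="font-family: Calibri; font-size: small;">Two caveats. A real allocator is not obliged to right-align the buffer, so a short overrun of a large allocation may first land in the rounding slack before the guard page; what the guard page guarantees is that the corruption cannot spread past the end of the mapping into whatever is mapped next, which is the localization described above. And the access violation is meant to be fatal: catching it with a signal handler, as the probe does here, is a test convenience, not something an application should rely on.</span></p> <p><span style="font-family: Calibri; font-size: small;">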
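</span></p> <p><span style="font-family: Calibri; font-size: small;">The busy-flag check, the encoded FirstAllocationOffset/BlockStride fields and allocation order randomization, modelled together in one toy LFH-style subsegment. This is an added example, not the Windows heap&rsquo;s code or layout: the 64-block subsegment, the 8-byte block header with a busy bit, the XOR encoding with a per-heap key, the range check applied to the decoded fields and the xorshift generator are all assumptions made for the demo.</span></p>

```c
#include <stdint.h>
#include <string.h>

/* Toy model of one LFH-style subsegment: an added example, not the Windows heap's
 * code or layout. Block size, header layout, PRNG and range check are assumptions. */
#define BLOCK_COUNT 64u
#define BLOCK_SIZE  32u
#define HDR_SIZE    8u       /* per-block header; bit 0 is the busy flag */
#define HDR_BUSY    0x01u
#define SLACK       (8u * BLOCK_SIZE)

typedef struct {
    uint8_t  data[BLOCK_COUNT * BLOCK_SIZE + SLACK];
    uint8_t  bitmap[BLOCK_COUNT];   /* allocator's own view: 1 = handed out */
    uint32_t key;                   /* per-heap random key; next two fields are stored XOR key */
    uint32_t enc_first_offset, enc_block_stride;
    uint32_t rng;                   /* xorshift32 state */
    int      corrupted;             /* set when an integrity check fails */
} subsegment_t;

void subsegment_init(subsegment_t *s, uint32_t key, uint32_t seed)
{
    memset(s, 0, sizeof *s);
    s->key = key; s->rng = seed ? seed : 1u;
    s->enc_first_offset = 0u ^ key;
    s->enc_block_stride = BLOCK_SIZE ^ key;
}

/* Decode the metadata and compute block `index`. Without the key an attacker cannot
 * choose what an overwritten field decodes to, so the range check fails and we refuse. */
uint8_t *subsegment_block(subsegment_t *s, uint32_t index)
{
    uint64_t first  = s->enc_first_offset ^ s->key;
    uint64_t stride = s->enc_block_stride ^ s->key;
    uint64_t end    = first + (uint64_t)(BLOCK_COUNT - 1) * stride + BLOCK_SIZE;
    if (index >= BLOCK_COUNT || stride < BLOCK_SIZE || end > sizeof s->data) {
        s->corrupted = 1;
        return NULL;
    }
    return s->data + first + index * stride;
}

/* Hand out a free block, scanning from a random start; block index -> *index_out. */
void *subsegment_alloc(subsegment_t *s, uint32_t *index_out)
{
    uint32_t x = s->rng;                          /* xorshift32 step */
    x ^= x << 13; x ^= x >> 17; x ^= x << 5; s->rng = x;
    for (uint32_t n = 0; n < BLOCK_COUNT; n++) {
        uint32_t i = (x % BLOCK_COUNT + n) % BLOCK_COUNT;
        if (s->bitmap[i]) continue;
        uint8_t *blk = subsegment_block(s, i);
        if (!blk) return NULL;
        /* bitmap says free but the header says busy: corruption, refuse the block */
        if (blk[0] & HDR_BUSY) { s->corrupted = 1; return NULL; }
        blk[0] |= HDR_BUSY;
        s->bitmap[i] = 1; *index_out = i;
        return blk + HDR_SIZE;
    }
    return NULL;  /* full */
}

/* Fill the subsegment; return how many consecutive allocations were adjacent
 * (first-fit would give BLOCK_COUNT - 1), or -1 on any anomaly. */
int demo_randomized_order(void)
{
    subsegment_t s;
    int seen[BLOCK_COUNT] = {0}, adjacent = 0;
    uint32_t i = 0, prev = 0;
    subsegment_init(&s, 0xA5A5A5A5u, 0x2545F491u);
    for (uint32_t k = 0; k < BLOCK_COUNT; k++, prev = i) {
        if (subsegment_alloc(&s, &i) == NULL || seen[i]) return -1;
        seen[i] = 1;
        if (k && i == prev + 1) adjacent++;
    }
    return subsegment_alloc(&s, &i) == NULL ? adjacent : -1;
}

/* Set the busy bit of free block 20 (what an overflow from block 19 could do),
 * then fill the subsegment: the allocator must refuse when it reaches it. */
int demo_busy_check(void)
{
    subsegment_t s;
    uint32_t i;
    subsegment_init(&s, 0xA5A5A5A5u, 7u);
    subsegment_block(&s, 20)[0] |= HDR_BUSY;
    for (uint32_t k = 0; k < BLOCK_COUNT; k++)
        if (subsegment_alloc(&s, &i) == NULL) return s.corrupted;
    return 0;
}

/* Raw overwrite of FirstAllocationOffset with 256, so "block 0" would start
 * where live block 8 is. Unencoded (key 0) accepts it; encoded refuses. */
int demo_encoded_metadata(void)
{
    subsegment_t plain, enc;
    subsegment_init(&plain, 0u, 1u);
    subsegment_init(&enc, 0xA5A5A5A5u, 1u);
    uint8_t *block8 = subsegment_block(&plain, 8);
    plain.enc_first_offset = enc.enc_first_offset = 8u * BLOCK_SIZE;
    return subsegment_block(&plain, 0) == block8 &&
           subsegment_block(&enc, 0) == NULL && enc.corrupted;
}
```

<p><span style="font-family: Calibri; font-size: small;">demo_randomized_order returns how many of the 63 consecutive allocation pairs landed in adjacent blocks; a first-fit allocator would return 63, the randomized start returns far fewer, which is exactly the adjacency that the heap massaging techniques described above depend on. The toy&rsquo;s range check on the decoded fields is a stand-in: the post says only that the fields are encoded, and the benefit it describes is that an attacker without the key cannot make them decode to a chosen value. The limitations described above also hold for the toy: the randomization is confined to one subsegment, and an attacker who can read heap memory (here, the key and the bitmap) can recover the layout.</span></p> <p><span style="font-family: Calibri; font-size: small;">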
Similarly, allocation order randomization is not designed to strongly mitigate heap vulnerabilities that are related to object lifetime issues, such as use after free vulnerabilities. This is because an attacker will generally be able to allocate a sufficient number of replacement objects to overcome the effects of allocation order randomization. We&rsquo;ll discuss some other mitigations that are targeted at addressing use after free issues, which are </span><a href="http://www.microsoft.com/en-us/download/details.aspx?id=39680"><span style="color: #0563c1; font-family: Calibri; font-size: small;">increasingly preferred by exploit writers</span></a><span style="font-size: small;"><span style="font-family: Calibri;">, later in this series.</span></span></p> <h1><span style="color: #2e74b5;">Conclusion</span></h1> <p><span style="font-size: small;"><span style="font-family: Calibri;">The hardening changes that have been made to the Windows heap manager in Windows 8 and Windows 8.1 have been designed to make it more difficult and costly to exploit heap corruption vulnerabilities. This has been accomplished by adding additional integrity checks to metadata that is used by the heap, by protecting application data stored on the heap through the use of guard pages, and by randomizing the order of allocations. These mitigations do not make heap corruption vulnerabilities impossible to exploit, but they do have an impact on the time it takes to develop an exploit and how reliable an exploit will be. Both of these factors play a role in determining whether or not an attacker will develop an exploit for a vulnerability. With that being said, the fact that heap corruption vulnerabilities are the most common vulnerability class that we address through security updates means it is likely that we will continue to see additional research into new exploitation techniques for heap vulnerabilities in the future. 
As such, we will continue to look for ways to harden the Windows heap to further increase the difficulty of developing reliable exploits for heap corruption vulnerabilities.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">- Matt Miller</span></span></p> <h1><span style="color: #2e74b5;">References</span></h1> <p><span style="font-size: small;"><span style="font-family: Calibri;">[1] Ben Hawkes. Attacking the Vista Heap. Black Hat USA. Aug, 2008.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">[2] Ben Hawkes. Attacking the Vista Heap. Ruxcon. Nov, 2008.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">[3] Chris Valasek. Modern Heap Exploitation using the Low Fragmentation Heap. SyScan Taipei. Nov, 2011.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">[4] Chris Valasek. Windows 8 Heap Internals. Black Hat USA. Aug, 2012.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">[5] Zhenhua Liu. Advanced Heap Manipulation in Windows 8. Black Hat Europe. Mar, 2013.</span></span></p> <p><strong>MS13-080 addresses two vulnerabilities under limited, targeted attacks</strong><br /><a href="http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx">http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx</a><br />Posted by swiat on Tue, 08 Oct 2013 17:12:00 GMT</p> <p>Today we released MS13-080, which addresses nine CVEs in Internet Explorer. 
This bulletin fixes multiple security issues, including two critical vulnerabilities that have been actively exploited in limited, targeted attacks, which we discuss in detail in this blog entry.</p> <p><strong>CVE-2013-3893: the final patch after the Fix it workaround</strong></p> <p>Previously, Microsoft released <a href="http://technet.microsoft.com/en-us/security/advisory/2887505">Security Advisory 2887505</a> and made available the <a href="http://go.microsoft.com/?linkid=9838025">Fix it workaround 51001</a> to provide early protection to all customers for an actively exploited security issue that was reported to us. Fix it workarounds are an example of the reactive steps that MSRC can take to protect customers early during active attacks, in combination with technologies such as <a href="http://www.microsoft.com/en-us/download/details.aspx?id=39273">EMET</a> that make exploitation more complicated for attackers. Judging by the download numbers, users appreciate Fix it workarounds, and we are glad that they proactively use this type of protection where possible while waiting for the comprehensive update. Today&rsquo;s bulletin for Internet Explorer addresses this CVE, so we recommend that all customers (with or without the Fix it workaround applied) prioritize the installation of this security update. 
Customers who installed Fix it workaround 51001 can install the MS13-080 update at any time and then remove the Fix it using uninstaller <a href="http://go.microsoft.com/?linkid=9838026">51002</a> (as usual, the presence of a Fix it does not interfere with security updates or upcoming bulletins).</p> <p>We are aware that a <a href="https://community.rapid7.com/community/metasploit/blog/2013/09/30/metasploit-releases-cve-2013-3893-ie-setmousecapture-use-after-free">Metasploit module</a> has recently been released for this CVE; however, from the telemetry received from our partners and sensor feeds, the exploitation activity detected so far is still limited in nature and specifically targets older IE versions (8 and 9) using an ASLR bypass that requires the presence of Office 2007/2010 on the machine.</p> <p><strong>CVE-2013-3897: the unexpected use-after-free</strong></p> <p>MS13-080 also fixes a second vulnerability that has been exploited in limited attacks over the web. This issue is a use-after-free in CDisplayPointer, triggered through the &ldquo;onpropertychange&rdquo; event handler. The exploit was found cached on a popular JavaScript analysis website and reported to us. 
The exploit code for this issue, probably released around mid-September, uses a heap spray to place a small ROP chain around address 0x14141414 and is designed to target only IE8 running on Windows XP for users with Korean or Japanese language settings, as shown in the JavaScript code snippet below.</p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/2133.ie.png"><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/2133.ie.png" alt="JavaScript code snippet from the CVE-2013-3897 exploit" border="0" /></a></p> <p>We&rsquo;d like to take this opportunity to thank our valued partners Trustwave, the National Cyber Security Centre of the Netherlands, and Renato Ettisberger from IOprotect GmbH for reporting this vulnerability in a coordinated manner and for collaborating with us. We also decided to provide additional details of the exploit and its payload to help security vendors and users strengthen their defenses against these attacks while the security updates are being applied.</p> <table border="1"> <tbody> <tr> <td><strong>MALICIOUS URL</strong></td> <td><strong>SHA1</strong></td> </tr> <tr> <td>hXXp://1.234.31.[x]/mii/swf.js</td> <td>5F153C6ACB5F63691769E6B8C1FAC772928B08D8</td> </tr> <tr> <td>hXXp://1.234.31.[x]/mii/guy2.html</td> <td>C15DBB6E1206F55553FC892BEA41747FC56532AE</td> </tr> <tr> <td>hXXp://1.234.31.[x]/mii/fird.gif</td> <td>A44649623478987F87ACF6292865D3FCB4294072</td> </tr> </tbody> </table> <p>NOTE: [x] was observed to vary between the values .153 and .154.</p> <p>As observed in both exploits, attackers target previous versions of Internet Explorer on older platforms where the newest mitigations are not available or not enabled by default. We therefore advise users to install and use the latest version of Internet Explorer on a modern version of Windows in order to raise the cost of exploitation for attackers and benefit from better defenses. 
For more information about the impact of software mitigations on patterns of vulnerability exploitation, see the <a href="http://www.microsoft.com/en-us/download/details.aspx?id=39680">whitepaper Microsoft recently released</a> on the role of software mitigations and the exploitation strategies of attackers.</p> <p>Special thanks to the IE team for assembling this fix in record time and to Richard van Eeden for helping analyze the root cause of the bugs.</p> <p>- Elia Florio, MSRC Engineering</p> <p>Tags: Zero-Day Exploit, fixit, Internet Explorer (IE), IE</p> <p><strong>Assessing risk for the October 2013 security updates</strong><br /><a href="http://blogs.technet.com/b/srd/archive/2013/10/08/assessing-risk-for-the-october-2013-security-updates.aspx">http://blogs.technet.com/b/srd/archive/2013/10/08/assessing-risk-for-the-october-2013-security-updates.aspx</a><br />Posted by swiat on Tue, 08 Oct 2013 16:56:00 GMT</p> <p>Today we released eight security bulletins addressing 25 CVEs. Four bulletins have a maximum severity rating of Critical, while the other four have a maximum severity rating of Important. 
We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.</p> <table border="1"> <tbody> <tr> <td><strong>Bulletin</strong></td> <td><strong>Most likely attack vector</strong></td> <td><strong>Max Bulletin Severity</strong></td> <td><strong>Max Exploitability</strong></td> <td><strong>Likely first 30 days impact</strong></td> <td><strong>Platform mitigations and key notes</strong></td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-080">MS13-080</a> <p>(Internet Explorer)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Likely to see continued attacks against both CVE-2013-3893 and CVE-2013-3897.</td> <td>Addresses two CVEs currently under limited attack and seven CVEs not known to be under attack.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-081">MS13-081</a> <p>(win32k.sys and OTF font parsing)</p> </td> <td>The most likely attack vector requires the attacker to already be running code on the machine and then use this vulnerability to elevate from a low-privileged account to SYSTEM. <p>An additional attack vector involves the victim browsing to a malicious webpage that serves an OTF font file, resulting in code execution as SYSTEM.</p> </td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within the next 30 days.</td> <td>&nbsp;</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-083">MS13-083</a> <p>(ComCtl32)</p> </td> <td>Victim opens a malicious RTF file with an embedded control in either Word or WordPad, resulting in potential code execution in the context of the logged-on user.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within the next 30 days.</td> <td>ComCtl32 is used in a number of different scenarios. 
We expect the most likely attack vector is via MSCOMCTL within an Office document. However, we encourage customers to apply the update on all systems to address other attack vectors as well.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-082">MS13-082</a> <p>(.NET Framework)</p> </td> <td>Victim browses to malicious XBAP application hosted by an Intranet zone website.</td> <td>Critical</td> <td>2</td> <td>Less likely to see reliable exploit developed for this or other .NET Framework vulnerabilities.</td> <td>&nbsp;</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-085">MS13-085</a> <p>(Excel)</p> </td> <td>Victim opens malicious Excel spreadsheet.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>&nbsp;</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-086">MS13-086</a> <p>(Word)</p> </td> <td>Victim opens malicious Word document.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Office 2010 and Office 2013 not affected.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-084">MS13-084</a> <p>(SharePoint)</p> </td> <td>Attacker sends victim a link exploiting a Cross-Site Scripting (XSS) vulnerability on an Intranet SharePoint server for which they have access rights. 
When the victim clicks the link, an action is taken automatically on their behalf on the SharePoint server that they otherwise might not have wanted to execute.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within the next 30 days.</td> <td>By default, modern browsers block XSS attacks in Internet Zone sites.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-087">MS13-087</a> <p>(Silverlight)</p> </td> <td>Possible to use as a component in a multi-stage attack, as this vulnerability gives an attacker access to memory addresses and/or contents from the same process.</td> <td>Important</td> <td>n/a</td> <td>No potential for direct code execution.</td> <td>Information disclosure only.</td> </tr> </tbody> </table> <p>- Jonathan Ness, MSRC Engineering</p> <p>Tags: Risk Assessment, rating</p> <p><strong>Congratulations to James Forshaw, Recipient of Our First $100,000 Bounty for New Mitigation Bypass Techniques!</strong><br /><a href="http://blogs.technet.com/b/bluehat/archive/2013/10/08/congratulations-to-james-forshaw-recipient-of-our-first-100-000-bounty-for-new-mitigation-bypass-techniques.aspx">http://blogs.technet.com/b/bluehat/archive/2013/10/08/congratulations-to-james-forshaw-recipient-of-our-first-100-000-bounty-for-new-mitigation-bypass-techniques.aspx</a><br />Posted by BlueHat on Tue, 08 Oct 2013 16:47:00 GMT</p> <p>Congratulations to James Forshaw for coming up with a new exploitation technique to get our first ever $100,000 bounty. 
A security vulnerability researcher with <a href="http://www.contextis.com/">Context Information Security</a>, James already came in hot with design level bugs he found during the <a href="http://www.microsoft.com/security/msrc/report/acknowledgement.aspx">IE11 Preview Bug Bounty</a>, and we&rsquo;re thrilled to give him even more money for helping us improve our platform-wide security by leaps.</p> <p>Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique. Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James&rsquo; submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty.</p> <p>While we can&rsquo;t go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants.</p> <p>The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack. This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.</p> <p>If you have a new mitigation bypass technique that can defeat our latest platform-wide mitigations, or new defense idea, and would like to participate in our bounty programs, please see the official guidelines <a href="http://www.microsoft.com/security/msrc/report/bypass_bounty.aspx">here</a>. 
For a technical description of an exploitation technique that would have qualified, please read the SRD blog by Matt Miller and William Peteroy <a href="http://blogs.technet.com/b/srd/archive/2013/08/12/mitigating-the-ldrhotpatchroutine-dep-aslr-bypass-with-ms13-063.aspx">here</a>. If you have an idea that&rsquo;s in scope, please send in your whitepaper and proof of concept code to secure [at] Microsoft [dot] com.</p> <p>We&rsquo;re not done evolving our freshly minted bounty programs, which have now paid out over $128,000.&nbsp;Watch this blog for future developments as we continue to hone the biggest ongoing vendor bounty program in the industry.</p> <p>Until then, our special thanks go to James: Congratulations and well done! You not only made history by receiving a total of $109,400 from our bounty programs, you&rsquo;re also helping us make our customers safer from entire classes of attack. On behalf of over a billion people worldwide -- Thank you and way to go!!</p> <p>&nbsp;</p> <p>Katie Moussouris</p> <p>Senior Security Strategist, Microsoft Security Response Center</p> <p><a href="http://twitter.com/k8em0">http://twitter.com/k8em0</a><br />(that&rsquo;s a zero)</p> <p><strong>Bounty News Update: Bountiful Harvest</strong><br /><a href="http://blogs.technet.com/b/bluehat/archive/2013/10/04/bounty-news-update-bountiful-harvest.aspx">http://blogs.technet.com/b/bluehat/archive/2013/10/04/bounty-news-update-bountiful-harvest.aspx</a><br />Posted by BlueHat on Fri, 04 Oct 2013 20:21:00 GMT</p> <p>Fall is a season traditionally associated with a harvest after planting the seeds and tending the crops.&nbsp;Today I&rsquo;m proud to announce the names of six very smart people who have helped us make our products more secure by participating in our new bounty programs.&nbsp; When we launched <a href="http://blogs.technet.com/b/bluehat/archive/2013/06/19/heart-of-blue-gold-announcing-new-bounty-programs.aspx">our bounty programs in June</a> this year, we had a few strategic goals in mind:</p> <ul> <li>Increase the win-win between the hacker/security researcher community and Microsoft&rsquo;s customers, and build relationships with new researchers in the process</li> <li>Receive more vulnerability reports earlier in the release cycle of our products, ideally during the beginning of the preview (or beta) period</li> <li>Learn about new exploitation techniques that can be used to defeat our platform-wide defenses, so we can build protections against entire classes of attack</li> </ul> <p>Now that we have permission from the bounty program recipients to publish their names and bounty amounts, I&rsquo;ll list them all <a 
href="http://www.microsoft.com/security/msrc/report/acknowledgement.aspx">here</a>.&nbsp;You may have seen a few congratulatory and celebratory tweets; we wanted to officially acknowledge these security researchers who have helped our customers by participating in our bounty programs.</p> <p>&nbsp;</p> <p align="center"><span style="font-size: medium;"><strong>On behalf of over a billion customers, THANK YOU!</strong> </span><br /><span style="font-size: medium;">James Forshaw </span><br /><span style="font-size: medium;">Ivan Fratric </span><br /><span style="font-size: medium;">Jose Antonio Vazquez Gonzalez </span><br /><span style="font-size: medium;">Masato Kinugawa </span><br /><span style="font-size: medium;">Fermin J. Serna </span><br /><span style="font-size: medium;">Peter Vreugdenhil</span></p> <p>&nbsp;</p> <p>I am also thrilled to highlight a few of our bounty program results:</p> <p><strong>Overall:</strong></p> <p>We&rsquo;ve worked with so many bright security researchers through the years, and are thrilled that through the bounty programs, we received reports from researchers who had never reported to us directly before. This means we have even more great minds interested in working directly with us to help make our products more secure.</p> <p><strong>IE11 Preview Bug Bounty:</strong></p> <p>During the first 30 days of the IE11 preview period we received several vulnerabilities that qualified for a bounty, in contrast to the first 30 days of the IE10 beta, when we did not receive any bulletin-class reports. The Preview period is a great time for us to receive these reports because we can address these issues earlier. Oftentimes, researchers typically do not report these findings until after code was released to manufacturing. 
With these submissions, we will be able to address these vulnerabilities earlier in the process, providing a more secure version of Internet Explorer.</p> <p>As the leaves turn colors and the temperatures cool off, I&rsquo;m happy to be sharing the bountiful harvest of our programs, started as seeds planted in early summer. It&rsquo;s been a great first three months of Microsoft&rsquo;s bounty programs, and we&rsquo;re overjoyed that our programs have been met with great participation and enthusiasm from the hacker community.</p> <p>Stay tuned for more news coming soon!</p> <p>Katie Moussouris<br />Senior Security Strategist, Microsoft Security Response Center<br /><a href="https://twitter.com/k8em0">http://twitter.com/k8em0</a> &nbsp;(that&rsquo;s a zero)</p> <p>Tags: bounty programs, Zero-Day Exploit, Bounty</p> <p><strong>Software Defense: mitigating stack corruption vulnerabilities</strong><br /><a href="http://blogs.technet.com/b/srd/archive/2013/10/02/software-defense-mitigating-stack-corruption-vulnerabilties.aspx">http://blogs.technet.com/b/srd/archive/2013/10/02/software-defense-mitigating-stack-corruption-vulnerabilties.aspx</a><br />Posted by swiat on Wed, 02 Oct 2013 10:16:00 GMT</p> <p><span style="font-size: medium;"><span style="color: #2e74b5;">Introduction</span></span></p> <p><span style="font-size: small;"><span 
style="font-family: Calibri;">One of the oldest forms of memory safety exploitation is that of stack corruption vulnerabilities, with several early high-profile exploits being of this type. It seems fitting therefore to kick off this Software Defense series by looking at the status of software defense today with respect to this age-old problem.</span></span></p> <p><span style="font-size: medium;"><span style="color: #2e74b5;">Mitigating stack-based corruption vulnerabilities</span></span></p> <p><span style="font-
