Trustworthy Computing Security and Privacy Blogs

This page consolidates and features blogs from Microsoft’s Trustworthy Computing (TwC) group, the team charged with delivering more secure, private and reliable computing experiences to customers around the globe. Drop by to read about Microsoft’s long-term vision and strategy for computing privacy and security.

Microsoft Bounty Programs Expansion – Nano Server Technical Preview Bounty, 30 Apr 2016 00:00:23 +0000

Microsoft is pleased to announce another expansion of the Microsoft Bounty Programs. Today we begin a bounty for the Nano Server installation option of Windows Server 2016 Technical Preview 5. Please visit to find more details.

Nano Server is a remotely administered, headless installation option of the server operating system. In this first release, the Nano Server deployment is focused on two scenarios:

  1. As the host for compute and/or storage clusters
  2. As a lightweight OS in a VM or container for “born in the cloud” applications.

In summary:

  • In scope: all binaries included in the Nano Server configuration of Windows Server 2016 Technical Preview 5 and any subsequent Betas, Technical Previews or Release Candidates during the bounty period
  • Hyper-V escapes and Mitigation Bypass vulnerabilities will be evaluated against the Mitigation Bypass Bounty instead
  • The bounty will run April 29, 2016 – July 29, 2016
  • Bounty payouts will range from $500 USD to $15,000 USD

These additions to the Microsoft Bounty Program will be part of the rigorous security programs at Microsoft. Bounties complement the Microsoft Security Development Lifecycle (SDL), the Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third-party audits.

As always, the most up-to-date information about the Microsoft Bounty Programs can be found on the Microsoft Bounty Programs site and in the associated terms and FAQs.

Changes to Security Update Links, 29 Apr 2016 22:17:32 +0000

Security updates have historically been published on both the Microsoft Download Center and the Microsoft Update Catalog, and Security Bulletins have linked directly to the update packages on the Microsoft Download Center. Some updates will no longer be available from the Microsoft Download Center.

Security bulletins will continue to link directly to the updates, but will point to the packages on the Microsoft Update Catalog for updates not available on the Microsoft Download Center. Customers that use tools linking to the Microsoft Download Center should follow the links provided in the Security Bulletins or search directly on the Microsoft Update Catalog.

For tips on searching the Microsoft Update Catalog, visit the frequently asked questions page.

Digging deep for PLATINUM, 26 Apr 2016 19:00:41 +0000

This blog introduces our latest report from the Windows Defender Advanced Threat Hunting team. You can read the full report at:

There is no shortage of headlines about cybercriminals launching large-scale attacks against organizations. For us, the activity groups that pose the most danger are the ones who selectively target organizations and desire to stay undetected, protect their investment, and maximize their ROI. That’s what motivated us – the Windows Defender Advanced Threat Hunting team, known as hunters – when we recently discovered a novel technique being used by one such activity group.

We have code named this group PLATINUM, following our internal practice of assigning rogue actors chemical element names. Based on our investigations, we know PLATINUM has been active since 2009 and primarily targets governmental organizations, defense institutes, intelligence agencies, and telecommunication providers in South and Southeast Asia. The group has gone to great lengths to develop covert techniques that allow them to conduct cyber-espionage campaigns for years without being detected.

Uncovering these kinds of techniques is true detective work, and finding them in the wild is a challenge, but with the wealth of anonymized information we can utilize from over 1 billion Windows devices, a broad spectrum of services, Microsoft’s intelligent security graph as well as advanced analytics and machine algorithms to surface suspicious behaviors, Microsoft is in the best position to do so.

Digging up the nugget

Through our advanced and persistent hunting, we discovered PLATINUM is using hotpatching as a technique to attempt to cloak a backdoor they use. Using hotpatching in the malicious context has been theorized [1], [2], but has not been observed in the wild before. Finding such techniques is a focus of the Microsoft APT hunter team, and we want to provide some brief insights on how the team dug up this PLATINUM “nugget”.

In the first part of this methodology, a hunter carves out some rough data sets from existing information and data that can be further analyzed. This could be based on rough heuristics, such as looking for files with high entropy, that were first observed recently, and that are confined to a geographic region that fits the profile of the activity group being investigated.

Carving the data still yields large data sets that can’t be manually analyzed, and advanced threat analytics can help in sorting through the data for meaningful information in the second step. Graph inferences through the Microsoft intelligent security graph can bubble pieces of information to the top of the queue for a hunter to choose from. In the PLATINUM investigation, we identified 31 files.

Lastly, the hunter works directly with the resulting set. During this stage of the PLATINUM investigation, a hunter found a file with an unusual string (“.hotp1”). The hunter’s experience and intuition drove him to dig deeper. In this case, that further investigation led us to the malicious use of hotpatching by this activity group, and the “nugget” was uncovered.

Deconstructing the attack

So what is hotpatching? Hotpatching is a previously supported OS feature for installing updates without having to reboot or restart a process. It requires administrator-level permissions, and at a high level, a hotpatcher can transparently apply patches to executables and DLLs in actively running processes.

Using hotpatching in a malicious context is a technique that can be used to avoid being detected, as many antimalware solutions monitor non-system processes for regular injection methods, such as CreateRemoteThread. Hotpatching originally shipped with Windows Server 2003 and was used to ship 10 patches to Windows Server 2003. Windows 10, our most secure operating system ever, is not susceptible to this and many other techniques and attack vectors.

What this means in practical terms is that PLATINUM was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hotpatching technique on a machine in Malaysia. This allowed PLATINUM to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.

Thwarting the bad guys

The Microsoft APT hunter team actively tracks activity groups like PLATINUM. We proactively identify these groups and the techniques they use and work to address vulnerabilities and implement security mitigations. The team builds detections and threat intelligence that are utilized by many of our products and services. Beta users of Windows Defender ATP can take advantage of this additional layer of protection and intelligence for a broad set of activity groups.

We’ve included a more technical exploration of our research and detection of the hotpatching technique in the remainder of this blog.

You can also see a closer look at the PLATINUM activity group in our report PLATINUM: Targeted attacks in South and Southeast Asia. Windows Defender Advanced Threat Protection beta and preview users can also find the report, along with other APT activity group reports, in the Windows Defender ATP portal.

We continue to dig for PLATINUM.

The Windows Defender Advanced Threat Hunting Team

Hotpatching – a case study

We first observed the sample (Sample1) that is capable of utilizing hotpatching on a machine in Malaysia (which matches the general target profile of PLATINUM) on January 28, 2016. The portable executable (PE) timestamp, which can be arbitrarily set by the adversary, dates back to August 9, 2015, while the unpacked version contains a PE timestamp for November 26, 2015.

It is a DLL that runs as a service and serves as an injector component of a backdoor. Interestingly, this sample not only supported the hotpatching technique described in this post, but was able to apply more common code-injection techniques, including the following, into common Windows processes (primarily targeting winlogon.exe, lsass.exe and svchost.exe):

  • CreateRemoteThread
  • NtQueueApcThread to run an APC in a thread in the target process
  • RtlCreateUserThread
  • NtCreateThreadEx

Hotpatching technique

For hotpatching, the sample goes through the following steps:

  1. It patches the loader with a proper hotpatch to treat injected DLLs with execute page permissions. This step is required for DLLs loaded from memory (in an attempt to further conceal the malicious code).
  2. The backdoor is injected into svchost using the hotpatch API.

Patching the loader is done by creating a section named “\knowndlls\mstbl.dll”. This DLL does not reside on-disk, but is rather treated as a cached DLL by the session manager.

It then proceeds to write a PE file within that section. The PE file will have one section (“.hotp1”) with the hotpatch header structure. This structure contains all the information necessary to perform the patching of the function “ntdll!LdrpMapViewOfSection” used by the loader, such that the loader will treat created sections as PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE. The patch is successfully applied by invoking NtSetSystemInformation.

Figure 1: The malware builds the information describing the first patch

Figure 2: The highlighted “push 4” is patched to “push 0x40”, meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Now that the memory permission issue has been solved, the injector can proceed with injecting the malicious DLL into svchost. Again, it creates a (now executable) section named “knowndlls\fgrps.dll” and invokes NtSetSystemInformation, causing the final payload to be loaded and executed within the target process (svchost).

Trying to hide the payload using hotpatching also falls in line with the last functional insights we have on the sample. It seems to have an expiry date of January 15, 2017 – at that point in time, the DLL will no longer perform the injection, but rather execute another PLATINUM implant:

C:\program files\Windows Journal\Templates\Cpl\jnwmon.exe -ua

This implant may be related to an uninstall routine. Note that we observed the sample last on the machine on September 3, 2015, which may indicate PLATINUM pulled the trigger earlier.
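The case study hinges on two file-level observations: an unusual section name (“.hotp1”) and a PE timestamp that the adversary controls. The following is an added example, not code from the post or from any Microsoft tool, showing how an analyst can pull both out of a PE section table for triage. The indicator set and the helper that builds a PE skeleton are assumptions made for this example; the bytes it produces are a constructed skeleton, not a real sample.

```python
r"""Triage check for the ".hotp1" hotpatch section described above.

Added example, not code from the Microsoft post. It walks the PE section
table and reports names that match an indicator list, and reads the COFF
TimeDateStamp so it can be recorded alongside the hit. build_sample_pe()
builds a constructed, non-executable PE skeleton to exercise the parser.
"""
import struct

# ".hotp1" is the name reported in the post; extending this set is an
# assumption left to the analyst's own data.
SUSPICIOUS_SECTION_NAMES = {b".hotp1"}

IMAGE_FILE_HEADER_SIZE = 20      # sizeof(IMAGE_FILE_HEADER)
IMAGE_SECTION_HEADER_SIZE = 40   # sizeof(IMAGE_SECTION_HEADER)


def _coff_header_offset(data: bytes) -> int:
    """Locate IMAGE_FILE_HEADER via e_lfanew after validating MZ and PE signatures."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4


def pe_timestamp(data: bytes) -> int:
    """IMAGE_FILE_HEADER.TimeDateStamp: attacker-controlled, so evidence to
    record next to a finding, not a value to trust on its own."""
    coff = _coff_header_offset(data)
    return struct.unpack_from("<I", data, coff + 4)[0]


def pe_section_names(data: bytes) -> list:
    """Section names from the section table, NUL padding stripped."""
    coff = _coff_header_offset(data)
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + IMAGE_FILE_HEADER_SIZE + size_of_optional_header
    names = []
    for i in range(number_of_sections):
        offset = table + i * IMAGE_SECTION_HEADER_SIZE
        raw_name = data[offset:offset + 8]
        if len(raw_name) < 8:
            raise ValueError("section table is truncated")
        names.append(raw_name.rstrip(b"\0"))
    return names


def suspicious_sections(data: bytes) -> list:
    """Decoded section names that match the indicator list."""
    return [name.decode("latin-1") for name in pe_section_names(data)
            if name in SUSPICIOUS_SECTION_NAMES]


def build_sample_pe(section_names, timestamp=0) -> bytes:
    """Constructed PE skeleton: DOS header, PE signature, COFF header with no
    optional header, and one zeroed section header per name. Not executable."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), timestamp, 0, 0, 0, 0)
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos_header + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    sample = build_sample_pe([b".text", b".hotp1"], timestamp=1438300800)
    print("timestamp:", pe_timestamp(sample))
    print("sections:", pe_section_names(sample))
    print("flagged:", suspicious_sections(sample))
```

Because the parser never maps or executes anything, it is safe to run over a quarantined sample set; a hit on the section name is a reason to pull the file into the second-stage analysis the post describes, and the recorded timestamp is context rather than a dating tool.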





A brief discourse on ‘Changing browsing experience’, 22 Apr 2016 06:24:39 +0000

In response to questions we’ve received from the software distribution and monetization industry, and following our blog announcing our browser modifier policy update, we’d like to provide some details on what we refer to in our policy as “changing browsing experience”.

For us, “changing browsing experience” means behaviors that modify the content of webpages.

We consider programs installed and running on a PC that make webpages look different than they would in the same browser had those programs not been installed to be programs that change the browsing experience. These programs are required to use the browsers’ extensibility models.

Browsers’ extensibility models ensure user choice and control.  Extensible browsers present consent prompts that ensure users are asked to grant permission for an extension to be enabled.  It is done using a consistent language and placement that is straightforward and clear.

By requiring programs that change browsing experience to use the extensibility models, we ensure that users are kept at the helm of their choice and control.  Programs can only make such alterations to webpages when users grant them the permission to do so, using the browsers’ consistent and reliable consent prompting.

Some programs modify browsing access in ways that don’t insert or change web content.  We don’t consider these as changing the browsing experience.

Examples of programs that modify browsing access include:

  • VPNs, a type of software that provides access
  • Parental control programs, a type of software that restricts access

If these programs don’t insert or change web content, then they are not changing browsing experiences. Therefore, they are not required to use the browsers’ extensibility models.

Our intent with this policy is clear: we are determined to protect our customers’ choice and browsing experience control.  The requirement to use the browsers’ supported extensibility models is an important pillar in achieving this goal.


Barak Shein and Michael Johnson


Building a More Accessible Web Platform, 21 Apr 2016 22:00:38 +0000

In February the Edge team shared the roadmap for empowering all Microsoft Edge customers through accessibility and inclusive design. Today, we’re excited to share more about Microsoft Edge’s native support for the modern UI Automation accessibility framework, coming with the Windows 10 Anniversary Update. UI Automation enables Windows applications to provide programmatic information about their user interface to assistive technology products such as screen readers, and enables a comprehensive ecosystem. Read more about the updates on the Microsoft Edge Developer Blog.

JavaScript-toting spam emails: What should you know and how to avoid them?, 18 Apr 2016 16:00:23 +0000

We have recently observed that spam campaigns are now using JavaScript attachments in addition to Office files. The purpose of the code is straightforward: it downloads and runs other malware.

Some of the JavaScript downloaders that we’ve seen are:

The same JavaScript downloaders are also responsible for spreading the following ransomware:

The spam email contains a .zip or .rar attachment which carries a malicious JavaScript file. The JavaScript attachment mostly has the following icon, depending on which script host is installed on the system. The file names are either related to the spam campaign’s theme or completely random:


Figure 1: Examples of JavaScript attachments from spam email campaigns

Not your favorite Java

Just like a typical email campaign, the JavaScript-toting spam finds its way onto your PC after a successful social engineering trick. Its bag of tricks includes attachment file names intentionally crafted to pique anyone’s curiosity (finance-related, and so on).

The JavaScript attachments are heavily obfuscated to evade antivirus detection. Each consists of a download-and-execute function paired with one or two URLs hosting the malware.


Figure 2: Sample code and URL



Figure 3: Another code sample



Figure 4: Another code sample



Figure 5: Another code sample


In some cases, the malicious JavaScript attachment is bundled with a dummy file to evade email rules.


Figure 6: An example of a JavaScript attachment and a dummy file



Figure 7: Another example of a JavaScript attachment and a dummy file


These URLs are mostly short-lived, but when the download succeeds, the malware (in this case Ransom:Win32/Locky) enters the system and proceeds with its destructive mission.

It is interesting to note that an Office attachment with malicious macros typically requires two or more clicks on the document to run it: one click to open the document, and another to enable the macros.

A JavaScript attachment, on the other hand, takes only one or two clicks to start executing.

It is uncommon, and quite suspicious, for anyone to send legitimate applications as plain JavaScript files (files with a .js or .jse extension) via email. Be wary of such attachments, and do not click or open them.



Figure 8: A screenshot of how the JavaScript attachment gets executed.
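The two observations above, that the archive carries a .js or .jse file and that a dummy file is sometimes bundled alongside it to get past simple attachment rules, translate into a small gateway check. The following is an added example, not code from the post or from any Microsoft product: it opens the archive in memory and flags any member whose final extension is a script type, so the extra dummy file changes nothing. The extension list is limited to the two the post names, and the sample archive is constructed inside the block; its “.js” member is a harmless comment, not a downloader.

```python
"""Mail-gateway style check for script attachments inside zip archives.

Added example, not code from the Microsoft post. build_sample_attachment()
constructs the archive used below; nothing in it is a real payload.
"""
import io
import zipfile

# The extensions named in the post. A deployment would carry its own,
# longer list of script types; that list is an assumption, not the post's.
SCRIPT_EXTENSIONS = (".js", ".jse")


def script_members(archive_bytes: bytes) -> list:
    """Member names whose final extension is a script type.

    Only the last suffix is examined, so a double extension such as
    Invoice.PDF.js is still caught. A corrupt or non-zip attachment raises
    ValueError so the caller decides how to treat unreadable archives.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile as exc:
        raise ValueError("attachment is not a readable zip archive") from exc
    with archive:
        return [info.filename for info in archive.infolist()
                if not info.is_dir()
                and info.filename.lower().endswith(SCRIPT_EXTENSIONS)]


def should_quarantine(archive_bytes: bytes) -> bool:
    """True when at least one script member is present; a dummy file next to
    it does not change the verdict."""
    return bool(script_members(archive_bytes))


def build_sample_attachment(members: dict) -> bytes:
    """Constructed sample: build a zip in memory from {member name: text}."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, text in members.items():
            archive.writestr(name, text)
    return buffer.getvalue()


# Constructed spam-style attachment: a double-extension script plus a dummy file.
SAMPLE_SPAM_ATTACHMENT = build_sample_attachment({
    "Invoice_20160418.PDF.js": "// constructed placeholder; no downloader here",
    "readme.txt": "dummy file bundled to evade simple attachment rules",
})

if __name__ == "__main__":
    print("script members:", script_members(SAMPLE_SPAM_ATTACHMENT))
    print("quarantine:", should_quarantine(SAMPLE_SPAM_ATTACHMENT))
```

The check deliberately ignores what else is in the archive: a rule that only fires when the script is the sole member is exactly what the bundled dummy file is there to defeat. Password-protected or .rar attachments need a different reader, and the ValueError path is where a gateway would decide whether an unreadable archive is held or passed.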


Same stuff, new package

Email attachments have long been a common vector for spreading malware. In the past months, we have seen Office file attachments that contain malicious macros. The code is simple and straightforward; its main objective is to download and execute other malware, such as password stealers, backdoors and ransomware.

The JavaScript-toting email spam is no different.

These malicious email attachments are distributed through spam campaigns. Spam campaigns range from different social engineering areas that appeal to people’s curiosity – enough for them to take action and click what shouldn’t be clicked: from finance-related subjects like receipts, invoice and bank accounts, to resumes and shipment notifications.



Figure 9: A screenshot of a sample bank-related email spam.



Figure 10: A screenshot of a sample remittance-themed email spam.



Figure 11: A screenshot of a sample invoice-themed email spam.



Figure 12: A screenshot of a sample resume-themed email spam.



Figure 13: A screenshot of a shipment notification-themed email spam.



Figure 14: A screenshot of a sample debt case-themed email spam.

Mitigation and prevention

To avoid falling prey to the social engineering tricks of these JavaScript-toting emails:

See some of the related blogs and threat reports:


Alden Pornasdoro


MSRT April release features Bedep detection, 12 Apr 2016 20:24:06 +0000

As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for:

In this blog, we’ll focus on the Bedep family of trojans.


The bothersome Bedep

Win32/Bedep was first detected on November 25, 2014 as a malware family made up of DLLs that have been distributed by the Angler Exploit Kit. Microsoft detects Angler as:

JS/Axpergle and HTML/Axpergle have been known to carry and drop Bedep around by redirecting unsuspecting users to compromised websites.

Bedep is bothersome not only because it is carried around by an exploit kit, but because it also connects to a remote server to do the nasty:

All of the above malware families have these in common: they steal your personal information and send it to the hacker, watch what you do online, drop other malware onto your PC, and update it too.

  • Collect information about your PC to send it off to the malware perpetrator
  • Update the downloaded malware

The good thing is, Windows Defender detects and removes Bedep and its variants.

This threat has been prevalent in North America, and various parts of Latin America, Europe, and Southeast Asia.


Figure 1: The map shows Win32/Bedep’s prevalence in North America, Latin America, Europe, and South East Asia in the last six months.



Figure 2: The pie chart shows the Bedep distribution among the top 10 countries for the past six months


The exploit shellcode sometimes loads Bedep directly into memory from the Angler Exploit Kit, without writing it to disk. At other times it is written to disk.

It can be installed either as a 32-bit DLL (Backdoor:Win32/Bedep.A) or as a 64-bit DLL (Backdoor:Win64/Bedep.A), depending on the affected Windows OS version.

This threat is initially loaded by shellcode running in an exploited browser process (for example, iexplore.exe). Then, the threat downloads a copy of itself and injects that into explorer.exe.

We have observed that the first exploit is not enough. The attacker needs more exploits to bypass the OS or browser’s layered defenses. As a precaution, you should always be careful when clicking through User Account Control (UAC) prompts.

We’ve also seen that Bedep can drop itself as %ProgramData%\<{CLSID}>\<filename>.dll

Example path and file names: C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll.

It then creates the following registry entries:

In subkey: HKEY_CURRENT_USER\CLSID\%Random CLSID%\InprocServer32

Example: HKEY_CURRENT_USER\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32

Sets value: “ThreadingModel”

With data: “Apartment”

Sets value: “” (the key’s default value)

With data: %Bedep Filename%

Example: “C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll”

In subkey: HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\%Random CLSID%

Example: HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}

Sets value: “DriveMask

With data: dword:ffffffff
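The two keys listed above share one random CLSID, and the InprocServer32 default value points at a DLL under %ProgramData%\{GUID}\. The following is an added example, not code from the post or from MSRT, that correlates those two observations in a .reg export of HKEY_CURRENT_USER. It parses only the subset of the .reg format needed here (keys, REG_SZ and dword values). The key paths and the {F6BF8414-…} and {9A88E103-…} example values are the ones given in the post; the {00000000-…} entry is a constructed benign control, and the vendor path in it is made up.

```python
r"""Find Bedep-style CLSID persistence in a .reg export.

Added example, not code from the Microsoft post. The parser handles keys,
REG_SZ and dword values only, which is all this check needs.
"""
import re

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
INPROC_KEY = re.compile(r"^HKEY_CURRENT_USER\\CLSID\\(" + CLSID + r")\\InprocServer32$", re.I)
PROGRAMDATA_DLL = re.compile(r"^[A-Za-z]:\\ProgramData\\" + CLSID + r"\\[^\\]+\.dll$", re.I)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}}; '@' becomes '' (the default value)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "" if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")  # un-escape REG_SZ backslashes
        keys[current][name] = data
    return keys


def find_bedep_like_persistence(reg_text: str) -> list:
    """For each CLSID\...\InprocServer32 whose default value is a DLL under
    ProgramData\{GUID}\, report it and whether the matching
    Drive\ShellEx\FolderExtensions\{CLSID} key is also present."""
    keys = parse_reg_export(reg_text)
    lowered = {path.lower(): values for path, values in keys.items()}
    findings = []
    for path, values in keys.items():
        match = INPROC_KEY.match(path)
        if not match:
            continue
        clsid = match.group(1)
        dll = values.get("", "")
        if not PROGRAMDATA_DLL.match(dll):
            continue
        folder_ext = f"HKEY_CURRENT_USER\\Drive\\ShellEx\\FolderExtensions\\{clsid}".lower()
        ext_values = lowered.get(folder_ext)
        findings.append({
            "clsid": clsid,
            "dll": dll,
            "threading_model": values.get("ThreadingModel"),
            "folder_extension_registered": ext_values is not None,
            "drive_mask": ext_values.get("DriveMask") if ext_values else None,
        })
    return findings


# Constructed export: the two keys from the post plus a benign control entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32]
@="C:\\ProgramData\\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\\acledit.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}]
"DriveMask"=dword:ffffffff

; constructed benign control: an in-proc server installed under Program Files
[HKEY_CURRENT_USER\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\example.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for hit in find_bedep_like_persistence(SAMPLE_REG_EXPORT):
        print(hit)
```

Correlating the two keys, rather than alerting on either alone, is what keeps the check quiet on legitimate per-user COM registrations; the benign control entry above has an InprocServer32 key and a threading model but neither the ProgramData\{GUID}\ path nor the FolderExtensions registration, so it produces no finding.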


For details about various Bedep variants, see the following malware encyclopedia entries:


Mitigation and prevention

To help stay protected from Bedep and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:


Jonathan San Jose


April 2016 Security Update Release, 12 Apr 2016 10:00:43 +0000

Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates and advisories can be found in the Security TechNet Library.


Improvements to Narrator in Windows 10, 11 Apr 2016 21:50:03 +0000

In February, Jenny Lay-Flurrie, chief accessibility officer for Microsoft, reaffirmed our company-wide commitment to accessibility and outlined our guiding principles and goals to improve accessibility across our products, services and websites. In support of this commitment, the Windows team would like to share progress the team has made with respect to Narrator since the release of Windows 10 last summer.

What We’ve Learned

Since the release of Windows 10 we have heard lots of feedback through our Windows Insider program as well as through direct conversations with users of Assistive Technology (AT). This feedback has aligned to four key areas:

  1. Improve the accessibility of our new browser, Microsoft Edge.
  2. Improve support for common email scenarios with Windows Mail.
  3. Improve Narrator by increasing performance, reliability and usability.
  4. Improve the accessibility of Windows 10 experiences like the Start menu, the lock screen, Cortana, Store, Music, Videos and more.

The Edge and Mail teams have previously provided updates on their progress and priorities, which you can read about on their blogs. This post will focus on the work we are doing in support of improving Narrator. And in the coming months we will be sharing more about the improved accessibility of other Windows 10 experiences.

Improvements to Narrator

Today we are excited to share progress on improvements to Narrator focused on three main areas: performance, reliable reading and usability. Some of these updates can already be seen in the current pre-release builds available through the Windows Insider program, which you can join through the Windows Insider program site. Others will be included in upcoming builds made available through Windows Insider.

Improvements to expect in Narrator include:

Better Performance

  • Improved performance when navigating the start menu.
  • Significant performance improvements when typing

More Reliable Reading

  • We have improved things like table navigation, resulting in a better reading and editing experience in apps like Windows Mail and Word.
  • Narrator will now read suggested results in apps like Cortana and Edge as well as suggested e-mail addresses in Outlook.
  • Keyboard commands in Narrator are now more familiar to users of other screen readers.
  • Some keyboard interactions have been simplified and updated to ensure better ergonomics, making them easier to type.

The following video gives a quick walkthrough of some of the improved keyboard interactions:

Other Investments

While much of our work aligns with our commitment to deliver a great in-box screen reading experience with Narrator, we also have longstanding relationships with our third-party screen reading partners. We firmly believe that the ecosystem of screen reading applications from vendors like Freedom Scientific, NV Access, AI Squared, Dolphin and Serotek will continue to deliver the most comprehensive set of access solutions for the blind and visually impaired. We are working together through regular technical discussions and collaboration to ensure they can support our primary Windows 10 apps and experiences.

We are also implementing a change in Narrator to help you choose the best possible experience when browsing the web. We recognize that some assistive technologies like Narrator may work better with Internet Explorer. With the April 2016 update for Windows 10, the first time you run Narrator you will be presented with the option to set Internet Explorer as the default web browser.

And finally, in addition to the work on Narrator, our documentation team has been working hard to update the resources available to those who are learning how to use Narrator. We are looking forward to providing improved and more complete documentation at the next public update for Windows 10.

Looking Forward

Microsoft is committed to making Windows 10 a great experience for all users and over the next few months we will continue to work on the performance, reliability and usability of tools designed for people with disabilities. We will also keep working on new features, like additional languages for Narrator, and will continue to post regular updates about our progress.

If you’re interested in providing help or suggestions, we would love to get your feedback via the Windows Insider Program or for technical support, contact the Microsoft Disability Answer Desk.

Seeing AI: New Technology Research to Support the Blind and Visually Impaired Community, 07 Apr 2016 18:23:01 +0000

Microsoft’s mission is to empower every person and every organization on the planet to achieve more, which includes creating and delivering technology for people of all abilities. As a part of this effort, last week at the Microsoft Build Conference, we debuted a new research project in development – Seeing AI – aimed at helping people who are visually impaired or blind to understand more about who and what is around them. Seeing AI will use computer vision, image and speech recognition, natural language processing and machine learning from Microsoft’s Cognitive Services and Office Lens to help describe a person’s surroundings, read text, answer questions and even identify emotions on people’s faces.

Seeing AI demo concept video

Seeing AI might be used either as a mobile app or via smart glasses from Pivothead. Although Seeing AI would not replace mobility aids such as guide dogs and canes, it will add another layer of information that could further enable people of all abilities to use technology in a more personal and enjoyable way.

This project was born out of last year’s //oneweek Hackathon, an event where Microsoft employees work together and try to make wild ideas a reality. Although Seeing AI is still in the development phase and not currently available, there has been tremendous progress on this initiative in a relatively short amount of time and we will definitely provide updates when we have more information to share.

We’re so excited to be working across the company and with others around the world to explore new opportunities that can help people of all abilities to achieve more. As always, we love your continued feedback and ideas as we keep working together to push the boundaries of what technology can do to empower every person on the planet.

Keeping Browsing Experience in Users’ Hands, an Update…, 24 Mar 2016 05:27:45 +0000

Since we published the Keeping Browsing Experience in Users’ Hands blog in December 2015, we’ve received feedback from the ecosystem and engaged in discussions with the industry. Based on those discussions and feedback, we are making a couple of updates.

We are broadening the scope of the evaluation criteria we blogged about to state:

Programs that change the user browsing experience must only use the browsers’ supported extensibility model for installation, execution, disabling and removal. Browsers without supported extensibility models will be considered non-extensible.

This addition addresses software that modifies the browsing experience, not just those that insert ads into the browsing experience.

Accordingly, we are moving the criterion from the Advertising criteria to become an expansion of our BrowserModifier criteria.

By doing so we are closing additional gaps that impact the browsing experience from outside the browser, not just ad injection software, and are pointing developers to comply with the browser’s respective extensibility models.

Internet Explorer and Microsoft Edge’s policy, for example, can be found at

In addition, and due to the broadening of the policy, we are further extending the notification up until May 2, 2016.

We continue to encourage developers who may be affected by this policy to work with us during the notification time, and fix their software to become compliant with the new criteria and follow the respective browser policies.

Enforcement starts on May 2, 2016.

Barak Shein and Michael Johnson



New feature in Office 2016 can block macros and help prevent infection, 22 Mar 2016 21:45:30 +0000

Macro-based malware is on the rise and we understand it is a frustrating experience for everyone. To help counter this threat, we are releasing a new feature in Office 2016 that blocks macros from loading in certain high-risk scenarios.


Macro-based malware infection is still increasing

Macro-based malware continues its rise. We featured macro-based malware in our Threat Intelligence report last year, but infections are still increasing.

Despite periodic lulls, infections for the top 20 most detected macro-based malware were high over the past three months.


In the enterprise, recent data from our Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros.

Note these are detections and not necessarily successful infections. To learn more about Advanced Threat Protection and other security features in Office 365, check out this blog and video.

The enduring appeal for macro-based malware appears to rely on a victim’s likelihood to enable macros. Previous versions of Office include a warning when opening documents that contain macros, but malware authors have become more resilient in their social engineering tactics, luring users to enable macros in good faith and ending up infected.


Block the macro, block the threat

In response to the growing trend of macro-based threats, we’ve introduced a new, tactical feature in Office 2016 that can help enterprise administrators prevent the risk from macros in certain high risk scenarios. This feature:

  1. Allows an enterprise to selectively scope macro use to a set of trusted workflows.
  2. Blocks easy access to enable macros in scenarios considered high risk.
  3. Provides end users with a different and stricter notification so it is easier for them to distinguish a high-risk situation from a normal workflow.

This feature can be controlled via Group Policy and configured per application. It enables enterprise administrators to block macros from running in Word, Excel and PowerPoint documents that come from the Internet. This includes scenarios such as the following:

  1. Documents downloaded from Internet websites or consumer storage providers (such as OneDrive, Google Drive and Dropbox).
  2. Documents attached to emails sent from outside the organization (where the organization uses the Outlook client and Exchange servers for email).
  3. Documents opened from public shares hosted on the Internet (such as files downloaded from file-sharing sites).

Let’s walk through a common attack scenario and see this feature in action.

Claudia is an enterprise administrator at Contoso. After a rash of macro-based malware attacks targeting her organization, she learns of this new feature in Office 2016 and has rolled out a Group Policy update to all Office clients on the network.

Stewart is a cybercriminal looking to attack and penetrate the Contoso network. Stewart uses macro-based malware because he’s had recent successes using it. He launches his attack campaign against Contoso by targeting James, an employee there.

James receives an email from Stewart in his inbox that has an attached Word document. The email has content designed to pique James’s interest and influence him to open the attachment.

Email with a macro-enabled attachment

When James opens the Word document, it opens in Protected View. Protected View has been available in Word, Excel and PowerPoint since Office 2010: it is a sandboxed, read-only environment in which a user can read the contents of a document. Macros and all other active content are disabled within Protected View, so James is protected from such attacks as long as he stays in Protected View.

Word document instructing a user to enable macros to get out of protected view mode


However, Stewart anticipates this step and places a clear, prominent message at the top of the document designed to lure James into a decision that harms his organization’s security. James follows the instructions and exits Protected View, believing it will give him access to the document’s contents. He is then confronted with a strong notification from Word that macros in this document have been blocked by his enterprise administrator. There is no way for him to enable the macro from within the document.

Warning message appears in a document if macros can't be enabled


James’s security awareness is heightened by the strong warning and he starts to suspect that there is something fishy about this document and the message. He quickly closes the document and notifies his IT team about his suspicions.

This feature relies on the security zone information that Windows uses to record the trust associated with the location a file came from (the Mark of the Web, which browsers and mail clients store in the file’s Zone.Identifier alternate data stream when the file is downloaded). For example, if the location the file originates from is in the Internet zone, macros are disabled in the document. Users with legitimate scenarios that are affected by this policy should work with their enterprise administrator to identify alternative workflows that ensure the file’s original location is considered trusted within the organization.


Use Group Policy to enforce the setting, or configure it individually

Administrators can enable this feature for Word, Excel, and PowerPoint by configuring it under the respective application’s Group Policy Administrative Templates for Office 2016. For example, to enable this setting for Word:

  1. Open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
  2. In the Group Policy Management Editor, go to User configuration.
  3. Click Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center.
  4. Open the Block macros from running in Office files from the Internet setting to configure and enable it.

Group policy settings location

You can read more about this Group Policy setting at Plan security settings for VBA macros in Office 2016.
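The following PowerShell is an added example, not code from the original post: it reads a file’s Mark of the Web from the Zone.Identifier stream, reads the registry value the Group Policy setting above writes for the chosen application, and reports whether the policy would block the file’s macros. It assumes Office 2016 (registry version 16.0), NTFS and PowerShell 3.0 or later; treating the Restricted Sites zone (4) like the Internet zone (3) is this example’s assumption, not something the post states.

```powershell
# Added example (not from the original post). Assumes Office 2016 (16.0), NTFS,
# PowerShell 3.0+. Reads a file's Mark of the Web and the per-app policy value
# and predicts whether macros in that file would be blocked.

function Get-FileZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # The zone lives in the Zone.Identifier alternate data stream, e.g.
    #   [ZoneTransfer]
    #   ZoneId=3
    # A file with no such stream is treated as Local Machine (zone 0).
    try {
        $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return 0
    }
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return 0
}

$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Test-PolicyBlocksMacros {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Word','Excel','PowerPoint')][string]$App = 'Word'
    )
    # Value written by "Block macros from running in Office files from the Internet".
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $policyOn  = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet `
                    -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet -eq 1
    $zone = Get-FileZoneId -Path $Path
    # Assumption: zone 3 (Internet) is what the policy keys on; zone 4 is treated the same here.
    $fromInternet = $zone -in 3, 4
    [pscustomobject]@{
        File          = $Path
        Zone          = "$zone ($($ZoneNames[$zone]))"
        PolicyOn      = $policyOn
        MacrosBlocked = ($policyOn -and $fromInternet)
    }
}

# Demo on a constructed file: simulate a browser download by writing the MotW stream.
$sample = Join-Path $env:TEMP 'invoice.docm'
Set-Content -LiteralPath $sample -Value 'placeholder, not a real document'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Test-PolicyBlocksMacros -Path $sample -App Word | Format-List

# Unblock-File strips the stream; the file then looks local and the policy no longer applies.
Unblock-File -LiteralPath $sample
Test-PolicyBlocksMacros -Path $sample -App Word | Format-List
Remove-Item -LiteralPath $sample
```

The second run is the caveat worth remembering: anything that removes the Zone.Identifier stream (Unblock-File, copying the file to a FAT volume or a network share that does not preserve streams, or some archive tools) takes the file out of this policy’s scope, which is why the post recommends trusted locations as the sanctioned path for legitimate macro workflows rather than unblocking files.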


Final tips

For end-users, we always recommend that you don’t enable macros on documents you receive from a source you do not trust or know, and be careful even with macros in attachments from people you do trust – in case they’ve been hacked.

For enterprise administrators, turn on mitigations in Office that can help shield you from macro based threats, including this new macro-blocking feature. If your enterprise does not have any workflows that involve the use of macros, disable them completely. This is the most comprehensive mitigation that you can implement today.

Microsoft Bounty Programs Announce Expansion – Bounty for Microsoft OneDrive, 18 Mar 2016 00:19:38 +0000 At Microsoft, we continue to add new properties to our security bug bounty programs to help keep our customers secure. Today, I’m pleased to announce the addition of Microsoft OneDrive to the Microsoft Online Services Bug Bounty Program.

This addition further incentivizes security researchers to report service vulnerabilities to Microsoft. As part of the Microsoft Online Services Bug Bounty Program, the payouts will range from $500 – $15,000 USD.

Join us at the Microsoft Booth at CanSecWest 2016 in Vancouver, Canada to learn more about Microsoft OneDrive and the bounty programs. You can find the updated terms here. Send your submissions to

Happy Hunting,

Jason Shirk

No mas, Samas: What’s in this ransomware’s modus operandi?, 18 Mar 2016 00:15:08 +0000

We’ve seen how ransomware has become a threat category that sends consumers and enterprises reeling when it hits them. It has become a high-commodity malware that is used as the payload of spam email, macro malware and exploit kit campaigns, and it digs into victims’ pockets in exchange for recovering their files from encrypted form. Crowti, Tescrypt, Teerac and Locky have all been very active in this space.

We’ve also observed some malware authors offering a different distribution method on the black market, called ransomware-as-a-service (RaaS). Malicious actors use RaaS to download a ransomware builder and customize the output as they see fit. We’ve seen two threats, Sarento and Enrume, built through this type of service and deployed to infect machines during the second half of 2015.


How is Samas different from other ransomware?


Ransom:MSIL/Samas, which surfaced in the past quarter, gets into a system differently: its installation is targeted rather than opportunistic. We have observed that this threat requires other tools or components to aid its deployment:

Figure 1:  Ransom:MSIL/Samas infection chain 

Samas ransomware’s tools of trade


The Samas infection chain diagram illustrates how Ransom:MSIL/Samas gets into the system. It starts with a pen-testing/attack server scanning for potentially vulnerable networks to exploit, with the help of a publicly available tunnelling tool named reGeorg.

Java-based vulnerabilities have also been observed in use, such as CVE-2010-0738 in outdated JBoss server installations.

It can also use other information-stealing malware (Derusbi/Bladabindi) to gather login credentials. Once it has done so, it writes the stolen credentials to a text file (for example, list.txt) and uses them to deploy the malware and its components through the third-party tool psexec.exe, driven by batch files that we detect as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C.

One of the batch files, also detected as Trojan:BAT/Samas.B, deletes the Volume Shadow Copies with the vssadmin.exe tool so that encrypted files cannot be restored from them.

Trojan:MSIL/Samas.A usually takes the name delfiletype.exe or sqlsrvtmg1.exe and does the following:

  1. Looks for file extensions associated with backup files on the system.
  2. Makes sure those files are not locked by other processes; if they are, the trojan terminates those processes.
  3. Deletes the backup files.

Ransom:MSIL/Samas then shows typical ransomware behaviour: it encrypts files on the system with the AES algorithm and renames each encrypted file with the extension encrypted.RSA. Once the files are encrypted it displays the ransom note and deletes itself with the help of a binary, del.exe, carried in its resources.
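Because the Samas deployment described above leaves process-level traces (psexec.exe launching batch files, the PSEXESVC service it installs on the target, vssadmin.exe deleting shadow copies, and the dropper file names quoted above), they can be hunted for in process-creation records. The PowerShell below is an added example, not from the original post: the indicator patterns are this example’s own, and the input lines are constructed in a simplified Image/CommandLine/User format for the demo; on a real host you would feed it the command lines from Security event 4688 or Sysmon event 1 instead.

```powershell
# Added example (not from the original post): flag the Samas deployment behaviour
# in process-creation records. Patterns are illustrative; input lines are constructed.

$Indicators = @(
    @{ Name = 'ShadowCopyDeletion';  Pattern = '(?i)vssadmin(\.exe)?\s+delete\s+shadows' },
    @{ Name = 'RemoteExecViaPsExec'; Pattern = '(?i)\bpsexec(\.exe)?\b.*\.bat\b' },
    @{ Name = 'PsExecServiceSpawn';  Pattern = '(?i)\bPSEXESVC(\.exe)?\b' },
    @{ Name = 'SamasDropperName';    Pattern = '(?i)\b(delfiletype|sqlsrvtmg1)\.exe\b' }
)

function Find-SamasIndicators {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Emit one object per (line, indicator) match so a later stage can correlate per host.
    foreach ($line in $Lines) {
        foreach ($ind in $Indicators) {
            if ($line -match $ind.Pattern) {
                [pscustomobject]@{ Indicator = $ind.Name; Line = $line }
            }
        }
    }
}

# Constructed sample: four suspicious records among benign ones.
$sample = @(
    'Image=C:\Windows\System32\svchost.exe CommandLine="svchost.exe -k netsvcs" User=SYSTEM',
    'Image=C:\Tools\psexec.exe CommandLine="psexec.exe \\fileserver01 -u contoso\admin -p ***** -c deploy.bat" User=contoso\admin',
    'Image=C:\Windows\PSEXESVC.exe CommandLine="C:\Windows\PSEXESVC.exe" User=SYSTEM',
    'Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c vssadmin.exe delete shadows /all /quiet" User=contoso\admin',
    'Image=C:\Windows\Temp\sqlsrvtmg1.exe CommandLine="sqlsrvtmg1.exe" User=contoso\admin',
    'Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE CommandLine="WINWORD.EXE /n" User=contoso\james'
)

$hits = Find-SamasIndicators -Lines $sample
$hits | Format-Table -AutoSize

# Summarise which indicator families fired; several distinct families on one host in a
# short window is the alertable pattern, not any single line.
$hits | Group-Object Indicator | Select-Object Name, Count
```

Shadow-copy deletion on its own has legitimate administrative uses, and PsExec is common in many environments, so the value is in the combination: remote batch execution followed by vssadmin on the same host is the sequence the post describes, and that is what an alert should be written against.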

Figure 2: Samas ransom message


So far, we’ve seen a new Ransom:MSIL/Samas variant that shows signs of moving from plain ASCII strings to hex-encoded strings, possibly to better evade detection by security vendors. The example below shows that the list of file extensions to encrypt has been converted to hex strings:

Figure 3:  Version 1 – Ransom:MSIL/Samas.A


Figure 4: Version 2 – Ransom:MSIL/Samas.B


It has also moved its decryption service site from WordPress, hxxps://, to a more obscure Tor site to help anonymize itself, hxxp://wzrw3hmj3pveaaqh.onion/diana.

Figure 5: Majority of the Ransom:MSIL/Samas infections are detected in North America, and a few instances in Europe


Mitigation and prevention

But yes, you can say no mas (Spanish for “no more”) to Samas ransomware.

To help avoid falling prey to Samas or other ransomware, use Windows Defender on Windows 10 as your antimalware scanner and ensure that MAPS (Microsoft Active Protection Service) is enabled.

Though ransomware and macro-based malware are on the rise, there’s still something that you or your administrators can proactively do:


Marianne Mallen



Secure Development Blog, 17 Mar 2016 17:52:30 +0000 We’re proud to announce Secure Development at Microsoft, our developer-focused security blog at Microsoft. The blog was created to inform developers of new security tools, services, open source projects and best development practices, in order to help instill a security mindset across the development community and enable collaboration amongst its members.

Blog posts will be written by Microsoft engineers to give developers the right level of technical depth in order to get them up and running with integrating security assurance into their projects right away. We’ll cross reference their posts to make sure anyone following this blog can also check out the technical side of what we do.

Check them out!

Announcing Microsoft Sessions at CSUN Conference, 16 Mar 2016 18:00:23 +0000 Microsoft is pleased to be participating next week at the 31st Annual International Technology and Persons with Disabilities Conference (CSUN) in San Diego. On Wednesday March 23rd, we are hosting a number of educational sessions onsite to share information about the accessibility of our latest products, including Windows 10 and Office 365, as well as to inspire dialog with some of our engineers and product managers. Below is our full schedule of session topics. If you are attending CSUN this year, we encourage you to join us for any or all of these talks. We look forward to connecting with you in San Diego.

Location: Pier Room, 3rd Floor of Harbor Tower

Session Schedule for Mar 23, 2016:

9:00 – 9:50am - Getting to know Windows 10
10:00 – 10:50am - Accessibility in Windows 10
11:00 -11:40am - What’s New for Accessibility in Edge – Panel Discussion with Edge Accessibility Product Managers on plans and progress
11:40am -1:20pm - Break for Lunch
1:20 – 2:10pm - Accessibility Enhancements in Office 365 – Panel Discussion with Microsoft Accessibility Product Managers on plans and progress
2:20 – 2:45pm - Accessibility Enhancements in Office 365 – Demonstrations by Microsoft Accessibility Experts with a variety of devices and assistive technologies
2:45 – 3:10pm - Learning Tools for OneNote – Overview of new, free tools that ease reading, writing and comprehension for everyone, including people with dyslexia
3:20 – 5:20pm - Round table discussions with Office 365 Accessibility Team – Bring your questions and suggestions!

The three heads of the Cerberus-like Cerber ransomware, 10 Mar 2016 04:20:00 +0000 This month, we saw a new ransomware family that launches a three-pronged attempt to get you to hand over your hard-earned cash.

Called “Cerber” (it replaces file extensions with .cerber), we like to think of this three-prong approach as a nod to the mythical multiple-headed hound, Cerberus.

The attack starts with a text-to-speech (TTS) synthesized recording of a text message:

  • Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!

While it’s not terribly original, originality doesn’t count for much in malware circles – if something works (that “something” usually being forcing victims to pay money or lose data), then everyone jumps on the bandwagon and before you know it, bam, macros are being used to deliver malware.

So perhaps expect to see a lot more synthesized, robotic-sounding messages making the rounds, attempting to steal your data and money.

The use of audio files as part of a ransomware attack isn’t particularly new; Tobfy was doing it back in 2014. But the rise of TTS through the popularity of Cortana, Siri and Google Now may give ransomware authors a new (easier) way to annoy their victims into paying, if only to silence the TTS announcement at every logon.

In Cerber’s case, it uses a VBScript file (.vbs) that calls the Microsoft Speech API (SAPI) SpVoice.Speak method at every start-up.

VB script used to call the SAPI Speak method

If the API can’t call the speech synthesizer, you’ll see an error message similar to this:

Error returned when TTS is disabled or not available

The other “prongs” in the attack are the usual flavor of current ransomware notices – a simple .html page or .txt file is opened using the native handler. The files include instructions to download the Tor browser, connect to a specific Tor site and start transferring some Bitcoins. It might display the ransom notes in different languages, based on the victim’s IP geolocation.

HTML page with ransom payment instructions

Plain text file with ransom payment instructions

Ransomware has come a long way from the non-encrypting lockscreen FBI and national police authority scare warnings, and this newer “low-cost approach” is both frustrating and effective.

Unlike some other current ransomware (such as Crowti), it renames both the file name and the extension of the files it targets. It is also selective about the folders it skips: the list is mostly system folders, such as Program Files, the Users folder and the Recycle Bin. It does, however, encrypt files in network shares and on all drives on the machine, and uses RSA encryption.

The list of file types it targets is extensive, and includes common types such as Office documents, some database files (including .sql, and .sqlite), and archive files (for example, .rar and .zip).

It stores configuration data in JSON format, which it decrypts and loads directly to memory at run time. The data includes:

  • The list of file extensions it targets
  • The folders it avoids
  • The public RSA key used for encryption (the private key is stored on the attacker’s server)
  • The mutex name format
  • The .html and .txt content used in the ransom note
  • The IP of a server it sends statistical data to

See our malware encyclopedia entry for details on the file types and folders it targets.

Encrypted files are given a randomized jumble of 10 characters for the file name, and the extension is changed to .cerber. Therefore, a file called kawaii.png could be renamed to something like 5kdAaBbL3d.cerber.

The instructions presented to a victim will lead them to a website where they can choose their language (considerate!) and must enter a CAPTCHA or anti-spambot challenge (ironic!). The language-choice page begins with an instruction to “choose your language”. This phrase rotates between the 12 languages the user can choose from.

Choice of 12 languages

CAPTCHA to access the payment site

After they’ve passed these gates, the site provides details on how the victim can obtain and transfer Bitcoins to the attackers. There is a “special price” that increases the longer the victim waits to pay the ransom, which is reminiscent of Crowti and others.

Cerber payment site, requesting Bitcoin

Our strongest suggestion to prevent attacks from Cerber and other ransomware remains the same: use Windows Defender as your antimalware client, and ensure that MAPS has been enabled.

Both ransomware and macro-based malware are on the rise. Users can disable the loading of macros in Office programs, and administrators can disable macro loading using Group Policy settings.

MSRT March 2016 – Vonteera, 09 Mar 2016 21:32:39 +0000 As part of our ongoing effort to provide better malware protection, the March release of the Microsoft Malicious Software Removal Tool (MSRT) will include detections for Vonteera, a family of browser modifiers, and Fynloski, a family of backdoor trojans. In this blog, we’ll focus on the Vonteera family of browser modifiers.


We first detected BrowserModifier:Win32/Vonteera in August 2013, and the numbers have been pretty big; during the past six months, we’ve had over eight million detections. Encounters have been distributed among the following countries and regions:

Vonteera distribution numbers

We classify Vonteera as unwanted software because it violates the following objective criteria:

  • Lack of choice – the threat circumvents user consent dialogs from the browser or operating system. It installs, reinstalls, or removes software without your permission, interaction, or consent.
  • Lack of control – the threat prevents or limits you from viewing or modifying browser features or settings.
  • Installation and removal – the threat fails to use standard install/uninstall features, such as Add/Remove Programs.

Vonteera is usually distributed by software bundlers that offer free applications or games.

Once installed on your PC, it modifies your homepage and changes your search provider.

It uses Group Policy to install a plug-in into the following browsers in an effort to make it difficult to remove:

  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox

This makes it more difficult to change the browser settings and remove the added Vonteera plug-in through the Manage Add-ons settings.

Search policy message

More recent versions of Vonteera add legitimate certificates belonging to a number of security and antimalware products to the Untrusted Certificates (Disallowed) store that Windows maintains. Windows then refuses to trust binaries signed with those certificates, so if Vonteera is present on your PC you might not be able to run your security software.

It also runs a service, so even if you delete these certificates from the untrusted list, Vonteera simply adds them back, and you still might not be able to run your security software.
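A quick way to check for this symptom is to look at what is sitting in the Disallowed stores. The PowerShell below is an added example, not from the original post: it lists entries in the machine and user Untrusted Certificates stores whose subject or issuer matches a list of security vendor names. The name list is illustrative (the post does not say which vendors Vonteera targets) and should be replaced with the products you actually run. Windows ships some genuinely revoked certificates in this store, so review hits rather than deleting them blindly.

```powershell
# Added example (not from the original post): find security-vendor certificates in the
# Untrusted Certificates (Disallowed) stores. Vendor names below are illustrative only.

$VendorPatterns = @('ESET', 'Kaspersky', 'Symantec', 'McAfee', 'Avast', 'AVG',
                    'Bitdefender', 'Malwarebytes', 'Sophos', 'Trend Micro')

function Find-UntrustedVendorCerts {
    param([string[]]$Patterns = $VendorPatterns)
    foreach ($store in 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            $cert = $_
            # Match on subject or issuer so intermediate CA certs are caught as well.
            $hit = $Patterns |
                Where-Object { $cert.Subject -like "*$_*" -or $cert.Issuer -like "*$_*" } |
                Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{
                    Store      = $store
                    Thumbprint = $cert.Thumbprint
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotAfter   = $cert.NotAfter
                    MatchedOn  = $hit
                }
            }
        }
    }
}

$suspect = Find-UntrustedVendorCerts
if ($suspect) {
    $suspect | Format-Table -AutoSize
    # Removal only sticks once the service that re-adds the entries is gone.
    # Run elevated for the LocalMachine store:
    #   $suspect | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) }
} else {
    'No security-vendor certificates found in the Disallowed stores.'
}
```

Removing the certificates before removing the service is pointless, as the post notes: the service puts them back. Run MSRT or a full scan first, confirm the service is gone, and only then clear the store.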


Our malware encyclopedia entry for Win32/Vonteera has more details about this malware family.

By adding Vonteera to the MSRT we hope to have a bigger impact and reach more affected machines and help remove this unwanted software. However, as with all threats, prevention is the best protection.

Stay protected

To help stay protected from this and other threats we recommend running up-to-date real-time security software such as Windows Defender for Windows 8.1 and Windows 10.

We also recommend you:

For more tips on preventing malware infections, including ransomware infections, see:

March 2016 Security Update Release, 09 Mar 2016 10:00:08 +0000 Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates can be found in the Security TechNet Library.


Locky malware, lucky to avoid it, 24 Feb 2016 20:01:01 +0000 You may have seen reports of the Locky malware circulating the web; we think this is a good time to discuss its distribution methods and reiterate some best practices that will help prevent infection.

We’ve seen Locky being distributed by spam email, not in itself a unique distribution method, but this means that spreading is broad and not isolated to any particular region. This ransomware knows no borders, and we’ve seen high infection rates across the world.
The Locky email attachment usually arrives as a Word document, but can also be an Excel document, that appears to be an invoice. We’ve also seen the following downloaders distribute Ransom:Win32/Locky.A:

If you open this file and allow the macro to run, the malware is downloaded and runs on your PC, encrypting your files. A ransom message is then displayed demanding payment in order to unlock your encrypted files. Note that once your files are encrypted, the only guaranteed way to restore them is from backup. Microsoft does not recommend you pay the ransom; there is no guarantee that this will give you access to your files.

While Microsoft detects and removes Locky, we recommend you disable macros to help prevent this and other macro-downloaded threats from infecting your PC, and then only enable macros that you trust, on a case-by-case basis. To help keep your enterprise secure, consider using a trusted location for files in your enterprise, then you can store documents that require macros there.  You can also use our cloud protection services to help boost your protection; this, and other advice on how to help keep your PC protected are outlined below.


Disable all except digitally signed macros in Microsoft Word

To help prevent malicious files from running macros that might download malware automatically, we recommend you change your settings to disable all except digitally signed macros.

To do this:

1. Open a Microsoft Word document.
2. Click the File tab.
3. Click Options.
4. In the Trust Center, click Trust Center Settings.

Trust Center settings

5. Select Disable all macros except digitally signed macros.

Macro settings in Trust Center

6. Click OK.


Block macros from running in Office files from the Internet in your enterprise

Office 2016 provides a Group Policy setting that enables you to block macros from running in Word, Excel and PowerPoint files from the Internet. Read about how to block macros from running in Office 2016 files from the Internet.
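The Trust Center steps above set a per-user value that can also be audited and applied from PowerShell, which is handier than clicking through the dialog on every machine. The script below is an added example, not from the original post: it reads and sets the VBAWarnings value that backs the Trust Center macro-settings radio buttons for Word, Excel and PowerPoint 2016, and can optionally write the same per-user value that the Internet-block Group Policy setting writes. It assumes Office 2016 (registry version 16.0); the value meanings (1 = enable all, 2 = disable with notification, 3 = disable except digitally signed, 4 = disable all without notification) are the documented ones.

```powershell
# Added example (not from the original post): audit and set Office 2016 macro
# settings per user for Word, Excel and PowerPoint. Assumes registry version 16.0.

# VBAWarnings: 1 = Enable all, 2 = Disable with notification (default),
#              3 = Disable except digitally signed, 4 = Disable all without notification
$VbaWarningNames = @{ 1 = 'Enable all macros'; 2 = 'Disable with notification';
                      3 = 'Disable except digitally signed'; 4 = 'Disable all without notification' }
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-OfficeMacroSettings {
    # Reads the user's Trust Center value and any policy values an admin has pushed.
    foreach ($app in $Apps) {
        $user   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
        $policy = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $u = (Get-ItemProperty -Path $user   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $p = (Get-ItemProperty -Path $policy -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $b = (Get-ItemProperty -Path $policy -Name blockcontentexecutionfrominternet `
                -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            App               = $app
            UserVBAWarnings   = $(if ($u) { "$u ($($VbaWarningNames[[int]$u]))" } else { 'not set (default 2)' })
            PolicyVBAWarnings = $(if ($p) { "$p ($($VbaWarningNames[[int]$p]))" } else { 'not set' })
            BlockFromInternet = ($b -eq 1)
        }
    }
}

function Set-OfficeMacroSettings {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(1, 4)][int]$VBAWarnings = 3,   # signed macros only, as in the steps above
        [switch]$BlockFromInternet
    )
    foreach ($app in $Apps) {
        $user = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
        if ($PSCmdlet.ShouldProcess($app, "Set VBAWarnings=$VBAWarnings")) {
            New-Item -Path $user -Force | Out-Null
            Set-ItemProperty -Path $user -Name VBAWarnings -Value $VBAWarnings -Type DWord
        }
        if ($BlockFromInternet) {
            # Same value the Group Policy setting writes. Writing it here mirrors the GPO for
            # one user; a real GPO, if one applies, overwrites it on the next policy refresh.
            $policy = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
            if ($PSCmdlet.ShouldProcess($app, 'Set blockcontentexecutionfrominternet=1')) {
                New-Item -Path $policy -Force | Out-Null
                Set-ItemProperty -Path $policy -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
            }
        }
    }
}

Get-OfficeMacroSettings | Format-Table -AutoSize
Set-OfficeMacroSettings -VBAWarnings 3 -BlockFromInternet -WhatIf   # drop -WhatIf to apply
Get-OfficeMacroSettings | Format-Table -AutoSize
```

In an enterprise, prefer the Group Policy route for the Internet block: the per-user value is writable by the user (and by malware running as the user), whereas a GPO-delivered value under the Policies key is re-applied centrally. The user-level VBAWarnings value is still worth auditing, because it is the one a phished user is talked into lowering.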


Only enable trusted content

If you have disabled macros, when you open a file that has macros you’ll see a message bar similar to the following:

Enable macro message

Only click Enable Content if you trust the file, that is, you know where it’s from and are certain that running the macro is harmless.


Use advanced threat and cloud protection

You can boost your protection by using Office 365 Advanced Threat Protection and also enabling Microsoft Active Protection Service (MAPS).

Office 365 helps by blocking dangerous email threats; see the Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.

MAPS uses cloud protection to help guard against the latest malware threats. You should check if MAPS is enabled on your PC.


Help prevent malware infections on your PC

There are a number of other things you can do to help prevent malware infections, for example:


So to wrap this up: this ransomware is bad, but infection is preventable! Microsoft detects and removes this threat, but by ensuring that you only run known, trusted macros, you’ll help prevent a Locky infection – and any other malware that relies on malicious macros. Generally, a good approach is to only allow digitally signed macros that you trust to run on any of your documents.

Stay safe, from all of us at the MMPC.

-Jasmine Sesso, MMPC

Making Windows 10 and Office 365 more accessible: Our path forward, 24 Feb 2016 15:06:06 +0000 Accessibility is top of mind at Microsoft, and two recent blog posts reflect this mindset. The first shares our corporate roadmap to improve accessibility and the second details progress and plans for accessibility in Office 365. As Chief Accessibility Officer Jenny Lay-Flurrie outlined, Microsoft has established three guiding principles on accessibility: transparency, accountability and inclusion.

The recent blogs, both the overarching corporate blog and the Office 365 blog, are aligned with our commitment to transparency. Our plans are aimed at delivering an experience that enables not just access, but also productivity. Within Windows 10, we will be working to improve commonly used features with showcase Windows experiences, improving browsing and reading experiences in Edge, providing a better screen-reader experience for Windows 10 Mail and working on Narrator. For Office 365, we are focusing on making it easier to author accessible content, easier to use Office 365 with screen readers, enhancing the experience with apps in High Contrast Mode, introducing new tools that benefit people with dyslexia and enabling everyone to use our applications in more intuitive ways.

There’s more in the blog posts, and I encourage you to check out the full details. We are committed to keeping our customers updated on our progress with future updates on this blog, and we look forward to getting your feedback and what matters most to you as we move forward.

Corporate Blog:
Office 365 Blog:

February 2016 Security Update Release Summary, 09 Feb 2016 10:00:00 +0000 Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates and advisories can be found in the Security TechNet Library. 


Enhanced Mitigation Experience Toolkit (EMET) version 5.5 is now available, 02 Feb 2016 17:17:28 +0000 The Enhanced Mitigation Experience Toolkit (EMET) benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives. It does this by anticipating, diverting, terminating, blocking or otherwise invalidating the most common actions and techniques adversaries use to compromise a computer. In this way, EMET can help protect your computer systems even from new and undiscovered threats before they are formally addressed by security updates and antimalware software.

Today we are pleased to announce the release of EMET 5.5, which includes the following new functionality and updates:

  • Windows 10 compatibility
  • Improved configuration of various mitigations via GPO
  • Improved writing of the mitigations to the registry, making it easier to leverage existing tools to manage EMET mitigations via GPO 
  • EAF/EAF+ pseudo-mitigation performance improvements
  • Support for untrusted fonts mitigation in Windows 10

Mitigations in Windows 10

EMET was released in 2009 as a standalone tool to help enterprises better protect their Windows clients by providing an interface to manage built-in Windows security mitigations, while also providing additional features meant to disrupt known attack vectors used by prevalent malware. Since that time, we have made substantial improvements to the security of the browser and the core OS. Windows 10 implements many features and mitigations that can make EMET unnecessary on devices running it. EMET remains most useful for protecting down-level systems and legacy applications, and for providing Control Flow Guard (CFG) protection to third-party software that has not yet been recompiled with CFG.

Some of the Windows 10 features that provide equivalent (or better) mitigations than EMET are:

Device Guard: Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. Device Guard provides hardware-based zero day protection for all software running in kernel mode, thus protecting the device and Device Guard itself from tampering, and app control policies that prevent untrusted software from running on the device.

Control Flow Guard (CFG): As developers compile new apps, CFG analyzes and discovers every location that any indirect-call instruction can legitimately reach. It builds that knowledge into the binaries (in extra data structures, the ones shown in a dumpbin /loadconfig display). It also injects a check before every indirect call in your code that ensures the target is one of those expected, safe locations. If that check fails at runtime, the operating system terminates the process.

AppLocker: AppLocker is an application control feature introduced in Windows 7 that helps prevent the execution of unwanted and unknown applications within an organization's network while providing security, operational, and compliance benefits. AppLocker can be used in isolation or in combination with Device Guard to control which apps from trusted publishers are allowed to run.

For more information on Windows 10 security features please review the Windows 10 Security overview whitepaper on TechNet.

EMET 5.5 and Edge

Given the advanced technologies used to protect Microsoft Edge, including industry leading sandboxing, compiler, and memory management techniques, EMET 5.5 mitigations do not apply to Edge.


For support using EMET 5.5, please visit


The EMET team

Accessibility Update for Windows 10 Mail, 01 Feb 2016 12:10:00 +0000 By Kate Everitt, Program Manager, Windows 10 Mail

Microsoft is committed to delivering inclusive experiences. As CEO Satya Nadella recently wrote, we are proactively taking steps and implementing a strategy to ensure we make progress on this goal across the company.

Part of this commitment involves enhancing the accessibility of our services and increasing the transparency about our progress. Today, we want to share how we’re improving Mail for Windows 10 to enhance usability with screen readers. We welcome your feedback as we continue this work throughout the year.

Using Mail today

Narrator, the screen reader built into Windows 10, currently provides the most complete experience when using Mail. We are working closely with the Microsoft UI Automation (UIA) team to continue improving both Mail and the platform. We know that many of you are using other screen readers, and we are also working with the developers of other screen readers and assistive technology vendors to improve the Mail experience here as well.

Recent Improvements

We are excited about the flexibility you have to update Mail frequently via the Microsoft Store. Since the initial release of Windows 10 last summer, we have made many improvements to the accessibility of the Mail app. Here are some of the updates we have made since we first shipped:

  • There is more predictable keyboard behavior so you always know where you are in the app.
  • Navigation is more familiar. You can move to the content of an email using the Enter key instead of the F6 Key, and use the Escape key to move back to the message list.
  • Reading mails with bullet points with Exchange accounts is more reliable when using a screen reader.
  • We’ve worked on improving the names of items and information used by screen readers as you move around the mail app, so you have more information that you need and less that you do not. 
  • You can enjoy a more efficient reading experience for complex emails.

Getting Started

Here are a few tips to help you get started when using Mail with a screen reader: 

  • Because we are continually improving, get the latest version of “Mail and Calendar” by Microsoft Corporation from the Microsoft Store. 
  • Make sure you have an up-to-date screen reader such as Narrator, JAWS 17, NVDA 2015.4, Window Eyes 9.3.1 or later.
  • Narrator is the recommended screen reader – you can turn it on by pressing the Windows key + Enter, and Caps + M to read an email.
  • Incoming messages are grouped by conversation by default. You can change a setting to list each message individually, if you prefer.
  • If you are having difficulty reading emails, you may get a better experience by turning on Caret browsing with F7.

We have published several help documents to give an understanding of how Mail works with a screen reader, including Get help for using a screen reader with Mail for Windows 10 and a list of Keyboard Shortcuts for Windows 10.

Looking Forward

Our focus for Mail over the next few months will be on enhancing the screen reader experience for reading complex emails and improving the account setup experience. Microsoft is working hard to make it easier for people with disabilities to communicate, consume and create content on any device, and for everyone to create accessible content. We will post regular updates about our progress on this initiative via

If you’re interested in providing help or suggestions, we would love to get your feedback via the Windows Insider Program. For support, contact the Microsoft Disability Answer Desk or this blog:


Internet Video Captioning Standards Earn Emmy Awards, 22 Jan 2016 11:30:00 +0000 On Friday, January 8, the National Academy of Television Arts & Sciences held the 67th Annual Technology & Engineering Emmy® Awards in Las Vegas. These awards “honor development and innovation in broadcast technology and recognize… developments and/or standardization involved in engineering technologies which either represent so extensive an improvement on existing methods or are so innovative in nature that they materially have affected the transmission, recording, or reception of television.” Two of the honorees, the Society of Motion Picture and Television Engineers (SMPTE) and the World Wide Web Consortium (W3C), were recognized for their pioneering development of industry standards enabling closed captions on Internet video.

From left to right: Ann Marie Rohaly, Director of Accessibility Policy and Standards, Microsoft; Peter Symes, SMPTE Director of Standards and Engineering; Michael Dolan, Television Broadcast Technology Inc.; and Barbara Lange, SMPTE Executive Director. Source: Cashman Photo, Las Vegas NV & The National Academy of Television Arts and Sciences

Microsoft applauds both organizations on this significant accomplishment. The W3C Timed Text Markup Language (TTML) standard and the SMPTE Timed Text (SMPTE-TT) standard enable content that is closed-captioned on television to remain closed-captioned when offered via the Internet. The standards are freely available to the public, which removes any barrier to access to this vital information and enables the hearing-impaired to enjoy video via the Internet.

In 2012, the US Federal Communications Commission (FCC) adopted SMPTE-TT as the “safe harbor” standard for Internet video captions.  Because of the pioneering efforts of SMPTE and W3C, millions of deaf and hard of hearing individuals now enjoy watching their favorite television programs on the internet – something that was not possible only a few years ago.

Microsoft is proud to have contributed to the development of these standards. Accessibility is at the core of our mission to empower every person and organization on the planet to achieve more, and we fully believe in the power of technology to help people lead richer lives, whether it is at work, at home or on the go. In addition to our contributions to the standards, they are supported in our Microsoft Movies & TV service and we were the first company to implement TTML in an Internet browser.

Two Microsoft employees were actively involved in this standards work. Sean Hayes, Senior Program Manager, served for several years as Chair of the W3C committee that developed the TTML standard and was a core technical contributor to the development of both the TTML and SMPTE-TT standards.  Ann Marie Rohaly, Director of Accessibility Policy and Standards, chaired the SMPTE committee that created the SMPTE-TT standard and was a member of the FCC’s Video Programming Accessibility Advisory Committee.

Preview version of Learning Tools for OneNote now available, 19 Jan 2016 15:05:00 +0000 Today’s classrooms include students with a wide range of abilities. Educators are expected to adapt content to meet the needs of each of their students, including students with learning differences. While technology can be an enabler to learning, for some, technology is a challenge. Many educators lose valuable instructional time discovering, justifying, deploying and maintaining assistive technology for students with learning differences. To help address these challenges, we’re introducing Learning Tools for OneNote. Born from the winning Microsoft hackathon project last summer, Learning Tools for OneNote is a toolbar add-in for OneNote 2013 and 2016, which improves reading and writing experiences for all students—including for students with learning differences like dyslexia.

During the development of Learning Tools for OneNote we worked with the team at Dyslexic Advantage to gather valuable early feedback. It is an honor to have them already recognize Learning Tools for OneNote as one of their top dyslexia apps 2016.

You can learn more and download the Learning Tools for OneNote preview version today at

Triaging the exploitability of IE/EDGE crashes, 12 Jan 2016 14:27:00 +0000 


Both Internet Explorer (IE) and Edge have seen significant changes in order to help protect customers from security threats. This work has included a number of mitigations that together have not only rendered whole classes of vulnerabilities non-exploitable, but also dramatically raised the cost for attackers to develop a working exploit.

Because of these changes, determining the exploitability of crashes has become increasingly complicated, as the effect of these mitigations must be taken into account during analysis. We have received a number of requests from the security community for clarification on how these mitigations affect exploitability. To ensure that only valid issues are submitted, we thought it would be useful to offer some guidance.


Use after free mitigations

Use-after-free (UAF) is a common class of vulnerability in modern object-oriented software. It occurs when an object instance is freed while the program still holds a pointer to it. Since the instance has been freed, this pointer is dangling, pointing to unmapped memory. Such a vulnerability is exploitable when the attacker can control that memory and the dangling pointer is later dereferenced by the program. We split UAF vulnerabilities into three classes based on where the dangling pointer is stored: the stack, the heap, or a register.

We have developed two primary mitigations to protect against UAFs:

  • Memory Protector (MP) [IE10 and below]: MP is designed to protect objects against UAFs where the reference is stored on the stack or in a register.
  • MemGC [Edge & IE11]: MemGC is a newer replacement for MP, currently enabled on Edge and IE11. Protected objects are only freed when no references exist on the stack, heap or registers, offering complete coverage.


Exploitability & Servicing

MemGC [Edge & IE11]

  • We consider UAFs that are addressed by MemGC strongly mitigated, and will not issue a security update for them.
  • The only exception is the rare case where zero-writing the object itself leads to an exploitable state, although we have yet to see an occurrence of this.

Memory Protector [IE10 and below]

  • We consider stack- and register-based UAFs strongly mitigated and will not issue a security update for them, except in the circumstances explained below.
  • Heap-reference-based UAFs are not mitigated by MP, and so will still be addressed via a security update.


Triaging crashes

Memory protector

Memory Protector (MP) is a mitigation first introduced in July 2014, initially for all supported versions of Internet Explorer, but now only applies to IE 10 and below. It is designed to mitigate the subset of use-after-free vulnerabilities caused by dangling pointers stored on the stack or in registers. At a high level, it works as follows:

  1. When delete is called on an object instance, its contents are zero-written and it is placed in a queue. Once the queue has reached a threshold size, we begin checking whether it is safe to free each object instance in the queue.
  2. To test whether it is safe to free an object instance, we scan both the registers and all pointer-aligned stack entries for a pointer to the object. If no pointer is found, the object is freed; otherwise it is kept in the queue.

Part (1) of the algorithm only delays the potential freeing of the object to a later point in time; that delay is controllable by an attacker, so it is not in itself considered a security mitigation.

To make it easier to determine the exploitability of these issues, MP has a mode called “Stress Mode”. Under this mode the delayed-free component (1) of MP is disabled: stack/register scanning happens on every free, rather than once the queue has reached a threshold length. It can be enabled with the registry key:

HKLM:/Software/Microsoft/Internet Explorer/Main/Feature Control/FEATURE_MEMPROTECT_MODE/iexplore.exe DWORD 2

(Note that this key, and “Stress Mode” itself, apply only to MP, not to MemGC.)

Example crash

With the delayed-free component of MP disabled, forcing the object instance to be freed at the earliest possible instant, we can concentrate on determining exploitability based on Part (2), as the illustrative example below shows:

In this case, we have a use-after-free vulnerability causing a near-null dereference. Tracing backwards, we can see that the value of eax was set a few instructions previously:

If we look at this object in memory, we see that it has been zero-written, and by checking the PageHeap End Magic we can see that this heap chunk is still allocated under Stress Mode:

Now we need to see if there are any stack references to this object instance, starting at the call frame in which delete was called. This can be done with WinDbg scripting: for example, scanning for references to an object whose base address is stored in ebx and whose size is 0x30:


Checking stack reference locations with MP

In this case, we find a single reference to the object instance on the stack. With this information we must now check which call frame contains this reference.

Here, we show an example call stack at the point when the object is deleted:

If there is a reference to an object instance on the stack or in a register, MP will never free the object instance. Thus, if there is always a stack reference between the point where delete is first called in frame_2 and the point where we crash with a near-null dereference in frame_5, the object instance cannot be freed and reallocated/controlled by an attacker.

In this example, the reference we found by scanning the stack (at 0x1024ae9c) is stored in frame_8. Since this reference is present the whole time between the freeing point in frame_2 and the crashing point in frame_8, we consider this case not exploitable, since it is strongly mitigated by MP.

Two other main situations can also occur:

  1. If (for example) the stack reference were in frame_3 rather than frame_8, there would be a period between the freeing of the object and the crashing point with no stack references. This case may be exploitable: if the code path between these points can be slightly altered to force another call to delete, we are left with an exploitable situation.
  2. When running under Stress Mode, the crash may now occur on a freed block, since the delayed-free component is disabled (usually because the remaining reference is stored on the heap). In this circumstance the case is generally considered exploitable.


MemGC

MemGC is a newer replacement for MP, currently available in Edge and all supported versions of IE11, and mitigates use-after-free vulnerabilities in a similar fashion to MP. However, it also offers additional protection by scanning the heap for references to protected object types, as well as the stack and registers. MemGC zero-writes the object upon free and delays the actual free until garbage collection is triggered and no references to the freed object are found.

Just like with MP, mitigated use-after-free vulnerabilities will most likely result in a near-null pointer dereference, or occasionally in no crash at all. If you suspect that a near-null pointer dereference is actually a mitigated use-after-free vulnerability, you can verify this with the following steps:

  • Find the position where the near-null value is read, determining the base pointer of the object:

If we dump the object, we can see that it has been zero-written as before:

  • Trace back and find the allocation call stack for this chunk, using the base pointer found in the first step. If the object is allocated with edgehtml!MemoryProtection::HeapAlloc() or edgehtml!MemoryProtection::HeapAllocClear(), it is tracked by MemGC, e.g.

Similarly, when the object is freed, it will be via edgehtml!MemoryProtection::HeapFree(), e.g.

To double check that the issue is successfully mitigated, we can scan for references to the object on both the heap and stack.

For scanning the stack, we can use the same technique as described in the Memory Protector section. We can then use the same criteria as described above to determine exploitability; if there exists a stack reference between the freeing point and crashing point, we consider it strongly mitigated by MemGC.

When scanning the heap, we use a similar method, first scanning the heap for references with values between base_pointer and base_pointer + object_size of the object we are interested in. If any references are found, we then need to check which objects they belong to. If the object containing the reference is itself tracked by MemGC (i.e. allocated via HeapAlloc() or HeapAllocClear()), then MemGC will not free the object we are interested in, so we consider it strongly mitigated by MemGC.

In this example, if we use the stack scanning command from above, we see that there is a reference on the stack preventing the object from being freed between the deletion and crashing points, making it successfully mitigated by MemGC.
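The two scans described above (stack slots for MP, stack plus tracked heap chunks for MemGC) and the frame_2/frame_8 reasoning can be reproduced in a small model. The following is an added example written for this page, not code from the MSRC post or from IE/Edge: the object address (an ebx-based object of size 0x30), the nine stack frames, the heap chunks and the slot address 0x1024ae9c are constructed to match the narrative, register contents are left out because they are ephemeral, and the three verdict strings are this example's own labels for the post's categories.

```python
"""Toy model of the reference scan that Memory Protector (MP) and MemGC perform,
used here to reproduce the crash-triage rules from the post.  Constructed example
written for this page, not Microsoft's code: the object address, frame layout and
heap chunks are made up, and register contents (which MP also scans) are omitted."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PTR = 4  # 32-bit pointer width, matching the eax/ebx registers in the post

# Constructed: an ebx-based object of size 0x30, as in the post's scan example
OBJ_BASE, OBJ_SIZE = 0x0A3C1000, 0x30


@dataclass
class Frame:
    name: str         # "frame_0" is the innermost frame (top of stack)
    base: int         # address of the frame's lowest pointer-aligned slot
    slots: List[int]  # stack contents, low address to high


@dataclass
class HeapObject:
    base: int
    tracked: bool     # allocated via MemoryProtection::HeapAlloc[Clear] -> MemGC-tracked
    words: List[int] = field(default_factory=list)


def in_object(val: int, obj_base: int, obj_size: int) -> bool:
    """A reference is any value pointing inside [obj_base, obj_base + obj_size)."""
    return obj_base <= val < obj_base + obj_size


def scan_stack(frames: List[Frame], obj_base: int, obj_size: int) -> List[Tuple[int, str]]:
    """Every pointer-aligned stack slot referencing the object, as (slot address,
    owning frame).  This is the scan MP runs on each free under Stress Mode."""
    return [(fr.base + i * PTR, fr.name)
            for fr in frames for i, val in enumerate(fr.slots)
            if in_object(val, obj_base, obj_size)]


def scan_heap(heap: List[HeapObject], obj_base: int, obj_size: int) -> List[Tuple[int, HeapObject]]:
    """Heap words referencing the object, as (word address, holding chunk);
    MemGC scans these in addition to the stack and registers."""
    return [(ho.base + i * PTR, ho)
            for ho in heap for i, val in enumerate(ho.words)
            if in_object(val, obj_base, obj_size)]


def triage(frames: List[Frame], heap: List[HeapObject], obj_base: int, obj_size: int,
           free_frame: str, crash_frame: str, mitigation: str) -> str:
    """Classify a zero-written near-null crash by the post's rules.

    Frames are listed innermost first, so a frame is still live at the crash iff
    its index >= index(crash_frame).  Such a frame was also live when delete ran
    in the inner free_frame, so a reference in it pins the object the whole time.
    """
    names = [fr.name for fr in frames]
    crash_idx = names.index(crash_frame)
    if names.index(free_frame) > crash_idx:
        raise ValueError("delete must happen in the crash frame or a frame inside it")

    stack_hits = scan_stack(frames, obj_base, obj_size)
    if any(names.index(fn) >= crash_idx for _, fn in stack_hits):
        return "strongly-mitigated"   # stack reference present from free to crash
    if mitigation == "MemGC" and any(ho.tracked for _, ho in scan_heap(heap, obj_base, obj_size)):
        return "strongly-mitigated"   # MemGC also honours references held by tracked heap objects
    if stack_hits:
        return "possible-window"      # reference lived only in a frame popped before the crash
    return "not-mitigated"            # heap-only reference under MP, or no reference at all


def build_frames(ref_frame: Optional[str]) -> List[Frame]:
    """Nine constructed 0x40-byte frames; ref_frame (if any) holds a pointer into
    the object in its fourth slot.  frame_8's base is chosen so that slot sits
    at 0x1024ae9c, the address quoted in the post."""
    frames = []
    for i in range(9):
        slots = [0x0, 0x1, 0x2, 0x7]
        if f"frame_{i}" == ref_frame:
            slots[3] = OBJ_BASE + 0x10
        frames.append(Frame(f"frame_{i}", 0x1024AE90 - (8 - i) * 0x40, slots))
    return frames


if __name__ == "__main__":
    print(scan_stack(build_frames("frame_8"), OBJ_BASE, OBJ_SIZE))
    for ref, heap, mit in [("frame_8", [], "MP"), ("frame_3", [], "MP"),
                           (None, [HeapObject(0x0A3C2000, False, [0, OBJ_BASE])], "MP"),
                           (None, [HeapObject(0x0A3C2000, True, [0, OBJ_BASE])], "MemGC")]:
        print(ref, mit, triage(build_frames(ref), heap, OBJ_BASE, OBJ_SIZE, "frame_2", "frame_8", mit))
```

Running the module walks the four situations the post distinguishes: the reference in frame_8 that pins the object from the delete in frame_2 to the crash (mitigated), the same reference in frame_3 that is popped before the crash (a possible window), a heap-only reference that MP does not see (not mitigated), and a reference held by a MemGC-tracked chunk (mitigated). The model treats frame liveness purely by stack depth, which is what the post's frame_2-to-frame_8 argument relies on.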


In conclusion, these mitigations dramatically enhance security by rendering whole sets of use-after-free vulnerabilities non-exploitable. When triaging issues in both IE and Edge, the behavior of these mitigations needs to be taken into account in order to determine exploitability.


We would like to thank the following people for their contribution to this post:

Chris Betz, Crispin Cowan, John Hazen, Gavin Thomas, Marek Zmyslowski, Matt Miller, Mechele Gruhn, Michael Plucinski, Nicolas Joly, Phil Cupp, Sermet Iskin, Shawn Richardson and Suha Can

Stephen Fleming & Richard van Eeden.  MSRC Engineering, Vulnerabilities & Mitigations Team.

January 2016 Security Update Release Summary, 12 Jan 2016 10:14:40 +0000 Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates and advisories can be found in the Security TechNet Library. 


Reaffirming our commitment to accessibility, 16 Dec 2015 10:00:00 +0000 At Microsoft, our mission is to empower every person and organization on the planet to achieve more. This mission connects in fundamental ways with how we as a company operate, how we design and develop technology and how we work with others to serve people with disabilities. We are committed to delivering great experiences to people with disabilities, and as President and Chief Legal Officer Brad Smith noted earlier this month, this will require us to raise our ambition.

Today, Microsoft CEO Satya Nadella reaffirmed that accessibility is core to our mission, and outlined three commitments that will guide our progress as a company in an all-company mail. Here is what he shared in that mail:

As I think about living our mission, top of mind for me heading into 2016 is how we must make Microsoft products accessible to the more than 1 billion people globally of all abilities. This is a shared goal. Universal design is central to how we realize our mission and will make all our products better. Along with our Senior Leadership Team, I will continue to devote my time and passion to this priority.

Specifically, we will do three things: First, be transparent in sharing our goals and plans to ensure our products are accessible. Second, be accountable, which means engineering leads will prioritize universal design in the development of all products and services going forward. Third, continue to make this part of our work on building a more inclusive culture, including efforts to expand our existing accessibility hiring and awareness training initiatives and programs.

Want to see your Imagine Cup idea funded? Follow in Team Prognosis’ footsteps!, 15 Dec 2015 14:00:00 +0000 Back in August, well before Team Prognosis spent a week on the Microsoft campus getting a crash course in business, they had applied for the prestigious Horizon 2020 grant with the European Commission. In November, they received the good news that their proposal had been accepted and they would be getting €4M!

Konstantinos Mavrodis, Vicky Bikia, Despina Efthymiadou and Dimitris Iakovakis created Prognosis, a Windows Phone app designed for early detection of and intervention in Parkinson’s disease. The app collects user data from sensors embedded in a mobile phone and, optionally, via the Microsoft Band; it runs in the background so data is collected unobtrusively.

In mid-November, they got an email from their mentor, Leontios Hadjileontiadis, with the exciting and life-changing news that their grant proposal was one of five accepted out of 165 applicants. They were scattered throughout the world at that time of the news, but they quickly jumped on a Skype call to celebrate.

“We had just come back from Seattle and got this news – it was such a blessing and just perfect timing,” said Despina.

Over the next five years, they will build Prognosis into a thriving business.

Horizon 2020 is the biggest EU Research and Innovation program, with nearly €80 billion of funding available over seven years (2014 to 2020). By coupling research and innovation, Horizon 2020 works to help achieve economic growth with its emphasis on excellent science, industrial leadership and tackling societal challenges. The goal is to ensure Europe produces world-class science, removes barriers to innovation and makes it easier for the public and private sectors to work together in delivering innovation.

Team Prognosis worked with the lab staff and their mentor at Aristotle University to write the grueling and extremely detailed 70-page proposal, which was no small feat considering they were simultaneously working on their Imagine Cup project at the time and pushing hard to finish their undergraduate degrees.

They submitted the proposal in August and began the long wait. Their proposal would go through three rounds of review and finally emerge as one of the six winners.

So what’s next? The team will get together with their 11 partners (which include Microsoft and Kings College, London) for an all-hands-on-deck planning meeting in February. Until then, they all plan to study for finals and relax over the holiday break.

But not all is on hold for Prognosis until February. “My thesis correlates with Prognosis – so I am working on it all the time,” said Dimitris. In fact, each team member is looking for ways to coordinate their academic studies with Prognosis.

Konstantinos told us that he can’t wait to get started. “I am most excited to begin research and development for the sleep intervention for patients. Sleep is such an important part and will serve a key role in the patient’s life.”

Vicky said that she just feels blessed at the prospect of a meaningful career. “We are very lucky to have something to work on that is of great interest to us and has an impact on other people. Not everyone gets that in life.”

Though they are beyond excited to receive the grant, the grant money doesn’t come without its pressures. Because it’s a medical app, they have to get it right. It’s not just a game people will play. Vicky emphasized, “It has to be safe.”

Dimitris said that the entire last year (Imagine Cup, Ability Bootcamp, and now the Horizon 2020 grant money) has really boosted their confidence. “We know our dreams have made it this far. We are excited!”

“It’s true!” Vicky exclaimed. “We feel like more than students now. We feel responsible for something really, really big. It’s really training us. Now we know there is a place for young people to contribute in this world to dream, hope, and create.”

Despina agreed. “We are looking forward to the impact all this may have on people’s everyday lives. Awards, grants are exciting things, but they are not the most important. The most important for us is helping people, and we want to see what we can achieve through this project.”

We are continually inspired by Konstantinos, Despina, Vicky and Dimitris! If you are too, consider starting where they did – by registering for Imagine Cup.

December 2015 Security Update Release Summary, 08 Dec 2015 10:06:30 +0000 Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates and advisories can be found in the Security TechNet Library. 


BlueHat v15 Announces Schedule and Registration, 18 Nov 2015 13:14:00 +0000 As we inch closer to the 15th BlueHat Security Conference, we are happy to announce the lineup of speakers and topics for this event. This year will continue with a solid speaker and topic selection that engages engineers, executives, and invited guests to discuss and tackle some of the hardest problems facing the industry today. Through this conference, our engineering teams get deep technical information and education on the latest threats from proven industry experts.

BlueHat is set for Tuesday, January 12th through Wednesday, January 13th at Microsoft’s Redmond campus. The first day will set the stage of the threat environment and what is impacting customers today. The second day splits into four simultaneous tracks (two in the morning and two in the afternoon) focusing on protecting customers and defense strategy, pivoting to help customers, software/service development, and attacks/exploits in the wild.

External invites have been sent and registration is now open for BlueHat v15.  We look forward to another great conference.


Tuesday, January 12th, 2016 | General Audience


9:00-9:50 AM | Ofir Arkin | Intel
Keynote: Security in a World Out of Our Control

The traditional security models are failing as they become obsolete in a world where the environment and technology are constantly changing and advancing. The need to allow anywhere, anytime access (Mobility) to enterprise resources from any user (Collaboration) and any device (BYOD) has challenged the mere existence of the fixed perimeter and the traditional defense mechanisms. In a world where IT is losing control over devices, users and even its own infrastructure, a new security model that takes these new realities into account must be put in place.


10:00-10:50 AM | Nick Carr and Matthew Dunwoody | Mandiant
No Easy Breach: Challenges and Lessons from One of Mandiant's Most Demanding Investigations

Every IR presents unique challenges. But – when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day – the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.

11:00-11:50 AM | Shawn Loveland | Microsoft
The Business of Cybercrime

Just as the PC/computer/mobile device ecosystem has grown over the decades, so has the cybercrime industry, which today is more organized and motivated than at any time in history. Blackhat cybercrime is a form of malicious online behavior motivated by profit and a predictable ROI. Treating Blackhat cybercrime as a purely technological problem makes mitigation difficult, costly, and ineffective. By understanding the attacker’s Tools, Techniques, Motivations, and Business Models, we can understand how our products, services, and users are, and will be, victimized by Blackhat Cybercriminals.


1:00-1:50 PM | Daniel Edwards | Microsoft
HoneyPots & Deception – What is happening to our Azure customers?

The theme of the talk this year will be about my experiments in running a honeypot in Azure, what I learned, how the information can be used to improve protection and a call to action. The PowerPoint is a very basic outline meant to convey the theme of the talk. I just haven’t had a chance to create all the diagrams, but I already have all the data (and continue to collect additional data every day) that I am talking to. The Word document is a sample of the analysis that I will be incorporating.

2:00-2:50 PM | Alex Weinert and Dana Kaufman | Microsoft
A Year in the Trenches with Microsoft Identity Protection team

Between Microsoft account, Microsoft’s consumer system which supports Outlook, Xbox, OneDrive, and more, and Azure Active Directory, which supports virtually all enterprise identity deployments, Microsoft’s Identity team supports more than 2B identities in every market and services over 14B logins every day. The Identity Protection team is responsible for ensuring that access is granted only to account owners, and that those account owners are not fraudsters. In this session, we’ll provide an overview of the protection systems in play, how we see fraudsters adapting to those systems, and industry trends in a world where high-stakes attacks meet high-tech adaptive countermeasures. We’ll punctuate the talk with a few scary stories from the front lines, and our forecast for the future of identity protection.

3:00-3:50 PM | Jonathan Birch | Microsoft
Unintended Authentication

Unintended authentication to untrusted services is a common but largely ignored problem in Windows applications. In this talk, I explain how this type of vulnerability occurs and why its potential and current exploitation create a risk that application developers should work immediately to mitigate. To give reference examples, I discuss two cases where this type of vulnerability occurred and was fixed in Microsoft Office. Finally, I demonstrate how to test for and fix unintended authentication problems and best practices that can be used to prevent them from being introduced into a product.

4:00-4:50 PM | Matt Graeber | Veris Group
Windows Management Instrumentation – The Omnipresent Attack and Defense Platform

A resourceful attacker seeking to maximize his or her compromise/effort ratio will naturally target any omnipresent technology present in a homogeneous environment. Windows Management Instrumentation (WMI) is one such technology that is present and listening on every Windows operating system dating back to Windows 95. WMI is a powerful remote administration technology used to get/set system information, execute commands, and perform actions in response to events. While it is a well-known and heavily used technology by diehard Microsoft sysadmins, attackers (i.e. diehard unintended sysadmins) find such built-in technology enticing, especially those who wish to maintain a minimal footprint in their target environment. In reality, targeted and criminal actors are making heavy use of WMI in the wild and defenders need to be informed of its capabilities both from an offensive and defensive perspective. This talk aims to inform the audience of the basics of WMI, in the wild attacks, theoretical attack scenarios, and how defenders can leverage the WMI eventing system against an attacker.

Wednesday, January 13th, 2016 | General Audience

TRACK 1 – DEVELOPMENT

9:00-9:50 AM | Lee Holmes | Microsoft
Attackers Hunt Sysadmins. It's Time to Fight Back

What do the NSA, APT groups, and run-of-the-mill attackers have in common? They. Hunt. Sysadmins. After all, what’s a better way to compromise an entire infrastructure than to target the folks with complete and unconstrained access to it? It’s time to fight back. In this talk, we introduce PowerShell Just Enough Administration, a powerful platform capability that lets you add role-based access controls to your existing PowerShell-based remote management infrastructure.

10:00-10:50 AM | Laura Bell | SafeStack
Protecting our people (The Awkward Border)

People are problematic when it comes to security. We all know and laugh about the ease with which we can lie, cheat and steal from those around us whilst stubbornly refusing to admit that the same scams would probably work on us too. A culture of fear and negative consequences spanning decades has given us a workforce that is not only scared of being attacked, but scared of saying something if they see a threat or do something wrong.

So how do we change this? Can we enable, empower and engage _all_ of our people to protect themselves and those around them? More importantly can we do this without destroying privacy or putting those people at risk? This isn't a sales pitch. This isn't a miracle cure. This is the story of trying to protect our people and the difficult road to achieving this.

11:00-11:25 AM | Shawn Hernan | Microsoft
Factor-and-a-half Authentication

Many traditional techniques for protecting the stored representation of passwords derive their security from making the password verification operation expensive. For example, a server may hash a password many times as a way to slow down brute-force attacks against an offline copy of the password database. In such a scheme, acceptable password security may result in unacceptably poor login-time performance. Memory-intensive functions like scrypt may not scale well on a server that has to support a large number of simultaneous login attempts. Multi-factor authentication schemes provide protection against many of the common problems that plague reusable passwords. Unfortunately, adoption rates for MFA are low in general, and many of the systems are expensive or suffer from usability issues. This talk proposes an authentication system, “factor-and-a-half authentication,” to address some of these problems. Factor-and-a-half authentication consists of “something you know” and “something you create,” along with initial setup and verification protocols and policy management between clients and server.

11:30-11:55 AM | Scott Longheyer | Microsoft
Network Defense – Isolation Enforcement

Some things are meant to be shared, some are not. From dedicated to software-defined networks, we discuss modern solutions to enforce network isolation in extremely dynamic, often exposed, single or multi-tenant hosting environments. The tools are getting better, let’s wield them. Network certifications are not required to attend.

TRACK 2 – PIVOTING TO HELP CUSTOMERS

1:00-1:50 PM | Amit Hilbuch | Microsoft
Early Detection of Fraud Storms in the Cloud

Cloud computing resources are sometimes hijacked for fraudulent use. While some fraudulent use manifests as small-scale resource consumption, a more serious type of fraud is the fraud storm: an event of large-scale fraudulent use. These events begin when fraudulent users discover new vulnerabilities in the sign-up process, which they then exploit en masse. The ability to detect these storms early is a critical component of any cloud-based public computing system.

In this work we analyze telemetry data from Microsoft Azure to detect fraud storms and raise early alerts on sudden increases in fraudulent use. The use of machine learning approaches to identify such anomalous events involves two inherent challenges: the scarcity of these events and, at the same time, the high frequency of anomalous events in cloud systems. We compare the performance of a supervised approach to that achieved by an unsupervised, multivariate anomaly detection framework. We further evaluate the system performance taking into account practical considerations of robustness in the presence of missing values, and minimization of the model’s data collection period. This work describes the system, as well as the underlying machine learning algorithms applied. A beta version of the system is deployed and used to continuously control fraud levels in Azure.

2:00-2:50 PM | Christiaan Beek | Intel Security
There’s A Pot of Gold at The End of the Ransomware Rainbow

Ransomware is one of the threats we have seen rising over the past few years, with a huge resurgence in 2014. The Windows platform is the main target, but Linux, mobile and OS X operating systems are also being targeted by these campaigns. In this presentation, we will start with an overview of the different crypto-ransomware families we have seen in the past couple of years, combined with some of the technical developments in the industry that helped make this business model very lucrative. We continue with examples of in-depth analysis of behavior patterns we discovered in certain families that helped us identify and classify them. Besides the malware itself, we will highlight some insights into how the actors generally operate, the infrastructure they build up, the financial infrastructure, the profits, and connections with other cybercrime operations.

3:00-3:50 PM | Jasika Bawa, Costas Boulis, and Roman Porter | Microsoft
Advancing SmartScreen To Disrupt The Exploit Kit Economy

Microsoft SmartScreen integrated with Internet Explorer, Microsoft Edge, and Windows, has helped protect users from socially engineered attacks such as phishing and malware downloads since the release of Internet Explorer 7. Over time, SmartScreen reputation checks on URLs and SmartScreen Application Reputation protection in the browser and in Windows have significantly changed the socially engineered attack landscape, leaving such attacks at historic lows. However, attackers have continued to adapt—enter Exploit Kits (EKs), one of the fastest growing threats online.

EKs often originate on trusted websites and target vulnerabilities in software used by our customers every day. Moreover, EK-based attacks do not require any user interaction—there's nothing to click, nothing to download—and infection is invisible. Approximately two-thirds of new malware is now being delivered by EKs, hardly surprising given that a single EK on a popular site can infect thousands of people in less than an hour. The recently analyzed Angler EK, for instance, was found to target almost 90,000 innocent victims each day, earning cyber criminals potentially more than $30 million annually and further proving the EK space to be an extremely financially lucrative one. But all isn't lost! Starting with the November release of Windows 10, Microsoft SmartScreen will begin protecting users from EK attacks in Internet Explorer and Microsoft Edge. In this talk, we will discuss the growing EK landscape, how it is impacting our customers, and how, with new synchronous blocks for EKs, SmartScreen once again aims to continue increasing the cost of exploitation for attackers.

4:00-4:50 PM | Mark Novak and Dave Probert | Microsoft
Virtual Secure Mode and Shielded Virtual Machines

Virtual Secure Mode is a new virtualization-assisted security technology that made its debut in Windows 10.  This talk will describe the fascinating security properties of VSM as well as cover the two new technologies that were built with its help: shielded virtual machines and Credential Guard. Microsoft developers interested in utilizing VSM in their projects should talk to folks in the WDG.

Wednesday, January 13th, 2016 | General Audience  


9:00-9:50 AM | Nils Sommer | Bytegeist
Windows Kernel Fuzzing

Attackers often rely on Windows kernel vulnerabilities to break out of application sandboxes and escalate privileges. To rapidly identify such vulnerabilities, we adapted techniques from browser fuzzing to assess the kernel and have reported a number of critical issues to Microsoft. All aspects of the fuzzer, from test case generation to testcase minimisation are highly distributed and it produces high quality testcases for reproduction. This talk will discuss our approach for fuzz testing the Windows kernel, from assessing the kernel's attack surface and effective test case generation, to the design and architecture of a highly distributed fuzzer that scales to many hundreds of CPU cores.

10:00-10:50 AM | Leigh Honeywell and Ari Rubinstein | Slack   
Secure Development for Snake People: New Ideas for the Next Generation

Startups hear the word “process” and freak out – shipping code every day isn’t optional. What if you could build a secure development process that accelerated development, instead of slowing it down? At Slack, we have – allowing our small team to distribute security work to developers, and building up their security skills from intern to senior engineer. We’ll talk through the tools and processes we built – a flexible, open source framework including a lightweight self-service assessment tool, a checklist generator, and most importantly a chat-based process. Together, these encourage security thinking in the tools developers already spend their time in – allowing us to effortlessly document people’s thought processes around risk. By empowering developers to think about security themselves and incorporate secure practices into their own teams and workflows, we’ve defeated the fear of the checkbox and replaced it with new tooling and process that teams actually want to work with.

11:00-11:25 AM | Jason Shirk | Microsoft
Microsoft Bounty Program: Making it to the MSRC Top 100

Microsoft has been working with security researchers for a long time as part of a robust security regimen, which we continue to value and drive passionately. Bug bounties are an increasingly important part of the vulnerability research and defense ecosystem. We believe that bounties will continue to evolve over time, and will be regularly managing the Microsoft Bounty Programs. In this talk Jason will be talking about what we've seen to date, what we've learned, and diving more deeply into the data behind running the Bug Bounty Programs at Microsoft.

11:30-11:55 AM | Eugene Bobukh | Microsoft
Transcending Threat Modeling Limitations

Threat Modeling as we know it today has inherent scalability limitations. It can be shown that its computational complexity is O(N^2) with respect to the number of elements modeled. In everyday practice that places an upper limit for human driven threat modeling at approximately 20 elements. However, contemporary software is significantly more complex, consisting of thousands of logical components. What options are available to transcend that limitation? In this talk we shall explore some experimental approaches for scalable threat modeling.


1:00-1:50 PM | Anna Chung | Uber
The Glocalization of the Underground Market

Starting with a general introduction to the Chinese-speaking cybercrime underground market, this presentation discusses how international hacking tools and compromised data are used by financially motivated criminals, and what adjustments were made to localize the business model. The talk uses cybercrime activity targeting the Japanese online banking system, and possibly the spread of web-based DDoS tools, to explain the state of glocalization in the Chinese underground economy.

2:00-2:50 PM | Nicolas Joly | Microsoft

Although Windows has a long history of vulnerabilities and exploit techniques, Windows Phone OS has proven to be much harder to exploit than its cousin. Low market share, little public research, a high focus on iOS and Android, but also strong security policies have made that target highly resistant to massive pwnage. But as often happens with exploits, a good vulnerability such as a write-what-where condition is usually enough to defeat all mitigations in place. Based on research conducted for Mobile Pwn2Own 2014, this talk will depict the road taken to get a working exploit for Internet Explorer Mobile running on WP 8.1.

3:00-3:50 PM | Kostya Kortchinsky | Google
VMware Workstation Escape: the Virtual Printer Case

VM Escapes, or how to execute code on the Host OS from a Guest. While they are not a new concept, they are increasingly attractive as virtualization expands, in the datacenters and elsewhere.
This presentation, focusing on VMware Workstation, will demonstrate how arbitrary code execution in the Host was achieved from the Guest through memory corruption vulnerabilities in VMware Workstation Printer Virtualization.
I will cover the virtual printer protocol, how to fuzz it, the vulnerabilities uncovered (through fuzzing and reading the assembly code), and finally walk through a fully working exploit for Workstation 11.1.0 on a Windows 8.1 Host.


4:00-4:50 PM | Matt Miller and David Weston | Microsoft
The Cutting Edge of Web Browser Exploitation

Web browsers are the primary portal to the Internet for most people and it is no surprise that they continue to be one of the most preferred infection vectors for targeted and large scale attacks in-the-wild. Over the past few years, Microsoft has observed some significant changes in the trends related to how browser-based vulnerabilities are discovered and exploited in practice. In this presentation, we will explore these trends and dig into the technical details of how browser-based vulnerability exploitation has changed over the past 15 years. We will show how Microsoft has responded to these changes in the threat landscape by showcasing some of the major security investments that have been made in Windows, Internet Explorer, and the Microsoft Edge browser. We will provide an objective assessment of the impact that these investments have had thus far and explain how these hardening measures, particularly in the Microsoft Edge browser, have significantly affected the playbook that attackers have developed for exploiting browser-based vulnerabilities.


**PLEASE NOTE: This schedule may be subject to change but we will endeavor to keep the final schedule as close as possible to what appears here.



BlueHat v15 End-of Event Survey Give-Away Rules

At the end of each conference day, please ensure you complete the End-of-Event survey located at:  

As part of the Microsoft BlueHat v15 Conference, Microsoft will conduct a give-away of prizes described in the prizes section below. A reconciliation of attendees and end-of-event survey completions will occur to determine eligible participants. Any duplicates will be removed, as only one entry per person is allowed. A random drawing by a disinterested party will occur based on the list of eligible personnel who have submitted their end-of-event surveys by midnight on 1/18/2016. All decisions regarding winners by the event organizers are final.

Prizes: As part of the BlueHat Conference, Microsoft will select one individual to receive a Microsoft Xbox One valued at $399 and 10 individuals to receive a Starbucks gift card valued at $10 each.

Eligibility: The give-away is open to all the BlueHat v15 attendees (to External attendees, Microsoft FTEs and Interns, and Contingent Staff) who attend the conference either in person or via Live Streaming, and COMPLETE the End of Event Surveys. Personnel who are unable to attend due to technical issues, geography, or other events that prohibit attendance are not eligible. Additionally, personnel who view only the On Demand videos after the event and event organizers are not eligible.

Any questions regarding this give-away should be sent to

BlueHat v15 Give-Away Winners

Microsoft Xbox One Winner

Christian Kuhtz

$10 Starbucks Gift Card Winners
Rich Eicher
Nate Warfield
Marius Bunescu
Max Poliashenko
John Bambenek
Roman Golovin
Samuel Jenkins
Neil Coles
Chris Kaler
Angie Wilson

BlueHat v15 Full Agenda_Jan12-13.pdf

November 2015 Security Update Release Summary, 10 Nov 2015 10:02:32 +0000

Today we released security updates to provide protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates and advisories can be found in the Security TechNet Library. 


EMET: To be, or not to be, A Server-Based Protection Mechanism, 20 Oct 2015 15:27:00 +0000 Folks – Platforms PFE Dan Cuomo here to discuss a common question seen in the field:

“My customer is deploying EMET and would like to know if it is supported on Server Operating Systems.”

On the surface there is a simple answer to this question, however with a little poking, a little prodding, the question quickly becomes:

“Does EMET protect Server workloads?”

This is a more complicated question that usually incurs some email-based eye-rolling when we tell them, like most questions, “It depends.”  They really didn’t mean to ask that question either and so after some more poking, and some more prodding, a number of different questions are uncovered, all of which require a little more analysis than the typical “YES” or “NO” question.  So in the next few paragraphs we’ll discuss the reasons for this question, and how to have this conversation with decision makers in the organization.

Is EMET Supported on Server Operating Systems?

The simple answer to the server support question is an emphatic “YES!”  As you can see in the EMET support article (summarized below), EMET 5.2 can be installed on most currently supported operating systems (as of the writing of this article) and their derivatives.  For example, the client operating systems Windows 7, 8, and 8.1 are all supported, as are Windows Server 2008, 2008 R2, 2012, and 2012 R2. (Note that EMET 5.5 Beta adds support for Windows 10.)

Operating System (min supported), as listed in the EMET 5.2 support table:

  • Windows 10
  • Windows 8.1
  • Windows 8
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows 7 Service Pack 1
  • Windows Server 2008 R2 Service Pack 1
  • Windows Server 2008 Service Pack 2
  • Windows Vista Service Pack 2


[Short and Sweet]:

Q: Is EMET Supported on server Operating Systems?

A: Yes, EMET is supported on currently supported server Operating Systems

Can EMET Protect My Legacy Server Operating Systems?

One reason customers consider deploying EMET is to protect their legacy systems such as Windows XP (EoL: April 8th, 2014) and Server 2003 (EoL: July 14th, 2015).  Many customers may still be wondering if they really need to migrate, or even how to get started.  This link and this TechEd video, It’s the End of the World As You Know It…Windows Server 2003 End of Life, will give you a bunch of great information.  If you want the CliffsNotes: yes, you REALLY need to migrate; one thing you won’t find on this page is a link to download EMET.

You may be wondering if you can avoid migrating a legacy system to a newer, supported operating system if you install EMET.  The absence of EMET from the prior links, as well as this video, should make it abundantly clear that the answer is “NO.”  You still need to migrate off of the legacy operating systems.  In addition, once a server operating system goes out of support, EMET is no longer supported on that platform.  For example, now that we’ve passed July 14th, any remaining 2003 systems in your enterprise are no longer supported.  Likewise, the EMET application on those systems is also unsupported.

EMET primarily mitigates user-mode application exploits that target applications like Microsoft Office, Internet Explorer, and Adobe Acrobat.  As such, it may provide some additional protection while you’re migrating, however it will not protect you against all exploits targeted at this legacy platform and it is certainly not a long-term “silver-bullet” to enterprise security.  Your safest course of action is to upgrade those legacy systems to a newer, supported operating system.

Note: Having just read that last sentence, many of you are currently misinterpreting what I said as proof that you don’t really need to upgrade if you have a mission-critical application that only runs on a legacy OS.  STOP IT!!!

All joking aside, I will tell you that nearly every customer I have encountered thinks they’re the exception to the rule.  In reality, there are few actual exceptions.  If you don’t know what to do or how to get started, I implore you to contact us to see how we can help you.

[Short and Sweet]:

Q: Will EMET protect your legacy operating system?

A: Nope.  While EMET could mitigate some potential vulnerabilities on a legacy system, it should not be considered a long-term alternative to migrating to a supported OS.

What should I protect with EMET?

OK, let’s recap.  We now know EMET can be installed on supported server operating systems.  In addition, it can provide some level of protection while you’re migrating off a legacy OS.  But what applications should you configure EMET to protect in these environments?

When considering an application protection strategy, keep in mind that “agents” are most likely already sprawling throughout your enterprise, consuming valuable system resources.  I’ve regularly heard customers say, “Not another agent!?”  With this in mind, focus on a risk-management based approach.  This would include applications that are:

1)      Most likely to be exploited

2)      Consuming content from external or untrusted sources

Most likely to be exploited:

In addition to being the least desirable high school yearbook award, this category describes applications that are highly targeted by attackers.  This often boils down to the widespread use of an application.  Protecting applications that attackers believe yield a high reward (for example, those that affect many people) should be considered essential.

An example of this would be Microsoft Word or Adobe Acrobat.  Both of these applications have a large user base.  An attacker would know that if successful, the exploit would affect many customers.  In contrast, an exploit that targets a “home-grown” LOB application would yield a low-reward.

Applications consuming content from external or untrusted sources

This category describes applications that consume or access content from an external or untrusted source such as the internet.  For example, both Microsoft Word and Adobe Acrobat handle “untrusted” content when a user downloads and opens a *.docx or *.pdf from the internet.  Opening the same file types from an intranet SharePoint site is lower risk, though not zero.  Another example would be any web browser that has access to the internet.

When you first configure EMET you’re greeted with the wizard shown below:

If you select the option to “Use Recommended Settings” (shown above), you are, among other things, configuring EMET to use the “Recommended Software.xml” protection profile included with the installer.  The included applications (shown below) are recommended by the EMET Product Group and have been tested to verify that, by and large, the selected mitigations run against them with few false positives or incompatibilities.

Note: False-positives and incompatibilities are likely to occur as many applications make use of the exact behavior that the mitigations intend to block.  Please review EMET mitigation guidelines for a list of known application mitigation compatibility issues. 

Please also review Kurt Falde’s article on Troubleshooting an EMET Mitigation Application Crash for information on what to do when you find an incompatible application mitigation.

It is imperative to thoroughly test your configuration making sure that the pilot contains a good representation of target systems.  For example, make sure to include all necessary plug-ins or add-ins to applications that will be encountered in the enterprise for both client and server operating systems.

The included protection profiles are a great, low-risk way to get started.  These profiles contain the “low-hanging fruit” and provide the biggest gains.  The applications included in the recommended software protection profile (shown below) cover a range of popular applications and those that consume external or untrusted content.

The popular protection profile is a superset of the recommended protection profile.  It adds a number of additional applications that fit the same bill.  Once you’ve tested the applications in the recommended list, test the applications in the popular list against a group of machines that are representative of your target environment.

[Short and Sweet]:

Q: What should you protect with EMET?

A: Stick to the applications in the recommended and popular protection profiles.  These include applications that have been tested, are widespread, and may handle external or untrusted content.

What about generic Microsoft processes?

Nope.  Technically speaking, you can ask EMET to protect any application that runs on a system.  However, keep in mind that these additional applications have not been tested and may not behave as expected.  We specifically call this out in the EMET mitigations guidelines, “System and network services are also out-of-scope for EMET. Although it is technically possible to protect these services by using EMET, we do not advise you to do this.”

This includes servers that you really care about, like domain controllers.  Between you and me, if you’re thinking about protecting LSASS.EXE or MSExchangeIS.exe, this is what we in “the biz” call an “RGE” (resume generating event).  Put down the mouse and step away slowly…

[Short and Sweet]:

Q: What about generic Microsoft processes?

A: Nope, stick to the applications in the recommended and popular profile lists.

What else should I consider?

Some of you savvy readers out there are probably saying to yourself,

“Now hold the phone, Dan.  We follow pretty stringent guidelines about what does or does not get installed on servers.  We have enforced rules that prevent the installation of the applications listed in the protection profiles.”

“In fact, we even make sure that administrative users are unable to reach the internet from servers.  We’re confident that none of the applications you spoke of previously will reach our servers.”

Before completely discarding EMET, it’s important to note that EMET does provide other capabilities that you may be able to leverage, such as certificate trust pinning.  However, if you can honestly tell me that there is no way that those applications will get installed on your systems and that they can never come in contact with untrusted content, you may not need EMET on your servers.  On a side note, if you’re looking for a PFE, I know someone who would love to work in an environment like that :)

It’s to these customers I usually recommend a Microsoft Security Risk Assessment (#ShamelessPlug) or other security assessment that helps make sure that your perception is reality.  Some of the best advice I’ve been given is, “trust, but verify.”

In contrast, perhaps your team is just too big, or too widespread.  Maybe you don’t have the necessary process, procedure, or technology to eliminate this risk in your server environment.  In cases like these I would advise rolling out EMET to your server infrastructure as well.

[Short and Sweet]:

Q: What else should I consider?

A: Look at your IT team structure.  Review your processes and procedures.  Have a third party look at them.  Verify EMET can’t help you before you decide you don’t need it!


As you have now seen, this seemingly simple question spirals into a complicated one very quickly.  EMET is supported on servers, and can be used to enhance security across a wide range of platforms.  Use the built-in protection profiles as a baseline and thoroughly test your target systems prior to deployment.

Lastly, if your technology, process, and procedures for server security are foolproof, then feel free to focus your efforts elsewhere.  Otherwise consider EMET part of your IT security “flu-shot.”  Take the time now and roll it out before you have a problem.

Thanks for reading,

Dan Cuomo


Microsoft Bounty Programs Expansion – .NET Core and ASP.NET Beta Bounty, 20 Oct 2015 10:00:00 +0000, I have another exciting expansion of the Microsoft Bounty Programs to announce. Please visit to find out more. I’ll be discussing this new bounty in my talk at SyScan360 on October 21, 2015. We are delighted to offer a bounty for the .NET Core and ASP.NET Beta which Microsoft released earlier this month.

.NET and ASP.NET represent critical building blocks in the Visual Studio Development Suite. This bounty is particularly interesting because the libraries and functions included in .NET enable developers to write their own programs with great security and stability, increasingly on many operating systems. This will extend to all supported platforms, initially including Linux and OS X, with some current exclusions on non-Windows platforms. You can find more information in the FAQs, the .NET program terms and the .NET team’s blog. The highlights are as follows:

  • .NET Core and ASP.NET Beta 8 and any subsequent Betas or Release Candidates during the bounty period

  • Presently includes supported platforms on Windows, OS X and Linux

  • The bounty will run October 20, 2015 – January 20, 2016

  • Bounty payouts will range from $500 USD to $15,000 USD

These additions to the Microsoft Bounty Program will be part of the rigorous security programs at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits.

As always, the most up-to-date information about the Microsoft Bounty Programs can be found at and in the associated terms and FAQs.

Happy Hacking!

Jason Shirk

Enhanced Mitigation Experience Toolkit (EMET) version 5.5 Beta is now available, 15 Oct 2015 16:13:23 +0000

The Enhanced Mitigation Experience Toolkit (EMET) benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives. It does this by anticipating, diverting, terminating, blocking, or otherwise invalidating the most common actions and techniques adversaries might use to compromise a computer. In this way, EMET can help protect your computer systems even from new and undiscovered threats before they are formally addressed by security updates and antimalware software.

EMET 5.5 Beta release includes new functionality and updates from EMET 5.2, including:

  • Windows 10 compatibility
  • Better configuration of various mitigations via GPO
  • EAF/EAF+ pseudo-mitigation performance improvements
  • Support for Windows 10’s new Untrusted font mitigation
  • Various bug fixes


Benefits of EMET

Helps raise the bar against attackers. EMET helps protect against new and undiscovered threats even before they are formally addressed through security updates or antimalware software. EMET includes many security mitigations that complement other defense in-depth security measures, such as Windows Defender and antivirus software. EMET installs with default protection profiles, which are XML files that contain preconfigured settings for common Microsoft and third-party applications.

Works well for the enterprise. Enterprise IT professionals can easily deploy EMET through Microsoft System Center Configuration Manager and apply Group Policies in Windows Active Directory to comply with enterprise account, user, and role policies. EMET is highly customizable and administrators can choose which applications to protect with each mitigation technique.

EMET can even provide mitigation protections for legacy enterprise software that cannot easily be rewritten, or where the source code is not available.

The reporting capabilities in EMET are provided through a component called the EMET Agent, which allows enterprises to create logs and notifications for audit purposes. EMET customer support is available through Microsoft Premier Support Services. For more information on deploying EMET, visit the EMET Knowledge Base Article: KB2458544

Helps protect in a wide range of scenarios. EMET works for a range of Windows client and server operating systems and is compatible with most commonly used third-party applications, from productivity software to music players. When users browse secure HTTPS sites on the Internet or log on to popular social media sites, EMET can help further protect by validating Secure Sockets Layer (SSL) certificates against a set of administrator-defined rules.

Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET enables customers to leverage these security mitigation technologies on their systems and provides several unique benefits:

No source code needed: EMET enables administrators to apply several of the available mitigations built-in to Windows (such as Data Execution Prevention) for individual applications without recompilation. This is especially useful for deploying mitigations on legacy software that was written before the mitigations were available, or when source code is not available.

Highly configurable: EMET provides a high degree of granularity by allowing mitigations to be individually applied on a per process basis. There is no need to enable the mitigations on an entire product or suite of applications. This is helpful in situations where a process is not compatible with a particular mitigation technology. When that happens, the administrator can simply turn that mitigation off for that process.

Helps harden legacy applications: It’s not uncommon to have a hard dependency on old legacy software that cannot easily be rewritten and needs to be phased out slowly. Unfortunately, this can easily pose a security risk as legacy software is notorious for having security vulnerabilities. While the real solution to this is migrating away from the legacy software, EMET can help manage the risk while this is occurring by making it harder for hackers to exploit vulnerabilities in the legacy software.

Helps verify SSL certificate trust while surfing websites: Given the increase in incidents of Certificate Authorities allowing the creation of fraudulent SSL certificates used to perform man-in-the-middle attacks, EMET offers the possibility to enforce a set of pinning rules that verify the SSL certificates of specified domains against their issuing Root CA (configurable certificate pinning).

Allows granular plugin ‘deny list’ within applications: Modules and plugins, when loaded into an application, can increase its exposure to vulnerabilities and, consequently, to potential attacks. EMET addresses this by allowing the administrator to create ‘deny lists’ to prevent unwanted modules and plugins from loading within an application.

Ease of use: The policy for system wide mitigations can be seen and configured with EMET's graphical user interface, the command line tool or via Group Policy. There is no need to locate and decipher registry keys, or run platform dependent utilities. With EMET it is possible to adjust settings with a consistent interface regardless of the underlying platform.

The toolkit includes several pseudo mitigation technologies aimed at disrupting current exploit techniques. These pseudo mitigations are not robust enough to stop future exploit techniques, but can help prevent systems from being compromised by many of the exploits currently in use. The mitigations are also designed so that they can be easily updated as attackers start using new exploit techniques.

Mitigations in Windows 10

One of EMET’s original goals was to be a testbed for mitigations to add to the operating system. With Windows 10 we have implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10. EMET is most useful to help protect down-level systems, legacy applications, and to provide Anti-ROP protection for 3rd party software that may not yet be recompiled using CFG.

Some of the Windows 10 features that provide equivalent (or better) mitigations than EMET are:

Device Guard: Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. Device Guard provides hardware-based zero day protection for all software running in kernel mode, thus protecting the device and Device Guard itself from tampering, and app control policies that prevent untrusted software from running on the device.

Control Flow Guard (CFG): As developers compile new apps, CFG analyzes and discovers every location that any indirect-call instruction can reach.  It builds that knowledge into the binaries (in extra data structures – the ones mentioned in a dumpbin/loadconfig display).  It also injects a check, before every indirect-call in your code, that ensures the target is one of those expected, safe locations.  If that check fails at runtime, the operating system closes the program.

AppLocker: AppLocker is an application control feature introduced in Windows 7 that helps prevent the execution of unwanted and unknown applications within an organization's network while providing security, operational, and compliance benefits. AppLocker can be used in isolation or in combination with Device Guard to control which apps from trusted publishers are allowed to run.

For more information on Windows 10 security features please review the Windows 10 Security overview whitepaper on TechNet.

EMET 5.5 Beta and Edge

Given the advanced technologies used to protect Microsoft Edge, including industry leading sandboxing, compiler, and memory management techniques, EMET 5.5 mitigations do not apply to Edge.


We welcome feedback via Microsoft Connect.

Install EMET 5.5 Beta today!

We want to particularly thank FireEye for partnering with us.


Announcing BlueHat v15 Conference, 14 Oct 2015 15:33:22 +0000 We are happy to announce the 15th version of the Microsoft BlueHat Security Conference, set for January 12-13, 2016. The annual security conference brings internal and external speakers to educate and engage Microsoft’s engineering community and their executives. Work is currently under way to set the schedule for this event. Attendance at BlueHat is open to Microsoft full time employees, contingent staff, and invited researchers, luminaries, partners, and customers.

Call for Papers

The Content Advisory Board invites thought leaders, security experts, and partners to submit original and challenging content for the security conference.  From your research to perspectives and ideas we are looking for content that will engage the engineering focused audience and executives.  We particularly invite submissions that have specific calls to action.  This year we would like to focus content around the following topics:

  • Public, Dedicated, or Hybrid Cloud service security

  • Mobile Application Security

  • Advanced Persistent Threats & Threat Intelligence

  • Mitigation and Sandbox Escapes or Defenses

  • Authentication Technologies

  • Consumer Privacy

  • New Attack Surface Areas

A limited number of presentation spaces are available and all submissions will be reviewed by the Content Advisory Board on a rolling basis until all talk slots are filled.  We ask that all submissions be presented in abstract form no later than October 31st.  Deadlines for full content will be later in December.  Presentations should target 30 or 60 minute format with no more than three speakers specified.  Some presentations will be selected to present to Microsoft executives in a smaller format in addition to the large format at the event.  Speakers will be informed of their acceptance via email.

Submit your presentation abstracts to to be considered as a potential BlueHat speaker!

Conference Registration

Attendance at BlueHat v15 Conference is by invitation only. All invited attendees will receive an email with registration link and conference agenda in November.

What’s New with Microsoft Threat Modeling Tool 2016, 08 Oct 2015 02:02:27 +0000 Threat modeling is an invaluable part of the Security Development Lifecycle (SDL) process. We have discussed in the past how applying a structured approach to threat scenarios during the design phase of development helps teams more effectively and less expensively identify security vulnerabilities, determine risks from those threats, and establish appropriate mitigations.

The Microsoft Threat Modeling Tool 2016 is a free tool to help you find threats in the design phase of software projects. It’s available as a free download from the Microsoft Download Center. This latest release simplifies working with threats and provides a new editor for defining your own threats. Microsoft Threat Modeling Tool 2016 has several improvements.

  • New Threat Grid
  • Template Editor
  • Migrating Existing Data Flow Diagrams

New Threat Grid

The threat grid has been overhauled. Now you can sort and filter on any column. You can easily filter the grid to show threats for any flow. You can sort on the interaction column if you want to group all the threats for each flow. You can sort on the changed by column if you want to find that threat you just edited.

Template Editor

Microsoft Threat Modeling Tool 2016 comes with a base set of threat definitions using STRIDE categories. This set includes only suggested threat definitions and mitigations which are automatically generated to show potential security vulnerabilities for your data flow diagram. To offer more flexibility, Microsoft Threat Modeling Tool 2016 gives users the option to add their own threats related to their specific domain. This means users can extend the base set of threat definitions using the template editor.

The template editor also allows users to modify the stencils available on the drawing surface.  If you have a stencil you would like to make available for your DFDs, you can add it.  If you need another stencil property, you can add that.

Migrating Existing Data Flow Diagrams

Threat modeling is an iterative process. Development teams create threat models which evolve over time as systems and threats change. We wanted to make sure the new version supports this flow. Microsoft Threat Modeling Tool 2016 will load any threat model from Microsoft Threat Modeling Tool 2014, in the .tm4 format. Threat models created with the v3 version of the tool (.tms format) must be migrated to the Microsoft Threat Modeling Tool 2014 format (.tm4) before they can be loaded in Microsoft Threat Modeling Tool 2016. Microsoft Threat Modeling Tool 2014 offers a migration tool for threat models created with version 3.1.8. (NOTE: For migrating threat models from v3.1.8 only, Microsoft Visio 2007 or later is required.)

Additional Information

We hope these new enhancements in Microsoft Threat Modeling Tool 2016 will provide greater flexibility and help enable you to effectively implement the SDL process in your organization.

Thank you to all who helped in shipping this release through internal and external feedback. Your input was critical to improving the tool and customer experience.

For more information and additional resources, visit:


Alex Armanasu is an Engineer on the Secure Development Tools team at Microsoft. He’s responsible for the Threat Modeling component of the Security Development Lifecycle (SDL).

What makes a good Microsoft Defense Bounty submission?, 08 Sep 2015 09:57:37 +0000 One of Microsoft’s longstanding strategies toward improving software security continues to involve investing in defensive technologies that make it difficult and costly for attackers to exploit vulnerabilities. These solutions generally have a broad and long lasting impact on software security because they focus on eliminating classes of vulnerabilities or breaking the exploitation primitives that attackers rely on. This also helps improve software security over the long run because it shifts the focus away from the hand-to-hand combat of finding, fixing, and servicing individual vulnerabilities and instead accepts the fact that complex software will undoubtedly have vulnerabilities.

To further emphasize our commitment to this strategy and to cast a wider net for defensive ideas, Microsoft awarded the BlueHat Prize in 2012 and subsequently started the ongoing Microsoft Defense Bounty in June, 2013 which has offered up to $50,000 USD for novel defensive solutions. Last month, we announced that we will now award up to $100,000 USD for qualifying Microsoft Defense Bounty submissions. This increase further affirms the value that we place on these types of defensive solutions and we’re hopeful this will help encourage more research into practical defenses.

In this blog post, we wanted to take this opportunity to explain how we evaluate defensive solutions and describe the characteristics that we look for in a good defense. There are a few key dimensions that we evaluate solutions based on, specifically: robustness, performance, compatibility, agility, and adoptability. Keeping these dimensions in mind when developing a defense should increase the likelihood of the defense being deemed a good candidate for the Microsoft Defense Bounty and will also go a long way toward increasing the likelihood of the defense being integrated and adopted in practice.

Criteria for evaluating defensive solutions


The first and most important criterion, robustness, deals with the security impact of the defense. After all, the defense must have an appreciable impact on making it difficult and costly to exploit vulnerabilities in order for it to be worth pursuing.

We evaluate robustness in terms of:

  • The impact the defense will have on modern classes of vulnerabilities and/or exploits.  A good defense should eliminate a common vulnerability class or break a key exploitation technique or primitive used by modern exploits. 

  • The level of difficulty that attackers will face when adapting to the defense.  A good defense should include a rigorous analysis of the limitations of the defense and how attackers are likely to adapt to it. Defenses that offer only a small impediment to attackers are unlikely to qualify.


The second most important criterion, performance, deals with the impact the defense is expected to have on performance. Our customers expect Windows and the applications that run on Windows to be highly responsive and performant. In most cases, the scenarios where we are most interested in applying defenses (e.g. web browsers) are the same places where high performance is expected. As such, it is critical that defenses have minimal impact on performance and that the robustness of a defense justifies any potential performance costs.

Since performance impact is measured across multiple dimensions, it is not possible to simply distill the requirements down into a single allowed regression percentage. Instead, we evaluate performance in context using the following guide posts:

  • Impact on industry standard benchmarks. There are various industry standard benchmarks that evaluate performance in common application workloads (e.g. browser DOM/JS benchmarks). Although SPEC CPU benchmarks can provide a good baseline for comparing defense solutions, we find that it is critical to evaluate performance impact under real-world application workloads. 

  • Impact on runtime performance. This is measured in terms of CPU time and elapsed time either in the context of benchmarks or in common application scenarios (e.g. navigating to top websites in a browser). Defenses with low impact on runtime performance will rate higher in our assessment. 

  • Impact on memory performance. This is measured in terms of the how the defense affects various aspects of memory footprint including commit, working set, and code size. Defenses with low impact on memory performance will rate higher in our assessment.


One of the reasons that Windows has been an extremely successful platform is because of the amount of care that has been taken to retain binary compatibility with applications. As such, it is critical that defenses retain compatibility with existing applications or that there is a path for enabling the defense in an opt-in fashion. Rebuilding the world (e.g. all binaries that run on Windows) is not an option for us in general. As such, defenses are expected to be 100% compatible in order to rate highly in our assessment.

In particular, we evaluate compatibility in terms of the following:

  • Binary interoperability. Any defense must be compatible with legacy applications/binaries or it must support enabling the defense on an opt-in basis.  If an opt-in model is pursued, then the defense must generally support legacy binaries (such as legacy DLLs) being loaded by an application that enables the defense. In the case where the defense requires binaries to be rebuilt in order to be protected, the protected binaries must be able to be loaded on legacy versions of Windows that may not support the defense at runtime. 

  • ABI compliant. Related to the above, any defense that alters code generation or runtime interfaces must be compliant with the ABI (e.g. cannot break calling conventions or other established contracts). For example, details on the x64 ABI for Windows can be found here.

  • No false positives. Defenses must not make use of heuristics or other logic that may be prone to false positives (and thus result in application compatibility issues).


Given the importance of binary compatibility and the long term implications of design decisions, we also need to take care to ensure that we are afforded as much flexibility as possible when it comes to making changes to defenses in the future. In this way, we pay close attention to the agility of the design and implementation associated with a defense.  Defenses that have good properties in terms of agility are likely to rate higher in our assessment.


All defenses carry some cost with them that dictates how easy it will be to build them and integrate them into the platform or applications. This means we must take into account the engineering cost associated with building the defense and we must assess the taxes that may be inflicted upon developers and systems operators when it comes to making use of the defense in practice. For example, defenses that require developers to make code changes or system operators to manage complex configurations are less desirable. Defenses that have low engineering costs and minimize the amount of friction to enable them are likely to rate higher in our assessment.


The criteria above are intended to help provide some transparency and insight into the guidelines that we use when evaluating the properties of a defense both internally at Microsoft and for Microsoft’s Defense Bounty program. It’s certainly the case that we set a high bar in terms of what we expect from a defensive solution, but we believe we have good reasons for doing so that are grounded both in the modern threat landscape and in our customers’ expectations.

We strongly encourage anyone with a passion for software security to move “beyond the bugs” and explore opportunities to invest time and energy into developing novel defenses. Aside from being a challenging and stimulating problem space, there is now also the potential to receive up to $100,000 USD for your efforts in this direction through the Microsoft Defense Bounty program. The impact that these defenses can have on reducing the risk associated with software vulnerabilities and helping keep people safe is huge.

Matt Miller

Microsoft Security Response Center


Defending against CVE-2015-1769: a logical issue exploited via a malicious USB stick, 11 Aug 2015 15:37:20 +0000

Today Microsoft released update MS15-085 to address CVE-2015-1769, an important severity security issue in Mount Manager. It affects both client and server versions, from Windows Vista to Windows 10.

The goal of this blog post is to provide information on the detection guidance to help defenders detect attempts to exploit this issue.


Detection Guidance

As part of the update, we are also shipping an event log entry to help defenders detect attempts to use this vulnerability on their systems. The event is raised every time a malicious USB device that relies on this vulnerability is mounted on the system. If such an event is recorded, it means that the attempt to exploit the vulnerability was blocked. So once the update is installed, companies auditing event logs will be able to use this as a detection mechanism.

These events are logged under the “System” channel and are reported as errors.

Note: Multiple events may be raised for single exploit attempt.

After installing the update, exploitation attempts will result in an event (ID 100) being generated with MountMgr or Microsoft-Windows-MountMgr as its source. The CVE associated with this vulnerability will also be logged for further reference. Note that this error code can also be logged in other, extremely rare circumstances. So, while there is a very small chance that this event could be generated in non-malicious scenarios, there is a high probability that an exploitation attempt is the cause of the event.
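The detection guidance above can be turned into a scheduled hunt. The following PowerShell is an added example, not code from the MSRC post: it queries the System log for the event the post describes (ID 100 from MountMgr or Microsoft-Windows-MountMgr, logged as an error, with the CVE in the message) and collapses bursts of events into one record per attempt, since the post notes that a single attempt can raise several events. The look-back period and the burst window are assumed defaults.

```powershell
# Added example (not from the MSRC post): hunt for the MountMgr event that
# MS15-085 adds and report one record per exploit attempt.
function Get-MountMgrExploitAttempt {
    [CmdletBinding()]
    param(
        # Look back this many days (assumed default).
        [int]$Days = 7,
        # Events closer together than this are treated as one attempt (assumed window).
        [int]$BurstWindowSeconds = 10
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = @('MountMgr', 'Microsoft-Windows-MountMgr')
        Id           = 100
        Level        = 2                       # 2 = Error, the level the post says is used
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent reports an error when nothing matches; treat that as "no attempts".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'CVE-2015-1769' } |
        Sort-Object TimeCreated

    $attempts = @()
    $current = $null
    foreach ($e in $events) {
        if ($null -eq $current -or
            ($e.TimeCreated - $current.LastSeen).TotalSeconds -gt $BurstWindowSeconds) {
            # Start a new attempt record.
            $current = [pscustomobject]@{
                Computer   = $e.MachineName
                FirstSeen  = $e.TimeCreated
                LastSeen   = $e.TimeCreated
                EventCount = 1
                Message    = ($e.Message -split "`r?`n")[0]   # first line only
            }
            $attempts += $current
        }
        else {
            # Same burst: extend the current attempt.
            $current.LastSeen = $e.TimeCreated
            $current.EventCount++
        }
    }
    return $attempts
}

Get-MountMgrExploitAttempt | Format-Table Computer, FirstSeen, EventCount, Message -AutoSize
```

Run it on the patched endpoint or, after forwarding the System log to a collector, point the filter at the forwarded log instead. Because the post warns that the event can very rarely fire outside an attack, keep the full event list for the analyst rather than only the collapsed summary.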

- Axel Souchet, Vishal Chauhan from MSRC Vulnerabilities and Mitigations Team

Advances in Scripting Security and Protection in Windows 10 and PowerShell V5, 10 Jun 2015 11:25:59 +0000 Over the last several releases of Windows, we’ve been working hard to make the platform much more powerful for administrators, developers, and power users alike. PowerShell is an incredibly useful and powerful language for managing Windows domains. Unfortunately, attackers can take advantage of these same properties when performing “post-exploitation” activities (actions that are performed after a system has been compromised).

The PowerShell team, recognizing this behavior, has significantly advanced security focused logging and detection in Windows 10 and PowerShell v5. Some capabilities take advantage of new functionality in Windows 10, others are available on Windows 8.1 and Windows Server 2012R2 with KB3000850, and the functionality that is specific to PowerShell v5 will be available on Windows 7 and Windows Server 2008R2 when the next version of the Windows Management Framework is released.

Scripting transparency for Antimalware engines

Antimalware engines traditionally focus the majority of their attention on files that applications (or the system) open. Scripts have historically been difficult for antimalware engines to evaluate because scripts can be so easily obfuscated. Unless the antimalware engine can emulate the particular scripting language, it will not be able to deobfuscate the script to view the actual payload.

A new Windows 10 feature, the Antimalware Scan Interface (AMSI), lets applications become active participants in malware defense. Applications can now request antimalware evaluation of any content – not just files on disk. This gives script engines (and other applications) the ability to request evaluation of deobfuscated scripts and to request evaluation of content entered directly into the console.

For more information about the Antimalware Scan Interface, see


PowerShell Logging Improvements

Given the incredible power of PowerShell’s shell and scripting language, we’ve made major advancements in PowerShell’s transparency for PowerShell v5:

Improved over-the-shoulder transcription

Previous versions of PowerShell provided the ability to transcript sessions. Unfortunately, transcripting was not globally configurable, could be easily disabled, and only worked in the interactive PowerShell console. The result was that transcripting was not very practical for detecting malicious activity.

For PowerShell v5 and Windows 8.1/2012R2 with KB3000850, the following changes have been made for transcripting:

  • Can now be configured as a system-wide group policy
  • Provides better information about the session than the previous transcription functionality
  • Transcription works in both non-interactive and interactive PowerShell sessions

Deep script block logging

Previous versions of PowerShell provided “pipeline logging”, a mechanism to log all commands invoked (with the parameters). The way this information was logged made it difficult to use for security auditing and detection. In PowerShell v5 and Windows 8.1/2012R2 with KB3000850, PowerShell gains a new security focused logging mechanism called “Script Block Logging”.

A “script block” is the base level of executable code in PowerShell. Even when a script is obfuscated, it must eventually be transformed from an obfuscated script block back into a deobfuscated script block containing its malicious payload.

PowerShell now provides the option to log all script blocks to the event log prior to executing them. In the case of obfuscated scripts, both the obfuscated and deobfuscated script blocks will end up being logged. This gives defenders the ability to see exactly what PowerShell code is being run on their systems.
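The two transparency features just described, system-wide transcription and script block logging, are enabled through Group Policy. The PowerShell below is an added example, not the PowerShell team's code: it writes the registry values that the Group Policy settings are backed by, then runs a constructed "obfuscated" command and reads back what was logged, so that both the obfuscated text and the reconstructed command are visible. Not stated in the post and assumed here: the policy keys live under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell, script blocks are recorded as event ID 4104 in the Microsoft-Windows-PowerShell/Operational channel with the script text as the third event property, and the session is elevated so HKLM can be written.

```powershell
# Added example (not from the post): enable transcription and script block
# logging via their Group Policy registry backing keys, then show what gets logged.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'   # assumed policy root

function Enable-PowerShellTranscription {
    # Assumed local directory; in production point this at a write-only network share.
    param([string]$OutputDirectory = 'C:\PSTranscripts')
    $key = Join-Path $policyRoot 'Transcription'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableTranscripting   -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name EnableInvocationHeader -Value 1 -Type DWord   # timestamps each command
    Set-ItemProperty -Path $key -Name OutputDirectory        -Value $OutputDirectory -Type String
}

function Enable-ScriptBlockLogging {
    $key = Join-Path $policyRoot 'ScriptBlockLogging'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Get-LoggedScriptBlock {
    param([datetime]$Since = (Get-Date).AddMinutes(-5))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104                       # assumed: script block logging event id
        StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ScriptBlock = $_.Properties[2].Value   # assumed: third property is the script text
        }
    }
}

# Step 1 (elevated session): turn the policies on.
Enable-PowerShellTranscription
Enable-ScriptBlockLogging

# Step 2 (start a new session first, so the policy is read at startup):
# run a constructed "obfuscated" command whose real command name is only
# assembled at runtime, then read back the log.
$start = Get-Date
$obfuscated = "& ([scriptblock]::Create('Get-' + 'Date'))"
Invoke-Expression $obfuscated

# Two 4104 records are expected: the outer Invoke-Expression text, and the
# block created from 'Get-Date', which is the deobfuscated payload.
Get-LoggedScriptBlock -Since $start | Format-List
```

The same keys are what the Group Policy templates write on a domain-joined machine, so the Get-LoggedScriptBlock part can be used on its own to verify that a GPO-deployed setting is actually in effect on a client.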

Protected Event Logging

One concern when you increase logging on a machine is that the information you’ve logged may contain sensitive data. If an attacker compromises that machine, this sensitive information in the event log may be a gold mine of credentials, confidential systems, and more. To help address this concern, we’ve added Protected Event Logging to Windows 10, which lets participating applications encrypt sensitive data as they write it to the event log. You can then decrypt and process these logs once you’ve moved them to a more secure and centralized log collector.

Miscellaneous Security Improvements

Additional security features added to PowerShell v5 include:

  • Encryption and decryption cmdlets using the Cryptographic Message Syntax (CMS) standard
  • Secure code generation APIs for developers
  • “Constrained PowerShell” for systems that implement AppLocker policies
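Protected Event Logging and the new CMS cmdlets are built on the same primitive: encrypt to a recipient's public key on the endpoint, decrypt with the private key on the collector. The PowerShell below is an added example, not code from the post: it creates a document-encryption certificate, encrypts and decrypts a constructed string with Protect-CmsMessage and Unprotect-CmsMessage, and then decrypts protected script block records straight from the event log. Assumptions not stated in the post: New-SelfSignedCertificate accepts -Type DocumentEncryptionCert on Windows 10, protected script block records are event ID 4104 in Microsoft-Windows-PowerShell/Operational, and Unprotect-CmsMessage accepts an event record via -EventLogRecord.

```powershell
# Added example (not from the post): CMS encryption/decryption and decrypting
# Protected Event Logging records.
function New-LogEncryptionCertificate {
    # Constructed subject name. In production the private key exists only on the log collector.
    param([string]$Subject = 'CN=ProtectedEventLogging-Demo')
    New-SelfSignedCertificate -Subject $Subject -Type DocumentEncryptionCert `
        -KeyUsage KeyEncipherment, DataEncipherment -CertStoreLocation Cert:\CurrentUser\My
}

function Protect-Secret {
    param(
        [string]$Secret,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Only the public key is used here, which is all an endpoint needs to hold.
    Protect-CmsMessage -To $Certificate -Content $Secret
}

function Unprotect-Secret {
    param([string]$Envelope)
    # The matching private key is located in the current user's store.
    Unprotect-CmsMessage -Content $Envelope
}

function Get-DecryptedScriptBlockRecord {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104                               # assumed event id
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'BEGIN CMS' } |   # only records that were encrypted
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Decrypted = Unprotect-CmsMessage -EventLogRecord $_
            }
        }
}

$cert     = New-LogEncryptionCertificate
$envelope = Protect-Secret -Secret 'constructed sample: Password=Hunter2' -Certificate $cert
$envelope                              # a -----BEGIN CMS----- ... -----END CMS----- block
Unprotect-Secret -Envelope $envelope   # the original constructed string
Get-DecryptedScriptBlockRecord | Format-List
```

The point of the split is that a compromised endpoint holds only the public certificate, so the logged script blocks and transcripts on it cannot be read back by the attacker; decryption happens after the records reach the collector.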


For more information about PowerShell’s transparency improvements, Protected Event Logging, and other PowerShell security improvements, see



Joe Bialek (MSRC Engineering), Lee Holmes (PowerShell)

EMET 5.2 is available (update), 16 Mar 2015 12:57:00 +0000 Today, we’re releasing the Enhanced Mitigation Experience Toolkit (EMET) 5.2, which includes increased security protections to improve your security posture. You can download EMET 5.2 from or directly from here.

Following is the list of the main changes and improvements:

  • Control Flow Guard: EMET’s native DLLs have been compiled with Control Flow Guard (CFG). CFG is a new feature introduced in Visual Studio 2015 (and supported by Windows 8.1 and Windows 10) that helps detect and stop attempts at code hijacking. EMET native DLLs (i.e. EMET.DLL) are injected into the application process EMET protects. Since we strongly encourage 3rd party developers to recompile their applications to take advantage of this very latest security technology, we have compiled EMET with CFG. More information on CFG is available at this Visual C++ Team blog entry.
  • VBScript in Attack Surface Reduction: the configuration for the Attack Surface Reduction (ASR) mitigation has been improved to stop attempts to run the VBScript extension when loaded in Internet Explorer's Internet Zone. This mitigates the exploitation technique known as “VBScript God Mode” observed in recent attacks.
  • Enhanced Protected Mode/Modern IE: EMET now fully supports alerting and reporting from Modern Internet Explorer, or Desktop IE with Enhanced Protected Mode enabled.

Your feedback is always welcome, as it helps us improve EMET. Feel free to reach out to us by sending an email to

3/16/2015 UPDATE: We have received reports of certain customers experiencing issues with EMET 5.2 in conjunction with Internet Explorer 11 on Windows 8.1. We recommend customers that downloaded EMET 5.2 before March 16th, 2015 to download it again via the link below, and to uninstall the previous EMET 5.2 before installing the new one.

- The EMET Team

MS15-011 & MS15-014: Hardening Group Policy, 10 Feb 2015 10:50:00 +0000 Today we are releasing MS15-011 & MS15-014, which harden Group Policy and address network access vulnerabilities that can be used to achieve remote code execution (RCE) in domain networks. The MS15-014 update addresses an issue in Group Policy update which can be used to disable client-side global SMB Signing requirements, bypassing an existing security feature built into the product. MS15-011 adds new functionality, hardening network file access to block access to untrusted, attacker controlled shares when Group Policy refreshes on client machines. These two updates are important improvements that will help safeguard your domain network.

What’s the risk, i.e., what’s the attack scenario?

Let’s look at one of the typical attack scenarios as outlined in the below diagram.

This is an example of a ‘coffee shop’ attack scenario, where an attacker would attempt to make changes to a shared network switch in a public place and can redirect the client traffic to an attacker-controlled system.

  1. In this scenario, the attacker has observed traffic across the switch and found that a specific machine is attempting to download a file located at the UNC path: \\\Share\Login.bat .

  2. On the attacker machine, a share is set up that exactly matches the UNC path of the file requested by the victim: \\*\Share\Login.bat.

    1. The attacker will have crafted the contents of Login.bat to execute arbitrary, malicious code on the target system. Depending on the service requesting Login.bat, this could be executed as the local user or as the SYSTEM account on the victim’s machine.

  3. The attacker then modifies the ARP table in the local switch to ensure that traffic intended for the target server is now routed through to the attacker’s machine.

  4. When the victim’s machine next requests the file, the attacker’s machine will return the malicious version of Login.bat.

    This scenario also illustrates that this attack cannot be used broadly across the internet – an attacker needs to target a specific system or group of systems that request files with this unique UNC.

What were the Group Policy vulnerabilities?

An RCE vulnerability existed in how Group Policy received and applied policy data when connecting to a domain. Concurrently, a vulnerability existed whereby Group Policy could fail to retrieve valid security policy and instead apply a default, potentially less secure, group policy. This could, in turn, be used to disable the domain enforced SMB Signing policy.

What did we fix under MS15-014?

The risk of circumventing SMB Signing was fixed by correcting how Group Policy behaves when it fails to retrieve a current, valid security policy. After applying the fix, Group Policy will no longer fall back to defaults and will instead use the last known good policy if a security policy retrieval fails.

What did we harden under MS15-011?

While SMB Signing safeguards against Man-In-The-Middle attacks, with vulnerabilities like the above in Group Policy it is possible to disable it. More importantly, the SMB client doesn’t require SMB Signing by default, so it is possible to direct domain related traffic, especially unencrypted traffic, to attacker controlled machines and serve malicious content to the victims in response. To block this kind of attack we added the ability to harden UNC path access within the domain network.

Universal Naming Convention (UNC) is a standardized notation that Windows uses to access file resources; in most cases these resources are located on a remote server. UNC allows the system to access files using the standard path format \\<hostname>\<sharename>\<objectname>, for example \\\fileshare\passwords.txt, without requiring the application or user to understand the underlying transport technology used to provide access to the file. In this way, the UNC client in Windows abstracts network file technologies, such as SMB and WebDAV, behind a familiar file path syntax. UNC paths are used in Windows in everything from printers to file shares, providing an attacker a broad surface to explore and attack. To properly address this weakness in UNC, we had to improve UNC to allow a server to authenticate itself to a client, thereby allowing the client machine to trust the content coming from the target system and be protected from malicious file shares.

How did we harden it?

When an application or service attempts to access a file on a UNC path, the Multiple UNC Provider (MUP) is responsible for enumerating all installed UNC Providers and selecting one of them to satisfy all I/O requests for the specified UNC path. On a typical Windows client installation, MUP would try the Server Message Block (SMB) protocol first, but if the SMB UNC Provider is unable to establish an SMB connection to the server, then MUP would try the next UNC Provider and so on until one of them is able to establish a connection (or there are no remaining UNC providers, in which case the request would fail).

In most scenarios, the security of the server is paramount: the server stores sensitive data, so file transfer protocols are designed in such a way that the server validates the client’s identity and performs appropriate access checks before allowing the client to read from or write to files. The trust boundary when Group Policy applies computer and/or user policies is completely reversed: the sensitive data is the client’s configuration, and the remote server has the capability of changing the client’s configuration via transmission of policy files and/or scripts. When Group Policy is retrieving data from the policy server, it is important that the client performs security checks to validate the server’s identity and prevent data tampering between the client and the server (in addition to the normal security checks performed by the server to validate the client’s credentials). It is also important that MUP only send requests for Group Policy files to UNC Providers that support these client-side checks, so as to prevent the checks from being bypassed when the SMB UNC provider is unable to establish a connection to the server.

Group Policy isn’t necessarily the only service for which these extra client-side security checks are important. Any application or service that retrieves configuration data from a UNC path, and/or automatically runs programs or scripts located on UNC paths, could benefit from these additional security checks. As such, we’ve added a new feature, UNC Hardened Access, along with a corresponding Group Policy setting in which MUP can be configured to require additional security properties when accessing configured UNC paths.

When UNC Hardened Access is configured, MUP starts handling UNC path requests in a slightly different manner: 

Each time MUP receives a request to create or open a file on a UNC path, it evaluates the current UNC Hardened Access Group Policy settings to determine which security properties are required for the requested UNC path. The result of this evaluation is utilized for two purposes: 

  1. MUP only considers UNC Providers that have indicated support for all of the required security properties. Any UNC Providers that do not support all of the security properties required via the UNC Hardened Access configuration for the requested UNC path will simply be skipped.

  2. Once a UNC Provider is selected by MUP, the required security properties are passed to that UNC Provider via an Extra Create Parameter (ECP). UNC Providers that opt-in to UNC Hardened Access must respect the required security properties indicated in the ECP; if the selected UNC Provider is unable to establish a connection to the server in a manner that satisfies these requirements (e.g. due to lack of server support), then the selected UNC Provider must fail the request.

Even third-party applications and services can take advantage of this new feature without additional code changes; simply add the necessary configuration details in Group Policy. If a UNC Provider is able to establish a connection to the specified server that meets the required security properties, then the application/service will be able to open handles as normal; if not, opening handles would fail, thus preventing insecure access to the remote server.

Please refer to for details on configuring the UNC Hardened Access feature.

Consider the following scenario:

  • Contoso maintains an Active Directory domain named with two Domain Controllers (DCs) named and

  • A laptop is joined to the aforementioned domain.

  • Group Policy is configured to apply a Group Policy Object (GPO) to the laptop that configures UNC Hardened Access for the paths \\*\NETLOGON and \\*\SYSVOL such that all access to these paths requires both Mutual Authentication and Integrity.

  • Group Policy is configured to apply a GPO to the laptop that runs the script located at \\\NETLOGON\logon.cmd each time a user logs on to the machine.


With the above configuration, when a user successfully logs onto the laptop and the laptop has any network access, Group Policy will attempt to run the script located at \\\NETLOGON\logon.cmd, but behind the scenes, MUP would only allow the script to be run if the file could be opened and transmitted securely:

  1. MUP receives a request to open the file at \\\NETLOGON\logon.cmd.

  2. MUP notices that the requested path matches \\*\NETLOGON and paths that match \\*\NETLOGON are configured to require both Mutual Authentication and Integrity. UNC Providers that do not support UNC Hardened Access or indicate that they do not support both Mutual Authentication and Integrity are skipped.

  3. The Distributed File Server Namespace (DFS-N) client detects that the requested UNC path is a domain DFS-N namespace and begins its process of rewriting the UNC path (all DFS-N requests will be subject to the same security property requirements identified by MUP in step 2):

    1. The DFS-N client uses the DC Locator service and/or DFS-N DC Referral requests (depending on the OS version) to identify the name of a DC on the domain (e.g.

    2. DFS rewrites the path using the selected DC (e.g. \\\NETLOGON\logon.cmd becomes \\\NETLOGON\logon.cmd). Since Mutual Authentication is required and the target is expected to be a DC, DFS utilizes a special Kerberos Service Principal Name (SPN) to verify that the name retrieved in the previous step is indeed the name of a DC (if the name is not a DC, Kerberos authentication would fail due to an unknown SPN)

    3. If there are additional DFS-N links in the specified UNC path, the DFS-N client continues iterating and replacing paths to DFS-N links with paths to available targets until it has a UNC path that does not have any remaining DFS-N links.

  4. The final UNC path is passed back to MUP to select a UNC Provider to handle the request. MUP selects the SMB UNC provider since DCs utilize SMB to share the NETLOGON and SYSVOL shares.

  5. The SMB UNC Provider establishes an authenticated session with the selected SMB Server (if an authenticated session is not already present). If the authenticated session is not mutually authenticated (e.g. authentication was performed utilizing the NTLM protocol), then the SMB UNC Provider would fail the request to open logon.cmd since the mutual authentication requirement identified in step 2 could not be met.

  6. The SMB UNC Provider enables SMB Signing on all requests related to logon.cmd since MUP informed SMB that integrity is required for this request. Any attempts to tamper with the SMB requests or responses would invalidate the signatures on the requests/responses, thus allowing the receiving end to detect the unauthorized modifications and fail the SMB requests.

In this scenario, the client-side requirement of end-to-end mutual authentication and integrity protects the laptop from running a logon script located on a malicious server via the following security checks:

  • The requirement for Mutual Authentication ensures that the connection is not redirected to an unexpected (and potentially malicious) SMB Server when SMB Client attempts to establish a connection to the requested UNC path.

  • The requirement for Integrity enables SMB Signing, even if the SMB Client does not require SMB Signing for all paths by default. This protects the system against on-the-wire tampering that can be used to change the contents of the logon.cmd script as it is transmitted between the selected DC and the laptop.

  • The combined requirements for both Mutual Authentication and Integrity ensure that the final rewritten path selected by the DFS-N Client matches a path allowed by the DFS-N namespace configuration and that spoofing and/or tampering attacks cannot cause the DFS-N client to rewrite the requested UNC path to a UNC path hosted by an unexpected (and potentially malicious) server.

Without these client-side protections, ARP, DNS, DFS-N, or SMB requests sent via Group Policy over untrusted networks could potentially cause the Group Policy service to run the logon.cmd script from the wrong SMB Server.
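The following Python model is an added example (not Windows code and not from the original post) that walks through the two purposes MUP uses the policy evaluation for and the laptop scenario above: a hardened-path policy in the page's \\*\NETLOGON form, the provider filter, and the provider-side failure when the only session it can get to a server is NTLM. The provider records, the server names (dc01, rogue, fileserver) and the "legacy" provider are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy, written as the page's scenario configures it: the
# NETLOGON and SYSVOL shares of every server require both properties.
HARDENED_PATHS: Dict[str, Set[str]] = {
    r"\\*\NETLOGON": {"MutualAuthentication", "Integrity"},
    r"\\*\SYSVOL": {"MutualAuthentication", "Integrity"},
}


@dataclass
class UncProvider:
    """Hypothetical provider record; not Windows' real provider interface."""
    name: str
    supported: Set[str]                 # properties the provider opted in to
    session_props: Dict[str, Set[str]]  # server -> properties a session to it
                                        # actually gets; absent = unreachable


def split_unc(path: str) -> Tuple[str, str]:
    """Return (server, share) of a UNC path, lower-cased; reject malformed input."""
    if not path.startswith("\\\\"):
        raise ValueError(f"not a UNC path: {path!r}")
    parts = path[2:].split("\\")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"UNC path needs a server and a share: {path!r}")
    return parts[0].lower(), parts[1].lower()


def required_properties(path: str,
                        policy: Dict[str, Set[str]] = HARDENED_PATHS) -> Set[str]:
    """Union of the properties required by every policy entry matching the path.
    A "*" in the server or share position of an entry matches any value."""
    server, share = split_unc(path)
    required: Set[str] = set()
    for pattern, props in policy.items():
        p_server, p_share = split_unc(pattern)
        if p_server in ("*", server) and p_share in ("*", share):
            required |= props
    return required


def open_unc_path(path: str, providers: List[UncProvider],
                  policy: Dict[str, Set[str]] = HARDENED_PATHS) -> Optional[str]:
    """Model MUP's provider selection for one create/open request.
    Returns the name of the provider that satisfied the open, or None when
    the open must fail."""
    required = required_properties(path, policy)
    server, _ = split_unc(path)
    for provider in providers:
        # Purpose 1: providers lacking any required property are skipped outright
        if not required <= provider.supported:
            continue
        if server not in provider.session_props:
            continue  # could not connect; MUP moves on to the next provider
        # Purpose 2: the selected provider receives the requirements (the ECP)
        # and must fail the request if its session to the server falls short
        if required <= provider.session_props[server]:
            return provider.name
        return None
    return None  # every provider was skipped or could not connect


# Constructed providers. SMB gets a Kerberos, signed session to the DC but only
# an NTLM session (no mutual authentication, no integrity) to a rogue host.
# "legacy" stands in for any provider that never opted in to UNC Hardened Access.
SMB = UncProvider("SMB", {"MutualAuthentication", "Integrity"}, {
    "dc01": {"MutualAuthentication", "Integrity"},
    "rogue": set(),
})
LEGACY = UncProvider("legacy", set(), {"rogue": set(), "fileserver": set()})
PROVIDERS = [SMB, LEGACY]

if __name__ == "__main__":
    for p in (r"\\dc01\NETLOGON\logon.cmd",          # SMB: mutual auth + signing
              r"\\rogue\NETLOGON\logon.cmd",         # fails: NTLM only, legacy skipped
              r"\\fileserver\Public\readme.txt"):    # unhardened: legacy is allowed
        print(p, "->", open_unc_path(p, PROVIDERS))
```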

How do I configure to protect myself/my users?

Once the update included as part of the bulletin MS15-011 is installed, follow the instructions at to ensure your systems are adequately protected. MS15-014 will install and provide protection without any additional configuration.

Please note that the Offline Files feature is not available on paths for which the UNC Hardened Access feature is enabled. 

A word on CVD and fixing difficult problems

In many regards, this security ‘fix’ is more accurately described as completely new functionality in Windows. Adding something of this scale posed a unique challenge to security response. Software vulnerabilities are typically more narrowly constrained in both investigation and remediation – and most response is structured to address that scope. Among the benefits of Coordinated Vulnerability Disclosure (CVD) is that it provides for greater flexibility and deeper collaboration with researchers to take the necessary time and perspective to deliver the most complete security solutions to customers. In this case we tackled a vulnerability that required a much greater scope in engineering to deliver a solution.

Most vulnerabilities reported to the MSRC are bugs in a single component, which are investigated, understood, and fixed within industry accepted response times. Creating the new functionality of UNC Hardening, however, required an entirely new architecture which increased development time and necessitated extensive testing. Thanks to CVD, and the close collaboration with the passionate security researchers who reported the vulnerability, Microsoft had sufficient time to build the right fix for a complicated issue. If the security researchers were not willing to refrain from disclosure until our fix was ready, customers would have been put at risk.


Microsoft offers its appreciation to the CVD community and a special thanks to the reporters of the issue which has resulted in UNC Hardening: Jeff Schmidt of JAS Global Advisors, Dr. Arnoldo Muller-Molina of simMachines, The Internet Corporation for Assigned Names and Numbers (ICANN) and Luke Jennings from MWR Labs.


  • Geoffrey Antos (Windows), Brandon Caldwell (MSRC), Stephen Finnigan (MSRC), Swamy Gangadhara (MSRC)


New Version of BinScope Binary Analyzer, 20 Nov 2014 19:50:11 +0000

We are delighted to announce the availability of an updated version of the BinScope Binary Analyzer, Microsoft BinScope version 2014. BinScope is a tool used during the Security Development Lifecycle (SDL) verification phase. It is available as a free download from the Microsoft Download Center here.

BinScope was designed to help detect potential vulnerabilities that can be introduced into Binary files. The checks it implements examine application binary files to identify coding and build practices that can potentially render the application vulnerable to attack or to being used as an exploit attack vector.

The specific changes in BinScope 2014 Update include:

  • Correctly handles CompilerWarningsCheck with the use of -W4 on the command line.
  • Correctly processes the warning levels which are explicitly enabled from the command line.
  • The __declspec(safebuffers) check no longer fires on GsDriverEntry for x86 drivers.
  • ATL version check now fails on known bad ATL headers only; no longer produces failures on unknown ATL headers.
  • Removed deprecated switches from showing as part of /?.
  • Allows newline-delimited file lists to be parsed as response files.

BinScope 2014 Update includes all the improvements that were part of BinScope 2014, such as:

Improved Diagnostic Messages

A key focus for BinScope 2014 was to ensure that diagnostic messages are clear and actionable for engineers when a potential vulnerability is detected. We believe that being able to quickly understand not only the potential issue but its mitigation is key.

New Minimum Compiler and Minimum Linker Version Switch

By default, BinScope 2014’s CompilerVersionCheck adheres to the compiler and linker versions defined in the SDL guidance. However, we recognize that compiler and linker versions will evolve over time; as a result, two new command line switches were added. These switches, /MinimumCompilerVersion and /MinimumLinkerVersion, provide the ability to adjust the minimum compiler and linker versions that BinScope will accept when running the CompilerVersionCheck.

Increased Performance

Another important focus for us was to improve the performance of BinScope when executing a scan, particularly with large binaries. As a result, we have been able to improve the scanning performance of BinScope by up to 4 times.

Other changes in BinScope 2014 include:

  • Removal of the Graphical User Interface (GUI).
  • Removal of directory scanning; individual binary paths should be provided instead.
  • General bug fixes.

For more information and additional resources, visit:

Additional information about CVE-2014-6324, 18 Nov 2014 10:17:42 +0000

Today Microsoft released update MS14-068 to address CVE-2014-6324, a Windows Kerberos implementation elevation of privilege vulnerability that is being exploited in-the-wild in limited, targeted attacks. The goal of this blog post is to provide additional information about the vulnerability, update priority, and detection guidance for defenders. Microsoft recommends customers apply this update to their domain controllers as quickly as possible.

Vulnerability Details

CVE-2014-6324 allows remote elevation of privilege in domains running Windows domain controllers. An attacker with the credentials of any domain user can elevate their privileges to that of any other account on the domain (including domain administrator accounts).

The exploit found in-the-wild targeted a vulnerable code path in domain controllers running on Windows Server 2008R2 and below. Microsoft has determined that domain controllers running Windows Server 2012 and above are vulnerable to a related attack, but it would be significantly more difficult to exploit. Non-domain controllers running all versions of Windows are receiving a “defense in depth” update but are not vulnerable to this issue.

Before talking about the specific vulnerability, it will be useful to have a basic understanding of how Kerberos works.


One point not illustrated in the diagram above is that both the TGT and Service Ticket contain a blob of data called the PAC (Privilege Attribute Certificate). A PAC contains (among other things):

  • The user’s domain SID
  • The security groups the user is a member of


When a user first requests a TGT from the KDC, the KDC puts a PAC (containing the user’s security information) into the TGT. The KDC signs the PAC so it cannot be tampered with. When the user requests a Service Ticket, they use their TGT to authenticate to the KDC. The KDC validates the signature of the PAC contained in the TGT and copies the PAC into the Service Ticket being created.

When the user authenticates to a service, the service validates the signature of the PAC and uses the data in the PAC to create a logon token for the user. As an example, if the PAC has a valid signature and indicates that “Sue” is a member of the “Domain Admins” security group, the logon token created for “Sue” will be a member of the “Domain Admins” group.

MS14-068 fixes an issue (CVE-2014-6324) in the way Windows Kerberos validates the PAC in Kerberos tickets. Prior to the update it was possible for an attacker to forge a PAC that the Kerberos KDC would incorrectly validate. This allows an attacker to remotely elevate their privilege against remote servers from an unprivileged authenticated user to a domain administrator.


Update Priority

  1. Domain controllers running Windows Server 2008R2 and below
  2. Domain controllers running Windows Server 2012 and higher
  3. All other systems running any version of Windows


Detection Guidance

Companies currently collecting event logs from their domain controllers may be able to detect signs of exploitation pre-update. Please note that this logging will only catch known exploits; there are known methods to write exploits that will bypass this logging.


The key piece of information to note in this log entry is that the “Security ID” and “Account Name” fields do not match even though they should. In the screenshot above, the user account “nonadmin” used this exploit to elevate privileges to “TESTLAB\Administrator”.

After installing the update, for Windows 2008R2 and above, the 4769 Kerberos Service Ticket Operation event log can be used to detect attackers attempting to exploit this vulnerability. This is a high volume event, so it is advisable to only log failures (this will significantly reduce the number of events generated).


After installing the update, exploitation attempts will result in the “Failure Code” of “0xf” being logged. Note that this error code can also be logged in other extremely rare circumstances. So, while there is a chance that this event log could be generated in non-malicious scenarios, there is a high probability that an exploitation attempt is the cause of the event.
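As an added example (not from the post), the following Python applies both indicators described above to exported log records: the pre-update mismatch between the “Security ID” and “Account Name” fields, and the post-update 4769 event with Failure Code 0xf. The “Field: value” layout, the TESTLAB names and the service names are constructed, and the Security ID is compared by name only, because the resolved form is what the post's screenshot shows; an unresolved SID would need a directory lookup first.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records in the "Field: value" layout of an exported
# Windows Security log, separated by "---". Account, domain and service
# names are made up; the fields mirror the ones the post relies on.
SAMPLE_EVENTS = """\
Event ID: 4624
Security ID: TESTLAB\\Administrator
Account Name: nonadmin
---
Event ID: 4624
Security ID: TESTLAB\\nonadmin
Account Name: nonadmin
---
Event ID: 4769
Account Name: nonadmin@TESTLAB.LOCAL
Service Name: krbtgt
Failure Code: 0xf
---
Event ID: 4769
Account Name: nonadmin@TESTLAB.LOCAL
Service Name: cifs/fs01.testlab.local
Failure Code: 0x0
"""

FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split exported log text into one dict of fields per event."""
    events: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip() == "---":
            if current:
                events.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        events.append(current)
    return events


def _short_name(principal: str) -> str:
    """Reduce DOMAIN\\name or name@REALM to a case-folded bare name."""
    name = principal.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].lower()


def sid_name_mismatch(event: Dict[str, str]) -> bool:
    """Pre-update indicator: Security ID and Account Name name different users.
    An unresolved SID (S-1-...) cannot be compared without a directory lookup,
    so it is reported as no mismatch rather than as a false positive."""
    sid, acct = event.get("Security ID"), event.get("Account Name")
    if not sid or not acct or sid.upper().startswith("S-1-"):
        return False
    return _short_name(sid) != _short_name(acct)


def ticket_failure_0xf(event: Dict[str, str]) -> bool:
    """Post-update indicator: a 4769 event whose Failure Code is 0xf."""
    return (event.get("Event ID") == "4769"
            and event.get("Failure Code", "").lower() == "0xf")


def find_suspicious(events: List[Dict[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (reason, event) pairs for records matching either indicator."""
    findings = []
    for event in events:
        if sid_name_mismatch(event):
            findings.append(("Security ID / Account Name mismatch", event))
        elif ticket_failure_0xf(event):
            findings.append(("4769 with Failure Code 0xf", event))
    return findings


if __name__ == "__main__":
    for reason, event in find_suspicious(parse_events(SAMPLE_EVENTS)):
        print(reason, "->", event)
```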



The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain. An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore it is critical to install the update immediately.


Additional Notes

Azure Active Directory does not expose Kerberos over any external interface and is therefore not affected by this vulnerability.


Joe Bialek, MSRC Engineering

IoT Security Does Not Have to be an Oxymoron – Part 2, 10 Nov 2014 17:03:55 +0000

As my colleague Kevin Sullivan wrote in part 1 of this two-part series, the Internet of Things (IoT) holds great promise for organizations and consumers. But like many new technologies, it brings with it a number of security and privacy challenges. The industry can work to help address many of these challenges by building on some of the lessons learned from decades of experience connecting traditional computing devices to the Internet, as well as understanding the unique challenges that the IoT presents.

Among those unique challenges is the diversity of devices encompassing the IoT, that range from very simple devices that only transmit data, to complex devices with processors and sophisticated software. Before millions or billions of these devices are deployed across the world, some security and privacy fundamentals need to be carefully considered including:

  • Insecure design: Some of the early IoT devices I have seen in the market today have not been designed with security in mind. Some of these devices lack basic security capabilities, while others have security capabilities, but they are inappropriate for all the scenarios that the device can be used in. It’s also easy to imagine that some IoT devices have been released with insecure default settings.
  • Disclosure of personal information: When devices, sensors, appliances, etc., are connected to the Internet (or when physically accessible), it can raise concerns that everyday activities, preferences, and sensitive information, could be monitored and disclosed without proper authorization. Additional concerns arise with the possibility that data gathered from IoT devices could be correlated with other sources of data and used for purposes, such as the creation of self-learning autonomous systems, without the appropriate consent from the data owner.
  • Limited ability to receive updates and change configurations: Keeping systems up-to-date with security updates is one of the most effective security practices today. As vulnerabilities are discovered and attackers attempt to exploit them, it’s critically important that vendors have a well-thought-through response plan and the capability to update and reconfigure systems to mitigate these attacks. Not all IoT devices are going to be the same. Different devices are going to have different hardware and software, and consequently different capabilities. Some devices might have limited update capabilities or might not even have an operating system. What’s the plan to update a sensor that doesn’t have a full operating system installed on it? This type of requirement needs careful consideration.
  • Insecure data: How IoT devices store and transmit data is another important consideration. Securing data communications, including authentication, and encrypting data at rest have become common expectations for systems today. The ability to manage settings for such security features is also a common expectation. Many IoT devices might be connected to networks that are themselves insecure, which makes how well these devices protect data in untrusted or hostile environments a further consideration.

What should industry do to help address security and privacy related to IoT? Building software with security in mind during every phase of development has proven to be very effective – something that can inform the development process for IoT devices as well. Broadly applicable design considerations should include:

  • Secure by design, secure in development and secure in deployment (SD3): This is the same mantra we started in Trustworthy Computing at Microsoft many years ago. IoT devices and services should be designed and developed in a manner that improves security and privacy during the lifecycle of the device by applying secure software development processes such as Microsoft’s Security Development Lifecycle.
  • Secure communications: Presumably, in the future many IoT devices will operate on the public Internet or on other networks where they may face a variety of threats to data confidentiality. IoT devices and services should utilize strong encryption techniques to protect data, and networks should use the latest communication protocols and up-to-date security architecture. On IoT devices that host third-party applications, the security of these communications needs to be addressed as well. Some more primitive IoT devices will lack the ability to perform encryption themselves. In such cases, one possible solution would be to design the device to allow its data to be encrypted by an intermediary gateway device on the local network before the data is sent over the Internet.
  • Manageability and security updates: Many IoT devices will likely be built for single-purpose applications and will have limited input/output capabilities to manage the device. IoT devices need to be designed to apply important functionality and security updates, preferably with the option of automatic updates requiring little or no administrator interaction. Devices should be designed to respond to security issues impacting devices, services, or applications. Awareness of the security or privacy issues related to other services and devices with dependencies should also be accounted for in update planning. As one possible solution, IoT devices lacking the physical requirements for manageability and updates should be designed to allow security management by an intermediary gateway device on the local network before the data is sent over the Internet.
  • Privacy and data use: Because of the potential volume of personal or proprietary data that can be produced and stored by the IoT, both consumers and businesses will insist that the privacy of their information be protected. IoT products should take privacy-impacting collection and use of data into consideration from the earliest stages of design through development and deployment. IoT devices and services that seek to collect data pertaining to people should undergo appropriate scrutiny and evaluation for privacy concerns. Companies should also consider how they manage the commercial sharing of data as the IoT becomes a platform for trading information.
  • Appropriate level of cloud service capacity: Cloud services will need to be designed for a significantly higher number of simultaneous connections and greater volumes of data traffic given the expected proliferation of IoT devices. If cloud services are unable to manage the expected data flows generated by the IoT, they could be overwhelmed.

What should consumers do to protect their security and privacy related to IoT?

  • Evaluate security and privacy at purchase: Understand what security and privacy controls the device and services provide.
  • With updatable devices, keep software/firmware for your devices up-to-date: If the device offers automatic updates, consumers should enable them. Otherwise, consumers should check the manufacturer’s website regularly for new security updates.
  • Stay informed: Be aware and learn more about IoT devices and services.

You can learn more about Microsoft’s Internet of Things strategy here.

Trust me, I’m a cloud vendor, 14 Oct 2014 17:42:26 +0000

I visited my sister and her family a while ago and somehow ended up playing a game with my seven-year-old niece. I forget what it was called now, but the objective was to describe colors without being able to relate them to an object. In other words, describe the color blue without referring to the sea, or the sky.

Try it. It’s tough. Though apparently not for seven year-olds.

Don’t ask me how, because I really don’t know, but on the drive home the game got me thinking about the concept of trust and how it relates to the cloud and cloud services. Just how do you explain something as ethereal as trust and yet come across as genuine and well, trustworthy?

In today’s environment, winning and retaining their customers’ trust is every cloud provider’s ambition. But how do you earn the right to be trusted? What do you say? Somehow starting a conversation with the words ‘trust me’ seems to have the opposite effect.

Here’s another phrase: actions speak louder than words. And that is what we have tried to do at Microsoft – set out the things we do to make our cloud services more secure, private and reliable. With 200 online and cloud services serving a billion customers and 20 million businesses in more than 76 countries/regions, we know that organizations won’t use technology they don’t trust.


Security and privacy have been ingrained into our culture for more than a decade. It’s part of our DNA. To help our customers decide whether they can trust our cloud we invite them to consider our efforts in four main categories: cybersecurity, data privacy, compliance and transparency.

There’s a lot to cover in each of these categories, but, as I learned playing the colour game with my niece, there’s a benefit in brevity. Over the next few weeks I’ll cover each of these in a bit more detail, starting with cybersecurity.


Cybersecurity is engineered into Microsoft products and services from the initial design stage using the Security Development Lifecycle (SDL) – a holistic and comprehensive software development process for writing more secure and privacy-enhanced code, and enabling more reliable products and services. We invented the SDL and today it is broadly regarded as the industry standard for writing more secure software. Many of its key elements have been adopted by organizations including the Government of India as well as commercial entities, including Itron, MidAmerican Energy, Adobe and Cisco as the basis for their secure development regimen. Our SDL was also recognized as a case study on how to do software security development in the ISO standard 27034-1.

To help protect against Internet-based security threats and continuously assess and enhance the security of our services, we utilize Operational Security Assurance (OSA). OSA combines the knowledge from our security development and security response programs, with the experience of running hundreds of thousands of servers in data centers around the world. This depth of experience helps make Microsoft cloud-based services’ infrastructure more resilient to attack by decreasing the amount of time needed to prevent, detect, and respond to real and potential Internet-based security threats, thereby increasing the security for our customers.

For many years, we have incorporated encryption into our products and services to help protect customers from online criminals and hackers. However, since June of 2013, public concern about the methods governments use to collect data has led many organizations to be concerned about the privacy of their information. We not only understand the concerns our customers have, we share them. While we have no direct evidence that customer data has been breached by unlawful and unauthorized government access, we are addressing this concern head on by pursuing a comprehensive engineering effort to strengthen the encryption of customer data across our networks and services.

Although this is a significant engineering effort given the large number of services we offer and the hundreds of millions of customers we serve, we are committed to moving quickly. Many services already benefit from strong encryption in all or part of the lifecycle. For example, is protected by best in class security such as Transport Layer Security (TLS) and Perfect Forward Secrecy (PFS) encryption for both outbound and inbound email. We are also expanding encryption across all our services to provide best in class encryption solutions for data in transit between a user and the service, data in transit between data centers, data at rest, and end-to-end communications between users. And for customers looking for another layer of protection, we have also invested in giving customers the ability to use their own encryption mechanisms to encrypt their data.

Please look in on the Cyber Trust Blog next week when I’ll talk further about what we are doing specifically in the area of data privacy.

Oh. You’re this color when you’re sad and yet when you look up on a sunny day it makes you happy. That’s how a seven-year-old girl explains blue.


Trust: what’s it all about?, 09 Oct 2014 18:52:15 +0000

Today I delivered a keynote about trust in the cloud at the Cybersecurity Expo 2014 event in London. I’ve been thinking about how to tackle a topic like ‘trust’ and how it applies to cloud computing. I don’t know about you, but when someone you don’t know very well says ‘you can trust me,’ I kind of feel the opposite. I believe that actions speak louder than words.

With that in mind, I approached the topic by talking about four key areas that Microsoft believes are important for cloud service providers to demonstrate trustworthiness; areas that Microsoft delivers in the 200+ cloud services customers use today. As I did with the delegates today, I invite readers to consider cloud provider efforts in four main categories: cybersecurity, data privacy, compliance and transparency.

For Cybersecurity, Microsoft works to protect, detect and respond to threats against customers. We have invested in developing more secure products and services for more than a decade via the Security Development Lifecycle (SDL) – a holistic and comprehensive software development process that we created to help write more secure and privacy-enhanced code and enable more reliable products and services. Today the SDL is regarded as the industry standard for writing more secure software and is included as a case study in the ISO standard 27034-1.

Our online services adhere to a rigorous set of security and privacy controls that govern operations and support through a process called Operational Security Assurance (OSA). We have strong data encryption policies that help to protect our customers, partners and internal data within our networks. In support of this, in July we provided examples of how we are expanding encryption across our services to help protect customer data:

  • Office 365 – Provides message encryption, an email service that allows you to send encrypted mail to anyone.
  • Microsoft Azure – ExpressRoute, enables customers to access Azure services from their premises without having to traverse the Internet.
  • – Protection is provided by Transport Layer Security (TLS) encryption for both outbound and inbound email. has also enabled Perfect Forward Secrecy (PFS) encryption support for sending and receiving mail.
  • OneDrive has enabled Perfect Forward Secrecy (PFS) encryption.

Microsoft has a global, 24×7 incident response team that works to mitigate the effects of cyberattacks and malicious activity. The incident response team follows established procedures for incident management, communication, and recovery, and uses discoverable and predictable interfaces internally and to customers. We also proactively partner with law enforcement to combat cybercrime through our Digital Crimes Unit.

Our commitment to data privacy begins at the development stage and is part of the SDL as well as a set of internal guidelines, called the Microsoft Privacy Standard. As a result, our enterprise cloud services include world-class privacy features like Data Loss Prevention (DLP), Rights Management Services (RMS), and various controls that help customers manage risks to their data. As a result, we are currently the only cloud vendor whose commercial contracts meet the European Union Data Protection Authorities’ stringent standards for international transfers of data, a fact recognized by the “Article 29 Working Party”.

Third-party certifications help demonstrate compliance readiness to customers, auditors and regulators. Independent third-party companies, such as Deloitte and the British Standards Institution (BSI), regularly assess and verify our capabilities and adherence to a comprehensive set of requirements. Our structured approach to compliance is built on commitment to comply with a broad range of certifications, in many cases setting the pace for others to follow.

In March 2013, as part of our commitment to increased transparency, we began publishing details on the number of demands we receive each year in our Law Enforcement Requests Report and providing clear documentation of our established practices in responding to government legal demands for customer data.

It is important to recognize that the threat landscape will continue to evolve to keep pace with advances in security and data protection – that’s a given. Microsoft remains committed to protecting customer data through innovation and collaboration to help manage risk from cybercriminals.

For more information on our cloud services, check out

Vuln Hunt: Find the Security Vulnerability Challenge #2, 09 Oct 2014 16:27:43 +0000 Ex-Netscape engineer Jamie Zawinski has a great quote about regular expressions. He said: “Some people, when confronted with a problem, think ‘I know, I’ll use regular expressions.’ Now they have two problems.” That’s certainly true for this week’s Security Vuln Hunt. Two points are possible, plus an extra bonus point. The question:


The programmer here has written an input validation regex to test whether a given string matches the format of a URL, and while we should give him credit for designing his application to validate input, the particular regex pattern that he’s using is vulnerable to a denial of service attack.

The subexpression (\.[a-zA-Z0-9\-\._]+){2,} in the pattern contains a grouping expression with repetition, (\.[a-zA-Z0-9\-\._]+), that is itself repeated via the quantifier {2,}. Because the dot appears both as the required separator and inside the repeated character class, the engine can split a run of dot-separated segments into groups in many different ways, and on a failing input it tries every one of them. The worst-case matching time for such a construction is exponential, O(2^n) in the input length, so an attacker could craft a relatively short input value that keeps the application busy backtracking for an effectively unbounded time.

Give yourself a point if you found the regular expression denial-of-service (ReDoS) vulnerability in the code.

Give yourself a point if you used the SDL Regex Fuzzer ( to find the vulnerability. These types of vulnerabilities are extremely difficult to find through manual code inspection, so why not take advantage of free tools that are available to help you?

Finally, give yourself a bonus point if you realized that in .NET 4.5, you can limit the amount of time that Regex spends trying to find matches by setting a matchTimeout value in the Regex constructor. This is an excellent defense-in-depth measure against ReDoS attacks.
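As an added illustration (this is not the challenge's own code, which is not reproduced on this page), the C# program below wraps the quoted subexpression in a URL pattern and exercises both defences mentioned above: the bounded `Regex` constructor from .NET 4.5 and a rewrite of the subexpression that removes the ambiguity. The surrounding URL pattern, the sample inputs and the 250 ms budget are assumptions made for the example.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Added example; not the challenge's original listing. The full URL pattern is
// an assumption built around the subexpression the article quotes.
static class RegexTimeoutDemo
{
    // Vulnerable: '.' is both the required separator (\.) and a member of the
    // repeated character class, and the group itself repeats ({2,}). A run of
    // ".a.a.a..." can therefore be split into groups in exponentially many
    // ways, and every split is retried when the overall match fails.
    const string VulnerablePattern = @"^https?://[a-zA-Z0-9\-]+(\.[a-zA-Z0-9\-\._]+){2,}$";

    // Rewrite (assumption): dropping '.' from the class leaves each '.' exactly
    // one place to match, so the engine never has alternative splits to retry.
    const string SaferPattern = @"^https?://[a-zA-Z0-9\-]+(\.[a-zA-Z0-9\-_]+){2,}$";

    // Bounded match: the three-argument Regex constructor (.NET 4.5+) sets the
    // matchTimeout; the engine throws RegexMatchTimeoutException instead of
    // spinning. A timeout is treated as "not a valid URL", not as a crash.
    public static bool IsValidUrl(string pattern, string input, TimeSpan budget)
    {
        var re = new Regex(pattern, RegexOptions.None, budget);
        try
        {
            return re.IsMatch(input);
        }
        catch (RegexMatchTimeoutException)
        {
            Console.WriteLine("  match aborted after " + budget.TotalMilliseconds + " ms");
            return false;
        }
    }

    static void Main()
    {
        // Constructed hostile input: 30 ".a" segments followed by '!', which the
        // pattern can never accept, so a backtracking engine tries every split.
        string hostile = "http://host" + string.Concat(Enumerable.Repeat(".a", 30)) + "!";
        string benign  = "http://www.example.com";
        var budget = TimeSpan.FromMilliseconds(250);

        foreach (var pattern in new[] { VulnerablePattern, SaferPattern })
        {
            Console.WriteLine(pattern == VulnerablePattern ? "vulnerable pattern:" : "safer pattern:");
            Console.WriteLine("  benign  -> " + IsValidUrl(pattern, benign, budget));
            Console.WriteLine("  hostile -> " + IsValidUrl(pattern, hostile, budget));
        }
    }
}
```

With the vulnerable pattern the hostile input should hit the timeout and be rejected; with the rewritten pattern it is rejected after a linear scan, and the benign URL is accepted by both. The timeout is a backstop, not a substitute for an unambiguous pattern: a budget that is too generous still lets each request burn that much CPU.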

Next week, we’ll look at a sneaky SQL Injection vulnerability.

BlueHat v14 is almost here, 06 Oct 2014 18:01:00 +0000 It’s that time of year and BlueHat v14 is almost upon us. As always, BlueHat is an opportunity for us to bring the brightest minds in security together, both internal and external, to discuss and tackle some of the hardest problems facing the industry today. Through this conference, our engineering teams get deep technical information and education on the latest threats from proven industry experts.

BlueHat kicks off on October 9th where we will spend the day focusing on researcher methodologies such as fuzzing, red team assessments, malware analysis and BIOS attacks. On the second day, we will have three tracks starting with Security & Identity, followed by State of the Hack (focusing on next generation of advanced persistent threats and web exploit detection) and then finally, we will end with Security in Deployed Environments.

We are very excited about interaction between Microsoft engineers and other top security experts who are coming to speak at the event. Here is a list of their talks:

*Please note that this schedule is subject to change.

October 9th, 2014

9:00 AM – 9:40 AM: Chris Betz

9:40 AM – 10:20 AM: Stefano Zanero
Botintime – Phoenix: DGA-based Botnet Tracking and Intelligence
It’s common knowledge that a malicious domain automatically generated will not become popular and also an attacker will register a domain with a Top Level Domain that does not require clearance. Hence, we use phoenix which filters out domains likely to be generated by humans. The core of Phoenix is its ability to separate DGA from non-DGA domains, using linguistic features.

10:20 AM – 10:35 AM: Break

10:35 AM – 11:15 AM: Scott Longheyer
Government Snooping Potentially Now Constitutes an Advance Persistent Threat
Security is the application of Privacy’s intentions, so open the pocketbook and check your ciphers. Gain a deeper understanding of Microsoft’s position on privacy and how online services intend to protect customer data.

11:15 AM – 11:55 AM: Stefano Zanero
Jackdaw talk – Automatic Malware Behavior Extraction and Tagging
This talk will focus on our approach for extracting (interesting) behavior specifications in an automatic way from a large collection of (untagged) malware. If you wonder why? It’s because we believe in giving support to the analyst by providing a list of important behaviors, with a rough explanation, to prioritize the analysis.

11:55 AM – 12:55 PM

12:55 PM – 1:15 PM: Xeno Kovah
UEFI – What would it take to enable global firmware vulnerability & integrity checking?
This talk will describe what actions are being taken to improve security for PC firmware, and what different groups in Microsoft can do to help.

1:15 PM – 1:35 PM: Yuriy Bulygin
UEFI – Summary of Attacks against BIOS and Secure Boot
A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, UEFI secure boot and Full Disk Encryption solutions. This talk will detail and organize some of the attacks and how they work. We will cover attacks against BIOS write protection, attacks leveraging hardware configuration against SMM memory protections, attacks using vulnerabilities in SMI handlers, attacks against BIOS update implementations, attacks bypassing secure boot, and various other issues. We will describe underlying vulnerabilities and how to assess systems for these issues. After watching, you should understand how these attacks work, how they are mitigated, and how to verify if your system has any of these problems.

1:35 PM – 2:15 PM: Josh Thomas
Behind the NDA: How to attack a product under deadline
This talk will focus on a brief security assessment of the Windows Phone / Nokia Lumia platforms with the intent of exploring attack methodologies. This talk will focus on how we as consultants approach a new problem / technology and how we can quickly become productive on new and previously unknown / unexplored hardware and software components.

2:15 PM – 2:35 PM: Sergey Bratus, Julian Bangert
Defining and Enforcing Intent Semantics at ABI level
Dominant OS security policy designs treat a process as an opaque entity that has a "bag" of permissions to access some OS resources at any time, in any order. Now that the sensitive data that we most want to protect may never touch the filesystem or even cross a process boundary, these designs fail at their purpose. We introduce a design that has a much higher granularity of protection, yet is compatible with existing ABI, standard build chains, and binary utilities.

2:35 PM – 2:50 PM

2:50 PM – 3:30 PM: Andrew Ruef
Build It Break It Competition
We created a competition where students design and implement secure programs, and identify bugs in each other’s programs. We’ll talk about the design of the competition, the data we’ve gathered from executing the competition, our plans for future competitions, and what the data is telling us about software security, programming languages, education, and software development.

3:30 PM – 4:10 PM: Ram Shankar Siva Kumar, John Walton
Subverting machine learning detections for fun and profit
If you are using Machine learning in your feature, it can be attacked! This talk is a primer on Adversarial Machine learning wherein we show how attackers can manipulate machine learning systems to get the result they want you to see. You will learn how to protect yourself and detect such attacks. You don’t need to know about Machine learning to attend this talk – we’ve got you covered.

4:10 PM – 4:40 PM: Lightning Talks

October 10th, 2014

9:00 AM – 10:00 AM: Lightning Talks & Breakfast

10:00 AM – 10:40 AM: Benjamin Delpy, Chris Campbell, Skip Duckwall
The Attacker's View of Windows Authentication and Post Exploitation part 1
This talk will focus on how Windows authentication works in the real world and what are the popular attacks against it. You will learn the thought process of attackers in the real world and how it differs from a defender’s perspective. We’ll also cover post-exploitation tools and techniques such as Mimikatz. Finally, we’ll discuss next steps – How do you design services that are breach-resistant and make authentication harder to crack.

10:40 AM – 11:20 AM: Benjamin Delpy, Chris Campbell, Skip Duckwall
The Attacker's View of Windows Authentication and Post Exploitation part 2

11:20 AM – 11:35 AM

11:35 AM – 12:15 PM: Ho John Lee
Privacy and Security in a Personalized Services World
An introduction and discussion of current policy issues around personalized mobile and cloud-based knowledge services. In this talk you will learn about some of the privacy and policy issues associated with large scale, cloud based personalization that are different from those in web search, email, or social networks. I will also present some concepts and patterns for building mobile and personalized services that honor individual user data obligations while also enabling offline data analysis and global, low latency serving infrastructure.

12:15 PM – 12:55 PM: Bo Qu
The failure and success in IE fuzzing
The road to success is often paved with failure. In this presentation we will discuss the mistakes and challenges we overcame while developing our fuzzer that has successfully discovered over 100 vulnerabilities in Internet Explorer. Welcome to the school of hard knocks!

12:55 PM – 1:55 PM

1:55 PM – 2:35 PM: John Walton
Next Generation Advanced Persistent Threat™
What will tomorrow’s threat landscape look like? How can attacks become even more advanced than we are observing today? What will the adversary’s arsenal contain? The Next Generation Advanced Persistent Threat™ talk will peer into the future and these exact questions. Come discover how we will continue to be outmaneuvered during every phase of the cyber kill chain.

2:35 PM – 2:55 PM: David Finn
Fighting Cybercrime with Big Data
The Microsoft Digital Crimes Unit (“DCU”) is a team of about 100 people, including former prosecutors, law enforcement officials, security analysts, investigators, attorneys, and intelligence analysts, dedicated to the fight against global cybercrime. In this presentation about DCU’s CSI-like blend of crime fighting and technology, find out how Big Data and analytics is revolutionizing everything DCU does – helping protect internet users, and disrupting and dismantling criminal organizations all over the world.

2:55 PM – 3:10 PM

3:10 PM – 3:30 PM: Alexandra Savelieva, Daniel Eshner, Nuwan Ginige, Mohammad Usman
Data Isolation In Multitenant Cloud Environment
In our talk, you’ll learn about a new solution that we built to address the problem of managing access to data across various fabrics and processing environments to mitigate top security threats of a cloud-based distributed application platform shared by multiple partners, including isolation of mutually distrustful tenant applications running side-by-side on a commodity server.

3:30 PM – 4:30 PM: Daniel Edwards
Engineer's guide to DDOS
Are you ready to discuss DDoS? Can your online service be weaponized to attack? It’s already happened to others. Is yours next?

Vuln Hunt: Find the Security Vulnerability Challenge #1, 02 Oct 2014 16:19:18 +0000 Whether it’s a riddle, puzzle, or detective mystery novel, most of us like to solve a good brain teaser. As security and program experts, these types of conundrums keep us on our toes. During the next few weeks, I’ll share some of my favorites, and see if you can find the security vulnerability. For this first one, let’s take a look at authenticated encryption. Two points are possible for solving this stumper, plus an extra bonus point. Question:


First off, let’s give one point to the programmer, who realized that many encryption algorithms do not in themselves provide any integrity protection.

Encryption prevents an eavesdropper “Eve” from reading the message that Alice sends to Bob, but contrary to popular belief, it does not prevent Eve from intercepting and tampering with that message. (There are notable exceptions such as Galois/Counter Mode (GCM) and Counter with CBC-MAC (CCM) encryption modes, but for the purposes of this question we will assume that a non-authenticated encryption mode such as Cipher-block Chaining (CBC) was used.)

We also give a point to the programmer for using an encrypt-then-MAC design.

Alternative approaches (MAC-then-encrypt and encrypt-and-MAC) are extremely dangerous and have led to several serious security vulnerabilities: read Moxie Marlinspike’s blog post on the “Cryptographic Doom Principle” if you’d like to delve deeper. Give yourself a point if you realized that an encrypt-then-MAC approach is not a security bug.

However, although the programmer correctly validates the HMAC before decrypting, he does so a byte at a time and returns false as soon as he gets a mismatched byte. This means that a tampered HMAC value will fail slightly faster if the first byte is wrong than if the first byte is right. A persistent attacker may be able to exploit this timing difference to craft a valid HMAC for a tampered message. Give yourself a point if you found this timing attack vulnerability in the for-loop.
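As an added illustration (this is not the challenge's own listing, which is not reproduced on this page), the C# program below implements the encrypt-then-MAC design the post credits, with the byte-at-a-time comparison the post faults shown beside a comparison whose running time does not depend on where the first mismatch occurs. The message layout (IV, then ciphertext, then a 32-byte HMAC-SHA256 tag over IV and ciphertext), the AES-CBC choice and the demo keys are assumptions made for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; not the challenge's original code. Layout is an assumption:
// IV || ciphertext || tag, where tag = HMAC-SHA256(macKey, IV || ciphertext).
static class EncryptThenMac
{
    const int IvLen = 16, TagLen = 32;

    // The defect the article describes: returns at the first mismatched byte, so
    // elapsed time reveals how many leading bytes of a forged tag are correct.
    public static bool LeakyEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++)
            if (a[i] != b[i]) return false;
        return true;
    }

    // Fixed compare: always walks the whole array and folds every difference into
    // one accumulator, so there is no data-dependent early exit. (Tag length is
    // public, so the length check may short-circuit.) On .NET Core 2.1+ / .NET 5+
    // prefer the built-in CryptographicOperations.FixedTimeEquals.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static byte[] Encrypt(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        using (var aes = Aes.Create())           // CBC mode and PKCS7 padding are the defaults
        {
            aes.Key = encKey;
            aes.GenerateIV();
            byte[] ct;
            using (var enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            var body = new byte[IvLen + ct.Length];
            Buffer.BlockCopy(aes.IV, 0, body, 0, IvLen);
            Buffer.BlockCopy(ct, 0, body, IvLen, ct.Length);

            byte[] tag;
            using (var mac = new HMACSHA256(macKey))
                tag = mac.ComputeHash(body);     // MAC covers IV and ciphertext

            var msg = new byte[body.Length + TagLen];
            Buffer.BlockCopy(body, 0, msg, 0, body.Length);
            Buffer.BlockCopy(tag, 0, msg, body.Length, TagLen);
            return msg;
        }
    }

    // Verify the tag first (encrypt-then-MAC); nothing is decrypted until it checks out.
    public static byte[] Decrypt(byte[] encKey, byte[] macKey, byte[] msg)
    {
        if (msg.Length < IvLen + TagLen) throw new CryptographicException("message too short");
        int bodyLen = msg.Length - TagLen;
        var body = new byte[bodyLen];
        var tag = new byte[TagLen];
        Buffer.BlockCopy(msg, 0, body, 0, bodyLen);
        Buffer.BlockCopy(msg, bodyLen, tag, 0, TagLen);

        byte[] expected;
        using (var mac = new HMACSHA256(macKey))
            expected = mac.ComputeHash(body);
        if (!FixedTimeEquals(expected, tag))
            throw new CryptographicException("MAC mismatch");

        var iv = new byte[IvLen];
        var ct = new byte[bodyLen - IvLen];
        Buffer.BlockCopy(body, 0, iv, 0, IvLen);
        Buffer.BlockCopy(body, IvLen, ct, 0, ct.Length);
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(encKey, iv))
            return dec.TransformFinalBlock(ct, 0, ct.Length);
    }

    static void Main()
    {
        // Constructed demo keys; real keys come from a KDF or a key store.
        var encKey = new byte[32];
        var macKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(encKey); rng.GetBytes(macKey); }

        byte[] msg = Encrypt(encKey, macKey, Encoding.UTF8.GetBytes("transfer 10 to bob"));
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(encKey, macKey, msg)));

        msg[IvLen] ^= 0x01;                          // flip one ciphertext bit
        try { Decrypt(encKey, macKey, msg); }
        catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Both comparison functions return the same answers; the difference is only in how long they take to return them, which is exactly what a timing attacker measures. Rejecting the message before any decryption also means a tampered ciphertext never reaches the padding check, closing the padding-oracle route that MAC-then-encrypt designs leave open.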

Finally, although it’s not a security “bug” per se, give yourself a bonus point if you noted that this code uses hardcoded cryptographic algorithms and is therefore not cryptographically agile.

All crypto weakens over time, and while HMAC-SHA256 is considered a strong algorithm now, that may change in the future (and perhaps suddenly). You should plan for this eventuality now and avoid hardcoding cryptographic algorithms into your code: see “Cryptographic Agility” for more details.

While finding a solution can be entertaining, it can also be serious business when it comes to security. For us, the goal is to provide even greater protection for data across all the great Microsoft services you use and depend on every day.

Next week, we’ll take a look at regular expressions.

Vuln Hunt: Find the Security Vulnerability Challenge, 25 Sep 2014 18:15:54 +0000 There’s a saying that many people have heard: “If it was a snake, it would have bitten you.” More often than not, that’s the case with software vulnerabilities. A security-class bug can often be so subtle in a program that human reviews, static code analysis and other sophisticated tools might not find it. Yet at the same time, finding that vulnerability can be critical, especially if it is exploitable.

During the next several weeks, in our ‘Vuln Hunt: Find the Security Vulnerability Challenge,’ we’ll share a few light-hearted examples from our Microsoft security experts that illustrate how subtle security vulnerabilities can be. Some of the examples they will share can make even the savviest of us take a second look. Let’s see how well you do with our first challenge, which takes a look at authenticated encryption.

If you haven’t already, I also encourage you to check out another great security story, “Life in Digital Crosshairs; the dawn of the Microsoft Security Development Lifecycle.” This story is about the industry-leading Security Development Lifecycle (SDL), which for the past 10 years has been helping public and private organizations change their engineering cultures, develop more secure software, and find where vulnerabilities may be.

Enjoy the challenge!

Bug Bounty Evolution: Online Services, 23 Sep 2014 10:31:57 +0000 marks the next evolution in bounty programs at Microsoft as we launch the Microsoft Online Services Bug Bounty program starting with Office 365. In our mobile first, cloud first world, this is an exciting and logical evolution to our existing bug bounty programs.

Office 365 is the first of our online services groups to launch a bounty for vulnerabilities found in their services and we will bring others into the program as we go forward. For a list of eligible services and program terms, please visit Of course, any vulnerabilities discovered in any Microsoft products or services can and should be reported according to our Coordinated Vulnerability Disclosure guidelines to us by emailing

We invite you to also read the Office 365 blog post here where our colleagues there discuss some of what they are hoping to see as a result of this program. Our goal with bounty programs is ultimately unchanged and that is to uncover issues and protect customers as quickly as possible and as always, partnering with the security research community offers us the broadest way to do that.

Happy Hunting!

Akila Srinivasan

Cyberspace 2025 Student Essay Contest, 15 Sep 2014 10:01:38 +0000

Posted by: Kevin Sullivan, Principal Security Strategist, Trustworthy Computing

When Sam Coxwell submitted his entry to last year’s Microsoft cybersecurity essay contest, he was focused on one thing, winning.  His entry “Cybercrime: Why does it pay, and what can we do about it?” centered on the future of cybersecurity policy research.  It was one of 48 entries we received from students around the world researching the complexities that impact cybersecurity policy.

Today, we’re kicking off this year’s contest, the Cyberspace 2025 Essay contest. This year, we want to hear from University students who are conducting original research on how they see the future of cyberspace. The inspiration for this topic comes from our recently published paper, Cyberspace 2025: Today’s Decisions, Tomorrow’s Terrain, where we consider the impact that such factors as demographics, education, immigration, regulation, technology, collaboration, and even trade will have on the future landscape of cyberspace and cybersecurity. Additionally, the report showed that even in a borderless internet, countries and regions can be on different paths depending on policy choices. If policy makers could see into the future, could it better inform their decision making today? Microsoft believes that identifying and implementing the right public policies today can significantly impact a country’s or region’s cyberspace tomorrow.

Cybersecurity is a policy priority for many governments, yet there is limited understanding of how policy choices made today will impact a country’s cyberspace tomorrow. It’s why Microsoft’s Global Security Strategy and Diplomacy (GSSD) team works on a variety of research projects like Cyberspace 2025, in addition to collaborating with students at top universities, like the University of Washington’s Jackson School of International Studies, who are applying complex theories and classroom study to contemporary issues to broaden the understanding of the global policy landscape.

If you, or a student you know, have conducted or plan to conduct such research, enter our Cyberspace 2025 essay contest for a chance to win a $5,000 cash prize.* We want to know your predictions for the future of cyberspace. What will be the main issues at stake? Who will be making cybersecurity policies and how?

Our judges will look for the submission/entry to address one or more of the questions below. Preference will be given to responses that integrate quantitative analysis using publicly available cybersecurity data, such as Microsoft’s Security Intelligence Report (SIR):

  • What will be the priority cybersecurity issues in 2025?
  • Who are the priority stakeholders in securing cyberspace (e.g. industry, governments, NGOs, etc.)? What new entrants may there be? How will their roles evolve over the next decade?
  • What should be the primary objectives of these stakeholders? How will conflicting objectives, such as national versus international policies be reconciled?
  • What are the priority actions that stakeholders should take to improve cybersecurity by the year 2025?
  • What impacts will ensuring—or failing to ensure—cybersecurity have on societies and economies in the year 2025?

For Sam, his entry resulted in more than prize money. “After graduating I landed a job with the Ontario government, and part of my portfolio is working on an e-commerce strategy for the province.”

We look forward to hearing from future cybersecurity policy leaders on how they would tackle these challenges. To enter, visit the Microsoft Cyberspace 2025 Student Contest web page for all the details. Entries must be received by 11:59pm PDT on January 15, 2015.

*For more information, including official rules of the contest, please visit:

Risk Meets Reward: Windows Phone 8.1 Security Overview, 11 Sep 2014 09:04:00 +0000 cars, intergalactic travel, and transporters are not the commonplace items in 2014 that were envisioned for the future throughout the twentieth century. Still, when considering the shoe phone from the television series “Get Smart” through to the fairly limited functionality of the Star Trek communicator, mobile phones might be the single best example of technology that has lived up to our science fiction dreams. Not only can we make calls from nearly anywhere, but we now have access at our fingertips to data that enables both productive remote work experiences and for many people, the ability to fully experience the web with no secondary device. Remote workers can now complete tasks that would previously have required extensive travel or access to an office while sipping a latte at their favorite espresso bar. But with reward comes risk.

We are infatuated with the technology, but we are also aware that mobile devices can pose a serious threat if not managed correctly. Mobile commerce, banking, and corporate data can present serious risks if a device is stolen or compromised. To make things even more confusing, mobile security is often poorly communicated to the average user and commonly requires a leap of faith even for the technically savvy. For enterprise administrators who are considering a Bring Your Own Device (BYOD) deployment, much needs to be done to bring their confidence to the level of their internal systems, whose deliberate access is typically controlled by strict policies.

Microsoft is working hard to provide a platform that customers can feel confident in and that is differentiated in its approach to mobile security and privacy. Last year we talked about the Importance of Smartphone Security on the Microsoft Security blog, and since that time it has become even more relevant. The recent release of the Windows Phone 8.1 Security Overview, a document that defines the strides that Microsoft has made for the Windows Phone platform, articulates the security design, capabilities, and functionality, such as:

  • The Microsoft Security Development Lifecycle (SDL) is fully integrated within the mobile operating system’s design, build processes, and ongoing code maintenance, and the security technologies from Windows 8.1 around storage, encryption, authentication, and management provide parity with the desktop operating system.
  • Windows Phone 8.1 leverages over 10 years of experience and innovation to provide a mobile solution with an end to end security strategy that benefits from trustworthy hardware capabilities such as Unified Extensible Firmware Interface (UEFI) and Trusted Platform Module (TPM), which allow devices to leverage Trusted Boot, BitLocker encryption, and virtual smart cards for Information Rights Management (IRM) and multi-factor Authentication.
  • The Windows Phone operating system implements a defense-in-depth approach that also secures apps to prevent their potential use by attackers. The Windows Phone Store app architecture isolates apps to prevent a malicious app from affecting other apps or from directly accessing critical operating system resources to help prevent the installation of malware on devices. Windows Phone further mitigates these risks by providing a secured and controlled mechanism for users to acquire trustworthy apps.
  • Windows Phone benefits from the security model of the cloud-based Windows Phone Store, which includes a strict assurance and screening process for all apps, as well as the rigorous requirements of Microsoft’s other cloud-based services, such as Operational Security Assurance (OSA).
  • Windows Phone 8.1 includes numerous and granular device configuration policies that fully support Device Management Synchronization Markup Language version 1.2, which is the Open Mobile Alliance standard for Mobile Device Management (MDM), so you can leverage Microsoft’s native management tools, like Intune and Microsoft System Center 2012 R2 Configuration Manager or most popular publicly available MDM solutions. For more information on the built-in mobile device management client in Windows Phone you can check out the Windows Phone 8.1 Mobile Device Management Overview.
  • Windows Phone also simplifies device retirement with multiple remote wiping capabilities that allow you to remotely wipe an entire device or granularly target specific information, such as line-of-business side-loaded apps.

The Windows Phone security efforts and commitment have made the platform a superior choice for secured smartphone devices. Microsoft’s level of investment in securing Windows Phone 8.1 devices against threats, protecting data, and securing access to resources to address the threats of today and tomorrow really is unprecedented. To learn more on Windows Phone security check out the Windows Phone 8.1 Security Overview.

Tim Rains
Trustworthy Computing

Industry Vulnerability Disclosures Trending Up, 03 Sep 2014 09:31:00 +0000 A vulnerability disclosure, as the term is used in the Microsoft Security Intelligence Report, is the revelation of a software vulnerability to the public at large. Disclosures can come from a variety of sources, including publishers of the affected software, security software vendors, independent security researchers, and even malware creators.

The vulnerability disclosure data in the Security Intelligence Report is compiled from vulnerability disclosure data that is published in the National Vulnerability Database (NVD). This database is the US government’s repository of standards-based vulnerability management data. The NVD represents all disclosures that have a published Common Vulnerabilities and Exposures (CVE) identifier.

Industry-wide vulnerability disclosures trending upwards
Figure 1 illustrates the vulnerability disclosure trend across the entire industry since 2011. Between 2011 and the end of 2013 vulnerability disclosure counts ranged from a low of 1,926 in the second half of 2011 to a high of 2,588 in the first half of 2012; there were more than 4,000 vulnerability disclosures across the entire industry each year during this period. For additional context, the peak period for industrywide vulnerability disclosures was 2006-2007 when 6,000 – 7,000 vulnerabilities were disclosed each year. Vulnerability disclosures across the industry in the second half of 2013 (2H13) were up 6.5 percent from the first half of the year, and up 12.6 percent from the second half of 2012.

Figure 1: Industrywide vulnerability disclosures from the first half of 2011 (1H11) to the second half of 2013 (2H13)

Not all vulnerabilities are equal – there are differences in severity and access complexity as illustrated in figures 2 and 3.

Vulnerability severity trends
The Common Vulnerability Scoring System (CVSS) is a standardized, platform-independent scoring system for rating IT vulnerabilities. The CVSS base metric assigns a numeric value between 0 and 10 to vulnerabilities according to severity, with higher scores representing greater severity. Vulnerabilities that scored 9.9 or greater represented 6.2 percent of all vulnerabilities disclosed in the second half of 2013, as Figure 3 illustrates. This percentage represents a significant decrease from the first half of the year, when vulnerabilities that scored 9.9 or greater accounted for 12.4 percent of all vulnerabilities. Vulnerabilities that scored between 7.0 and 9.8 increased to 25.3 percent in the second half of 2013 from 24.4 percent in the first half of the year. Medium severity vulnerability disclosures increased 19.1 percent between the first half and second half of 2013, and accounted for 59.3 percent of total disclosures in the second half of the year. In general, mitigating the most severe vulnerabilities first is a security best practice.

Figure 2 (left): Industrywide vulnerability disclosures by severity, 1H11–2H13; Figure 3 (right): Industrywide vulnerability disclosures in 2H13, by severity


Vulnerability access complexity trends
Some vulnerabilities are easier to exploit than others. This is a characteristic that’s not captured in the aforementioned severity ratings. Vulnerability complexity is an important factor to consider in determining the magnitude of the threat that a vulnerability poses. A high-severity vulnerability that can only be exploited under very specific and rare circumstances might require less immediate attention than a lower-severity vulnerability that can be exploited more easily.

The CVSS assigns each vulnerability a complexity ranking of Low, Medium, or High. Figure 4 shows complexity trends for vulnerabilities disclosed since the first half of 2011 (1H11). Note that Low complexity in Figure 4 indicates greater risk, just as High severity indicates greater risk in Figure 2.

Figure 4 (right): Industrywide vulnerability disclosures by access complexity, 1H11–2H13

Disclosures of those vulnerabilities that are the easiest to exploit, low-complexity vulnerabilities, accounted for 43.5 percent of all disclosures in the second half of 2013, a decrease from 52.9 percent in the first half of the year. Disclosures of medium-complexity vulnerabilities accounted for 51.9 percent of all disclosures in the second half of 2013, an increase from 41.9 percent in the first half of the year. Disclosures of high-complexity vulnerabilities decreased to 4.6 percent of all disclosures in the second half of 2013, down from 5.3 percent in the first half of the year.

Operating system, browser, and application vulnerabilities
Comparing operating system vulnerabilities to non-operating system vulnerabilities that affect other components requires determining whether a particular program or component should be considered part of an operating system. This determination is not always simple and straightforward, given the componentized nature of modern operating systems. Some programs (media players, for example) ship by default with some operating system software but can also be downloaded from the software vendor’s website and installed individually. Linux distributions, in particular, are often assembled from components developed by different teams, many of which provide crucial operating functions such as a graphical user interface (GUI) or Internet browsing.

To facilitate analysis of operating system and browser vulnerabilities, the Microsoft Security Intelligence Report distinguishes among four different kinds of vulnerabilities:

  • Core operating system vulnerabilities are those with at least one operating system product enumeration (“/o”) in the NVD that do not also have any application product enumerations (“/a”).
  • Operating system application vulnerabilities are those with at least one /o product enumeration and at least one /a product enumeration listed in the NVD, except as described in the next bullet point.
  • Browser vulnerabilities are those that affect components defined as part of a web browser, including web browsers such as Internet Explorer and Apple’s Safari that ship with operating systems, along with third-party browsers such as Mozilla Firefox and Google Chrome.
  • Other application vulnerabilities are those with at least one /a product enumeration in the NVD that do not have any /o product enumerations, except as described in the previous bullet point.
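As an added example (not SIR code, and not taken from the original post), the four rules above can be applied mechanically to the CPE product enumerations that NVD publishes for each entry. It assumes CPE 2.2 URIs of the form cpe:/<part>:<vendor>:<product>:..., where the part is o (operating system), a (application) or h (hardware). The browser product set, the function names and the sample entries are assumptions constructed for the demonstration; the SIR's full browser list is not on the page.

```python
"""Classify vulnerabilities into the four Security Intelligence Report
categories from their NVD CPE product enumerations.

Added example, not SIR code. Assumes CPE 2.2 URIs as NVD published them
(cpe:/<part>:<vendor>:<product>:...), with part "o" for operating system,
"a" for application and "h" for hardware. BROWSER_PRODUCTS is an assumption
that covers only the browsers named in the text.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

BROWSER_PRODUCTS = {
    ("microsoft", "internet_explorer"),
    ("apple", "safari"),
    ("mozilla", "firefox"),
    ("google", "chrome"),
}

CORE_OS = "core operating system"
OS_APP = "operating system application"
BROWSER = "browser"
OTHER_APP = "other application"
UNCLASSIFIED = "unclassified"


def parse_cpe22(cpe: str) -> Tuple[str, str, str]:
    """Return (part, vendor, product) from a CPE 2.2 URI.

    'cpe:/o:microsoft:windows_7:-:sp1' -> ('o', 'microsoft', 'windows_7').
    Version, update and edition fields are ignored; malformed input raises.
    """
    prefix = "cpe:/"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a CPE 2.2 URI: {cpe!r}")
    fields = cpe[len(prefix):].split(":")
    if len(fields) < 3 or fields[0] not in ("a", "o", "h"):
        raise ValueError(f"malformed CPE 2.2 URI: {cpe!r}")
    return fields[0], fields[1].lower(), fields[2].lower()


def classify(cpes: Iterable[str]) -> str:
    """Apply the four rules to one vulnerability's CPE list.

    The browser rule is checked first: a browser that ships with an OS is
    enumerated with both /o and /a and would otherwise be counted as an
    operating system application.
    """
    parts = set()
    touches_browser = False
    for cpe in cpes:
        part, vendor, product = parse_cpe22(cpe)
        parts.add(part)
        if (vendor, product) in BROWSER_PRODUCTS:
            touches_browser = True
    if touches_browser:
        return BROWSER
    if "o" in parts and "a" not in parts:
        return CORE_OS
    if "o" in parts and "a" in parts:
        return OS_APP
    if "a" in parts:
        return OTHER_APP
    return UNCLASSIFIED  # only hardware (/h) enumerations, or an empty list


def share_by_category(entries: Dict[str, List[str]]) -> Dict[str, float]:
    """Percentage of disclosures per category, the figure the SIR charts.

    entries maps an entry name to its CPE list. Percentages are rounded to
    one decimal; an empty input yields an empty dict.
    """
    counts = Counter(classify(cpes) for cpes in entries.values())
    total = sum(counts.values())
    if total == 0:
        return {}
    return {cat: round(100.0 * n / total, 1) for cat, n in counts.items()}


# Constructed sample entries (not real NVD records) to exercise each rule.
SAMPLE: Dict[str, List[str]] = {
    "entry-1": ["cpe:/o:microsoft:windows_7:-:sp1", "cpe:/o:microsoft:windows_8"],
    "entry-2": ["cpe:/o:microsoft:windows_7", "cpe:/a:microsoft:windows_media_player:12"],
    "entry-3": ["cpe:/o:apple:mac_os_x:10.9", "cpe:/a:apple:safari:7.0"],
    "entry-4": ["cpe:/a:adobe:flash_player:11.2.202.310"],
    "entry-5": ["cpe:/a:oracle:jre:1.7.0:update51"],
}

if __name__ == "__main__":
    for name, cpes in SAMPLE.items():
        print(f"{name}: {classify(cpes)}")
    print(share_by_category(SAMPLE))
```

Note that the ordering of the rules matters: entry-3 carries both an /o and an /a enumeration and would be counted as an operating system application if the browser check ran last, which is exactly the exception the bullets above describe.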

Figure 5 shows industrywide vulnerabilities for operating systems, browsers, and applications since the first half of 2011 (1H11):

  • Vulnerabilities in applications other than web browsers and operating system applications increased 34.4 percent in the second half of 2013 (2H13) and accounted for 58.1 percent of total disclosures for the period.
  • Operating system vulnerabilities increased 48.1 percent in 2H13, going from last place to second. Overall, operating system vulnerabilities accounted for 17.6 percent of total disclosures for the period.
  • After reaching a high point in 1H13, operating system application vulnerabilities decreased 46.3 percent in 2H13, and accounted for 14.7 percent of total disclosures for the period.
  • Browser vulnerability disclosures decreased 28.1 percent in 2H13 and accounted for 9.6 percent of total disclosures for the period.

Microsoft vulnerability disclosures
Figure 6 shows vulnerability disclosures for Microsoft and non-Microsoft products since 1H11.

Figure 6: Vulnerability disclosures for Microsoft and non-Microsoft products, 1H11–2H13

Microsoft vulnerability disclosures remained mostly stable, increasing from 174 disclosures in 1H13 to 177 in 2H13, an increase of 1.7 percent. The Microsoft share of all disclosures across the industry fell slightly over the same period, from 7.3 percent of industrywide disclosures in 1H13 to 7.0 percent in 2H13, because disclosures from other software publishers grew faster. This data highlights the importance of keeping all software up to date, not just Microsoft software.

Microsoft has been able to maintain relatively low vulnerability disclosure counts by using the Microsoft Security Development Lifecycle (SDL), a software development methodology and toolset that is mandatory for all Microsoft products and services. In fact, Microsoft’s SDL celebrated its 10-year milestone this year. If you’d like more details on this story, check out an article we recently published called “The Secret of the SDL.”

Another interesting pivot on vulnerability data is examining which vulnerabilities actually get exploited by attackers. Data on exploitation is typically much harder to obtain than vulnerability disclosure data, which is why many people use disclosure counts as a proxy for what’s happening in the threat landscape. A recently published study on exploit activity tells us that most vulnerabilities in Microsoft software can’t be exploited, for a number of reasons. I published a series of articles, based on this new research by Microsoft’s Security Science team, that help us understand the what, who, when, and how of exploitation.

What vulnerabilities attackers are trying to exploit most often:
Keeping Oracle Java updated continues to be high security ROI

Who exploits vulnerabilities first:
Who Exploits Vulnerabilities: the Path from Disclosure to Mass Market Exploitation

When vulnerabilities get exploited:
When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities

How are vulnerabilities being exploited:
How Vulnerabilities are Exploited: the Root Causes of Exploited Remote Code Execution CVEs

Tim Rains
Trustworthy Computing

Topics from Cybersecurity Bootcamp #1 – Cyber Hygiene, 29 Aug 2014 10:30:41 +0000 This past week I was privileged to attend Stanford’s inaugural cybersecurity boot camp, where two dozen congressional staffers joined academic and industry experts to discuss ways to protect the government, the public and industry from cyber threats.

For me, it was encouraging to see congressional staff members deeply engaged in security and threat discussions on a range of cybersecurity topics and it was a good reminder of how broad a topic it really is.  With that in mind, I thought it would be interesting to extract a few of the topics from the boot camp and discuss them more deeply here on the security blog.

Dr. Jane Holl Lute on Cyber Hygiene

The opening session for the boot camp was led by Dr. Jane Holl Lute, a former deputy secretary of Homeland Security, current president of the Council on CyberSecurity (CCS), and a consulting professor at Stanford's Center for International Security and Cooperation.

Dr. Lute told the bootcamp participants that the Internet is about the power to connect, not to protect, and stressed the importance of cyber hygiene in mitigating threats. 

She emphasized the idea that industry and government can do better – that we know a lot, but we're just not doing it. When asked questions about the path forward, Dr. Lute repeatedly evangelized the need for companies to carry out basic cyber hygiene and promoted the core priorities launched in a Cyber Hygiene Campaign earlier this year by the CCS and the Center for Internet Security (CIS), working with the National Governors Association Governors Homeland Security Advisors Council.

Council on Cybersecurity’s Critical Security Controls

Dr. Lute, in her work with the Council on Cybersecurity, has worked on defining, publishing and updating guidance in the area of security controls since 2009. The latest publication is “The Critical Security Controls for Effective Cyber Defense v5”, available for download. The publication is key to the first phase of their Cyber Hygiene Campaign, which prioritizes the top five actions that address the most critical areas, which the campaign asserts can prevent 80 percent of all known attacks.

NOTE: I've searched for a reference or study that establishes the 80 percent claim and haven't found anything related to the CCS security controls. I speculate that the number and associated claim may be derived from the correlation with the Australian DSD4 controls – see below for more details on this.

The prioritized controls identified by the campaign are:

  1. Inventory authorized and unauthorized devices
  2. Inventory authorized and unauthorized software
  3. Develop and manage secure configurations for all devices
  4. Conduct continuous (automated) vulnerability assessment and remediation
  5. Actively manage and control the use of administrative privileges

In my personal opinion, these are easy to articulate, but relatively high level in terms of putting into operation.  Because of that, I call out the “First Five Quick Wins” recommended in the Critical Security Controls document. The document recommends these five sub-controls as having the most immediate impact in mitigating attacks:

  • application whitelisting (CSC 2)
  • use of standard, secure system configurations (found in CSC 3)
  • patch application software within 48 hours (found in CSC 4)
  • patch system software within 48 hours (found in CSC 4)
  • reduce number of users with administrative privilege (CSC 3 and CSC 12)

Coincidentally, these align closely with the top 4 mitigation strategies for which the Australian Signals Directorate won the 2011 U.S. National Cybersecurity Innovation Award.

Australian Signals Directorate Strategies to Mitigate Targeted Cyber Intrusions

In February 2010, the Australian Defence Signals Directorate (DSD) published a list of 35 strategies to mitigate the targeted cyber intrusions it had analyzed in 2009. They found (archived copy of 2010 report) that at least 70% of intrusions that the DSD responded to in 2009 could have been prevented if organizations had implemented their first four controls. In July 2011, the DSD published an updated report (archived copy of 2011 report) that found that the top four strategies would have prevented at least 85% of the intrusions the DSD responded to during 2010.

The latest report (February 2014) now generally asserts that the effectiveness of the top four strategies remains high and would have, if implemented as a package, mitigated at least 85% of cyber intrusions which the Australian Signals Directorate (ASD) responds to. The top four strategies are:

  1. Application whitelisting of permitted/trusted programs.
  2. Patch applications. Patch/mitigate “extreme risk” vulnerabilities within two days. Use the latest versions.
  3. Patch operating system vulnerabilities. Patch/mitigate “extreme risk” vulnerabilities within two days. Use the latest suitable operating system.
  4. Restrict administrative privileges to operating systems and applications based upon user duties. Users should use a separate unprivileged account for email and browsing.

Final Thoughts and Considerations

Whether we are talking about the Council on Cybersecurity security controls or the DSD mitigation strategies, there is clearly some industry alignment on the best practices for threat mitigation that organizations should be prioritizing. I agree and endorse these “cyber-hygiene” basic steps.

But … what about individual users?

The security controls and mitigation strategies are all targeted at organizations. Government departments and private sector enterprises can and should implement them, and yes, that does have a cumulative beneficial effect on the ecosystem, but it doesn’t really provide actionable guidance for individual users.

Would similar cyber hygiene steps help with home users? Everyone loves to talk about the threat from zero-days, but when my colleagues and I analyzed real world exploits in our 2011 Security Intelligence Report, we found that less than 1 percent of exploits in the first half of 2011 were against zero-day vulnerabilities — software vulnerabilities that are successfully exploited before the vendor has published a security update or “patch.” In contrast, 99 percent of all attacks during the same period distributed malware through familiar techniques, such as social engineering and unpatched vulnerabilities. Basically, we found that the most common threats can be mitigated through good security practices by individuals too.

So, in closing, let me translate the “DSD top 4” into some cyber hygiene guidance that individual users can apply:

  1. Only install applications from reputable sources, such as the official device Stores or boxed product from known, reputable vendors.  Avoid “alternative app stores” and untrusted download sites and especially avoid “cracked” software, as they are frequently compromised with malware.
  2. Accept application updates when available, especially from official app stores. Do not accept offered updates from web sites, instead initiate updates yourself using official updaters or at the vendor web site.
  3. Turn on operating system auto-updates and accept them when notified. Make sure you shut down and reboot on any day when you are notified of an update to ensure they are applied.
  4. Use a standard user account for all day-to-day computing.  Have a separate dedicated admin account for performing administrative tasks and only use it for that.

Just like the DSD has 35 mitigation strategies and not just the top 4, there are other things that individuals can do beyond these four (e.g. antivirus software), but these would be a great start for individual cyber-hygiene.

Best regards, Jeff (@securityjones)

Major Rights Management Update to Office and Azure, 28 Aug 2014 16:41:00 +0000 For many of the CISOs I talk to regularly, data leakage prevention continues to be a topic of high interest. Whether you use a cloud service or an on-premises solution, there are a number of reasons it is important to protect the workplace documents you share with others. To date, data protection technologies have become increasingly complex in order to support the number of devices and platforms that consume the content. In some cases we have seen organizations forgo these vital controls simply because no graceful and effective solution was available.

If this is a concern that your organization has been facing, then I strongly encourage you to check out the new Azure Rights Management features that were revealed in this new blog post by the Microsoft Rights Management (RMS) Team.  The article details an update to Rights Management Services (RMS) and discusses a number of new features that they have added in response to industry trends and, more importantly, direct customer feedback from their Customer Advisory Board.

A common customer ask is that Microsoft provide built-in support for RMS in Microsoft Office on the most common platforms customers ask for, including Windows, Mac OS X, iPhone, iPad, Android phone, Android tablet, and Windows Phone. Microsoft is working to provide a comprehensive solution, but in advance of native Office support customers can now use the RMS app for Windows’ new Share Protected button to share Office documents securely.

Here is an example of this same RMS protected spreadsheet being rendered on multiple platforms, including Windows, Mac OS X, iPhone, iPad, Android phone, Android Tablet, and Windows Phone.

There are a number of other features that you may also find important, such as:

  • A new admin console to create, manage, and learn about policy templates.
  • The ability to use new RMS features without a cloud dependency, so you can keep your encryption keys on-premises.
  • Improved logging capabilities to allow you to keep track of your sensitive data.

For additional details on the new RMS features and for links to supporting content and downloads, visit the Microsoft RMS team blog post: Major Update: Improved Office file support + Service improvements

Tim Rains
Trustworthy Computing

What will cybersecurity look like in 2025?, Part 3: How Microsoft is shaping the future of cybersecurity, 26 Aug 2014 08:58:21 +0000 Today’s post concludes our three-part series on Cyberspace 2025: Today’s Decisions, Tomorrow’s Terrain, which presented three views of the world and cyberspace in 2025: Plateau, Peak, and Canyon.

  • PEAK – the Peak scenario represents a world of innovation, where information and communications technology (ICT) fulfills its potential to strengthen governance models, economies and societies
  • PLATEAU – the Plateau scenario is a “status quo” world, in which political, economic and societal forces can both bolster and hinder technological progress
  • CANYON – the Canyon scenario is a metaphor for an isolated world, characterized by unclear, ineffective government policies and standards, rooted in protectionist stances

Microsoft is optimistic about the future of cybersecurity.  We believe that public and private sector leaders working together can chart a course that enhances the security, privacy, and reliability of cyberspace in 2025 and expands ICT opportunity for economies in all stages of development.  That’s why we support legislation that facilitates the free flow of information, builds trust, and encourages innovation. Because data increasingly flows across geopolitical borders, the company favors greater standardization and better worldwide alignment of privacy regulations, policies, and standards.

In the U.S., Microsoft has long supported reform of the Electronic Communications Privacy Act (ECPA). We are an active member of the Digital Due Process Coalition and have testified before both the House and Senate about the need to update the Act so that it strikes the right balance between privacy and the needs of law enforcement. Protecting privacy and the free flow of information is critical as people and organizations increasingly store information in the cloud.

The EU Cybersecurity Strategy also represents an important step forward and it represents a significant level of cooperation across the Commission. Raising the security baseline across 28 member states and working to foster international cybersecurity norms with non-EU governments and the private sector are very important areas of focus and will take a sustained commitment from all stakeholders – public and private.

Society experiences the benefits of ICT with improved cybersecurity as a result of continual innovation and collaboration across industrial sectors and international borders.

Of course, most of us would want to see the Peak scenario come to fruition, but the myriad policy decisions that ultimately enable such a scenario are complex. Navigating the future terrain of cyberspace requires a sound understanding of the trends across people, data, and devices and the relationships among them.

There is no one-size-fits-all answer for attaining the Peak scenario. However, Microsoft invites governments to thoughtfully consider their unique national situations: which of these scenarios they are trending toward, which scenario they want to come to fruition, and how they are planning to achieve it. We encourage public and private sector leaders to prioritize these key areas if they truly want to work towards a Peak scenario:

  • Governance models that provide clear policy direction and a national or regional framework for cybersecurity. Ideally, these models will include commitments to an open, free Internet where privacy is protected, harmonization of cybersecurity laws and standards internationally, and support of global free trade.
  • Talent development that is supported by strategic investments in infrastructure and research and development. These investments should balance talent mobility and retention, with an emphasis on educating a modern workforce that can sustain innovation.
  • Global cooperation that advances cybersecurity risk management and coordination among stakeholders both domestically and internationally, with a focus on developing global norms that support stability and security in cyberspace.

Throughout the history of our company, we have worked with governments to help them build and deploy more secure IT infrastructure and services to protect their citizens and national economies.   We work with governments, businesses, and other industry leaders to help enforce and shape legislative proposals, harmonize laws across jurisdictions, develop responsible business practices, and strengthen self-regulatory mechanisms that lead to greater protections for individuals and their personal information.

If you haven’t already, I encourage you to get more information at

Tim Rains
Trustworthy Computing

What will cybersecurity look like in 2025?, Part 2: Microsoft envisions an optimistic future, 20 Aug 2014 09:02:21 +0000 The future of cybersecurity will be influenced by more than just technical factors like the spread of malware, or even targeted cyber-attacks. Global responses to social issues such as population growth, educational investments, or even trade liberalization will also play a significant role.

Continuing our series examining what cybersecurity will look like in the year 2025, let’s look at how technology and social policy decisions addressing important issues will influence the three scenarios we believe could emerge in the next 10 years: Peak, Plateau, and Canyon, each of which is described in our report, Cyberspace 2025: Today’s Decisions, Tomorrow’s Terrain.

According to the report, growth will likely have the biggest impact on cybersecurity. Growth means more people, more devices, more connectivity, and more data. India, for example, will experience growth of more than 3,000 percent in its total number of broadband subscriptions, from about 20 million in 2012 to more than 700 million by 2025. In contrast, during the same period, the entire European Union (28 countries/regions) will add only 105 million new broadband subscriptions, from nearly 143 million in 2012 to 248 million in 2025.

By the year 2025, our data also shows that emerging economies will have overtaken developed countries as the larger market for in-home consumer electronics, with emerging economies comprising over 60 percent of the total global market. This shift will require global technology suppliers to adapt their products to these new markets. Market regulators then will need to consider how to attract a combination of global and local suppliers to meet this demand. If they don’t, the result is what we call a “Plateau,” or even a “Canyon,” scenario.

The Plateau scenario is characterized by asymmetry. Political, economic, and societal forces both bolster and hinder technological progress and cybersecurity. Some governments have inconsistent policies and standards with varied levels of stakeholder participation and international cooperation, while other governments form clusters of open trade and foreign direct investment (FDI). Some countries are able to leverage technology to advance economic and socioeconomic development, while other countries are left behind technologically, unable to fulfill the potential of ICT. This fragmented and uneven approach to governance and the economy leads to a less than optimal global cybersecurity landscape.

The Canyon scenario is characterized by obstructionist government policies and standards, protectionist stances, and isolation. This significantly restricts trade and FDI and undermines relationships across industrial sectors within countries as well as between countries. In this scenario, economic and technology growth is slower, with limited adoption of ICT and deep failures in cybersecurity.

As the cloud becomes increasingly necessary to the development and delivery of critical services, so too will the desire of some governments to regulate it. Balancing key national interests such as the protection of critical infrastructure and ensuring the security, privacy and reliability of data will become an important topic of debate. It can lead to what we call a “Peak” scenario.

The Peak scenario is characterized by clear, effective government policies and standards across economies, and strong collaboration between governments to support open trade and promote FDI. This is a scenario of innovation, in which ICT fulfills its potential to strengthen governance models, economies, and societies. The actions of governments, businesses, and societal organizations foster the widespread and rapid adoption of technology. The political, economic, and social support leads to accelerated economic and technology growth and improved global cybersecurity.

This video helps illustrate these concepts:

Microsoft is optimistic about the future of cybersecurity.  This report gives policymakers, business leaders and other decision makers a framework for evaluating today’s policy decisions. Making more data-driven decisions and dedicating resources to support them can create a less daunting and more navigable terrain towards cyberspace for 2025, today, tomorrow, and beyond.  Once countries have an understanding of which scenario they are trending toward, they will next need to think about their regional topography in cyberspace and what mix of Canyon, Plateau and Peak scenarios they may face. 

Our Cyberspace 2025 series concludes next week with Microsoft’s policy recommendations helping create a Peak Cyberspace for 2025.

Tim Rains
Trustworthy Computing

IE increases protections, implements “out-of-date ActiveX control blocking”, 13 Aug 2014 09:41:00 +0000 Recently, Internet Explorer announced important changes it will be making to better protect customers from cybercriminal attacks. Beginning on September 9, Internet Explorer will block out-of-date ActiveX controls, such as older versions of the Oracle Java Runtime Environment (JRE). The capability ships as part of the August 2014 release of MS14-051, Cumulative Security Update for Internet Explorer (2976627). ActiveX controls are small programs, sometimes called add-ons, that web sites use to serve up content such as videos and games and to let you interact with content such as toolbars. While ActiveX controls have become increasingly popular over time, many of them are neglected or left unpatched for long periods, potentially leaving people exposed and vulnerable to attack from cybercriminals. This is because many of the ActiveX controls that exist today are not automatically updated.

Data from the latest Microsoft Security Intelligence Report provides insight into the scale of this problem.  In 2013, Oracle Java Runtime Environment (JRE) exploits accounted for between 84.6 and 98.5 percent of exploit kit-related detections each month. More details are available in this article: Keeping Oracle Java updated continues to be high security ROI.

Many customers rely on Java-based applications that might be affected by this change, so it is strongly recommended that customers test the update and verify that they are running the latest version.

To better protect customers from the risk posed by out of date ActiveX controls, Internet Explorer 8 through Internet Explorer 11 will introduce a new security feature, called out-of-date ActiveX control blocking.  By default, this feature warns users, with options to update the control or override the warning. When Internet Explorer blocks an outdated ActiveX control, you will see a notification bar similar to the below, depending on your version of Internet Explorer:

 Internet Explorer 9 through Internet Explorer 11

Keeping all applications running on your system up to date is a security best practice and ActiveX controls are no exception.  Internet Explorer will use a Microsoft-hosted file, versionlist.xml, to determine whether an ActiveX control should be stopped from loading, and this file will be updated with newly-discovered out-of-date ActiveX controls over time. For in-depth information on the security enhancements coming to Internet Explorer designed to better protect you, I encourage you to check out the following resources and create a plan to validate and test your environment prior to September 9:  KB2991000 Update to block out-of-date ActiveX controls in Internet Explorer, the article Out-of-date ActiveX Control Blocking, and the IE Blog post entitled “Internet Explorer begins blocking out-of-date ActiveX controls."
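The version check behind out-of-date ActiveX control blocking, reduced to a decision rule as an added example. This is not Internet Explorer's code and does not reproduce the versionlist.xml schema, which the page does not show; instead the cut-offs sit in a constructed table keyed by control family. The family names, cut-off versions and function names are assumptions for illustration, and the example goes beyond the page's Java case by also handling plain dotted version strings for other controls.

```python
"""Out-of-date ActiveX control blocking, reduced to its decision rule.

Added example, not Internet Explorer's code. IE reads the Microsoft-hosted
versionlist.xml; that file's schema is not reproduced here. The cut-offs
below live in a constructed table keyed by control family, and every
version number in it is an assumption chosen for illustration, not the
published list.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]

# Assumed blocklist: family -> lowest version still allowed to load.
# A control below its family's cut-off is out of date; families that are
# not listed are never blocked.
BLOCKLIST: Dict[str, Version] = {
    "Java SE 6": (1, 6, 0, 81),
    "Java SE 7": (1, 7, 0, 65),
    "Java SE 8": (1, 8, 0, 11),
    "Flash Player": (14, 0, 0, 145),
}

# Java reports '1.<major>.<minor>_<update>' with an optional '-b<nn>' build
# suffix; other controls report plain dotted versions.
_JAVA = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?$")
_DOTTED = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(control: str, version: str) -> Tuple[str, Version]:
    """Map a control's version string to (family, comparable tuple).

    'Java', '1.7.0_51' -> ('Java SE 7', (1, 7, 0, 51)); a missing update
    number counts as update 0. Other controls keep their own name as the
    family, e.g. 'Flash Player', '14.0' -> ('Flash Player', (14, 0)).
    """
    version = version.strip()
    if control == "Java":
        m = _JAVA.match(version)
        if not m:
            raise ValueError(f"unrecognised Java version {version!r}")
        major, minor = int(m.group(1)), int(m.group(2))
        update = int(m.group(3) or 0)
        return f"Java SE {major}", (1, major, minor, update)
    if not _DOTTED.match(version):
        raise ValueError(f"unrecognised version {version!r} for {control}")
    return control, tuple(int(p) for p in version.split("."))


def _pad(v: Version, n: int) -> Version:
    """Right-pad with zeros so '14.0' compares equal to '14.0.0.0'."""
    return v + (0,) * (n - len(v))


def is_out_of_date(control: str, version: str,
                   blocklist: Dict[str, Version] = BLOCKLIST) -> bool:
    """True when the control's family is listed and its version is below
    the cut-off. Unknown families load: the feature blocks only what the
    list names, so keeping the list current is what makes it effective."""
    family, parsed = parse_version(control, version)
    cutoff = blocklist.get(family)
    if cutoff is None:
        return False
    n = max(len(parsed), len(cutoff))
    return _pad(parsed, n) < _pad(cutoff, n)


def decide(control: str, version: str, user_overrode: bool = False,
           blocklist: Dict[str, Version] = BLOCKLIST) -> str:
    """'warn' or 'load'. In the default mode the post describes, an
    out-of-date control is held back behind a notification bar that offers
    to update it or to run it anyway; an override lets it load."""
    if is_out_of_date(control, version, blocklist) and not user_overrode:
        return "warn"
    return "load"


if __name__ == "__main__":
    # Constructed control inventory, e.g. from a browser add-on listing.
    for control, version in [("Java", "1.7.0_51"), ("Java", "1.7.0_65"),
                             ("Java", "1.5.0_22"), ("Flash Player", "11.2.202.310")]:
        print(f"{control} {version}: {decide(control, version)}")
```

The two design points worth noticing are that a control whose family is absent from the list is allowed to load, so the protection is only as good as the hosted list's coverage, and that an out-of-date control is merely warned about by default, so a user can still run it; a testing plan for September 9 should cover both cases.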

Tim Rains
Trustworthy Computing

What will cybersecurity look like in 2025?, Part 1: The catalysts that will shape the future, 11 Aug 2014 13:35:00 +0000 Cybersecurity challenges are emerging not just from the commonly recognized sources – criminals, malware, or even targeted cyber-attacks – they can grow from public policies as well.

A research report we released last month, Cyberspace 2025: Today’s Decisions, Tomorrow’s Terrain, seeks to look over the horizon and beyond technical trends to anticipate future catalysts for change as well as equip policy makers for tomorrow’s digital landscape.

Our research forecasts that by 2025, two billion new Internet users will come online, for a total of 4.7 billion people online. Nearly 75 percent of these Internet users will hail from emerging economies. During the same period, social and demographic trends, such as the growing need for a highly-skilled workforce and increases in aging populations, will create new layers of challenge for policymakers already grappling with societal dependence on the Internet.  For example:

  • Internet users in the EU will reach 466 million by 2025, representing a 25 percent jump. However, BRIC (Brazil, Russia, India, and China) countries will grow to 2.1 billion internet users—a 142 percent increase.
  • The percentage of the EU population using the Internet will grow from 74 percent in 2012 to 90 percent in 2025. By comparison, BRIC countries rise from 30 percent to 67 percent of the population over the same time period.
  • Mobile Internet subscriptions in the EU will nearly double (91 percent increase).
  • STEM graduates in the EU are expected to increase by 64 percent, however total R&D spending will only increase by 15 percent.

The below Infographic illustrates some of these trends:

Cyberspace 2025 explores the impact these trends will have on cybersecurity by creating three global scenarios—Peak, Plateau, and Canyon—that could emerge in the next 10 years as a result of technology and social policy decisions addressing important global issues. Stay tuned as I plan to explore each of the three scenarios, as well as some of the implications for policy.

Tim Rains
Trustworthy Computing

Now Available: Enhanced Mitigation Experience Toolkit (EMET) 5.0, 31 Jul 2014 09:19:00 +0000 Today we are pleased to announce the general availability of our Enhanced Mitigation Experience Toolkit (EMET) 5.0. It has been almost five years since we released the first version of the tool, and much has changed since then. Thanks to the overwhelming support, feedback and demand from our community, the tool has evolved considerably and now includes a number of new mitigations, expanded compatibility, a more user-friendly UI, additional reporting capabilities, customer support through Microsoft Premier Support Services, and more.

EMET is a free security mitigation tool designed to help IT professionals and developers protect against emerging threats targeting vulnerabilities that are either unknown or for which a security update has not yet been applied. It is compatible with the most commonly used third-party applications at home and in the enterprise. EMET works by enabling security mitigations to be applied to applications without the need for recompilation. This has proved very effective for customers, especially where IT professionals need to deploy mitigations on software that was written before the mitigations were available or where source code is not available. Here is a glimpse of what some of our customers are saying about EMET:

“EMET breaks commodity malware and raises the cost of developing exploits for more sophisticated attackers. System administrators should consider adding EMET to their environment as an additional exploit mitigation layer.” – Brad Arkin, Chief Security Officer at Adobe Systems

“EMET prevents malware from exploiting vulnerabilities, period! There are many documented cases showing how EMET blocked new malware found in the wild. EMET is a must-have for your workstations.” – Didier Stevens, Contraste Europe NV and author of HeapLocker

“We use only Windows on our desktops, and only with EMET.” – Brad Spengler

EMET 5.0, released today, includes several enhancements. The latest tool comes with new mitigations and capabilities that build on previous versions, including:

New Mitigation: Attack Surface Reduction
Provides a mechanism to help block specific modules or plug-ins within an application, in certain conditions. For example, customers can now configure EMET to prevent their browser from loading Java plug-ins on external websites, while still continuing to allow Java plug-ins on their internal company websites.

New Mitigation: Export Address Table Filtering (EAF+)
Introduces two new methods for helping disrupt advanced attacks. For example, EAF+ adds a new “page guard” protection to help prevent the memory read operations that exploits commonly use as information leaks.

New configuration options for additional flexibility
Offers new user interface (UI) options so that customers can configure how each mitigation applies to applications in their environment, taking into account their enterprise frameworks and requirements. As an example, users can configure which specific memory addresses to protect with the HeapSpray Allocation mitigation using EMET 5.0.

Many enterprise IT professionals deploy EMET through Microsoft System Center Configuration Manager and apply Group Policies in Windows Active Directory to comply with enterprise account, user, and role policies. With version 5.0, propagating EMET configuration changes via Group Policy becomes even easier, as we have improved how EMET handles configuration changes applied across an enterprise network.

The new Microsoft EMET Service is another feature our enterprise customers will find helpful for monitoring status and logging any suspicious activity. With this new service, our customers can use industry-standard tooling, such as the Server Manager dashboard of Windows Server, for monitoring.

Additionally, IT Professionals can now turn on a setting in EMET 5.0 to block users from navigating to websites with untrusted, fraudulent certificates, helping protect from Man-In-The-Middle attacks.

New default settings provide protections from the get-go
EMET’s Deep Hooks capability helps protect the interactions between an application and the operating system, in other words the Application Programming Interfaces (APIs). In EMET 5.0, Deep Hooks is turned on by default, helping provide stronger protections out of the box. Furthermore, this default setting is now compatible with a wider range of productivity, security and business software.

If you are looking for a powerful tool to help protect your organization from emerging threats then I encourage you to download the tool today.

Tim Rains
Trustworthy Computing

SAFECode on Confidence: One Size Does Not Fit All, 23 May 2014 15:00:00 +0000

In a recent post by SAFECode, a non-profit organization of software vendors dedicated to increasing trust in information and communications technology products by improving security and assurance methods, Eric Baize of EMC and Steve Lipner of Microsoft discuss the challenging subject of trustworthiness of acquired software. How a customer gains confidence in acquired software is a frequently asked question of developers. The latest SAFECode blog discusses three approaches that a customer can use to assess the security of acquired software with varying levels of confidence.

BlueHat v13 is Coming, 06 Dec 2013 15:34:00 +0000

Next week, starting Thursday, we’ll be hosting our 13th edition of BlueHat. I’m always so impressed with the level of knowledge we attract to each BlueHat, and while the event is invite-only, we’ll be sharing glimpses into the event via this blog and the hashtag #BlueHat.

For each of the past six years I have had the honor to work among some of the most talented engineers I have ever met, here at Microsoft. I am inspired by the mission we embrace in securing our products, devices, and services. There are few other vantage points with as broad a footprint on the internet, since one of Microsoft’s early mottos helped put “a computer in every home.” Our job in the Microsoft Security Response Center (MSRC) is to help protect the customers who use the technology that the rest of the company works so hard to create. In everything we do in the MSRC, we strive to fulfill our mission to help ensure the security and privacy of over a billion computer systems and our customers worldwide.

In 2005, we started the BlueHat conference to educate the developers and executives of Microsoft about current and emerging threats. The idea was to bring the hackers and security researchers to us, and in doing so foster an environment where the bidirectional exchange of ideas around the balance between security and functionality could meet fertile ground in the famed “hallway track.” We hand-pick just a small number of speakers and external attendees so that we can concentrate on learning from them and, in some cases, on teaching them what we have learned, to help enhance the security and privacy of the Internet as a whole.

This year is no different in that we have invited speakers chosen to educate, amaze, and work with Microsoft to help us understand the emerging security threats to us and our customers. Together, we will rise to face the most important challenges in helping to secure the global Internet ecosystem.

Beginning on Dec 12, 2013, we’ll begin this year’s BlueHat by focusing on the threat landscape, learning about determined adversaries to help us defend our own network and assets, and tools to detect and mitigate attacks. Next we’ll welcome some of the world’s top experts to discuss devices and services, from low-level hardware to web services, to help us build products, devices, and services that are more secure from the ground up.

Finally, we’ll close out the conference with a thought-provoking track that I like to call the “Persistence of Trust,” where we will discuss the core elements that comprise the trust we rely on to support what the Internet has become – a global information sharing network that humanity uses to exchange goods, services, money, and most importantly, ideas. To support these functions, we must strengthen the technology that underlies and supports that trust, and we must design products, devices, and services that are resistant to security and privacy breaches. 

Here’s a quick overview of the planned speaker lineup for the two days of BlueHat v13.

Day 1: Thursday, December 12

Microsoft Technical Fellow, Anders Vinberg, will open BlueHat’s first track, Threat Landscape. Anders will talk about a broad assurance initiative for the next wave, covering Windows Server and System Center, in close alignment with the Core OS team, identity, Office and Azure. Next, we’ll set the stage with a talk from FireEye’s Zheng Bu and YiChong Lin designed to walk us through the techniques of the average and not so average targeted attacker, and show us ways to detect and combat the adversary. Microsoft Partner Development Manager, Mario Goertzel, will then speak to some of the hard problems that we face in antimalware – specifically, how we equip customers and partners with the right tools and analysis to help us all defend our networks and assets. Closing out the Threat Landscape track, Microsoft Principal Security Program Manager Lead, Graham Calladine, and Microsoft Senior Security Software Development Engineer, Thomas Garnier, will walk us through what attackers are doing now, how our current products and practices work against us, and how we can change this.

After lunch, the Devices & Services track kicks off with Josh Thomas, whose DARPA-funded research will reveal some hardware-level universal attacks that are possible on mobile devices. Next up we will have Microsoft’s first Mitigation Bypass Bounty recipient, James Forshaw, talk about executing unsigned code on the Surface RT without jailbreaking it. Next, Microsoft Principal Software Development Engineer, Lee Holmes, will talk with us about PowerShell. Chris Tarnovsky will then discuss semiconductor devices and their backward steps in physical security through higher Common Criteria ratings. Next up, we’ll hear from Microsoft Partner Development Manager, Chris Kaler, and Microsoft Senior Program Manager, Serge Mera, about the latest in Message Analyzer. Mario Heiderich will then take us into the wilds of JavaScript MVC and templating frameworks. The afternoon will wrap up with a call to action from our own Russ McRee, followed by several lightning talks.

Day 2: Friday, December 13

Taking into consideration the inevitable socializing from the night before, we’re giving our attendees a slow morning. Between 9:00 AM and 12:00 noon we’ll have a recovery brunch with mimosas, lightning talks, and the famed hallway track. I’ll be the Day 2 keynote, opening the Persistence of Trust track at 12:30 PM. My talk will focus on security strategy at Microsoft, what we’re doing in terms of our defensive industry partner programs like MAPP, and of course, I’ll provide an update on our strategic Bounty programs. I’ll then hand off to Justin Troutman, who will talk about Mackerel, a cryptographic design and development framework based on the premise that real-world cryptography is not about cryptography at all; it’s about products. Peter Gutmann, famed researcher with the University of Auckland, New Zealand, will take the stage and illuminate the psychology of computer insecurity. After a short break, Alex Stamos, CTO of Artemis Internet, and Tom Ritter, Principal Security Engineer with iSEC Partners, will awaken us with tales of life after elliptic curve crypto’s coming extinction. From Bromium Labs we’ll hear from Rahul Kashyap and Rafal Wojtczuk, who will discuss and demonstrate how to reliably break out of various popular sandboxes. Finally, closing BlueHat v13, renowned security and privacy expert and advocate of human rights, Morgan Marquis-Boire will explore what I call the elephant in the room, as he discusses the surveillance landscape and coercion-resistant design.

As chair of the BlueHat content board, I would be remiss in my duty to the mission of BlueHat if I ignored the revelations of the summer of 2013, and the concerns about government surveillance of the internet. Hence, we will be continuing our internal dialog with a conversation with Morgan and others in attendance on how to design products, devices, and services that are more resistant to abuse and surveillance.  For us, and for over a billion of our customers worldwide, this issue transcends borders and politics. We are a global company and part of a global community, and as such we will continue to work with our customers, partners, and even our competitors to ensure a safer, more trustworthy Internet for all.

From the age of the great worms, to the evolution of more sophisticated and targeted attacks, to the era where modern warfare takes place on not only the information superhighway, but also on the civilian streets of the Internet, we will serve faithfully in our mission to help protect our customers from security and privacy breaches, no matter the adversary.


BlueHat is coming. Brace yourselves.


Katie Moussouris

Senior Security Strategist

Microsoft Security Response Center


Bounty Evolution: $100,000 for New Mitigation Bypass Techniques Wanted Dead or Alive, 01 Nov 2013 10:20:00 +0000

Those who know me personally or follow me on Twitter are familiar with my obsession with karaoke. I do it as often as I can rope people into going with me, never forcing anyone to sing, though invariably everyone does – or at least sings from the sidelines to the songs they know. One of my all-time favorite songs is Bon Jovi’s Wanted Dead or Alive, and it’s the song in my head as I write this post. By the end, I hope to have a few more people singing along. Go ahead and load it into the playlist as you read on.

Today, Microsoft is announcing the first evolution of its bounty programs, first announced in June of 2013. We are expanding the pool of talent who can participate and submit novel mitigation bypass techniques and defensive ideas to include responders and forensic experts who find active attacks in the wild. That means more people can “sing along” to earn big bounty payouts than ever before.

Today’s news means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000.

Our platform-wide defenses, or mitigations, are a kind of shield that protects the entire operating system and all the applications running on it. Individual bugs are like arrows.  The stronger the shield, the less likely any individual bug or arrow can get through. Learning about “ways around the shield,” or new mitigation bypass techniques, is much more valuable than learning about individual bugs because insight into exploit techniques can help us defend against entire classes of attack as opposed to a single bug – hence, we are willing to pay $100,000 for these rare new techniques.

Building upon the success of our strategic bounty programs, Microsoft is evolving the bounty landscape to the benefit of our customers. The bounty programs we have created are designed to change the dynamics and the economics of the current vulnerability market. We currently do this in a few ways:

  1. Offering bounties for bugs when other buyers typically are not buying them (e.g. during the preview/beta period) allows Microsoft to get a number of critical bugs out of the market before they are widely traded in grey or black markets and subsequently used to attack customers.

  2. Offering researchers a $100,000 bounty to teach us new mitigation bypass techniques enables us to build better defenses into our products faster and to provide workarounds and mitigations through tools such as EMET.

  3. Evolving our bounty programs to include responders and forensic experts, who can turn in techniques that are being used in active attacks, enables us to work on building better defenses into our products. We will work whenever possible with our MAPP program and engage our community network of defenders to help mitigate these attacks more rapidly.

In this new expansion of Microsoft’s bounty programs, organizations and individuals are eligible to submit Proof-of-Concept code and technical analysis of exploits they find in active use in the wild for our standard bounty amount of up to $100,000. Participants would also be eligible for up to $50,000 in addition if they also submit a qualifying defense idea. The submission criteria for both programs are similar – but the source may be different.

To participate in the expanded bounty program, organizations must pre-register with us before turning in a submission by emailing us at doa [at] Microsoft [dot] com. After you preregister and sign an agreement, then we’ll accept an entry of technical write-up and proof of concept code for bounty consideration.

We want to learn about these rare new exploitation techniques as early as possible, ideally before they are used, but we’ll pay for them even if they are currently being used in targeted attacks if the attack technique is new – because we want them dead or alive.

This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets. Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it.  By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery.

We shall see how the song plays out, but I for one am excited for more singers to step up to the microphone, or to sing out from the sidelines.


Katie Moussouris

Senior Security Strategist and karaoke MC

Microsoft Security Response Center

Congratulations to James Forshaw, Recipient of Our First $100,000 Bounty for New Mitigation Bypass Techniques!, 08 Oct 2013 09:47:00 +0000

Congratulations to James Forshaw for coming up with a new exploitation technique to get our first ever $100,000 bounty. A security vulnerability researcher with Context Information Security, James already came in hot with design level bugs he found during the IE11 Preview Bug Bounty, and we’re thrilled to give him even more money for helping us improve our platform-wide security by leaps.

Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique. Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty.

While we can’t go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants.

The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack. This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.

If you have a new mitigation bypass technique that can defeat our latest platform-wide mitigations, or a new defense idea, and would like to participate in our bounty programs, please see the official guidelines here. For a technical description of an exploitation technique that would have qualified, please read the SRD blog by Matt Miller and William Peteroy here. If you have an idea that’s in scope, please send in your whitepaper and proof of concept code to secure [at] Microsoft [dot] com.

We’re not done evolving our freshly minted bounty programs, which have now paid out over $128,000. Watch this blog for future developments as we continue to hone the biggest ongoing vendor bounty program in the industry.

Until then, our special thanks go to James: Congratulations and well done! You not only made history by receiving a total of $109,400 from our bounty programs, you’re also helping us make our customers safer from entire classes of attack. On behalf of over a billion people worldwide — Thank you and way to go!!


Katie Moussouris

Senior Security Strategist, Microsoft Security Response Center

Bounty News Update: Bountiful Harvest, 04 Oct 2013 13:21:00 +0000

Fall is a season traditionally associated with a harvest after planting the seeds and tending the crops. Today I’m proud to announce the names of six very smart people who have helped us make our products more secure by participating in our new bounty programs. When we launched our bounty programs in June this year, we had a few strategic goals in mind:

  • Increase the win-win between the hacker/security researcher community and Microsoft’s customers, and build relationships with new researchers in the process
  • Receive more vulnerability reports earlier in the release cycle of our products, ideally during the beginning of the preview (or beta) period
  • Learn about new exploitation techniques that can be used to defeat our platform-wide defenses, so we can build protections against entire classes of attack

Now that we have permission from the bounty program recipients to publish their names and bounty amounts, I’ll list them all here. You may have seen a few congratulatory and celebratory tweets; we wanted to officially acknowledge these security researchers who have helped our customers by participating in our bounty programs.


On behalf of over a billion customers, THANK YOU!
James Forshaw
Ivan Fratric
Jose Antonio Vazquez Gonzalez
Masato Kinugawa
Fermin J. Serna
Peter Vreugdenhil


I am also thrilled to highlight a few of our bounty program results:


We’ve worked with so many bright security researchers through the years, and are thrilled that through the bounty programs, we received reports from researchers who had never reported to us directly before. This means we have even more great minds interested in working directly with us to help make our products more secure.

IE11 Preview Bug Bounty:

During the first 30 days of the IE11 preview period we received several vulnerability reports that qualified for a bounty, in contrast to the first 30 days of the IE10 beta, when we did not receive any bulletin-class reports. The preview period is a great time for us to receive these reports because we can address the issues earlier. Oftentimes, researchers do not report these findings until after code is released to manufacturing. With these submissions, we will be able to address these vulnerabilities earlier in the process, providing a more secure version of Internet Explorer.

As the leaves turn colors and the temperatures cool off, I’m happy to be sharing the bountiful harvest of our programs, started as seeds planted in early summer. It’s been a great first three months of Microsoft’s bounty programs, and we’re overjoyed that our programs have been met with great participation and enthusiasm from the hacker community.

Stay tuned for more news coming soon!

Katie Moussouris
Senior Security Strategist, Microsoft Security Response Center

MAPP Initiatives Update – Knowledge Exchange Platform, 16 Sep 2013 09:45:00 +0000

A little more than a month ago, we announced some new initiatives for the Microsoft Active Protections Program (MAPP). One of those announcements was “MAPP for Responders.” The initial response has been extremely positive, so we wanted to provide more information on how we are moving this program forward.

Since the announcement, we’ve been working towards launching two initiatives as a single beta with a limited set of customers and partners. The first is the pilot of the MAPP Scanner service that we previously announced.  The second initiative is a beta of a completely new automated knowledge exchange platform. We alluded to this platform in our first post and want to give some additional details on this project.

Simply put, this is a distributed platform, running as a web service, that automates the sharing and consumption of threat information in machine-readable formats. As mentioned before, the platform supports the STIX and TAXII open specifications developed by MITRE, but it has been designed to support any message exchange services and message formats that partners decide to implement. This helps to accomplish multiple goals; here are two highlights:

First, the platform will empower the industry by facilitating the sharing of threat information and enabling knowledge exchange scenarios that do not exist today. Because it is a platform, customers and partners will have the flexibility to share and consume data with granular control.

Second, the platform has been designed to be extremely extensible, with a modular plugin architecture that will allow for an unlimited number of services to be built on top of and supported by it.

Figures 1 – 3 illustrate some of the sharing scenarios enabled by the platform:

Figure 1: Publisher / Subscriber
Figure 2: Peer to Peer
Figure 3: Hub and Spoke

We have designed this platform to integrate into existing environments acting as an interchange point between both external and internal services and data formats. The platform enables real-time information sharing, and because the data is machine-readable, organizations can choose to automatically push the data into their network protection systems.

I mentioned a limited beta with qualified customers and partners and wanted to list some of the criteria for participation. In addition to being able to sign required agreements and having a dedicated incident response team, participants in the initial beta will be required to provide a feed of threat data into the system. The beta will operate in phases with each lasting approximately 3 months. We expect to conduct three to four phases, expanding to more participants as we progress.

Many customers have already contacted us concerning participation and we will be following up with all of you very soon. For those enterprise customers who are interested in finding out more, the best path is to talk to your Microsoft Technical Account Manager (TAM). Other incident responders can send a note to

Keep an eye on this blog for future updates and announcements. We expect this work to go on for several months and are looking forward to input from participants to help shape the future of automated knowledge exchange.


Jerry Bryant
Senior Security Strategist Lead
Microsoft Trustworthy Computing

New MAPP Initiatives, 29 Jul 2013 09:58:00 +0000

Hi everyone,

Some of you may recall the launch of the Microsoft Active Protections Program (MAPP) back in 2008, when we began giving antivirus vendors security bulletin information early, so that they could develop and test signatures for vulnerabilities and be ready to release them when our bulletins were published. MAPP was our answer to a common phrase used back then: “Update Tuesday, exploit Wednesday.” This was a time when exploit writers had developed full automation for reverse engineering our security updates and building exploits. Security vendors received information at the same time as everyone else and had to then develop and test signatures before applying the updates. MAPP gave the security vendors, the “good guys,” a head start against the “bad guys.” In the years since its inception, MAPP has been successful in allowing these vendors to release protections when we release the updates so that our customers have the time they need to test and deploy them.

Along the way, MAPP has also become a key part of our incident response process when we find new exploits in the wild. During these incidents, we are able to help MAPP partners quickly build protections for our common customers by providing them with detailed detection guidance. In most cases, this allows for a significant level of protection for customers while we are working to address the issue with a permanent fix.

Since the program launched, there has been little external change to how it operates. Internally, we have made slight adjustments to how the program is managed but by and large, it is the same program it was in 2008 and the same program our partners still say is essential to their operations. For example:

“The MAPP program helps Trend Micro in further strengthening its defenses against cyber criminals. This timely information sharing works great in providing our customers the best and most accurate protection with the least false positives,” said Raimund Genes, CTO, Trend Micro.

“The data from MAPP has proven to be a valuable source of information ahead of the curve, allowing us to better deliver faster protection against 0-day vulnerabilities to our customers.” – Peter Szabo, Senior Threat Researcher, SophosLabs Canada

“MAPP provides us with advanced notification of vulnerabilities, as well as actionable information that allows us to even more quickly build protection for our customers. This saves us significant cycles, and MAPP’s valuable information sharing fully supports our threat-centric approach to cybersecurity.” – Matt Watchinski, Vice President of Vulnerability Research, Sourcefire

Even with this level of success, we are always evaluating our programs. Today, we are introducing a few changes based on the changing threat landscape and feedback from our partners.

MAPP for Security Vendors

First, in order to have a clear definition of the existing MAPP program and be able to convey how the new programs differ, we are now calling what the world today knows as MAPP, “MAPP for Security Vendors.” Here is an outline of how the traditional MAPP program will look going forward:

The MSRC has a history of gathering and acting on feedback from our customers and partners. For example, the Software Update Validation Program (SUVP) allows qualified enterprises to test our security updates in a non-production environment and give us feedback on those updates before we release them. This partnership with our customers extends our internal testing to include many of the custom applications enterprises run in their networks.

In much the same way, we are implementing MAPP Validate as part of MAPP for Security Vendors, which will allow qualified security vendors to give feedback on our detection guidance before distributing it to the broader MAPP community. This is a community-based initiative that will help to streamline the development and use of detection guidance in order to facilitate faster and higher quality protections for customers.

Next, our partners say they are getting clear business value from the one-day head start we give them to develop protections. But sometimes, building, testing, and deploying quality signatures takes additional time. So, on top of streamlining and improving the quality of detection guidance, we are expanding the signature development window from one to three business days for MAPP partners who meet certain stringent criteria. For example, partners must have at least a two-year track record of completing the reporting requirements of the program and a demonstrated willingness to partner back with us as they find new issues in the wild that we need to respond to quickly. Entry-level MAPP partners will still only receive information one day early. As always, we take customer security very seriously. Any partner found to have leaked information, either inadvertently or knowingly, is subject to removal from all parts of the program or, depending on the outcome of an investigation, subject to entry-level status only.

MAPP for Responders

Across the industry, it is recognized that targeted attacks are one of the primary threats to enterprises, governments and other entities. Incident responders, including response companies, CSIRTs, ISACs, and security vendors, represent the front lines in the fight to detect, respond, and remediate these attacks. Through this new program, MAPP for Responders, we are working to build new partnerships and community collaborations that will enable strategic knowledge exchange. Microsoft intends to contribute to this effort by sharing threat indicators such as malicious URLs, file hashes, incident data and relevant detection guidance. Employing a “give to get” model, the community will benefit when data they provide is enriched by aggregating it with data from others.

How is MAPP for Responders different from MAPP for Security Vendors? At a high level, the former targets detection and remediation while the latter is all about developing protections. The information we plan to share with response partners is focused more on threat intelligence than specifically on vulnerabilities. Where these two programs come together is around incident response. Arming more defenders against targeted attacks is a key part of our overall strategy.

Effective knowledge exchange requires automation and a common format. To accomplish this, we plan to support MITRE’s STIX (Structured Threat Information Expression) and TAXII (Trusted Automated eXchange of Indicator Information) specifications. As open specifications for the formatting and transport of information, STIX and TAXII are starting to see broad adoption. Regardless of format, we want to serve customers by facilitating the flow of threat intelligence to organizations who can capitalize on it. As such, we will also seek to build transforms for other commonly used formats. This effort is currently in development and we intend to launch a pilot in the near future.

MAPP Scanner

The MSRC employs some of the brightest engineers in the industry, the sort who build tools such as !exploitable, OffVis, and EMET. MAPP Scanner, currently in a closed pilot program, is a content-based vulnerability scanner developed by our security engineers to aid in investigating incidents. We are introducing MAPP Scanner as a cloud-based service that can be used to scan Office documents, PDF files, Flash movies, and suspect URLs, to determine if they are attempting to exploit a vulnerability.

MAPP Scanner performs both static and active analysis to determine if files are attempting to exploit a vulnerability. It spins up virtual machines for every supported version of Windows and opens content in supported versions of the appropriate application. MAPP Scanner can help find a known vulnerability and return the CVEs and affected platforms for that issue, while also flagging suspicious activity not associated with a known vulnerability for deeper analysis. As a result, MAPP Scanner is extremely effective in identifying previously unknown vulnerabilities while at the same time dramatically improving the ability and efficiency of responders investigating an incident.

Making this technology available to partners who are likely to be subjected to targeted attacks and those who work with them to investigate and remediate security incidents increases the likelihood of new attacks and attack vectors being discovered. It also aids in the efficiency of investigations which speeds up the process of identifying and deploying the appropriate protections.

Going Forward

As with Microsoft’s other security initiatives, such as the BlueHat Prize and our new bounty programs, the mission for MAPP is simple: mitigate entire classes of attack and protect customers. We have a long history of working across many different communities to drive this mission and will continue to do so. We also have a lot of other initiatives we are working on so going forward, you can expect to hear more announcements from us impacting this space.

Jerry Bryant
Senior Security Strategist

Microsoft Trustworthy Computing

Nine to tide you over: Video highlights from BlueHat v12, 09 Apr 2013 12:52:00 +0000 It has been nearly four months since we gathered in Redmond for BlueHat v12, and we’ve almost caught up on our sleep. As we prepare for what promises to be a momentous year for the BlueHat program – culminating in December with BlueHat v13 – we’ve selected nine of the most compelling, talked-about, or just plain chewy talks from last year’s festivities to share with you.

  • Fraud and Abuse: A Survey of Life on the Internet Today –> WATCH IT ON DEMAND
    Ellen Cram Kowalczyk, Principal Security Program Manager Lead, Microsoft

    Kowalczyk kicked off BlueHat v12 in the morning with a look at two of the most difficult security issues facing our customers today. When you’re in the process of becoming the leading devices and services company, this is the sort of thing that’s on your mind every morning.

  • Social Authentication –> WATCH IT ON DEMAND
    Alex Rice, Product Security, Facebook

    Over the past year, Facebook engineers have been working on various attempts to expand authentication from “something you know” to “someone you know.” Rice’s talk demonstrates some of the results and details the lessons his company has learned along the way.

  • Scriptless Attacks: Stealing the Pie Without Touching the Sill –> WATCH IT ON DEMAND
    Mario Heiderich, Dr.-Ing, Ruhr-University in Bochum, Germany

    Removing JavaScript from the cross-site scripting equation doesn’t necessarily take away the XSS pain, as Dr. Heiderich demonstrates. Learn how attackers can use seemingly benign features to build side-channel attacks that can measure and exfiltrate data from even well-protected sites – and find out what can be done to stop it.

  • Sh*t My Cloud Evangelist Says… Just Not My CSO –> WATCH IT ON DEMAND
    Chris Hoff, Senior Director and Security Architect, Juniper Networks

    In front of an audience evenly divided between developers and security folk, Chris Hoff laid out the differences in worldview between the two – yes, there are a few – and how those translate into the world of cloud computing. More secure? Less secure? Let the debate begin…

  • Don’t Stand So Close to Me: An Analysis of the NFC Attack Surface –> WATCH IT ON DEMAND
    Charlie Miller, Systems Software Engineer, Twitter

    Near-field communication (NFC) technology is growing in popularity, with mobile devices leading the communications charge. But when you tap your phone to an NFC-enabled terminal to make a credit-card payment, how do you know you haven’t been owned – or worse? Miller looks at how NFC technology expands the potential attack surface for mobile devices.

  • Building Trustworthy Windows Store Apps –> WATCH IT ON DEMAND
    David Ross, Principal Software Security Engineer, Microsoft and Crispin Cowan, Senior Program Manager, Windows Security, Microsoft

    The Windows Store environment is designed to protect consumers’ machines and data from individual apps, but that puts serious responsibility on developers to use secure coding practices. Ross and Cowan look at what that means and how developers can approach the challenge without tears.

    Matthew Garrett, Senior Software Engineer, Nebula

    The Unified Extensible Firmware Interface (UEFI) brings far greater security to the firmware environment, letting developers build security policies that extend all the way into the most basic layers of shipped code. But do we lose platform differentiation in the process? Garrett details why that’s not necessarily the case.

  • Pass the Hash and Other Credential Theft and Reuse: Preventing Lateral Movement and Privilege Escalation –> WATCH IT ON DEMAND
    Patrick Jungles, Security Program Manager, Microsoft

    Credential theft and re-use attacks have gained in popularity in recent years, and there’s nothing tastier for some attackers than your delicious, delicious hashes. Jungles, the Microsoft PM who led the company-wide workgroup that researched and released our recent pass-the-hash whitepaper, presents an overview of the group’s findings.

  • Why Johnny Can’t Patch: And What We Can Do About It –> WATCH IT ON DEMAND
    David Seidman, Senior Security Program Manager, Microsoft

    Microsoft works hard to develop and release security bulletins as soon as we’re aware of a vulnerability that needs addressing. So how is it some users remain vulnerable to issues for which the cure has existed for months, if not years? Seidman dives deep into who doesn’t patch, why, and what might change their ways.

Enjoy! We’re looking forward to BlueHat v13 – Return to your “C:\>”(s). We suspect there will be a lot to talk about.

Emily Anderson
Security Program Manager, MSRC, Microsoft

On the Shoulders of Blue Giants, 13 Dec 2012 09:40:00 +0000

Katie Moussouris

Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team

Cool vulns, BlueHat, soldering irons, quantum teleportation

Rudeness, socks-n-sandals, licorice

BlueHat v12 here in Redmond is in full swing – it started yesterday for full-time Microsoft employees only, and continues today as we welcome our invited guests from beyond Microsoft. I’m excited to see and contribute to this year’s content as it unfolds on stage, and even more excited for all the side meetings that take place here in the hallways of the event.  It makes sense for us to take a moment to recognize the people who have contributed to BlueHat over the years, as well as to look forward to where we are going in terms of security community outreach at Microsoft in the years to come.

The BlueHat conference itself was groundbreaking in 2005, when the first group of hackers were invited by Window Snyder and Andrew Cushman to speak directly to Microsoft developers and executives about the products in which they were able to find security vulnerabilities. Back then, no major vendors had formally hosted an internal security conference before, but doing events like BlueHat is now an accepted industry practice for many major vendors.

We as an industry owe Window and Andrew our thanks for blazing this path, and also many thanks to the people over the years who have developed the BlueHat conference to be what it is today. That list includes but is not limited to Kymberlee Price, Celene Temkin, Dana Hehl, Sarah Blankinship, Mike Reavey and, most recently, Emily Anderson. Part of what makes BlueHat special to the speakers and attendees are the personal touches and vision that each person on the list above contributed.

One of the elements that makes BlueHat such a vital part of our overall security community outreach at Microsoft is the “hallway track.” This is where the invited guests and the Microsoft folks can dive deeper into the topics that are being presented, or diverge into other topics entirely – sometimes with far-reaching effects on improving security by leaps and bounds. As the conference has evolved over the years, some of the people we invite are here to meet with Microsoft engineers and to learn from the content that is presented, such as the MAPP partners we invite. It is the exchange of ideas that can help improve our products, as well as the products of others who are in attendance, that continues to make BlueHat special.

Many other conversations that will take place in the hallways at BlueHat over this week and beyond will help shape security defense for another generation of the Microsoft computing ecosystem. The relationships being forged and reinforced among Microsoft product teams, security engineers, and the external security research community in these halls will likely bear fruit in terms of helping to improve security for existing and future products and services.

There is an old saying that can be paraphrased as “If we can see a little further out into the horizon, it is because we are standing on the shoulders of giants.”  Even as we face some familiar and not-so-familiar security frontiers such as online service security, mobile computing device security, app store security, and the ever-present human factor being exploited via social engineering attacks, we as members of a holistic global computing ecosystem will continue to benefit from the multi-directional exchange of ideas that happen at BlueHat.

Our team continues to expand the ways and means by which we facilitate these pivotal conversations, standing on the shoulders of “blue giants” who have built the security community outreach programs like the BlueHat conference itself, and our worldwide security conference sponsorship program.  As we evolve and grow, we add new programs to the overall outreach strategy to help us get better at security today and in the future. An example of a new program we added recently is the BlueHat Prize contest for security defense, for which this year we gave away over $260,000 in cash prizes for ideas in platform-level defense.  As I said on stage at BlueHat Wednesday morning, Microsoft will continue to invest in security defense challenges — and the next iteration of the BlueHat Prize contest will be announced around the time of the BlackHat USA conference next summer.

So to those who came before, thank you, and to those who will come after, enjoy the view.  I, for one, can’t wait to see what’s just over the horizon, and it’s looking very blue.

Katie Moussouris
Senior Security Strategist, MSRC

Announcing BlueHat v12, 21 Nov 2012 14:50:00 +0000 The days are getting shorter, the holidays are getting nearer, and looming on the horizon is a trio of 12’s – it’s almost time for the 12th BlueHat Conference, on tap for the twelfth month of 2012. We have a terrific lineup of speakers from both inside and outside the company; there’s nothing much we can do about the weather in Seattle in mid-December, but indoors we have compelling work to do on making the cloud, mobile devices, the Internet, and the rest of the computing ecosystem, safer for customers.

Here’s a quick overview of the planned speaker lineup for the two days of BlueHat v12. For more detail, please check back here in the weeks between now and the conference.

Day 1: Thursday, December 13

We’ll open the conference’s first track, Anti-Fraud & Abuse, with author and Microsoft Technical Fellow Mark Russinovich. Mark will also be joining attendees for a lunchtime book-signing (have you read Trojan Horse yet?). He’ll be followed in the morning by Microsoft’s Ellen Cram Kowalczyk, speaking on fraud and abuse, and specifically looking at life on the Internet today.  Facebook’s Alex Rice will give attendees a look into how the world’s biggest social-networking site handles attempts to abuse its users. After a short break, Christopher Hadnagy, author of “Social Engineering: The Art of Human Hacking,” joins us to discuss the role social engineering plays in successful (and unsuccessful) fraud attempts. Finally, Microsoft’s Alex Weinert will give us a look at his work at Microsoft on anti-fraud.

After lunch, the Cloud & Online Services track kicks off with Mario Heiderich, who’ll cover how, after sustained efforts to mitigate XSS and similar cross-site scripting attacks, an attack surface remains (and what can be done about that). He’s followed by Chris Hoff of Juniper Networks, speaking frankly about what cloud evangelists know…but won’t tell CSOs. We’ll have a break and rejoin the action with MSRC Engineering’s own Gavin Thomas, who looks at better security through Microsoft HPC Server and Windows Azure, followed by Tim Maletic and Chris Pogue of Trustwave discussing OPFOR. The afternoon wraps up with a call to action from Mark, followed by several lightning talks on subjects sure to surprise and delight.

Day 2: Friday, December 14

We’re giving you all a later start (9:45 AM), taking into consideration your socializing the night before. MSEC program manager and emcee, Leigh Honeywell, will open the second day of conference at 9:45 AM, with the Vices & Devices track. She’ll turn the floor over to Charlie Miller, who’s currently playing a major part in Twitter’s security push; he’ll talk about attack surfaces in the NFC (near-field communications) protocol stack. After a short break, Microsoft’s David Ross and Crispin Cowan dive into the world of Windows 8 applications. Matt Garrett of Red Hat joins us to answer “Why UEFI?” Lunch will feature an Online Services Security and Compliance (OSSC) Lunch n’ Learn, focusing on managing security risk to Microsoft’s global online services.

Friday afternoon brings the conference’s final track, Hot Topics, with a combination of guests, current Microsoft employees, and alumni on tap. First, James Forshaw of Context Information Security discusses the allure for security researchers of managed languages. Next, Fermín Serna – once a Microsoft colleague, now at Google – speaks of current thinking on information-leak vulnerabilities. After a break, MSRC senior security program manager David Seidman explains why some users simply won’t, don’t, or can’t apply security updates – whatever the consequences. The afternoon will close with Mat Honan, Senior Writer for Wired, whom we think will put the conference’s conversations and revelations in perspective as he describes how all the issues we’ve discussed can touch the lives of the customers we aim to protect.

Thanks –

Emily Anderson
Security Program Manager, MSRC

BlueHat: Something Old, Something New, All Blue, 24 Oct 2012 17:04:00 +0000

Reflecting on my past five years at Microsoft (I know! How time flies!), I can see with fresh perspective just how far we’ve come, while staying true to our goals of helping to protect customers and the computing ecosystem. I just recently returned from maternity leave and launched right into conference season with a bang, speaking at several conferences where I had the opportunity to hang out with old and new friends in the security researcher community. As Microsoft completes its tenth year of working with the broader security community as part of our Trustworthy Computing tenet, it’s a good time to look at how the relationship has developed so far.

Our on-campus BlueHat Briefings started back in 2005. At the time we had two key goals: to expose our own developers and technical contacts to smart researchers both inside and outside our very large company, and to give researchers a conduit to the developers and tech folk who might not yet appreciate the value of thinking like an attacker. As you might guess, at the beginning there was suspicion and maybe even a little fear on both sides, as researchers came to Redmond, and executives and product teams came out of their comfort zones, to talk honestly about security.  But it worked, and others follow the model with similar conferences of their own now. And even as we prepare for the twelfth edition of the Briefings, it’s still great watching a researcher explain an issue directly to the developers responsible for writing the code to fix it.

Since then, the BlueHat Briefings have evolved into part of a larger strategy to play well within the community and improve the broader computing ecosystem. In addition to the Briefings, we provide direct financial sponsorship and support for other industry events around the world – this year, 20 or so conferences across 12 countries.  Some improvements in relations with individual researchers have been simple, like establishing our bulletin acknowledgement policy and Online Services Acknowledgements policy to recognize researchers who report issues directly to us. We recognize individual talent in other ways, offering contracts for penetration testing of products in development – in fact, many of the current pen-testing contracts in effect at Microsoft right now were born from researchers that have shown their talents by reporting issues to MSRC.  Sometimes, we’re able to hire this talent to Microsoft as well; we have great talent from the researcher community working here, and we’re always looking for more. And we don’t stop finding ways to work meaningfully with the community. This past summer, we awarded $260,000 to researchers as a part of the first-ever BlueHat Prize. This prize offers financial rewards to researchers to develop security defenses that can take out entire classes of attacks.

In seven weeks we will gather together at our 12th BlueHat Briefings here in Redmond and have this opportunity for the bidirectional exchange of ideas among people who are passionate about security, both inside and outside of Microsoft.  We have gone from listening and learning from the community to being a true part of it. As the landscape has changed, we’ve evolved our response and engagements and will continue to do so.

Where does this working relationship with this community — and the future of security research — go over the next 10 years? We’ll focus on building cool products that the researcher community will inevitably help us secure, in their own way – by reporting issues to us via Coordinated Vulnerability Disclosure, by coming to educate and “exploitain” our developers and executives at the BlueHat Briefings, and by working for Microsoft and becoming part of our internal security community to help us defend over a billion computer systems worldwide. We’re excited to imagine what the next decade will look like and how we’ll work together, and I’m just as curious today about what is next in the cobra-mongoose battle between attackers and defenders as I was when I joined this company over five years ago.

Stay tuned for the speaker line-up as we move closer to the event. I look forward to welcoming the next members of our elite group – our BlueHat community – as we evolve and grow together.

Katie Moussouris
Senior Security Strategist Lead

The BlueHat Prize V1.0 – And the Winners Are…, 26 Jul 2012 14:40:00 +0000

As we wrap up the first BlueHat Prize contest, we wanted to share what we learned while running the first competition, from a major vendor, offering a large cash prize for defensive security research. Not only did we get to motivate the development of technical mitigation technology, but we also achieved some valuable non-technical goals as well.

We’ll announce the winners in this post, so scroll down if you can’t wait.

Bonus #1: We identified security defense talent that we may never have encountered otherwise, and helped the world get to know them too.

Some of the contestants were certainly well-known names in the security research community; some were people we had never heard of before. Running the BlueHat Prize contest allowed us insight into a greater number of people who are doing some deep thinking in the areas of security mitigation technology. This not only helps Microsoft find and work with talented people, but the spotlight that we can help shine on all of these contestants will hopefully help them market their ideas and talent so that the entire security industry can benefit and improve.

Bonus #2: We aligned some of the top “offensive security” minds to work with us on defense – with excellent results.

I often say that some of the best defenders come from the “offense” side of the security equation. I believe that you truly have to understand how to break into systems in order to devise effective plans for how to defend those systems. One of the goals we set out to accomplish with this contest was to create both an incentive and an opportunity for fame and fortune in the area of security defensive research that never existed at this scale before. We are very happy that the security community responded positively to our challenge, and some great minds chose to participate.

With those positive bonus outcomes we will not wait any longer to announce the winners. For an in-depth technical analysis of the winning entries, with the contest judging criteria applied, please see Matt Miller’s blog post on the SRD blog.


Vasilis Pappas wins $200,000 for his idea, kBouncer – an efficient and fully transparent ROP mitigation technique.

Ivan Fratric wins $50,000 for his idea, ROPGuard – a system that can detect and prevent the currently used forms of return-oriented programming (ROP) attacks at runtime. 

Jared DeMott wins an MSDN subscription, valued at $10,000, and was also surprised on stage live with a check for $10,000 cash for his idea, /ROP – a system that lowers the effect of address space disclosures and mitigates known ROP exploits. 


So what is next for the BlueHat Prize?

Check the BlueHat Prize website in the next several weeks for an updated page that will include information on the other contest entries. These beautiful minds all deserve the thanks and attention of the security community, and we are excited to provide them with a venue to showcase their defensive security ideas.

One thing is certain – we will continue to invest in security defense at Microsoft, and we will continue to offer cash incentives to the security community for helping Microsoft, and the rest of the industry, to help improve the state of security for the entire ecosystem. In sports, as in life, a great team understands both offense and defense. To address the security threats of today and tomorrow, we as an industry need to appreciate both.

 – Katie Moussouris

Senior Security Strategist, MSRC

The BlueHat Prize Survey at BlackHat – Submit Security Defense Questions for a Chance to Win $5000, 16 Jul 2012 00:00:00 +0000

As we inch closer to Black Hat in Vegas this year, we wanted to kick off the ten-day countdown to our first BlueHat Prize contest winners’ announcement with an invitation to those attending Black Hat. Microsoft is conducting a survey at our Black Hat booth to find out what the security community thinks are the most important industry-wide security issues that need answers. When you participate in the survey at our booth, we’ll enter you into our BlueHat Prize Question Sweepstakes for a chance to win $5,000 USD*!

We will give away $5,000 twice per day at random drawings at our booth on July 25 and July 26 – once around lunch and once at the end of each day – for a total of $20,000 USD in cash.

The official rules are found here, but here are some highlights:

• The only way to enter this contest is to visit the Microsoft booth in person at Black Hat and submit a question.
• Only one entry per person is allowed (we’ll scan your conference badge, so no funny business!).
• Valid entries in the sweepstakes must be a defense-oriented security question that could potentially be used in a future BlueHat Prize contest.
• The issue you submit should be industry-wide, e.g., “Design a defense technology or strategy to defend against social engineering.” or “What would be the best approach to defend against DDoS?”

While we may not use the specific defense-oriented questions gathered in this sweepstakes, the survey will help us shape a future BlueHat Prize contest with the input from the broader security community. We know not everyone makes it to Black Hat, but we do think there is a decent sampling of various security industry representatives there, so as a survey it works as a decent sample set. If you’d like to let your thoughts be heard, even if you are not at Black Hat, feel free to join the conversation on Twitter with the hashtag #BlueHatPrize.

As for when we will announce what the next BlueHat Prize contest will be, stay tuned for that news on this blog after Black Hat. For those of you attending Black Hat in person this year, start thinking about what you believe is the biggest industry-wide security issue that needs a great defense. Microsoft may use your idea in our next BlueHat Prize contest, and you might win $5000!

Katie Moussouris

Senior Security Strategist, MSRC

*No Purchase Necessary. Open only to registered event attendees 14+. Game ends 7/26/12. For additional details, see Official Rules posted on-site at the Microsoft booth.

BlueHat Prize v1.0 Finalists – One of These People Will Win $200,000 (AKA Mad Loot)!, 21 Jun 2012 00:00:00 +0000

When we announced the BlueHat Prize on August 3, 2011, we did something that no major vendor had ever done before – offer a large cash prize for defensive security research. While a few vendors and others were offering relatively small cash incentives for security researchers to find and report individual vulnerabilities, we decided that, as a platform provider, Microsoft would be most effective if it sought out new, platform-level, defensive technologies that could possibly help defend against entire classes of vulnerabilities. These defenses could help protect our own applications, and have the potential to protect third-party applications that run on our platform.

We received 20 entries to our inaugural BlueHat Prize contest, a response and participation from the security research community that exceeded our expectations. We now know contestants emerged from different areas of the security community – some from academia, some recognized names in the hacker community, and some from other venues entirely. Interestingly, about half of the entries poured in during the last few days – and even the last few hours and minutes – of the contest entry period. Also of note, most of the top-rated entries were among those last-minute submissions, perhaps substantiating the old adage that brilliance emerges under the glaring pressure of a looming deadline. One thing we learned from this experience was not to set future contest deadlines for midnight on a Sunday!

Getting down to business, here are the names of the three finalists, in alphabetical order:

Jared DeMott

Ivan Fratric

Vasilis Pappas

We will award the prizes to the winners at a 10 p.m. ceremony at our researcher appreciation party on July 26, 2012. We have notified the finalists that they have made it to the finals. The finalists won’t know who won which prize – the grand prize of $200,000 USD, the second prize of $50,000 USD, and the third prize of an MSDN subscription, valued at $10,000 USD – until we reveal it to them and the world live on July 26.

You can read a little about each of them and their proposed solutions on our BlueHat Prize contest site. After the contest is over, we’ll also be putting up the names and abstracts of the other contestants, so stay tuned for that update sometime after Black Hat.

For now, please join us as we congratulate all the contestants, and especially the three finalists. We appreciate their hard work, and are excited that we can help showcase their ideas that can help make advancements in platform-level security defense.

- Katie Moussouris

Senior Security Strategist, MSRC

Inside the MAPP program, 02 May 2012 22:39:00 +0000


Maarten Van Horenbeeck

Senior Program Manager

Slicing covert channels, foraging in remote memory pools, and setting off page faults

The crackling sound of crypto breaking, warm vodka martini

Hi everyone,

Maarten here – my team manages the Microsoft Active Protections Program (MAPP) at Microsoft. MAPP gives defenders a head start by sharing vulnerability information with them so that protection signatures are ready at the same time as security updates.

Recently we have seen a fair amount of discussion around the MAPP program. We know that many customers and partners have questions about how MAPP works and how it helps protect customers, therefore I wanted to take this opportunity to explain how we work to facilitate the creation of active protections.

Our goal with MAPP is to have a transparent, effective program in place. As such, we routinely evaluate MAPP partners to ensure they are adhering to program guidelines, taking action to correct any partner deviations from our program charter. We are also continually looking to strengthen our technical and legal controls to help protect our customers.

Why the MAPP program?

Microsoft developed the MAPP program in 2008 in response to an increase in reverse-engineering occurring around our monthly security update releases. We recognized that there were many tools available that enabled security researchers and attackers alike to very quickly identify the root cause of a vulnerability, given the update binaries. We noted that defenders, such as antivirus or intrusion prevention vendors, were in a race against attackers to reverse-engineer our updates in order to create protection signatures.

Before the MAPP program, defenders were at a disadvantage because detecting exploits is difficult, especially if a security vendor does not have full information on the types of conditions that may trigger successful exploitation. A vendor could write a signature for every attack file they receive, but they would need to respond to every file individually, or spend significant amounts of time reverse-engineering our security updates themselves. By providing technical details about a vulnerability directly to defenders, we strengthen their ability to create more effective and accurate signatures in a shorter timeframe.

MAPP also helps to provide a first line of defense for customers who need, or want, to do their own testing prior to deploying our updates. Microsoft thoroughly tests security updates prior to release, however, we do not have the ability to test with all Line of Business applications that corporations develop in-house.

Given the fact that some customers prefer to perform in-house testing, which may delay installation of the security update, we sought partners that our customers had already deployed, and that could help protect against exploitation of software vulnerabilities. We found those partners in the anti-malware and intrusion prevention industries.

How does the MAPP program work?

Microsoft operates the MAPP program, free of charge, for security vendors that meet our minimum requirements on both the capability they have to protect customers and the number of customers they represent. One can find detailed information on our admission criteria here. We carefully vet and validate these criteria prior to admitting a new partner.

Each month, our team of security engineers work diligently to create information for our partners that helps them detect the exploitation of security vulnerabilities in our products. This data includes, but is not always limited to:

  • A detailed technical write-up on the vulnerability;
  • A step-by-step process for parsing the affected file format or network protocol that identifies which elements must hold particular values, or exceed specific boundaries, in order to trigger the vulnerability;
  • Information on how to detect the vulnerability, or exploitation thereof (e.g. event log entries, or stack traces);
  • A Proof-of-Concept file that is in itself not malicious, but contains the specific condition that will trigger the vulnerability. Partners can leverage this file to test detection signatures they develop using the step-by-step process we provide.

We provide this information to participating vendors shortly in advance of the release of a security update. We base the timeframe on partners’ ability to release effective protections, while limiting the risk, should the information be inadvertently disclosed.

Once we provide the information, our engineers remain available to discuss, in detail, steps security vendors can take to detect exploitation of a vulnerability.

Our team also follows up with partner vendors to learn which vulnerabilities attackers are exploiting in the wild, and where we need to improve guidance to account for specific exploitation methods. We regularly update guidance after the initial release to increase partners' ability to protect customers.

How the MAPP program helps protect customers

The MAPP program helps vendors build comprehensive detection for vulnerabilities that Microsoft acknowledges or addresses in a security bulletin. MAPP partners are not permitted to release their protection in advance of the security update release.

For example, in the case of an Office exploit, our detection guidance describes how to parse the Office file and which part of the file, and which elements, must be malformed in order to trigger the vulnerability. Without MAPP data, vendors would in many cases need to guess which values could trigger a crash and which could not, which reduces the effectiveness of their signatures.

Detection technology developed using MAPP data tends to be more accurate and more comprehensive than detection built without access to the information. Each month after the bulletin release, Microsoft follows up with each vendor individually to track the use of MAPP guidance across the signature base of our partners. When we identify that certain guidance is difficult to implement for our partner base, we work with partners to understand how we can improve the program and enable them to detect these threats more effectively.

CVE-2010-3333, addressed in MS10-087, is a good example. This issue affected the Rich Text Format (RTF) parser in Microsoft Office. Because we had issued few bulletins for this particular component, many vendors had no effective way of parsing the file type. We worked with our MAPP vendors to develop a tool that would quickly identify malicious files and distributed it to our partners, even though the issue had already been addressed in a security update.
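The parse-and-bound check that the detection guidance above describes, as an added example (not Microsoft's MAPP tool, guidance or data): a small structural RTF scanner in Python that walks the group tree, decodes `\'hh` escapes, pulls every `{\sp{\sn NAME}{\sv VALUE}}` shape property out, and flags a watched property whose value exceeds a length bound. The watched name `pFragments` is the shape property that public detections for MS10-087 keyed on; the bound of 1024 characters and the two sample documents are constructed assumptions for illustration and say nothing about the real trigger conditions.

```python
r"""Structural detection over RTF shape properties.

Added example, not Microsoft's MAPP tool or guidance. It parses the RTF
group tree, decodes \'hh escapes, extracts every {\sp{\sn NAME}{\sv VALUE}}
shape property and checks watched properties against a length bound.
MAX_PROPERTY_LEN and the sample documents are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# RTF lexical elements, tried in order: group open/close, control word with
# optional signed parameter and delimiter space, \'hh hex escape, any other
# control symbol, or a run of plain text.
TOKEN = re.compile(
    r"(?P<open>\{)"
    r"|(?P<close>\})"
    r"|\\(?P<word>[a-zA-Z]+)(?P<param>-?\d+)? ?"
    r"|\\'(?P<hex>[0-9a-fA-F]{2})"
    r"|\\(?P<sym>[^a-zA-Z])"
    r"|(?P<text>[^{}\\]+)"
)


@dataclass
class Group:
    """One {...} group: control words in order, decoded text, nested groups."""
    words: List[Tuple[str, Optional[str]]] = field(default_factory=list)
    text: str = ""
    children: List["Group"] = field(default_factory=list)


def parse_rtf(data: str) -> Group:
    """Build the group tree; refuse unbalanced input instead of guessing."""
    root = Group()
    stack = [root]
    for m in TOKEN.finditer(data):
        if m.group("open"):
            child = Group()
            stack[-1].children.append(child)
            stack.append(child)
        elif m.group("close"):
            if len(stack) == 1:
                raise ValueError("unbalanced RTF: stray '}'")
            stack.pop()
        elif m.group("word"):
            stack[-1].words.append((m.group("word"), m.group("param")))
        elif m.group("hex"):
            # \'hh encodes one byte; decode it so an obfuscated property name
            # compares equal to the plain spelling.
            stack[-1].text += chr(int(m.group("hex"), 16))
        elif m.group("sym"):
            stack[-1].words.append((m.group("sym"), None))
        else:
            stack[-1].text += m.group("text")
    if len(stack) != 1:
        raise ValueError("unbalanced RTF: unclosed group")
    return root


def shape_properties(group: Group) -> List[Tuple[str, str]]:
    r"""Collect (name, value) from every {\sp{\sn NAME}{\sv VALUE}} group."""
    props = []
    if group.words and group.words[0][0] == "sp":
        name, value = None, ""
        for child in group.children:
            if child.words and child.words[0][0] == "sn":
                name = child.text.strip()
            elif child.words and child.words[0][0] == "sv":
                value = child.text.strip()
        if name is not None:
            props.append((name, value))
    for child in group.children:
        props.extend(shape_properties(child))
    return props


# Illustrative bound and watch list: constructed assumptions, not the boundary
# values Microsoft distributed to partners.
MAX_PROPERTY_LEN = 1024
WATCHED_PROPERTIES = {"pfragments"}


def scan_rtf(data: str) -> List[str]:
    """Return one finding per watched property whose value exceeds the bound."""
    findings = []
    for name, value in shape_properties(parse_rtf(data)):
        if name.lower() in WATCHED_PROPERTIES and len(value) > MAX_PROPERTY_LEN:
            findings.append(
                f"{name}: value length {len(value)} exceeds {MAX_PROPERTY_LEN}"
            )
    return findings


# Constructed samples. BENIGN carries an ordinary flip property; SUSPECT spells a
# watched property name with a hex escape and gives it an oversized value.
# Neither is an exploit.
BENIGN_RTF = r"{\rtf1\ansi{\shp{\*\shpinst{\sp{\sn fFlipH}{\sv 0}}}}Hello}"
SUSPECT_RTF = (
    r"{\rtf1\ansi{\shp{\*\shpinst{\sp{\sn pFr\'61gments}{\sv "
    + "41" * 2048
    + "}}}}}"
)

if __name__ == "__main__":
    print(shape_properties(parse_rtf(BENIGN_RTF)))   # [('fFlipH', '0')]
    print(scan_rtf(BENIGN_RTF))                       # []
    print(scan_rtf(SUSPECT_RTF))                      # one pFragments finding
```

Parsing the structure rather than grepping for a string is what the guidance buys: the second sample spells the property name with a hex escape, which a substring match on `pFragments` misses but the parser normalizes before comparing. A production tool would also have to skip `\binN` raw-byte runs and handle `\uN` escapes, which this example leaves out.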

Risks and limitations

We recognize that there is the potential for vulnerability information to be misused. To limit this as much as possible, we have strong non-disclosure agreements (NDAs) with our partners. Microsoft takes breaches of its NDAs very seriously. When partners do not protect our intellectual property, we take action, which may include removing the partner from the program.

In addition, we release data only shortly before the security update. Before MAPP, vendors released detection within hours to days after a security update shipped. Today we send MAPP data to partners only as far in advance as they need to do that work, so the protection is usually available when we release the update.

But MAPP also has its limitations. For instance, MAPP does not protect against the exploitation of unknown, zero-day vulnerabilities. In order for MAPP to be effective, Microsoft must be aware of the vulnerability before it can distribute guidance to its MAPP partners.

Additionally, MAPP is only useful to the degree that a product can protect against exploitation of the vulnerability. Intrusion prevention vendors are not always best positioned to detect exploits for Office vulnerabilities, because the files can be encoded in a number of different ways as they cross the network. In the same vein, host-based anti-malware products are often not best positioned to protect against network-based exploits, such as the recent RDP vulnerability.

We recommend our customers work closely with their protection vendors to understand the abilities and limitations of each individual product.

The Value of MAPP

We believe that helping to strengthen community-based defense is key to protecting customers. The MAPP program provides a critical head-start to defenders, while working to minimize risk.

Microsoft is committed to helping customers by providing protection vendors across a wide variety of security industries with valuable protection information. The MAPP program is an important part of this strategy. While risk can never be completely eliminated, we believe the benefits of the program to our customers far outweigh the risks.



Maarten Van Horenbeeck
Senior Program Manager, Microsoft Security Response Center

BlueHat Prize entries: The final tally is…, 03 Apr 2012 17:54:00 +0000

Katie Moussouris

Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team

Cool vulns, BlueHat, soldering irons, quantum teleportation

Rudeness, socks-n-sandals, licorice

The entries are in! After a last-minute wave of fresh entries to the first-ever BlueHat Prize, the final count for this year’s contest stands at twenty qualified proposals. The final entry reached our inboxes at 11:51pm on April 1. (Unfortunately, a contest entry that arrived 17 minutes later – eight minutes after 11:59pm, at 12:08am on April 2 – had to be disqualified out of fairness to the others, and to keep our competition in compliance with Washington State’s rules for such events.)


And now? Now begins the hard and exciting part – evaluating the received entries. The BlueHat Prize Board now starts the judging process, examining, testing and discussing each entry. We expect some lively arguments and look forward to introducing the competition winners to the world at Black Hat in July. In the meantime, we truly thank everyone who delivered a contest entry, as well as everyone who spent time thoughtfully considering the issue.


Talk to you in July –

Katie Moussouris

Senior Security Strategist, Microsoft Security Response Center.

Peace Games – BlueHat Prize Update and Countdown, 26 Mar 2012 11:55:00 +0000

Katie Moussouris

In the film WarGames, an artificial intelligence program named Joshua asked the main character, a teenage hacker, the now famous question, “Shall we play a game?” When Microsoft announced the BlueHat Prize at the Black Hat Briefings in Las Vegas last summer, we asked a different question of the security researchers of the world, focused on defense.

Microsoft is offering over $250,000 in cash and prizes to security researchers who submit the best new security defense technology that meets the contest criteria. The top prize is $200,000 in cash, and the “mad loot” still could be yours!

With just under a week left in the entry period for the contest, which closes April 1, security researchers still have time to enter the competition to win the first and largest prize a vendor has offered for security defense research.

The ability to defeat the latest exploit mitigation technologies on various platforms is an extremely rare skill, as we have seen with several existing competitions that focus on vulnerability exploitation. Taking that knowledge to the level of helping to design new or enhanced mitigation technologies to help defend against exploit techniques like heapspray or Return Oriented Programming (ROP) was a challenge that we were hoping would garner at least as much interest.

The BlueHat Prize contest has exceeded our expectations for participation. So far we’ve had ten entries to the competition, the last four of which arrived over the past couple of weeks – an impressive showing, considering the difficulty of the problem we posed and the very small estimated number of individuals worldwide who possess the knowledge and expertise to seriously compete.

The entries cover a wide variety of ideas designed to help defend against different exploitation techniques, and it’s been great to see fresh insight into these technical areas. We’ve also been excited to see who the contestants are who have chosen to compete for the prize – some of them are security researchers with great track records in the security community, some are from academia, and some are from other venues altogether.

For those beautiful minds who have yet to enter their ideas for the contest, here are some highlights from the official rules:

- Complete entries must be received by midnight Pacific Time April 1, 2012.

- Complete entries must include a verbal description of the idea in English, as well as prototype code to show the exploit mitigation idea in action.

- For an entry to be valid, one of the criteria is that it should not be public at the time of entry (i.e., it must be new). However, a valid entry can be a new improvement on existing exploit mitigation techniques.

- If you have more questions, see the FAQ on the BlueHat Prize website or, if you don’t see your question answered there, contact the BlueHat Prize team.

With over $250,000 in cash and prizes on the line, we are excited that the first BlueHat Prize contest has already garnered great participation. One of my favorite quotes is from the great hockey player Wayne Gretzky, and it applies here for sure: “You miss 100% of the shots you don’t take.”

So, shall we play a game?

-Katie Moussouris

Senior Security Strategist, Microsoft Security Response Center

Follow Katie on Twitter.