In my role, I talk with a lot of customers.  In fact, we had recent meetings on Microsoft’s campus with CSOs from some of the world’s largest companies.  While the topic sometimes starts with the “state of the state” and recent changes in the threat landscape, they always end up in the same place —customers want to discuss and collaborate on solutions, rather than wallowing in the problems.

We’ve collaborated with many of the thousands of brilliant security researchers across the globe over the years, and they’ve helped us improve the security of our products & services.  There are also hundreds of security providers in the industry that we work closely with. In fact, three years ago we took an unconventional approach to security challenges by creating the Microsoft Active Protections Program (MAPP) to help unify this group of defenders.  This program shifted advantage to the good guys by promoting collaboration within the industry, even among competitors, in order to quickly build defensive technologies for over a billion of our shared customers around the world.

The success of that program – which inspired industry collaboration - got us thinking about whether we could do something similar for the security research community. Our goal was to inspire new lines of research in areas that have the most impact and leverage in protecting customers. That means not building incentives to find single bugs, but instead rewarding work on innovative solutions that could mitigate entire classes of attacks.

Today, I am pleased to announce the BlueHat Prize to inspire security researchers to seek innovations in exploit mitigation technologies. This is the first and largest incentive prize ever offered by Microsoft, and possibly the industry, for defensive computer security technology. In the age of increased risk of attacks on personal, corporate and government computer systems, Microsoft recognizes the need to encourage and nurture innovation in the area of exploit mitigations. At Microsoft, we believe in hiring the best and brightest minds in security to help us improve the security of our products and services, but also recognize it will take a “global village” to address today’s security challenges.

With over a quarter million dollars in cash and prizes, Microsoft believes the BlueHat Prize will motivate the community and foster even more collaboration with researchers throughout the security industry. To understand more about this competition, please visit Katie Moussouris’ EcoStrat blog or the BlueHat Prize contest page.

-Matt Thomlinson

Today we published the May Security Bulletin Webcast Questions & Answers page. We fielded twelve questions on various topics during the webcast, including bulletins released and the Malicious Software Removal Tool.  There were two questions during the webcast that we were unable to answer and we have included those questions and answers on the QA page.

We invite our customers to join us for the next public webcast on Wednesday, June 15th at 11am PDT (-8 UTC), when we will go into detail about the June bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, June 15, 2011
Time: 11:00 a.m. PDT (UTC -8)
Register: Attendee Registration

Thanks -

Jerry Bryant

Group Manager, Response Communications
Trustworthy Computing Group

Today we are announcing changes to Microsoft’s Exploitability Index.

Since October 2008, we have used the Exploitability Index to provide customers with valuable exploitability analysis for our security bulletins, and starting Tuesday this information will become even more comprehensive for those who use Microsoft’s latest platforms.

The Exploitability Index assesses the likelihood of functional exploit code being developed for a particular vulnerability. By providing the index information month over month, we’re helping customers prioritize the security updates that matter to them. The Exploitability Index will continue to provide an aggregate exploitability rating across all affected products, and the improvements made to Exploitability Index will now offer additional information to help customers prioritize bulletins, specifically for the most recent platforms, e.g. Windows 7 Service Pack 1 and Office 2010.

For example, the Exploitability Index for CVE-2011-0097, a security issue addressed by MS11-021in the April 2011 release, originally rated a “1 – Consistent Exploit Code Likely”. However, under the previous system, the Exploitability Index did not specifically illustrate that customers using Excel 2010 were at less risk; with Excel 2010, CVE-2011-0097 would rate a “2 – Inconsistent Exploit Code Likely”. In fact, our research has shown that 37 percent of the vulnerabilities addressed since July 2010 have had similar results; the latest platform was either entirely unaffected, or significantly more difficult to exploit.

Maarten Van Horenbeeck, senior security program manager, goes into more depth around the background of Exploitability Index and the value of these improvements in the MSRC blog post: “Exploitability Index Improvements Now Offer Additional Guidance”

Additionally, we're providing advanced notification on the release of a Critical security bulletin addressing a vulnerability in Windows, and an Important bulletin addressing two vulnerabilities in Microsoft Office. As usual, the bulletin release is scheduled for the second Tuesday of the month, May 10, at approximately 10 a.m. PDT.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Pete Voss
Sr. Response Communications Manager
Microsoft Trustworthy Computing

In October of 2008, Microsoft published its first Exploitability Index: a rating system that helps customers identify the likelihood that a specific vulnerability would be exploited within the first 30 days after bulletin release.

As of this month, we are making some changes to the rating system to make vulnerability assessment more clear and digestible for customers. Specifically, we will be publishing two Exploitability Index ratings per vulnerability- one for the most recent platform, the other as an aggregate rating for all older versions of the software. This change makes it easier for customers on recent platforms to determine their risk given the extra security mitigations and features built in to Microsoft’s newest products; under the previous system, vulnerabilities were given an aggregate rating across all product versions.

How do we build an Exploitability Index?

Each vulnerability rating is based on a thorough review by the MSRC Engineering team, as well as close cooperation with a number of key partners. The ratings are qualitative: our team does an in-depth technical analysis of the vulnerability in question, and identifies the likelihood that an experienced exploit developer would be able to exploit the vulnerability. Some great examples of these types of reviews can be found on the SRD blog here and here.

We have received feedback in the past that the Exploitability Index did not take into account more recent mitigations implemented in our operating systems. For instance, Windows 7 hosts Address Space Layout Randomization (ASLR), a mitigation technique which repositions code fragments in memory, and makes it much harder for an attacker to write a reliable exploit. This functionality is not available by default on older operating systems such as Windows XP.

If consistent exploit code was considered likely for any supported version, despite being made significantly more difficult with ASLR, the Exploitability Index rating of that vulnerability would receive Microsoft’s highest rating of "1," indicating that a reliable exploit within 30 days is likely. While this is accurate for the older version, it does not correctly reflect risk for users with Windows 7.

Rating the Latest Platform Separately from Older Platforms

As of this month, we will split out the Exploitability Index into a rating for the most recent version of the software, and an aggregate rating for all older versions. In the scenario above, the rating for Windows 7 could be “2" whereas the rating for all other platforms would be "1”. This more accurately reflects risk to customers that keep their environment updated with the latest product releases.

Assessing Denial of Service Risk

An additional item we are now providing with the Exploitability Index, is an assessment of the Denial of Service risk a vulnerability poses. In the case of remote code execution vulnerabilities, an issue that is difficult to exploit may still be used to crash a computer. Even when an attacker cannot control memory addresses sufficiently to execute code, he may still be able to corrupt memory sufficiently to stop the computer from responding.

For IT administrators, it is important to understand whether the denial of service will be “permanent,” in which case the program or operating system exits unexpectedly, such that the system will need to be restarted; or “temporary,” in which case the program or operating merely becomes unresponsive during the attack, but eventually recovers. In the example table below, for CVE-2011-0673, the table indicates that an attacker who attempts to exploit the service, even when failed, may render the system entirely unavailable. For administrators of internet-facing services, this can often be the difference between a highly important, and insignificant vulnerability.

An Example of Our New Exploitability Index Rating System

To help you prepare for these changes in the May release, we are providing an example of these changes applied to three different CVEs from the April Bulletin Release:

¹ The Latest Software Release refers to the latest supported release of the software as listed in both the "Affected Software" and "Non-Affected Software" tables in the bulletin

² The Older Software Release refers to any other version of the software as listed in both the "Affected Software" and "Non-Affected Software" tables in the bulletin

In the case of CVE-2011-0097, the most recent version of Microsoft Office, additional mitigations are in place that would make exploitation less reliable. For CVE-2011-0041, the latest version of the product, Windows 7, was not affected at all.

CVE-2011-0673 is a local elevation of privilege vulnerability which could lead to a permanent Denial of Service, and may require the machine to be restarted in order to restore functionality. Again, the latest version of the product was not affected by this issue.

In the table, the "Latest Software Release" is always the very latest version listed across both the "Affected Software" and "Non-Affected Software" tables in the security bulletin. The Exploitability Index Assessment for the "Older Software Release" is always the highest rating across any other platform listed in either of these tables. In the case of a complex security bulletin, where for instance both Microsoft Office and Microsoft Windows are affected, the Exploitability Index Assessment for the "Latest Software Release" will be the highest across both software products.

For instance, if the exploitability index assessment for Windows 7 Service Pack 1 is "1," and for Office 2010 is "2," the rating in the “Latest Software Release” column will be "1”.

A historical perspective

At Microsoft, we have been collecting ratings internally in this way for the last eight months. Out of a total of 256 ratings, we found that 97 issues were less serious, or not applicable on the latest version of the product. In contrast, only seven cases affected the most recent product version and not the older platforms.

Some changes, but the same goal

Our goal in publishing Exploitability Index ratings is to make it easier for enterprises to prioritize which updates to install first. We understand that some customers may not be able to install all updates at the same time. By giving an assessment of the exploitability and impact, of an issue, we hope to support IT administrators in making rational decisions on which security updates to install first. We hope these changes prove useful in your monthly assessment of our security updates!

Maarten Van Horenbeeck
Senior Security Program Manager
EcoStrat

As we announced on Friday, today we released Security Bulletin MS10-046 out-of-band to address a vulnerability in Windows. This security update addresses a vulnerability in the handling of shortcuts that affects all currently supported versions of Windows XP, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2. As our colleagues over in the MMPC have noted, several families of malware have been attempting to attack this vulnerability. The security update protects against attempts to exploit this issue.

For customers using automatic updates, this update will automatically be applied once it is released. Customers not using automatic updates should download, test and deploy this update as quickly as possible.

As we do with every bulletin release, we will be hosting a webcast to address your questions today at 1PM Pacific Time. Register now.

Thanks,

Christopher Budd

Sr. Security Response Communications Manager at Microsoft

Today, as part of our regular monthly security bulletin release cycle, we released 10 bulletins to address 34 total vulnerabilities in Windows, Microsoft Office (including SharePoint), Internet Explorer (IE), Internet Information Services (IIS), and the .NET Framework. Only three of these bulletins get our maximum severity rating of Critical. The rest are rated Important. However, we encourage customers to test and deploy all applicable security updates as soon as possible.

The three Critical bulletins get our highest deployment priority this month. Those are:

• MS10-033 is a remote code execution vulnerability in both Quartz.dll and Asycfilt.dll and is rated Critical on all supported versions of Windows. Specially crafted media files could trigger the vulnerability when a user visits a web page or opens a malicious file.
• MS10-034 is a cumulative update for ActiveX Kill Bits and is Critical on Windows 2000, XP, Vista, and Windows 7. There are two Microsoft controls we are applying Kill Bits for. Those are the Internet Explorer 8 Developer Tools control, and the Data Analyzer ActiveX control. The latter control is not installed by default. In addition, there are Kill Bits for four third-party controls. Please review the bulletin for additional details.
• MS10-035 is a cumulative update for Internet Explorer. Of the six vulnerabilities addressed in the bulletin, only one, an information disclosure vulnerability, is publicly known. This issue was identified in Security Advisory 980088. We remain unaware of any active attacks against this vulnerability.

In the video below, Adrian Stone and I go in to some detail on the three priority bulletins and explain why each should be at the top of your list to install:

Also, included below is the aggregate risk and impact slide for June. Note that we do not typically give an Exploitability Index rating for ActiveX Kill Bits but as stated, this update should be a high priority.

Here is our overall deployment priority information:

There are additional subtleties with specific bulletins that I want to discuss here to eliminate potential confusion:

• MS10-032 is an elevation of privilege issue in the affected Microsoft products. There is a potential remote vector if applications fail to properly request the length of the buffer when calling the affected API. All Microsoft applications make this call properly but there may be applications out there that do not. Regardless, installing this update addresses the issue for all vectors. See our Security Research & Defense (SRD) blog for more details on this one.
• MS10-036 is a COM validation update. The issue could result in an attack through ActiveX in Office applications. This is not a new attack vector but the underlying vulnerability is and the bulletin addresses it. For additional clarification, I want to point out that Office XP does not have the architecture needed for the update. However, for customers running Office XP on Windows XP or newer operating systems, we have made a shim available that protects against the vulnerability. The shim can be installed via a Microsoft FixIt which can be downloaded from KB983235.
• MS10-039 is a SharePoint related update, closing out Security Advisory 983438 which addressed an elevation of privilege vulnerability. We are not currently aware of any attacks against this issue.

As usual, our SRD team has written several blog posts that go in to details on some of this month's bulletins and I encourage customers to review those for additional insight: http://blogs.technet.com/b/srd.

If you have questions about the June bulletins, please attend our public webcast tomorrow which I will be hosting with Adrian Stone from the MSRC. We will go in to additional details on each bulletin and along with a room full of subject matter experts attempt to address all of your questions. Here's how to register:

When: Wednesday June 10, 2010 at 11:00 a.m. PDT (UTC -7)
Registration: https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032395226

I hope you can join us then.

Thanks!

Jerry Bryant
Group Manager, Response Communications

Follow us on Twitter: @MSFTSecResponse

Hi everyone,

As mentioned in our ANS blog post last week, today we are releasing 13 bulletins addressing 26 vulnerabilities. 11 bulletins affect Windows and 2 affect older versions of Microsoft Office.

In the post on Thursday, we mentioned that bulletins in the ANS listed as 1, 2, 3, and 6 were going to top our deployment priority list this month. We have also added MS10-015 (#12) to that list. It addresses Security Advisory 979682. We are aware of publicly available Proof-of-Concept code for this issue, but are not aware of any active attacks at this time. Here is the mapping from the bulletin numbers in the ANS to the released bulletin ID’s:

ANS Bulletin Number	Actual Bulletin Number
1	MS10-006
2	MS10-007
3	MS10-008
4	MS10-009
5	MS10-012
6	MS10-013
7	MS10-003
8	MS10-004
9	MS10-010
10	MS10-011
11	MS10-014
12	MS10-015
13	MS10-005

As always, it is recommended that customers deploy all security updates as soon as possible. Of the bulletins released this month, customers should prioritize and deploy MS10-006, MS10-007, MS10-008, MS10-013, and MS10-015, given Critical severity ratings and/or Exploitability Index ratings of 1 (“Consistent Exploit Code Likely”).

MS10-013, which addresses a Critical vulnerability in DirectShow, should be at the top of your list for testing and deployment. This issue is Critical on all supported versions of Windows except Itanium based server products and has an Exploitability Index rating of 1. To exploit the vulnerability, an attacker could host a malicious AVI file on a website and convince a user to visit the site, or send the file via email and convince the a user to open it.

MS10-006 is also Critical on all versions of Windows, except Windows Vista and Windows Server 2008, and addresses 2 vulnerabilities in SMB Client. One of the vulnerabilities has an Exploitability Index rating of 1. In the simplest scenario, a system connecting to a network file share is an SMB Client. The issue occurs during the client/server negotiation phase of the connection. In order to exploit this issue, an attacker would need to host a malicious server and convince a client system to connect to it. An attacker could also try to perform a man-in-the-middle attack by responding to SMB requests from clients. From our analysis of this issue, we expect attempts to exploit it would be more likely to result in a Denial of Service than in Remote Code Execution.

MS10-007 addresses a Critical vulnerability in Windows Shell Handler that affects Windows 2000, Windows XP, and Windows Server 2003. The attack vector is through a specially crafted link that appears to the ShellExecute API to be a valid link. This issue has not been publicly exposed but we give it an Exploitability Index rating of 1, so we urge customers on affected platforms to install it as soon as possible.

MS10-008 is the last one I will give some additional detail on. This is a cumulative update for ActiveX Killbits and is also Critical. You will notice in our Severity & Exploitability Index chart that we did not give this an Exploitability rating. That is because a Killbit is not an update that addresses the underlying vulnerability. It is a registry setting that keeps the vulnerable ActiveX control from running in Internet Explorer. We will give these an Exploitability rating of 1 if we are aware of active exploitation but in this case, we are not.

You can find more detailed information about these bulletins in several blog posts by our Security Research & Defense team at http://blogs.technet.com/srd.

With that, here are the Severity and Exploitability Index and Deployment Priority slides:

In the following video, Adrian Stone and I talk a little more about this month’s top priority bulletins:

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

I would also encourage you to attend out public webcast tomorrow where we will go in to detail on all 13 bulletins. Here is the registration information:

Date: Wednesday, Feb 10
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427679

Hope you can join us!

Jerry Bryant
Sr. Security Communications Manager – Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Today we updated Security Advisory 979352 to let customers know that we are aware that exploit code for the vulnerability used in recent attacks against IE 6 users, has now been made public. Information on which versions of Internet Explorer are vulnerable and what customers can do to protect themselves is included in the updated Security Advisory.< ?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

Our teams are continuing to work on an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out-of-band.

Additionally our Security Research & Defense team has written up a blog with additional technical details on the exploit, the vulnerability, mitigations and workarounds.

We continue to recommend customers review the information in the Advisory, implement the workarounds and mitigations, consider updating to Internet Explorer 8 which includes important protections not present in IE 6, and follow the information on our Protect Your PC website.

Thanks,

Jerry Bryant

Senior Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Microsoft remains committed to taking the appropriate action to help protect our customers. We released Security Advisory 979352 to provide customers with actionable guidance and tools to help with  protections against exploit of this vulnerability. Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time. Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band.

It is important to note that complex attacks targeting specific corporate networks are becoming more prevalent in the threat landscape, therefore organizations should follow defense-in-depth best practices, and deploy multiple layers of protection to improve their security posture. In addition, Protected Mode in IE 7 on Windows Vista and later significantly reduces the ability of an attacker to impact data on a user’s machine. Customers should also enable Data Execution Prevention (DEP) which helps mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions.

Customers can also set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones or configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. You can find details on implementing these settings in the advisory.

Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-727-2338 (PCSAFETY).  Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov. Customers should follow the guidance in the advisory and our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software (learn more by visiting the Protect Your PC web site). International customers can find their Regional Customer Service Representative http://support.microsoft.com/common/international.aspx.

We are also working with our Microsoft Active Protections Program (MAPP), the Microsoft Security Response Alliance (MSRA), authorities and other industry partners to help provide broader protections for customers. Together with our partners, we will continue to monitor the threat landscape and will take action against any web sites that seek to exploit this vulnerability.

The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.

-Mike Reavey

*This posting is provided "AS IS" with no warranties, and confers no rights.*