In my role, I talk with a lot of customers.  In fact, we had recent meetings on Microsoft’s campus with CSOs from some of the world’s largest companies.  While the topic sometimes starts with the “state of the state” and recent changes in the threat landscape, they always end up in the same place —customers want to discuss and collaborate on solutions, rather than wallowing in the problems.

We’ve collaborated with many of the thousands of brilliant security researchers across the globe over the years, and they’ve helped us improve the security of our products & services.  There are also hundreds of security providers in the industry that we work closely with. In fact, three years ago we took an unconventional approach to security challenges by creating the Microsoft Active Protections Program (MAPP) to help unify this group of defenders.  This program shifted advantage to the good guys by promoting collaboration within the industry, even among competitors, in order to quickly build defensive technologies for over a billion of our shared customers around the world.

The success of that program – which inspired industry collaboration - got us thinking about whether we could do something similar for the security research community. Our goal was to inspire new lines of research in areas that have the most impact and leverage in protecting customers. That means not building incentives to find single bugs, but instead rewarding work on innovative solutions that could mitigate entire classes of attacks.

Today, I am pleased to announce the BlueHat Prize to inspire security researchers to seek innovations in exploit mitigation technologies. This is the first and largest incentive prize ever offered by Microsoft, and possibly the industry, for defensive computer security technology. In the age of increased risk of attacks on personal, corporate and government computer systems, Microsoft recognizes the need to encourage and nurture innovation in the area of exploit mitigations. At Microsoft, we believe in hiring the best and brightest minds in security to help us improve the security of our products and services, but also recognize it will take a “global village” to address today’s security challenges.

With over a quarter million dollars in cash and prizes, Microsoft believes the BlueHat Prize will motivate the community and foster even more collaboration with researchers throughout the security industry. To understand more about this competition, please visit Katie Moussouris’ EcoStrat blog or the BlueHat Prize contest page.

-Matt Thomlinson

Over the years we’ve often talked about exploit mitigations – DEP, ASLR, SEHOP and so forth – as effective tools for improving computer security, reducing risk, preventing attacks, and minimizing operational disruption. Today we’re releasing a user’s guide to the toolbox: “Mitigating Software Vulnerabilities,” a white paper with practical information on choosing and enabling those mitigations. We hope this paper becomes an indispensable reference for developers, IT pros and end users looking for advice and answers concerning exploit mitigations. The paper, which is in PDF format, is available from the Download Center. For more insight, Matt Miller of the Microsoft Security Engineering Center has written about the paper on the SRD blog.

As I previously mentioned in the Advance Notification Blog on Thursday, today we are releasing four security bulletins, one of which is rated as Critical, and three of which are rated Important. These bulletins will increase protection by addressing 22 vulnerabilities in the following Microsoft products. We’ve marked one bulletin, MS11-053, as our highest deployment priority for the month:

• MS11-053 (Bluetooth Stack). This security bulletin resolves one privately reported vulnerability in the Windows Bluetooth Stack. This bulletin is rated Critical for Windows Vista and Windows 7 platforms. All prior versions of Windows are unaffected.

Despite its high deployment priority, we have assigned MS11-053 an Exploitability Index rating of 2. For more information on that decision, please see the SRD blog. We encourage all customers to apply this bulletin first, before deploying the rest of our July updates as soon as possible. Of note, consumers with Automatic Update enabled on their computers will not need to take any action; the tool ensures that the updates are applied and the systems protected.

The SRD blog also has insight from MSRC Engineering concerning MS11-056, an Important-level bulletin addressing five issues in Windows’ client/server runtime subsystem.

In this video, Jerry Bryant discusses this month's bulletins in further detail.

Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

More information about this month's security updates can be found on the Microsoft Security Bulletin summary web page.  

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Dustin Childs. I invite you to tune in and learn more about the July security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, July 13, 2011 at 11 a.m. PDT, and the registration can be found here.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,

Angela Gunn
Trustworthy Computing.

Today we released Security Advisory 2416728 describing a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework. At this time we are not aware of any attacks using this vulnerability and we encourage customers to review the advisory for mitigations and workarounds. Our Security Research & Defense team has written a blog post to explain how the workarounds work and have provided a script to help administrators determine if they have ASP.NET applications in vulnerable configurations.

We are continuing to investigate this issue and will update customers with new information as it becomes available as well as the MSRC blog. We are also working closely with our Microsoft Active Protections Program (MAPP) to help our partners build protections when and where possible.

We continue to encourage security researchers to coordinate vulnerability disclosure with software vendors. We believe public disclosure before a comprehensive update can be produced only leads to customer risk through criminal activity.

Thank you,

Jerry Bryant
Group Manager, Response Communications

We've also updated the advisory with new information regarding possible attack vectors. Finally, we have included a new workaround that customers can implement to help protect their environments: blocking the download of LNK and PIF files (note that these files can be transferred over WebDav, so be sure to account for this protocol if you implement this workaround).

As always, we encourage customers to review this new information and to evaluate it for their environment while our teams continue their work to develop a security update that addresses this vulnerability.

As always, we'll update the security advisory and this blog with new information as it becomes available.

Thanks,

Christopher Budd

Sr. Security Manager, Response Communications at Microsoft

Follow us on Twitter: @MSFTSecResponse

We are aware of a publicly disclosed vulnerability affecting Windows XP and Windows Server 2003. We are not aware of any current exploitation of this issue and customers running Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, are not vulnerable to this issue, or at risk of attack.

This issue was reported to us on June 5^th, 2010 by a Google security researcher and then made public less than four days later, on June 9^th, 2010.  Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk

One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems. 

We recognize that researchers across the entire industry are a vital part of identifying issues and continually improving security, and we continue to ask researchers to work with us through responsible disclosure to help minimize the risk to customers while improving security.

We have initiated our emergency response process and will continue to monitor the threat landscape for any signs of attack against this issue. Our Microsoft Active Protections Program (MAPP) partners have detailed information about this vulnerability and are developing protections where possible.

Update: customers can follow guidance in Security Advisory 2219475 to protect against this issue.

Update 6/25/2010:
The security researcher who disclosed this vulnerability has expressed concerns regarding the inclusion of his employer’s name in relation to this vulnerability.  While there continues to be a difference of opinion, we have included both this researcher’s view and our view in this blog post. His point of view is that he reported the vulnerability not as an employee, but as an individual action by him as an independent researcher.

At Microsoft we do not believe that its feasible to disassociate the two.  We believe the actions of employees, when related to the work they are doing at a technology company, should reflect the policies of their employer. 

Despite these differences of opinion, we continue an open dialog with this researcher and ask the security researcher community to continue working with us to help protect customers.

Customers running SharePoint Server 2007 or SharePoint Services 3.0 are encouraged to review and apply the mitigations and workarounds discussed in the Security Advisory. These include restricting access to the SharePoint help.aspx XML files and enabling the Internet Explorer 8 XSS filter in the intranet zone.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

As always, Microsoft strives to work with security researchers to address vulnerabilities in our software. This helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of – and work to exploit – a vulnerability. Responsible disclosure protects the computer ecosystem and individual computer users from harm.

Anyone believed to have been affected by this issue can visit: http://support.microsoft.com and should contact the national law enforcement agency in their country. 

We will continue to share updates on this blog and through our Twitter feed (@msftsecresponse).

Thanks,

Jerry Bryant
Group Manager, Response Communications

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Shortly after we released the update we received several reports that it did not protect against the vulnerability reported to us. At that time, we pulled the update and notified customers. The main reason for pulling the update was to save a reboot for customers who had not yet installed it. The original issue was missed due to focusing on a variant of the original report early in the investigation. We are addressing this issue and plan to re-release the update next week.

Once we are sure of the exact day the update will be ready for re-release, we will post that information to our Twitter account: @MSFTSecResponse. This will go out as a major revision to the bulletin so there will be no advance notification mailer going out but those who have subscribed to our comprehensive notification service will receive an email when it is released. Subscribe here.

In the meantime, we continue to encourage customers who have Windows Media Services installed on Windows 2000 Server to review the mitigations and workarounds in the bulletin and to apply firewall best practices to reduce exposure.

Thanks,

Jerry Bryant
Group Manager, Response Communications

*This posting is provided "AS IS" with no warranties, and confers no rights*

MS10-025 is a security update that only affects Windows 2000 Server customers who have installed Windows Media Services (this is a non-default configuration). Today we pulled the update because we found it does not address the underlying issue effectively. We are not aware of any active attacks seeking to exploit this issue and are targeting a re-release of the update for next week.

Customers should review the bulletin for mitigations and workarounds and those with internet facing systems with Windows Media Services installed should evaluate and use firewall best practices to limit their overall exposure. We will continue to share updates here on the blog as available.

I’m writing to let you know that we have updated Security Advisory 981374 with new workaround information. We are aware that exploit code has been made public for this issue. As with our last update, Internet Explorer 8 remains unaffected by the vulnerability addressed in the advisory and we continue to encourage all customers to upgrade to this version.

On Wednesday we added a workaround to the advisory that helps to mitigate the vulnerability by disabling the peer factory class through the modification of a registry key. With today’s update, we have added a Microsoft Fix It to automate this workaround for Windows XP and Windows Server 2003 customers. As always, customers should test this thoroughly before deploying as certain functionality that depends on the peer factory class, such as printing from Internet Explorer and the use of web folders, may be affected.

We have seen speculation that Microsoft might release an update for this issue out-of-band. I can tell you that we are working hard to produce an update which is now in testing. This is a critical and time intensive step of the process as the update must be tested against affected versions of Internet Explorer on all supported versions of Windows. Additionally, each supported language version needs to be tested as well as testing against thousands of third party applications. We never rule out the possibility of an out-of-band update. When the update is ready for broad distribution, we will make that decision based on customer needs.

Please review the advisory for more information. We will keep you posted as additional information becomes available.

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Today we released Security Advisory 981169 to address the VBScript issue involving Windows Help files that we blogged about yesterday. To reiterate what we said in that post, we are not aware of any active attacks at this time and the following operating systems are not affected by this issue: Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista.

Our investigation is ongoing. Users on older versions of Windows should review the Security Advisory for mitigations and workarounds for this issue. Additionally, our Security Research & Defense team provides a detailed analysis of the issue and the available workarounds on their blog. User education is a key factor in this scenario given the amount of user interaction required to reach the vulnerability.

Our teams are working to address the issue and once we complete our investigation, we will take appropriate action to protect customers. This may include releasing an update out-of-band. We will provide further updates as they become available.

Thanks,

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*