Black Hat this year was really great. We spent a lot of time talking to people and getting new perspectives on the security landscape and of course, we announced the BlueHat Prize contest. The reaction to the contest was outstanding. In fact, within the first 24 hours, we had already received a few submissions and a bunch of questions indicating a lot of interest in winning the $200,000 grand prize.

Based on the questions, it was clear there were a couple of areas where we needed to provide more clarity. For example, who owns the technology, Microsoft or the inventor? The answer is the inventor. You can find answers to most of your questions in the official rules at www.bluehatprize.com but we also held a webcast today to go over some of the common questions. In the video below, Katie Moussouris sat down with me to address questions like “Can I make more than one submission?” and “What if my idea requires a compiler change?”

View this video as a WMV

<div><img alt="DCSIMG" id="DCSIMG" width="1" height="1" src="http://m.webtrends.com/dcsygm2gb10000kf9xm7kfvub_9p1t/njs.gif?dcsuri=/nojavascript&WT.js=No"/></div>

// <![CDATA[ document.write(""); // ]]>  

The deadline to enter the contest is 12 a.m. PDT April 1, 2012 at which time our internal panel of judges will pick the top three entries. We’ll fly all three to Black Hat USA 2012, where we will announce the grand prize winner. We will provide periodic updates along the way both on this blog and via our Twitter handle, @MSFTSecResponse.

Thanks!

Jerry Bryant

Group Manager, Response Communications

Trustworthy Computing Group

We all know Black Hat can be a tough crowd, and wearing the blue badge can at times amplify that - making the positive response really pleasant. But it wasn't altogether unexpected.  Each of the then-new programs-the Microsoft Active Protections Program (MAPP), Microsoft Exploitability Index and Microsoft Vulnerability Research (MSVR)-were fueled by, and designed to address, customer needs.  And recognizing the collaborative nature of two of the programs, we'd spent months getting feedback and support within the community, from customers to vendors to researchers, to get into a position to make the announcements that day. 

Today, the MSRC released its second annual progress report on those programs-"Building a Safer, More Trusted Internet through Information Sharing"-and we're excited to share the results.

Some highlights:

• MAPP now has 65 members worldwide, providing protections for hundreds of millions of customers.
• MSVR identified and privately coordinated vulnerabilities with 32 and 19 vendors in the first and second years of operations respectively.
• Of the 349 Exploitability Index ratings provided for vulnerabilities resolved by Microsoft, there has been only one revision, which involved a reduction in risk assessment severity.

Speaking of the success and impact of MAPP, we couldn't be more thrilled with the announcement today that Adobe Systems Incorporated will begin sharing early warning details on their vulnerabilities through MAPP beginning this fall. Two years ago, there was broad feedback throughout the industry-from analysts, customers, and partners-that MAPP was a game-changer, shifting competitive advantage away from the bad guys (criminals, attackers) to the good guys (protection providers, customers). For the first time, protection providers were able to operate together on a massive scale, developing and preparing protections for their customers to be made available upon release of Microsoft security vulnerabilities -- and ahead of the exploits developed by attackers. Today, we believe the same game has been raised a level with Adobe helping to advance protection time, giving an upper hand to the global network of defenders in the battle against online crime.

Many of you have already read Matt Thomlinson's introduction last week of our new policy of coordinated vulnerability disclosure and Katie Moussouris' expansion on the concept and the need for reframing the community's approach and mindset from the subjective language of "responsible" to the collaborative label of "coordinated." I don't intend to rehash that here, except to say that we look forward to continuing the dialogue on this new policy at Black Hat and beyond. This move didn't happen overnight as we believe it is reflective of a broader groundswell within the community that's been underway for some time. We're encouraged by the overwhelming volume of support behind the shift as evidenced in Katie's post and in interactions and response since then.

Even with more concerted attention on community-based defense and this growing sense of shared responsibility throughout the security community, attackers will still continue to case systems and applications looking for vulnerabilities. The stakes are high and criminals won't relent.  So today, we're also announcing the Enhanced Mitigation Experience Toolkit (EMET). 

EMET is a free tool that provides a way for IT professionals to add some of the latest security mitigations -- such as DEP, mandatory ASLR and export address table (EAT) filtering -- to software to protect against exploits of vulnerabilities.  It helps harden existing applications from current exploit techniques without requiring any recoding. Look for an SRD blog post in August announcing availability of the new toolkit on the Microsoft Download Center.

More details on each of these announcements can be found at our Black Hat Press Site: http://www.microsoft.com/presspass/events/blackhat/.

Every Black Hat is different, but year after year one of the highlights of the show for Microsoft is continuing the conversation with researchers, partners and customers, and then acting on it. This is a community that is bound together by a common purpose-that is to improve the security landscape. It used to be enough to expect others to make that happen; but today, no one is exempt from helping to ensure the safety of the Internet. We're in this together, and we're better together. If you're at the show, pay us a visit at the booth or say hello when you see us; in any case, we look forward to hearing from you and continuing this work together.

Dave Forstrom, Director, Microsoft Trustworthy Computing

Coordinated Vulnerability Disclosure (CVD):   Newly discovered vulnerabilities in hardware, software, and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves.

Responsibility is still imperative, but it is a shared responsibility across the community of security researchers, security product providers and other software vendors. Each member of this community of defenders plays a role in improving the overall security of the computing ecosystem.  

CVD does not represent a huge departure from the current definition of "responsible disclosure," and we would still view vulnerability details being released broadly outside these guidelines as putting customers at unnecessary levels of risk. However, CVD does allow for more focused coordination on how issues are addressed publicly. CVD's core principles are simple: vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action -- and even then it should be coordinated as closely as possible. 

As Microsoft shifts its philosophy to this new approach, we are asking the broader security community to embrace the purpose of this shift, which is ultimately about minimizing customer risk-not amplifying it. This distinction is critical. We recognize it's possible that very limited attacks may be happening without our knowledge. However, we fundamentally believe (and our experience over the last 10 years has shown) that once vulnerability details are released publicly, the probability of exploitation rises significantly. Without coordination in place to provide a security update or tested workarounds, risk to customers is greatly amplified. 

It is evident from listening to those on both extremes of the disclosure argument that there is one thing that we are all trying to do: protect customers. We've been working with the security community closely for years to coordinate our actions for the benefit of customers. Coordinated vulnerability disclosure will help keep users safe.

For further perspective on CVD and how we see it working, please see Katie Moussouris' Ecostrat blog post at http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx.

Thank you,

Matt Thomlinson
General Manager, Trustworthy Computing Security

We have released Security Advisory 2219475, addressing the vulnerability in the Windows Help and Support Center function in Windows XP and Windows Server 2003. We are not aware of any active attacks at this time. Customers running Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 are not vulnerable to this issue or at risk of attack.

We recommend that customers follow the guidance in the Advisory, noting the mitigations and workarounds.  The Security Research and Defense team has a blog with more technical details about this issue.  

As always, Microsoft strives to work with security researchers to address vulnerabilities in our software. This helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of - and work to exploit - a vulnerability. Responsible disclosure protects the computer ecosystem and individual computer users from harm.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Anyone believed to have been affected by this issue can visit: http://support.microsoft.com and should contact the national law enforcement agency in their country. 

We will continue to share updates on this blog and through our Twitter feed (@msftsecresponse).

Thanks,

Jerry Bryant
Group Manager, Response Communications

We are aware of a publicly disclosed vulnerability affecting Windows XP and Windows Server 2003. We are not aware of any current exploitation of this issue and customers running Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, are not vulnerable to this issue, or at risk of attack.

This issue was reported to us on June 5^th, 2010 by a Google security researcher and then made public less than four days later, on June 9^th, 2010.  Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk

One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems. 

We recognize that researchers across the entire industry are a vital part of identifying issues and continually improving security, and we continue to ask researchers to work with us through responsible disclosure to help minimize the risk to customers while improving security.

We have initiated our emergency response process and will continue to monitor the threat landscape for any signs of attack against this issue. Our Microsoft Active Protections Program (MAPP) partners have detailed information about this vulnerability and are developing protections where possible.

Update: customers can follow guidance in Security Advisory 2219475 to protect against this issue.

Update 6/25/2010:
The security researcher who disclosed this vulnerability has expressed concerns regarding the inclusion of his employer’s name in relation to this vulnerability.  While there continues to be a difference of opinion, we have included both this researcher’s view and our view in this blog post. His point of view is that he reported the vulnerability not as an employee, but as an individual action by him as an independent researcher.

At Microsoft we do not believe that its feasible to disassociate the two.  We believe the actions of employees, when related to the work they are doing at a technology company, should reflect the policies of their employer. 

Despite these differences of opinion, we continue an open dialog with this researcher and ask the security researcher community to continue working with us to help protect customers.

Customers running SharePoint Server 2007 or SharePoint Services 3.0 are encouraged to review and apply the mitigations and workarounds discussed in the Security Advisory. These include restricting access to the SharePoint help.aspx XML files and enabling the Internet Explorer 8 XSS filter in the intranet zone.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

As always, Microsoft strives to work with security researchers to address vulnerabilities in our software. This helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of – and work to exploit – a vulnerability. Responsible disclosure protects the computer ecosystem and individual computer users from harm.

Anyone believed to have been affected by this issue can visit: http://support.microsoft.com and should contact the national law enforcement agency in their country. 

We will continue to share updates on this blog and through our Twitter feed (@msftsecresponse).

Thanks,

Jerry Bryant
Group Manager, Response Communications

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Today we released MS10-018 out-of-band due to increases in attacks against Internet Explorer 6 and Internet Explorer 7 using the vulnerability discussed in Security Advisory 981374. I want to reiterate that Internet Explorer 8 is not affected by this issue so customers using this version are not affected by these attacks and we continue to encourage customers to upgrade to the newer version because it provides more security and protection.

MS10-018 is a typical cumulative update for Internet Explorer and was originally going to be released during the normal update cycle on the 13^th of April. The Internet Explorer team accelerated testing of this update due to the growing attacks against the publicly disclosed vulnerability (CVE-2010-0806), and the update has reached the appropriate quality bar for distribution to customers. Releasing the update early provides Internet Explorer 6 and 7 customers protection against the active attacks and provides users of all versions of Internet Explorer protection against nine other vulnerabilities. I clarify this in the following video:

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

Here is a simplified view of the ten vulnerabilities and their aggregate severity on Internet Explorer 6, 7, and 8:

* Vulnerability under active attack.

This table demonstrates what we have been saying about the improved security and protection offered in Internet Explorer 8 and why we continue to encourage customers to upgrade.

Since we announced yesterday that we would be releasing this bulletin out-of-band, we have been asked if it addresses the vulnerability that was used in the “pwn2own” contest at the CanSecWest security conference last week. We are still investigating that issue at this time so we do not have an update available. In accordance with the contest rules, the vulnerabilities used are responsibly disclosed so that the respective vendors can produce updates to protect their customers before the vulnerabilities can be used by criminals. Microsoft continues to encourage responsible disclosure and we are a sponsor of the CanSecWest conference because we believe in working closely with security researchers to protect customers and the entire computing ecosystem.

If you can, please join Adrian Stone and I today for a live webcast where we will cover the details of this bulletin and take customer questions live. Here is the registration information:

Date: Tuesday March 30, 2010
Time: 1:00 p.m. PST (UTC -8)
Registration: https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032448112

Jerry Bryant
Group Manager – Response Communications

*This posting is provided "AS IS" with no warranties, and confers no rights*

Today we released Security Advisory 981169 to address the VBScript issue involving Windows Help files that we blogged about yesterday. To reiterate what we said in that post, we are not aware of any active attacks at this time and the following operating systems are not affected by this issue: Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista.

Our investigation is ongoing. Users on older versions of Windows should review the Security Advisory for mitigations and workarounds for this issue. Additionally, our Security Research & Defense team provides a detailed analysis of the issue and the available workarounds on their blog. User education is a key factor in this scenario given the amount of user interaction required to reach the vulnerability.

Our teams are working to address the issue and once we complete our investigation, we will take appropriate action to protect customers. This may include releasing an update out-of-band. We will provide further updates as they become available.

Thanks,

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

This month, we released 13 new bulletins which address 33 vulnerabilities in Windows, Internet Explorer and Microsoft Office. Since we published this information in our advance notification (ANS) last Thursday, we have been asked “is this the most bulletins Microsoft has ever released”? The short answer to that question is yes. However, we have, on several occasions, released between 10 and 12 bulletins so this is business as usual. All of our updates go through extensive quality testing and when they reach the bar for broad distribution, we schedule them for release.

As we noted in the ANS last week, two of the updates address open Security Advisories. MS09-050 addresses the SMBv2 issue in Security Advisory 975497 and MS09-053 addresses the IIS issue discussed in Security Advisory 975191.

Another issue being addressed this month that has received some public attention has to do with security certificates used for authentication. The vulnerabilities being addressed by Security Bulletin MS09-056 could allow spoofing if an attacker gains access to the certificate used by the end user for authentication. We are aware that a rogue certificate was distributed in a public forum but we are not aware of any attempts to use this to attack users.

Below is the severity summary and exploitability index for the 13 new bulletins. We also refer to this as the overall risk and impact summary. As you can see, eight of the bulletins have a rating of Critical. Of those eight, six have an exploitability index rating of 1, which means we believe it is highly likely that we will see exploit code in the wild within the first 30 days from the date of release.

To help with deployment planning, we started publishing our guidance (beginning last month) on which bulletins should be considered first for deployment. Obviously one size does not fit all and each customer will need to consider their own unique situations in addition to this guidance. Our approach is to take a combination of the severity, the exploitability index rating, the range of products affected, and potential mitigations to group these in to a priority 1, 2 or 3. Our Security Research & Defense team, who represent some of the best security researchers in the world, play a key role in this every month as well.

Most of this month’s updates require a restart, so please refer to the bulletins when you’re planning your deployment to ensure you’re fully protected. We want to specifically note that MS09-050 requires a restart but will not prompt you to do so if you install the update manually.

As we do every month, Adrian Stone and I provide a high-level overview of this month’s bulletin release in the following video:

Other listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

This month we are also re-releasing MS08-069, vulnerability in Microsoft XML Core Services could allow remote code execution (955218) to add detection for Windows 7 and Windows Server 2008 R2. This component does not ship with these platforms but many applications install it in order to use its functionality.

Finally, you may also notice a change in the severity rating since the advance notification for several versions of Windows in the .NET bulletin (MS09-061). We have elevated the severity of these products from Important to Critical. We do not typically make changes after the advance notification goes out but during our ongoing investigation to protect customers, we determined that this was the appropriate rating for these products when certain versions of the .NET Framework are installed on them.

We encourage all customers to join us tomorrow when Adrian and I will go in to detail on each bulletin and, along with a room full of subject matter experts, answer all of your questions live. So if you can, please join us at 11:00 a.m. PDT (UTC -7). You can register for the webcast at this link.

Thanks!

Jerry Bryant

Update – Resource links:

• Assessing the risk of the October security bulletins – Security Research & Defense blog
• MS09-051: A note on the affected platforms – Security Research & Defense blog
• MS09-050: Exploit timeline for SMB2 RCE vulnerability – Security Research & Defense blog
• MS09-054: Extra info on the attack surface for the IE security bulletin – Security Research & Defense blog
• MS09-061: More information about the .NET security bulletin – Security Research & Defense blog
• Scanti-ly Clad – Another Rogue Stripped by MSRT – Microsoft Malware Protection Center blog

Update (10/13) Changed the number of vulnerabilities addressed to 33 from 34. CVE-2009-2493 was counted in both MS09-055 and MS09-060.

*This posting is provided "AS IS" with no warranties, and confers no rights*