<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Crescent City Networking &#187; Security</title>
	<atom:link href="http://ccnetworking.com/wordpress/archives/tag/security/feed" rel="self" type="application/rss+xml" />
	<link>http://ccnetworking.com/wordpress</link>
	<description></description>
	<lastBuildDate>Wed, 28 Jul 2010 16:31:39 +0000</lastBuildDate>
	
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Community-Based Defense: Looking Outward, Moving Forward</title>
		<link>http://blogs.technet.com/b/msrc/archive/2010/07/28/community-based-defense-looking-outward-moving-forward.aspx</link>
		<comments>http://blogs.technet.com/b/msrc/archive/2010/07/28/community-based-defense-looking-outward-moving-forward.aspx#comments</comments>
		<pubDate>Wed, 28 Jul 2010 15:15:00 +0000</pubDate>
		<dc:creator>MSRCTEAM</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Monthly Releases]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Microsoft Active Protections Program (MAPP)]]></category>
		<category><![CDATA[Responsible Disclosure]]></category>

		<guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3347294</guid>
		<description><![CDATA[<p>Two years ago, in front of a standing-room only crowd here at Black Hat, we introduced three new information sharing programs as well as the concept of Community-Based Defense. The underlying concept shared by all three programs was simple - collaboration will be key to preventing and defending against online crime going forward; no one company, individual or technology can do it alone. The call to action was bold - put aside competitive and philosophical differences and move beyond our individual boundaries to work together to help improve and protect the broader security ecosystem. The reaction - applause!</p>
<p>We all know Black Hat can be a tough crowd, and wearing the blue badge can at times amplify that - making the positive response really pleasant. But it wasn't altogether unexpected.&#160; Each of the then-new programs-the <a href="http://www.microsoft.com/security/msrc/collaboration/mapp.aspx">Microsoft Active Protections Program</a> (MAPP), <a href="http://technet.microsoft.com/en-us/security/cc998259.aspx">Microsoft Exploitability Index</a> and <a href="http://www.microsoft.com/security/msrc/collaboration/research.aspx">Microsoft Vulnerability Research (MSVR)</a>-were fueled by, and designed to address, customer needs.&#160; And recognizing the collaborative nature of two of the programs, we'd spent months getting feedback and support within the community, from customers to vendors to researchers, to get into a position to make the announcements that day.&#160; </p>
<p>Today, the MSRC released its second annual progress report on those programs-"Building a Safer, More Trusted Internet through Information Sharing"-and we're excited to share the <a href="http://go.microsoft.com/?linkid=9738546">results</a>. </p>
<p>Some highlights:</p>
<ul>
<li>MAPP now has 65 members worldwide, providing protections for hundreds of millions of customers.</li>
<li>MSVR identified and privately coordinated vulnerabilities with 32 and 19 vendors in the first and second years of operations respectively.</li>
<li>Of the 349 Exploitability Index ratings provided for vulnerabilities resolved by Microsoft, there has been only one revision, which involved a reduction in risk assessment severity.</li>
</ul>
<p>Speaking of the success and impact of MAPP, we couldn't be more thrilled with the announcement today that Adobe Systems Incorporated will begin sharing early warning details on their vulnerabilities through MAPP beginning this fall. Two years ago, there was broad feedback throughout the industry-from analysts, customers, and partners-that MAPP was a game-changer, shifting competitive advantage away from the bad guys (criminals, attackers) to the good guys (protection providers, customers). For the first time, protection providers were able to operate together on a massive scale, developing and preparing protections for their customers to be made available upon release of Microsoft security vulnerabilities -- and ahead of the exploits developed by attackers. Today, we believe the same game has been raised a level with Adobe helping to advance protection time, giving an upper hand to the global network of defenders in the battle against online crime.</p>
<p>Many of you have already read Matt Thomlinson's <a href="http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx">introduction</a> last week of our new policy of coordinated vulnerability disclosure and Katie Moussouris' <a href="http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx">expansion</a> on the concept and the need for reframing the community's approach and mindset from the subjective language of "responsible" to the collaborative label of "coordinated." I don't intend to rehash that here, except to say that we look forward to continuing the dialogue on this new policy at Black Hat and beyond. This move didn't happen overnight as we believe it is reflective of a broader groundswell within the community that's been underway for some time. We're encouraged by the overwhelming volume of support behind the shift as evidenced in Katie's post and in interactions and response since then.</p>
<p>Even with more concerted attention on community-based defense and this growing sense of shared responsibility throughout the security community, attackers will still continue to case systems and applications looking for vulnerabilities. The stakes are high and criminals won't relent.&#160; So today, we're also announcing the Enhanced Mitigation Experience Toolkit (EMET).&#160; </p>
<p>EMET is a free tool that provides a way for IT professionals to add some of the latest security mitigations -- such as DEP, mandatory ASLR and export address table (EAT) filtering -- to software to protect against exploits of vulnerabilities.&#160; It helps harden existing applications from current exploit techniques without requiring any recoding. Look for an SRD blog post in August announcing availability of the new toolkit on the Microsoft Download Center.</p>
<p>More details on each of these announcements can be found at our Black Hat Press Site: <a href="http://www.microsoft.com/presspass/events/blackhat/">http://www.microsoft.com/presspass/events/blackhat/</a>.</p>
<p>Every Black Hat is different, but year after year one of the highlights of the show for Microsoft is continuing the conversation with researchers, partners and customers, and then acting on it. This is a community that is bound together by a common purpose-that is to improve the security landscape. It used to be enough to expect others to make that happen; but today, no one is exempt from helping to ensure the safety of the Internet. We're in this together, and we're better together. If you're at the show, pay us a visit at the booth or say hello when you see us; in any case, we look forward to hearing from you and continuing this work together.</p>
<p>Dave Forstrom, Director, Microsoft Trustworthy Computing</p>]]></description>
			<content:encoded><![CDATA[<p>Two years ago, in front of a standing-room only crowd here at Black Hat, we introduced three new information sharing programs as well as the concept of Community-Based Defense. The underlying concept shared by all three programs was simple - collaboration will be key to preventing and defending against online crime going forward; no one company, individual or technology can do it alone. The call to action was bold - put aside competitive and philosophical differences and move beyond our individual boundaries to work together to help improve and protect the broader security ecosystem. The reaction - applause!</p>
<p>We all know Black Hat can be a tough crowd, and wearing the blue badge can at times amplify that - making the positive response really pleasant. But it wasn't altogether unexpected.&nbsp; Each of the then-new programs-the <a href="http://www.microsoft.com/security/msrc/collaboration/mapp.aspx">Microsoft Active Protections Program</a> (MAPP), <a href="http://technet.microsoft.com/en-us/security/cc998259.aspx">Microsoft Exploitability Index</a> and <a href="http://www.microsoft.com/security/msrc/collaboration/research.aspx">Microsoft Vulnerability Research (MSVR)</a>-were fueled by, and designed to address, customer needs.&nbsp; And recognizing the collaborative nature of two of the programs, we'd spent months getting feedback and support within the community, from customers to vendors to researchers, to get into a position to make the announcements that day.&nbsp; </p>
<p>Today, the MSRC released its second annual progress report on those programs-"Building a Safer, More Trusted Internet through Information Sharing"-and we're excited to share the <a href="http://go.microsoft.com/?linkid=9738546">results</a>. </p>
<p>Some highlights:</p>
<ul>
<li>MAPP now has 65 members worldwide, providing protections for hundreds of millions of customers.</li>
<li>MSVR identified and privately coordinated vulnerabilities with 32 and 19 vendors in the first and second years of operations respectively.</li>
<li>Of the 349 Exploitability Index ratings provided for vulnerabilities resolved by Microsoft, there has been only one revision, which involved a reduction in risk assessment severity.</li>
</ul>
<p>Speaking of the success and impact of MAPP, we couldn't be more thrilled with the announcement today that Adobe Systems Incorporated will begin sharing early warning details on their vulnerabilities through MAPP beginning this fall. Two years ago, there was broad feedback throughout the industry-from analysts, customers, and partners-that MAPP was a game-changer, shifting competitive advantage away from the bad guys (criminals, attackers) to the good guys (protection providers, customers). For the first time, protection providers were able to operate together on a massive scale, developing and preparing protections for their customers to be made available upon release of Microsoft security vulnerabilities -- and ahead of the exploits developed by attackers. Today, we believe the same game has been raised a level with Adobe helping to advance protection time, giving an upper hand to the global network of defenders in the battle against online crime.</p>
<p>Many of you have already read Matt Thomlinson's <a href="http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx">introduction</a> last week of our new policy of coordinated vulnerability disclosure and Katie Moussouris' <a href="http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx">expansion</a> on the concept and the need for reframing the community's approach and mindset from the subjective language of "responsible" to the collaborative label of "coordinated." I don't intend to rehash that here, except to say that we look forward to continuing the dialogue on this new policy at Black Hat and beyond. This move didn't happen overnight as we believe it is reflective of a broader groundswell within the community that's been underway for some time. We're encouraged by the overwhelming volume of support behind the shift as evidenced in Katie's post and in interactions and response since then.</p>
<p>Even with more concerted attention on community-based defense and this growing sense of shared responsibility throughout the security community, attackers will still continue to case systems and applications looking for vulnerabilities. The stakes are high and criminals won't relent.&nbsp; So today, we're also announcing the Enhanced Mitigation Experience Toolkit (EMET).&nbsp; </p>
<p>EMET is a free tool that provides a way for IT professionals to add some of the latest security mitigations -- such as DEP, mandatory ASLR and export address table (EAT) filtering -- to software to protect against exploits of vulnerabilities.&nbsp; It helps harden existing applications from current exploit techniques without requiring any recoding. Look for an SRD blog post in August announcing availability of the new toolkit on the Microsoft Download Center.</p>
<p>More details on each of these announcements can be found at our Black Hat Press Site: <a href="http://www.microsoft.com/presspass/events/blackhat/">http://www.microsoft.com/presspass/events/blackhat/</a>.</p>
<p>Every Black Hat is different, but year after year one of the highlights of the show for Microsoft is continuing the conversation with researchers, partners and customers, and then acting on it. This is a community that is bound together by a common purpose-that is to improve the security landscape. It used to be enough to expect others to make that happen; but today, no one is exempt from helping to ensure the safety of the Internet. We're in this together, and we're better together. If you're at the show, pay us a visit at the booth or say hello when you see us; in any case, we look forward to hearing from you and continuing this work together.</p>
<p>Dave Forstrom, Director, Microsoft Trustworthy Computing</p>]]></content:encoded>
			<wfw:commentRss>http://blogs.technet.com/b/msrc/archive/2010/07/28/community-based-defense-looking-outward-moving-forward.aspx/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Black Hat 2010</title>
		<link>http://blogs.technet.com/b/msrc/archive/2010/07/22/black-hat-2010.aspx</link>
		<comments>http://blogs.technet.com/b/msrc/archive/2010/07/22/black-hat-2010.aspx#comments</comments>
		<pubDate>Thu, 22 Jul 2010 14:50:00 +0000</pubDate>
		<dc:creator>MSRCTEAM</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Monthly Releases]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3345928</guid>
		<description><![CDATA[<p><b>BH Landscape</b></p>
<p>Next week, many of us here will be heading down to Las Vegas for Black Hat.&#160; The MSRC, and other teams in Microsoft, have been attending Black Hat for years.&#160; In fact, we've been sponsoring the show for the last eight years-the last five as a platinum sponsor. Some might ask why? It's funny, I can actually remember back in my days as an officer protecting networks in the U.S. Air Force, questioning why Microsoft had such a presence at the show. As much as I'd like to say it's because of the weather (after all, most of us are over here in the rainy Northwest), or because it's the largest security conference out there (it's not), or even better, because we so look forward to getting our next Pwnie Award-the truth is it's none of the above. Well, maybe just a bit on the Pwnie. But the reality is that to us, Black Hat has always been a reflection of, and driven by, the community-likeminded people from all walks of life and professions with a shared interest in advancing the state of security. They come together to share ideas, advance thinking, network and collaborate, and ultimately learn from one another.&#160; We feel connected to that and always look forward to being a part of it.</p>
<p>So with the show fast approaching, I've taken some time to reflect on where the Microsoft Security Response Center is currently and where we see ourselves going with respect to security. Specifically, I've been thinking a lot about three areas: 1) our work to address vulnerabilities in our software, 2) our work with the security community and 3) our philosophy on vulnerability disclosure. Given the fact that each of these topics has recently garnered interest and fueled discussion in the community and media, I thought I'd share my thoughts.</p>
<p><b>Vulnerabilities and Time to Fix</b></p>
<p>Some will say that we take too long to fix our vulnerabilities. But it isn't all about time-to-fix: Our chief priority with respect to security updates is to minimize disruption to our customers and to help protect them from online criminal attackers. These customers own and operate a diverse ecosystem of nearly a billion systems worldwide. It's humbling to think about the responsibility this entails and yet we embrace the challenge. Even in the face of that, our overall track record shows the window of vulnerability is being reduced and we have additional plans to improve.</p>
<p>The Microsoft Security Response Center (MSRC) receives more than 100,000 e-mail messages per year at <a href="mailto:secure@microsoft.com">secure@microsoft.com</a> - that's nearly 275 per day or 11 per hour. This is filtered down to approximately 1,000 legitimate investigations per year. Once a vulnerability has been confirmed, a comprehensive examination is undertaken to ensure that the reported vulnerability is addressed, other vulnerabilities that might exist in related code are identified and addressed, and no new vulnerabilities or bugs are introduced during this process.</p>
<p>But why don't we commit to fixed timelines? Because it is important to consider the overall customer risk when focusing on updating software for security issues. Most security updates released by the MSRC will be rapidly deployed to hundreds of millions of systems worldwide helping to protect customers from attacks in a very short timeframe. And the software being updated is being used by hundreds of thousands of applications on all sorts of hardware in all sorts of scenarios. So it is imperative that the update has been rigorously engineered and tested in order to avoid creating any type of disruption to these systems. During this time, the MSRC monitors for signs that the vulnerability, or variants, are being used in active attacks. The MSRC does this by using comprehensive telemetry systems as well as data and information provided by customers and partners around the world, and the rest of the industry. This approach helps Microsoft balance between the potential urgency of releasing an update for a particular vulnerability and ensuring high confidence that the update will address the vulnerability, all of its variants and maintain the functionality and stability that customers expect from the affected products.</p>
<p>Many times the issue that the finder reported is an indication of other similar vulnerabilities in that area of code. And the original issue may not be the most complicated, or even the most likely to get used in attacks. Microsoft tries to address vulnerabilities and all of their variants in as few updates as possible because they cost enterprise customers time, effort and money to re-assess and deploy multiple updates for issues that could potentially be addressed in a single update. The time it takes to complete a comprehensive examination helps to ensure the number of security updates Microsoft releases and needs to re-release is kept to a minimum, thus reducing the costs and potential disruption to enterprise customers' operations. Due to the increase in quality that Microsoft has achieved over the last five years, some enterprise customers deploy security updates with little or no testing, and hundreds of millions of consumers continue to use the Automatic Update client on their systems to ensure that they stay protected automatically. </p>
<p>For the majority of issues, we are able to release high quality and comprehensive security updates to customers well before any indication of attacks, and well before they are disclosed publicly. However, there are exceptions. In some cases attacks result, and when that happens, we have to compress testing to release updates quickly. Also, when there are attacks, we release workarounds in days that can block these attacks even without the updates. Usually these take the form of a "FixIt" that can protect customers with one click or be easily deployed throughout the enterprise.</p>
<p>However, there are cases that take much longer. In fact, last year at Black Hat there was a security event dealing with a vulnerability in a library called "ATL" or "Active Template Library." That issue affected not only multiple Microsoft product versions, but also several 3<sup>rd</sup> party products and services. It took over a year to coordinate that release, and in the end, even the finders themselves understood and commented that with the complexity involved, taking over a year wasn't unreasonable. When seemingly simple security issues, such as a memory corruption bug, affect multiple different products, the coordination and calibration can drive longer timelines so no product, or customers of those products are left behind. And there have also been cases that are such deep architectural changes that they can take multiple years to fully resolve or may not be able to be resolved in some of our older products.&#160; Usually these issues result from new threats emerging that product designs or assumptions couldn't anticipate.&#160; Changing those assumptions for products that have been in market for several years does take time and coordination so customers and applications can work effectively with them.</p>
<p>Focusing on resolving security issues has and will always be a priority for us. And work to improve our processes will continue, but we must always strike a balance between timeliness and quality. </p>
<p><b>Working with the Security Community</b></p>
<p>The topic of how well Microsoft works with the security community is important to me personally, and to my team. Years ago, this was a very valid concern. I can remember being on the outside of Microsoft and watching researcher discussions noting how Microsoft wouldn't engage or was unresponsive. We've made dramatic changes on this front since the inception of Trustworthy Computing. At Microsoft we recognize, and appreciate, the unique value that security researchers play in identifying issues and helping the entire computing ecosystem improve from a security perspective. We also thank many in the community for their collaborative work over the years, and for nearly a decade we have demonstrated our commitment to working with them in an honest and transparent manner. We may not always agree on the severity and the amount of time it should take to develop and test an update that has to work with hundreds of millions of computers, but we do believe we're fair and open when working with researchers. It's not in our interest or the interest of our customers to behave any differently.</p>
<p>&#160;Throughout the years we've seen researchers saying that if vendors really valued their work, we'd compensate them directly for the vulnerabilities they discover. That's a trend that's continued in recent weeks. We absolutely value the researcher ecosystem, and show that in a variety of ways. The most well-known is the fact that we acknowledge the researcher's work in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update. And that's just the tip of the iceberg. We also work to make sure we can support the community's development by sponsoring and supporting nearly 50 security conferences in over 20 countries each year.&#160; </p>
<p>Probably the community effort that started more of the deeper relationships we've built with researchers is our own little "hacker" conference we host at Redmond each year, called "BlueHat Security Briefings." Launched in 2004, this conference is aimed at bringing Microsoft security professionals and external security researchers together in a relaxed environment to promote the sharing of ideas, social networking and ultimately improving the security of Microsoft products. Key to the success of BlueHat and its benefit to our customers is the direct question-and-answer access that researchers get with the specific owners of the technology they're researching. In many cases, some of our direct competitors have sat on our stage at Microsoft and talked about problems in our products, directly to the folks that develop and manage them. And they've been able to get feedback on their research from the same folks as well. </p>
<p><b>The Shift to Coordinated Vulnerability Disclosure</b></p>
<p>If there's one area that has had staying power in terms of driving polarized debate in the broader security community - as manifested in mainstream and social media this past month - it's in how to disclose vulnerability details.&#160; Ideally, updates for those vulnerabilities are available for all customers before details are broadly available. This allows us to protect the end-users because they just get the updates automatically, and large enterprises can analyze, prioritize and deploy updates to hundreds of thousands of systems quickly. When communication breakdowns and disagreements happen, resulting in vulnerability details disclosed by researchers before we release an update, those details are then used by criminals to attack our customers. The worst situation is when vulnerabilities aren't disclosed to the vendor at all, because then there's very little hope of broad protections ever getting released for all customers.&#160; </p>
<p>Because of this range of situations, we also see a range of philosophies. Of course, Microsoft always supported the position that the best way to disclose issues is in a coordinated fashion, where details of the vulnerability are released in conjunction with an update that is broadly available for customers. This is known as "Responsible Disclosure." The term itself can be subjective because if either party doesn't abide by those terms, it is implied that they themselves are "irresponsible." Debate on this very issue of responsibility is understandable; however, it is important to remember that in the end we are dealing with customer safety issues - and we should all take that seriously. It is unfortunate these debates can make us lose focus on what is really important - protecting people using the Internet from harm. </p>
<p>Today, Matt Thomlinson, the general manager of Security at Trustworthy Computing, introduced a new disclosure philosophy Microsoft is adopting called Coordinated Vulnerability Disclosure <a href="http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx">http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx</a>.&#160; Katie Moussouris, senior security strategist on the MSRC Ecosystem Strategy team, provides more information and insight on the necessity of this shift in disclosure philosophy and practice on the MSRC Ecosystem Strategy Team Blog <a href="http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx">http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx</a>. You'll see from her post, we're not alone in acknowledging it is time for a change. Other vendors and researchers from the broader community of defenders are supportive and will be instrumental in making this shift a reality. So read the post, provide your feedback and then join us in making this an industry-wide shift. </p>
<p>Now back to the catalyst for this post - Black Hat.&#160; We're just a few days from the event itself and we'll likely see more themes develop once it kicks off. But I hope the thoughts I've shared here provide some insights into our point of view on recent discussions in the community. </p>
<p>The realities of today's threat landscape point to a world that has shifted from a variety of participants with various motives to one of two sides-those who intend to harm or commit crime and those who intend to prevent harm and fight crime. As an industry and community, philosophical differences or competition aside, we should be in this together. Our own welfare as individuals and a collective community is at stake with unseen criminals who show no indication of backing down. It's our hope that this effort to shift to a shared responsibility of coordination and collaboration is something that is carried beyond Black Hat as we progress and evolve as a global community of defenders.</p>
<p>Hope to see you at Black Hat!</p>
<p>Mike Reavey<br />Director, MSRC</p>]]></description>
			<content:encoded><![CDATA[<p><b>BH Landscape</b></p>
<p>Next week, many of us here will be heading down to Las Vegas for Black Hat.&nbsp; The MSRC, and other teams in Microsoft, have been attending Black Hat for years.&nbsp; In fact, we've been sponsoring the show for the last eight years-the last five as a platinum sponsor. Some might ask why? It's funny, I can actually remember back in my days as an officer protecting networks in the U.S. Air Force, questioning why Microsoft had such a presence at the show. As much as I'd like to say it's because of the weather (after all, most of us are over here in the rainy Northwest), or because it's the largest security conference out there (it's not), or even better, because we so look forward to getting our next Pwnie Award-the truth is it's none of the above. Well, maybe just a bit on the Pwnie. But the reality is that to us, Black Hat has always been a reflection of, and driven by, the community-likeminded people from all walks of life and professions with a shared interest in advancing the state of security. They come together to share ideas, advance thinking, network and collaborate, and ultimately learn from one another.&nbsp; We feel connected to that and always look forward to being a part of it.</p>
<p>So with the show fast approaching, I've taken some time to reflect on where the Microsoft Security Response Center is currently and where we see ourselves going with respect to security. Specifically, I've been thinking a lot about three areas: 1) our work to address vulnerabilities in our software, 2) our work with the security community and 3) our philosophy on vulnerability disclosure. Given the fact that each of these topics has recently garnered interest and fueled discussion in the community and media, I thought I'd share my thoughts.</p>
<p><b>Vulnerabilities and Time to Fix</b></p>
<p>Some will say that we take too long to fix our vulnerabilities. But it isn't all about time-to-fix: Our chief priority with respect to security updates is to minimize disruption to our customers and to help protect them from online criminal attackers. These customers own and operate a diverse ecosystem of nearly a billion systems worldwide. It's humbling to think about the responsibility this entails and yet we embrace the challenge. Even in the face of that, our overall track record shows the window of vulnerability is being reduced and we have additional plans to improve.</p>
<p>The Microsoft Security Response Center (MSRC) receives more than 100,000 e-mail messages per year at <a href="mailto:secure@microsoft.com">secure@microsoft.com</a> - that's nearly 275 per day or 11 per hour. This is filtered down to approximately 1,000 legitimate investigations per year. Once a vulnerability has been confirmed, a comprehensive examination is undertaken to ensure that the reported vulnerability is addressed, other vulnerabilities that might exist in related code are identified and addressed, and no new vulnerabilities or bugs are introduced during this process.</p>
<p>But why don't we commit to fixed timelines? Because it is important to consider the overall customer risk when focusing on updating software for security issues. Most security updates released by the MSRC will be rapidly deployed to hundreds of millions of systems worldwide helping to protect customers from attacks in a very short timeframe. And the software being updated is being used by hundreds of thousands of applications on all sorts of hardware in all sorts of scenarios. So it is imperative that the update has been rigorously engineered and tested in order to avoid creating any type of disruption to these systems. During this time, the MSRC monitors for signs that the vulnerability, or variants, are being used in active attacks. The MSRC does this by using comprehensive telemetry systems as well as data and information provided by customers and partners around the world, and the rest of the industry. This approach helps Microsoft balance between the potential urgency of releasing an update for a particular vulnerability and ensuring high confidence that the update will address the vulnerability, all of its variants and maintain the functionality and stability that customers expect from the affected products.</p>
<p>Many times the issue that the finder reported is an indication of other similar vulnerabilities in that area of code. And the original issue may not be the most complicated, or even the most likely to get used in attacks. Microsoft tries to address vulnerabilities and all of their variants in as few updates as possible because they cost enterprise customers time, effort and money to re-assess and deploy multiple updates for issues that could potentially be addressed in a single update. The time it takes to complete a comprehensive examination helps to ensure the number of security updates Microsoft releases and needs to re-release is kept to a minimum, thus reducing the costs and potential disruption to enterprise customers' operations. Due to the increase in quality that Microsoft has achieved over the last five years, some enterprise customers deploy security updates with little or no testing, and hundreds of millions of consumers continue to use the Automatic Update client on their systems to ensure that they stay protected automatically. </p>
<p>For the majority of issues, we are able to release high quality and comprehensive security updates to customers well before any indication of attacks, and well before they are disclosed publicly. However, there are exceptions. In some cases attacks result, and when that happens, we have to compress testing to release updates quickly. Also, when there are attacks, we release workarounds in days that can block these attacks even without the updates. Usually these take the form of a "FixIt" that can protect customers with one click or be easily deployed throughout the enterprise.</p>
<p>However, there are cases that take much longer. In fact, last year at Black Hat there was a security event dealing with a vulnerability in a library called "ATL" or "Active Template Library." That issue affected not only multiple Microsoft product versions, but also several 3<sup>rd</sup> party products and services. It took over a year to coordinate that release, and in the end, even the finders themselves understood and commented that with the complexity involved, taking over a year wasn't unreasonable. When seemingly simple security issues, such as a memory corruption bug, affect multiple different products, the coordination and calibration can drive longer timelines so no product, or customers of those products are left behind. And there have also been cases that are such deep architectural changes that they can take multiple years to fully resolve or may not be able to be resolved in some of our older products.&nbsp; Usually these issues result from new threats emerging that product designs or assumptions couldn't anticipate.&nbsp; Changing those assumptions for products that have been in market for several years does take time and coordination so customers and applications can work effectively with them.</p>
<p>Focusing on resolving security issues has and will always be a priority for us. And work to improve our processes will continue, but we must always strike a balance between timeliness and quality. </p>
<p><b>Working with the Security Community</b></p>
<p>The topic of how well Microsoft works with the security community is important to me personally, and to my team. Years ago, this was a very valid concern. I can remember being on the outside of Microsoft and watching researcher discussions noting how Microsoft wouldn't engage or was unresponsive. We've made dramatic changes on this front since the inception of Trustworthy Computing. At Microsoft we recognize, and appreciate, the unique value that security researchers play in identifying issues and helping the entire computing ecosystem improve from a security perspective. We also thank many in the community for their collaborative work over the years, and for nearly a decade we have demonstrated our commitment to working with them in an honest and transparent manner. We may not always agree on the severity and the amount of time it should take to develop and test an update that has to work with hundreds of millions of computers, but we do believe we're fair and open when working with researchers. It's not in our interest or the interest of our customers to behave any differently.</p>
<p>&nbsp;Throughout the years we've seen researchers saying that if vendors really valued their work, we'd compensate them directly for the vulnerabilities they discover. That's a trend that's continued in recent weeks. We absolutely value the researcher ecosystem, and show that in a variety of ways. The most well-known is the fact that we acknowledge the researcher's work in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update. And that's just the tip of the iceberg. We also work to make sure we can support the community's development by sponsoring and supporting nearly 50 security conferences in over 20 countries each year.&nbsp; </p>
<p>Probably the community effort that started more of the deeper relationships we've built with researchers is our own little "hacker" conference we host at Redmond each year, called "BlueHat Security Briefings." Launched in 2004, this conference is aimed at bringing Microsoft security professionals and external security researchers together in a relaxed environment to promote the sharing of ideas, social networking and ultimately improving the security of Microsoft products. Key to the success of BlueHat and its benefit to our customers is the direct question-and-answer access that researchers get with the specific owners of the technology they're researching. In many cases, some of our direct competitors have sat on our stage at Microsoft and talked about problems in our products, directly to the folks that develop and manage them. And they've been able to get feedback on their research from the same folks as well. </p>
<p><b>The Shift to Coordinated Vulnerability Disclosure</b></p>
<p>If there's one area that has had staying power in terms of driving polarized debate in the broader security community - as manifested in mainstream and social media this past month - it's in how to disclose vulnerability details.&nbsp; Ideally, updates for those vulnerabilities are available for all customers before details are broadly available. This allows us to protect the end-users because they just get the updates automatically, and large Enterprises can analyze, prioritize and deploy updates to hundreds of thousands of systems quickly. When communication breakdowns and disagreements happen, resulting in vulnerability details disclosed by researchers before we release an update, those details are then used by criminals to attack our customers. The worst situation is when vulnerabilities aren't disclosed to the vendor at all, because then there's very little hope of broad protections ever getting released for all customers.&nbsp; </p>
<p>Because of this range of situations, we also see a range of philosophies. Of course, Microsoft always supported the position that the best way to disclose issues is in a coordinated fashion, where details of the vulnerability are released in conjunction with an update that is broadly available for customers. This is known as "Responsible Disclosure." The term itself can be subjective because if either party doesn't abide by those terms, it is implied that they themselves are "irresponsible." Debate on this very issue of responsibility is understandable; however, it is important to remember that in the end we are dealing with customer safety issues - and we should all take that seriously. It is unfortunate these debates can make us lose focus on what is really important - protecting people using the Internet from harm. </p>
<p>Today, Matt Thomlinson, the general manager of Security at Trustworthy Computing, introduced a new disclosure philosophy Microsoft is adopting called Coordinated Vulnerability Disclosure <a href="http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx">http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx</a> .&nbsp; Katie Moussouris, senior security strategist on the MSRC Ecosystem Strategy team, provides more information and insight on the necessity of this shift in disclosure philosophy and practice on the MSRC Ecosystem Strategy Team Blog <a href="http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx">http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx</a>. You'll see from her post, we're not alone in acknowledging it is time for a change. Other vendors and researchers from the broader community of defenders are supportive and will be instrumental in making this shift a reality. So read the post, provide your feedback and then join us in making this an industry wide shift. </p>
<p>Now back to the catalyst for this post - Black Hat.&nbsp; We're just a few days from the event itself and we'll likely see more themes develop once it kicks off. But I hope the thoughts I've shared here provide some insights into our point of view on recent discussions in the community. </p>
<p>The realities of today's threat landscape point to a world that has shifted from a variety of participants with various motives to one of two sides - those who intend to harm or commit crime and those who intend to prevent harm and fight crime. As an industry and community, philosophical differences or competition aside, we should be in this together. Our own welfare as individuals and a collective community is at stake with unseen criminals who show no indication of backing down. It's our hope that this effort to shift to a shared responsibility of coordination and collaboration is something that is carried beyond Black Hat as we progress and evolve as a global community of defenders.</p>
<p>Hope to see you at Black Hat!</p>
<p>Mike Reavey<br />Director, MSRC</p>]]></content:encoded>
			<wfw:commentRss>http://blogs.technet.com/b/msrc/archive/2010/07/22/black-hat-2010.aspx/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Announcing Coordinated Vulnerability Disclosure</title>
		<link>http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx</link>
		<comments>http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx#comments</comments>
		<pubDate>Thu, 22 Jul 2010 14:46:00 +0000</pubDate>
		<dc:creator>MSRCTEAM</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Monthly Releases]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Responsible Disclosure]]></category>

		<guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3345927</guid>
		<description><![CDATA[<p>Today, Microsoft is announcing a shift in philosophy on how we approach the topic of vulnerability disclosure, reframing the practice of "Responsible Disclosure" to "Coordinated Vulnerability Disclosure." &#160;In recognition of the endless debate between responsible disclosure and full disclosure proponents and its ability to detract from meaningful and productive industry collaboration and customer defense, we believe that the community mindset needs to shift, framing a key point - that coordination and collaboration are required to resolve issues in a way that minimizes risk and disruption for customers. </p>
<p><b>Coordinated Vulnerability Disclosure (CVD): </b>&#160;&#160;Newly discovered vulnerabilities in hardware, software, and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves.</p>
<p>Responsibility is still imperative, but it is a shared responsibility across the community of security researchers, security product providers and other software vendors. Each member of this community of defenders plays a role in improving the overall security of the computing ecosystem.&#160;&#160; </p>
<p>CVD does not represent a huge departure from the current definition of "responsible disclosure," and we would still view vulnerability details being released broadly outside these guidelines as putting customers at unnecessary levels of risk. However, CVD does allow for more focused coordination on how issues are addressed publicly. CVD's core principles are simple: vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action -- and even then it should be coordinated as closely as possible.&#160; </p>
<p>As Microsoft shifts its philosophy to this new approach, we are asking the broader security community to embrace the purpose of this shift, which is ultimately about minimizing customer risk - not amplifying it. This distinction is critical. We recognize it's possible that very limited attacks may be happening without our knowledge. However, we fundamentally believe (and our experience over the last 10 years has shown) that once vulnerability details are released publicly, the probability of exploitation rises significantly. Without coordination in place to provide a security update or tested workarounds, risk to customers is greatly amplified.&#160; </p>
<p>It is evident from listening to those on both extremes of the disclosure argument that there is one thing that we are all trying to do: protect customers. We've been working with the security community closely for years to coordinate our actions for the benefit of customers. Coordinated vulnerability disclosure will help keep users safe.</p>
<p>For further perspective on CVD and how we see it working, please see Katie Moussouris' Ecostrat blog post at <a href="http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx">http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx</a>. </p>
<p>Thank you,</p>
<p>Matt Thomlinson<br />General Manager, Trustworthy Computing Security</p>]]></description>
			<content:encoded><![CDATA[<p>Today, Microsoft is announcing a shift in philosophy on how we approach the topic of vulnerability disclosure, reframing the practice of "Responsible Disclosure" to "Coordinated Vulnerability Disclosure." &nbsp;In recognition of the endless debate between responsible disclosure and full disclosure proponents and its ability to detract from meaningful and productive industry collaboration and customer defense, we believe that the community mindset needs to shift, framing a key point - that coordination and collaboration are required to resolve issues in a way that minimizes risk and disruption for customers. </p>
<p><b>Coordinated Vulnerability Disclosure (CVD): </b>&nbsp;&nbsp;Newly discovered vulnerabilities in hardware, software, and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves.</p>
<p>Responsibility is still imperative, but it is a shared responsibility across the community of security researchers, security product providers and other software vendors. Each member of this community of defenders plays a role in improving the overall security of the computing ecosystem.&nbsp;&nbsp; </p>
<p>CVD does not represent a huge departure from the current definition of "responsible disclosure," and we would still view vulnerability details being released broadly outside these guidelines as putting customers at unnecessary levels of risk. However, CVD does allow for more focused coordination on how issues are addressed publicly. CVD's core principles are simple: vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action -- and even then it should be coordinated as closely as possible.&nbsp; </p>
<p>As Microsoft shifts its philosophy to this new approach, we are asking the broader security community to embrace the purpose of this shift, which is ultimately about minimizing customer risk - not amplifying it. This distinction is critical. We recognize it's possible that very limited attacks may be happening without our knowledge. However, we fundamentally believe (and our experience over the last 10 years has shown) that once vulnerability details are released publicly, the probability of exploitation rises significantly. Without coordination in place to provide a security update or tested workarounds, risk to customers is greatly amplified.&nbsp; </p>
<p>It is evident from listening to those on both extremes of the disclosure argument that there is one thing that we are all trying to do: protect customers. We've been working with the security community closely for years to coordinate our actions for the benefit of customers. Coordinated vulnerability disclosure will help keep users safe.</p>
<p>For further perspective on CVD and how we see it working, please see Katie Moussouris' Ecostrat blog post at <a href="http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx">http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx</a>. </p>
<p>Thank you,</p>
<p>Matt Thomlinson<br />General Manager, Trustworthy Computing Security</p>]]></content:encoded>
			<wfw:commentRss>http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>July 2010 Security Bulletin Webcast</title>
		<link>http://blogs.technet.com/b/msrc/archive/2010/07/21/july-2010-security-bulletin-webcast.aspx</link>
		<comments>http://blogs.technet.com/b/msrc/archive/2010/07/21/july-2010-security-bulletin-webcast.aspx#comments</comments>
		<pubDate>Wed, 21 Jul 2010 17:51:00 +0000</pubDate>
		<dc:creator>MSRCTEAM</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Monthly Releases]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3345691</guid>
		<description><![CDATA[<p><span style="font-size: small">Hi,</span></p>
<p><span style="font-size: small">During the July 2010 webcast, we fielded questions varying from the re-release of </span><a href="http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx"><span style="font-size: small">MS10-024</span></a><span style="font-size: small"> to answers for&#160;the error messages received during the application of </span><a href="http://www.microsoft.com/technet/security/bulletin/ms10-041.mspx"><span style="font-size: small">MS10-041</span></a><span style="font-size: small"> and more.&#160;&#160;&#160;Click&#160; <a href="http://blogs.technet.com/b/msrc/p/july-2010-security-bulletin-q-a.aspx">here&#160;</a>to review&#160;the full Q&#38;A page&#160;so you can see all of the answers that were provided for these and the other great questions from the July webcast.</span></p>
<p><span style="font-size: small">Also, attached&#160;<a href="http://blogs.technet.com/b/msrc/p/security-bulletin-webcast-q-a-index.aspx">here</a> is the link to the Q&#38;A index page for your review -&#160;&#160;in case you wanted to view any of the past 12 webcast Q&#38;A's.</span></p>
<p>&#160;<span style="font-size: small">As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:</span></p>
<ul>
<li>
<div style="padding-left: 30px"><span style="font-size: small">Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.</span></div>
</li>
<li>
<div style="padding-left: 30px"><span style="font-size: small">International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.</span></div>
</li>
</ul>
<p><span style="font-size: small">Thanks!</span></p>
<p><span style="font-size: small">Jerry Bryant</span></p>
<p><span style="font-size: small">Group Manager, Response Communications</span></p>
<p style="padding-left: 60px"><span style="font-size: small">&#160;</span><span style="font-size: small">Click </span><a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032454431&#38;Culture=en-US"><span style="font-size: small">here</span></a><span style="font-size: small"> to register for next month's webcast.</span></p>]]></description>
			<content:encoded><![CDATA[<p><span style="font-size: small;">Hi,</span></p>
<p><span style="font-size: small;">During the July 2010 webcast, we fielded questions varying from the re-release of </span><a href="http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx"><span style="font-size: small;">MS10-024</span></a><span style="font-size: small;"> to answers for&nbsp;the error messages received during the application of </span><a href="http://www.microsoft.com/technet/security/bulletin/ms10-041.mspx"><span style="font-size: small;">MS10-041</span></a><span style="font-size: small;"> and more.&nbsp;&nbsp;&nbsp;Click&nbsp; <a href="http://blogs.technet.com/b/msrc/p/july-2010-security-bulletin-q-a.aspx">here&nbsp;</a>to review&nbsp;the full Q&amp;A page&nbsp;so you can see all of the answers that were provided for these and the other great questions from the July webcast.</span></p>
<p><span style="font-size: small;">Also, attached&nbsp;<a href="http://blogs.technet.com/b/msrc/p/security-bulletin-webcast-q-a-index.aspx">here</a> is the link to the Q&amp;A index page for your review -&nbsp;&nbsp;in case you wanted to view any of the past 12 webcast Q&amp;A's.</span></p>
<p>&nbsp;<span style="font-size: small;">As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:</span></p>
<ul>
<li>
<div style="padding-left: 30px;"><span style="font-size: small;">Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.</span></div>
</li>
<li>
<div style="padding-left: 30px;"><span style="font-size: small;">International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.</span></div>
</li>
</ul>
<p><span style="font-size: small;">Thanks!</span></p>
<p><span style="font-size: small;">Jerry Bryant</span></p>
<p><span style="font-size: small;">Group Manager, Response Communications</span></p>
<p style="padding-left: 60px;"><span style="font-size: small;">&nbsp;</span><span style="font-size: small;">Click </span><a href="https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032454431&amp;Culture=en-US"><span style="font-size: small;">here</span></a><span style="font-size: small;"> to register for next month's webcast.</span></p>]]></content:encoded>
			<wfw:commentRss>http://blogs.technet.com/b/msrc/archive/2010/07/21/july-2010-security-bulletin-webcast.aspx/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Advisory 2286198 Updated</title>
		<link>http://blogs.technet.com/b/msrc/archive/2010/07/20/security-advisory.aspx</link>
		<comments>http://blogs.technet.com/b/msrc/archive/2010/07/20/security-advisory.aspx#comments</comments>
		<pubDate>Wed, 21 Jul 2010 00:44:00 +0000</pubDate>
		<dc:creator>MSRCTEAM</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Monthly Releases]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Attack]]></category>
		<category><![CDATA[Attack Vector]]></category>
		<category><![CDATA[Microsoft Windows]]></category>
		<category><![CDATA[Mitigations]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Workarounds]]></category>
		<category><![CDATA[Zero-Day Exploit]]></category>

		<guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3345436</guid>
		<description><![CDATA[<p>We've just updated <a target="_blank" href="http://www.microsoft.com/technet/security/advisory/2286198.mspx">Microsoft Security Advisory 2286198</a> to let customers know that we now have an automated "Fix It" available to implement the workaround we first outlined in our original posting on Friday, July 16, 2010. More information is available in the <a href="http://support.microsoft.com/kb/2286198">KB article 2286198</a>, but in summary running the "Fix It" can help prevent attacks attempting to exploit this vulnerability. This workaround will disable some icons from being displayed so we recommend administrators test this before deploying it widely.</p>
<p>We've also updated the advisory with new information regarding possible attack vectors. Finally, we have included a new workaround that customers can implement to help protect their environments: blocking the download of LNK and PIF files (note that these files can be transferred over WebDAV, so be sure to account for this protocol if you implement this workaround).</p>
<p>As always, we encourage customers to review this new information and to evaluate it for their environment while our teams continue their work to develop a security update that addresses this vulnerability.</p>
<p>As always, we'll update the security advisory and this blog with new information as it becomes available.</p>
<p>Thanks,</p>
<p>Christopher Budd</p>
<p>Follow us on Twitter: <a href="http://www.twitter.com/msftsecresponse">@MSFTSecResponse</a></p>]]></description>
			<content:encoded><![CDATA[<p>We've just updated <a href="http://www.microsoft.com/technet/security/advisory/2286198.mspx">Microsoft Security Advisory 2286198</a> to let customers know that we now have an automated "Fix It" available to implement the workaround we first outlined in our original posting on Friday, July 16, 2010. More information is available in the <a href="http://support.microsoft.com/kb/2286198">KB article 2286198</a>, but in summary running the "Fix It" can help prevent attacks attempting to exploit this vulnerability. This workaround will disable some icons from being displayed so we recommend administrators test this before deploying it widely.</p>
<p>We've also updated the advisory with new information regarding possible attack vectors. Finally, we have included a new workaround that customers can implement to help protect their environments: blocking the download of LNK and PIF files (note that these files can be transferred over WebDAV, so be sure to account for this protocol if you implement this workaround).</p>
<p>As always, we encourage customers to review this new information and to evaluate it for their environment while our teams continue their work to develop a security update that addresses this vulnerability.</p>
<p>As always, we'll update the security advisory and this blog with new information as it becomes available.</p>
<p>Thanks,</p>
<p>Christopher Budd</p>
<p>Follow us on Twitter: <a href="http://www.twitter.com/msftsecresponse">@MSFTSecResponse</a></p>]]></content:encoded>
			<wfw:commentRss>http://blogs.technet.com/b/msrc/archive/2010/07/20/security-advisory.aspx/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Advisory 2286198 Released</title>
		<link>http://blogs.technet.com/b/msrc/archive/2010/07/16/security-advisory-2286198-released.aspx</link>
		<comments>http://blogs.technet.com/b/msrc/archive/2010/07/16/security-advisory-2286198-released.aspx#comments</comments>
		<pubDate>Fri, 16 Jul 2010 23:21:00 +0000</pubDate>
		<dc:creator>MSRCTEAM</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Monthly Releases]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3344788</guid>
		<description><![CDATA[<p>Hi everyone,</p>
<p>We have released <a href="http://www.microsoft.com/technet/security/advisory/2286198.mspx">Security Advisory 2286198</a>, which addresses a publicly reported vulnerability in Windows Shell. Microsoft has found that this vulnerability is most likely to be exploited through removable drives. Currently, we have seen only limited, targeted attacks on this vulnerability.</p>
<p>In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware, a threat family already known to the Microsoft Malware Protection Center. The MMPC has a <a href="http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx">blog post</a> with more technical discussion of Stuxnet.</p>
<p>We recommend that customers follow the guidance provided in the Security Advisory, making note of mitigations and tested workarounds. We will continue to investigate the vulnerability and, upon completion of that investigation, we will take appropriate action to protect our customers.</p>
<p>Customers should be aware that signatures in up-to-date versions of Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform protect customers against the Stuxnet malware.</p>
<p>We are also actively working with members of our <a href="http://www.microsoft.com/security/msrc/mapp/overview.mspx">Microsoft Active Protections Program (MAPP)</a> to provide information that they can use to provide broader protections to customers. Anyone believed to have been affected by this issue can visit: <a href="http://support.microsoft.com/">http://support.microsoft.com</a> and should contact the national law enforcement agency in their country.&#160; </p>
<p>We will continue to share updates on this blog and through our Twitter feed (<a href="http://www.twitter.com/msftsecresponse">@msftsecresponse</a>). </p>
<p>Thanks,</p>
<p>Dave Forstrom<br />Director of Marketing Communications, Integrated Communications &#38; Response</p>]]></description>
			<content:encoded><![CDATA[<p>Hi everyone,</p>
<p>We have released <a href="http://www.microsoft.com/technet/security/advisory/2286198.mspx">Security Advisory 2286198</a>, which addresses a publicly reported vulnerability in Windows Shell. Microsoft has found that this vulnerability is most likely to be exploited through removable drives. Currently, we have seen only limited, targeted attacks on this vulnerability.</p>
<p>In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware, a threat family already known to the Microsoft Malware Protection Center. The MMPC has a <a href="http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx">blog post</a> with more technical discussion of Stuxnet.</p>
<p>We recommend that customers follow the guidance provided in the Security Advisory, making note of mitigations and tested workarounds. We will continue to investigate the vulnerability and, upon completion of that investigation, we will take appropriate action to protect our customers.</p>
<p>Customers should be aware that signatures in up-to-date versions of Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform protect customers against the Stuxnet malware.</p>
<p>We are also actively working with members of our <a href="http://www.microsoft.com/security/msrc/mapp/overview.mspx">Microsoft Active Protections Program (MAPP)</a> to provide information that they can use to provide broader protections to customers. Anyone believed to have been affected by this issue can visit: <a href="http://support.microsoft.com/">http://support.microsoft.com</a> and should contact the national law enforcement agency in their country.&nbsp; </p>
<p>We will continue to share updates on this blog and through our Twitter feed (<a href="http://www.twitter.com/msftsecresponse">@msftsecresponse</a>). </p>
<p>Thanks,</p>
<p>Dave Forstrom<br />Director of Marketing Communications, Integrated Communications &amp; Response</p>]]></content:encoded>
			<wfw:commentRss>http://blogs.technet.com/b/msrc/archive/2010/07/16/security-advisory-2286198-released.aspx/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>July 2010 Security Bulletin Release</title>
		<link>http://blogs.technet.com/b/msrc/archive/2010/07/13/july-2010-security-bulletin-release.aspx</link>
		<comments>http://blogs.technet.com/b/msrc/archive/2010/07/13/july-2010-security-bulletin-release.aspx#comments</comments>
		<pubDate>Tue, 13 Jul 2010 16:38:00 +0000</pubDate>
		<dc:creator>MSRCTEAM</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Monthly Releases]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Attack]]></category>
		<category><![CDATA[Emerging Threat]]></category>
		<category><![CDATA[Microsoft Office]]></category>
		<category><![CDATA[Microsoft Windows]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Bulletin]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[video]]></category>
		<category><![CDATA[Zero-Day Exploit]]></category>

		<guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3343928</guid>
		<description><![CDATA[<p>Hi everyone. As part of our usual monthly update cycle, today Microsoft is releasing four security bulletins to address five vulnerabilities in Windows and Microsoft Office. </p>
<p><a href="http://www.microsoft.com/technet/security/bulletin/ms10-042.mspx">MS10-042</a> resolves a publicly disclosed and actively exploited vulnerability discussed in Security Advisory <a href="http://www.microsoft.com/technet/security/advisory/2219475.mspx">2219475</a>. The update addresses an issue in the Windows Help and Support Center feature included in Windows XP and Windows Server 2003. Even though this issue affects Server 2003, we have not found an attack vector on that platform so the severity rating is Low. Windows XP customers should install this update as soon as possible. </p>
<p><a href="http://www.microsoft.com/technet/security/bulletin/ms10-043.mspx">MS10-043</a> resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause a Denial of Service (DoS). Note that this bulletin affects only 64-bit versions of Windows 7 and Windows Server 2008 R2 with Windows Aero enabled. Aero is not installed by default on Server 2008 R2. We are not aware of any active attacks against this issue.</p>
<p><a href="http://www.microsoft.com/technet/security/bulletin/ms10-044.mspx">MS10-044</a> resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. This issue could allow remote code execution if a customer with Access installed opened a specially crafted Office file, or viewed a Web page that instantiated Access ActiveX controls. This security update is rated Critical for supported editions of Microsoft Office Access 2003 and Microsoft Office Access 2007.</p>
<p><a href="http://www.microsoft.com/technet/security/bulletin/ms10-045.mspx">MS10-045</a> This security update resolves another privately reported vulnerability that could allow remote code execution if a customer opened an attachment in a specially crafted e-mail message using an affected version of Outlook -- Microsoft Outlook 2002, Microsoft Office Outlook 2003, or Microsoft Office Outlook 2007. </p>
<p>The following video provides an overview of these four bulletins:</p>
<table cellpadding="2" border="0" style="width: 600px">
<tbody>
<tr>
<td>





</td>
<td>
<p>Other listening and viewing options:</p>
<ul type="disc" style="margin-top: 0in">
<li class="MsoNormal"><span style="font-family: 'Segoe UI','sans-serif';font-size: 12.5pt"><a href="http://ecn.channel9.msdn.com/o9/edge/4/1/6/8/2/msrcjuly2010sbov_edge.wmv" title="Windows Media Video (WMV)"><span style="font-family: arial,helvetica,sans-serif"><span style="font-size: x-small">Windows Media Video (WMV)</span></span></a></span></li>
<li class="MsoNormal"><span style="font-family: 'Segoe UI','sans-serif';font-size: 12.5pt"><a href="http://ecn.channel9.msdn.com/o9/edge/4/1/6/8/2/msrcjuly2010sbov_edge.wma" title="Windows Media Audio (WMA)"><span style="font-family: arial,helvetica,sans-serif"><span style="font-size: x-small">Windows Media Audio (WMA)</span></span></a></span></li>
<li class="MsoNormal"><span style="font-family: 'Segoe UI','sans-serif';font-size: 12.5pt"><a href="http://ecn.channel9.msdn.com/o9/edge/4/1/6/8/2/msrcjuly2010sbov_edge.mp4" title="iPod Video (MP4)"><span style="font-family: arial,helvetica,sans-serif"><span style="font-size: x-small">iPod Video (MP4)</span></span></a></span></li>
<li class="MsoNormal"><span style="font-family: 'Segoe UI','sans-serif';font-size: 12.5pt"><a href="http://ecn.channel9.msdn.com/o9/edge/4/1/6/8/2/msrcjuly2010sbov_edge.mp3" title="MP3 Audio"><span style="font-family: arial,helvetica,sans-serif"><span style="font-size: x-small">MP3 Audio</span></span></a></span></li>
<li class="MsoNormal"><span style="font-family: 'Segoe UI','sans-serif';font-size: 12.5pt"><a href="http://ecn.channel9.msdn.com/o9/edge/4/1/6/8/2/msrcjuly2010sbov_2MB_edge.wmv" title="High Quality WMV (2.5 Mbps)"><span style="font-family: arial,helvetica,sans-serif"><span style="font-size: x-small">High Quality WMV (2.5 Mbps)</span></span></a></span></li>
<li class="MsoNormal"><span style="font-family: 'Segoe UI','sans-serif';font-size: 12.5pt"><a href="http://ecn.channel9.msdn.com/o9/edge/4/1/6/8/2/msrcjuly2010sbov_Zune_edge.wmv" title="Zune Video (WMV)"><span style="font-family: arial,helvetica,sans-serif"><span style="font-size: x-small">Zune Video (WMV)</span></span></a></span></li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>Both Windows vulnerabilities and one Office vulnerability have Critical severity ratings, while the second Office vulnerability carries an Important severity rating.</p>
<p><a href="http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/7737.se83773621.png"><img height="239" width="425" src="http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/7737.se83773621.png" alt="July 2010 Risk and Impact" border="0" /></a></p>
<p>As always, Microsoft recommends that customers test and deploy all security updates as soon as possible. We recommend that deployment priority be given to MS10-042 and MS10-045. </p>
<p><a href="http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/6253.dp3897663.png"><img height="239" width="425" src="http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/6253.dp3897663.png" alt="July 2010 Deployment Priority" border="0" /></a></p>
<p>For a more in-depth look at these issues, our Security Research &#38; Defense (SRD) team has taken a closer look at both these bulletins <a href="http://blogs.technet.com/b/srd/">on its blog</a>.</p>
<p>We also include one bulletin re-release, <a href="http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx">MS10-024</a>, in this cycle. The re-release will address the issue previously noted in KB976323, in which the installation of the bulletin reset user-configured settings for SMTP servers on Windows Server 2008-based systems with Internet Information Services (IIS) installed. Users who have previously installed MS10-024 will not be offered the re-released update. </p>
<p>Today also marks the end of support for Windows XP Service Pack 2. Customers who have not migrated from this version are encouraged to upgrade immediately, either to Service Pack 3 or to Windows 7. In addition, after today's bulletin release, we will no longer provide support for all Windows 2000 products as we have reached the end of extended support. </p>
<p>More information about the security updates can be found on the Microsoft Security Bulletin summary <a href="http://www.microsoft.com/technet/security/bulletin/ms10-jul.mspx">webpage</a>.&#160; Our <a href="http://technet.microsoft.com/en-us/security/cc998259.aspx">Exploitability Index</a> provides additional information to help customers prioritize deployment of the monthly security bulletins. </p>
<p>Please join the monthly technical webcast to learn more about the May 2010 security bulletin release. The webcast is scheduled for Wednesday, July 14, 2010 at 11:00 a.m. PDT (UTC -7). Registration is available <a href="https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032454299&#38;EventCategory=4&#38;culture=en-US&#38;CountryCode=US">here</a>. </p>
<p>Reminder: You can follow the team for late breaking news and updates on the threat landscape here: <a href="http://www.twitter.com/msftsecresponse">@MSFTSecResponse</a>.</p>
<p>Thanks!</p>
<p>Jerry Bryant <br />Group Manager, Response Communications</p>]]></description>
			<content:encoded><![CDATA[<p>Hi everyone. As part of our usual monthly update cycle, today Microsoft is releasing four security bulletins to address five vulnerabilities in Windows and Microsoft Office. </p>
<p><a href="http://www.microsoft.com/technet/security/bulletin/ms10-042.mspx">MS10-042</a> resolves a publicly disclosed and actively exploited vulnerability discussed in Security Advisory <a href="http://www.microsoft.com/technet/security/advisory/2219475.mspx">2219475</a>. The update addresses an issue in the Windows Help and Support Center feature included in Windows XP and Windows Server 2003. Even though this issue affects Server 2003, we have not found an attack vector on that platform so the severity rating is Low. Windows XP customers should install this update as soon as possible. </p>
<p><a href="http://www.microsoft.com/technet/security/bulletin/ms10-043.mspx">MS10-043</a> resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause a Denial of Service (DoS). Note that this bulletin affects only 64-bit versions of Windows 7 and Windows Server 2008 R2 with Windows Aero enabled. Aero is not installed by default on Server 2008 R2. We are not aware of any active attacks against this issue.</p>
<p><a href="http://www.microsoft.com/technet/security/bulletin/ms10-044.mspx">MS10-044</a> resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. This issue could allow remote code execution if a customer with Access installed opened a specially crafted Office file, or viewed a Web page that instantiated Access ActiveX controls. This security update is rated Critical for supported editions of Microsoft Office Access 2003 and Microsoft Office Access 2007.</p>
<p><a href="http://www.microsoft.com/technet/security/bulletin/ms10-045.mspx">MS10-045</a> This security update resolves another privately reported vulnerability that could allow remote code execution if a customer opened an attachment in a specially crafted e-mail message using an affected version of Outlook -- Microsoft Outlook 2002, Microsoft Office Outlook 2003, or Microsoft Office Outlook 2007. </p>
<p>The following video provides an overview of these four bulletins:</p>
<table cellpadding="2" border="0" style="width: 600px;">
<tbody>
<tr>
<td>
</td>
<td>
<p>Other listening and viewing options:</p>
<ul type="disc" style="margin-top: 0in;">
<li class="MsoNormal"><a href="http://ecn.channel9.msdn.com/o9/edge/4/1/6/8/2/msrcjuly2010sbov_edge.wmv" title="Windows Media Video (WMV)">Windows Media Video (WMV)</a></li>
<li class="MsoNormal"><a href="http://ecn.channel9.msdn.com/o9/edge/4/1/6/8/2/msrcjuly2010sbov_edge.wma" title="Windows Media Audio (WMA)">Windows Media Audio (WMA)</a></li>
<li class="MsoNormal"><a href="http://ecn.channel9.msdn.com/o9/edge/4/1/6/8/2/msrcjuly2010sbov_edge.mp4" title="iPod Video (MP4)">iPod Video (MP4)</a></li>
<li class="MsoNormal"><a href="http://ecn.channel9.msdn.com/o9/edge/4/1/6/8/2/msrcjuly2010sbov_edge.mp3" title="MP3 Audio">MP3 Audio</a></li>
<li class="MsoNormal"><a href="http://ecn.channel9.msdn.com/o9/edge/4/1/6/8/2/msrcjuly2010sbov_2MB_edge.wmv" title="High Quality WMV (2.5 Mbps)">High Quality WMV (2.5 Mbps)</a></li>
<li class="MsoNormal"><a href="http://ecn.channel9.msdn.com/o9/edge/4/1/6/8/2/msrcjuly2010sbov_Zune_edge.wmv" title="Zune Video (WMV)">Zune Video (WMV)</a></li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>Both Windows vulnerabilities and one Office vulnerability have Critical severity ratings, while the second Office vulnerability carries an Important severity rating.</p>
<p><a minmax_bound="true" href="http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/7737.se83773621.png"><img minmax_bound="true" height="239" width="425" src="http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/7737.se83773621.png" alt="July 2010 Risk and Impact" border="0" id="ctl00___ctl00___ctl00_ctl00_bcr_PictureDetails1___detailsImage_SmallThumb3331833" /></a></p>
<p>As always, Microsoft recommends that customers test and deploy all security updates as soon as possible. We recommend that deployment priority be given to MS10-042 and MS10-045. </p>
<p><a minmax_bound="true" href="http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/6253.dp3897663.png"><img minmax_bound="true" height="239" width="425" src="http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/6253.dp3897663.png" alt="July 2010 Deployment Priority" border="0" id="ctl00___ctl00___ctl00_ctl00_bcr_PictureDetails1___detailsImage_SmallThumb3331833" /></a></p>
<p>For a more in-depth look at these issues, our Security Research &amp; Defense (SRD) team has taken a closer look at both these bulletins <a href="http://blogs.technet.com/b/srd/">on its blog</a>.</p>
<p>We also include one bulletin re-release, <a href="http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx">MS10-024</a>, in this cycle. The re-release will address the issue previously noted in KB976323, in which the installation of the bulletin reset user-configured settings for SMTP servers on Windows Server 2008-based systems with Internet Information Services (IIS) installed. Users who have previously installed MS10-024 will not be offered the re-released update. </p>
<p>Today also marks the end of support for Windows XP Service Pack 2. Customers who have not migrated from this version are encouraged to upgrade immediately, either to Service Pack 3 or to Windows 7. In addition, after today's bulletin release, we will no longer provide support for all Windows 2000 products as we have reached the end of extended support. </p>
<p>More information about the security updates can be found on the Microsoft Security Bulletin summary <a href="http://www.microsoft.com/technet/security/bulletin/ms10-jul.mspx">webpage</a>.&nbsp; Our <a href="http://technet.microsoft.com/en-us/security/cc998259.aspx">Exploitability Index</a> provides additional information to help customers prioritize deployment of the monthly security bulletins. </p>
<p>Please join the monthly technical webcast to learn more about the May 2010 security bulletin release. The webcast is scheduled for Wednesday, July 14, 2010 at 11:00 a.m. PDT (UTC -7). Registration is available <a href="https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032454299&amp;EventCategory=4&amp;culture=en-US&amp;CountryCode=US">here</a>. </p>
<p>Reminder: You can follow the team for late breaking news and updates on the threat landscape here: <a href="http://www.twitter.com/msftsecresponse">@MSFTSecResponse</a>.</p>
<p>Thanks!</p>
<p>Jerry Bryant <br />Group Manager, Response Communications</p>]]></content:encoded>
			<wfw:commentRss>http://blogs.technet.com/b/msrc/archive/2010/07/13/july-2010-security-bulletin-release.aspx/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>July 2010 Bulletin Release Advance Notification</title>
		<link>http://blogs.technet.com/b/msrc/archive/2010/07/08/july-2010-bulletin-release-advance-notification.aspx</link>
		<comments>http://blogs.technet.com/b/msrc/archive/2010/07/08/july-2010-bulletin-release-advance-notification.aspx#comments</comments>
		<pubDate>Thu, 08 Jul 2010 16:57:00 +0000</pubDate>
		<dc:creator>MSRCTEAM</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Monthly Releases]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Microsoft Office]]></category>
		<category><![CDATA[Microsoft Windows]]></category>
		<category><![CDATA[Security Bulletin]]></category>
		<category><![CDATA[Security Update]]></category>

		<guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3342791</guid>
		<description><![CDATA[<p>Hi everyone. Today we're releasing our <a href="http://www.microsoft.com/technet/security/bulletin/ms10-jul.mspx">advance notification</a> for the July security bulletin release, which is scheduled for Tuesday, July 13. This month's release includes four bulletins addressing five vulnerabilities.</p>
<ul type="disc">
<li>Two bulletins, both with a severity rating of Critical, affect Windows. </li>
<li>Two of the bulletins affect Microsoft Office; of those, one carries a Critical <a href="http://www.microsoft.com/technet/security/bulletin/rating.mspx">severity rating</a> and one is rated Important. </li>
</ul>
<p>As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.</p>
<p>We will close out two Security Advisories this month.</p>
<ul type="disc">
<li>We are closing Security Advisory 2028859 (<a href="http://www.microsoft.com/technet/security/advisory/2028859.mspx">Vulnerability in Canonical Display Driver Could Allow Remote Code Execution</a>) in the July bulletins. </li>
<li>We are also closing Security Advisory 2219475 (<a href="http://www.microsoft.com/technet/security/advisory/2219475.mspx">Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution</a>) with a comprehensive update that addresses the issue currently under attack. </li>
</ul>
<p>Please join Adrian Stone and me for a public webcast on Wednesday. We'll go into detail about the bulletins and answer questions live on the air. Register at the link below:</p>
<p>Date: Wednesday, July 14<br />Time: 11:00 a.m. PDT (UTC -7) <br />Registration: <a href="https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032454299">https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032454299</a></p>
<p>Also, July marks the end of Microsoft support for the Windows 2000 and Windows XP SP2 platforms. Customers should actively seek out either a supported operating system or the latest service pack in order to keep receiving necessary security updates. </p>
<p>Thanks,</p>
<p>Jerry Bryant<br />Group Manager, Response Communications</p>
<p>Follow us on Twitter: <a href="http://twitter.com/msftsecresponse">@MSFTSecResponse</a></p>
<p><em>Updated July 9, 2010 to correct transposition concerning number of critical bulletins for Windows (accurately, two)&#160;and MS Office (accurately, one).</em></p>]]></description>
			<content:encoded><![CDATA[<p>Hi everyone. Today we're releasing our <a href="http://www.microsoft.com/technet/security/bulletin/ms10-jul.mspx">advance notification</a> for the July security bulletin release, which is scheduled for Tuesday, July 13. This month's release includes four bulletins addressing five vulnerabilities.</p>
<ul type="disc">
<li>Two bulletins, both with a severity rating of Critical, affect Windows. </li>
<li>Two of the bulletins affect Microsoft Office; of those, one carries a Critical <a href="http://www.microsoft.com/technet/security/bulletin/rating.mspx">severity rating</a> and one is rated Important. </li>
</ul>
<p>As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.</p>
<p>We will close out two Security Advisories this month.</p>
<ul type="disc">
<li>We are closing Security Advisory 2028859 (<a href="http://www.microsoft.com/technet/security/advisory/2028859.mspx">Vulnerability in Canonical Display Driver Could Allow Remote Code Execution</a>) in the July bulletins. </li>
<li>We are also closing Security Advisory 2219475 (<a href="http://www.microsoft.com/technet/security/advisory/2219475.mspx">Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution</a>) with a comprehensive update that addresses the issue currently under attack. </li>
</ul>
<p>Please join Adrian Stone and me for a public webcast on Wednesday. We'll go into detail about the bulletins and answer questions live on the air. Register at the link below:</p>
<p>Date: Wednesday, July 14<br />Time: 11:00 a.m. PDT (UTC -7) <br />Registration: <a href="https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032454299">https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032454299</a></p>
<p>Also, July marks the end of Microsoft support for the Windows 2000 and Windows XP SP2 platforms. Customers should actively seek out either a supported operating system or the latest service pack in order to keep receiving necessary security updates. </p>
<p>Thanks,</p>
<p>Jerry Bryant<br />Group Manager, Response Communications</p>
<p>Follow us on Twitter: <a href="http://twitter.com/msftsecresponse">@MSFTSecResponse</a></p>
<p><em>Updated July 9, 2010 to correct transposition concerning number of critical bulletins for Windows (accurately, two)&nbsp;and MS Office (accurately, one).</em></p>]]></content:encoded>
			<wfw:commentRss>http://blogs.technet.com/b/msrc/archive/2010/07/08/july-2010-bulletin-release-advance-notification.aspx/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>AV Security Suite and Defense Center</title>
		<link>http://rogueantispyware.blogspot.com/2010/07/av-security-suite-and-defense-center.html</link>
		<comments>http://rogueantispyware.blogspot.com/2010/07/av-security-suite-and-defense-center.html#comments</comments>
		<pubDate>Tue, 06 Jul 2010 14:46:00 +0000</pubDate>
		<dc:creator>Rogue Antispyware</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Rogue Software]]></category>
		<category><![CDATA[Virus/Malware]]></category>
		<category><![CDATA[AV Security Suite]]></category>
		<category><![CDATA[Defense Center]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Virus]]></category>

		<guid isPermaLink="false">tag:blogger.com,1999:blog-1641410171038712287.post-4779623125753314737</guid>
		<description><![CDATA[AV Security Suite and Defense Center are phony security programs designed to infect numerous PCs and trick users into buying these programs with false security warnings. AV Security Suite. Defense Center. If either Defense Center or AV Security Suite has i...]]></description>
			<content:encoded><![CDATA[AV Security Suite and Defense Center are phony security programs designed to infect numerous PCs and trick users into buying these programs with false security warnings.<br /><br /><a href="http://1.bp.blogspot.com/_2TWLqRKWVBc/TDNDqx7sX6I/AAAAAAAAAsQ/mAtds--WCgs/s1600/AVSecuritySuite.FakeSpyPro_GUI.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 238px;" src="http://1.bp.blogspot.com/_2TWLqRKWVBc/TDNDqx7sX6I/AAAAAAAAAsQ/mAtds--WCgs/s320/AVSecuritySuite.FakeSpyPro_GUI.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5490806772932042658" /></a><br />AV Security Suite<br /><br /><a href="http://2.bp.blogspot.com/_2TWLqRKWVBc/TDND2GOwejI/AAAAAAAAAsY/m_flYBefXVU/s1600/DefenseCenter.FakeCog_GUI.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 235px;" src="http://2.bp.blogspot.com/_2TWLqRKWVBc/TDND2GOwejI/AAAAAAAAAsY/m_flYBefXVU/s320/DefenseCenter.FakeCog_GUI.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5490806967359273522" /></a><br />Defense Center<br /><br />If either Defense Center or AV Security Suite has infected your computer, you should remove the infection immediately.  VIPRE will remove both of these rogues from infected PCs.<br /><br /><a href="http://go.sunbeltsoftware.com/?linkid=405">Click here to download a free trial of VIPRE</a>.]]></content:encoded>
			<wfw:commentRss>http://rogueantispyware.blogspot.com/2010/07/av-security-suite-and-defense-center.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PC Defender Antivirus</title>
		<link>http://rogueantispyware.blogspot.com/2010/06/pc-defender-antivirus.html</link>
		<comments>http://rogueantispyware.blogspot.com/2010/06/pc-defender-antivirus.html#comments</comments>
		<pubDate>Wed, 30 Jun 2010 14:30:00 +0000</pubDate>
		<dc:creator>Rogue Antispyware</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Rouge Software]]></category>
		<category><![CDATA[Virus/Malware]]></category>
		<category><![CDATA[PC Defender Antivirus]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Virus]]></category>

		<guid isPermaLink="false">tag:blogger.com,1999:blog-1641410171038712287.post-819545335663878807</guid>
		<description><![CDATA[PC Defender Antivirus is phony antivirus software designed to rip people off. PC Defender Antivirus is a PC infection that should be removed from infected computers ASAP. PC Defender Antivirus will use nasty tactics to try and trick people into buyi...]]></description>
			<content:encoded><![CDATA[PC Defender Antivirus is phony antivirus software designed to rip people off. PC Defender Antivirus is a PC infection that should be removed from infected computers ASAP.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_2TWLqRKWVBc/TCtZQsVGJuI/AAAAAAAAAsI/K1Luy5-JIh4/s1600/PCDefenderAntivirus_GUI.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 244px;" src="http://2.bp.blogspot.com/_2TWLqRKWVBc/TCtZQsVGJuI/AAAAAAAAAsI/K1Luy5-JIh4/s320/PCDefenderAntivirus_GUI.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5488578714193503970" /></a><br />PC Defender Antivirus will use nasty tactics to try and trick people into buying the software. Unfortunately, when people do fall for the scam and buy this software, the thieves who created this parasite will sell the users' credit card information.<br />If you have purchased this software, you should cancel the credit card immediately.<br /><br />If PC Defender Antivirus has infected your PC, you should remove it immediately. <a href="http://go.sunbeltsoftware.com/?linkid=405">Click here to use VIPRE to remove PC Defender Antivirus from your computer now</a>.]]></content:encoded>
			<wfw:commentRss>http://rogueantispyware.blogspot.com/2010/06/pc-defender-antivirus.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
