Archive for the ‘SmartScreen’ Category

MSRT April release features Bedep detection

As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for:

In this blog, we’ll focus on the Bedep family of trojans.

 

The bothersome Bedep

Win32/Bedep was first detected on November 25, 2014. It is a malware family made up of DLLs that has been distributed by the Angler Exploit Kit. Microsoft detects Angler as:

JS/Axpergle and HTML/Axpergle have been known to carry and drop Bedep by redirecting unsuspecting users to compromised websites.

Bedep is bothersome not only because it is carried around by an exploit kit, but because it also connects to a remote server to do the nasty:

All of the above malware families have this in common: they steal your personal information and send it to the hacker, watch what you do online, drop other malware onto your PC, and update that malware too.

  • Collect information about your PC to send it off to the malware perpetrator
  • Update the downloaded malware

The good thing is, Windows Defender detects and removes Bedep and its variants.

This threat has been prevalent in North America, and various parts of Latin America, Europe, and Southeast Asia.

Figure 1: The map shows Win32/Bedep’s prevalence in North America, Latin America, Europe, and Southeast Asia in the last six months.

 

Figure 2: The pie chart shows the Bedep distribution among the top 10 countries for the past six months.

 

The exploit shellcode from the Angler Exploit Kit sometimes loads Bedep directly into memory, without it ever being written to disk. At other times, however, it is written to disk.

It can be installed either as a 32-bit DLL (Backdoor:Win32/Bedep.A) or as a 64-bit DLL (Backdoor:Win64/Bedep.A), depending on the affected Windows OS version.

This threat is initially loaded by shellcode running in an exploited browser process (for example, iexplore.exe). Then, the threat downloads a copy of itself and injects that into explorer.exe.

We have observed that the first exploit is not enough. The attacker needs more exploits to bypass the OS or browser’s layered defenses. As a precaution, you should always be careful when clicking User Account Control (UAC) prompts.

We’ve also seen that Bedep can drop itself as %ProgramData%\{CLSID}\<filename>.dll.

Example path and file name: C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll.

It then creates the following registry entries:

In subkey: HKEY_CURRENT_USER\CLSID\%Random CLSID%\InprocServer32

Example: HKEY_CURRENT_USER\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32

Sets value: "ThreadingModel"

With data: "Apartment"

Sets value: "" (the default value)

With data: %Bedep Filename%

Example: "C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll"

In subkey: HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\%Random CLSID%

Example: HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}

Sets value: "DriveMask"

With data: dword:ffffffff
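As an added example (not part of the MMPC write-up), the following Python script scans the text of a Windows .reg export for the two persistence entries listed above: a per-user CLSID InprocServer32 whose default value points to a DLL under %ProgramData%\{GUID}\, and a Drive\ShellEx\FolderExtensions entry with DriveMask set to dword:ffffffff. The embedded export is constructed sample data. The optional `Software\Classes\` hop in the key patterns is my assumption about where per-user COM registrations normally live, so both that form and the shorter key form quoted above are matched; the function names (`parse_reg_export`, `find_bedep_indicators`) are mine.

```python
"""Flag registry entries matching the Bedep persistence pattern (added example)."""
import re
from typing import Dict, List, Tuple

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# Per-user COM server registration. The "Software\Classes\" hop is optional
# (assumption) so both HKCU\CLSID\... and HKCU\Software\Classes\CLSID\... match.
INPROC_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\(?:Software\\Classes\\)?CLSID\\(" + GUID + r")\\InprocServer32$",
    re.IGNORECASE,
)
FOLDEREXT_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\(?:Software\\Classes\\)?Drive\\ShellEx\\FolderExtensions\\("
    + GUID + r")$",
    re.IGNORECASE,
)
# The drop location described in the write-up: %ProgramData%\{CLSID}\<filename>.dll
PROGRAMDATA_DLL = re.compile(
    r"^[A-Za-z]:\\ProgramData\\" + GUID + r"\\[^\\]+\.dll$", re.IGNORECASE
)

# Constructed sample export: one infected CLSID/FolderExtensions pair plus one benign entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32]
@="C:\\ProgramData\\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\\acledit.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\Drive\ShellEx\FolderExtensions\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}]
"DriveMask"=dword:ffffffff

[HKEY_CURRENT_USER\Software\Classes\CLSID\{01234567-89AB-CDEF-0123-456789ABCDEF}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"
"""

# Constructed clean export used as a negative control.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{01234567-89AB-CDEF-0123-456789ABCDEF}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the [key] / "name"=value layout of a .reg export.

    Returns {key path: {value name: value}}; "@" is reported as "(default)".
    Quoted string values have their doubled backslashes collapsed.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = "(default)" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace("\\\\", "\\")
        keys[current][name] = value
    return keys


def find_bedep_indicators(reg_text: str) -> List[Tuple[str, str]]:
    """Return (key path, reason) pairs for entries matching the persistence pattern."""
    hits: List[Tuple[str, str]] = []
    for key, values in parse_reg_export(reg_text).items():
        if INPROC_KEY.match(key):
            target = values.get("(default)", "")
            if PROGRAMDATA_DLL.match(target):
                hits.append((key, f"InprocServer32 default value points to {target}"))
            continue
        if FOLDEREXT_KEY.match(key) and values.get("DriveMask", "").lower() == "dword:ffffffff":
            hits.append((key, "FolderExtensions entry with DriveMask=dword:ffffffff"))
    return hits


if __name__ == "__main__":
    for key, reason in find_bedep_indicators(SAMPLE_REG):
        print(f"SUSPICIOUS {key}: {reason}")
```

To run it against a real machine, export the user hive with `reg export HKCU hkcu.reg` and pass `open("hkcu.reg", encoding="utf-16").read()` to `find_bedep_indicators`, since reg.exe writes its exports as UTF-16. The FolderExtensions check is deliberately paired with the InprocServer32 check: a shell extension registered for every drive letter (DriveMask all ones) whose COM server lives under a GUID-named ProgramData folder is the combination the write-up describes, and either half alone produces more benign hits.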

 

For details about various Bedep variants, see the following malware encyclopedia entries:

 

Mitigation and prevention

To help stay protected from Bedep and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:

 

Jonathan San Jose

MMPC

Combating social engineering tactics, like cookiejacking, to stay safer online

May 28th, 2011

You may have seen articles recently that highlight a social engineering technique called “cookiejacking” and how a particular instance may currently affect Internet Explorer.

It’s important to note that we have not seen widespread attacks related to this specific case. However, we take security very seriously, and to ensure customers are protected, we are working on an update to Internet Explorer.

Cookiejacking is a variant of an industry-wide attack type known as clickjacking. All Internet browsers are potentially susceptible to clickjacking, which is a form of social engineering attack, so as well as talking about this issue we wanted to highlight some more general best practices for staying safe online.

We also wanted to put this specific issue in context. In order to be exposed to risk a number of things would need to happen. You’d need to be tricked into interacting with malicious content on a website. Only after this could a third party steal cookies from a website that you were previously logged into. While this threat has been demonstrated by a security researcher, to date we are not aware of any actual attacks online.

The InPrivate Browsing feature in Internet Explorer prevents cookies from earlier browsing sessions from being stored on your PC, meaning they are not vulnerable to cookiejacking even in the circumstances described.

This is a form of social engineering attack, and these kinds of threats will remain a concern for Internet users on all browsers. Software vulnerabilities are not needed for these kinds of threats to be successful, so it is always a good idea to follow best practices, regardless of the browser you are using, in order to stay safe.

Some social engineering scams can be easily recognized by containing any of the following:

  • Odd messages from friends on social networking sites to participate in games or offers you must act upon immediately.
  • Alarmist messages and threats of account closures.
  • Promises of money for little or no effort.
  • Deals that sound too good to be true.
  • Requests to donate to a charitable organization after a disaster that has been in the news.
  • Bad grammar and misspellings.

To learn more about identifying social engineering scams and how to protect against them, please see Microsoft’s guidance on email and web scams. One of the basic rules on the Internet, as in life, is to use common sense and be suspicious of contacts from strangers, things that don’t look quite right or offers that appear too good to be true.

Internet Explorer includes some industry-leading features to help protect against other forms of socially engineered attacks.

Our SmartScreen filter technology helps detect phishing websites. SmartScreen Filter can also help protect you from installing malicious software or malware, which are programs that demonstrate illegal, viral, fraudulent, or malicious behavior.

As well as the SmartScreen service, we’ve also invested in Microsoft Security Essentials, free anti-virus software for Windows customers. In addition, we work with other anti-virus vendors around the world to share information about software security issues, which lets them develop better protections, faster, for their customers. This is what we refer to as community-based defense.

Socially engineered attacks are criminal activities and Microsoft fights these battles on the legal front as well. Our Digital Crimes Unit (DCU) works with law enforcement and government agencies daily to take down major botnets that are responsible for huge amounts of spam and social engineering attacks across the Internet.

Social engineering is a threat across the industry, and at Microsoft we’re diligently working to help keep customers safe online.

Security and Internet Explorer

March 11th, 2011

While the Internet is an amazing resource in terms of the information you can find and things you can do today, it’s important to also be smart about how you browse. A browser can be a great tool in helping you stay safe when you go online.

Most online attacks fall into one of three categories:

1. Malware that relies on social engineering to spread

2. Attacks directed against your browser or your operating system

3. Attacks directed towards the websites you visit

Let me spend some time describing what I mean by each of these, and also how Internet Explorer can help protect you from each of these types of attacks.

Helping Protect You from Socially Engineered Attacks

A term that you may hear on occasion within the security realm is “socially engineered attacks.” What this means is an attacker uses clever techniques to get you to lower your guard and trick you into doing something that makes you vulnerable to an attack. The idea here is that they aren’t looking for weaknesses in code; rather, they’re trying to fool you into a trap.

The ways in which we see this play out are varied; it may be that you get spam, that is to say an email from a fake bank that actually takes you to a malicious site, or an email supposedly from a friend that encourages you to download a file which may contain malware. To help keep you safe from such types of attacks, Internet Explorer comes with the SmartScreen Filter technology, which has been improved even more in Internet Explorer 9. SmartScreen makes it harder for someone to trick you into opening a malicious page or con you with a phishing site. This technology checks whether the site you’re visiting is suspected of hosting malicious code and, if so, prevents you from continuing on to that page. Internet Explorer 9 goes one step further by warning you only when you download applications that may be of higher risk.

Technologies like this can make a big difference in helping to keep you safe online. In December, NSS Labs reported that Internet Explorer offers the best protection against the spread of socially-engineered malware. As you can see in the below chart, Internet Explorer 8 (90%) and Internet Explorer 9 (99%) offer significantly more protection than other browsers.

Mitigating Attacks on Your Browser and PC

Internet Explorer also helps protect against deliberate attacks where bad code is hosted on a site that is designed to exploit weaknesses in the software on your PC. Among all the lines of code that make up software, there can be vulnerabilities. The Internet Explorer team designed its browser with security in mind, and in comparison to other browsers, Internet Explorer has fewer vulnerabilities. The chart below illustrates the number of publicly known vulnerabilities in 2010 divided by each browser, according to the National Vulnerability Database.

*Data source: National Vulnerability Database. Data is based upon the most recently shipped versions available during this time period. In the case of Chrome, versions 5, 6, 7, & 8 were all released during this time period.

At Microsoft, products are built with a secure-by-design approach, where security is designed into the product from the ground up. The result of this effort is a browser that includes specific features to help people stay secure and technologies that help insulate the browser against exploits. In addition to Microsoft’s security processes, which include the Security Development Lifecycle, the Software Security Incident Response Process (SSIRP), and monthly security bulletins, some ways in which you might see this at a product level include features such as Protected Mode, Data Execution Prevention, and many others, both in Internet Explorer 8 and in the soon-to-be-released Internet Explorer 9.

Protecting Against Compromised Websites

This last scenario is when an attacker has compromised a site that you visit in a way that interferes with how your browser interacts with the site. This type of attack is called a cross-site scripting attack. In this instance, an attacker gets an unsuspecting server to load special code into your browser that allows the attacker to do anything from monitoring your keystrokes to performing actions on your behalf on the site. Internet Explorer has a built-in Cross-Site Scripting Filter that makes such attacks more difficult and helps protect you.

The upcoming release of Internet Explorer 9 contains even more features designed to help keep you safer such as ActiveX Filtering and Application Reputation. More information on how Microsoft technologies can keep you secure can be found here.

Security and Internet Explorer

March 11th, 2011 No comments

While the Internet is an amazing resource in terms of the information you can find and things you can do today, it’s important to also be smart about how you browse. A browser can be a great tool in helping you stay safe when you go online.

Most online attacks fall into one of the three situations:

1. Malware that relies on social engineering to spread

2. Attacks directed against your browser or your operating system

3. Attacks directed towards the websites you visit

Let me spend some time describing what I mean by each of these, and also how Internet Explorer can help protect you from each of these types of attacks.

Helping Protect You from Socially Engineered Attacks

A term that you may hear on occasion within the security realm is “socially engineered attacks.” What this means is an attacker uses clever techniques to get you to lower your guard and trick you into doing something that makes you vulnerable to an attack. The idea here is that they aren’t looking for weaknesses in code; rather, they’re trying to fool you into a trap.

The ways in which we see this play out are varied; it may be that you get spam – that is to say an email from a fake bank that actually takes you to a malicious site, or an email supposedly from a friend that encourages you to download a file which may contain malware. To help keep you safe from such types of attacks, Internet Explorer comes with the Smart Screen filter technology, which has been improved even more with Internet Explorer 9. SmartScreen makes it harder for someone to trick you into opening a malicious page, or con you with a phishing site. This technology checks to see if the site you’re visiting is suspected of hosting malicious code and subsequently prevents you from continuing on to that page. Internet Explorer 9 goes one step further by warning you only when you download applications that may be of higher risk.

Technologies like this can make a big difference in helping to keep you safe online. In December, NSS Labs reported that Internet Explorer offers the best protection against the spread of socially-engineered malware. As you can see in the below chart, Internet Explorer 8 (90%) and Internet Explorer 9 (99%) offer significantly more protection than other browsers.

image

Mitigating Attacks on Your Browser and PC

Internet Explorer also helps protect against deliberate attacks where bad code is hosted on a site that is designed to exploit weaknesses in the software on your PC. Among all the lines of code that make up software, there can be vulnerabilities. The Internet Explorer team designed its browser with security in mind, and in comparison to other browsers, Internet Explorer has fewer vulnerabilities. The chart below illustrates the number of publicly known vulnerabilities in 2010 divided by each browser, according to the National Vulnerability Database.

image

*Data source: National Vulnerability Database. Data is based upon the most recently shipped versions available during this time period. In the case of Chrome, versions 5, 6, 7, & 8 were all released during this time period.

At Microsoft, products are built with a secure-by-design approach, where security is designed into the product from the ground up. The result of this effort is a browser that includes specific features to help people stay secure and technologies that help insulate the browser against exploits. In addition to Microsoft’s security processes, which includes the Security Development Lifecycle, Software Security Incident Response Process (SSIRP), and monthly security bulletins, some ways in which you might see this at a product level include features such as Protected Mode, Data Execution Prevention, and many others, both in Internet Explorer 8, and the soon to be released Internet Explorer 9.

Protecting Against the Compromised Websites

This last scenario is when an attacker that has compromised a site that you visit in a way that interferes with how your browser relates to the site. This type of an attack is called a cross-site scripting attack. In this instance, an attacker gets an unsuspecting server to load special code on your browser that allows the attacker to do anything from monitoring your keystrokes to performing actions on your behalf on the site. Internet Explorer has built in a Cross-Site Script Filter that makes such attacks more difficult and helps protect you.

The upcoming release of Internet Explorer 9 contains even more features designed to help keep you safer such as ActiveX Filtering and Application Reputation. More information on how Microsoft technologies can keep you secure can be found here.

Security and Internet Explorer

March 11th, 2011 No comments

While the Internet is an amazing resource in terms of the information you can find and things you can do today, it’s important to also be smart about how you browse. A browser can be a great tool in helping you stay safe when you go online.

Most online attacks fall into one of the three situations:

1. Malware that relies on social engineering to spread

2. Attacks directed against your browser or your operating system

3. Attacks directed towards the websites you visit

Let me spend some time describing what I mean by each of these, and also how Internet Explorer can help protect you from each of these types of attacks.

Helping Protect You from Socially Engineered Attacks

A term that you may hear on occasion within the security realm is “socially engineered attacks.” What this means is an attacker uses clever techniques to get you to lower your guard and trick you into doing something that makes you vulnerable to an attack. The idea here is that they aren’t looking for weaknesses in code; rather, they’re trying to fool you into a trap.

The ways in which we see this play out are varied; it may be that you get spam – that is to say an email from a fake bank that actually takes you to a malicious site, or an email supposedly from a friend that encourages you to download a file which may contain malware. To help keep you safe from such types of attacks, Internet Explorer comes with the Smart Screen filter technology, which has been improved even more with Internet Explorer 9. SmartScreen makes it harder for someone to trick you into opening a malicious page, or con you with a phishing site. This technology checks to see if the site you’re visiting is suspected of hosting malicious code and subsequently prevents you from continuing on to that page. Internet Explorer 9 goes one step further by warning you only when you download applications that may be of higher risk.

Technologies like this can make a big difference in helping to keep you safe online. In December, NSS Labs reported that Internet Explorer offers the best protection against the spread of socially-engineered malware. As you can see in the below chart, Internet Explorer 8 (90%) and Internet Explorer 9 (99%) offer significantly more protection than other browsers.

image

Mitigating Attacks on Your Browser and PC

Internet Explorer also helps protect against deliberate attacks where bad code is hosted on a site that is designed to exploit weaknesses in the software on your PC. Among all the lines of code that make up software, there can be vulnerabilities. The Internet Explorer team designed its browser with security in mind, and in comparison to other browsers, Internet Explorer has fewer vulnerabilities. The chart below illustrates the number of publicly known vulnerabilities in 2010 divided by each browser, according to the National Vulnerability Database.

image

*Data source: National Vulnerability Database. Data is based upon the most recently shipped versions available during this time period. In the case of Chrome, versions 5, 6, 7, & 8 were all released during this time period.

At Microsoft, products are built with a secure-by-design approach, where security is designed into the product from the ground up. The result of this effort is a browser that includes specific features to help people stay secure and technologies that help insulate the browser against exploits. In addition to Microsoft’s security processes, which includes the Security Development Lifecycle, Software Security Incident Response Process (SSIRP), and monthly security bulletins, some ways in which you might see this at a product level include features such as Protected Mode, Data Execution Prevention, and many others, both in Internet Explorer 8, and the soon to be released Internet Explorer 9.

Protecting Against the Compromised Websites

This last scenario is one in which an attacker has compromised a site that you visit in a way that interferes with how your browser interacts with that site. This type of attack is called a cross-site scripting attack. Here, the attacker gets an unsuspecting server to deliver special code to your browser that allows the attacker to do anything from monitoring your keystrokes to performing actions on your behalf on the site. Internet Explorer has a built-in Cross-Site Scripting Filter that makes such attacks more difficult and helps protect you.

The upcoming release of Internet Explorer 9 contains even more features designed to help keep you safer such as ActiveX Filtering and Application Reputation. More information on how Microsoft technologies can keep you secure can be found here.

Protecting Browsers with Defense In Depth Techniques

March 26th, 2010 Comments off

Posted on behalf of Pete LePage of the Internet Explorer team.

Protecting Windows customers is an absolute priority for the Internet Explorer engineering team. That’s why we work hard to make sure our browser has some of the best safety and privacy features available today. We’ve spent a lot of time talking about some of the more visible safety and privacy features, like our SmartScreen Filter, which protects users from socially engineered malware and phishing attacks, or the InPrivate features that put you in control of how you share your information.

But there are a number of other features that aren’t as visible and that help prevent vulnerabilities from being exploited, though some are only available on newer platforms like Windows Vista or Windows 7. For example, Protected Mode helps ensure that exploited code cannot access system or other resources. Address Space Layout Randomization (ASLR) helps prevent attackers from predicting the memory addresses they need in buffer overflow situations. Data Execution Prevention (DEP) helps to foil attacks by preventing code from running in memory that is marked non-executable. These defense in depth protections are designed to make it significantly harder for attackers to exploit vulnerabilities.

One way to think about what defense in depth techniques do is to compare them with the features of fire-proof safes that make them last longer in a fire. Without such features, a fire-proof safe may only protect its contents for an hour or two. A stronger fire-proof safe with several of them still won’t guarantee the valuables forever, but it adds significant time and protection to how long the contents will last.

Recently, there has been some news from security researchers about how they’ve managed to bypass DEP or ASLR in Internet Explorer (and Firefox as well). But like the fire-proof safe example above, defense in depth techniques aren’t designed to prevent every attack forever; they are designed to make it significantly harder to exploit a vulnerability. Defense in depth features, including DEP and ASLR, continue to be highly effective protection mechanisms.

Internet Explorer 8 on Windows 7 helps protect users with all of these defense in depth features, and there is nothing that you have to do to enable them; they’re on by default. That’s one of the reasons why we encourage users to make sure they’re running the latest and most up-to-date software.

End to End Trust and Windows 7

April 21st, 2009 No comments

I attended Scott Charney’s keynote this morning at RSA – Moving Towards End to End Trust: A Collaborative Effort. I would assume that many of the readers of this blog are not familiar with the End to End Trust story. In a nutshell, End to End trust is Microsoft’s vision for creating a safer, more trusted Internet. It’s a great vision, but it’s also a big job that requires a commitment and focus on the fundamentals—fundamentals that will help deliver the most secure and privacy-enhanced versions of software and services that we have ever delivered. We’re also not going it alone. End to End Trust requires broad collaboration within the industry and Microsoft will continue to share our best practices with the IT communities of our customers.

Scott talked about how hard we are working across Microsoft to deliver technology innovations that move the needle towards a trusted stack, with security rooted in hardware and an identity metasystem (a big word that means a way of trusting people are who they say they are on the Internet). Even with progress, people still need strong defense in depth security technologies and Scott talked about how Microsoft’s Identity and Security Division is delivering integrated identity and security business solutions today to our customers. But maybe the most interesting thing he touched on was how technology innovations alone are not enough. Innovation also needs to align with political, economic and IT forces to enable the change that is truly needed.

End to End trust is a vision of what’s possible if we collectively work together, and it can help address real world problems that people face every day such as ID theft, online fraud and child safety. If you want to learn more about End to End Trust, visit http://www.microsoft.com/endtoendtrust to find out the entire story.

Now, let’s talk about Windows 7 and the progress we’re making to deliver End to End Trust in the Windows platform. In my blog post yesterday on how Windows 7 helps enable the mobile workforce, I wrote about technologies like DirectAccess, BitLocker To Go, and AppLocker. Each of these technologies plays a part in helping us enable End to End Trust, whether it is strong machine and user authentication with DirectAccess or limiting running software on a system to known, trusted applications with AppLocker. But there are other technologies that help us as well:

Biometric Framework
Fingerprint scanners are becoming more and more common in standard laptop configurations—my laptop came standard with one. Windows 7 helps ensure that fingerprint readers work well and that they are easy to set up and use. This is accomplished by taking the common code that everyone needs to write and standardizing it in the platform, so that biometric hardware vendors can concentrate on the code they need to write to make their device work and not have to worry about how it ties into Windows. This new framework makes logging on to Windows using a fingerprint more reliable across different hardware providers and makes fingerprint reader configurations easy to modify. This puts the user in control of how they log on to Windows 7 and manage the fingerprint data stored on their PC.

Improved Smart Card Support
Password-based authentication has well-understood security limitations; however, deploying strong authentication technologies like smart cards remains a challenge for many. Windows 7 enhances the smart card infrastructure advances made in Windows Vista through support of Plug and Play. This eases deployment of smart card infrastructures because drivers for both smart cards and smart card readers are automatically installed, without the need for administrative permissions or user interaction. I think this new behavior is going to ease the deployment of strong, two-factor authentication for many organizations.

BitLocker
I’m a big fan of BitLocker; it helps prevent a thief who boots another operating system or runs a software hacking tool from breaking into my laptop if they happen to get a hold of it. This holds true for both the operating system volume (C: drive) and my data volume (D: drive). Most customers I talk to love the encryption protection that BitLocker provides, but many are not aware that BitLocker also does integrity checking of early boot components to help ensure that the system has not been tampered with and that the encrypted drive has not been swapped out to another computer. This integrity checking ties back into the “security rooted in hardware” that is a part of End to End Trust. It utilizes a Trusted Platform Module (a smart-card-like chip on the system motherboard) to help protect the encryption keys used by BitLocker. This is true for BitLocker in Windows 7 as well as Windows Vista.

We’ve also listened to feedback and made enhancements to Windows 7 BitLocker to provide a better experience for IT Pros and for end users. One of the simple enhancements we made is to right-click enable the BitLocker protection of a disk volume. Now I can go to Windows Explorer and right click any disk volume, including my removable BitLocker To Go volumes, and encrypt them right there without having to go to the Control Panel.

Another big change was the addition of Data Recovery Agent (DRA) support for all protected volumes. The DRA is a certificate-based data recovery agent that can be utilized to recover the contents of any BitLocker protected volume. Since the group policy settings are separate for Operating System Drives, Fixed Data Drives, and Removable Data Drives, customers have flexibility in how they want to configure their recovery options for the different threats that each separate drive type may experience.

With BitLocker and BitLocker To Go, enterprises can rest assured that their information and data is secure, no matter where their employees are working. I know I feel better knowing my laptop and all of my USB sticks are protected!

Internet Explorer 8

I know folks are more concerned than ever about protecting themselves while online, particularly from identity theft, malware, and other potentially dangerous online threats. I feel like we have done a lot in the platform, and the security technologies we have been talking about this week (Firewall, DirectAccess, BitLocker To Go and AppLocker) are a part of the protection equation. But Internet Explorer 8 is another huge piece of the equation, as users spend more time online, in their browsers. IE 8 is the most secure web browser on the market and provides another, vital layer of defense against online threats.

We built upon the phishing protection in Internet Explorer 7 with the SmartScreen Filter, which now adds protection from malware – a threat that is growing significantly faster than phishing.

We also built in support for protecting users against type-1 (or “reflected”) Cross-Site Scripting (XSS) attacks. XSS threats try to exploit vulnerabilities in the websites we visit and are quickly becoming one of the most prevalent ways web sites can be compromised. The bad news for you and me is that an XSS attack can help a bad guy steal our usernames and passwords for our online bank accounts or other confidential information. The XSS filter in IE 8 uses heuristics to detect such attacks and, when they are detected, prevents their execution. This should help keep you and me safe from the most common form of XSS attacks in use today.

Another innovation concerns ClickJacking. While a lot of people have heard of phishing attacks, a new kind of phishing attack called ClickJacking is on the rise. ClickJacking occurs when an attacker’s web page deceives a person into clicking on content from another website without realizing it, so they’re clicking on something that, for instance, buys something from the site, changes settings on their browser, or provides advertisements that these cybercriminals get paid for. ClickJacking Protection in IE is a feature that allows web site content owners to put a tag in a page header that will help prevent ClickJacking.
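The page header the post refers to is the X-Frame-Options response header. The following is an added example, not code from the original post or from Internet Explorer: it shows how a site opts in with that header and how a browser that honours it decides whether a page may be shown inside a frame. The function names (framing_headers, frame_allowed, origin_of) and the example origins are constructed for illustration.

```python
"""X-Frame-Options: setting it on the server side, and the browser-side
decision it drives. Added example; names and sample origins are made up."""
from typing import Dict, Optional
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host:port origin (lower-cased,
    default port filled in) so that origins compare reliably."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme.lower())
    return f"{p.scheme.lower()}://{p.hostname.lower()}:{port}"


def framing_headers(policy: str, allowed_origin: Optional[str] = None) -> Dict[str, str]:
    """Headers a site sends to opt into ClickJacking protection.
    policy is DENY, SAMEORIGIN, or ALLOW-FROM (the last needs one origin;
    not every browser honours ALLOW-FROM)."""
    policy = policy.upper()
    if policy in ("DENY", "SAMEORIGIN"):
        return {"X-Frame-Options": policy}
    if policy == "ALLOW-FROM" and allowed_origin:
        return {"X-Frame-Options": f"ALLOW-FROM {allowed_origin}"}
    raise ValueError(f"unsupported X-Frame-Options policy: {policy!r}")


def frame_allowed(headers: Dict[str, str], page_url: str, top_url: str) -> bool:
    """Browser-side decision: may the document at page_url be rendered in a
    frame whose top-level document is top_url? True means it is rendered."""
    value = None
    for name, v in headers.items():          # header names are case-insensitive
        if name.lower() == "x-frame-options":
            value = v.strip()
    if value is None:
        return True                          # site did not opt in: no protection
    token, _, rest = value.partition(" ")
    token = token.upper()
    if token == "DENY":
        return False                         # never framed, not even by itself
    if token == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(top_url)
    if token == "ALLOW-FROM" and rest.strip():
        return origin_of(top_url) == origin_of(rest.strip())
    # Unrecognised value: browsers ignore the header, so the page is framed.
    # A typo in the policy therefore silently removes the protection.
    return True


if __name__ == "__main__":
    bank = "https://bank.example/account"        # constructed victim page
    hdrs = framing_headers("SAMEORIGIN")
    print(frame_allowed(hdrs, bank, "https://bank.example/home"))   # True
    print(frame_allowed(hdrs, bank, "https://other.example/page"))  # False
    print(frame_allowed({"X-Frame-Options": "SAME-ORIGIN"}, bank,
                        "https://other.example/page"))              # True (typo)
```

The last case is the check worth automating in a deployment: a misspelled policy value is not an error the server notices, and it leaves the page frameable exactly as if the header were absent.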

I think the IE team has done a great job with the security in IE 8 and love that it puts people in control of their safety and privacy and helps protect them from new online threats. For those of you who are interested, there is a lot more security goodness in IE 8 on the IE blog and via these links:

Got To Run

I feel great about Windows 7 and the security enhancements we have been able to make. Hopefully, as you learn more about the security work that we have put into it, you will reach the same conclusion that I have: Windows 7 is the most robust platform we have ever delivered; it helps support End to End Trust, helps keep you and me safe, and was designed to prevent malware from getting onto our PCs to begin with.

There is a lot going on here at RSA and I want to go spend some more time seeing what’s new and exciting. I’ll be back with some of my impressions of RSA in a bit.