Archive

Archive for the ‘vulnerabilities’ Category

#AVGater vulnerability does not affect Windows Defender Antivirus, MSE, or SCEP

On November 10, 2017, a vulnerability called #AVGater was discovered affecting some antivirus products. The vulnerability requires a non-administrator-level account to perform a restore of a quarantined file.

Windows Defender Antivirus and other Microsoft antimalware products, including System Center Endpoint Protection (SCEP) and Microsoft Security Essentials (MSE), are not affected by this vulnerability.

This vulnerability can be exploited to restore files that have been detected and quarantined by an antivirus product. To exploit this, malicious applications, including those launched by user-level accounts without administrator privileges, create an NTFS junction from the %System% folder to folder where the quarantined file is located. This NTFS junction can trigger the antivirus product to attempt to restore the file into the %System% folder.

This is a relatively old attack vector. By design, Microsoft antimalware products, including Windows Defender Antivirus, have never been affected by this vulnerability because it does not permit applications launched by user-level accounts to restore files from quarantine. This is part of the built-in protections against this and other known user-account permissions vulnerabilities.

Read more about Windows Defender Antivirus and the rest of our Windows Defender protection products at the following links:

 

*Edited 11/17/2017 to include other Microsoft antimalware products

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

Keep Microsoft software up to date — and everything else too

September 14th, 2016 No comments

Many of the CIOs and CISOs that I talk to, have, over time, developed mature vulnerability assessment methodologies and security updating processes. But frequently, I find that the focus of these processes is squarely on keeping Microsoft operating systems and browsers up to date. Of course vulnerabilities in popular operating systems or browsers have the potential to affect a broad audience. Another reason for this focus is that Microsoft has made updating relatively easy by offering updates via Windows Update, Microsoft Update, and via various tools like Windows Server Update Services and others.

But data from our latest Security Intelligence Report suggests that customers need to keep all of their software up-to-date, not just Microsoft software.

In the last half of 2015 there were nearly 3,300 vulnerability disclosures across the industry, of which 305 were in Microsoft products. With more than 90 percent of reported vulnerabilities occurring outside the Microsoft portfolio, organizations need to monitor their entire technology stack to minimize their risk.

Microsoft products accounted for less than 10 percent of industrywide vulnerabilities in the second half of 2015.

Microsoft products accounted for less than 10 percent of industrywide vulnerabilities in the second half of 2015.

This is consistent with previous years as well. The software industry worldwide includes thousands of vendors, and historically, vulnerabilities for Microsoft software have accounted for between three and ten percent of disclosures in any six-month period.

To find out what’s happening in the world of software vulnerabilities across your IT environment, take some time to review our latest Security Intelligence Report and the information available through the National Vulnerability Database (NVD), the U.S. government’s repository of standards-based vulnerability management data. And for a high-level look at the top ten trends and stats that matter most to security professionals right now, be sure and download our 2016 Trends in Cybersecurity e-book.

As strong as your weakest link: A look at application vulnerability

September 6th, 2016 No comments

When it comes to patching and updating software vulnerabilities, operating systems and web browsers seem to get all the love.

But in reality, vulnerabilities in those two types of software usually account for a minority of the publicly disclosed vulnerabilities published in the National Vulnerability Database (NVD), the U.S. government’s repository of standards-based vulnerability management data.

Where are the rest of the vulnerabilities? The majority are in applications (i.e. software that doesn’t ship as part of operating systems or browsers), and unless you’re spending time protecting those too, your application layer could be a big chink in your IT armor. CIOs, CISOs and their security teams need to focus on assessing and patching known vulnerabilities in all business apps, or they could in fact be missing the bulk of the vulnerabilities that exist in their environments.

Vulnerabilities in applications other than web browsers and operating system applications accounted for 44.2% of all disclosures in the second half of 2015.

Vulnerabilities in applications other than web browsers and operating system applications accounted for 44.2% of all disclosures in the second half of 2015.

But separating core OS applications and web browsers from the rest of the application layer can be a bit murky. Comparing vulnerabilities that affect a computer’s operating system to vulnerabilities that affect other components, such as applications and utilities, requires a determination of whether the affected component is part of an operating system. This determination is not always simple and straightforward, given the componentized nature of modern operating systems.

For example, some programs (like photo editors) ship by default with operating system software, but can also be downloaded from the software vendor’s website and installed individually. Linux distributions, in particular, are often assembled from components developed by different teams, many of which provide crucial operating functions such as a graphical user interface (GUI) or Internet browsing.

To help companies navigate this issue and facilitate analysis of operating system and browser vulnerabilities, the Microsoft Security Intelligence Report distinguishes among four different kinds:

  • Core operating system vulnerabilities are those with at least one operating system platform enumeration in the NVD that do not also have any application platform enumerations.
  • Operating system application vulnerabilities are those with at least one OS platform enumeration and at least one application platform enumeration listed in the NVD, except for browsers.
  • Browser vulnerabilities are those that affect components defined as part of a web browser, including web browsers such as Internet Explorer and Apple’s Safari that ship with operating systems, along with third-party browsers such as Mozilla Firefox and Google Chrome.
  • Other application vulnerabilities are those with at least one application platform enumeration in the NVD that do not have any OS enumerations, except for browsers.

With those distinctions in mind, the latest SIR reports that disclosures of vulnerabilities in applications decreased in the second half of 2015, but remained the most common type of vulnerability during the period, accounting for 44.2 percent of all disclosures — a big number that any organization’s security team should be paying attention to.

Meanwhile, the other categories are important too. Core operating system vulnerability disclosures increased dramatically from the first half of the year, moving into second place at 24.5 percent. Operating system application disclosures decreased slightly to account for 18.6 percent, while browser disclosures increased by more than a third to account for 12.8 percent.

The key to keeping any organization safe is to stay on top of all disclosures, no matter which part of the stack they belong in. To stay on top of possible vulnerabilities across your software stack, take a look at our latest Security Intelligence Report and the information available through the NVD. And for a high-level look at the top 10 trends and stats that matter most to security professionals right now, be sure and download our 2016 Trends in Cybersecurity e-book.

Rise in severe vulnerabilities highlights importance of software updates

August 17th, 2016 No comments

In the context of computer security, vulnerabilities are weaknesses in software that could allow an attacker to compromise the integrity, availability, or confidentiality of either the software itself or the system it’s running on. Some of the worst vulnerabilities allow attackers to exploit the compromised system by causing it to run malicious code without the user’s knowledge. The effects of this can range from the annoying (experiencing unwanted pop-up ads) to the catastrophic (leaking sensitive customer information).

For this reason, disclosing vulnerabilities to the public as they are found is an important part of the software industry. It’s an effort that goes well beyond the software companies who develop the code. Disclosures can come from a variety of sources, including publishers of the affected software, security software vendors, independent security researchers, and even malware creators.

Attackers and the malware they create routinely attempt to use unpatched vulnerabilities to compromise and victimize organizations, so it’s imperative that CIOs, CISOs and the rest of an organization’s security team pay close attention to disclosures as they are announced. Doing so can help the security team understand if their IT environment is at increased risk, and whether putting new mitigations in place is warranted.

Industry-wide vulnerability disclosures each half year into the second half of 2015

Industry-wide vulnerability disclosures each half year into the second half of 2015

This year the importance of tracking disclosures was highlighted as vulnerability disclosures across the industry increased 9.4 percent between the first and second half of 2015, to almost 3,300.

Even more troubling, disclosures of high-severity vulnerabilities increased 41.7 percent across the industry in the second half of 2015, to account for 41.8 percent of the total — the largest share for such vulnerabilities in at least three years.

These are the vulnerabilities that security teams dread as they enable attackers to gain easy access to software, PCs, devices, and servers. For organizations that work with sensitive customer data or that must comply with security regulations to maintain contracts, the results of such an infection are potentially dire.

Vendors with a known vulnerability in their products will generally issue a patch to close the door, so staying abreast of those updates is a critical concern for security professionals. With over 6,000 vulnerabilities publicly disclosed per year across the industry, it’s important that organizations assess all software in their IT environment and ensure that it is updated.

For an analysis of vulnerabilities disclosed in the latter half of 2015, take a look at our latest Security Intelligence Report and the information available through the NVD. And for a high-level look at the top 10 trends and stats that matter most to security professionals right now, be sure and download our 2016 Trends in Cybersecurity e-book.

Learn more at Microsoft Secure.

Categories: cybersecurity, security, vulnerabilities Tags:

Economies of scale: A perspective on cross-platform vulnerabilities

July 31st, 2012 No comments

A year ago, we published a blog post titled ‘Backdoor Olyx – is it malware on a mission for Mac?‘. It explored the intriguing questions that lay behind this backdoor’s discovery, delivery and targets. We provided our observations and analysis, and suggested that this threat was used in a targeted attack against unknown victims. However, we found no clue at that time as to ‘how’ the threat was installed to its targets – an important missing piece that we’ve continued to investigate over time.

As shown in the timeline below, a succeeding variation of threats can be identified with the same suggested attack tactic – exploiting known vulnerabilities in software to install a backdoor to its target.

Upon closer inspection of this event, we observed that this malicious code may be delivered via the Web by exploiting Java vulnerabilities (referred to in CVE-2011-3544 and CVE-2012-0507). The second form of delivery we observed was via email attachment, where the malware distributors may attempt to take advantage of known Word document vulnerabilities (referred to in CVE-2010-3333) and the vulnerabilities resolved with the release of Microsoft Security Bulletin MS09-027. It is also important to point out that these vulnerabilities affect multiple platforms, and in this case, affect both Windows and Mac.

This observation is limited and based on the samples we identified, acquired and processed, however, this understanding provides us with an opportunity to recognize a trend we can describe as economies of scale in cross-platform vulnerabilities. This method of distribution allows the attacker to maximize their capability on multiple platforms. Thus, regardless of a particular attacker’s motive, the value and demand for these vulnerabilities is likely to persist – we know for a fact that Java vulnerabilities CVE-2011-3544 and CVE-2012-0507 are widely used by cybercriminals’ in exploit kits, such as Blacole/Blackhole.

If we look at this trend, then we start to notice that the following vulnerabilities in Java, Adobe PDF and Flash, and Microsoft Office documents, listed in the table below, may be used to target and attack multiple platforms. Note that these vulnerabilities have been patched; appropriate security updates for them have been released.

This highlights the importance of keeping security software up-to-date, and ensuring operating system and 3rd party security patches are installed (soon after they become available) in order to reduce the risk of malware infection. And, this best practice should extend to all devices and platforms, especially those in large enterprise networks.

Methusela Cebrian Ferrer
MMPC Melbourne

Security and Internet Explorer

March 11th, 2011 Comments off

While the Internet is an amazing resource in terms of the information you can find and things you can do today, it’s important to also be smart about how you browse. A browser can be a great tool in helping you stay safe when you go online.

Most online attacks fall into one of the three situations:

1. Malware that relies on social engineering to spread

2. Attacks directed against your browser or your operating system

3. Attacks directed towards the websites you visit

Let me spend some time describing what I mean by each of these, and also how Internet Explorer can help protect you from each of these types of attacks.

Helping Protect You from Socially Engineered Attacks

A term that you may hear on occasion within the security realm is “socially engineered attacks.” What this means is an attacker uses clever techniques to get you to lower your guard and trick you into doing something that makes you vulnerable to an attack. The idea here is that they aren’t looking for weaknesses in code; rather, they’re trying to fool you into a trap.

The ways in which we see this play out are varied; it may be that you get spam – that is to say an email from a fake bank that actually takes you to a malicious site, or an email supposedly from a friend that encourages you to download a file which may contain malware. To help keep you safe from such types of attacks, Internet Explorer comes with the Smart Screen filter technology, which has been improved even more with Internet Explorer 9. SmartScreen makes it harder for someone to trick you into opening a malicious page, or con you with a phishing site. This technology checks to see if the site you’re visiting is suspected of hosting malicious code and subsequently prevents you from continuing on to that page. Internet Explorer 9 goes one step further by warning you only when you download applications that may be of higher risk.

Technologies like this can make a big difference in helping to keep you safe online. In December, NSS Labs reported that Internet Explorer offers the best protection against the spread of socially-engineered malware. As you can see in the below chart, Internet Explorer 8 (90%) and Internet Explorer 9 (99%) offer significantly more protection than other browsers.

image

Mitigating Attacks on Your Browser and PC

Internet Explorer also helps protect against deliberate attacks where bad code is hosted on a site that is designed to exploit weaknesses in the software on your PC. Among all the lines of code that make up software, there can be vulnerabilities. The Internet Explorer team designed its browser with security in mind, and in comparison to other browsers, Internet Explorer has fewer vulnerabilities. The chart below illustrates the number of publicly known vulnerabilities in 2010 divided by each browser, according to the National Vulnerability Database.

image

*Data source: National Vulnerability Database. Data is based upon the most recently shipped versions available during this time period. In the case of Chrome, versions 5, 6, 7, & 8 were all released during this time period.

At Microsoft, products are built with a secure-by-design approach, where security is designed into the product from the ground up. The result of this effort is a browser that includes specific features to help people stay secure and technologies that help insulate the browser against exploits. In addition to Microsoft’s security processes, which includes the Security Development Lifecycle, Software Security Incident Response Process (SSIRP), and monthly security bulletins, some ways in which you might see this at a product level include features such as Protected Mode, Data Execution Prevention, and many others, both in Internet Explorer 8, and the soon to be released Internet Explorer 9.

Protecting Against the Compromised Websites

This last scenario is when an attacker that has compromised a site that you visit in a way that interferes with how your browser relates to the site. This type of an attack is called a cross-site scripting attack. In this instance, an attacker gets an unsuspecting server to load special code on your browser that allows the attacker to do anything from monitoring your keystrokes to performing actions on your behalf on the site. Internet Explorer has built in a Cross-Site Script Filter that makes such attacks more difficult and helps protect you.

The upcoming release of Internet Explorer 9 contains even more features designed to help keep you safer such as ActiveX Filtering and Application Reputation. More information on how Microsoft technologies can keep you secure can be found here.

Security and Internet Explorer

March 11th, 2011 No comments

While the Internet is an amazing resource in terms of the information you can find and things you can do today, it’s important to also be smart about how you browse. A browser can be a great tool in helping you stay safe when you go online.

Most online attacks fall into one of the three situations:

1. Malware that relies on social engineering to spread

2. Attacks directed against your browser or your operating system

3. Attacks directed towards the websites you visit

Let me spend some time describing what I mean by each of these, and also how Internet Explorer can help protect you from each of these types of attacks.

Helping Protect You from Socially Engineered Attacks

A term that you may hear on occasion within the security realm is “socially engineered attacks.” What this means is an attacker uses clever techniques to get you to lower your guard and trick you into doing something that makes you vulnerable to an attack. The idea here is that they aren’t looking for weaknesses in code; rather, they’re trying to fool you into a trap.

The ways in which we see this play out are varied; it may be that you get spam – that is to say an email from a fake bank that actually takes you to a malicious site, or an email supposedly from a friend that encourages you to download a file which may contain malware. To help keep you safe from such types of attacks, Internet Explorer comes with the Smart Screen filter technology, which has been improved even more with Internet Explorer 9. SmartScreen makes it harder for someone to trick you into opening a malicious page, or con you with a phishing site. This technology checks to see if the site you’re visiting is suspected of hosting malicious code and subsequently prevents you from continuing on to that page. Internet Explorer 9 goes one step further by warning you only when you download applications that may be of higher risk.

Technologies like this can make a big difference in helping to keep you safe online. In December, NSS Labs reported that Internet Explorer offers the best protection against the spread of socially-engineered malware. As you can see in the below chart, Internet Explorer 8 (90%) and Internet Explorer 9 (99%) offer significantly more protection than other browsers.

image

Mitigating Attacks on Your Browser and PC

Internet Explorer also helps protect against deliberate attacks where bad code is hosted on a site that is designed to exploit weaknesses in the software on your PC. Among all the lines of code that make up software, there can be vulnerabilities. The Internet Explorer team designed its browser with security in mind, and in comparison to other browsers, Internet Explorer has fewer vulnerabilities. The chart below illustrates the number of publicly known vulnerabilities in 2010 divided by each browser, according to the National Vulnerability Database.

image

*Data source: National Vulnerability Database. Data is based upon the most recently shipped versions available during this time period. In the case of Chrome, versions 5, 6, 7, & 8 were all released during this time period.

At Microsoft, products are built with a secure-by-design approach, where security is designed into the product from the ground up. The result of this effort is a browser that includes specific features to help people stay secure and technologies that help insulate the browser against exploits. In addition to Microsoft’s security processes, which includes the Security Development Lifecycle, Software Security Incident Response Process (SSIRP), and monthly security bulletins, some ways in which you might see this at a product level include features such as Protected Mode, Data Execution Prevention, and many others, both in Internet Explorer 8, and the soon to be released Internet Explorer 9.

Protecting Against the Compromised Websites

This last scenario is when an attacker that has compromised a site that you visit in a way that interferes with how your browser relates to the site. This type of an attack is called a cross-site scripting attack. In this instance, an attacker gets an unsuspecting server to load special code on your browser that allows the attacker to do anything from monitoring your keystrokes to performing actions on your behalf on the site. Internet Explorer has built in a Cross-Site Script Filter that makes such attacks more difficult and helps protect you.

The upcoming release of Internet Explorer 9 contains even more features designed to help keep you safer such as ActiveX Filtering and Application Reputation. More information on how Microsoft technologies can keep you secure can be found here.

Security and Internet Explorer

March 11th, 2011 No comments

While the Internet is an amazing resource in terms of the information you can find and things you can do today, it’s important to also be smart about how you browse. A browser can be a great tool in helping you stay safe when you go online.

Most online attacks fall into one of the three situations:

1. Malware that relies on social engineering to spread

2. Attacks directed against your browser or your operating system

3. Attacks directed towards the websites you visit

Let me spend some time describing what I mean by each of these, and also how Internet Explorer can help protect you from each of these types of attacks.

Helping Protect You from Socially Engineered Attacks

A term that you may hear on occasion within the security realm is “socially engineered attacks.” What this means is an attacker uses clever techniques to get you to lower your guard and trick you into doing something that makes you vulnerable to an attack. The idea here is that they aren’t looking for weaknesses in code; rather, they’re trying to fool you into a trap.

The ways in which we see this play out are varied; it may be that you get spam – that is to say an email from a fake bank that actually takes you to a malicious site, or an email supposedly from a friend that encourages you to download a file which may contain malware. To help keep you safe from such types of attacks, Internet Explorer comes with the Smart Screen filter technology, which has been improved even more with Internet Explorer 9. SmartScreen makes it harder for someone to trick you into opening a malicious page, or con you with a phishing site. This technology checks to see if the site you’re visiting is suspected of hosting malicious code and subsequently prevents you from continuing on to that page. Internet Explorer 9 goes one step further by warning you only when you download applications that may be of higher risk.

Technologies like this can make a big difference in helping to keep you safe online. In December, NSS Labs reported that Internet Explorer offers the best protection against the spread of socially-engineered malware. As you can see in the below chart, Internet Explorer 8 (90%) and Internet Explorer 9 (99%) offer significantly more protection than other browsers.

image

Mitigating Attacks on Your Browser and PC

Internet Explorer also helps protect against deliberate attacks where bad code is hosted on a site that is designed to exploit weaknesses in the software on your PC. Among all the lines of code that make up software, there can be vulnerabilities. The Internet Explorer team designed its browser with security in mind, and in comparison to other browsers, Internet Explorer has fewer vulnerabilities. The chart below illustrates the number of publicly known vulnerabilities in 2010 divided by each browser, according to the National Vulnerability Database.

image

*Data source: National Vulnerability Database. Data is based upon the most recently shipped versions available during this time period. In the case of Chrome, versions 5, 6, 7, & 8 were all released during this time period.

At Microsoft, products are built with a secure-by-design approach, where security is designed into the product from the ground up. The result of this effort is a browser that includes specific features to help people stay secure and technologies that help insulate the browser against exploits. In addition to Microsoft’s security processes, which includes the Security Development Lifecycle, Software Security Incident Response Process (SSIRP), and monthly security bulletins, some ways in which you might see this at a product level include features such as Protected Mode, Data Execution Prevention, and many others, both in Internet Explorer 8, and the soon to be released Internet Explorer 9.

Protecting Against the Compromised Websites

This last scenario is when an attacker that has compromised a site that you visit in a way that interferes with how your browser relates to the site. This type of an attack is called a cross-site scripting attack. In this instance, an attacker gets an unsuspecting server to load special code on your browser that allows the attacker to do anything from monitoring your keystrokes to performing actions on your behalf on the site. Internet Explorer has built in a Cross-Site Script Filter that makes such attacks more difficult and helps protect you.

The upcoming release of Internet Explorer 9 contains even more features designed to help keep you safer such as ActiveX Filtering and Application Reputation. More information on how Microsoft technologies can keep you secure can be found here.