Archive for the ‘Exploitability’ Category

August 2013 Security Bulletin Webcast, Q&A, and Slide Deck

August 19th, 2013

Today we’re publishing the August 2013 Security Bulletin Webcast Questions & Answers page.  We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Exchange Server (MS13-061) and Windows Kernel (MS13-063).  There were 3 additional questions during the webcast that we were unable to answer on air, and we have also answered those on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, September 11, 2013, at 11 a.m. PDT (UTC -8), when we will go into detail about the September bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, September 11, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

August 2012 Security Bulletin Webcast, Q&A, and Slide Deck

August 18th, 2012

Hello.

Today we’re publishing the August 2012 Security Bulletin Webcast Questions & Answers page. During the webcast, we fielded twelve questions focusing primarily on MS12-060 covering Windows Common Controls, MS12-052 regarding Internet Explorer, and Security Advisory 2661254 addressing trust in certificates with RSA keys shorter than 1024 bits. Three additional questions were answered after the webcast. All questions are included on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, September 12th at 11 a.m. PDT (-7 UTC), when we will go into detail about the September bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, September 12, 2012

Time: 11:00 a.m. PDT (UTC -7)

Register: Attendee Registration

Thanks,

Yunsun Wee

Director, Trustworthy Computing.

Announcing the BlueHat Prize for Advancement of Exploit Mitigations

July 28th, 2011

Protecting the general computing ecosystem is a really tough job, and given some of the media headlines, it’s easy to get discouraged and wallow in the problems. It seems like we’re constantly bombarded with statistics measuring the number of bugs, vulnerabilities, or attacks in an attempt to build an accurate “state of the state.” The popular question of late seems to be “Is the ecosystem getting more or less secure?”

In my role, I talk with a lot of customers. In fact, we had recent meetings on Microsoft’s campus with CSOs from some of the world’s largest companies. While the topic sometimes starts with the “state of the state” and recent changes in the threat landscape, they always end up in the same place: customers want to discuss and collaborate on solutions, rather than wallowing in the problems.

We’ve collaborated with many of the thousands of brilliant security researchers across the globe over the years, and they’ve helped us improve the security of our products & services.  There are also hundreds of security providers in the industry that we work closely with. In fact, three years ago we took an unconventional approach to security challenges by creating the Microsoft Active Protections Program (MAPP) to help unify this group of defenders.  This program shifted advantage to the good guys by promoting collaboration within the industry, even among competitors, in order to quickly build defensive technologies for over a billion of our shared customers around the world.

The success of that program – which inspired industry collaboration – got us thinking about whether we could do something similar for the security research community. Our goal was to inspire new lines of research in areas that have the most impact and leverage in protecting customers. That means not building incentives to find single bugs, but instead rewarding work on innovative solutions that could mitigate entire classes of attacks.

Today, I am pleased to announce the BlueHat Prize to inspire security researchers to seek innovations in exploit mitigation technologies. This is the first and largest incentive prize ever offered by Microsoft, and possibly the industry, for defensive computer security technology. In the age of increased risk of attacks on personal, corporate and government computer systems, Microsoft recognizes the need to encourage and nurture innovation in the area of exploit mitigations. At Microsoft, we believe in hiring the best and brightest minds in security to help us improve the security of our products and services, but also recognize it will take a “global village” to address today’s security challenges.

With over a quarter million dollars in cash and prizes, Microsoft believes the BlueHat Prize will motivate the community and foster even more collaboration with researchers throughout the security industry. To understand more about this competition, please visit Katie Moussouris’ EcoStrat blog or the BlueHat Prize contest page.

-Matt Thomlinson

Q&A from May 2011 Security Bulletin Webcast

May 12th, 2011

Hello,

Today we published the May Security Bulletin Webcast Questions & Answers page. We fielded twelve questions on various topics during the webcast, including the bulletins released and the Malicious Software Removal Tool. There were two questions during the webcast that we were unable to answer on air, and we have included those questions and answers on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, June 15th at 11am PDT (-8 UTC), when we will go into detail about the June bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, June 15, 2011
Time: 11:00 a.m. PDT (UTC -8)

Register: Attendee Registration


Thanks –

Jerry Bryant

Group Manager, Response Communications
Trustworthy Computing Group

Exploitability Index Improvements & Advance Notification Service for May 2011 Bulletin Release

May 5th, 2011

Hello everyone,

Today we are announcing changes to Microsoft’s Exploitability Index.

Since October 2008, we have used the Exploitability Index to provide customers with valuable exploitability analysis for our security bulletins, and starting Tuesday this information will become even more comprehensive for those who use Microsoft’s latest platforms.

The Exploitability Index assesses the likelihood that functional exploit code will be developed for a particular vulnerability. By providing the index information month over month, we’re helping customers prioritize the security updates that matter to them. The Exploitability Index will continue to provide an aggregate exploitability rating across all affected products, and the improvements made to the Exploitability Index will now offer additional information to help customers prioritize bulletins, specifically for the most recent platforms, e.g. Windows 7 Service Pack 1 and Office 2010.

For example, the Exploitability Index for CVE-2011-0097, a security issue addressed by MS11-021 in the April 2011 release, was originally rated “1 – Consistent Exploit Code Likely”. However, under the previous system, the Exploitability Index did not specifically illustrate that customers using Excel 2010 were at less risk; with Excel 2010, CVE-2011-0097 would rate “2 – Inconsistent Exploit Code Likely”. In fact, our research has shown that 37 percent of the vulnerabilities addressed since July 2010 have had similar results: the latest platform was either entirely unaffected or significantly more difficult to exploit.

Maarten Van Horenbeeck, senior security program manager, goes into more depth on the background of the Exploitability Index and the value of these improvements in the MSRC blog post “Exploitability Index Improvements Now Offer Additional Guidance”.

Additionally, we’re providing advance notification of the release of a Critical security bulletin addressing a vulnerability in Windows, and an Important bulletin addressing two vulnerabilities in Microsoft Office. As usual, the bulletin release is scheduled for the second Tuesday of the month, May 10, at approximately 10 a.m. PDT.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Pete Voss
Sr. Response Communications Manager
Microsoft Trustworthy Computing

Exploitability Index Improvements Now Offer Additional Guidance

May 5th, 2011

In October of 2008, Microsoft published its first Exploitability Index: a rating system that helps customers identify the likelihood that a specific vulnerability would be exploited within the first 30 days after bulletin release.

As of this month, we are making some changes to the rating system to make vulnerability assessment clearer and more digestible for customers. Specifically, we will be publishing two Exploitability Index ratings per vulnerability: one for the most recent platform, the other an aggregate rating for all older versions of the software. This change makes it easier for customers on recent platforms to determine their risk given the extra security mitigations and features built into Microsoft’s newest products; under the previous system, vulnerabilities were given an aggregate rating across all product versions.

How do we build an Exploitability Index?

Each vulnerability rating is based on a thorough review by the MSRC Engineering team, as well as close cooperation with a number of key partners. The ratings are qualitative: our team does an in-depth technical analysis of the vulnerability in question, and identifies the likelihood that an experienced exploit developer would be able to exploit the vulnerability. Some great examples of these types of reviews can be found on the SRD blog here and here.

We have received feedback in the past that the Exploitability Index did not take into account more recent mitigations implemented in our operating systems. For instance, Windows 7 includes Address Space Layout Randomization (ASLR), a mitigation technique which randomizes where code is placed in memory and makes it much harder for an attacker to write a reliable exploit. This functionality is not available by default on older operating systems such as Windows XP.

Under the previous system, if consistent exploit code was considered likely for any supported version, the vulnerability received Microsoft’s highest rating of “1,” indicating that a reliable exploit within 30 days is likely, even though ASLR made exploitation significantly more difficult on newer versions. While this is accurate for the older version, it does not correctly reflect the risk for users of Windows 7.

Rating the Latest Platform Separately from Older Platforms

As of this month, we will split the Exploitability Index into a rating for the most recent version of the software and an aggregate rating for all older versions. In the scenario above, the rating for Windows 7 could be “2” whereas the rating for all other platforms would be “1”. This more accurately reflects risk to customers that keep their environment updated with the latest product releases.

Assessing Denial of Service Risk

An additional item we are now providing with the Exploitability Index is an assessment of the Denial of Service risk a vulnerability poses. In the case of remote code execution vulnerabilities, an issue that is difficult to exploit may still be used to crash a computer. Even when an attacker cannot control memory addresses sufficiently to execute code, he may still be able to corrupt memory sufficiently to stop the computer from responding.

For IT administrators, it is important to understand whether the denial of service is “permanent,” in which case the program or operating system exits unexpectedly and the system needs to be restarted, or “temporary,” in which case the program or operating system merely becomes unresponsive during the attack but eventually recovers. In the example table below, the entry for CVE-2011-0673 indicates that an attacker who attempts to exploit the vulnerability, even unsuccessfully, may render the system entirely unavailable. For administrators of internet-facing services, this can often be the difference between a highly important and an insignificant vulnerability.

An Example of Our New Exploitability Index Rating System

To help you prepare for these changes in the May release, we are providing an example of these changes applied to three different CVEs from the April Bulletin Release:

Bulletin | CVE | CVE Title | Code Execution Exploitability Assessment for Latest Software Release (1) | Code Execution Exploitability Assessment for Older Software Release (2) | DoS Exploitability Assessment (3) | Key Notes
--- | --- | --- | --- | --- | --- | ---
MS11-021 | CVE-2011-0097 | Excel Integer Overrun Vulnerability | 2 – Inconsistent exploit code likely | 1 – Consistent exploit code likely | Temporary | (None)
MS11-029 | CVE-2011-0041 | GDI+ Integer Overflow Vulnerability | Not affected | 1 – Consistent exploit code likely | Temporary | (None)
MS11-034 | CVE-2011-0673 | Win32k Null Pointer De-reference Vulnerability | Not affected | 1 – Consistent exploit code likely | Permanent | (None)

(1) The Latest Software Release refers to the latest supported release of the software as listed in both the “Affected Software” and “Non-Affected Software” tables in the bulletin.

(2) The Older Software Release refers to any other version of the software as listed in both the “Affected Software” and “Non-Affected Software” tables in the bulletin.

In the case of CVE-2011-0097, the most recent version of Microsoft Office has additional mitigations in place that make exploitation less reliable. For CVE-2011-0041, the latest version of the product, Windows 7, was not affected at all.

CVE-2011-0673 is a local elevation of privilege vulnerability which could lead to a permanent Denial of Service, and may require the machine to be restarted in order to restore functionality. Again, the latest version of the product was not affected by this issue.

In the table, the “Latest Software Release” is always the very latest version listed across both the “Affected Software” and “Non-Affected Software” tables in the security bulletin. The Exploitability Index Assessment for the “Older Software Release” is always the highest rating across any other platform listed in either of these tables. In the case of a complex security bulletin, where for instance both Microsoft Office and Microsoft Windows are affected, the Exploitability Index Assessment for the “Latest Software Release” will be the highest across both software products.

For instance, if the exploitability index assessment for Windows 7 Service Pack 1 is “1,” and for Office 2010 is “2,” the rating in the “Latest Software Release” column will be “1”.
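The column rules in the two paragraphs above, written out as an added Python example (this is not code from the original post or from Microsoft): per-platform ratings go in, the “Latest Software Release” and “Older Software Release” values come out, and a small helper orders CVEs for patching by whichever column matches an environment. The PlatformRating fields, the severity ordering, the placeholder CVE id and the sample data are constructed here; only the Windows 7 SP1 / Office 2010 case and the CVE-2011-0041 row come from the post.

```python
from dataclasses import dataclass

# Index values ordered by severity: "1" is the most severe, so the post's
# "highest rating" is the numerically lowest index. Ordering is an assumption.
SEVERITY = {
    "1 - Consistent exploit code likely": 3,
    "2 - Inconsistent exploit code likely": 2,
    "Not affected": 0,
}

@dataclass(frozen=True)
class PlatformRating:
    version: str     # platform as listed in the bulletin, e.g. "Windows 7 SP1"
    is_latest: bool  # True for the latest supported release of its product
    rating: str      # one of the SEVERITY keys

def worst(ratings):
    """Most severe rating in a collection; an empty collection means not affected."""
    return max(ratings, key=SEVERITY.__getitem__, default="Not affected")

def split_index(platforms):
    """(latest-release rating, older-release rating): each column is the worst
    rating across the platforms it covers, the latest column spanning the latest
    release of every product in the bulletin."""
    latest = worst([p.rating for p in platforms if p.is_latest])
    older = worst([p.rating for p in platforms if not p.is_latest])
    return latest, older

def prioritize(bulletins, only_latest_platforms):
    """Order (cve, platforms) pairs most severe first, using the column that fits
    the environment: latest-release if every host runs the latest platform."""
    column = 0 if only_latest_platforms else 1
    return sorted(bulletins, reverse=True,
                  key=lambda kv: SEVERITY[split_index(kv[1])[column]])

# Constructed sample: the post's complex-bulletin case (Windows 7 SP1 rated "1",
# Office 2010 rated "2") under a placeholder CVE id, and the CVE-2011-0041 row.
SAMPLE = {
    "CVE-PLACEHOLDER-COMPLEX": [
        PlatformRating("Windows 7 SP1", True, "1 - Consistent exploit code likely"),
        PlatformRating("Office 2010", True, "2 - Inconsistent exploit code likely"),
        PlatformRating("Windows XP", False, "1 - Consistent exploit code likely"),
    ],
    "CVE-2011-0041": [
        PlatformRating("Windows 7", True, "Not affected"),
        PlatformRating("Windows XP", False, "1 - Consistent exploit code likely"),
    ],
}
```

split_index(SAMPLE["CVE-2011-0041"]) returns ("Not affected", "1 - Consistent exploit code likely"), matching the MS11-029 row of the table, and prioritize(SAMPLE.items(), True) ranks the complex bulletin ahead of it for a shop running only the latest platforms.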

A historical perspective

At Microsoft, we have been collecting ratings internally in this way for the last eight months. Out of a total of 256 ratings, we found that 97 issues were less serious, or not applicable on the latest version of the product. In contrast, only seven cases affected the most recent product version and not the older platforms.

Some changes, but the same goal

Our goal in publishing Exploitability Index ratings is to make it easier for enterprises to prioritize which updates to install first. We understand that some customers may not be able to install all updates at the same time. By giving an assessment of the exploitability and impact of an issue, we hope to support IT administrators in making rational decisions on which security updates to install first. We hope these changes prove useful in your monthly assessment of our security updates!

Maarten Van Horenbeeck
Senior Security Program Manager
EcoStrat