Archive

Archive for September, 2016

Too few women in cybersecurity: a gap in our protections that must be addressed

This post was authored by Angela Mckay, Director of Cybersecurity Policy, CPP US

I started working in the cybersecurity space in almost 15 years ago, first as an engineer for BellSouth Telecommunications and then supporting the Department of Homeland Security’s (DHS) Office of Cybersecurity and Communications in several key roles at Booz Allen Hamilton, before joining Microsoft in 2008. In those years I learned that in at least one respect I was unusual, even exceptional: unlike most of my colleagues and peers, I was a woman.

Diversity in cybersecurity matters for a very practical reason. Those seeking to breach cybersecurity are willing and able to exploit any flawed thinking, any inadvertent blind spot. Cybersecurity teams that fall into group-think or are blind to alternative ways of working through challenges are more likely to miss things and enable hostile actors. Teams that include people with different expertise, backgrounds, genders, ages, cultures are more likely to deliver robust cybersecurity outcomes; implicit assumptions can be more easily challenged and the fullest range of insights on what can go wrong (and hence what can be done) can be gathered.

Diversity also matters from a business perspective. Microsoft’s goal of empowering every person and organization across the world means that our technology needs to reflect the different needs and perspectives of the people who will use it. These perspectives and requirements cross cultural, gender, social and age lines, and our teams need to be able to cross those lines too, even in cybersecurity.
Recently, I had an opportunity to host an event, “Women in Cybersecurity: Opportunities and Experiences” at the Microsoft offices in Washington, D.C. The event addressed the concerning deficit of women in the cybersecurity arena and also explored avenues for making a career in this field attractive for a more diverse range of people.

Fred Humphries, who leads Microsoft’s U.S. government affairs, made an excellent point in his opening remarks: achieving gender balance in the cybersecurity workforce is important but part of doing so is better acknowledging women already active in the sector. Events such as “Women in Cybersecurity” should be a platform for pushing for that acknowledgement. So I’d like to take a moment to acknowledge the impressive women I was honored to join as moderator for a discussion of the practical challenges and opportunities for women in the cybersecurity field.

Brooke Hunter is chief of staff and director of strategic initiatives at New America’s Open Technology Institute. Her career path started in policy-related work in Washington D.C., not just on technology but on media and workplace diversity.

Valecia Maclin, director of cybersecurity and special missions at Raytheon, began (like me) as an engineer, transitioning into the cybersecurity space at a time when it was moving from being a technical, backroom issue to a significant business, government and societal concern.

Dena Graziano, Symantec’s director of federal government affairs started in the policy space, working on Capitol Hill, including for the House Homeland Security Committee and the Judiciary Committee, all of which brought her into privacy and security sphere.

Emily Schneider, cybersecurity consultant at Deloitte & Touche LLP, entered cybersecurity from a distinctly non-technical background, studying literature before going to law school and supporting federal clients in the identity management sector.

As the panel itself shows, there are multiple career paths into the cybersecurity sector for women, so the question is what is hindering our numbers and contributions?

All the panelists found common ground on the challenges facing women. Even with technical experience and skill, the importance of speaking confidently was underscored as a way of ensuring different, opinions were heard. The ability to ask questions and insist on answers was also seen as essential, especially in more technical areas.

The panel discussion and the event’s group exercises and side-bar conversations, confirmed my belief that cybersecurity can and must benefit from diverse contributions from diverse people. By setting clear professional as well as personal priorities, women in particular can and should build strong careers in this space, not least because they (we) are well suited to foster collaboration in increasingly diverse cybersecurity teams. It is, therefore, up to businesses, from leaders like Microsoft to fresh start-ups, to encourage women to engage in the cybersecurity field, and it is up to women to take on the opportunities that cybersecurity offers.

Categories: Uncategorized Tags:

Modern browsers are closing the door on Java exploits, but some threats remain

September 26th, 2016 No comments

Was 2015 the year the industry finally eradicated Java exploitation? Well, not quite, but the good news is we’re getting there.

It should be no surprise that encounters with Java exploits continued to decrease significantly in the second half of 2015 — All of the most commonly encountered exploits target vulnerabilities that were addressed with security updates years ago. While Java was once the vehicle of choice for attackers, modern browser technologies have rendered such exploits largely ineffective.

This is good news for IT security teams is that they can now concentrate more resources on emerging threats like those that have been targeting Adobe Flash. Despite the positive trend, it doesn’t mean organizations can ignore the threat of Java exploits entirely. As you can see in the graph below, some of the more common Java-based threats are still out there. While they are occurring much less frequently than they were years ago, organizations still need to ensure they are protected.

The fact that these numbers continue to decline is likely due to several important changes in the way web browsers evaluate and execute Java applets. The default web browser in Windows 10 is Microsoft Edge, which does not support Java or other ActiveX plug-ins at all. This in effect eliminates the possibility of Java exploits being delivered within the browser.

Other browsers are also built to eliminate or mitigate exploits:

  • As of September 1, 2015, Google Chrome stopped supporting the NPAPI plug-in architecture that many Java applets rely upon due to security concerns. Like Edge, Chrome no longer works with most Java-based plug-ins.
  • Mozilla Firefox currently allows users to disable Java applets by deselecting “Enable JavaScript” under its Content tab, and has announced that it will also discontinue NPAPI support by the end of 2016.
  • Internet Explorer 11 provides a mechanism to validate that a webpage is safe before allowing embedded Java applets. Further updates to Internet Explorer released in 2014 hardened the browser against Java exploitation by reducing use-after-free exploits and blocking out-of-date ActiveX controls.

Persistent threats

The fact that new browsers are flexing muscles in the security space is good news, but the bad news is that some threats still persist. The chart above shows that each of these exploits is in decline, but they are all risks that security teams should be aware of, especially where there are out-of-date Java installations:

  • CVE-2012-1723. This is the most common individual Java exploit we encountered in late 2015, and one we discussed way back in 2012. It works by tricking the Java Runtime Environment (JRE) into treating one type of variable like another type. Oracle confirmed the existence of the vulnerability in June 2012, and addressed it the same month with its June 2012 Critical Patch Update. The vulnerability was observed being exploited in the wild beginning in early July 2012, and has been used in a number of exploit kits.
  • CVE-2010-0840 is a JRE vulnerability that was first disclosed in March 2010 and addressed by Oracle with a security update the same month. The vulnerability was previously exploited by some versions of the Blackhole exploit kit (detected as JS/Blacole), which has been inactive in recent years.
  • CVE-2012-0507 allows an unsigned Java applet to gain elevated permissions and potentially have unrestricted access to a host system outside its sandbox environment. The vulnerability is a logic error that allows attackers to run code with the privileges of the current user, which means that an attacker can use it to perform reliable exploitation on other platforms that support the JRE, including Apple Mac OS X, Linux, VMWare, and others. Oracle released a security update in February 2012 to address the issue.
  • CVE-2013-0422 first appeared in January 2013 as a zero-day vulnerability. CVE-2013-0422 is a package access check vulnerability that allows an untrusted Java applet to access code in a trusted class, which then loads the attacker’s own class with elevated privileges. Oracle published a security update to address the vulnerability on January 13, 2013. For more information about CVE-2013-0422 is available here.
  • In addition, Obfuscator is a generic detection for programs that have been modified by malware obfuscation, often in an attempt to avoid detection by security software. Files identified as Java/Obfuscator can represent exploits that target many different Java vulnerabilities.

For a thorough analysis on the state of malware in the latter half of 2015, take a look at our latest Security Intelligence Report. And for a high-level look at the top ten trends and stats that matter most to security professionals right now, be sure and download our 2016 Trends in Cybersecurity e-book.

MS16-107 – Critical: Security Update for Microsoft Office (3185852) – Version: 2.0

Severity Rating: Critical
Revision Note: V2.0 (September 22, 2016): Bulletin revised to announce the availability of the 14.6.8 update for Microsoft Office for Mac 2011 (3186805) and the 15.25 update for Microsoft Office 2016 for Mac (3186807). Customers running affected Mac software should install the appropriate update for their product to be protected from the vulnerabilities discussed in this bulletin. Customers running other Microsoft Office software do not need to take any action. See Microsoft Knowledge Base Article 3186805 and Microsoft Knowledge Base Article 3186807 for more information and download links.
Summary: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Categories: Uncategorized Tags:

MS16-107 – Critical: Security Update for Microsoft Office (3185852) – Version: 2.0

Severity Rating: Critical
Revision Note: V2.0 (September 22, 2016): Bulletin revised to announce the availability of the 14.6.8 update for Microsoft Office for Mac 2011 (3186805) and the 15.25 update for Microsoft Office 2016 for Mac (3186807). Customers running affected Mac software should install the appropriate update for their product to be protected from the vulnerabilities discussed in this bulletin. Customers running other Microsoft Office software do not need to take any action. See Microsoft Knowledge Base Article 3186805 and Microsoft Knowledge Base Article 3186807 for more information and download links.
Summary: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Categories: Uncategorized Tags:

Hacks for sale: Exploit kits provide easy avenue for unskilled attackers

September 19th, 2016 No comments

One of the most common cyber-attack vehicles we’ve seen over the years involves so-called “exploit kits.” These are collections of exploits bundled together and sold as commercial software or as a service.

A typical kit includes a collection of web pages with exploits for several vulnerabilities in popular web browsers, browser add-ons, or other types of software. When an attacker installs the kit on a web server, visitors to the attacker’s malicious webpage who don’t have appropriate security updates installed are at risk of their computers being compromised through drive-by download attacks.

One reason exploit kits are so dangerous to both consumers and businesses is that an attacker needn’t be a skilled hacker to use one. Prospective attackers can buy or rent exploit kits on malicious hacker forums and other outlets. Lower skilled attackers can use the kits to perform sophisticated attacks, which contributes to the fact that they have become so widespread over time. In fact, exploit kits accounted for four of the ten most commonly encountered threats during the second half of 2015 according to our 2016 Trends in Cybersecurity e-book.

What can you do to protect your organization?

To protect your organization, it’s important that your security teams understand which exploits and exploit kits are being used most often by attackers. The graphic below shows the most frequently encountered exploits noted in our latest Security Intelligence Report, and we detail three of the more common exploits, and the kits they are a part of, below.

Most frequently encountered exploits noted in our latest Security Intelligence Report

Most frequently encountered exploits noted in our latest Security Intelligence Report

Exploit Kit: Axpergle
A.K.A.: Angler

Axpergle is the most common exploit, commonly found in the Angler exploit kit. It targets Internet Explorer, Adobe Flash Player and Java. Exploit kit authors frequently change the exploits included in their kits in an effort to stay ahead of software publishers and security software vendors. Exploits targeting zero-day vulnerabilities — those for which no security update has yet been made available by the vendor — are highly sought after by attackers, and the Axpergle authors added several zero-day Flash Player exploits to the kit in 2015.

Exploit Kit: HTML/Meadgive
A.K.A.: RIG

Other exploit kits were encountered at much lower levels. Encounters involving the RIG exploit kit (also known as Redkit, Infinity, and Goon, and detected as HTML/Meadgive) more than doubled from summer to fall of 2015, but remained far below those involving Angler.

Exploit Kit: Win32/Anogre
A.K.A.: Sweet Orange

Encounters involving the Sweet Orange kit (detected as Win32/Anogre), the second most commonly encountered exploit kit in the first quarter of 2015, decreased to negligible levels by the end of the year.

Take the first step — Keep software up to date

Keeping your software up to date is one of the most effective defenses against exploit kits and their ever-evolving attacks.

To keep up with all the latest news about exploit kits, as well as viruses, malware and other known threats, make sure to bookmark the Microsoft Malware Protection Center blog for frequent updates. And for a high-level look at the top 10 trends and stats that matter most to security professionals right now, be sure and download the 2016 Trends in Cybersecurity e-book.

Keep Microsoft software up to date — and everything else too

September 14th, 2016 No comments

Many of the CIOs and CISOs that I talk to, have, over time, developed mature vulnerability assessment methodologies and security updating processes. But frequently, I find that the focus of these processes is squarely on keeping Microsoft operating systems and browsers up to date. Of course vulnerabilities in popular operating systems or browsers have the potential to affect a broad audience. Another reason for this focus is that Microsoft has made updating relatively easy by offering updates via Windows Update, Microsoft Update, and via various tools like Windows Server Update Services and others.

But data from our latest Security Intelligence Report suggests that customers need to keep all of their software up-to-date, not just Microsoft software.

In the last half of 2015 there were nearly 3,300 vulnerability disclosures across the industry, of which 305 were in Microsoft products. With more than 90 percent of reported vulnerabilities occurring outside the Microsoft portfolio, organizations need to monitor their entire technology stack to minimize their risk.

Microsoft products accounted for less than 10 percent of industrywide vulnerabilities in the second half of 2015.

Microsoft products accounted for less than 10 percent of industrywide vulnerabilities in the second half of 2015.

This is consistent with previous years as well. The software industry worldwide includes thousands of vendors, and historically, vulnerabilities for Microsoft software have accounted for between three and ten percent of disclosures in any six-month period.

To find out what’s happening in the world of software vulnerabilities across your IT environment, take some time to review our latest Security Intelligence Report and the information available through the National Vulnerability Database (NVD), the U.S. government’s repository of standards-based vulnerability management data. And for a high-level look at the top ten trends and stats that matter most to security professionals right now, be sure and download our 2016 Trends in Cybersecurity e-book.

3174644 – Updated Support for Diffie-Hellman Key Exchange – Version: 1.0

Categories: Uncategorized Tags:

3181759 – Vulnerabilities in ASP.NET Core View Components Could Allow Elevation of Privilege – Version: 1.0

Revision Note: V1.0 (September 13, 2016): Advisory published.
Summary: Microsoft is releasing this security advisory to provide information about a vulnerability in the public versions of ASP.NET Core MVC 1.0.0. This advisory also provides guidance on what developers can do to help ensure that their applications are updated correctly.

Categories: Uncategorized Tags:

MS16-112 – Important: Security Update for Windows Lock Screen (3178469) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (September 13, 2016): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if Windows improperly allows web content to load from the Windows lock screen.

Categories: Uncategorized Tags:

MS16-116 – Critical: Security Update in OLE Automation for VBScript Scripting Engine (3188724) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (September 13, 2016): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker successfully convinces a user of an affected system to visit a malicious or compromised website. Note that you must install two updates to be protected from the vulnerability discussed in this bulletin: The update in this bulletin, MS16-116, and the update in MS16-104.

Categories: Uncategorized Tags:

MS16-107 – Critical: Security Update for Microsoft Office (3185852) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (September 13, 2016): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Categories: Uncategorized Tags:

MS16-104 – Critical: Cumulative Security Update for Internet Explorer (3183038) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (September 13, 2016): Bulletin published.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Categories: Uncategorized Tags:

MS16-114 – Important: Security Update for Windows SMBv1 Server (3185879) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (September 13, 2016): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. On Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems, the vulnerability could allow remote code execution if an authenticated attacker sends specially crafted packets to an affected Microsoft Server Message Block 1.0 (SMBv1) Server. The vulnerability does not impact other SMB Server versions. Although later operating systems are affected, the potential impact is denial of service.

Categories: Uncategorized Tags:

MS16-115 – Important: Security Update for Microsoft Windows PDF Library (3188733) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (September 13, 2016): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow information disclosure if a user views specially crafted PDF content online or opens a specially crafted PDF document.

Categories: Uncategorized Tags:

MS16-113 – Important: Security Update for Windows Secure Kernel Mode (3185876) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (September 13, 2016): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when Windows Secure Kernel Mode improperly handles objects in memory.

Categories: Uncategorized Tags:

MS16-SEP – Microsoft Security Bulletin Summary for September 2016 – Version: 1.0

Categories: Uncategorized Tags:

MS16-110 – Important: Security Update for Microsoft Windows (3178467) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (September 13, 2016): Bulletin published.
Summary: This security update resolves multiple vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker creates a specially crafted request and executes arbitrary code with elevated permissions on a target system.

Categories: Uncategorized Tags:

3174644 – Updated Support for Diffie-Hellman Key Exchange – Version: 1.0

Categories: Uncategorized Tags:

MS16-111 – Important: Security Update for Windows Kernel (3186973) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (September 13, 2016): Click here to enter text.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application on a target system.

Categories: Uncategorized Tags:

MS16-105 – Critical: Cumulative Security Update for Microsoft Edge (3183043) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (September 13, 2016): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

Categories: Uncategorized Tags: