Archive for the ‘Defense-in-depth’ Category

New Research Paper: Pre-hijacking Attacks on Web User Accounts

May 23rd, 2022

In 2020, MSRC awarded two Identity Project Research Grants to support external researchers working to further strengthen the security of identity protocols and systems. Today we are pleased to release the results of the first of these projects. This research, led by independent security researcher Avinash Sudhodanan, investigated account pre-hijacking – a new class of …


Verifying update hashes

November 13th, 2012

Some of you may have noticed us improving our defense-in-depth practices for bulletins by supplying sha1 and sha2 hashes in the Knowledge Base (KB) articles. This has been most visible in the KB with the addition of the “File hash information” section, but it is also noted in the Frequently Asked Questions (FAQ) section of each bulletin for convenience.

From PowerShell you can easily leverage the .Net Cryptographic Services to define a get-sha256 function, as Mike Wilbur has done here. And though it should go without saying, I will say it anyhow: you should not use script or code from untrusted sources.

function get-sha256 {
    param($file)
    # Hash the file with SHA-256 and print the digest as uppercase hex with the dashes removed
    $stream = [System.IO.File]::OpenRead((Resolve-Path $file).ProviderPath)
    try { [System.BitConverter]::ToString([System.Security.Cryptography.SHA256]::Create().ComputeHash($stream)) -replace "-", "" }
    finally { $stream.Close() }
}

Let’s verify the hashes for MS12-071:

After downloading the msu files we can simply iterate through the directory listing getting the sha2 hash for each file.

If you prefer not to use the .Net Cryptographic Services you could also verify sha1 hashes with the File Checksum Integrity Verifier utility available in KB 841290.
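As an added example (not code from the original post), the script below does the directory walk described above and compares each .msu against the hashes copied from the KB article’s “File hash information” section, using the same .Net Cryptographic Services call as get-sha256. The folder path, file name and hash value are placeholders; the function names are this example’s own.

```powershell
# Expected digests copied from the KB article. Keys are .msu file names, values are the
# hex digests as printed in the "File hash information" section (placeholder values here).
$expected = @{
    'Windows6.1-KB0000000-x64.msu' = 'PLACEHOLDER_SHA256_FROM_KB_ARTICLE'
}

function Get-FileDigest {
    param([string]$Path, [string]$Algorithm = 'SHA256')
    # Same .Net Cryptographic Services approach as get-sha256 above, with the stream closed afterwards
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead((Resolve-Path $Path).ProviderPath)
    try {
        [System.BitConverter]::ToString($hasher.ComputeHash($stream)) -replace '-', ''
    } finally {
        $stream.Close()
        $hasher.Dispose()
    }
}

function Test-UpdateHashes {
    param([string]$Folder, [hashtable]$Expected, [string]$Algorithm = 'SHA256')
    # Check every .msu in the folder; a file with no entry in $Expected is flagged as well,
    # since a file you did not expect in the staging folder deserves a look before install
    Get-ChildItem -Path $Folder -Filter *.msu | ForEach-Object {
        $actual = Get-FileDigest -Path $_.FullName -Algorithm $Algorithm
        $want = $Expected[$_.Name]
        if (-not $want) { $status = 'NO EXPECTED HASH' }
        elseif ($actual -ieq $want) { $status = 'OK' }
        else { $status = 'MISMATCH - do not install' }
        [pscustomobject]@{ File = $_.Name; Hash = $actual; Status = $status }
    }
}

# Pass -Algorithm SHA1 to compare against the sha1 values in the KB article instead
Test-UpdateHashes -Folder 'C:\Updates\MS12-071' -Expected $expected | Format-Table -AutoSize
```

A MISMATCH row means the downloaded file is not the one the KB article describes, whether through a corrupted download or something worse, so it should not be installed.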

Most people will not need to go to these lengths, since automatic updates streamline the secure distribution of updates. Even so, we continually work to raise the bar as part of our ongoing drive to evaluate defense-in-depth efforts and provide improvements.

Thank you,

Dustin Childs
Group Manager
Microsoft Trustworthy Computing


August 2012 Bulletin Release

August 14th, 2012

Security Advisory 2661254 – Update For Minimum Certificate Key Length
Before we get into the details of this month’s bulletin release, let’s take a look at an important change on how Windows deals with certificates that have RSA keys of less than 1024 bits in length.

We’ve been talking about this subject since June, and today we are announcing the availability of an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length with Security Advisory 2661254. As noted in the advisory, this update will be available in the Download Center as well as the Microsoft Update Catalog. This allows enterprise administrators to download and import the update into WSUS for testing before widely deploying the update throughout their enterprise. The security advisory includes instructions on how to configure the update and provides general guidance on what steps customers should take to become more secure. This update is planned to be released via Windows Update starting in October 2012.

For additional details on these defense-in-depth changes to how Windows deals with certificates please visit Public Key Infrastructure (PKI) blog.
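Before deploying the update it helps to know which certificates on a machine it will affect. The script below is an added example (not part of the advisory or the original post): it walks the local machine and current user certificate stores and lists RSA keys shorter than the advisory’s 1024-bit minimum. Run it in an elevated session so the LocalMachine stores are readable; the function name and output layout are this example’s own.

```powershell
function Get-WeakRsaCertificate {
    param([int]$MinimumBits = 1024)   # threshold from Security Advisory 2661254
    foreach ($root in 'Cert:\LocalMachine', 'Cert:\CurrentUser') {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $cert = $_
                # Only RSA keys are subject to the new minimum; skip DSA and ECC keys
                if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return }
                try { $bits = $cert.PublicKey.Key.KeySize } catch { return }
                if ($bits -lt $MinimumBits) {
                    [pscustomobject]@{
                        # PSParentPath looks like "...Certificate::LocalMachine\My"; keep the store part
                        Store      = $cert.PSParentPath -replace '^.*::', ''
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        KeyBits    = $bits
                        NotAfter   = $cert.NotAfter
                        Thumbprint = $cert.Thumbprint
                    }
                }
            }
    }
}

# Certificates listed here will fail validation once the update is applied
Get-WeakRsaCertificate | Sort-Object Store, Subject | Format-Table -AutoSize
```

Anything that shows up here (a self-signed root on an internal PKI, an old device certificate) needs to be reissued with a longer key or handled per the advisory’s configuration guidance before the update rolls out.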

Security Updates
For this Update Tuesday we are releasing nine security bulletins – five Critical-class and four Important – addressing 26 vulnerabilities in Microsoft Windows, Internet Explorer, Exchange Server, SQL Server, Server Software, Developer Tools, and Office. For those who need to prioritize deployment, we recommend focusing on these three critical updates first:

MS12-060 (Windows Common Controls)
Multiple software products utilize Windows Common Controls, and the issues addressed in this bulletin affect Office, SQL Server, Server Software, and Developer Tools. We’re aware of limited, targeted attacks attempting to exploit this vulnerability, but we haven’t seen public proof-of-concept code published. These are important factors to consider when determining deployment priority, and Microsoft recommends that customers test and deploy this update as soon as possible.

MS12-052 (Internet Explorer)
This security update addresses four privately disclosed issues, none of which are currently known to be under active attack. Successful exploitation of these issues could result in the execution of code with the privileges of the current user. You may notice that one of the issues addressed in the Cumulative Security Update for Internet Explorer is also listed in MS12-056 for the JScript and VBScript Engines. Since this issue affects both IE and Windows components, you will need to apply both updates to ensure the issue has been addressed on your system.

MS12-054 (Windows Networking Components)
This security update addresses three issues related to the Remote Administration Protocol (RAP) and one issue affecting the Print Spooler. The impact from these issues ranges from Denial of Service (DoS) to Remote Code Execution (RCE). All of these issues were reported to us through coordinated disclosure and we have no reports of these issues being exploited. As with our other top-priority bulletins, we encourage customers to test and deploy this update as soon as possible.

Of the remaining six bulletins, two are also rated as critical: one addressing issues affecting the Remote Desktop Protocol and the other affecting Exchange Server. The remaining four bulletins are all Important-class issues touching on Windows and Office.

Security Update Re-release
Last month, we published MS12-043 to address issues affecting Microsoft XML Core Services. The July release provided updates for Microsoft XML Core Services 3.0, 4.0, and 6.0. This month, we are re-releasing MS12-043 with additional updates for Microsoft XML Core Services 5.0. This re-release does not affect the previous updates for versions 3.0, 4.0, and 6.0.

Please watch the video below for an overview of this month’s bulletins and you can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning.


Our risk and impact graph provides an aggregate view of this month’s severity and exploitability index. For insightful details about the Exploitability Index and additional bulletin nuances, please see the Security Research & Defense (SRD) blog.

You can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page. Thanks for reading and join us tomorrow (Wednesday, August 15, 2012) at 11 a.m. PDT for a live webcast with Jonathan Ness and Dustin Childs, who will be sharing greater details about these bulletins and our other announcements this month. As always, they will be answering bulletin-related questions live during the webcast. You may register for that one-hour event here.

Yunsun Wee
Trustworthy Computing

December 2010 Advance Notification Service is released

December 9th, 2010

Hi everyone. Mike Reavey from the MSRC here. Today we’re releasing our Advance Notification Service for the December 2010 security bulletin release. As we do every month, we’ve given information about the coming December release and provided links to detailed information so you can plan your deployment by product, service pack level, and severity. However, since this is the last release for the year, I thought it would also be a good time to take a look back at the security releases we’ve had over the last 12 months.

First, for December we’re releasing 17 updates addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange. Of the 17, two bulletins are rated Critical, 14 are rated Important, and one is rated Moderate. As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

Looking back over 2010, that brings the total bulletin count to 106, which is more bulletins than we have released in previous years. This is partly due to vulnerability reports in Microsoft products increasing slightly, as indicated by our latest Security Intelligence Report. This isn’t really surprising when you think about product life cycles and the nature of vulnerability research. Microsoft supports products for up to ten years. (One of our most popular operating systems from the turn of the century, XP SP2, reached its end-of-support life in mid-2010, in fact.) Vulnerability research methodologies, on the other hand, change and improve constantly. Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports. Meanwhile, the percentage of vulnerabilities reported to us cooperatively continues to remain high at around 80 percent; in other words, for most vulnerabilities we’re able to release a comprehensive security update before the issue is broadly known.

At the end of the day, Microsoft’s primary focus is to release reliable, high-quality updates to our customers. Feedback from customers indicates that this is the most important factor in minimizing disruption and allowing them to deploy our updates quickly – even more important than the overall number of security

Back to this month’s bulletins. We’re addressing two issues this month that have attracted interest recently. First, we will be closing the last Stuxnet-related issues this month. This is a local Elevation of Privilege vulnerability and we’ve seen no evidence of its use in active exploits aside from the Stuxnet malware. We’re also addressing the Internet Explorer vulnerability described in Security Advisory 2458511. Over the past month, Microsoft and our MAPP partners actively monitored the threat landscape surrounding this vulnerability and the total number of exploit attempts we monitored remained pretty low. Furthermore, customers running Internet Explorer 8 remained protected by default due to the extra protection provided by Data Execution Prevention (DEP). On that note, I want to point you to a new post on the Security Research & Defense team blog describing the effectiveness of DEP and ASLR against the types of exploits we see in the wild today.

We encourage customers to review this month’s bulletins and to prioritize their installation according to the needs of their environment. (And, of course, for most home users these updates will be installed automatically.) If you have questions, join us next Wednesday (December 15) when Jonathan Ness and Jerry Bryant will host a live webcast covering the December bulletins. They’ll go into detail about the release and answer your bulletin-related questions live on the air. Register at the link

Date: Wednesday, December 15
Time: 11:00 a.m. PST (UTC -8)
Registration: 1032454441


Mike Reavey
Director, MSRC