Swedish Windows Security User Group

Today, Microsoft is pleased to announce the private preview of Microsoft Interflow, a security and threat information exchange platform for analysts and researchers working in cybersecurity. Interflow uses industry specifications to create an automated, machine-readable feed of threat and security information that can be shared across industries and groups in near real-time. The goal of the platform is to help security professionals respond more quickly to threats. It will also help reduce cost of defense by automating processes that are currently performed manually. 

Microsoft’s ongoing active collaboration with the cybersecurity community has been a constant source of ideas and innovation for more than a decade. The Microsoft Active Protections Program (MAPP) was established in 2008 to provide security software providers with early access to software vulnerability information. Along the same lines, the inspiration for Interflow comes from the community. Today, data exchange difficulties – format mismatches, governance issues, and the complexity of data correlation – stand in the way of a more efficient incident response industry. Zheng Bu, VP of Security Research at FireEye, stated “what the cybersecurity community will benefit from is a more productive way to collaborate and take action. It is encouraging to see Microsoft invest in such a platform, and drive it forward for the greater good of the community.”

A collectively stronger cybersecurity ecosystem means better protection for consumers and businesses. There are many examples of alliances across industries, such as those established in the education and finance sectors. Recently, a similar cybersecurity alliance was formed in the retail industry. As retailers and others share threat indicators and take action rapidly, cyberattacks are either prevented, or their damage and spread are minimized. Interflow enables exactly this type of community and peer-based sharing, whether the communities are formed by the Computer Emergency Response Teams (CERTs) across the globe or by industry.

One may ask what exactly it means to share security and threat information using Interflow. The answer is simple: Interflow is a distributed system where users decide what communities to form, what data feeds to bring to their communities, and with whom to share data feeds. In addition, the use of open specifications STIX™ (Structured Threat Information eXpression), TAXII™ (Trusted Automated eXchange of Indicator Information), and CybOX™ (Cyber Observable eXpression standards) means that Interflow can integrate with existing operational and analytical tools through a plug-in architecture. This means there is no lock-in to proprietary data formats, appliances or subscriptions, all of which raise the cost of cybersecurity.

For many operating in the response community, reducing and managing the cost of defense in the face of exponentially increasing threat data is crucial. Running on Microsoft Azure public cloud, Interflow helps to reduce the cost of security infrastructure while allowing for rapid scale-out, a key premise of cloud computing. As Interflow automates the input and flow of security and threat data, organizations are able to prioritize analysis and action through customized watch lists, instead of bearing the cost of manual data compilation.

As early users of Interflow, various network security teams at Microsoft have experienced these kinds of benefits. Microsoft is planning to share the security and threat data used to protect our own products and services with the Interflow communities during the private preview. Organizations and enterprises with dedicated security incident response teams can inquire about the private preview through their Technical Account Managers or by emailing mappbeta@microsoft.com. Microsoft plans to make Interflow available to all members of MAPP in the future.

I said in the beginning that the cybersecurity community was the inspiration for Interflow. We look forward to working with the community to shape the roadmap forward. Today’s announcement is timed with the 26^th annual FIRST Conference in Boston, Massachusetts.  Attendees at the conference can stop by the Microsoft booth #8, observe a demo and discuss participation in the private preview of Interflow.

Finally, you can find answers to most commonly asked questions here, and learn how Interflow enables a collectively stronger cybersecurity community at www.microsoft.com/interflow.

Thanks,

Jerry Bryant
Lead Senior Security Strategist, Microsoft Security Response Center (MSRC)

Microsoft is committed to promoting a safer, more trusted Internet and providing monthly security updates is one of the ways our customers keep their devices and connections to the Internet more secure. Packaging updates together into a monthly bulletin cycle stems from customer feedback and offers a predictable way to help protect them against newly discovered threats.

Today, we are excited to introduce myBulletins, a new online security bulletin customization service.

We’ve also created myBulletins based on your feedback. It’s a customizable online service that offers IT professionals a personalized list of the Microsoft security bulletins that matter most to their organization. It is easy to use: simply visit myBulletins, log in to your Microsoft account, select the products and versions running in your environment, and a customized list of only those security bulletins is displayed.

To develop myBulletins, we asked if there was anything we could do differently to make applying security bulletins easier. We recognize that not all of the products covered in the monthly security bulletins may be operating in your environment. You shared that you needed the ability to cut through complexity and make decisions quickly. You wanted help identifying the information that is most relevant to your organization. We heard you and acted on your feedback.

Starting today, myBulletins will enable you to quickly find security bulletins using advanced search and filtering options. The online service prioritizes security bulletin deployment by release date, severity, and reboot requirements to aid in decision making. The service provides a dynamic list in a customizable dashboard that can be edited at any time, as well as downloaded to a Microsoft Excel report.

myBulletins is our way to deliver on the promise to make applying security updates as seamless as possible.

There are three simple steps to get started:

• Step 1: Visit myBulletins and sign-in with your Microsoft account

• Step 2: Build your profile by selecting the Microsoft products you want to see in your dashboard

• Step 3: View your personalized dashboard

We know that customers are best protected when all applicable updates are applied, which is why we think you should create a profile, use it, and let us know what you think by using the site feedback link. Our ears are open and we look forward to hearing about your myBulletins experience.

Tracey Pretorius
Director, Microsoft Trustworthy Computing

It is often said that attackers have an advantage, because the defenders have to protect every part of their systems all the time, while the attacker only has to find one way in.

This argument oversimplifies the security landscape and the real strength that defenders can achieve if they work together. While it’s true that it is difficult to defend against an adversary that targets a single victim, this isn’t the way most malicious actors work. It is easier and cheaper for malicious actors to reuse techniques, infrastructure and tools. Most malicious actors build capabilities that work across many targets and modify and reuse them.

This is where the industry has the most opportunity to evolve. Industry collaboration and information sharing is part of the solution, but the real key is finding a way to coordinate action. When an attack targeting dozens, hundreds, or thousands of systems occurs, identifying a similar aspect of that attack can begin to unravel it everywhere. The fact that attackers use the same or similar methodologies in many places can actually put them at a disadvantage.

Think of how different animals in the wild respond to attacks. Some respond as individuals and scatter in all directions. This allows predators to focus their attack on an individual and give chase. Yet this same attack unravels against animals who respond by forming a circle and standing their ground as a group. As long as they stick together, the predators are at a disadvantage – unable to separate and run down an individual.

This kind of coordinated defense, and more crucially action, is the key to our industry taking the next big leap in the fight against cyber-attacks. It’s not enough to share threat indicators such as yara signatures, IP addresses and malware hashes. What we really want to do is move defenders to take action that defends them and undermines an adversary’s attack. As an industry, we have to come together and decide on a set of standards or principles by which we’re going to not just share information, but use it.

So why hasn’t the industry moved towards actionable information sharing? In my opinion, we need to advance the current class of information sharing tools, processes, and technologies. Think of the Traffic Light Protocol. TLP tells us how sensitive the information is, and whether we can share it. What it doesn’t say is whether it’s ok to incorporate an IP address into a network defense system, or to ping the address, or to try and have the address taken down.

As an industry, we must work to design and adopt technologies and programs that facilitate a two-way conversation and enable actionable information sharing. This should be the start of partnerships, not where things end. Our tools can no longer just be streams of after-the-fact data that flow from one place to another in varied forms and formats. Appropriate action needs to be part of the dialog, and part of us working together.

Part of this transformation is happening today at Microsoft with our Microsoft Active Protections Program (MAPP). While MAPP initially started as an information-sharing effort amongst security vendors, it’s moving to a place where it provides a set of guidance for defenders to protect themselves. To truly evolve to the next level, it will mean shifting from sharing information one way to taking coordinated action. The Microsoft Malware Protection Center (MMPC) has recently talked about the concept and called for a coordinated malware eradication approach at this blog post.

When we get to that point, it won’t just be security vendors who are working to keep everyone safe. It will be the networks, the service providers, the government entities, the retailers, the banks, all enterprises of the world pulling together and sharing actionable threat information necessary for defeating the adversaries — consistently and permanently.

This will take a greater degree of trust than just information sharing. But to take that next big leap in enhancing our defense against cyber-attacks, it’s where we must begin.

Chris Betz
Senior Director
Microsoft Security Response Center (MSRC)

I’m here at the Moscone Center, San Francisco, California, attending the annual RSA Conference USA 2014. There’s a great crowd here and many valuable discussions. Our Microsoft Security Response Center (MSRC) engineering teams have been working hard on the next version of EMET, which helps customers increase the effort attackers must make to compromise a computer system.

I’m happy to announce the public release of the EMET 5.0 Technical Preview today from the RSA exhibit hall.

During last night’s RSA reception, conference attendees got a sneak preview of EMET 5.0 as demonstrated by Jonathan Ness, Chengyun Chu, Elia Florio and Elias Bachaalany from our EMET engineering team. If you missed it, we’ll have our EMET engineering team here all week at RSA demonstrating the current version of EMET 4.1, as well as the EMET 5.0 Technical Preview, at the Microsoft Booth (number 3005).

EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and can help protect the computer by diverting, terminating, blocking and invalidating those actions and techniques. In recent 0-days, EMET has been an effective mitigation against memory corruption. Having EMET installed and configured on computers meant that the computers were protected from those attacks.

EMET 5.0 Technical Preview adds new protections for enterprises on top of the 12 built-in security mitigations included in version 4.1. For instance, the new Attack Surface Reduction mitigation allows enterprises to better protect third-party and custom-built applications by selectively enabling Java, Adobe Flash Player and Microsoft or third-party plug-ins. At the Security Research and Defense blog, our engineering team provides a deep dive blog post on EMET 5.0 Technical Preview.

Since the first release of EMET in 2009, our customers and the security community have adopted EMET and provided us with valuable feedback. Your feedback both in forums and through Microsoft Premier Support Services, which provides enterprise support for EMET, has helped shape the new EMET capabilities to further expand the range of scenarios it addresses.

The same goes for EMET 5.0 Technical Preview. As we march towards the final release of EMET 5.0, we would like to invite you to download the EMET 5.0 Technical Preview at microsoft.com/emet to deploy in your test environments. Your feedback is valuable in shaping our roadmap. Please let us know what you think.

Finally, if you’re at the RSA Conference, please stop by our booth and share your feedback with Jonathan, Chengyun, Elia and Elias. We’d like to hear from you!

Thanks,
Chris Betz
Senior Director
Microsoft Security Response Center (MSRC)

Today we are kicking off a new challenge so you can showcase your security prowess and, if we can, help you build some more. Our BlueHat Challenge is a series of computer security questions, which increase in difficulty as you progress. Only the rare and talented engineer will be able to finish the Challenge on the first attempt. It’s not a contest, so there’s no cash involved here, but there will be some great answers we’ll recognize publicly and you could win yourself a big chunk of bragging rights. You can find complete details about this new program over on the Security Research & Defense blog.

Good luck, and I look forward to seeing your submissions. Show me what you’ve got!

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing 

Today we are kicking off a new challenge so you can showcase your security prowess and, if we can, help you build some more. Our BlueHat Challenge is a series of computer security questions, which increase in difficulty as you progress. Only the rare and talented engineer will be able to finish the Challenge on the first attempt. It’s not a contest, so there’s no cash involved here, but there will be some great answers we’ll recognize publicly and you could win yourself a big chunk of bragging rights. You can find complete details about this new program over on the Security Research & Defense blog.

Good luck, and I look forward to seeing your submissions. Show me what you’ve got!

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing 

Over the years, our customers have come to expect a certain regularity and transparency in both our security updates and the guidance that goes with them. One regular piece of communication about our work is a yearly progress report, which provides a look into the program updates and bulletin statistics from the Microsoft Security Response Center (MSRC). Our report covering July 2012 through June 2013 is available, and it provides a great look back over the past year and includes some exciting new program updates that will help enhance customer protections in the years to come. Here’s a few highlights…

Going Behind the Scenes

Over the last 12 months, we released 92 security bulletins, two of which, MS12-063 and MS13-008, were released out-of-band. In the report, MSRC’s own William Peteroy provides a rare behind-the-scenes look at the Software Security Incident Response Process (SSIRP) and making of MS13-008. As William puts it, “Being pulled into a SSIRP feels about the same as a friend signing you up for a marathon and letting you know the night before.” It isn’t all doom and gloom though. Within the first couple days of availability, the update was downloaded around 286 million times. William concluded, “Ultimately it was very rewarding to be able to put so much time and effort toward something good for so many people over the holiday.”

The latest MAPP enhancements

Collaborating on defense through the Microsoft Active Protections Program (MAPP) community currently helps protect more than 1 billion customers and significantly reduces the time it takes security vendors to create protections. This year, we’re enhancing our existing MAPP offerings in some exciting new ways that will result in more robust customer protections and better guidance for those helping to secure systems around the world.

MAPP for Security Vendors is our traditional MAPP program with some new enhancements. As part of our monthly security bulletin release process, we will engage certain members of the MAPP community to help validate our guidance prior to final release. Working with the community in this way helps to ensure our guidance works for the widest possible set of partners. In addition, we will share detections earlier to select MAPP partners who meet stringent criteria. We will work to provide these partners with information three business days before Update Tuesday to help them create better quality solutions for our common customers.

MAPP for Responders is a new way to share technical information and threat indicators to organizations focused on incident response and intrusion prevention. Getting this information into the hands of those closest to the events can be invaluable in detecting and disrupting attacks. Many attackers share information amongst themselves, and defenders should share knowledge to help prevent and contain issues as they occur. MAPP for Responders will work to build a community for information exchange to counter the activities of those who wish to do harm.

MAPP Scanner is a cloud-based service that allows Office documents, PDF files, and URLs to be scanned for threats, which increases the likelihood of us learning about new attacks and attack vectors sooner rather than later. This service leverages our own product knowledge and is what we use internally to kick off new investigations. This service is currently in pilot with a limited number of partners.

Over on the BlueHat blog, Jerry Bryant provides additional information about these changes and how they fit into our larger security strategy.

These new programs, along with the bounty programs we launched last month, are part of a broader end-to-end strategy to help protect customers. The goal is to eliminate entire classes of attacks by working closely with partners to build up defenses, making it increasingly difficult to target Microsoft’s platform.

On to Black Hat 2013

Later this week, we’ll be at the Black Hat USA conference at Caesars Palace in Las Vegas, NV. I hope you take a few moments to read the progress report and come by to discuss the finding with us at our booth – and at our Researcher Appreciation party. I always enjoy speaking with people face-to-face about our latest programs and all the work we do throughout Trustworthy Computing to help ensure they have the safest computing experience possible.

Thanks, and I’ll see you in Vegas.

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Over the years, our customers have come to expect a certain regularity and transparency in both our security updates and the guidance that goes with them. One regular piece of communication about our work is a yearly progress report, which provides a look into the program updates and bulletin statistics from the Microsoft Security Response Center (MSRC). Our report covering July 2012 through June 2013 is available, and it provides a great look back over the past year and includes some exciting new program updates that will help enhance customer protections in the years to come. Here’s a few highlights…

Going Behind the Scenes

Over the last 12 months, we released 92 security bulletins, two of which, MS12-063 and MS13-008, were released out-of-band. In the report, MSRC’s own William Peteroy provides a rare behind-the-scenes look at the Software Security Incident Response Process (SSIRP) and making of MS13-008. As William puts it, “Being pulled into a SSIRP feels about the same as a friend signing you up for a marathon and letting you know the night before.” It isn’t all doom and gloom though. Within the first couple days of availability, the update was downloaded around 286 million times. William concluded, “Ultimately it was very rewarding to be able to put so much time and effort toward something good for so many people over the holiday.”

The latest MAPP enhancements

Collaborating on defense through the Microsoft Active Protections Program (MAPP) community currently helps protect more than 1 billion customers and significantly reduces the time it takes security vendors to create protections. This year, we’re enhancing our existing MAPP offerings in some exciting new ways that will result in more robust customer protections and better guidance for those helping to secure systems around the world.

MAPP for Security Vendors is our traditional MAPP program with some new enhancements. As part of our monthly security bulletin release process, we will engage certain members of the MAPP community to help validate our guidance prior to final release. Working with the community in this way helps to ensure our guidance works for the widest possible set of partners. In addition, we will share detections earlier to select MAPP partners who meet stringent criteria. We will work to provide these partners with information three business days before Update Tuesday to help them create better quality solutions for our common customers.

MAPP for Responders is a new way to share technical information and threat indicators to organizations focused on incident response and intrusion prevention. Getting this information into the hands of those closest to the events can be invaluable in detecting and disrupting attacks. Many attackers share information amongst themselves, and defenders should share knowledge to help prevent and contain issues as they occur. MAPP for Responders will work to build a community for information exchange to counter the activities of those who wish to do harm.

MAPP Scanner is a cloud-based service that allows Office documents, PDF files, and URLs to be scanned for threats, which increases the likelihood of us learning about new attacks and attack vectors sooner rather than later. This service leverages our own product knowledge and is what we use internally to kick off new investigations. This service is currently in pilot with a limited number of partners.

Over on the BlueHat blog, Jerry Bryant provides additional information about these changes and how they fit into our larger security strategy.

These new programs, along with the bounty programs we launched last month, are part of a broader end-to-end strategy to help protect customers. The goal is to eliminate entire classes of attacks by working closely with partners to build up defenses, making it increasingly difficult to target Microsoft’s platform.

On to Black Hat 2013

Later this week, we’ll be at the Black Hat USA conference at Caesars Palace in Las Vegas, NV. I hope you take a few moments to read the progress report and come by to discuss the finding with us at our booth – and at our Researcher Appreciation party. I always enjoy speaking with people face-to-face about our latest programs and all the work we do throughout Trustworthy Computing to help ensure they have the safest computing experience possible.

Thanks, and I’ll see you in Vegas.

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Over the years, we’ve put a lot of work into helping secure the computing ecosystem and limiting the number of issues in our products. The security researcher community is critical to these efforts, as they help us find vulnerabilities in our software that we may have missed. 

Now we’re taking it even further. We’re launching three new bounty programs that will pay researchers for techniques that bypass built-in OS mitigations and protections, for defenses that stop those bypasses and for vulnerabilities in Internet Explorer 11 Preview. Please visit here for more details.

Best of luck and I look forward to seeing your submissions.

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

We are committed to adapting our policies as the world evolves and with the new Windows Store, we evaluated how to best release security updates for Windows Store apps. Our goal is to have a quick, transparent and painless security update process. With this in mind, we will deliver high quality security updates for Windows Store apps as they become available. This applies to Microsoft apps that are installed using the Windows Store and to apps like Mail, which are preinstalled with Windows 8 but updated using the Windows Store. Providing security updates to these apps more frequently will allow us to add new functionality, fix issues and improve security. This will also help developers to avoid introducing new issues during the update process.

To ensure transparency, we will document all security updates for Microsoft apps in the Windows Store in a security advisory, which we will revise with each new security update release. The security update process itself will be identical to that of any other Windows Store app update—customers will simply click on the store tile and select the update.

You can read the full description of the new Windows Store App Updates Policy over on TechNet.

Thanks,
Mike Reavey
Senior Director, MSRC
Microsoft Trustworthy Computing

Some of you may have noticed us improving our defense-in-depth practices for bulletins by supplying sha1 and sha2 hashes in the Knowledge Base (KB) articles. This has been most visible in the KB with the addition of the “File hash information” section, but it is also noted in the Frequently Asked Questions (FAQ) section of each bulletin for convenience.

From PowerShell you can easily leverage the .Net  Cryptographic Services to define a get-sha256 function like Mike Wilbur has done here. And though it should go without saying, I will say it anyhow – you should not use script or code from untrusted sources.

function get-sha256 {param($file);[system.bitconverter]::tostring([System.Security.Cryptography.sha256]::create().computehash([system.io.file]::openread((resolve-path $file)))) -replace “-“,””
}

Let’s verify the hashes for the MS12-071:

After downloading the msu files we can simply iterate through the directory listing getting the sha2 hash for each file.

If you prefer not to use the .Net Cryptographic Services you could also verify sha1 hashes with the File Checksum Integrity Verifier utility available in KB 841290.

Though most people will not find the need to go to these lengths as automatic updates stream line the process of providing a secure means of distributing updates, we continually work to raise the bar as part of our ongoing drive to evaluate defense-in-depth efforts and provide improvements.

Thank you,

Dustin Childs
Group Manager
Microsoft Trustworthy Computing

Security Updates
Today we released six security bulletins to help protect our customers – four Critical, one Important, and one Moderate – addressing 19 vulnerabilities in Microsoft Windows Shell, Windows Kernel, Internet Explorer, Internet Information Services (IIS), .NET Framework, and Excel. For those who need to prioritize deployment, we recommend focusing on these two Critical updates first:

MS12-071 (Internet Explorer): This bulletin addresses three privately disclosed issues, none of which are currently known to be under active attack. Successful exploitation of these issues could result in code execution with the current user’s privileges. As such, we recommend the best practice of running applications with the least privileges possible in order to help mitigate potential risks. These issues do not affect Internet Explorer 10.

MS12-075 (Windows Kernel): This security update addresses three privately reported issues, none of which are currently known to be under active attack. This bulletin affects all supported versions of Microsoft Windows. The most severe issue could result in remote code execution if an attacker is able to lure a user to a website with a maliciously crafted TrueType font file embedded.

Security Update Re-release
In October we released Security Advisory 2749655 that addresses potential compatibility issues due to signature timestamps expiring before they should and noted we would be providing updates as they become available. Today we are providing one such update for MS12-046 (Visual Basic), which is now listed as available in the advisory. We have also released MS12-062 (System Center Configuration Manager 2007) to address an issue in the localization of resource files. Users who have already successfully installed the English versions of this update do not need to take any action.

You can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page. For an overview of the bulletins please watch the video below.

We recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in deployment planning (click for larger view).

Our risk and impact graph provides an aggregate view of this month’s severity and exploitability index (click for larger view).

Thanks for reading and join us tomorrow (Wednesday, Nov. 14, 2012) at 11 a.m. PST for a live webcast with Jeremy Tinder and myself, as we share greater details about these bulletins. As always, we will answer bulletin-related questions live during the webcast. You may register for that one-hour event here.

Thank you,

Dustin Childs
Group Manager
Microsoft Trustworthy Computing

Today, in conjunction with Adobe’s update process, we have revised Security Advisory 2755801 to address issues in Adobe Flash Player in Internet Explorer 10. Customers who have automatic updates enabled will not need to take any action because protections will be downloaded and installed automatically. Customers who do not use automatic updates should apply the guidance in the advisory immediately using update management software, or by checking the Microsoft Update service, to help ensure protection.

We remain committed to taking the appropriate actions to help protect customers and will continue to work closely with Adobe to deliver quality protections that are aligned with Adobe’s update process.

Dave Forstrom
Director
Microsoft Trustworthy Computing

We will release a Fix it in the next few days to address an issue in Internet Explorer, as outlined in the Security Advisory 2757760 that we released yesterday.  

While we have only seen a few attempts to exploit the issue, impacting an extremely limited number of people, we are taking this proactive step to help ensure Internet Explorer customers are protected and able to safely browse online.

The Fix it is an easy-to-use, one-click, full-strength solution any Internet Explorer user can install. It will not affect your ability to browse the Web, and it will provide full protection against this issue until an update is available.  It won’t require a reboot of your computer. 

This Fix it will be available for everyone to download and install within the next few days. Until then, we encourage folks to review the advisory and follow the other mitigations listed there.

Thanks,

Yunsun Wee,
Director, Trustworthy Computing

Protecting the general computing ecosystem is a really tough job, and given some of the media headlines, it’s easy to get discouraged and wallow in the problems. It seems like we’re constantly bombarded with statistics measuring the number of bugs, vulnerabilities, or attacks in an attempt to build an accurate “state of the state.” The popular question of late seems to be “Is the ecosystem getting more or less secure?”

In my role, I talk with a lot of customers.  In fact, we had recent meetings on Microsoft’s campus with CSOs from some of the world’s largest companies.  While the topic sometimes starts with the “state of the state” and recent changes in the threat landscape, they always end up in the same place —customers want to discuss and collaborate on solutions, rather than wallowing in the problems.

We’ve collaborated with many of the thousands of brilliant security researchers across the globe over the years, and they’ve helped us improve the security of our products & services.  There are also hundreds of security providers in the industry that we work closely with. In fact, three years ago we took an unconventional approach to security challenges by creating the Microsoft Active Protections Program (MAPP) to help unify this group of defenders.  This program shifted advantage to the good guys by promoting collaboration within the industry, even among competitors, in order to quickly build defensive technologies for over a billion of our shared customers around the world.

The success of that program – which inspired industry collaboration – got us thinking about whether we could do something similar for the security research community. Our goal was to inspire new lines of research in areas that have the most impact and leverage in protecting customers. That means not building incentives to find single bugs, but instead rewarding work on innovative solutions that could mitigate entire classes of attacks.

Today, I am pleased to announce the BlueHat Prize to inspire security researchers to seek innovations in exploit mitigation technologies. This is the first and largest incentive prize ever offered by Microsoft, and possibly the industry, for defensive computer security technology. In the age of increased risk of attacks on personal, corporate and government computer systems, Microsoft recognizes the need to encourage and nurture innovation in the area of exploit mitigations. At Microsoft, we believe in hiring the best and brightest minds in security to help us improve the security of our products and services, but also recognize it will take a “global village” to address today’s security challenges.

With over a quarter million dollars in cash and prizes, Microsoft believes the BlueHat Prize will motivate the community and foster even more collaboration with researchers throughout the security industry. To understand more about this competition, please visit Katie Moussouris’ EcoStrat blog or the BlueHat Prize contest page.

-Matt Thomlinson

Hello everyone,

Today we are announcing changes to Microsoft’s Exploitability Index.

Since October 2008, we have used the Exploitability Index to provide customers with valuable exploitability analysis for our security bulletins, and starting Tuesday this information will become even more comprehensive for those who use Microsoft’s latest platforms.

The Exploitability Index assesses the likelihood of functional exploit code being developed for a particular vulnerability. By providing the index information month over month, we’re helping customers prioritize the security updates that matter to them. The Exploitability Index will continue to provide an aggregate exploitability rating across all affected products, and the improvements made to Exploitability Index will now offer additional information to help customers prioritize bulletins, specifically for the most recent platforms, e.g. Windows 7 Service Pack 1 and Office 2010.

For example, the Exploitability Index for CVE-2011-0097, a security issue addressed by MS11-021in the April 2011 release, originally rated a “1 – Consistent Exploit Code Likely”. However, under the previous system, the Exploitability Index did not specifically illustrate that customers using Excel 2010 were at less risk; with Excel 2010, CVE-2011-0097 would rate a “2 – Inconsistent Exploit Code Likely”. In fact, our research has shown that 37 percent of the vulnerabilities addressed since July 2010 have had similar results; the latest platform was either entirely unaffected, or significantly more difficult to exploit.

Maarten Van Horenbeeck, senior security program manager, goes into more depth around the background of Exploitability Index and the value of these improvements in the MSRC blog post: “Exploitability Index Improvements Now Offer Additional Guidance”

Additionally, we’re providing advanced notification on the release of a Critical security bulletin addressing a vulnerability in Windows, and an Important bulletin addressing two vulnerabilities in Microsoft Office. As usual, the bulletin release is scheduled for the second Tuesday of the month, May 10, at approximately 10 a.m. PDT.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Pete Voss
Sr. Response Communications Manager
Microsoft Trustworthy Computing

On behalf of the Forefront Server Protection team at Microsoft, I am pleased to announce the release of Forefront Protection Server Management Console 2010 (FPSMC).

On December 17th, 2010 Microsoft shipped the Forefront Protection Server Management Console (FPSMC) to provide centralized management for the Forefront Protection 2010 for Exchange Server and Forefront Protection 2010 for SharePoint servers in your environment. FPSMC provides multi-server management through a browser-based interface, and supports the following features:

·         Signature redistribution

·         Policy (configuration) deployment

·         Centralized incident, spam, and engine version reporting

·         Centralized quarantine management

·         Auto discovery of new servers

·         Integration with Forefront Online Protection for Exchange

For a complete list of features included in this free release, along with directions for download and installation, please go to: http://www.microsoft.com/downloads/details.aspx?FamilyID=31f66155-50f0-4665-adc0-de94da027ed7

Andrew Schiano

Software Development Engineer in Test

On behalf of the Forefront Server Protection team at Microsoft, I am pleased to announce the release of Forefront Protection Server Management Console 2010 (FPSMC).

On December 17th, 2010 Microsoft shipped the Forefront Protection Server Management Console (FPSMC) to provide centralized management for the Forefront Protection 2010 for Exchange Server and Forefront Protection 2010 for SharePoint servers in your environment. FPSMC provides multi-server management through a browser-based interface, and supports the following features:

·         Signature redistribution

·         Policy (configuration) deployment

·         Centralized incident, spam, and engine version reporting

·         Centralized quarantine management

·         Auto discovery of new servers

·         Integration with Forefront Online Protection for Exchange

For a complete list of features included in this free release, along with directions for download and installation, please go to: http://www.microsoft.com/downloads/details.aspx?FamilyID=31f66155-50f0-4665-adc0-de94da027ed7

Andrew Schiano

Software Development Engineer in Test

On behalf of the Forefront Server Protection team at Microsoft, I am pleased to announce the release of Forefront Protection Server Management Console 2010 (FPSMC).

On December 17th, 2010 Microsoft shipped the Forefront Protection Server Management Console (FPSMC) to provide centralized management for the Forefront Protection 2010 for Exchange Server and Forefront Protection 2010 for SharePoint servers in your environment. FPSMC provides multi-server management through a browser-based interface, and supports the following features:

·         Signature redistribution

·         Policy (configuration) deployment

·         Centralized incident, spam, and engine version reporting

·         Centralized quarantine management

·         Auto discovery of new servers

·         Integration with Forefront Online Protection for Exchange

For a complete list of features included in this free release, along with directions for download and installation, please go to: http://www.microsoft.com/downloads/details.aspx?FamilyID=31f66155-50f0-4665-adc0-de94da027ed7

Andrew Schiano

Software Development Engineer in Test

On behalf of the Forefront Server Protection team at Microsoft, I am pleased to announce the release of Forefront Protection Server Management Console 2010 (FPSMC).

On December 17th, 2010 Microsoft shipped the Forefront Protection Server Management Console (FPSMC) to provide centralized management for the Forefront Protection 2010 for Exchange Server and Forefront Protection 2010 for SharePoint servers in your environment. FPSMC provides multi-server management through a browser-based interface, and supports the following features:

·         Signature redistribution

·         Policy (configuration) deployment

·         Centralized incident, spam, and engine version reporting

·         Centralized quarantine management

·         Auto discovery of new servers

·         Integration with Forefront Online Protection for Exchange

For a complete list of features included in this free release, along with directions for download and installation, please go to: http://www.microsoft.com/downloads/details.aspx?FamilyID=31f66155-50f0-4665-adc0-de94da027ed7

Andrew Schiano

Software Development Engineer in Test