swiat

Assessing risk for the February 2014 security updates

Tuesday, February 11, 2014

Today we released seven security bulletins addressing 31 unique CVE’s. Four bulletins have a maximum severity rating of Critical while the other three have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Likely first 30 days impact Platform mitigations and key notes MS14-010(Internet Explorer) Victim browses to a malicious webpage.

• Attack Vector
• Risk Asessment

Assessing risk for the January 2014 security updates

Tuesday, January 14, 2014

Today we released four security bulletins addressing six CVE’s. All four bulletins have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max exploit-ability rating Likely first 30 days impact Platform mitigations and key notes MS14-002(NDProxy, a kernel-mode driver) Attacker able to run code at a low privilege level inside an application sandbox exploits this vulnerability to elevate privileges to SYSTEM.

• Rating
• Risk Asessment

Software defense: mitigating common exploitation techniques

Wednesday, December 11, 2013

In our previous posts in this series, we described various mitigation improvements that attempt to prevent the exploitation of specific classes of memory safety vulnerabilities such as those that involve stack corruption, heap corruption, and unsafe list management and reference count mismanagement. These mitigations are typically associated with a specific developer mistake such as writing beyond the bounds of a stack or heap buffer, failing to correctly track reference counts, and so on.

• ASLR
• Defense-in-depth
• Exploitation
• Mitigation

Assessing risk for the December 2013 security updates

Tuesday, December 10, 2013

Today we released eleven security bulletins addressing 24 CVE’s. Five bulletins have a maximum severity rating of Critical while the other six have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max XI Likely first 30 days impact Platform mitigations and key notes MS13-096(GDI+ TIFF parsing) Victim opens malicious Office document.

• Attack Vector
• Exploitability
• Risk Asessment

MS13-098: Update to enhance the security of Authenticode

Tuesday, December 10, 2013

Today we released MS13-098, a security update that strengthens the Authenticode code-signing technology against attempts to modify a signed binary without invalidating the signature. This update addresses a specific instance of malicious binary modification that could allow a modified binary to pass the Authenticode signature check. More importantly, it also introduces further hardening to consider a binary “unsigned” if any modification has been made in a certain portion of the binary.

• Spoofing
• Trust decision

MS13-106: Farewell to another ASLR bypass

Monday, December 09, 2013

Today we released MS13-106 which resolves a security feature bypass that can allow attackers to circumvent Address Space Layout Randomization (ASLR) using a specific DLL library (HXDS.DLL) provided as part of Microsoft Office 2007 and 2010. The existence of an ASLR bypass does not directly enable the execution of code and does not represent a risk by itself, since

• ASLR
• Bypass
• Exploit
• HXDS.DLL
• MS13-106

Assessing risk for the November 2013 security updates

Tuesday, November 12, 2013

Today we released eight security bulletins addressing 19 CVE’s. Three bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Likely first 30 days impact Platform mitigations and key notes MS13-090(ActiveX killbit) Victim browses to a malicious webpage.

• Attack Vector
• Rating
• Risk Asessment

Introducing Enhanced Mitigation Experience Toolkit (EMET) 4.1

Tuesday, November 12, 2013

In June 2013, we released EMET 4.0 and customer response has been fantastic. Many customers across the world now include EMET as part of their defense-in-depth strategy and appreciate how EMET helps businesses prevent attackers from gaining access to computers systems. Today, we’re releasing a new version, EMET 4.1, with updates that simplify configuration and accelerate deployment.

• EMET
• Mitigation

Security Advisory 2868725: Recommendation to disable RC4

Tuesday, November 12, 2013

In light of recent research into practical attacks on biases in the RC4 stream cipher, Microsoft is recommending that customers enable TLS1.2 in their services and take steps to retire and deprecate RC4 as used in their TLS implementations. Microsoft recommends TLS1.2 with AES-GCM as a more secure alternative which will provide similar performance.

• Schannel

Security Advisory 2880823: Recommendation to discontinue use of SHA-1

Tuesday, November 12, 2013

Microsoft is recommending that customers and CA’s stop using SHA-1 for cryptographic applications, including use in SSL/TLS and code signing. Microsoft Security Advisory 2880823 has been released along with the policy announcement that Microsoft will stop recognizing the validity of SHA-1 based certificates after 2016. Background Secure Hashing Algorithm 1 (SHA-1) is a message digest algorithm published in 1995 as part of NIST’s Secure Hash Standard.