Security Research & Defense

Details on the New TLS Advisory

Tuesday, February 09, 2010

Security Advisory 977377: Vulnerability in TLS Could Allow Spoofing In August of 2009, researchers at PhoneFactor discovered a vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. As the issue is present in the actual TLS/SSL-standard, not only our implementation, Microsoft is working together with ICASI, the Industry Consortium for Advancement of Security on the Internet to address this vulnerability.

• IIS
• Mitigations
• Network protocol
• Risk Asessment
• Workarounds

MS10-006 and MS10-012: SMB security bulletins

Tuesday, February 09, 2010

Today we released two bulletins to address vulnerabilities in SMB. MS10-006 addresses two vulnerabilities in the SMBv1 client implementation, and MS10-012addresses four vulnerabilities in the SMB server implementation. In this blog entry, we want to help you understand the vulnerabilities and better prioritize the updates. What are the SMB server vulnerabilities and how could they be exploited?

• Network protocol
• SMB

MS10-007: Additional information and recommendations for developers

Tuesday, February 09, 2010

Today we are releasing MS10-007 to address a URL validation issue generally applicable to the ShellExecute API. How would a malicious user leverage this vulnerability? This issue involves how ShellExecute handles strings that appear to be legitimate URLs, but are malformed such that they result in execution of arbitrary code. Various technologies use ShellExecute to initiate a browser navigation.

• Defense-in-depth
• ShellExecute

Reports of DEP being bypassed

Wednesday, January 20, 2010

Yesterday we heard reports of a commercially available exploit that bypasses DEP. This exploit was made available to a limited number of major security vendors (Antivirus, IDS, and IPS vendors) and government CERT agencies. We wanted to use this opportunity to give an overview of current customer risk related to this DEP bypass.

• DEP
• Exploitability
• Exploitation
• Internet Explorer (IE)
• Mitigations
• MSHTML
• Risk Asessment

Additional information about DEP and the Internet Explorer 0day vulnerability

Monday, January 18, 2010

The new Internet Explorer security vulnerability described by Microsoft Security Advisory 979352 has received a lot of interest over the past few days. The Internet Explorer team is hard at work preparing a comprehensive security update to address the vulnerability and the MSRC announced today that as soon as the update is ready for broad distribution, it will be released.

Assessing risk of IE 0day vulnerability

Friday, January 15, 2010

Yesterday, the MSRC released Microsoft Security Advisory 979352 alerting customers to limited, sophisticated attacks targeting Internet Explorer 6 customers. Today, samples of that exploit were made publicly available. Before we get into the details I want to make one thing perfectly clear. The attacks we have seen to date, including the exploit released publicly, only affect customers using Internet Explorer 6.

• Attack
• DEP
• Exploitability
• Mitigations
• MSHTML
• Risk Asessment
• Zero-Day Exploit

MS10-001: Font file decompression vulnerability

Tuesday, January 12, 2010

MS10-001 addresses a vulnerability (CVE-2010-0018 ) in the LZCOMP de-compressor for Microtype Express Fonts. This blog aims to answer some questions regarding the updates we’ve made in this area. What is the issue? t2embed.dll improperly performs bounds-checking on lengths which are decoded from the LZCOMP bit-stream. This made it possible for a copy loop to violate the intended working buffer.

• Exploitability
• Font
• Mitigations
• Rating
• Risk Asessment
• Workarounds

Assessing the risk of the December security bulletins

Tuesday, December 08, 2009

This morning we released six security bulletins, three Critical and three Important, addressing 12 CVE’s. Please apply the Internet Explorer update right away as it poses the most risk of all the bulletins due to severity and exploitability. The Internet Explorer update addresses the vulnerability described by Security Advisory 977981. We hope that the table and commentary below will help you prioritize the deployment of the other updates appropriately.

• Attack Vector
• Exploitability
• Mitigations
• Rating
• Risk Asessment

Extended Protection for Authentication

Tuesday, December 08, 2009

This month, Microsoft is releasing several non-security updates that implement Extended Protection for Authentication as a mechanism to help safeguard authentication credentials on the Windows platform. These new updates are not security bulletins, but non-security updates that allow web clients using the Windows HTTP Services, IIS web servers and applications based on the HTTP Protocol Stack (http.

• Network protocol
• NTLM
• Risk Asessment

SEHOP per-process opt-in support in Windows 7

Friday, November 20, 2009

In a previous blog post we discussed the technical details of Structured Exception Handler Overwrite Protection (SEHOP) which is an exploit mitigation feature that was first introduced in Windows Vista SP1 and Windows Server 2008 RTM. SEHOP prevents attackers from being able to use the Structured Exception Handler (SEH) overwrite exploitation technique when attempting to exploit certain types of software vulnerabilities.

• Defense-in-depth
• Exploitation
• Mitigations
• Security Science