Mitigations

Assessing risk for the February 2012 security updates

Tuesday, February 14, 2012

Today we released nine security bulletins. Four have a maximum severity rating of Critical with the other five having a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Likely first 30 days impact Platform mitigations and key notes MS12-010(Internet Explorer) Victim browses to a malicious website.

Read More

• Attack Vector
• Exploitability
• Mitigations
• Rating
• Risk Asessment

More information on the impact of MS12-001

Tuesday, January 10, 2012

Today we released MS12-001, which addresses an issue that can enable an attacker to bypass a defense in depth feature known as SafeSEH. This bypass is limited in scope to applications that make use of binaries that were built with Microsoft Visual C++ .NET 2003 RTM. Binaries that have been built with Microsoft Visual C++ .

Read More

• Defense-in-depth
• Mitigations

Assessing the risk of the October 2011 security updates

Tuesday, October 11, 2011

Today we released eight security bulletins. Two have a maximum severity rating of Critical with the other six having a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Likely first 30 days impact Platform mitigations and key notes MS11-081 (Internet Explorer) Victim browses to a malicious website.

Read More

• Attack Vector
• Mitigations
• Risk Asessment

Is SSL broken? – More about Security Bulletin MS12-006 (previously known as Security Advisory 2588513)

Monday, September 26, 2011

On January 10th, Microsoft released MS12-006 in response to a new vulnerability discovered in September in SSL 3.0 and TLS 1.0. Here we would like to give further information about the technique used to exploit this vulnerability and workaround options Microsoft has released if you discover a compatibility issue after installing the update.

Read More

• Attack Vector
• Mitigations
• Network protocol
• Risk Asessment
• Schannel
• Workarounds

Protecting yourself from attacks that leverage fraudulent DigiNotar digital certificates

Sunday, September 04, 2011

Last week, we released Security Advisory 2607712, notifying customers that fraudulent digital certificates had been issued by certificate authority DigiNotar. We’d like to follow up on that notification in this blog post by explaining more about the potential risks and actions you can take to protect yourself from any potential attacks that would leverage those fraudulent certificates.

Read More

• Attack Vector
• Man-in-the-Middle
• Mitigations
• Risk Asessment
• Workarounds

Vulnerabilities in DNS Server Could Allow Remote Code Execution

Tuesday, August 09, 2011

Today we released MS11-058 to address two vulnerabilities in the Microsoft DNS Service. One of the two issues, CVE-2011-1966, could potentially allow an attacker who successfully exploited the vulnerability to run arbitrary code on Windows Server 2008 and Windows Server 2008 R2 DNS servers having a particular DNS configuration. We’d like to share more detail in this blog post and help you make a risk decision for your environment.

Read More

• Attack Vector
• DNS
• Mitigations
• Network protocol
• Risk Asessment

Announcing the BlueHat Prize for Advancement of Exploit Mitigations

Wednesday, July 27, 2011

Protecting the general computing ecosystem is a really tough job, and given some of the media headlines, it’s easy to get discouraged and wallow in the problems. It seems like we’re constantly bombarded with statistics measuring the number of bugs, vulnerabilities, or attacks in an attempt to build an accurate “state of the state.

Read More

• Announcements
• Exploitability
• Mitigations

From Bounties to the BlueHat Prize – Evolutionary Thinking in Valuing Security Research

Wednesday, July 27, 2011

Handle: k8e IRL: Katie Moussouris Rank: Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team Likes: Cool vulns, BlueHat, soldering irons, quantum teleportation Dislikes: Rudeness, socks-n-sandals, licorice Today on the MSRC blog, Matt Thomlinson announced the BlueHat Prize, the first and largest incentive prize Microsoft has ever offered to seek out and reward new ideas in computer security defense.

Read More

• BlueHat Security Briefings
• Community-based Defense
• EcoStrat
• Mitigations
• Security Ecosystem
• Security Research

A guide to exploit mitigations and the July 2011 security bulletin release

Tuesday, July 12, 2011

Hello all – Over the years we’ve often talked about exploit mitigations – DEP, ASLR, SEHOP and so forth – as effective tools for improving computer security, reducing risk, preventing attacks, and minimizing operational disruption. Today we’re releasing a user’s guide to the toolbox: “Mitigating Software Vulnerabilities,” a white paper with practical information on choosing and enabling those mitigations.

Read More

• Mitigations
• Security Bulletin
• Security bulletin release

Mitigating Software Vulnerabilities

Tuesday, July 12, 2011

How can you protect yourself, your business, and your customers when faced with an unknown or unpatched software vulnerability? This question can be difficult to answer but it is nevertheless worthy of thoughtful consideration. One particularly noteworthy answer to this question is provided in the form of exploit mitigation technologies such as DEP and ASLR, which are designed to make it difficult and costly for an attacker to exploit a software vulnerability.

Read More

• Defense-in-depth
• EMET
• Mitigations
• Security Science