Security Research

Threat Complexity Requires New Levels of Collaboration

Monday, July 27, 2009

When complex security issues that affect multiple vendors arise, calling them “challenging” is an understatement. We created the Microsoft Vulnerability Research Program (MSVR) to meet those challenges, learn from those experiences and strengthen the ties of our community of defenders across the industry in the process. As the state of software security matures beyond straightforward issues such as buffer overflows and elevation of privilege, we are working diligently towards a new level of cross-industry collaboration on a scale never seen before.

Read More

• Black Hat
• Community-based Defense
• EcoStrat
• Microsoft Vulnerability Research (MSVR)
• MSRC Ecosystem Strategy
• Responsible Disclosure
• Security Assurance
• Security Ecosystem
• Security Research

The year-end review – well, sort of :)

Sunday, July 26, 2009

Handle: Cap’n Steve IRL: Steve Adegbite Rank: Senior Security Program Manager Lead Likes: Reverse Engineering an obscene amount of code and ripping it up on a snowboard Dislikes: Not much but if you hear me growl…run Hey! It’s that time of year again for all of us to pack up and head out to the desert to reconnect, discuss, and plan for the future, or at least what we think will be the future of security.

Read More

• Black Hat
• Community-based Defense
• Exploitability
• Exploitability Index
• Microsoft Active Protections Program (MAPP)
• Microsoft Vulnerability Research (MSVR)
• Mitigations
• MSRC
• MSRC Ecosystem Strategy
• Responsible Disclosure
• Security Advisory
• Security Bulletin
• Security Conference Engagement
• Security Ecosystem
• Security Engineering
• Security Research
• Security Tools

Stainless steel bridge

Monday, June 15, 2009

Hi! Manuel Caballero here. I had the pleasure of penetration testing (pen-testing) the previous versions of Microsoft Silverlight, and now, for the last three weeks, I’ve been playing around with the beta version of Silverlight 3. When I say, “the pleasure”, I really mean it. Playing with Silverlight means to play with a plug-in that, from a security point of view, was born being already mature.

Read More

• Internet Explorer (IE)
• Security Research
• Silverlight

Announcing the BlueHat Security Forum: EU Edition

Tuesday, June 02, 2009

Handle: C-Lizzle IRL: Celene Temkin Rank: Program Manager 2 & BlueHat Project Manager Likes: Culinary warfare, BlueHat hackers and responsible disclosure Dislikes: Acts of hubris, MySpace, orange mocha Frappaccinos! Hey folks! I know this is typically the time of year when birds are chirping, the rain is _supposed _to be letting up, and those of you in the BlueHat network who are normally invited to attend the Spring BlueHat conference are asking yourselves, “Why did MSRC start doing the con only once a year?

Read More

• Attack
• BlueHat Security Briefings
• Community-based Defense
• EcoStrat
• Malicious Software (Malware)
• MSRC
• MSRC Ecosystem Strategy
• Security Conference Engagement
• Security Development Lifecycle (SDL)
• Security Ecosystem
• Security Research
• Watering Hole

Token Kidnapping finally patched!

Tuesday, April 14, 2009

Here I am again writing on MS BlueHat blog, this time about Token Kidnapping. The first time I talked about Token kidnapping was a long time ago and now after a year the issues detailed in the presentation are finally fixed. Let’s see what happened. Before the first public Token Kidnapping presentation I talked to MS about the topics it included, I mentioned that there were design issues and that some issues were already known.

Read More

• BlueHat Security Briefings
• Microsoft Windows
• Responsible Disclosure
• Security Bulletin
• Security Research

!exploitable Crash Analyzer Now Available

Wednesday, April 01, 2009

At BlueHat v8 in October 2008, Dave Weinstein, Jason Shirk and Lars Opstad presented the topic of when it’s okay to stop fuzzing (Fuzzed Enough? When It’s OK to Put the Shears Down). As part of that presentation, Dave talked about a technique used within Microsoft for triaging and categorizing crashes.

Read More

• BlueHat Security Briefings
• Security Engineering
• Security Research
• Threat Modeling

Learning by our mistakes

Monday, January 12, 2009

Mike Andrews here. With a very broad brush, the vulnerabilities we see can be split into two categories – flaws and bugs. Flaws are inherent problems with the design of a system/application – Dan Kaminskys’ DNS vulnerability would be a good example. Bugs, on the other hand, are issues with the implementation of the software, and the classic example would be a buffer overflow.

Read More

• BlueHat Security Briefings
• Malicious Software (Malware)
• Security Research

Good Things Come in Blue Packages

Thursday, November 20, 2008

Hello everyone, Celene Temkin here from the MSRC Ecosystem Strategy Team. BlueHat v8: C3P0wned ended a month ago and the success of the con lives on in the outstanding training and networking done between Microsoft employees and external speakers and guests. I’m happy to say the speaker video interviews, podcasts, anecdotes and archives are live on the BlueHat TechNet Page.

Read More

• Attack
• BlueHat Security Briefings
• Security Conference Engagement
• Security Research

State of the Union

Thursday, October 16, 2008

I spent a lot of time trying to think about what to write for a BlueHat pre-conference blog entry and had a pretty hard time focusing on one topic. To handle this, I decided to comment on the state of security. While I’ve found plenty of things to be excited about with security, including improved awareness, ~~~~enhanced vendor responsiveness to issues (although some still lag behind), increasing global awareness of security concerns, etc.

Read More

• Attack
• Attack Vector
• Black Hat
• BlueHat Security Briefings
• Community-based Defense
• Emerging Threat
• Security Conference Engagement
• Security Engineering
• Security Research