A report from the Microsoft Security Response Center (MSRC) on the progress of various security initiatives to foster deeper industry collaboration, increase community-based defenses, and better protect customers.
Microsoft Security Response Center (MSRC) Progress Report 2013 (c) 2013 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples are for illustration only and are fictitious. No real association is intended or inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
Contents
Authors 4
Foreword 5
The Vulnerability and Exploit Marketplace 6
Microsoft Active Protections Program (MAPP) 7
Microsoft Security Bulletin Statistics 11
Microsoft Exploitability Index 13
Behind the scenes with an Internet Explorer zero-day vulnerability 17
Microsoft Vulnerability Research 20
Enhanced Mitigation Experience Toolkit (EMET) 4.0 23
Internet Explorer 11 Preview Bug Bounty 26
Summary 27
Authors
Bill Barlowe, Microsoft Security Response Center
Dustin Childs, Microsoft Trustworthy Computing
Angela Gunn, Microsoft Security Response Center
Jonathan Ness, Microsoft Security Response Center
William Peteroy, Microsoft Security Response Center
Mike Reavey, Microsoft Security Response Center
Jerry Bryant, Microsoft Security Response Center
Gerardo Di Giacomo, Microsoft Security Response Center
Katie Moussouris, Microsoft Security Response Center
Mark Oram [1], Microsoft Security Response Center
Georgeo Pulikkathara, Microsoft Trustworthy Computing

[1] Former Microsoft employee, who contributed to the MSRC Progress Report 2013
Foreword
Welcome to the 2013 Microsoft Security Response Center (MSRC) Progress Report, which covers the 12 months ending June 2013. This fiscal year saw some important changes to key MSRC programs, as well as new additions to help us better protect our customers. The cybersecurity threat landscape is constantly evolving, and we at the MSRC, in an ongoing effort to help keep customers safe, continue to adjust our strategies to make it increasingly costly and challenging for criminals to attack our customers. As our most recent Microsoft Security Intelligence Report (SIR) indicates, most exploits attackers use today target older vulnerabilities that we've already addressed. This reality is one of the key drivers behind the growing vulnerability and exploit marketplace we see today, as determined cybercriminals seek out, and are willing to pay increasingly high prices for, information about vulnerabilities and exploits they can use to keep their attacks undetected for as long as possible. To help thwart this trend, we recently began making plans for some enhancements to our Microsoft Active Protections Program (MAPP) to better enable its global network of defenders to stay a step ahead of targeted attacks. Coordinated Vulnerability Disclosure (CVD) has gone from idea to practice to policy, and vulnerability information sharing through MAPP has allowed MAPP partners to more efficiently and effectively produce protection for millions of Microsoft customers on a regular basis. In this report, we detail portions of an end-to-end strategy for the MAPP program to remove vulnerabilities from the marketplace, take away entire attack vectors, and improve detection capabilities on a global level to decrease the shelf life of new attack techniques. One of our most exciting developments this year has been the announcement of three new Microsoft bounty programs: the Mitigation Bypass Bounty, the BlueHat Bonus for Defense, and the Internet Explorer 11 Preview Bug Bounty.

By providing monetary incentives for direct reporting by security researchers, we hope to learn about novel defense bypass techniques, new exploitation techniques that affect Windows 8.1, and previously unknown issues in Internet Explorer 11 before those products reach the general marketplace. Meanwhile, we continue to maintain and support the CVD guidelines. The MSRC has pioneered and led the industry in the area of security response for many years, which sometimes means having to respond at inopportune times. This year's report includes a write-up by William Peteroy on his work to release Microsoft Security Bulletin MS13-008 over the Christmas holiday, balancing a visit from out-of-town relatives with attention to a significant security update. We hope you enjoy reading it, along with the rest of the information in this latest report.

Mike Reavey
Senior Director, Microsoft Trustworthy Computing
See www.microsoft.com/security/bluehatprize/ for more information about the contest and the three winning entries.
Determined Adversaries and Targeted Attacks [3], a Microsoft white paper released in June 2012, discussed a common belief that a well-resourced and determined adversary will usually be successful in attacking systems, even if the target has invested in its defensive posture. It advised that an effective risk management strategy balances investments in prevention, detection, containment, and recovery. MAPP has always been (and will continue to be) focused on prevention, and we routinely make incremental changes to the program to better enable its global network of defenders to counter targeted attacks, profit-driven criminal elements, exploit frameworks, and new methods for waging broad, opportunistic attacks. As part of our ongoing strategic development of MAPP, we are expanding the program and adding initiatives that focus on improving detections of attacks, which will in turn enable the MAPP community to produce improved protections for customers. The MAPP program works with a broad range of partners. Some MAPP partners collect a significant amount of threat information from a range of product suites deployed throughout the world. Others collect less data, due to a more regional focus or fewer customers that opt into reporting threat data back to security vendors. Some partners have been around for years, while others have entered the security marketplace only recently. This diverse community of defenders requires a varied approach by Microsoft to help maximize how we can work together to protect the ecosystem.

[3] http://aka.ms/targetedattacks
To more efficiently coordinate detection and prevention efforts with and between this diverse base of partners, Microsoft is expanding MAPP in three primary areas. The traditional MAPP program is being rebranded as MAPP for Security Vendors, and significantly updated. MAPP for Responders is a new MAPP program focused on enabling and exchanging information with incident response partners. MAPP Scanner is a new service that MAPP partners can use to rapidly assess suspect files and URLs.
"The MAPP program helps Trend Micro in strengthening further its defenses against cyber criminals. This timely information sharing works great in providing our customers the best and accurate protection with least false positives. We continue to appreciate Adobe's presence on the program and wish more vendors followed the same approach in vulnerability information sharing to make our cyber world safer."
- Raimund Genes, CTO, Trend Micro
MAPP for Security Vendors

The original MAPP partnership is being enhanced with the introduction of a new initiative, MAPP Validation, which seeks to engage the MAPP community in assessing our detection guidance prior to distribution. MAPP Validation will operate much like the Software Update Validation Program (SUVP), in which Microsoft partners with enterprises to evaluate security updates in a test environment. MAPP Validation partners are security vendors that provide products designed to service a broad range of customers and needs. MAPP Validation will help ensure that the detection guidance we release to the broader MAPP community will allow for the most efficient production of protections possible.

"Threats continue to evolve and we should evolve with them. The only way to do that is to have steadfast learning, comprehensive research, and having the right affiliation. As we continue to grow in knowledge, MAPP continuously gives us the advantage of being the first responder against emerging threats. Our customers can rest assured that we will always be there for them."
- Raul Alvarez, Senior Security Researcher, Fortinet Technologies
Microsoft also continues to make changes and improvements to the MAPP for Security Vendors program as a whole. One of the more frequent requests we hear from our MAPP partners is for more time to produce protections before we release our monthly security updates. For those partners with a trusted history in MAPP and who are consistent in meeting the requirements of the program, we will begin sharing detection guidance 3 business days before our usual update release day on the second Tuesday of each month, at approximately the same time that we issue our advance notification of the Microsoft products that will be receiving updates [4]. Entry-level MAPP partners will continue to receive vulnerability information 1 day before updates are released. In all cases, partners will continue to be prohibited from releasing protections until after the security updates are released.

"We are privileged to be part of MAPP, which provides a valuable service in helping us gauge the nature and impact of new threats, typically before they are manifested in the wild, and in providing commensurate protection to our clients in a timely fashion. We would like to take this opportunity to thank the MAPP team, and we look forward to our collaboration in the future."
- Samir Mody, Senior Manager, Threat Control Lab, K7Computing

MAPP for Responders

Today, there are many types of response organizations around the world that focus on intrusion prevention and incident response, including private organizations, Government response teams, and industry collaborations. These institutions share a common need for information to help them detect and mitigate threats. Microsoft is establishing MAPP for Responders as a mechanism for sharing relevant feeds of technical threat indicators, including malicious URLs, file hashes, incident data, and detection guidance. It will also act as a forum for partners to share more general threat information, such as trends involving which industries are being targeted and apparent developments in threat sponsor requirements. Why is this important? Threat information is valuable in detecting and disrupting attacks if it can be rapidly and reliably shared for the purpose of common defense. Today it is rare for this type of information to be shared by security companies and affected entities; companies are often inclined to hold onto the information to gain a competitive advantage, or to avoid sharing information about compromised or vulnerable systems that might be bad for business. MAPP for Responders will work to build a community for information exchange to counter the activities of determined adversaries.

"The data from MAPP has proven to be a valuable source of information ahead of the curve allowing us to better deliver faster protection against 0-day vulnerabilities to our customers."
- Peter Szabo, Senior Threat Researcher, SophosLabs Canada

[4] See technet.microsoft.com/security/gg309152.aspx for more information about the Microsoft Security Bulletin Advance Notification Service.

MAPP Scanner

MAPP Scanner is a cloud-based service that allows for Office documents, PDF files, and URLs to be scanned for content-based attacks, taking advantage of Microsoft's extensive knowledge of its own products and close security cooperation with industry partners. In addition to performing static analysis on submissions, MAPP Scanner conducts active analysis to determine if a submission is attempting to exploit a vulnerability. By making this technology available to partners who work with the targets of content-based attacks to investigate and remediate such incidents, Microsoft hopes to increase the likelihood of new attacks and attack vectors being discovered. Coupled with our Mitigation Bypass Bounty program, we believe MAPP Scanner will dramatically increase the cost attackers must pay to use exploits effectively, thereby reducing attack activity across the ecosystem. MAPP Scanner is currently in a pilot phase with MAPP security vendor and response partners, and will help to significantly reduce the amount of analytical effort MAPP partners must perform to determine if a submission is malicious.

"Thanks to the MAPP program, we can detect security incidents more proactively. The most effective thing is protecting our customers from zero-day attacks. It could be helpful to seize evidence in an incident response quickly. We are very pleased to use this MAPP program for our various products."
- Jeongwoo Park, AhnLab, Inc.
[Figure: Security bulletins and CVEs addressed per half-year period, 1H07 through 1H13]
The nomenclature used to refer to different reporting periods is nHyy, where nH refers to either the first (1) or second (2) half of the year, and yy denotes the year. For example, 2H12 represents the period covering the second half of 2012 (July 1 through December 31), and 1H13 represents the period covering the first half of 2013 (January 1 through June 30).
The Exploitability Index uses three levels to communicate to customers the likelihood of functioning exploit code being developed. Microsoft continuously evaluates the level descriptions, and modifies them when appropriate to simplify and clarify the assessments. Currently, the levels are defined as follows:

1 - Exploit code likely. This rating means that MSRC analysis shows that exploit code could be created, allowing an attacker to consistently exploit the vulnerability. For example, an attacker could use the exploit to remotely execute code repeatedly, in a way that produces the same results each time. This exploitability would make the vulnerability an attractive target for attackers, and therefore more likely that exploit code would be created. This designation is also used for vulnerabilities that are already being actively exploited. Customers who review the security bulletin and determine its applicability to their own environment could treat such a vulnerability with a higher priority.

2 - Exploit code would be difficult to build. This rating means that MSRC analysis shows that exploit code could be created, but that an attacker would likely have difficulty creating the code. Such difficulty might be the result of the need for expertise and sophisticated timing information, and/or varied results when targeting the affected product. For example, an exploit could cause remote code execution, but may only work one out of 10 times, or one out of 100 times, depending on the state of the computer being targeted and the quality of the exploit code. Although an attacker may increase the consistency of their results by having better understanding and control of the target environment, the unreliable nature of this vulnerability makes it a less attractive target for attackers. Customers who review the security bulletin and determine its applicability within their environment should treat this as a material update. If customers are prioritizing against other highly exploitable vulnerabilities, they could rank this lower in their deployment priority.

3 - Exploit code unlikely. This rating means that MSRC analysis shows that successfully functioning exploit code is unlikely to be released. It might be possible for exploit code to be released that could trigger the vulnerability and cause abnormal functionality, but it is unlikely that an attacker would be able to create an exploit that could fully exploit the vulnerability. Because vulnerabilities of this type require significant investment by attackers to be useful, the risk of exploit code being created and used within 30 days of a bulletin release is much lower. Therefore, customers who review the security bulletin to determine its applicability within their environment could prioritize this update below other vulnerabilities within a release.

Customers can use XI ratings along with the other information included with each security bulletin to identify the updates that most affect their business in a given month, which may affect their decisions about which updates to deploy first. For example, consider March 2013, when Microsoft released seven security bulletins. Of these, four bulletins were given an overall XI of 1, the most severe level. Security Bulletin MS13-027 is rated as Important, but has an XI of 1, whereas MS13-023 is rated as Critical, but only has an overall XI of 2.
Even though the impact of MS13-027 is potentially greater, we recommended installing MS13-023 first due to its increased risk of exploitability [10]. XI ratings are accompanied by Denial of Service (DoS) exploitability assessments, which indicate vulnerabilities that can be exploited to cause either temporary or permanent DoS conditions, as explained in Figure 3:

Figure 3. DoS exploitability assessment used by the Exploitability Index

Temporary: Exploitation of this vulnerability may cause the operating system or application to become temporarily unresponsive, until the attack is halted, or to exit unexpectedly but automatically recover. The target returns to the normal level of functionality shortly after the attack is finished.

Permanent: Exploitation of this vulnerability may cause the operating system or application to become permanently unresponsive, until it is restarted manually, or to exit unexpectedly without automatically recovering.
There are also certain issues that do not receive XI ratings at all. Starting in 2012, Microsoft established a Security Feature Bypass (SFB) vulnerability classification [11] to identify rare cases in which an attacker could potentially bypass a security feature in order to exploit another vulnerability. In most cases, following Microsoft's guidelines for best security practices can largely mitigate any potential impact from this class of vulnerability. Since the XI is designed to provide guidance on the potential for code execution only, SFB issues are not assigned an XI rating.

[10] For more information on assessing the risk for the March 2013 security updates, see blogs.technet.com/b/srd/archive/2013/03/12/assessingrisk-for-the-march-2013-security-updates.aspx.
[11] See MS13-006: Vulnerability in Microsoft Windows Could Allow Security Feature Bypass for an example of a Security Feature Bypass update.

Microsoft Exploitability Index statistics

The 92 security bulletins published from July 2012 to June 2013 resulted in 266 Exploitability Index ratings, as shown in the following table.
Figure 4. Microsoft Exploitability Index ratings, July 2012 - June 2013

Exploitability Index rating            Latest software release   Older software releases
1 - Exploit code likely                59                        104
2 - Exploit code would be difficult    17                        56
3 - Exploit code unlikely              16                        27
Not affected                           105                       14
Not applicable                         8                         4
Of these ratings, none were revised after release. An examination of different possible deployment scenarios illustrates how the Exploitability Index can help save organizations money and allow them to better allocate their resources:
Figure 5. Security bulletin deployment events under different scenarios, July 2012 - June 2013

Deployment scenario                                                                 Deployment events
Deploy all bulletins within 30 days                                                 92
Deploy only Critical bulletins within 30 days of release                            36
Deploy only Critical bulletins with an XI of 1 on release day                       32
Deploy only Critical bulletins with an XI of 1 on release day, when all systems
are on the most recent product release                                              21
While Microsoft recommends deploying all security bulletins in a timely fashion, Figure 5 illustrates how Exploitability Index ratings can help customers save time and money by prioritizing deployments. During this twelve-month period, a customer that prioritized deploying Critical updates with an Exploitability Index rating of 1, and used the most recent Windows client and server versions exclusively, could have deployed just 21 updates at the highest priority level, and used a less expensive non-urgent deployment process for the remaining 71 updates. Microsoft recommends that customers install all applicable security updates, including bulletins with an Exploitability Index of 3 or a severity rating of Moderate. Exploitation techniques change over time, and newly developed techniques can make it easier for an attacker to exploit vulnerabilities that had previously been more difficult to successfully exploit. Nevertheless, prioritization decisions will be made within each organization, where time and resources may often be limited. The Exploitability Index allows customers that face such limitations to better prioritize their update deployments.
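As an added illustration that is not part of the report, the following Python models the four deployment scenarios of Figure 5 on a constructed sample month. Bulletin IDs and ratings are invented; the release-day rule (Critical severity with an overall XI of 1, using only the latest-release rating when every system runs the most recent release) is taken from the text above, and the "overall XI" is assumed to be the most severe rating across the release lines an organization actually runs.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Bulletin:
    """One security bulletin with its per-release-line Exploitability Index (XI).

    xi_latest / xi_older hold the most severe XI across the bulletin's CVEs
    (1 = exploit code likely, 2 = difficult to build, 3 = unlikely) for the
    latest product release and for older releases. None stands for the
    'Not affected' / 'Not applicable' columns of Figure 4.
    """
    bulletin_id: str
    severity: str            # "Critical", "Important", "Moderate" or "Low"
    xi_latest: Optional[int]
    xi_older: Optional[int]


def overall_xi(b: Bulletin, latest_only: bool = False) -> Optional[int]:
    """Aggregate XI for a bulletin: the lowest (most exploitable) rating across
    the release lines in scope. An organization running only the most recent
    release can ignore the older-release column entirely."""
    ratings = [b.xi_latest] if latest_only else [b.xi_latest, b.xi_older]
    present = [r for r in ratings if r is not None]
    return min(present) if present else None


def is_release_day(b: Bulletin, latest_only: bool = False) -> bool:
    """Release-day criterion from the report: Critical severity and overall XI 1."""
    return b.severity == "Critical" and overall_xi(b, latest_only) == 1


# The four scenarios of Figure 5, as predicates over a single bulletin.
SCENARIOS: Dict[str, Callable[[Bulletin], bool]] = {
    "all_within_30_days": lambda b: True,
    "critical_within_30_days": lambda b: b.severity == "Critical",
    "critical_xi1_release_day": lambda b: is_release_day(b),
    "critical_xi1_release_day_latest_only": lambda b: is_release_day(b, latest_only=True),
}


def deployment_events(bulletins: List[Bulletin]) -> Dict[str, int]:
    """Count the urgent deployment events each scenario would produce."""
    return {name: sum(1 for b in bulletins if rule(b)) for name, rule in SCENARIOS.items()}


def deployment_plan(bulletins: List[Bulletin], latest_only: bool = False) -> Dict[str, str]:
    """Split a month into the release-day tier and the cheaper non-urgent process.
    Every bulletin still gets deployed, as the report recommends; only the
    urgency differs."""
    return {
        b.bulletin_id: ("release-day" if is_release_day(b, latest_only) else "non-urgent")
        for b in bulletins
    }


# Constructed sample month: IDs and ratings are invented, not real bulletins.
SAMPLE_MONTH: List[Bulletin] = [
    Bulletin("MSxx-001", "Critical", 1, 1),
    Bulletin("MSxx-002", "Critical", 2, 1),     # exploit code likely only on older releases
    Bulletin("MSxx-003", "Critical", None, 1),  # latest release not affected at all
    Bulletin("MSxx-004", "Critical", 2, 2),
    Bulletin("MSxx-005", "Critical", 3, None),
    Bulletin("MSxx-006", "Important", 1, 1),    # XI 1 but not Critical: not release-day
    Bulletin("MSxx-007", "Important", 2, 3),
    Bulletin("MSxx-008", "Moderate", 3, 3),
]


if __name__ == "__main__":
    for name, count in deployment_events(SAMPLE_MONTH).items():
        print(f"{name:40s} {count}")
    for bid, tier in deployment_plan(SAMPLE_MONTH, latest_only=True).items():
        print(bid, tier)
```

Running it shows the same narrowing the report describes: each scenario removes a further slice of urgent work, and the last step only pays off for organizations that have actually retired older releases.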
other than simply browsing to an affected Web site, these are rated as Critical vulnerabilities, the most severe type of vulnerabilities that we deal with at the MSRC. When I received a Software Security Incident Response Process (SSIRP) notification email, my suspicions were confirmed, and I knew we were in for some late hours. In cases like this one where quick response is vital, the MSRC uses the SSIRP to understand security incidents quickly, provide customers with timely and relevant information about it, and deliver security updates and other material as appropriate to restore normal operation. Being pulled into a SSIRP feels about the same as a friend signing you up for a marathon and letting you know the night before. I made some phone calls to the folks that I work with in the Internet Explorer product group who would be integral in the process of confirming the root cause of the vulnerability, as well as developing and testing a fix, then spent some time rallying the team and getting notes together for the initial meeting. One of the first things that I learned at Microsoft is that making quality software is not an easy task. When there is a clock running to protect customers with a fix for a vulnerability in the wild (being used against customers), it doesn't make that job any easier. I reserved a CVE vulnerability ID number, CVE-2012-4792, to track the vulnerability itself, and started to dive into the details of the technical situation with the help of the MSRC Engineering team (MSRC-E) and the Internet Explorer engineering team. The issue itself had to do with a vulnerability in the way Internet Explorer performed reference counting on Web pages. Under certain circumstances, Internet Explorer could be made to attempt to reference and use a page element that had already been deleted and for which the memory storing it had been freed.
An attacker could use this vulnerability to create a specially crafted Web page that could force Internet Explorer to execute malicious code in the context of the browser. I also started the process of drafting a security advisory to inform our customers as soon as possible about what we knew and how they could protect themselves, and sending it to internal partners for review. Because software doesn't get released into a void, we make a lot of effort at Microsoft to provide customers with the best information possible about ongoing and up-to-date security-related developments pertaining to our products. Microsoft Security Advisories are one of the mechanisms we use to provide this information. A security bulletin that included more information and the update code itself would come later. Much of this early work could be done over the telephone, which allowed me to work on the vulnerability while continuing to pursue a mostly normal holiday celebration with my family. I had moved to Seattle earlier in 2012, and my fiance and I were fortunate to have my parents come and join us for the holidays. We had planned a fairly busy schedule for taking my parents to see the sights of our new home in the Northwest, which led to me taking part in the SSIRP conference calls from interesting locations like the Queen Anne neighborhood close to the Space Needle and Seattle's historic Pike Place Market. On December 29, 2012, we published Microsoft Security Advisory 2794220 to inform the public that we were aware of the issue and working towards a fix.
Once root cause analysis was complete, I worked with the Internet Explorer PM to get the software update developed in the smallest amount of time possible. Once the code was complete, I delivered the update code and root cause analysis to our MSRC-E Defense team. The Defense team works with the exploits and samples that we have collected concomitantly with partners to develop the in-memory shims that we ship as Microsoft Fix it Solutions to break exploits we see being used against customers. As we were doing our work, exploit writers were staying busy too. On December 31, 2012, we revised Microsoft Security Advisory 2794220 to include the Fix it Solution, in response to the appearance of exploit code in some of the exploitation tools that get traded between malware authors and prospective attackers. The revised security advisory would enable our high-risk or highly concerned customers to take more effective steps to protect themselves in advance of the upcoming security bulletin release. With the exploit and the Fix it Solution available publicly, all of my efforts went to working with the test and release teams on the security update. We would be testing and publishing update code for 31 different configurations overall, covering Internet Explorer versions 6, 7, and 8 running on different Windows versions, service pack levels, and processor architectures. Each of these 31 update packages had to meet our quality assurance bar and be signed off on individually. I finally got to take a breather on Monday, January 14, 2013, when we released Microsoft Security Bulletin MS13-008 to customers worldwide via Windows Update and other channels. To put that sort of release into perspective, the package was downloaded to 286 million software installations. 
All in all, it made for a very busy few weeks for myself, the Internet Explorer team, and the rest of our internal and external partners, but ultimately it was very rewarding to be able to put so much time and effort toward something good for so many global customers, especially over the holiday.

- William Peteroy, Microsoft Security Response Center
When a Microsoft employee finds a likely vulnerability in a third-party product or site, he or she then informs the MSVR team, which coordinates communications about the issue between Microsoft (or the employee) and security teams at the other company. MSVR monitors progress as the vulnerability is tested, analyzed, and eventually fixed by the other company. Once that's accomplished, MSVR may choose to issue an advisory confirming the fix and directing customers to further information. From July 2012 to June 2013, MSVR issued 21 such advisories:
Figure 7. MSVR advisories issued from July 2012 to June 2013

Advisory number   Date         Advisory title
MSVR12-010        7/17/2012    Vulnerability in Cisco WebEx Player Could Allow Remote Code Execution
MSVR12-011        7/17/2012    Vulnerabilities in Nullsoft Winamp Could Allow Arbitrary Code Execution
MSVR12-012        8/21/2012    Safari Content-Disposition Handling Could Allow Cross-site Scripting
MSVR12-013        8/21/2012    Vulnerability in Foxit Reader Could Allow Arbitrary Code Execution
MSVR12-014        9/18/2012    Vulnerabilities in SumatraPDF Reader Could Allow Arbitrary Code Execution
MSVR12-015        9/18/2012    Memory Corruption in Google SketchUp Could Allow Arbitrary Code Execution
MSVR12-016        10/16/2012   Vulnerabilities in Ektron CMS Could Allow Arbitrary Code Execution
MSVR12-017        10/16/2012   Vulnerabilities in FFmpeg Libavcodec Could Allow Arbitrary Code Execution
MSVR12-018        11/20/2012   Memory Corruption in Symantec Ghost Could Allow Arbitrary Code Execution
MSVR12-019        11/20/2012   Oracle AutoVue DGN Parsing Could Allow Arbitrary Code Execution
MSVR12-020        11/20/2012   Oracle AutoVue DXF Parsing Could Allow Arbitrary Code Execution
MSVR12-021        12/18/2012   Memory Corruption in QuickTime Could Allow Arbitrary Code Execution
MSVR13-001        1/15/2013    Vulnerability in Lenovo ThinkPad Bluetooth with Enhanced Data Rate Software Could Allow Arbitrary Code Execution
MSVR13-002        2/19/2013    Vulnerability in VMware OVF Tool Could Allow Arbitrary Code Execution
MSVR13-003        2/19/2013    Vulnerability in VMware VMCI.sys Could Allow Local Elevation of Privilege
MSVR13-004        3/19/2013    Vulnerability in DjVuLibre Could Allow Remote Code Execution
MSVR13-005        4/16/2013    Vulnerability in SumatraPDF Reader Could Allow Remote Code Execution
MSVR13-006        5/21/2013    Memory Corruption in Nitro Reader Could Allow Arbitrary Code Execution
MSVR13-007        5/21/2013    Heap Corruption in Nitro Reader Could Allow Arbitrary Code Execution
MSVR13-008        6/18/2013    Cisco Security Service IPC Message Heap Corruption Could Allow Elevation of Privilege
MSVR13-009        6/18/2013    Cisco Security Service File Verification Bypass Could Allow Elevation of Privilege
Microsoft does not reveal vulnerability details to the public before a vendor issues remediation, unless there is significant evidence of active attacks on the vulnerability in the wild. (To date, MSVR has never yet had cause to release an advisory under those circumstances.) Microsoft also does not issue advisories on every issue addressed. Advisories are archived at www.microsoft.com/technet/security/advisory/MSVRarchive.mspx and may be revised as required to reflect new guidance or further information.

MSVR program statistics

Since July 2012, MSVR has taken delivery on 48 software vulnerability reports from 18 employees, affecting 26 third parties. In December 2012, MSVR began taking delivery on reports of cross-site scripting (XSS) issues on third-party sites, and to inform a subset of affected site proprietors. So far, the program has received reports on over 1000 affected sites and has ramped up an effort to reach out to critically affected sites with information and guidance.
In early 2013, a second pilot program, Microsoft App Response, launched to determine how MSVR's program can best be extended to applications hosted in the Windows online applications store and onward to online application stores offered for other Microsoft products. The pilot program took delivery on 59 potential issues and has reached out to the appropriate vendors to request updates to their apps. All issues processed by the non-pilot portion of MSVR in the course of the year were rated as Critical or Important in severity, according to our bug bar. Over the past five years, MSVR has taken vulnerability reports from over 65 unique finders. At the annual BlueHat security conference on the Redmond campus in December 2012, MSVR unveiled and distributed a challenge coin to honor all finders who reported at least one reproducible vulnerability over the course of the program.
Figure 8. Front (left) and back (right) of MSVR challenge coin
For more information, please see the Microsoft Vulnerability Research page at microsoft.com/security/msrc/collaboration/research.aspx.
Microsoft took another step to raise the profile of EMET in February 2013 when we announced the availability of official support for Premier and Professional customers, a development that many of our customers welcomed. We were particularly proud when the US Defense Information Systems Agency (DISA) included EMET in the Security Technical Implementation Guide (STIG) for Windows 8. STIGs are configuration standards for Department of Defense information assurance systems and play a critical role in locking down military systems and software that might be vulnerable to attack. All this interest in EMET inspires us every day, and we do our best to improve it. Every time we start planning a new version of EMET we ask ourselves a simple question: What can we do to better protect our global customers? In the MSRC, we deal with vulnerabilities, attacks, and exploitation techniques on a daily basis, which gives us a valuable perspective on the threat landscape and the trends that are likely to affect the computing ecosystem in the future. The information we gain from this directly informs our planning and design thoughts as we work to develop the feature set for the new version. We know that for a product to be effective, it needs to not only offer something valuable, but be usable and scalable as well, so we pay close attention to the feedback we receive from our customers as they tell us how they use EMET, what works, and what doesn't. This process culminated in June 2013 with the release of EMET 4.0, an improved and expanded version that includes several new features that we believe our customers will find useful and valuable. Some of these features include:
Certificate Trust. Attacks that leverage the certificate trust hierarchy have become more common within the last few years. In more than one instance, attackers have compromised a root certificate authority (CA) and issued malicious digital certificates in the root CA's name. The Certificate Trust feature in EMET 4.0 introduces an SSL/TLS certificate pinning mechanism that checks certificates against a configurable list of domains and their corresponding root CAs. If a certificate presented for a Web site was issued by a different root CA than the one expected for that domain, EMET alerts the user to the possibility of an attack.
Early Warning Program. When this feature is enabled, EMET sends information to Microsoft whenever it detects and blocks an exploit. Typically, new zero-day exploits are discovered when a security researcher or company notices them being hosted on watering hole Web sites or spread through phishing emails. Once an exploit is discovered, there is no way to obtain a count of victims, or to know how long attackers have been using it. The MSRC hopes to use the Early Warning Program to fill in some of these gaps by collecting information that can be used to identify and respond to new vulnerabilities more quickly than has previously been possible. Enterprise customers that use tools such as Microsoft Desktop Optimization Pack or System Center Operations Manager Agentless Monitoring will be able to forward EMET's generated error reports to their on-premises servers, and will be able to investigate attacks that have been detected inside their environment. Since EMET also protects non-Microsoft software, Microsoft will use information gathered about zero-day exploits in third-party software to work with the affected vendor through the Microsoft Vulnerability Research program.
New mitigations. In 2012 Microsoft held the BlueHat Prize, which awarded over $260,000 USD for the best defense technologies to mitigate the exploitation of memory corruption vulnerabilities. We received several excellent submissions, most of them related to countering Return Oriented Programming (ROP), a technique commonly used in exploits to bypass the Data Execution Prevention (DEP) security feature in Windows. We took some of those ideas and implemented them in a July 2012 Technical Preview release of EMET. In EMET 4.0, these mitigations have been hardened and improved in terms of performance and compatibility. As exploitation techniques evolve over time, we have also added additional ROP-related mitigations targeted at new techniques that we have recently observed.
Audit Mode. This is a new feature that has been added to EMET 4.0 based on feedback received from customers. Previous versions of EMET's mitigations have sometimes caused compatibility issues with certain specific software programs, especially older ones. When a mitigation is incompatible with an application, EMET often erroneously detects the incompatibility as an attack and terminates the application, disrupting the user experience. Audit Mode enables administrators to deploy EMET into a production environment for purposes of monitoring and evaluating its behavior and compatibility with existing software. When Audit Mode is enabled, EMET does not terminate the affected process once a mitigation is triggered, enabling administrators to determine whether any compatibility issues are present. Once administrators have a clear understanding of which mitigations generate compatibility issues with the applications deployed in their environment, EMET's configuration can be fine-tuned and it can finally be deployed in Stop Mode, its default behavior.
In addition to these new features, many mitigations have been improved and hardened in EMET 4.0, many application compatibility issues have been solved, and the user interface has been improved. We believe these new features and enhancements, along with the other features that have been a part of EMET for years, make EMET what many IT departments will find to be an indispensable assistant in their efforts to keep their environments safe.
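The Certificate Trust feature described above checks the root CA that anchors a site's certificate chain against a configured list of domains and expected roots, and alerts on a mismatch. The following Python is an added illustration of that pinning logic, written for this report; it is not EMET's own code, and the pin table, certificate thumbprints and chains in it are constructed sample values. It pins on the root CA (as the feature description does) rather than on the leaf certificate, allows more than one acceptable root per domain so that a CA migration does not break the pin, and treats a missing or non-self-signed chain end as an alert rather than silently passing it.

```python
"""Illustration of domain-to-root-CA certificate pinning, in the style of the
EMET 4.0 Certificate Trust feature.  Added example, not EMET's code.  All
thumbprints, domains and chains below are constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CertInfo:
    """Minimal view of one X.509 certificate: only the fields the pin check needs."""
    subject: str
    issuer: str
    thumbprint: str  # hex digest of the DER encoding; constructed values below


# Constructed pin table (hypothetical): each pinned domain maps to the set of
# root-CA thumbprints allowed to anchor its chain.  Allowing more than one root
# lets a site move between CAs without the pin firing on the legitimate change.
PIN_TABLE = {
    "login.example.com": {"1111aaaa" * 5},
    "mail.example.com": {"1111aaaa" * 5, "2222bbbb" * 5},
}


def chain_root(chain: List[CertInfo]) -> Optional[CertInfo]:
    """Return the self-signed root that terminates the chain, or None when the
    chain is empty or its last certificate is not self-signed (incomplete chain)."""
    if not chain:
        return None
    root = chain[-1]
    return root if root.subject == root.issuer else None


def check_pin(domain: str, chain: List[CertInfo]) -> Tuple[str, str]:
    """Compare the observed chain's root CA against the pin table.

    Returns (verdict, detail) where verdict is one of:
      "UNPINNED" - domain has no pin configured, nothing to enforce
      "OK"       - chain is anchored by one of the expected roots
      "ALERT"    - chain is missing, malformed, or anchored by an unexpected root
    """
    expected = PIN_TABLE.get(domain.lower())
    if expected is None:
        return "UNPINNED", f"{domain}: no pin configured"
    root = chain_root(chain)
    if root is None:
        return "ALERT", f"{domain}: chain does not end in a self-signed root"
    if root.thumbprint in expected:
        return "OK", f"{domain}: anchored by expected root '{root.subject}'"
    return "ALERT", (f"{domain}: root '{root.subject}' ({root.thumbprint[:8]}...) "
                     "is not an expected root for this domain")


# Constructed sample chains: one anchored by the pinned root, one by a different root.
EXPECTED_ROOT = CertInfo("CN=Example Root CA", "CN=Example Root CA", "1111aaaa" * 5)
OTHER_ROOT = CertInfo("CN=Other Root CA", "CN=Other Root CA", "9999ffff" * 5)
GOOD_CHAIN = [
    CertInfo("CN=login.example.com", "CN=Example Issuing CA", "abcd0001" * 5),
    CertInfo("CN=Example Issuing CA", "CN=Example Root CA", "abcd0002" * 5),
    EXPECTED_ROOT,
]
ROGUE_CHAIN = [
    CertInfo("CN=login.example.com", "CN=Other Issuing CA", "abcd0003" * 5),
    CertInfo("CN=Other Issuing CA", "CN=Other Root CA", "abcd0004" * 5),
    OTHER_ROOT,
]

if __name__ == "__main__":
    for name, chain in (("GOOD_CHAIN", GOOD_CHAIN), ("ROGUE_CHAIN", ROGUE_CHAIN)):
        verdict, detail = check_pin("login.example.com", chain)
        print(f"{name}: {verdict} - {detail}")
```

A root-CA mismatch is a signal, not proof of compromise: a site that legitimately switches CAs trips the same check, which is why the feature as described alerts the user rather than blocking the connection, and why the pin table must be kept current when a pinned domain changes its CA.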
Summary
Program refinements to Microsoft's security initiatives and programs are focused on better protecting our global customers' computer systems, while providing customers with critical information to better manage their computer security and privacy. New programs, such as MAPP for Responders and tools like MAPP Scanner, are ways to improve industry collaboration with incident response partners to help rapidly assess suspect files and URLs. MAPP will continue to be a strategic asset for security software providers worldwide. The Exploitability Index (XI) ratings continue to be a valuable part of the Microsoft monthly security bulletin release cycle. Customers use the XI ratings along with the other information included with each security bulletin to identify the updates that most affect their business in a given month. EMET 4.0 has proven to be effective in stopping zero-day exploits. EMET stopped exploits in the wild for all four of the most recently released security advisories that involved memory corruption vulnerabilities. Government agencies, media outlets, and other companies have joined us in recommending EMET as an effective mitigation tool that can help organizations increase the security of their systems. The Internet Explorer 11 Bug Bounty program is one of several unique ways that Microsoft continues to work to meet the threats our customers face in an ever-changing threat landscape. To date this program has been well received, and we expect to have more data and program-specific information soon. The threat landscape will continue to evolve and increase in complexity, especially as attackers look for new technologies to exploit. Microsoft's increased collaboration with industry partners and our customers will be key to helping provide safer, more trusted computing experiences.
Long term, it's industry collaboration that will help better protect our customers, where the combined efforts of industry, governments, and community-based defenses work together to help keep our computing systems secure.