One year ago this week we challenged the security community to take an unconventional focus on defensive innovation. We called that challenge the BlueHat Prize, and tomorrow night, we will award the grand prize of $200,000 to one of the finalists, either Jared DeMott, Ivan Fratric, or Vasilis Pappas. All three finalists submitted prototype mitigations that help prevent exploits that use Return Oriented Programming (ROP) techniques.

But that’s tomorrow night. Today, I’m excited to announce that we’ve already been able to incorporate one of these winning technologies into our free Enhanced Mitigation Experience Toolkit (EMET) 3.5 technology preview. The new Tech Preview of EMET offers four new checks based on Ivan Fratric’s ROP exploit mitigation to help prevent attacks utilizing ROP techniques. Considering the contest submission period closed April 1, I’m thrilled the team has been able to integrate the technology into EMET so quickly. The fact that the BlueHat Prize has gone from contest announcement to real protection for customers within a single calendar year shows the positive impact of collaboration with the security community. You can get additional details about this technology preview in the SRD blog and in the following video featuring Dustin Childs and Elias Bachaalany.

In the MSRC, we often talk about exploit economics – the idea that increasing the difficulty of attack makes it more expensive (in terms of time and effort) and begins discouraging exploitation. EMET 3.5 is a great example of exploit economics in action as it offers protection for entire classes of vulnerabilities. EMET also provides defenses that protect assets from unknown threats.

This week we also released our annual MSRC progress report, which covers from June 2011 through July 2012. This report highlights our collaboration with the security community and the industry at large through programs like Microsoft Active Protections Program (MAPP) and Microsoft Vulnerability Research (MSVR). Today, information shared through the MAPP community helps protect more than 1 billion customers and significantly reduces the time it takes security vendors to create protections. Through the MSVR program this year, we reported 96 vulnerabilities to 39 different vendors. You can read more about each of these programs (and more!) in the progress report.

I can’t wait to see the conclusion of the first BlueHat Prize tomorrow night, and I’m looking forward to all of the opportunities we’ll have to speak with partners, researchers, and customers at Black Hat. If you have time, swing by the Microsoft booth to say hello. While there, let us know what you think represents the most pressing industry-wide security issue and enter for your chance to win one of four $5,000 prizes as a part of our BlueHat Prize Question Sweepstakes. Check out the rules here.

I look forward to seeing you at Black Hat!

Matt Thomlinson
General Manager
Trustworthy Computing Security