Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

June, 2013

  • Security Development Conference 2013: Highlights (Part 2)

    In today’s digital world, organizations simply cannot afford to conduct business online without taking security into account.  Whether you buy or sell software, security has to be a top priority.  It’s just good business.  In part one of this series we touched on security standards as an important topic that was discussed at the Security Development Conference last month.  In this part of the series, we share insights on the importance of security to organizations that conduct business online. 

    While at the Security Development Conference, I had an opportunity to sit down with Edna Conway, Chief Security Officer, Global Supply Chain for Cisco and discuss how they think about security in the context of the supply chain.   Edna discusses how security is the first and most important node of the supply chain at Cisco.  She shares how they embed security early on into the design and development stage of a product’s concept.  Watch this short video to hear more about how Cisco embeds software security into its portfolio of products.  Read more.

  • Security Development Conference 2013: Highlights (Part 1)

    Almost 70 years ago, government officials met in San Francisco and formed the United Nations, as a result of growing concerns around international peace and security.  Interestingly enough, last month, Microsoft hosted the Security Development Conference 2013  in San Francisco, CA where security professionals from hundreds of organizations around the world met to discuss proven security development practices that can help reduce organizational risk.

    While at the event, I had an opportunity to meet with several distinguished security leaders and discuss advancements that are being made across the industry.  For those of you that missed the conference, I encourage you to follow this series as we dive deeper into some of the hot topics to surface from this year’s conference. 

    One of the topics that generated a lot of discussion at the conference was the emergence of secure software development standards, specifically ISO 27034.  While at the conference, Microsoft announced its Declaration of Conformity with ISO 27034-1.  Check out this short video as we hear from Scott Charney, Corporate Vice President for Trustworthy Computing and Steve Lipner, Partner Director of Program Management at Microsoft on the significance of this standard.  Read more.

  • The Importance of Smartphone Security

    It’s no surprise that mobile phone usage has exploded over the past decade.  According to a study by ITU, there are roughly 6.8 billion mobile cellular subscriptions worldwide today.  As technology becomes more and more woven into the fabric of society, smartphone usage has become an increasingly common extension for desktop computing devices.  Employees are configuring their personal smartphones to access company information and IT Professionals often struggle with how to manage the protection of corporate data. 

    This dynamic has created new opportunities for cybercrime.  Cybercriminals are increasingly targeting smartphone devices using a variety of tactics for malicious intent.  These tactics include the repackaging of popular applications with malicious code for download in app stores or marketplaces, malicious URLs designed to deceive users into downloading apps or provide personal information, or leveraging erroneous SMS messages or “smishing” as a means to drive up a smartphone subscriber’s bill. Read more.

  • Now Available: Enhanced Mitigation Experience Toolkit (EMET) Version 4.0

    Today we released a new version of our Enhanced Mitigation Experience Toolkit (EMET 4.0).  EMET is a free mitigation tool designed to help IT Professionals and developers prevent vulnerabilities in software from being successfully exploited. The tool works by protecting applications via the latest security mitigation technologies built into Windows, even in cases where the developer of the application didn’t opt to do this themselves. By doing so, it enables a wide variety of software to be made significantly more resistant to exploitation – even against zero day vulnerabilities and vulnerabilities for which an update has not yet been applied.

    EMET has been a very popular tool among customers trying to manage risk associated with insecure applications they have in their environments.  Over the past year we have seen some attackers evolve their tactics in ways that we believe can be mitigated with a tool like EMET. We have also received feedback from a number of customers on how we could make EMET better fit their needs.  This information has been invaluable in enhancing the latest version of the tool.  EMET 4.0, released today, incorporates a number of new enhancements including protection against Man in the Middle attacks leveraging the Public Key Infrastructure (PKI), and hardening of Return-Oriented Programming (ROP) mitigations.  This version also addresses some known compatibility issues and is designed to work with some of our latest technologies such as Internet Explorer 10 and Windows 8. Read more

  • Targeted Attacks Video Series

    Many of the CISOs I talk to tell me that “Advanced Persistent Threats” (APT) style attacks are among their top concerns.  As I have written about before, the problem with the term APT is that it doesn’t describe this category of threats very accurately.  This makes it harder to understand and mitigate this type of threat.  Many of the threats we see in this category are not any more “advanced” or technically sophisticated than many of the broad-based attacks currently in use on the Internet.  At Microsoft we find that a more accurate and useful term for this category of threat is “targeted attacks by determined adversaries”.  The vast majority of these attacks use unpatched vulnerabilities for which updates are available, weak passwords, and social engineering to compromise systems.

    Microsoft has released a series of whitepapers that are designed to help organizations understand and manage the risk posed by targeted attacks by determined adversaries.  Read more.

  • Security Intelligence Report v14 on the Road: Malaysia, India and Singapore

    While on the road in Asia, I had an opportunity to meet with security professionals from Malaysia, India and Singapore to discuss regional threat trends based on data from our latest Microsoft Security Intelligence Report.  These discussions and an analysis of the threat landscape for Asia are summarized below. Read more.

  • Students - This is the last week to Enter the Cybersecurity 2020 Essay Contest

    Have you considered what cybersecurity policy choices have the most impact on cybersecurity outcomes? If so, this is the last week to enter our Cybersecurity 2020 essay contest for a chance to win the $5,000.00 cash prize!

    To enter, send an email to with your essay in Microsoft Word format and include the following information: first name, last name, email address, and school / university. Entries must be received by 11:59 p.m. Pacific Time (PT) on June 14, 2013.  For more information, including official rules of the contest, please visit:

  • Now available - "Windows Server 2012 Security from End to Edge and Beyond"

    You might recall back in November, I wrote an article that discussed a new book for IT Professionals releasing in the coming months entitled “Windows Server 2012 Security from End to Edge and beyond.”  The book is now available and you can obtain a copy through online retails such as Amazon or Barnes & NobleRead more

  • Security Intelligence Report v14 on the Road: Hong Kong S.A.R.

    According to the recently released Microsoft Security Intelligence Report volume 14, Hong Kong continues to enjoy one of the lowest malware infection rates in the world.  Figure 1 illustrates how Hong Kong’s infection rate has trended from the third quarter of 2011 (3Q11) to the fourth quarter of 2012 (4Q12).  The Microsoft Malicious Software Removal Tool (MSRT) found 2.2 systems infected with malware for every 1,000 systems scanned in the fourth quarter of 2012 while the worldwide average was 6.0 during the same period. Read more

  • European Union check-up: Locations with Lowest Infection Rates in the EU and What We Can Learn From Them

    In the first part of this series on the threat landscape in the European Union (EU) I examined threats found in the location with the highest malware infection rate, Romania.  In the second part of the series I discussed malicious websites that are hosted in the EU.  In this final article in the series I will look at the EU member states that have the lowest malware infection rates and share insights that other, more infected locations, might use to improve. The analysis in all three of these articles leverages data from the recently released Microsoft Security Intelligence Report volume 14 (SIRv14) and previous volumes and focuses on the fourth quarter of 2012 (4Q12). 

    Before looking at the locations with the lowest malware infection rates in the EU, first let’s look at how threat categories and families have been trending in the EU as a whole during the eighteen month period between the third quarter of 2011 (3Q11) and the fourth quarter of 2012 (4Q12).  Figure 1 illustrates how threat categories have been trending in the EU.  In my opinion, the most serious concern is the upward trend in exploit activity in the EU.  Increased levels of drive-by download attacks and parser exploit attacks are major contributors to this trend.  I discuss these attacks in more detail below.  The other disconcerting trend is the consistently high levels of, and recent uptick in, detections of Miscellaneous Potentially Unwanted Software.  Much of this looks to be related to increased usage of tools that enable software piracy.  Read more