Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

June, 2014

  • Microsoft Takes Legal Action to fight Malware: Bladabindi and Jenxcus

    Today, Microsoft filed a civil suit against a Dynamic DNS provider in the U.S. (Vitalwerks Internet Solutions, LLC, doing business as No-IP.com) and identified two individuals who are believed to have used this DNS provider to spread and control dangerous malware (Bladabindi and Jenxcus) on unsuspecting victims. Bladabindi or Jenxcus was encountered more than 7.4 million times over the past twelve months worldwide.

    The two people identified allegedly used social media to flaunt their creation and dissemination of two well-known types of malware, known by the Microsoft Malware Protection Center (MMPC) as Jenxcus and Bladabindi.

  • How Vulnerabilities are Exploited: the Root Causes of Exploited Remote Code Execution CVEs

    It is impossible to completely prevent vulnerabilities from being introduced during the development of large-scale software projects. As long as human beings write software code, mistakes that lead to imperfections in software will be made – no software is perfect. Some imperfections simply prevent the software from functioning exactly as intended, but other bugs may present vulnerabilities.

    Manual code reviews performed by developers and testers, in concert with automated tools such as fuzzers and static analysis tools, are very helpful techniques for identifying vulnerabilities in code. But these techniques cannot find every vulnerability in large-scale software projects. As developers build more functionality into their software, their code becomes more and more complex. The challenge of finding vulnerabilities in very complex code is compounded by the fact that there are an infinite number of ways that developers can make coding errors that create vulnerabilities, some of which are very, very subtle.

    Have you ever wondered what a vulnerability looks like? To illustrate how subtle a security vulnerability can be, the following small code sample contains a vulnerability that is difficult to find using code reviews or tools or both.

  • Microsoft Interflow: a new Security and Threat Information Exchange Platform

    Today, the Microsoft Security Response Center (MSRC) announced the private preview of Microsoft Interflow. This is a security and threat information exchange platform for cybersecurity analysts and researchers.

    Interflow provides an automated, machine-readable feed of threat and security information that can be shared across industries and community groups in near real time. The platform exchanges this information using the open specifications STIX™ (Structured Threat Information eXpression), TAXII™ (Trusted Automated eXchange of Indicator Information), and CybOX™ (Cyber Observable eXpression). This enables Interflow to integrate, through a plug-in architecture, with the existing operational and analytical tools that many organizations use. It has the potential to help reduce the cost of defense by automating processes that are currently performed manually.

    You can get more information on Microsoft Interflow on the MSRC blog, as well as in this FAQ and at www.microsoft.com/interflow.

  • When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities

    One of the questions I get asked from time to time is about the days of risk between the time that a vulnerability is disclosed and when we first see active exploitation of it; i.e. how long do organizations have to deploy the update before active attacks are going to happen? Trustworthy Computing’s Security Science team published new data that helps put the timing of exploitation into perspective, in the recently released Microsoft Security Intelligence Report volume 16.

    The Security Science team studied exploits that emerged for the most severe vulnerabilities in Microsoft software between 2006 and 2013. The exploits studied were for vulnerabilities that enable remote code execution. The timing of the release of the first known exploit for each remote code execution vulnerability was examined and the results were put into three groups.

  • Who Exploits Vulnerabilities: the Path from Disclosure to Mass Market Exploitation

    Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of the software or the data that it processes. Some of the worst vulnerabilities allow attackers to exploit the compromised system by causing it to run malicious code without the user’s knowledge. New research in the latest volume of the Microsoft Security Intelligence Report, volume 16, provides insight into the journey that remote code execution (RCE) exploits take between their first use and their eventual inclusion in criminal exploit kits that seek to attack systems on a mass scale.

    The parties that initially disclose vulnerabilities are not always the same parties that go on to develop and use exploits that take advantage of them. Vulnerability disclosures originate from a variety of sources, from dangerous disclosures (such as from malicious exploit developers and vulnerability sellers) to limited beneficial disclosures (such as the affected software vendors themselves and security researchers who are committed to coordinated vulnerability disclosure).

    To explore how exploits make their way into criminal hands, Microsoft analyzed exploits targeting the 16 RCE vulnerabilities in various software products that had known exploits discovered between January 2012 and February 2014.

  • New Guidance for Securing Public Key Infrastructure

    Public Key Infrastructure (PKI) is used as a building block to provide key security controls, such as data protection and authentication for organizations. Many organizations operate their own PKI to support things like remote access, network authentication and securing communications.

    The threat of compromise to IT infrastructures from attacks is evolving. The motivations behind these attacks are varied, and compromising an organization’s PKI can significantly help an attacker gain access to the sensitive data and systems they are after.

    To help enterprises design PKI and protect it from emerging threats, Microsoft IT has released a detailed technical reference document, “Securing Public Key Infrastructure.”

  • Keeping Oracle Java updated continues to be high security ROI

    New data from the recently published Security Intelligence Report volume 16 (SIRv16) suggests that keeping Java up to date with security updates is one of the most effective ways to protect environments from attackers. One of the most popular tactics attackers use to try to exploit vulnerabilities in Java is exploit kits.

    Exploit kits used by cybercriminals to attack software have been around since at least 2006 in various forms. In 2010, the initial release of the Blackhole exploit kit made it easier than ever to configure and operate malicious websites designed to infect unpatched systems with malware. I have written about this particular exploit kit before: The Rise of the “Blackhole” Exploit Kit: The Importance of Keeping All Software Up To Date.

  • Regional Threat Assessments: New Interactive Capabilities

    If you follow our blog, then you are likely aware that we recently released Volume 16 of the Microsoft Security Intelligence Report. What you may not be aware of is that with this release, we overhauled the Regional Threat Assessment section of our website to give visitors a much more robust interactive digital experience. This blog post is intended to provide a summary of the enhancements that are now available.

  • Microsoft Digital Crimes Unit Partners with FBI to Fight Zeus Malware

    Today the FBI announced the disruption of GameOver Zeus, a variant of the infamous Zeus family of malware. As part of this action, Microsoft’s Digital Crimes Unit worked with the FBI and industry partners to remove the malware so that infected computers can no longer be used for harm. Zeus, also known as Win32/Zbot, is a family of trojans that is designed to steal personal and financial information and give attackers access to and control of compromised systems, and it has been used to spread ransomware.

    You can get all the details of this effort right from the Microsoft Digital Crimes Unit.