Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

  • #TBT : Be Safer–Run as Standard User

    For #ThrowBackThursday, I thought it would be good to pull out an oldie but goodie. The original post is from back before the blog evolved into the Microsoft Security Blog and was still called “Jeff Jones Security Blog”. I’m including the full original text below, but this guidance applies today to whatever PC you are running. I hope you enjoy and welcome any comments you might have here or on @MSFTSecurity. Best regards, Jeff Be Safer - Run as Standard User I do my work...
  • New Strategies and Features to Help Organizations Better Protect Against Pass-the-Hash Attacks

    Posted by Matt Thomlinson, Vice President, Microsoft Security

    Today, we released new guidance to help our customers address credential theft, called Mitigating Pass-the-Hash and Other Credential Theft, version 2. The paper encourages IT professionals to “assume breach”, and shows how planning strategies combined with features in Microsoft Windows make an environment more resilient to credential theft attacks. This paper builds on our previously released guidance and mitigations for Pass-the-Hash (PtH) attacks.

    Given that organizations must continue to operate after a breach, it is critical for them to have a plan to minimize the impact of successful attacks on their ongoing operations. Adopting an approach that assumes a breach will occur ensures that organizations have a holistic plan in place before an attack occurs. A planned approach enables defenders to close the seams that attackers are aiming to exploit.

    The guidance also underscores another important point: technical features alone may not prevent lateral movement and privilege escalation. To substantially reduce credential theft attacks, organizations should consider the attacker mindset and use strategies such as identifying key assets, implementing detection mechanisms, and having a breach recovery plan. These strategies can be combined with Windows features to provide a more effective defensive approach, and are aligned to the well-known National Institute of Standards and Technology (NIST) Cybersecurity Framework. Read more
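    The “detection mechanisms” the paper calls for are left abstract in the summary above. The following is an added example (not from the paper or from Microsoft) of two detections a SOC can run over Windows Security log records: a 4624 event with Logon Type 9 through the seclogo logon process (the shape produced by runas /netonly and by tooling that injects stolen credentials into a new logon session), and one source address completing NTLM network logons with one account to many hosts (lateral movement fan-out). The event records, the host names and the fan-out threshold of 3 are constructed for the example and must be tuned to the environment.

```python
"""Added example: two pass-the-hash style detections over constructed
Windows Security Event 4624 records. Field names and thresholds are
assumptions for this example, not from the Microsoft guidance."""
from collections import defaultdict

# Constructed sample records (subset of the fields in Event ID 4624/4625).
SAMPLE_EVENTS = [
    # Ordinary interactive console logon.
    {"EventID": 4624, "LogonType": 2, "LogonProcess": "User32",
     "AuthPackage": "Negotiate", "TargetUser": "alice",
     "SourceIP": "127.0.0.1", "Host": "WS01"},
    # Logon Type 9 via seclogo: alternate credentials injected into a
    # new logon session (runas /netonly, or pth-style tooling).
    {"EventID": 4624, "LogonType": 9, "LogonProcess": "seclogo",
     "AuthPackage": "Negotiate", "TargetUser": "alice",
     "SourceIP": "::1", "Host": "WS01"},
    # NTLM network logons: one workstation, one account, many servers.
    {"EventID": 4624, "LogonType": 3, "LogonProcess": "NtLmSsp",
     "AuthPackage": "NTLM", "TargetUser": "svc_backup",
     "SourceIP": "10.0.0.5", "Host": "SRV01"},
    {"EventID": 4624, "LogonType": 3, "LogonProcess": "NtLmSsp",
     "AuthPackage": "NTLM", "TargetUser": "svc_backup",
     "SourceIP": "10.0.0.5", "Host": "SRV02"},
    {"EventID": 4624, "LogonType": 3, "LogonProcess": "NtLmSsp",
     "AuthPackage": "NTLM", "TargetUser": "svc_backup",
     "SourceIP": "10.0.0.5", "Host": "SRV03"},
    # Kerberos network logon: the expected case inside a domain.
    {"EventID": 4624, "LogonType": 3, "LogonProcess": "Kerberos",
     "AuthPackage": "Kerberos", "TargetUser": "bob",
     "SourceIP": "10.0.0.7", "Host": "SRV01"},
    # Failed logon (4625): ignored by both rules, which count successes.
    {"EventID": 4625, "LogonType": 3, "LogonProcess": "NtLmSsp",
     "AuthPackage": "NTLM", "TargetUser": "svc_backup",
     "SourceIP": "10.0.0.5", "Host": "SRV04"},
]


def detect_pth_logons(events):
    """Rule 1: successful logon with LogonType 9 (NewCredentials) through
    seclogo using Negotiate. Assumption: rare for ordinary users, so every
    hit is worth an analyst's look."""
    hits = []
    for e in events:
        if (e["EventID"] == 4624 and e["LogonType"] == 9
                and e["LogonProcess"].lower() == "seclogo"
                and e["AuthPackage"].lower() == "negotiate"):
            hits.append({"user": e["TargetUser"], "host": e["Host"]})
    return hits


def detect_ntlm_fanout(events, threshold=3):
    """Rule 2: one (source IP, account) pair completing NTLM network
    logons (LogonType 3) to at least `threshold` distinct hosts.
    Assumption: the threshold is environment-specific; 3 fits the sample."""
    targets = defaultdict(set)
    for e in events:
        if (e["EventID"] == 4624 and e["LogonType"] == 3
                and e["AuthPackage"].upper() == "NTLM"):
            targets[(e["SourceIP"], e["TargetUser"])].add(e["Host"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= threshold}


if __name__ == "__main__":
    for hit in detect_pth_logons(SAMPLE_EVENTS):
        print("alternate-credential logon:", hit)
    for (src, user), hosts in detect_ntlm_fanout(SAMPLE_EVENTS).items():
        print(f"NTLM fan-out from {src} as {user}: {', '.join(hosts)}")
```

    Neither rule proves credential theft on its own; both are meant to surface the small set of logons that deserve correlation with the "key assets" inventory the guidance asks organizations to build.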

  • The Secret of the SDL

    “We all knew what the problems were, but the real issue was, things were getting worse and worse. How were we going to get ahead of this?  That’s what we really had to go fix.” – Steve Lipner, Partner Director of Program Management at Microsoft.

    When researchers at a small firm called eEye Digital Security noticed a nasty self-replicating piece of code known today as “Code Red,” little did they know that this worm, named after a flavor of Mountain Dew, would also kick off the tech industry’s best security model. It’s stories like this one, captured in the new in-depth magazine “Life in the Digital Crosshairs: the dawn of the Microsoft Security Development Lifecycle,” that chronicle how the Microsoft Security Development Lifecycle (SDL) has been helping public and private organizations, for the past 10 years, change their engineering cultures and develop more secure software.

    “Our Secure Product Lifecycle is analogous to Microsoft’s Security Development Lifecycle,” says Brad Arkin, chief security officer at Adobe. “We value this process and the information it helps protect.” Read more

  • Microsoft Takes Legal Action to fight Malware: Bladabindi and Jenxcus

    Today, Microsoft filed a civil suit against a Dynamic DNS provider in the U.S. (Vitalwerks Internet Solutions, LLC, doing business as ) and identified two individuals who are believed to have used this DNS provider to spread dangerous malware (Bladabindi and Jenxcus) to unsuspecting victims and to control it. Bladabindi or Jenxcus were encountered more than 7.4 million times worldwide over the past twelve months.

    The two people identified allegedly used social media to flaunt their creation and dissemination of two well-known types of malware, known by the Microsoft Malware Protection Center (MMPC) as Jenxcus and Bladabindi. Read more

  • How Vulnerabilities are Exploited: the Root Causes of Exploited Remote Code Execution CVEs

    It is impossible to completely prevent vulnerabilities from being introduced during the development of large-scale software projects. As long as human beings write software code, mistakes that lead to imperfections in software will be made – no software is perfect. Some imperfections simply prevent the software from functioning exactly as intended, but other bugs may present vulnerabilities.

    Manual code reviews performed by developers and testers, in concert with automated tools such as fuzzers and static analysis tools, are very helpful techniques for identifying vulnerabilities in code. But these techniques cannot find every vulnerability in large-scale software projects. As developers build more functionality into their software, their code becomes more and more complex. The challenge of finding vulnerabilities in very complex code is compounded by the fact that there is no end to the ways developers can make coding errors that create vulnerabilities, some of which are very subtle.

    Have you ever wondered what a vulnerability looks like? To illustrate how subtle a security vulnerability can be, the full post walks through a small code sample containing a vulnerability that is difficult to find using code review, tools, or both. Read more

  • Microsoft Interflow: a new Security and Threat Information Exchange Platform

    Today, the Microsoft Security Response Center (MSRC) announced the private preview of Microsoft Interflow. This is a security and threat information exchange platform for cybersecurity analysts and researchers.

    Interflow provides an automated, machine-readable feed of threat and security information that can be shared across industries and community groups in near real time. The platform exchanges this information using the open specifications STIX™ (Structured Threat Information eXpression), TAXII™ (Trusted Automated eXchange of Indicator Information), and CybOX™ (Cyber Observable eXpression). This lets Interflow integrate, through a plug-in architecture, with the operational and analytical tools many organizations already use, and it has the potential to reduce the cost of defense by automating processes that are currently performed manually.
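    What “machine-readable” buys a defender is that indicators can be consumed by code rather than read by an analyst. The following is an added example (not Interflow’s code and not a real feed) that parses a constructed STIX 1.1 package carrying two indicators, an IPv4 address expressed as a CybOX AddressObject and a SHA-256 expressed as a CybOX FileObject hash, and matches them against constructed proxy log lines and a constructed host file-hash inventory. The package, the indicator IDs, the addresses, the hash and the log format are all assumptions made for the example; the namespace URIs are those of STIX 1.x and CybOX 2.x, but only the subset of the schemas used here is handled.

```python
"""Added example: consume a (constructed) STIX 1.1 package and match its
indicators against local observations. Not Interflow's own code."""
import re
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
}

# Constructed package: two indicators, one address and one file hash.
SAMPLE_STIX = """<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
  xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  id="example:Package-1" version="1.1.1">
 <stix:Indicators>
  <stix:Indicator id="example:Indicator-1" xsi:type="indicator:IndicatorType">
   <indicator:Title>C2 server</indicator:Title>
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
     <AddressObj:Address_Value>198.51.100.23</AddressObj:Address_Value>
    </cybox:Properties>
   </cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:Indicator-2" xsi:type="indicator:IndicatorType">
   <indicator:Title>Dropper binary</indicator:Title>
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
     <FileObj:Hashes><cyboxCommon:Hash>
      <cyboxCommon:Type>SHA256</cyboxCommon:Type>
      <cyboxCommon:Simple_Hash_Value>4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce</cyboxCommon:Simple_Hash_Value>
     </cyboxCommon:Hash></FileObj:Hashes>
    </cybox:Properties>
   </cybox:Object></indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>
"""

# Constructed local observations: proxy log lines and a file-hash inventory.
SAMPLE_PROXY_LOG = """\
2014-06-24T10:01:02Z 10.0.0.5 CONNECT 203.0.113.9:443 200
2014-06-24T10:01:07Z 10.0.0.5 CONNECT 198.51.100.23:443 200
2014-06-24T10:02:11Z 10.0.0.8 GET 203.0.113.40:80 304
"""
SAMPLE_HASHES = {
    r"WS01\C:\Users\alice\Downloads\invoice.exe":
        "4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE",
    r"WS02\C:\Windows\notepad.exe":
        "0000000000000000000000000000000000000000000000000000000000000000",
}


def parse_indicators(xml_text):
    """Flatten each Indicator into {id, title, kind, value} records.
    Only AddressObject values and FileObject hashes are extracted."""
    root = ET.fromstring(xml_text)
    found = []
    for ind in root.iterfind(".//stix:Indicator", NS):
        ind_id = ind.get("id")
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        for props in ind.iterfind(".//cybox:Properties", NS):
            category = props.get("category", "addr")
            for addr in props.iterfind("AddressObj:Address_Value", NS):
                found.append({"id": ind_id, "title": title,
                              "kind": category, "value": addr.text.strip()})
            for h in props.iterfind(".//cyboxCommon:Hash", NS):
                htype = h.findtext("cyboxCommon:Type", default="", namespaces=NS)
                hval = h.findtext("cyboxCommon:Simple_Hash_Value", default="", namespaces=NS)
                if hval:
                    found.append({"id": ind_id, "title": title,
                                  "kind": htype.lower(), "value": hval.strip().lower()})
    return found


def match_indicators(indicators, proxy_log, host_hashes):
    """Return (indicator id, evidence) pairs for every local observation
    that matches an indicator value. Hash comparison is case-insensitive."""
    by_value = {(i["kind"], i["value"]): i for i in indicators}
    hits = []
    ip_port = re.compile(r"\s(\d{1,3}(?:\.\d{1,3}){3}):\d+\s")
    for line in proxy_log.splitlines():
        m = ip_port.search(line)
        if m and ("ipv4-addr", m.group(1)) in by_value:
            hits.append((by_value[("ipv4-addr", m.group(1))]["id"], line))
    for path, digest in host_hashes.items():
        key = ("sha256", digest.lower())
        if key in by_value:
            hits.append((by_value[key]["id"], path))
    return hits


if __name__ == "__main__":
    inds = parse_indicators(SAMPLE_STIX)
    for ind_id, evidence in match_indicators(inds, SAMPLE_PROXY_LOG, SAMPLE_HASHES):
        print(f"{ind_id}: {evidence}")
```

    In a real deployment the package would arrive over TAXII rather than as an inline string, and the matching would run against a SIEM or EDR store; the parsing and normalization (lower-casing hashes, keying on indicator type plus value) is the part that stays the same.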

    You can get more information on Microsoft Interflow on the MSRC blog, as well as in this FAQ and at

  • When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities

    One of the questions I get asked from time to time is about the days of risk between the time that a vulnerability is disclosed and when we first see active exploitation of it; i.e. how long do organizations have to deploy the update before active attacks are going to happen?  Trustworthy Computing’s Security Science team published new data that helps put the timing of exploitation into perspective, in the recently released Microsoft Security Intelligence Report volume 16.

    The Security Science team studied exploits that emerged for the most severe vulnerabilities in Microsoft software between 2006 and 2013. The exploits studied were for vulnerabilities that enable remote code execution. The timing of the release of the first known exploit for each remote code execution vulnerability was examined and the results were put into three groups. Read more

  • Who Exploits Vulnerabilities: the Path from Disclosure to Mass Market Exploitation

    Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of the software or the data that it processes. Some of the worst vulnerabilities allow attackers to exploit the compromised system by causing it to run malicious code without the user’s knowledge.  New research in the latest volume of the Microsoft Security Intelligence Report, volume 16, provides insight into the journey that remote code execution (RCE) exploits take between their first use and their eventual inclusion in criminal exploit kits that seek to attack systems on a mass scale.

    The parties that initially disclose vulnerabilities are not always the same parties that go on to develop and use exploits that take advantage of them. Vulnerability disclosures originate from a variety of sources, from dangerous disclosures (such as from malicious exploit developers and vulnerability sellers) to limited beneficial disclosures (such as the affected software vendors themselves and security researchers who are committed to coordinated vulnerability disclosure).

    To explore how exploits make their way into criminal hands, Microsoft analyzed exploits targeting the 16 RCE vulnerabilities in various software products that had known exploits discovered between January 2012 and February 2014. Read more

  • New Guidance for Securing Public Key Infrastructure

    Public Key Infrastructure (PKI) is used as a building block to provide key security controls, such as data protection and authentication for organizations. Many organizations operate their own PKI to support things like remote access, network authentication and securing communications.

    The threat of compromise to IT infrastructures from attacks is evolving. The motivations behind these attacks are varied, and compromising an organization’s PKI can significantly help an attacker gain access to the sensitive data and systems they are after.

    To help enterprises design PKI and protect it from emerging threats, Microsoft IT has released a detailed technical reference document - “Securing Public Key Infrastructure.” Read more

  • Keeping Oracle Java updated continues to be high security ROI

    New data from the recently-published Security Intelligence Report volume 16 (SIRv16) suggests that keeping Java up-to-date with security updates is one of the most effective ways to protect environments from attackers.  One of the most popular tactics attackers use to try to exploit vulnerabilities in Java is using exploit kits.  

    Exploit kits used by cybercriminals to attack software have been around since at least 2006 in various forms. In 2010, the initial release of the Blackhole exploit kit made it easier than ever to configure and operate malicious websites designed to try to infect unpatched systems with malware. I have written about this particular exploit kit before: The Rise of the “Blackhole” Exploit Kit: The Importance of Keeping All Software Up To Date. Read more.