Security Research & Defense
Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance
Postings are provided "AS IS" with no warranties, and confers no rights.
Get alerts when we update our blog!
Attack Surface Reduction
Enhanced Mitigation Experience Toolkit
Internet Explorer (IE)
safe for initialization
safe for scripting
Windows Media components
Browse by Tags
Security Research & Defense
Reports of DEP being bypassed
Yesterday we heard reports of a commercially available exploit that bypasses DEP. This exploit was made available to a limited number of major security vendors (Antivirus, IDS, and IPS vendors) and government CERT agencies. We wanted to use this opportunity to give an overview of current customer risk...
20 Jan 2010
Preventing the exploitation of user mode heap corruption vulnerabilities
Over the past few months we have discussed a few different defense in depth mitigations (like GS [ pt 1 , pt2 ], SEHOP , and DEP [ pt 1 , pt 2 ]) which are designed to make it harder for attackers to successfully exploit memory safety vulnerabilities in software. In addition to the mitigations that we...
4 Aug 2009
MS08-001 (part 3) – The case of the IGMP network critical
This is the final post in the three-part series covering MS08-001. In this post we’ll look at the IGMP vulnerability (CVE-2007-0069) and why we think successful exploitation for remote code execution is not likely. This vulnerability is around Windows’ handling of the IGMP and MLD protocols. These...
9 Jan 2008
New Internet Explorer vulnerability affecting all versions of IE
Today we released Security Advisory 2488013 to notify customers of a new publicly-disclosed vulnerability in Internet Explorer (IE). This vulnerability affects all versions of IE. Exploiting this vulnerability could lead to unauthorized remote code execution inside the iexplore.exe process. Proof...
23 Dec 2010
Technical Analysis of the Top BlueHat Prize Submissions
Now that we have announced the winners of the first BlueHat Prize competition, we wanted to provide some technical details on the top entries and explain how we evaluated their submissions. Speaking on behalf of the judges, it was great to see people thinking creatively about defensive solutions to important...
27 Jul 2012
CVE-2013-3893: Fix it workaround available
Today, we released a Fix it workaround tool to address a new IE vulnerability that had been actively exploited in extremely limited, targeted attacks. This Fix it makes a minor modification to mshtml.dll when it is loaded in memory to address the vulnerability. This Fix it workaround tool is linked from...
17 Sep 2013
Software defense: mitigating common exploitation techniques
In our previous posts in this series, we described various mitigation improvements that attempt to prevent the exploitation of specific classes of memory safety vulnerabilities such as those that involve stack corruption , heap corruption , and unsafe list management and reference count mismanagement...
12 Dec 2013
SEHOP per-process opt-in support in Windows 7
In a previous blog post we discussed the technical details of Structured Exception Handler Overwrite Protection (SEHOP) which is an exploit mitigation feature that was first introduced in Windows Vista SP1 and Windows Server 2008 RTM. SEHOP prevents attackers from being able to use the Structured Exception...
21 Nov 2009
Running in the wild, not for so long
Over the weekend we received a report from our partners about a possible unpatched Internet Explorer vulnerability being exploited in the wild. The exploit code uses a memory corruption bug triggered from a webpage but it deeply leverages a Flash SWF file in order to achieve reliable exploitation and...
11 Jul 2013
Safe Unlinking in the Kernel Pool
The heap in user mode has a number of different measures built in to make exploiting heap overrun vulnerabilities more challenging. Similar checks have been in debug versions of the kernel pool for some time to aid driver debugging. Windows 7 RC is the first version of Windows with some of these integrity...
26 May 2009
Released build of Internet Explorer 8 blocks Dowd/Sotirov ASLR+DEP .NET bypass
Last summer at BlackHat Vegas, Alexander Sotirov and Mark Dowd outlined several clever ways to bypass the Windows Vista defense-in-depth protection combination of DEP and ASLR in attacks targeting Internet Explorer. One approach they presented allowed attackers to use .NET framework DLL’s to allocate...
23 Mar 2009
MS13-037 addressing Pwn2own vulnerabilities
MS13-037 addresses a number of vulnerabilities in Internet Explorer, several of which were reported to us by the TippingPoint Zero Day Initiative (ZDI) program. We’ve gotten questions from customers about the specific vulnerabilities purchased by ZDI from the CanSecWest pwn2own contest. We’d...
14 May 2013
Update on the SMB vulnerability situation
We’d like to give everyone an update on the situation surrounding the new Microsoft Server Message Block Version 2 (SMBv2) vulnerability affecting Windows Vista and Windows Server 2008. Easy way to disable SMBv2 First exploit for code execution released to small number of companies Mitigations...
18 Sep 2009
Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP
One of the responsibilities of Microsoft’s Security Engineering Center is to investigate defense in depth techniques that can be used to make it harder for attackers to successfully exploit a software vulnerability. These techniques are commonly referred to as exploit mitigations and have been delivered...
3 Feb 2009
Shellcode Analysis via MSEC Debugger Extensions
In a previous post we provided some background on the !exploitable Crash Analyzer which was released earlier this year. One of the things that we didn’t mention is that !exploitable is just one of the debugger commands exported by the MSEC debugger extension . This extension also contains some additional...
6 Jun 2009
New Bounty Program Details
Today we announced the upcoming Mitigation Bypass Bounty, the BlueHat Bonus for Defense, and the Internet Explorer 11 Preview Bug Bounty program. It’s very exciting to finally take the wraps off of these initiatives and we are anticipating some great submissions from the security research community...
19 Jun 2013
Assessing the risk of public issues currently being tracked by the MSRC
At Microsoft, as at most large software vendors, we are likely to have publicly known issues under investigation at any given time. This is what we do on the Security Research & Defense team. Recently we’ve seen confusion from folks trying to make sense of some of the current public issues...
8 Jan 2011
New version of EMET is now available
Today we are pleased to announce a new version of the Enhanced Mitigation Experience Toolkit (EMET) with brand new features and mitigations. Users can click here to download the tool free of charge. The Enhanced Mitigation Experience Toolkit enables and implements different techniques to make successful...
18 May 2011
MS09-017: An out-of-the-ordinary PowerPoint security update
Security update MS09-017 addresses the PowerPoint (PPT) zero-day vulnerability that has recently been used in targeted attacks. We issued security advisory 969136 with workarounds on April 2nd after we first saw the exploits in-the-wild abusing this vulnerability. We also published an SRD blog entry...
12 May 2009
On the effectiveness of DEP and ASLR
DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) have proven themselves to be important and effective countermeasures against the types of exploits that we see in the wild today. Of course, any useful mitigation technology will attract scrutiny, and over the past year there...
8 Dec 2010
Mitigating the LdrHotPatchRoutine DEP/ASLR bypass with MS13-063
Today we released MS13-063 which includes a defense in depth change to address an exploitation technique that could be used to bypass two important platform mitigations: Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). As we’ve described in the past , these mitigations...
12 Aug 2013
© 2014 Microsoft Corporation.
Privacy & Cookies