Security Research & Defense

Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance

Security Research & Defense

  • MS15-011 & MS15-014: Hardening Group Policy

    Today we are releasing MS15-011 & MS15-014 which harden group policy and address network access vulnerabilities that can be used to achieve remote code execution (RCE) in domain networks. The MS15-014 update addresses an issue in Group Policy update which can be used to disable client-side global SMB Signing requirements, bypassing an existing security feature built into the product. MS15-011 adds new functionality, hardening network file access to block access to untrusted, attacker controlled shares when Group Policy refreshes on client machines. These two updates are important improvements that will help safeguard your domain network.

    What’s the risk, i.e., what’s the attack scenario?

    Let’s looks at one of the typical attack scenarios as outlined in the below diagram.

    This is an example of a  ‘coffee shop’ attack scenario, where an attacker would attempt to make changes to a shared network switch in a public place and can direct the client traffic an attacker-controlled system.

    1. In this scenario, the attacker has observed traffic across the switch and found that a specific machine is attempting to download a file located at the UNC path: \\\Share\Login.bat .

    2. On the attacker machine, a share is set up that exactly matches the UNC path of the file requested by the victim: \\*\Share\Login.bat.

      1. The attacker will have crafted the contents of Login.bat to execute arbitrary, malicious code on the target system. Depending on the service requesting Login.bat, this could be executed as the local user or as the SYSTEM account on the victim’s machine.

    3. The attacker then modifies the ARP table in the local switch to ensure that traffic intended for the target server is now routed through to the attacker’s machine.

    4. When the victim’s machine next requests the file, the attacker’s machine will return the malicious version of Login.bat.

      This scenario also illustrates that this attack cannot be used broadly across the internet – an attacker need to target a specific system or group of systems that request files with this unique UNC.

    What were the Group Policy vulnerabilities?

    An RCE vulnerability existed in how Group Policy received and applied policy data when connecting to a domain. Concurrently, a vulnerability existed whereby Group Policy could fail to retrieve valid security policy and instead apply a default, potentially less secure, group policy. This could, in turn, be used to disable the domain enforced SMB Signing policy.

    What did we fix under MS15-014?

    The risk of circumventing SMB Signing was fixed by correcting how Group Policy would behave when it fails to retrieve a current, valid security policy. After applying the fix, Group Policy will no longer fall back to defaults and will instead the last known good policy if a security policy retrieval fails.

    What did we harden under MS15-011?

    While SMB Signing safeguards against Man-In-The-Middle attacks, with the vulnerabilities like the above in Group Policy it is possible to disable it. But more importantly, SMB Client doesn’t require SMB Signing by default so it is possible to direct the domain related traffic, especially the unencrypted traffic, to attacker controlled machines and serve malicious content to the victims in response. To block this kind of attacks we added the ability to harden the UNC path access within domain network.

    Universal Naming Convention (UNC) is a standardized notation that Windows uses to access file resources; in most cases these resource are located on a remote server. UNC allows the system to access files using the standard path format: \\<hostname>\<sharename>\<objectname>, for example, \\\fileshare\passwords.txt, without requiring the application or user to understand the underlying transport technology used to provide access to the file. In this way, the UNC client in Windows abstract network file technologies, such as SMB and WebDAV, behind a familiar file path syntax. UNC paths are used in Windows in everything from printers to file shares, providing an attacker a broad surface to explore and attack. To properly address this weakness in UNC, we had to improve UNC to allow a server to authenticate itself to a client, thereby allowing the client machine to trust the content coming from the target system and be protected from malicious file shares.

    How did we harden it?

    When an application or service attempts to access a file on a UNC path, the Multiple UNC Provider (MUP) is responsible for enumerating all installed UNC Providers and selecting one of them to satisfy all I/O requests for specified the UNC path. On a typical Windows client installation, MUP would try the Server Message Block (SMB) protocol first, but if the SMB UNC Provider is unable to establish an SMB connection to the server, then MUP would try the next UNC Provider and so on until one of them is able to establish a connection (or there are no remaining UNC providers, in which case the request would fail). 

    In most scenarios, the security of the server is paramount: the server stores sensitive data, so file transfer protocols are designed in such a way that the server validates the client’s identity and performs appropriate access checks before allowing the client to read from or write to files. The trust boundary when Group Policy applies computer and/or user policies is completely reversed: the sensitive data is the client’s configuration and the remote server has the capability of changing the client’s configuration via transmission of policy files and/or scripts. When Group Policy is retrieving data from the policy server, it important that the client performs security checks to validate the server’s identity and prevent data tampering between the client and the server (in addition to the normal security checks performed by the server to validate the client’s credentials). It is also important that MUP only send requests for Group Policy files to UNC Providers that support these client-side checks, so as to prevent the checks from being bypassed when the SMB UNC provider is unable to establish a connection to the server. 

    Group Policy isn’t necessarily the only service for which these extra client-side security checks are important. Any application or service that retrieves configuration data from a UNC path, and/or automatically runs programs or scripts located on UNC paths could benefit from these additional security checks. As such, we’ve added new feature, UNC Hardened Access, along with a corresponding Group Policy setting in which MUP can be configured to require additional security properties when accessing configured UNC paths. 

    When UNC Hardened Access is configured, MUP starts handling UNC path requests in a slightly different manner: 

    Each time MUP receives a request to create or open a file on a UNC path, it evaluates the current UNC Hardened Access Group Policy settings to determine which security properties are required for the requested UNC path. The result of this evaluation is utilized for two purposes: 

    1. MUP only considers UNC Providers that have indicated support for all of the required security properties. Any UNC Providers that do not support all of the security properties required via the UNC Hardened Access configuration for the requested UNC path will simply be skipped.

    2. Once a UNC Provider is selected by MUP, the required security properties are passed to that UNC Provider via an Extra Create Parameter (ECP). UNC Providers that opt-in to UNC Hardened Access must respect the required security properties indicated in the ECP; if the selected UNC Provider is unable to establish a connection to the server in a manner that satisfies these requirements (e.g. due to lack of server support), then the selected UNC Provider must fail the request.

    Even 3rd party applications and services can take advantage of this new feature without additional code changes; simply add the necessary configuration details in Group Policy. If a UNC Provider is able to establish a connection to the specified server that meets the required security properties, then the application/service will be able to open handles as normal; if not, opening handles would fail, thus preventing insecure access to the remote server.

    Please refer to for details on configuring the UNC Hardened Access feature.

    Consider the following scenario:

    • Contoso maintains an Active Directory domain named with two Domain Controllers (DCs) named and

    • A laptop is joined to the aforementioned domain.

    • Group Policy is configured to apply a Group Policy Object (GPO) to the laptop that configures UNC Hardened Access for the paths \\*\NETLOGON and \\*\SYSVOL such that all access to these paths require both Mutual Authentication and Integrity.

    • Group Policy is configured to apply a GPO to the laptop that runs the script located at \\\NETLOGON\logon.cmd each time a user logs on to the machine.


    With the above configuration, when a user successfully logs onto the laptop and the laptop has any network access, Group Policy will attempt to run the script located at \\\NETLOGON\logon.cmd, but behind the scenes, MUP would only allow the script to be run if the file could be opened and transmitted securely:

    1. MUP receives a request to open the file at \\\NETLOGON\logon.cmd.

    2. MUP notices that the requested path matches \\*\NETLOGON and paths that match \\*\NETLOGON are configured to require both Mutual Authentication and Integrity. UNC Providers that do not support UNC Hardened Access or indicate that they do not support both Mutual Authentication and Integrity are skipped.

    3. The Distributed File Server Namespace (DFS-N) client detects that the requested UNC path is a domain DFS-N namespace and begins its process of rewriting the UNC path (all DFS-N requests will be subject to the same security property requirements identified by MUP in step 2):

      1. The DFS-N client uses the DC Locator service and/or DFS-N DC Referral requests (depending on the OS version) to identify the name of a DC on the domain (e.g.

      2. DFS rewrites the path using the selected DC (e.g. \\\NETLOGON\logon.cmd becomes \\\NETLOGON\logon.cmd). Since Mutual Authentication is required and the target is expected to be a DC, DFS utilizes a special Kerberos Service Principal Name (SPN) to verify that the name retrieved in the previous step is indeed the name of a DC (if the name is not a DC, Kerberos authentication would fail due to an unknown SPN)

      3. If there are additional DFS-N links in the specified UNC path, the DFS-N client continues iterating and replacing paths to DFS-N links with paths to available targets until it has a UNC path that does not have any remaining DFS-N links.

    4. The final UNC path is passed back to MUP to select a UNC Provider to handle the request. MUP selects the SMB UNC provider since DCs utilize SMB to share the NETLOGON and SYSVOL shares.

    5. The SMB UNC Provider establishes an authenticated session with the selected SMB Server (if an authenticated session is not already present). If the authenticated session is not mutually authenticated (e.g. authentication was performed utilizing the NTLM protocol), then SMB UNC Provider would fail the request to open logon.cmd since mutual authentication requirement identified in step 2 could not be met.

    6. The SMB UNC Provider enables SMB Signing on all requests related to logon.cmd since MUP informed SMB that integrity is required for this request. Any attempts to tamper with the SMB requests or responses would invalidate the signatures on the requests/responses, thus allowing the receiving end to detect the unauthorized modifications and fail the SMB requests.

    In this scenario, the client-side requirement of end-to-end mutual authentication and integrity protects the laptop from running a logon script located on a malicious server via the following security checks:

    • The requirement for Mutual Authentication ensures that the connection is not redirected to an unexpected (and potentially malicious) SMB Server when SMB Client attempts to establish a connection to the requested UNC path.

    • The requirement for Integrity enables SMB Signing, even if the SMB Client does not require SMB Signing for all paths by default. This protects the system against on-the-wire tampering that can be used to change the contents of the logon.cmd script as it is transmitted between the selected DC and the laptop.

    • The combined requirements for both Mutual Authentication and Integrity ensures that the final rewritten path selected by DFS-N Client matches a path allowed by the DFS-N namespace configuration and that spoofing and/or tampering attacks cannot cause DFS-N client to rewrite the requested UNC path to a UNC path hosted by an unexpected (and potentially malicious) server.

    Without these client-side protections, ARP, DNS, DFS-N, or SMB requests sent via Group Policy over untrusted networks could potentially cause the Group Policy service to run a the logon.cmd script from the wrong SMB Server.

    How do I configure to protect myself/my users?

    Once the update included as part of the bulletin MS15-011 is installed, follow the instructions at to ensure your systems are adequately protected. MS15-014 will install and provide protection without any additional configuration.


    A word on CVD and fixing difficult problems

    In many regards, this security ‘fix’ is more accurately described as completely new functionality in Windows. Adding something of this scale posed a unique challenge to security response. Software vulnerabilities are typically more narrowly constrained in both investigation and remediation – and most response is structured to address that scope. Among the benefits of Coordinated Vulnerability Disclosure (CVD) is it provides for greater flexibility and deeper collaboration with researchers to take the necessary time and perspective to deliver the most complete security solutions to customers. In this case we tackled a vulnerability that required a much greater scope in engineering to deliver a solution.

    Most vulnerabilities reported to the MSRC are bugs in a single component, which are investigated, understood, and fixed within industry accepted response times. Creating the new functionality of UNC Hardening, however, required an entirely new architecture which increased development time and necessitated extensive testing. Thanks to CVD, and the close collaboration with the passionate security researchers who reported the vulnerability, Microsoft had sufficient time to build the right fix for a complicated issue. If the security researchers were not willing to refrain from disclosure until our fix was ready, customers would have been put at risk.


    Microsoft offers its appreciation to the CVD community and a special thanks to the reporters of the issue which has resulted in UNC Hardening: Jeff Schmidt of JAS Global Advisors, Dr. Arnoldo Muller-Molina of simMachines, The Internet Corporation for Assigned Names and Numbers (ICANN) and Luke Jennings from MWR Labs.


    • Geoffrey Antos (Windows), Brandon Caldwell (MSRC), Stephen Finnigan (MSRC), Swamy Gangadhara (MSRC)

  • Additional information about CVE-2014-6324

    Today Microsoft released update MS14-068 to address CVE-2014-6324, a Windows Kerberos implementation elevation of privilege vulnerability that is being exploited in-the-wild in limited, targeted attacks. The goal of this blog post is to provide additional information about the vulnerability, update priority, and detection guidance for defenders. Microsoft recommends customers apply this update to their domain controllers as quickly as possible.

    Vulnerability Details

    CVE-2014-6324 allows remote elevation of privilege in domains running Windows domain controllers. An attacker with the credentials of any domain user can elevate their privileges to that of any other account on the domain (including domain administrator accounts).

    The exploit found in-the-wild targeted a vulnerable code path in domain controllers running on Windows Server 2008R2 and below. Microsoft has determined that domain controllers running 2012 and above are vulnerable to a related attack, but it would be significantly more difficult to exploit. Non-domain controllers running all versions of Windows are receiving a “defense in depth” update but are not vulnerable to this issue.

    Before talking about the specific vulnerability, it will be useful to have a basic understanding of how Kerberos works.


    One point not illustrated in the diagram above is that both the TGT and Service Ticket contain a blob of data called the PAC (Privilege Attribute Certificate). A PAC contains (among other things):

    • The user’s domain SID
    • The security groups the user is a member of


    When a user first requests a TGT from the KDC, the KDC puts a PAC (containing the user’s security information) into the TGT. The KDC signs the PAC so it cannot be tampered with. When the user requests a Service Ticket, they use their TGT to authenticate to the KDC. The KDC validates the signature of the PAC contained in the TGT and copies the PAC into the Service Ticket being created.

    When the user authenticates to a service, the service validates the signature of the PAC and uses the data in the PAC to create a logon token for the user. As an example, if the PAC has a valid signature and indicates that “Sue” is a member of the “Domain Admins” security group, the logon token created for “Sue” will be a member of the “Domain Admins” group.

    CVE-2014-6324 fixes an issue in the way Windows Kerberos validates the PAC in Kerberos tickets. Prior to the update it was possible for an attacker to forge a PAC that the Kerberos KDC would incorrectly validate. This allows an attacker to remotely elevate their privilege against remote servers from an unprivileged authenticated user to a domain administrator.


    Update Priority

    1. Domain controllers running Windows Server 2008R2 and below
    2. Domain controllers running Windows Server 2012 and higher
    3. All other systems running any version of Windows


    Detection Guidance

    Companies currently collecting event logs from their domain controllers may be able to detect signs of exploitation pre-update. Please note that this logging will only catch known exploits; there are known methods to write exploits that will bypass this logging.


    The key piece of information to note in this log entry is that the “Security ID” and “Account Name” fields do not match even though they should. In the screenshot above, the user account “nonadmin” used this exploit to elevate privileges to “TESTLAB\Administrator”.

    After installing the update, for Windows 2008R2 and above, the 4769 Kerberos Service Ticket Operation event log can be used to detect attackers attempting to exploit this vulnerability. This is a high volume event, so it is advisable to only log failures (this will significantly reduce the number of events generated).


    After installing the update, exploitation attempts will result in the “Failure Code” of “0xf” being logged. Note that this error code can also be logged in other extremely rare circumstances. So, while there is a chance that this event log could be generated in non-malicious scenarios, there is a high probability that an exploitation attempt is the cause of the event.



    The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain. An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore it is critical to install the update immediately.


    Additional Notes

    Azure Active Directory does not expose Kerberos over any external interface and is therefore not affected by this vulnerability.


    Joe Bialek, MSRC Engineering

  • MS14-072: .NET Remoting Elevation of Privilege Vulnerability

    Today Microsoft shipped MS14-072 to the .NET Framework to address an Elevation of Privilege (EOP) vulnerability in the .NET Remoting feature. This update fixes a specific issue in .NET Remoting that permitted specially crafted remote endpoints to take advantage of this vulnerability.

    What is .NET Remoting?

    .NET Remoting is a layer within the .NET Framework that facilitates communication between application domains (AppDomains). This permits managed objects to communicate across AppDomain, process, or machine boundaries.  Objects can be passed by-reference across these boundaries.  When methods are called on these objects, control again passes across the boundary to execute within the boundary where the object originated. Refer to .NET Remoting for more details.

    Typical use of this is a .NET Remoting service that returns objects by-reference to the client.  When the client invokes methods on these objects, code is executed on the server.  Similarly, a client can pass an object by-reference to the service, and when that service invokes methods on that object, code executes on the client.


    Use WCF instead of .NET Remoting

    .NET Remoting is a legacy technology that is inherently less secure than WCF. It is unable to preserve isolation of trust levels across the client/server boundary, allowing specially crafted messages to exploit the use of by-reference objects to achieve an elevation of privilege.  It also uses a legacy serialization technology that makes the server vulnerable to denial-of-service attacks. Because of this we recommend developers of distributed applications based on .NET Remoting to consider porting their code to Windows Communication Foundation (WCF) which is more secure.

    The boundary transparency in .NET Remoting makes it possible for a remote untrusted endpoint to take control of a .NET Remoting service. Because the service typically executes with full privileges, this permits a remote endpoint with lower privileges to elevate themselves using functionality exposed by .NET Remoting services. Within a completely trusted environment, this is normally not a problem.  But if the .NET Remoting service is exposed to untrusted remote endpoints, this becomes an issue as it crosses the security boundary.

    Read about how .NET Remoting works to know more information around why we recommend moving away from it.

    The Windows Communication Foundation (WCF) unified programming model is designed to be robust when communicating with untrustworthy endpoints. In many cases this may be a small exercise to move to the newer, more supported technology. The MSDN article entitled How to: Migrate Managed-Code .NET Remoting to WCF provides a number of examples and code samples to help ease this transition process.


    Securing .NET Remoting services

    Moving to newer technology takes time, meanwhile here are some steps to make .NET Remoting service more secure:

    This enables encryption and digital signatures if the remoting system determines that the channel implements ISecurableChannel.

    • Always authenticate clients and encrypt the communication streams:

    There is no authentication or encryption by default, developers have to do this explicitly.

    • Keep the permission level of the .NET Remoting service at minimum to what is required so as to avoid having a big security boundary.


    - Swamy Gangadhara (MSRC) & Ron Cain (.NET)

  • Assessing Risk for the November 2014 Security Updates

    Today we released fourteen security bulletins addressing 33 unique CVE’s. Four bulletins have a maximum severity rating of Critical, eight have a maximum severity rating of Important, and two have a maximum severity rating of Moderate. This table is designed to help you prioritize the deployment of updates appropriately for your environment.


    Most likely attack vector

    Max Bulletin Severity

    Max Exploitability

    Deployment Priority

    Platform mitigations and key notes


    (Windows OLE Component

    User opens malicious Office document.





    CVE-2014-6352 used in limited, targeted attacks in the wild.



    A malicious user sends specially crafted packets to an exposed service.




    Internally found during a proactive security assessment.

    (Internet Explorer)

    User browses to a malicious webpage.





    User opens malicious Word document.




    Office 2010 and later versions are not affected by any of the vulnerabilities in this bulletin.


    User browses to a malicious webpage.




    Only MSXML 3 is vulnerable.


    User opens a malicious link.




    This is a Cross Site Scripting vulnerability.



    User opens a malicious PDF document with Adobe Reader.




    CVE-2014-4077 used in one targeted attack in the wild to bypass Adobe Reader Sandbox via binary hijacking using malicious DIC file.


    (Windows Audio Service)

    User browses to a malicious webpage.




    Local elevation of privilege only, could potentially be utilized as a sandbox escape.



    An authenticated Windows user runs a malicious program on the target system.




    Local elevation of privilege only.


    (.NET Framework)

    Attacker sends malicious data to a vulnerable web application.




    Applications not using .NET Remoting are not vulnerable.



    A whitelist-only site could be accessed by an attacker not connected to the proper domain. A blacklist could be similarly bypassed.




    The vulnerability manifests itself in configurations where the Domain Name Restrictions whitelist and blacklist features are used with entries that contain wildcards.

    IP Address Restrictions are not affected



    An authorization audit log could be bypassed in some scenarios.




    The vulnerability only applies to failed AuthZ scenarios, and not to failed AuthN. For example, if a valid user logon is attempted for a user that does not have privilege to RDP into a server, that event log may not be recorded. Event logs will still be recorded if an invalid user or password is presented.



    An authenticated user could not be logged out in some configurations.




    Manifests itself in a specific configuration where the ADFS server is configured to use a SAML Relying Party with no sign-out endpoint configured.


    (Kernel Mode Drivers [win32k.sys])

    User browses to malicious webpage.




    The vulnerability leads to denial of service only.

    - Suha Can, MSRC Engineering


  • EMET 5.1 is available

    Today, we’re releasing the Enhanced Mitigation Experience Toolkit (EMET) 5.1 which will continue to improve your security posture by providing increased application compatibility and hardened mitigations. You can download EMET 5.1 from or directly from here. Following is the list of the main changes and improvements:

    • Several application compatibility issues with Internet Explorer, Adobe Reader, Adobe Flash, and Mozilla Firefox and some of the EMET mitigations have been solved.
    • Certain mitigations have been improved and hardened to make them more resilient to attacks and bypasses.
    • Added “Local Telemetry” feature that allows to locally save memory dumps when a mitigation is triggered.

    All the changes in this release are listed in Microsoft KB Article 3015976.

    If you are using Internet Explorer 11, either on Windows 7 or Windows 8.1, and have deployed EMET 5.0, it is particularly important to install EMET 5.1 as compatibility issues were discovered with the November Internet Explorer security update and the EAF+ mitigation. Alternatively, you can temporarily disable EAF+ on EMET 5.0. Details on how to disable the EAF+ mitigation are available in the User Guide. In general we recommend upgrading to the latest version of EMET to benefit from all the enhancements.

    We want to particularly thank Luca Davi, Daniel Lehmann, and Ahmad-Reza Sadeghi from System Security Lab at Technical University Darmstadt/CASED, and René Freingruber form SEC Consult for partnering with us.

    Your feedback is always welcome as it helps us improve EMET with each new release, so we encourage you to reach out using the Connect Portal or by sending an email to

    - The EMET Team

  • More Details About CVE-2014-4073 Elevation of Privilege Vulnerability

    Today Microsoft shipped MS14-057 to the .NET Framework in order to resolve an Elevation of Privilege vulnerability in the ClickOnce deployment service. While this update fixes this service, developers using Managed Distributed Component Object Model (a .NET wrapped around DCOM) need to take immediate action to ensure their applications are secure.

    Managed DCOM is an inherently unsafe way to perform communication between processes of different trust levels. Microsoft recommends moving applications to Windows Communication Foundation (WCF) for inter-process communication instead of using Managed DCOM. Exposing Managed DCOM containers or servers to lower trust callers can result in elevation of privilege vulnerabilities. Please note that DCOM is considered to be secure; only Managed DCOM is considered to be insecure.

    More Information:

    For more information around why we recommend moving away from Managed DCOM, it is helpful to understand how COM and DCOM work.

    COM is a platform-independent, programming language independent, object-oriented system for creating software components that interact. Traditional COM occurs within a single process boundary.

    DCOM is similar to normal COM except it allows for objects to be created in different processes or even different computers. This can be useful for distributed computing, or for scenarios where a client application needs to communicate with a server application.

    Unfortunately the communications wrapper that the .NET Framework uses to talk to DCOM (also known as Managed DCOM) is unable to maintain this security boundary. If you use managed code to implement either a server or a container, it’s possible for the remote end of the communication channel to take over the managed process. In scenarios where the interaction is taking place inside the same process or between two processes running with the same privilege, this isn’t a problem. However, when the processes communicating with each other run with different levels of privilege, this becomes an issue.

    Fortunately there is a solution for developers that rely on this functionality. The Windows Communication Foundation (WCF) unified programming model is designed to be robust when communicating with untrustworthy endpoints. In many cases this may be a small exercise to move to the newer, more supported technology. The MSDN article entitled How to: Migrate Managed-Code DCOM to WCF provides a number of examples and code samples to help ease this transition process.

    For MS14-057, Microsoft removed the ClickOne deployment service dependency on Managed DCOM. We suggest all developers do the same if they are currently using Managed DCOM to communicate between components running with different privilege.


    -Reid Borsuk (Product Security) and Joe Bialek (MSRC)

  • Assessing Risk for the October 2014 Security Updates

    Today we released eight security bulletins addressing 24 unique CVE’s. Three bulletins have a maximum severity rating of Critical, and five have a maximum severity rating of Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment.


    Most likely attack vector

    Max Bulletin Severity

    Max exploitability

    Platform mitigations and key notes


    (Kernel mode drivers [win32k.sys])

    Attacker loads a malicious font on the user’s computer using an Office document or web browser which results in remote code execution.



    Exploitation of CVE-2014-4148 and CVE-2014-4113 detected in the wild.  CVE-2014-4148 is used for remote code execution. CVE-2014-4113 is used for elevation of privilege.

     CVE-2014-4113 is not exploitable on 32bit platforms if NULL-page mapping mitigation is enabled (configurable on Windows 7, enabled by default on Windows 8 an above).


    (Internet Explorer)

    Victim browses to a malicious webpage.



    Exploitation of CVE-2014-4123 detected in the wild. Used as a sandbox escape.

    No remote code execution vulnerabilities being addressed in this update are known to be under active attack.


    (.NET Framework)

    An attacker sends malicious data to a vulnerable web application.




    (Windows OLE Component)

    Victim opens malicious Office document that exploits the vulnerability resulting in a malicious executable being run.



    Exploitation of CVE-2014-4114 detected in the wild.

     Using a non-administrator account or setting UAC to “Always Prompt” helps mitigate the impact of this vulnerability.



    Victim opens a malicious Word document.





    (Kernel mode drivers [msmq.sys])

    Attacker running code at low privilege runs exploit binary to elevate to SYSTEM.



    This vulnerability only affects Windows Server 2003.


    (Kernel mode drivers [fastfat.sys])




    Requires the ability to physically plug a USB stick in to the computer.



    Victim opens a malicious link



    This is a Cross Site Scripting vulnerability. The XSS Filter, which is enabled by default in IE8-IE11 in the Internet Zone, prevents attempts to exploit this vulnerability.


    - Joe Bialek and Suha Can, MSRC Engineering


  • Assessing risk for the September 2014 security updates

    Today we released four security bulletins addressing 42 unique CVE’s. One bulletin has a maximum severity rating of Critical and the other three have maximum severity Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment.

    Bulletin Most likely attack vector Max Bulletin Severity Max Exploitability Index Rating Platform mitigations and key notes

    (Internet Explorer)

    Victim browses to a malicious webpage. Critical 0

    Exploitation of CVE-2013-7331 detected in the wild as an information disclosure to determine whether EMET or a third party anti-malware product is installed prior to launching exploit for different vulnerability.

    No remote code execution vulnerabilities being addressed in this update are known to be under active attack.

    (Task Scheduler)

    Attacker running code at low privilege runs exploit binary to elevate to SYSTEM. Important 1  

    (.NET Framework)

    Attacker causes compute resource exhaustion denial of service on ASP.NET webserver by sending maliciously crafted HTTP/HTTPS requests. Important 3 Systems only affected if ASP.NET is explicitly installed, enabled, and registered with IIS.

    (Lync Server)

    Attacker causes Lync server to fail by sending maliciously crated SIP invite requests to victim Lync server. Important 3 Vulnerability is remote, unauthenticated denial-of-service but attacker must first have access to information present in a valid Lync Server meeting request.

    - Jonathan Ness, MSRC

  • Assessing risk for the August 2014 security updates

    Today we released nine security bulletins addressing 37 unique CVE’s. Two bulletins have a maximum severity rating of Critical while the other seven have a maximum severity rating of Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment.

    Bulletin Most likely attack vector Max Bulletin Severity Max exploit-ability Likely first 30 days impact Platform mitigations and key notes

    (Internet Explorer)

    Victim browses to a malicious webpage. Critical 0 Exploitation of CVE-2014-2817 detected in the wild.  Used as a sandbox escape.  

    (Media Center)

    On Media Center-equipped workstations (Win8.x Pro and all Win7 except Starter and Home Basic), victim opens malicious Office document or browses to malicious webpage that instantiates Media Center ActiveX control. Critical 2 Less likely to see reliable exploits developed within next 30 days. Server SKUs not affected. Windows 8 and Windows 8 RT not affected. Win7 Starter and Home Basic not affected.

    Our repro is via Office document (Important class vector) not via ActiveX control but we believe the code is reachable via ActiveX.



    Victim opens malicious OneNote file that creates a file in startup folder leading to arbitrary code execution on next login. Important 2 Less likely to see reliable exploits developed within next 30 days. OneNote 2010 and OneNote 2013 not affected. (Only OneNote 2007 affected.)

    (Kernel mode drivers [win32k.sys])

    Attacker running code at low privilege runs exploit binary to elevate to SYSTEM. Important 2 Less likely to see reliable exploits developed within next 30 days.  

    (Microsoft Installer)

    Attacker already running code at low privilege on a system where an MSI source location is available to low privilege users can tamper with the MSI and initiate a Repair operation to potentially run code as LocalSystem. Important 2 Less likely to see reliable exploits developed within next 30 days.  

    (SQL Server denial-of-service)

    Attacker able to authenticate at user level to SQL Server can run a TSQL batch command that causes a stack overrun that causes the server to stop responding. Important 2 Less likely to see reliable exploits developed within next 30 days.  


    Victim installs a malicious third party SharePoint app that could potentially run arbitrary JavaScript that is run as the victim user as a custom action. Important 2 Less likely to see reliable exploits developed within next 30 days.  

    (.NET Framework 2.0 ASLR bypass)

    Attacker combines this vulnerability with a (separate) code execution vulnerability to compromise a system. Important 2 Less likely to see reliable exploits developed within next 30 days. This vulnerability does not result in code execution directly. However, it is a component attackers could potentially use to assist in bypassing ASLR. This potential ASLR bypass is not known to be in use in real-world attacks.

    (LRPC ASLR bypass)

    Attacker already running code on a machine can combine this vulnerability with a (separate) code execution vulnerability to compromise a system by connecting to locally-listening service and filling address space to more accurately predict future memory allocation. Important 3 Unlikely to see reliable exploits developed within next 30 days. This vulnerability does not result in code execution directly. However, it is a component attackers could potentially use to assist in bypassing ASLR if attacker is already running code locally.

    - Jonathan Ness, MSRC

  • Announcing EMET 5.0

    Today, we are excited to announce the general availability of the Enhanced Mitigation Experience Toolkit (EMET) 5.0. As many of you already know, EMET is a free tool, designed to help customers with their defense in depth strategies against cyberattacks, by helping detect and block exploitation techniques that are commonly used to exploit memory corruption vulnerabilities. EMET 5.0 further helps to protect with two new mitigations and several other improvements. You can download EMET 5.0 from the Microsoft Download Center.

    Let’s start with the two new mitigations, which we initially introduced in EMET 5.0 Technical Preview: the Attack Surface Reduction (ASR), and the Export Address Table Filtering Plus (EAF+). We already described details about these two new mitigations in the Technical Preview announcement blog post, but let’s talk briefly about the improvements made during the preview period.

    Attack Surface Reduction (ASR)

    The ASR is a mechanism to block the usage of a specific modules or plug-ins within an application. For example, you can configure EMET 5.0 to prevent Microsoft Word from loading the Adobe Flash Player plug-in, or, with the support of security zones, you can use EMET 5.0 to prevent Internet Explorer from loading the Java plug-in on an Internet Zone website while continuing to allow Java on Intranet Zone websites.

    During the preview period we have performed several tests and collected your feedback to finalize the default configuration for this mitigation. We aimed at having a configuration that provided security, and at the same time, did not limit the user experience with the applications protected by EMET 5.0. By default, EMET 5.0 is configured to block some modules and plug-ins from being loaded by Internet Explorer while navigating to websites belonging to the Internet Zone, and to also block the Adobe Flash plug-in from being loaded by Microsoft Word, Excel, and PowerPoint. We have chosen modules that are commonly used in certain exploitation scenarios, but like all EMET features and mitigations, the ASR is completely configurable to satisfy everybody’s needs and to be tailored to specific systems’ requirements.

    Internet Explorer ASR default configuration

    Export Address Table Filtering Plus (EAF+)

    The EAF+ starts by the same concept as the existing Export Address Table Filtering (EAF) mitigation, but it amplifies its scope and robustness. During the Technical Preview, we have presented the EAF+ as an extension to the EAF. During the last couple of months we have made several improvements to it, and we decided that it should be a new mitigation on its own.

    As already mentioned in the Technical Preview blog post, when EAF+ is enabled it adds the following additional safeguards:

    • Perform additional integrity checks on stack registers and stack limits when export tables are read from certain lower-level modules
    • Prevent memory read operations on the PE header, sections, import/export table pointers of selected modules when they originate from suspicious code that may reveal memory corruption bugs used as “read primitives” for memory probing

    These improvements help detect and disrupt some current techniques used to dynamically discover ROP (Return Oriented Programming) gadgets and reliably execute code when a vulnerability is exploited.

    Additional improvements

    EMET 5.0 introduces many other improvements. Let’s go through them and see what customer benefits they add.

    64-bit Return Oriented Processing (ROP) mitigations

    Many ROP mitigations are now available also for 64-bit processes: Deep Hooks, Stack Pivot, Load Library, and MemProt. Although we have not yet detected exploits that use ROP techniques to exploit 64-bit applications, we decided to extend the anti-ROP mitigations to this architecture to be ready when the time comes.

    Strict checks for Certificate Trust rules

    The Certificate Trust’s pinning rules can now be configured with a more aggressive “blocking” mode (not enabled by default), so that EMET 5.0 can force Internet Explorer to terminate the SSL connection without sending session data instead of just detecting the untrusted certificate.

    Certificate Trust Blocking Rule option

    EMET Service

    We have added a new service, called EMET Service, which is taking in charge many duties that EMET Agent used to do in previous versions. The EMET Service, among other things, takes care of evaluating the Certificate Trust rules, appropriately dispatching EMET Agents in every user’s instance, and automatically applying Group Policy settings pushed through the network. Also, a service offers more resiliency and better ability to being monitored.

    Hardening and better application compatibility

    We have seen a technique to potentially bypass some of the EMET 4 mitigations. This technique is possible when a memory corruption within an EMET-protected application can be abused to overwrite selected memory areas and corrupt data belonging to EMET itself. We have also seen techniques aiming at disabling the EAF mitigation by invoking some specific API calls. In EMET 5.0 we worked to harden against potential bypass techniques.

    We also refactored many components of the EMET 5.0 engine, in order to maximize application compatibility, also with some popular anti-malware products, and reduce potential false-positives.

    We have done a lot of work to bring EMET 5.0 to life, and we want to thank all those who provided feedback during the Technical Preview time frame, either through or through the EMET Connect Portal (which we’ll continue to use). Your feedback helped to create a great version of EMET. Now, we are giving you back the product that you helped us build. We invite you then to download EMET 5.0, install it, and let us know what you think.

    The EMET Team:

    Adam Zabrocki, Andy Renk, Chengyun Chu, Cristian Craioveanu, Elia Florio, Elias Bachaalany, Gerardo Di Giacomo, Neil Sikka