• Two Important Changes Today to Our Bulletin Process

    Today is the day! At Blackhat in August we announced two significant changes to our bulletin release process, and today is the first time they actually kick in.

    Just to recapitulate: What did we change?

    We introduced the Microsoft Active Protections Program (MAPP), which to me is a major shift in policy. Up to now we did our best to make sure that everybody got the information on a fixed vulnerability at the same time. Over time, however, the threat landscape shifted dramatically. A few years ago it took a "researcher" (the bad guys are actually the ones we are concerned about) a few days to develop an exploit for any given vulnerability. Today we are down to a few hours at best. Therefore we decided to change our policy and make the information about the vulnerability available to a well-defined and limited set of vendors just in time for them to prepare signatures. The idea is that these vendors can then protect their (and with that our) customers at the moment the update is released.

    I now often get the question from customers: "We want this information as well, how can I join?" As I stated above, we are talking about a well-defined and limited set of vendors. Here are the membership criteria from the program's web page:

    • Execute a Non-Disclosure Agreement with Microsoft.
    • Create active application-based or network-based protections commercially for Microsoft products. (Active protections are software security measures that detect or deter intrusions into a Microsoft system or defend a Microsoft system from exploitation.)
    • Serve a significant Microsoft customer base of 10,000 users or more.
    • Not be a primary seller of commercial products used to attack or weaken the security of networks or applications.
    • Adhere to and practice some form of responsible disclosure.
    • Agree to publish monthly protections only on the date of bulletin release, and not before.
    • Not use program data directly in any product. (Copying and pasting program data is prohibited.)
    • Agree to be featured as a member of the program in promotional materials about the program.

    The second change is the Exploitability Index. This index will make it easier for you to prioritize the security updates to be rolled out in your environment. This is something a lot of customers told us over and over again: they like the way we do security updates (at least if you can talk of "liking" when it comes to security updates :-)) but they would like to know how likely it is that we will see an exploit on the net. We are now doing our best to give you our assessment, and we start this process as of today. So, if you look at today's bulletin overview you will see the index referring to three different levels:

    • Consistent Exploit Code Likely: Analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit that vulnerability. This would make the vulnerability an attractive target for attackers; therefore, it is more likely that exploit code would be created. As such, customers who have reviewed the security bulletin and have determined its applicability within their environment might treat a vulnerability with this value as a higher priority.
    • Inconsistent Exploit Code Likely: Analysis has shown that exploit code could be created, but an attacker would likely experience inconsistent results, even when targeting the affected product. While an attacker may be able to increase the consistency of results by having better understanding and control of the target environment, the unreliable nature of this attack makes it a less attractive target for attackers. As such, customers who have reviewed the security bulletin and determined its applicability within their environment might treat a vulnerability with this value as an important update; however, if prioritizing against other highly exploitable vulnerabilities, they could choose to rank this lower in their deployment priority.
    • Functioning Exploit Code Unlikely: Analysis has shown that exploit code which functions successfully is unlikely to be released. While an attacker could create exploit code that could trigger the vulnerability and cause abnormal behavior, it is unlikely that an attacker would be able to create an exploit that could successfully exercise the full impact of the vulnerability. Therefore, once customers have reviewed the security bulletin to determine its applicability within their environment, they might prioritize this update below other vulnerabilities within a release.

    So, if you look at today's release, the situation looks as follows:

    Bulletin ID | Bulletin Title | CVE ID | Exploitability Index Assessment | Key Notes
    MS08-056 | Vulnerability in Microsoft Office Could Allow Information Disclosure (957699) | CVE-2008-4020 | 2 - Inconsistent exploit code likely | Functioning exploit code could be created. However, the severity impact is limited as the vulnerability allows spoofing in a dialog in specific Web application scenarios only. As a result, this may get little attention from attackers.
    MS08-057 | Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416) | CVE-2008-4019 | 1 - Consistent exploit code likely | (none)
    MS08-057 | Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416) | CVE-2008-3471 | 2 - Inconsistent exploit code likely | (none)
    MS08-057 | Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416) | CVE-2008-3477 | 2 - Inconsistent exploit code likely | (none)
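    As an added example of turning the index into a deployment order (my own script, not Microsoft tooling): the four rows of the table above, transcribed by hand, ranked per bulletin. Two rules in it are my assumptions and not part of the index definition: a bulletin inherits the worst (lowest-numbered) index of any CVE it fixes, and ties are broken by the impact named in the bulletin title, remote code execution first.

```python
"""Rank a bulletin release for deployment by Exploitability Index.

Added example, not Microsoft tooling. The rows are the four entries of the
October 2008 table above, transcribed by hand. Two rules are my assumptions
rather than part of the index definition: a bulletin inherits the worst
(lowest-numbered) index of any CVE it fixes, and ties are broken by the
impact named in the bulletin title, with remote code execution first.
"""
import re

INDEX_NAMES = {
    1: "Consistent exploit code likely",
    2: "Inconsistent exploit code likely",
    3: "Functioning exploit code unlikely",
}

# Tie-breaker order for bulletins with the same index (assumption).
IMPACT_RANK = ["Remote Code Execution", "Elevation of Privilege",
               "Information Disclosure", "Denial of Service", "Spoofing"]

# Transcribed from the table above: (bulletin, title, CVE, assessment as printed).
RELEASE = [
    ("MS08-056", "Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)",
     "CVE-2008-4020", "2 - Inconsistent exploit code likely"),
    ("MS08-057", "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)",
     "CVE-2008-4019", "1 - Consistent exploit code likely"),
    ("MS08-057", "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)",
     "CVE-2008-3471", "2 - Inconsistent exploit code likely"),
    ("MS08-057", "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)",
     "CVE-2008-3477", "2 - Inconsistent exploit code likely"),
]


def parse_index(assessment):
    """'2 - Inconsistent exploit code likely' -> 2; rejects a number whose label disagrees."""
    m = re.fullmatch(r"([123])\s*-\s*(.+)", assessment.strip())
    if not m or m.group(2).strip().lower() != INDEX_NAMES[int(m.group(1))].lower():
        raise ValueError("unrecognised assessment: %r" % assessment)
    return int(m.group(1))


def impact_of(title):
    """Impact phrase from a bulletin title ('... Could Allow <impact> (<KB>)')."""
    for impact in IMPACT_RANK:
        if impact in title:
            return impact
    return "Unknown"


def prioritize(rows):
    """Deployment order: worst CVE index first, then impact, then bulletin ID."""
    per_bulletin = {}
    for bulletin, title, cve, assessment in rows:
        index = parse_index(assessment)
        entry = per_bulletin.setdefault(bulletin, {
            "bulletin": bulletin, "impact": impact_of(title),
            "index": index, "driver": cve, "cves": []})
        entry["cves"].append(cve)
        if index < entry["index"]:   # a more exploitable CVE drags the whole bulletin up
            entry["index"], entry["driver"] = index, cve

    def rank_key(e):
        impact = IMPACT_RANK.index(e["impact"]) if e["impact"] in IMPACT_RANK else len(IMPACT_RANK)
        return (e["index"], impact, e["bulletin"])

    ordered = sorted(per_bulletin.values(), key=rank_key)
    for e in ordered:
        e["assessment"] = INDEX_NAMES[e["index"]]
    return ordered


if __name__ == "__main__":
    for n, e in enumerate(prioritize(RELEASE), 1):
        print("%d. %s [%d - %s] %s; driven by %s; covers %s" % (
            n, e["bulletin"], e["index"], e["assessment"], e["impact"],
            e["driver"], ", ".join(e["cves"])))
```

    Run as-is it puts MS08-057 first, because one of its three CVEs carries index 1, and MS08-056 second. The label check in parse_index is deliberate: copying the summary table by hand is exactly where a "1" and a "2" get swapped.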

    I hope that this really helps to protect our customers and the ecosystem. Your feedback is, as always, very welcome.

    Roger

  • Hacker arrested for Video Giving Tips for ATM Skimmers

    I'd be interested in how you see this. When I blogged on Suspended Jail for Hacking Tutorial in France, I got quite a bit of negative feedback like "do you have nothing better to do than to go after these guys", "why should it be illegal to publish such a tutorial", etc. So, where do you draw the line? I think I was clear about that in my last post and here again: if you have a clear tutorial on how to commit a criminal activity, this should be punished.

    Now, a Turkish hacker was arrested because he published a video with a lot of tips on how to skim ATMs: Turkish hacker arrested by FBI made video giving tips for installing ATM skimmers. Is this now going too far as well for you? What about your bank account :-) ?

    Roger

  • Deploying IPsec Server and Domain Isolation using Windows Server 2008 Group Policy

    As you know (at least I hope that you do), we introduced Network Access Protection with Windows Server 2008. Thomas Shinder has now published an article on WindowsSecurity.com about how to implement NAP, IPsec and domain isolation via Group Policy. It is the first part of a very good step-by-step guide:

    Deploying IPsec Server and Domain Isolation using Windows Server 2008 Group Policy

    Roger

  • Once Again: A Scam using Microsoft’s Name to Install Malware

    It happens pretty often, but this time it seems to be more widespread than normal, as our traffic with regard to this issue is higher than usual: there is a mail circulating that pretends to come from Steve Lipner here at Microsoft and tells you to install the attached update (see the mail below).

    Just to reinforce the message: Microsoft never ever (let's stress that again: never ever) distributes updates or any kind of software as an attachment via e-mail. We link to our websites, and our updates are signed by us.

    So, just delete these kinds of messages without even reading them.

    Roger

    P.S. Here is the version of today and this is a scam!

    Dear Microsoft Customer,

     

    Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

     

    Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

     

    Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

     

    As your computer is set to receive notifications when new updates are available, you have received this notice.

     

    In order to start the update, please follow the step-by-step instruction:

    1. Run the file, that you have received along with this message.

    2. Carefully follow all the instructions you see on the screen.

     

    If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

     

    We apologize for any inconvenience this back order may be causing you.

     

     

    Thank you,

     

    Steve Lipner

    Director of Security Assurance

    Microsoft Corp.

     

     

    -----BEGIN PGP SIGNATURE-----

    Version: PGP 7.1

     

    JQ7I212BN637GZCN5N4BQ788O7QIHVK97V5K9W0MB11N43ZOP9KVX5ZRKAZ9JLS5A

    X660XXVLE4KT4M3F8ZUA3UQBOXE884ZMVX46RJEFY9FRVLCC2HIHKPM1Z1BALETSD

    QP5N89G04E6Q5IYF312BTX55VM079X4O1XV7IW1A8K5K1EEQUSF2W58QR8YUF60S2

    SAR4DXOITS53VUZ1B3O7VBCFIP4I0XLF91HF832YQUU7E274FCHIG35UDIN8FZX6W

    V0RVB2F2WJMYEEE62QDKTA6PABR2ECI4GKE==

    -----END PGP SIGNATURE-----
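    The "PGP signature" at the bottom of the scam mail is decoration, and you can show that without any key material. The following is an added example (my own code, not something Microsoft or the mail provides): a structural check of an ASCII-armored OpenPGP signature block against RFC 4880. It does not verify a signature, which would need Microsoft's public key and the signed text; it only checks whether the block is even shaped like armor. The scam block is transcribed verbatim from the mail above; SAMPLE_PACKET, armor() and check_armor() are my constructions, and the sample packet is a stand-in with a valid header, not a real signature.

```python
"""Structural check of an ASCII-armored OpenPGP signature block (RFC 4880).

Added example for this post; neither Microsoft nor the scam mail ships it.
It does NOT verify a signature (that needs the signer's key and the signed
text). It only asks whether a block is even shaped like OpenPGP armor:
BEGIN/END lines, a CRC24 line ("=" + 4 radix-64 chars) matching the data,
and a first byte with bit 7 set, which every OpenPGP packet header carries.
"""
import base64
import binascii
import re

# The "signature" from the scam mail quoted above, transcribed verbatim.
SCAM_SIGNATURE = """\
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

JQ7I212BN637GZCN5N4BQ788O7QIHVK97V5K9W0MB11N43ZOP9KVX5ZRKAZ9JLS5A
X660XXVLE4KT4M3F8ZUA3UQBOXE884ZMVX46RJEFY9FRVLCC2HIHKPM1Z1BALETSD
QP5N89G04E6Q5IYF312BTX55VM079X4O1XV7IW1A8K5K1EEQUSF2W58QR8YUF60S2
SAR4DXOITS53VUZ1B3O7VBCFIP4I0XLF91HF832YQUU7E274FCHIG35UDIN8FZX6W
V0RVB2F2WJMYEEE62QDKTA6PABR2ECI4GKE==
-----END PGP SIGNATURE-----
"""

# Constructed stand-in for a real signature packet: old-format header 0x88
# (bit 7 set, tag 2 = signature, one-octet length), length 3, three bytes.
SAMPLE_PACKET = bytes([0x88, 0x03, 0x04, 0x00, 0x01])


def crc24(data):
    """CRC-24 from RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packets, version="example"):
    """Wrap raw packet bytes in well-formed signature armor, CRC line included."""
    body = base64.b64encode(packets).decode()
    crc_line = "=" + base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(["-----BEGIN PGP SIGNATURE-----", "Version: " + version, ""]
                     + lines + [crc_line, "-----END PGP SIGNATURE-----"])


def check_armor(text):
    """Return the list of structural problems found; [] means 'shaped like armor'."""
    problems = []
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or lines[0] != "-----BEGIN PGP SIGNATURE-----":
        problems.append("missing BEGIN line")
    if len(lines) < 2 or lines[-1] != "-----END PGP SIGNATURE-----":
        problems.append("missing END line")
    body = lines[1:-1]
    while body and re.match(r"^[A-Za-z-]+: ", body[0]):   # armor headers
        body.pop(0)
    if body and body[0]:
        problems.append("no blank line between armor headers and data")
    body = [l for l in body if l]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    if crc_line is None:
        problems.append("no CRC24 line before END")
    payload = "".join(body)
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", payload):
        problems.append("data contains characters outside radix-64")
        return problems
    # Re-pad rather than trust the sender's '=' count, so a sloppy count is
    # reported as a bad packet instead of hiding behind a padding error.
    payload = payload.rstrip("=")
    payload += "=" * (-len(payload) % 4)
    try:
        packets = base64.b64decode(payload)
    except (binascii.Error, ValueError) as exc:
        problems.append("data is not decodable base64: %s" % exc)
        return problems
    if not packets:
        problems.append("empty data")
        return problems
    if crc_line is not None:
        try:
            expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        except (binascii.Error, ValueError):
            expected = None
        if expected != crc24(packets):
            problems.append("CRC24 mismatch")
    if not packets[0] & 0x80:       # RFC 4880 4.2: bit 7 is always one
        problems.append("first byte 0x%02x is not an OpenPGP packet header" % packets[0])
    else:
        new_format = packets[0] & 0x40
        tag = packets[0] & 0x3F if new_format else (packets[0] >> 2) & 0x0F
        if tag != 2:
            problems.append("first packet has tag %d, not a signature (tag 2)" % tag)
    return problems


if __name__ == "__main__":
    print("constructed block:", check_armor(armor(SAMPLE_PACKET)) or "looks like armor")
    print("scam block:", check_armor(SCAM_SIGNATURE))
```

    On the scam block the check reports, at a minimum, that there is no CRC24 line before the END marker and that the data does not begin with an OpenPGP packet header (its first byte decodes to 0x25, bit 7 clear). The caveat cuts the other way too: a block that passes this check proves nothing about who signed it. Only verification against a key you already trust does that, and the rule in the post makes it moot anyway, because a real update never arrives as a mail attachment.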


  • Microsoft Security Assessment Tool v4.0 available

    I have already blogged a few times on MSAT (the Microsoft Security Assessment Tool). We just released a new version of it, version 4.

    For those of you who do not know MSAT: MSAT is a free (stress: free) risk assessment tool mainly targeted at small and medium businesses, to give them a good understanding of their business risks vs. their IT risks. So it shows not only (as so often) where you should do more but also where you basically invested more in security than your business actually needed.

    If you look at the tool, it looks completely re-designed (which it is):

    The reports themselves have proven to be very helpful for our customers. Therefore they are not that different, but slightly improved. However, it is now easier to save them (Word and XPS):


    Report views shown: Business Risk Profile vs. Defense in Depth Index; Scorecard; Prioritized Action List.

    It is definitely worth looking at the tool.

    You can find it here.

    Roger