
Microsoft Security Response Center (MSRC) Progress Report 2013

July 2012 – June 2013

A report from the Microsoft Security Response Center (MSRC) on the progress of various security initiatives to foster deeper industry collaboration, increase community-based defenses, and better protect customers.

Trustworthy Computing | MSRC Progress Report 2013

Microsoft Security Response Center (MSRC) Progress Report 2013 (c) 2013 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples are for illustration only and are fictitious. No real association is intended or inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.


Contents
Authors 4
Foreword 5
The Vulnerability and Exploit Marketplace 6
Microsoft Active Protections Program (MAPP) 7
Microsoft Security Bulletin Statistics 11
Microsoft Exploitability Index 13
Behind the scenes with an Internet Explorer zero-day vulnerability 17
Microsoft Vulnerability Research 20
Enhanced Mitigation Experience Toolkit (EMET) 4.0 23
Internet Explorer 11 Preview Bug Bounty 26
Summary 27


Authors
Bill Barlowe, Microsoft Security Response Center
Dustin Childs, Microsoft Trustworthy Computing
Angela Gunn, Microsoft Security Response Center
Jonathan Ness, Microsoft Security Response Center
William Peteroy, Microsoft Security Response Center
Mike Reavey, Microsoft Security Response Center
Jerry Bryant, Microsoft Security Response Center
Gerardo Di Giacomo, Microsoft Security Response Center
Katie Moussouris, Microsoft Security Response Center
Mark Oram1, Microsoft Security Response Center
Georgeo Pulikkathara, Microsoft Trustworthy Computing

1 Former Microsoft employee, who contributed to the MSRC Progress Report 2013


Foreword
Welcome to the 2013 Microsoft Security Response Center (MSRC) Progress Report, which covers the 12 months ending June 2013. This fiscal year saw some important changes to key MSRC programs, as well as new additions to help us better protect our customers. The cybersecurity threat landscape is constantly evolving, and we at the MSRC, in an ongoing effort to help keep customers safe, continue to adjust our strategies to make it increasingly more costly and challenging for criminals to attack our customers. As our most recent Microsoft Security Intelligence Report (SIR) indicates, most exploits attackers use today target older vulnerabilities that we've already addressed. This reality is one of the key drivers behind the growing vulnerability and exploit marketplace we see today, as determined cybercriminals seek out, and are willing to pay increasingly high prices for, information about vulnerabilities and exploits they can use to keep their attacks undetected for as long as possible. To help thwart this trend, we recently began making plans for some enhancements to our Microsoft Active Protections Program (MAPP) to better enable its global network of defenders to stay a step ahead of targeted attacks. Coordinated Vulnerability Disclosure (CVD) has gone from idea to practice to policy, and vulnerability information sharing through MAPP has allowed MAPP partners to more efficiently and effectively produce protection for millions of Microsoft customers on a regular basis. In this report, we detail portions of an end-to-end strategy for the MAPP program to remove vulnerabilities from the marketplace, take away entire attack vectors, and improve detection capabilities on a global level to decrease the shelf life of new attack techniques. One of our most exciting developments this year has been the announcement of three new Microsoft bounty programs: the Mitigation Bypass Bounty, the BlueHat Bonus for Defense, and the Internet Explorer 11 Preview Bug Bounty.

By providing monetary incentives for direct reporting by security researchers, we hope to learn about novel defense bypass techniques, new exploitation techniques that affect Windows 8.1, and previously unknown issues in Internet Explorer 11 before those products reach the general marketplace. Meanwhile, we continue to maintain and support the CVD guidelines. The MSRC has pioneered and led the industry in the area of security response for many years, which sometimes means having to respond at inopportune times. This year's report includes a write-up by William Peteroy on his work to release Microsoft Security Bulletin MS13-008 over the Christmas holiday, balancing a visit from out-of-town relatives with attention to a significant security update. We hope you enjoy reading it, along with the rest of the information in this latest report.

Mike Reavey, Senior Director, Microsoft Trustworthy Computing


The Vulnerability and Exploit Marketplace


In 2011, Microsoft announced the BlueHat Prize contest, a competition that challenges the security community to design novel defensive technologies that could help protect against entire classes of attacks. Microsoft presented the three winners with a total of $260,000 USD in prize money, and one of the winning ideas has already been incorporated into the Enhanced Mitigation Experience Toolkit (EMET).2 (See page 23 for more information about EMET 4.0 and the new mitigations.) Microsoft has since introduced three new bounty programs to provide further incentives for security experts to focus on defensive research. We designed these new bounty programs to help us learn as early as possible about new exploitation techniques being used against our latest platforms and about vulnerabilities in Internet Explorer 11 Preview. We believe these new programs will help security researchers to harmonize their efforts with the work we do to help defend our customers. The three new programs are as follows:

Mitigation Bypass Bounty. Microsoft will pay up to $100,000 USD for unique exploitation techniques against protections built into the latest available version of Windows; at launch time, that was Windows 8.1 Preview, released to the public in June 2013. Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of doing so one vulnerability at a time. This is an ongoing program, and not tied to any event or contest.

BlueHat Bonus for Defense. Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying Mitigation Bypass Bounty submission. Doing so highlights our continued support of defense, and provides a way for the research community to help protect over a billion computer systems worldwide from vulnerabilities that may not have even been discovered.

Internet Explorer 11 Beta Bug Bounty. Microsoft will pay up to $11,000 USD for critical vulnerabilities that affect Internet Explorer 11 Preview running on the latest version of Windows (Windows 8.1 Preview). The entry period for this program was the first 30 days of the Internet Explorer 11 beta period, June 26 to July 26, 2013. Learning about critical vulnerabilities in IE 11 as early as possible during the public beta helps Microsoft to secure the newest version of the browser, even before customers have deployed it broadly.

Visit www.microsoft.com/bountyprograms to learn more about these programs, including guidelines and FAQs.

2 See www.microsoft.com/security/bluehatprize/ for more information about the contest and the three winning entries.


Microsoft Active Protections Program (MAPP)


"MAPP provides us with advanced notification of vulnerabilities, as well as actionable information that allows us to even more quickly build protection for our customers. This saves us significant cycles, and MAPP's valuable information sharing fully supports our threat-centric approach to cybersecurity."
Matt Watchinski, Vice President of Vulnerability Research, Sourcefire

Determined Adversaries and Targeted Attacks,3 a Microsoft white paper released in June 2012, discussed a common belief that a well-resourced and determined adversary will usually be successful in attacking systems, even if the target has invested in its defensive posture. It advised that an effective risk management strategy balances investments in prevention, detection, containment, and recovery. MAPP has always been (and will continue to be) focused on prevention, and we routinely make incremental changes to the program to better enable its global network of defenders to counter targeted attacks, profit-driven criminal elements, exploit frameworks, and new methods for waging broad, opportunistic attacks. As part of our ongoing strategic development of MAPP, we are expanding the program and adding initiatives that focus on improving detections of attacks, which will in turn enable the MAPP community to produce improved protections for customers. The MAPP program works with a broad range of partners. Some MAPP partners collect a significant amount of threat information from a range of product suites deployed throughout the world. Others collect less data, due to a more regional focus or fewer customers that opt into reporting threat data back to security vendors. Some partners have been around for years, while others have entered the security marketplace only recently. This diverse community of defenders requires a varied approach by Microsoft to help maximize how we can work together to protect the ecosystem.

3 http://aka.ms/targetedattacks


To more efficiently coordinate detection and prevention efforts with and between this diverse base of partners, Microsoft is expanding MAPP in three primary areas. The traditional MAPP program is being rebranded as MAPP for Security Vendors, and significantly updated. MAPP for Responders is a new MAPP program focused on enabling and exchanging information with incident response partners. MAPP Scanner is a new service that MAPP partners can use to rapidly assess suspect files and URLs.

"The MAPP program helps Trend Micro in strengthening further its defenses against cyber criminals. This timely information sharing works great in providing our customers the best and accurate protection with least false positives. We continue to appreciate Adobe's presence on the program and wish more vendors followed the same approach in vulnerability information sharing to make our cyber world safer."
Raimund Genes, CTO, Trend Micro

MAPP for Security Vendors
The original MAPP partnership is being enhanced with the introduction of a new initiative, MAPP Validation, which seeks to engage the MAPP community in assessing our detection guidance prior to distribution. MAPP Validation will operate much like the Software Update Validation Program (SUVP), in which Microsoft partners with enterprises to evaluate security updates in a test environment. MAPP Validation partners are security vendors that provide products designed to service a broad range of customers and needs. MAPP Validation will help ensure that the detection guidance we release to the broader MAPP community will allow for the most efficient production of protections possible.

"Threats continue to evolve and we should evolve with them. The only way to do that is to have steadfast learning, comprehensive research, and having the right affiliation. As we continue to grow in knowledge, MAPP continuously gives us the advantage of being the first responder against emerging threats. Our customers can rest assured that we will always be there for them."
Raul Alvarez, Senior Security Researcher, Fortinet Technologies


Microsoft also continues to make changes and improvements to the MAPP for Security Vendors program as a whole. One of the more frequent requests we hear from our MAPP partners is for more time to produce protections before we release our monthly security updates. For those partners with a trusted history in MAPP and who are consistent in meeting the requirements of the program, we will begin sharing detection guidance 3 business days before our usual update release day on the second Tuesday of each month, at approximately the same time that we issue our advance notification of the Microsoft products that will be receiving updates.4 Entry-level MAPP partners will continue to receive vulnerability information 1 day before updates are released. In all cases, partners will continue to be prohibited from releasing protections until after the security updates are released.

"We are privileged to be part of MAPP, which provides a valuable service in helping us gauge the nature and impact of new threats, typically before they are manifested in the wild, and in providing commensurate protection to our clients in a timely fashion. We would like to take this opportunity to thank the MAPP team, and we look forward to our collaboration in the future."
Samir Mody, Senior Manager, Threat Control Lab, K7Computing

MAPP for Responders
Today, there are many types of response organizations around the world that focus on intrusion prevention and incident response, including private organizations, Government response teams, and industry collaborations. These institutions share a common need for information to help them detect and mitigate threats. Microsoft is establishing MAPP for Responders as a mechanism for sharing relevant feeds of technical threat indicators, including malicious URLs, file hashes, incident data, and detection guidance. It will also act as a forum for partners to share more general threat information, such as trends involving which industries are being targeted and apparent developments in threat sponsor requirements.

"The data from MAPP has proven to be a valuable source of information ahead of the curve allowing us to better deliver faster protection against 0-day vulnerabilities to our customers."
Peter Szabo, Senior Threat Researcher, SophosLabs Canada

Why is this important? Threat information is valuable in detecting and disrupting attacks if it can be rapidly and reliably shared for the purpose of common defense. Today it is rare for this type of information to be shared by security companies and affected entities; companies are often inclined to hold onto the information to gain a competitive advantage, or to avoid sharing information about compromised or vulnerable systems that might be bad for business. MAPP for Responders will work to build a community for information exchange to counter the activities of determined adversaries.

4 See technet.microsoft.com/security/gg309152.aspx for more information about the Microsoft Security Bulletin Advance Notification Service.

MAPP Scanner
MAPP Scanner is a cloud-based service that allows Office documents, PDF files, and URLs to be scanned for content-based attacks, taking advantage of Microsoft's extensive knowledge of its own products and close security cooperation with industry partners. In addition to performing static analysis on submissions, MAPP Scanner conducts active analysis to determine whether a submission is attempting to exploit a vulnerability. By making this technology available to partners who work with the targets of content-based attacks to investigate and remediate such incidents, Microsoft hopes to increase the likelihood of new attacks and attack vectors being discovered. Coupled with our Mitigation Bypass Bounty program, we believe MAPP Scanner will dramatically increase the cost attackers must pay to use exploits effectively, thereby reducing attack activity across the ecosystem. MAPP Scanner is currently in a pilot phase with MAPP security vendor and response partners, and will help to significantly reduce the amount of analytical effort MAPP partners must perform to determine if a submission is malicious.

"Thanks to the MAPP program, we can detect security incidents more proactively. The most effective thing is protecting our customers from zero-day attacks. It could be helpful to seize evidence in an incident response quickly. We are very pleased to use this MAPP program for our various products."
Jeongwoo Park, AhnLab, Inc.


Microsoft Security Bulletin Statistics


The most publicly visible work that the MSRC performs is coordinating the development, testing, and release of Microsoft security updates that address vulnerabilities in our software. This section describes some of the key vulnerability trends involving Microsoft software during the 12 months from July 2012 through June 2013. It provides some forward-looking thoughts on future trends, and highlights tools and processes that organizations can use to help minimize the potential for disruption caused by security update deployment. Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of that software or the data it processes. The disclosure of a vulnerability is the revelation of a vulnerability to the software vendor, or to the public at large. Disclosures can come from various sources, including software publishers, security software companies, independent security researchers, technical support and product discussion forums, and those who create malicious software (also known as malware). As long as human beings write software code, no software will be perfect, and it is impossible to completely prevent vulnerabilities from being introduced during the development of large-scale software projects. Some imperfections (or bugs) simply prevent the software from functioning exactly as intended, but other bugs may present vulnerabilities. Not all vulnerabilities are equal; for example, some vulnerabilities won't be exploitable because defenses built into the software can prevent an attacker from taking advantage of them. Nevertheless, some percentage of the vulnerabilities that exist in a given piece of software could be exploitable.5 Many software developers address vulnerabilities by releasing security updates.

Microsoft has led the way in establishing mature and proven processes to help ensure that high-quality security updates are developed, tested, and released globally in a timely and predictable manner. See the white paper Software Vulnerability Management at Microsoft for more details on these processes. During the 12 months ending June 2013, Microsoft released a total of 92 security bulletins to address 246 individual vulnerabilities. Software vulnerabilities are enumerated and documented in the Common Vulnerabilities and Exposures (CVE) list,6 a standardized repository of vulnerability information. Among the security bulletins7 released during this period were two out-of-band updates, both affecting versions of Internet Explorer: MS12-063, released on September 21, 2012, and MS13-008, released on January 14, 2013. (See Behind the scenes with an Internet Explorer zero-day vulnerability on page 17 for a look at the process behind the release of MS13-008.)

5 www.microsoft.com/security/msrc/whatwedo/updates.aspx
6 cve.mitre.org
7 http://technet.microsoft.com/en-us/security/rss/advisory


Figure 1. Bulletins issued and CVEs addressed, 1H07 through 1H13 (see footnote 8)
[Chart: number of security bulletins issued and CVEs addressed per half-year reporting period from 1H07 to 1H13; vertical axis "CVEs and Security Bulletins Issued", series "Bulletins" and "CVEs".]

8 The nomenclature used to refer to different reporting periods is nHyy, where nH refers to either the first (1) or second (2) half of the year, and yy denotes the year. For example, 2H12 represents the period covering the second half of 2012 (July 1 through December 31), and 1H13 represents the period covering the first half of 2013 (January 1 through June 30).


Microsoft Exploitability Index


Each month, Microsoft provides Microsoft Exploitability Index9 (XI) ratings for each of the vulnerabilities addressed by that month's Microsoft Security Bulletins. The XI rating system is intended to help customers prioritize security bulletin deployment by providing information on the likelihood that a given vulnerability will be exploited within the first 30 days of the update's release. Although most customers use the severity ratings to identify which updates are most worthy of their attention, the Exploitability Index offers additional technical detail that can help security and software deployment teams maximize the benefit of their security resources.
Figure 2. Part of the Exploitability Index table from the April 2013 Microsoft Security Bulletin Summary

The Exploitability Index uses three levels to communicate to customers the likelihood of functioning exploit code being developed. Microsoft continuously evaluates the level descriptions, and modifies them when appropriate to simplify and clarify the assessments. Currently, the levels are defined as follows:

1 - Exploit code likely. This rating means that MSRC analysis shows that exploit code could be created, allowing an attacker to consistently exploit the vulnerability. For example, an attacker could use the exploit to remotely execute code repeatedly, in a way that produces the same results each time. This exploitability would make the vulnerability an attractive target for attackers, and therefore more likely that exploit code would be created. This designation is also used for vulnerabilities that are already being actively exploited. Customers who review the security bulletin and determine its applicability to their own environment could treat such a vulnerability with a higher priority.

2 - Exploit code would be difficult to build. This rating means that MSRC analysis shows that exploit code could be created, but that an attacker would likely have difficulty creating the code. Such difficulty might be the result of the need for expertise and sophisticated timing information, and/or varied results when targeting the affected product. For example, an exploit could cause remote code execution, but may only work one out of 10 times, or one out of 100 times, depending on the state of the computer being targeted and the quality of the exploit code. Although an attacker may increase the consistency of their results by having better understanding and control of the target environment, the unreliable nature of this vulnerability makes it a less attractive target for attackers. Customers who review the security bulletin and determine its applicability within their environment should treat this as a material update. If customers are prioritizing against other highly exploitable vulnerabilities, they could rank this lower in their deployment priority.

3 - Exploit code unlikely. This rating means that MSRC analysis shows that successfully functioning exploit code is unlikely to be released. It might be possible for exploit code to be released that could trigger the vulnerability and cause abnormal functionality, but it is unlikely that an attacker would be able to create an exploit that could fully exploit the vulnerability. Because vulnerabilities of this type require significant investment by attackers to be useful, the risk of exploit code being created and used within 30 days of a bulletin release is much lower. Therefore, customers who review the security bulletin to determine its applicability within their environment could prioritize this update below other vulnerabilities within a release.

Customers can use XI ratings along with the other information included with each security bulletin to identify the updates that most affect their business in a given month, which may affect their decisions about which updates to deploy first. For example, consider March 2013, when Microsoft released seven security bulletins. Of these, four bulletins were given an overall XI of 1, the most severe level. Security Bulletin MS13-027 is rated as Important, but has an XI of 1, whereas MS13-023 is rated as Critical, but only has an overall XI of 2. Even though the impact of MS13-027 is potentially greater, we recommended installing MS13-023 first due to its increased risk of exploitability.10 XI ratings are accompanied by Denial of Service (DoS) exploitability assessments, which indicate vulnerabilities that can be exploited to cause either temporary or permanent DoS conditions, as explained in Figure 3:

9 For more information on the Microsoft Exploitability Index, see technet.microsoft.com/security/cc998259.
Figure 3. DoS exploitability assessment used by the Exploitability Index

DoS exploitability assessment | Short definition
Temporary | Exploitation of this vulnerability may cause the operating system or application to become temporarily unresponsive, until the attack is halted, or to exit unexpectedly but automatically recover. The target returns to the normal level of functionality shortly after the attack is finished.
Permanent | Exploitation of this vulnerability may cause the operating system or application to become permanently unresponsive, until it is restarted manually, or to exit unexpectedly without automatically recovering.

There are also certain issues that do not receive XI ratings at all. Starting in 2012, Microsoft established a Security Feature Bypass (SFB) vulnerability classification11 to identify rare cases in which an attacker could potentially bypass a security feature in order to exploit another vulnerability. In most cases, following Microsoft's guidelines for best security practices can largely mitigate any potential impact from this class of vulnerability. Since the XI is designed to provide guidance on the potential for code execution only, SFB issues are not assigned an XI rating.

10 For more information on assessing the risk for the March 2013 security updates, see blogs.technet.com/b/srd/archive/2013/03/12/assessing-risk-for-the-march-2013-security-updates.aspx.
11 See MS13-006: Vulnerability in Microsoft Windows Could Allow Security Feature Bypass for an example of a Security Feature Bypass update.

Microsoft Exploitability Index statistics
The 92 security bulletins published from July 2012 to June 2013 resulted in 266 Exploitability Index ratings, as shown in the following table.
Figure 4. Microsoft Exploitability Index ratings, July 2012 – June 2013

Exploitability Index rating         | Latest software release | Older software releases
1 - Exploit code likely             | 59                      | 104
2 - Exploit code would be difficult | 17                      | 56
3 - Exploit code unlikely           | 16                      | 27
Not affected                        | 105                     | 14
Not applicable                      | 8                       | 4

Of these ratings, none were revised after release. An examination of different possible deployment scenarios illustrates how the Exploitability Index can help save organizations money and allow them to better allocate their resources:
Figure 5. Security bulletin deployment events under different scenarios, July 2012 – June 2013

Deployment scenario | Deployment events
Deploy all bulletins within 30 days | 92
Deploy only Critical bulletins within 30 days of release | 36
Deploy only Critical bulletins with an XI of 1 on release day | 32
Deploy only Critical bulletins with an XI of 1 on release day, when all systems are on the most recent product release | 21

While Microsoft recommends deploying all security bulletins in a timely fashion, Figure 5 illustrates how Exploitability Index ratings can help customers save time and money by prioritizing deployments. During this twelve-month period, a customer that prioritized deploying Critical updates with an Exploitability Index rating of 1, and used the most recent Windows client and server versions exclusively, could have deployed just 21 updates at the highest priority level, and used a less expensive non-urgent deployment process for the remaining 71 updates. Microsoft recommends that customers install all applicable security updates, including bulletins with an Exploitability Index rating of 3 or a severity rating of Moderate. Exploitation techniques change over time, and newly developed techniques can make it easier for an attacker to exploit vulnerabilities that had previously been more difficult to successfully exploit. Nevertheless, prioritization decisions will be made within each organization, and time and resources may often be limited. The Exploitability Index allows customers that face such limitations to better prioritize their update deployments.
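The deployment scenarios of Figure 5 and the March 2013 ordering example can be worked through in code. The Python below is an added example, not part of the MSRC report: the bulletin records are constructed sample data with placeholder IDs, and two rules are assumptions of this illustration rather than statements from the report, namely that a bulletin's overall XI is the most exploitable rating across its release columns, and that XI is ordered before severity when prioritizing.

```python
"""Walk-through of Exploitability Index (XI) based deployment prioritization.

Added example, not from the MSRC report. Bulletin records are constructed
sample data; the 'overall XI = most exploitable rating across releases' rule
and the XI-before-severity ordering are assumptions of this illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# XI levels as defined in the report. None stands for "Not affected" or
# "Not applicable", which receive no exploitability level.
EXPLOIT_LIKELY = 1      # 1 - Exploit code likely
EXPLOIT_DIFFICULT = 2   # 2 - Exploit code would be difficult to build
EXPLOIT_UNLIKELY = 3    # 3 - Exploit code unlikely

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    severity: str              # aggregate severity rating of the bulletin
    xi_latest: Optional[int]   # XI column for the latest software release
    xi_older: Optional[int]    # XI column for older software releases


def overall_xi(b: Bulletin) -> Optional[int]:
    """Overall XI of a bulletin: the most exploitable (lowest-numbered) rating
    across the release columns (assumption of this example)."""
    rated = [x for x in (b.xi_latest, b.xi_older) if x is not None]
    return min(rated) if rated else None


def deployment_events(bulletins: Iterable[Bulletin], scenario: str) -> int:
    """Count urgent deployment events under the four scenarios of Figure 5."""
    bulletins = list(bulletins)
    if scenario == "all":                        # deploy everything within 30 days
        return len(bulletins)
    if scenario == "critical":                   # only Critical bulletins
        return sum(b.severity == "Critical" for b in bulletins)
    if scenario == "critical_xi1":               # Critical with an overall XI of 1
        return sum(b.severity == "Critical" and overall_xi(b) == EXPLOIT_LIKELY
                   for b in bulletins)
    if scenario == "critical_xi1_latest_only":   # all systems on the newest release
        # Only the latest-release column matters here: a bulletin whose newest
        # release is "Not affected" or rated XI 2 drops out of the urgent set.
        return sum(b.severity == "Critical" and b.xi_latest == EXPLOIT_LIKELY
                   for b in bulletins)
    raise ValueError(f"unknown scenario: {scenario!r}")


def prioritize(bulletins: Iterable[Bulletin]) -> List[Bulletin]:
    """Order bulletins for deployment: XI first, then severity, then ID.

    As in the report's March 2013 example, an Important bulletin with XI 1
    lands ahead of a Critical bulletin whose overall XI is 2.
    """
    def key(b: Bulletin):
        xi = overall_xi(b)
        return (xi if xi is not None else 99,
                SEVERITY_RANK.get(b.severity, 99), b.bulletin_id)
    return sorted(bulletins, key=key)


# Constructed sample month; IDs are placeholders, not real bulletin numbers.
SAMPLE = [
    Bulletin("SAMPLE-01", "Critical", 1, 1),
    Bulletin("SAMPLE-02", "Critical", None, 1),   # latest release not affected
    Bulletin("SAMPLE-03", "Critical", 2, 1),      # harder to exploit on newest release
    Bulletin("SAMPLE-04", "Important", 1, 1),
    Bulletin("SAMPLE-05", "Critical", 2, 2),
    Bulletin("SAMPLE-06", "Important", 3, 2),
    Bulletin("SAMPLE-07", "Moderate", None, 3),
]

if __name__ == "__main__":
    for name in ("all", "critical", "critical_xi1", "critical_xi1_latest_only"):
        print(f"{name:28s} urgent events: {deployment_events(SAMPLE, name)}")
    print("deployment order:", [b.bulletin_id for b in prioritize(SAMPLE)])
```

Running it shows why the last two rows of Figure 5 differ: SAMPLE-02 and SAMPLE-03 count as Critical/XI 1 bulletins overall, but fall out of the urgent set once every system runs the newest release.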


Behind the scenes with an Internet Explorer zero-day vulnerability


Most Microsoft security bulletins are released on the second Tuesday of each month, a consistent and predictable schedule designed to help IT departments plan security update rollouts in advance of release and to deploy them with minimal disruption. On rare occasions, when the serious nature of a vulnerability justifies departing from this predictable schedule, Microsoft releases an out-of-band security bulletin to address the vulnerability in advance of the next scheduled update. On January 14, 2013, Microsoft released Security Bulletin MS13-008 out-of-band to address a vulnerability in certain versions of Internet Explorer. In this section, MSRC case program manager William Peteroy describes his experience helping to put the bulletin together.

I am fortunate to work at the MSRC as a case program manager (PM) for Internet Explorer. This means that I handle all of the publicly or privately reported security issues and vulnerabilities for Internet Explorer, perform triage and risk assessment, and shepherd these issues through our internal and external response. I enjoyed reading case PM Jeremy Tinder's tale in last year's MSRC Progress Report of the heroic work and long hours that he and others on the MSRC team put in to publish an out-of-band security bulletin during the 2011 Christmas holiday. I never expected that I'd have a similar tale to tell 12 months later. My story begins in late December 2012, like Jeremy's, with my parents visiting from out of town for the Christmas holiday. I still had work to do, though, and from reading information security news and hanging out on Internet Relay Chat (IRC), I picked up some talk about a new series of attacks that exploited a zero-day vulnerability in certain versions of Internet Explorer. At this point it became fairly evident that my holiday was about to get a lot more interesting.
Vulnerabilities in Internet Explorer are particularly challenging to respond to, as they are often what we refer to internally as RCE, or remote code execution, vulnerabilities. Attackers typically plant such exploits in an inline frame on a malicious or compromised Web page. When an Internet user visits the page with a vulnerable browser, the exploit corrupts the memory used by Internet Explorer in such a way as to allow the attacker to execute arbitrary code on the computer in the security context of the victim. The most insidious such attacks take the form of what security researchers call watering hole attacks, in which the attackers use techniques such as SQL injection and errors in popular Web publishing products to compromise Web sites that users already trust and visit regularly. Many such attacks involve vulnerabilities in third-party add-ons, such as Adobe's Flash Player or Oracle's Java Runtime Environment; however, some of the most severe exploit zero-day vulnerabilities (those for which no security update has been published) reside in the browser itself. Because attackers can exploit these vulnerabilities to run malicious code without requiring any interaction on the part of the victim other than simply browsing to an affected Web site, these are rated as Critical vulnerabilities, the most severe type of vulnerabilities that we deal with at the MSRC. When I received a Software Security Incident Response Process (SSIRP) notification email, my suspicions were confirmed, and I knew we were in for some late hours. In cases like this one where quick response is vital, the MSRC uses the SSIRP to understand security incidents quickly, provide customers with timely and relevant information about them, and deliver security updates and other material as appropriate to restore normal operation. Being pulled into a SSIRP feels about the same as a friend signing you up for a marathon and letting you know the night before. I made some phone calls to the folks that I work with in the Internet Explorer product group who would be integral in the process of confirming the root cause of the vulnerability, as well as developing and testing a fix, then spent some time rallying the team and getting notes together for the initial meeting. One of the first things that I learned at Microsoft is that making quality software is not an easy task. When there is a clock running to protect customers with a fix for a vulnerability in the wild (being used against customers), it doesn't make that job any easier. I reserved a CVE vulnerability ID number, CVE-2012-4792, to track the vulnerability itself, and started to dive into the details of the technical situation with the help of the MSRC Engineering team (MSRC-E) and the Internet Explorer engineering team. The issue itself had to do with a vulnerability in the way Internet Explorer performed reference counting on Web pages. Under certain circumstances, Internet Explorer could be made to attempt to reference and use a page element that had already been deleted and for which the memory storing it had been freed.
An attacker could use this vulnerability to create a specially crafted Web page that could force Internet Explorer to execute malicious code in the context of the browser. I also started the process of drafting a security advisory to inform our customers as soon as possible about what we knew and how they could protect themselves, and sending it to internal partners for review. Because software doesn't get released into a void, we make a lot of effort at Microsoft to provide customers with the best information possible about ongoing and up-to-date security-related developments pertaining to our products. Microsoft Security Advisories are one of the mechanisms we use to provide this information. A security bulletin that included more information and the update code itself would come later.

Much of this early work could be done over the telephone, which allowed me to work on the vulnerability while continuing to pursue a mostly normal holiday celebration with my family. I had moved to Seattle earlier in 2012, and my fiance and I were fortunate to have my parents come and join us for the holidays. We had planned a fairly busy schedule for taking my parents to see the sights of our new home in the Northwest, which led to me taking part in the SSIRP conference calls from interesting locations like the Queen Anne neighborhood close to the Space Needle and Seattle's historic Pike Place Market. On December 29, 2012, we published Microsoft Security Advisory 2794220 to inform the public that we were aware of the issue and working towards a fix.


Once root cause analysis was complete, I worked with the Internet Explorer PM to get the software update developed in the smallest amount of time possible. Once the code was complete, I delivered the update code and root cause analysis to our MSRC-E Defense team. The Defense team works with the exploits and samples that we have collected concomitantly with partners to develop the in-memory shims that we ship as Microsoft Fix it Solutions to break exploits we see being used against customers. As we were doing our work, exploit writers were staying busy too. On December 31, 2012, we revised Microsoft Security Advisory 2794220 to include the Fix it Solution, in response to the appearance of exploit code in some of the exploitation tools that get traded between malware authors and prospective attackers. The revised security advisory would enable our high-risk or highly concerned customers to take more effective steps to protect themselves in advance of the upcoming security bulletin release. With the exploit and the Fix it Solution available publicly, all of my efforts went to working with the test and release teams on the security update. We would be testing and publishing update code for 31 different configurations overall, covering Internet Explorer versions 6, 7, and 8 running on different Windows versions, service pack levels, and processor architectures. Each of these 31 update packages had to meet our quality assurance bar and be signed off on individually. I finally got to take a breather on Monday, January 14, 2013, when we released Microsoft Security Bulletin MS13-008 to customers worldwide via Windows Update and other channels. To put that sort of release into perspective, the package was downloaded to 286 million software installations. 
All in all, it made for a very busy few weeks for me, the Internet Explorer team, and the rest of our internal and external partners, but ultimately it was very rewarding to be able to put so much time and effort toward something good for so many global customers, especially over the holiday.

-William Peteroy, Microsoft Security Response Center


Microsoft Vulnerability Research


The five-year milestone of the Microsoft Vulnerability Research (MSVR) program brought an expansion of the types of issues on which Microsoft advises the ecosystem, as well as increased case volume and long-overdue recognition for in-house finders contributing to the program. MSVR provides a mechanism by which Microsoft developers and security researchers can inform vendors outside the company of flaws found in third-party products and Web sites. The program is guided by the tenets of Coordinated Vulnerability Disclosure, a company-wide practice that promotes private, secure channels of communication allowing vendors to patch issues quickly and accurately, with minimal trouble to the consumer and minimal chance of exposing the vulnerability to potential attackers.
Figure 6. The MSVR response process

When a Microsoft employee finds a likely vulnerability in a third-party product or site, he or she informs the MSVR team, which coordinates communications about the issue between Microsoft (or the employee) and security teams at the other company. MSVR monitors progress as the vulnerability is tested, analyzed, and eventually fixed by the other company. Once that's accomplished, MSVR may choose to issue an advisory confirming the fix and directing customers to further information. From July 2012 to June 2013, MSVR issued 21 such advisories:


Figure 7. MSVR advisories issued from July 2012 to June 2013

Advisory Number | Advisory Title | Date
MSVR12-010 | Vulnerability in Cisco WebEx Player Could Allow Remote Code Execution | 7/17/2012
MSVR12-011 | Vulnerabilities in Nullsoft Winamp Could Allow Arbitrary Code Execution | 7/17/2012
MSVR12-012 | Safari Content-Disposition Handling Could Allow Cross-site Scripting | 8/21/2012
MSVR12-013 | Vulnerability in Foxit Reader Could Allow Arbitrary Code Execution | 8/21/2012
MSVR12-014 | Vulnerabilities in SumatraPDF Reader Could Allow Arbitrary Code Execution | 9/18/2012
MSVR12-015 | Memory Corruption in Google SketchUp Could Allow Arbitrary Code Execution | 9/18/2012
MSVR12-016 | Vulnerabilities in Ektron CMS Could Allow Arbitrary Code Execution | 10/16/2012
MSVR12-017 | Vulnerabilities in FFmpeg Libavcodec Could Allow Arbitrary Code Execution | 10/16/2012
MSVR12-018 | Memory Corruption in Symantec Ghost Could Allow Arbitrary Code Execution | 11/20/2012
MSVR12-019 | Oracle AutoVue DGN Parsing Could Allow Arbitrary Code Execution | 11/20/2012
MSVR12-020 | Oracle AutoVue DXF Parsing Could Allow Arbitrary Code Execution | 11/20/2012
MSVR12-021 | Memory Corruption in QuickTime Could Allow Arbitrary Code Execution | 12/18/2012
MSVR13-001 | Vulnerability in Lenovo ThinkPad Bluetooth with Enhanced Data Rate Software Could Allow Arbitrary Code Execution | 1/15/2013
MSVR13-002 | Vulnerability in VMware OVF Tool Could Allow Arbitrary Code Execution | 2/19/2013
MSVR13-003 | Vulnerability in VMware VMCI.sys Could Allow Local Elevation of Privilege | 2/19/2013
MSVR13-004 | Vulnerability in DjVuLibre Could Allow Remote Code Execution | 3/19/2013
MSVR13-005 | Vulnerability in SumatraPDF Reader Could Allow Remote Code Execution | 4/16/2013
MSVR13-006 | Memory Corruption in Nitro Reader Could Allow Arbitrary Code Execution | 5/21/2013
MSVR13-007 | Heap Corruption in Nitro Reader Could Allow Arbitrary Code Execution | 5/21/2013
MSVR13-008 | Cisco Security Service IPC Message Heap Corruption Could Allow Elevation of Privilege | 6/18/2013
MSVR13-009 | Cisco Security Service File Verification Bypass Could Allow Elevation of Privilege | 6/18/2013

Microsoft does not reveal vulnerability details to the public before a vendor issues remediation, unless there is significant evidence of active attacks on the vulnerability in the wild. (To date, MSVR has never had cause to release an advisory under those circumstances.) Microsoft also does not issue advisories on every issue addressed. Advisories are archived at www.microsoft.com/technet/security/advisory/MSVRarchive.mspx and may be revised as required to reflect new guidance or further information.

MSVR program statistics

Since July 2012, MSVR has taken delivery on 48 software vulnerability reports from 18 employees, affecting 26 third parties. In December 2012, MSVR began taking delivery on reports of cross-site scripting (XSS) issues on third-party sites and informing a subset of affected site proprietors. So far, the program has received reports on over 1000 affected sites and has ramped up an effort to reach out to critically affected sites with information and guidance.


In early 2013, a second pilot program, Microsoft App Response, launched to determine how MSVR's program can best be extended to applications hosted in the Windows online applications store and onward to online application stores offered for other Microsoft products. The pilot program took delivery on 59 potential issues and has reached out to the appropriate vendors to request updates to their apps. All issues processed by the non-pilot portion of MSVR in the course of the year were rated as Critical or Important in severity, according to our bug bar. Over the past five years, MSVR has taken vulnerability reports from over 65 unique finders. At the annual BlueHat security conference on the Redmond campus in December 2012, MSVR unveiled and distributed a challenge coin to honor all finders who reported at least one reproducible vulnerability over the course of the program.
Figure 8. Front (left) and back (right) of MSVR challenge coin

For more information, please see the Microsoft Vulnerability Research page at microsoft.com/security/msrc/collaboration/research.aspx.


Enhanced Mitigation Experience Toolkit (EMET) 4.0


The Enhanced Mitigation Experience Toolkit (best known as EMET) started as a lab project almost four years ago. Version 3.0, released in May of 2012, introduced features to easily deploy and configure EMET in an enterprise environment, transforming it from a lab tool to one that IT departments could deploy with confidence in their own environments. Recently, the MSRC began to suggest the use of EMET as a workaround for zero-day exploits discussed in Microsoft Security Advisories, and it has proved to be very effective: in fact, EMET stopped exploits in the wild for all four of the most recently released security advisories that involved memory corruption vulnerabilities. Government agencies, media outlets, and other companies have joined us in recommending EMET as an effective mitigation tool that can help organizations increase the security of their systems.
Figure 9. The Enhanced Mitigation Experience Toolkit (EMET), version 4.0

Microsoft took another step to raise the profile of EMET in February 2013 when we announced the availability of official support for Premier and Professional customers, a development that many of our customers welcomed. We were particularly proud when the US Defense Information Systems Agency (DISA) included EMET in the Security Technical Implementation Guide (STIG) for Windows 8. STIGs are configuration standards for Department of Defense information assurance systems and play a critical role in locking down military systems and software that might be vulnerable to attack. All this interest in EMET inspires us every day, and we do our best to improve it. Every time we start planning a new version of EMET we ask ourselves a simple question: What can we do to better protect our global customers? In the MSRC, we deal with vulnerabilities, attacks, and exploitation techniques on a daily basis, which gives us a valuable perspective on the threat landscape and the trends that are likely to affect the computing ecosystem in the future. The information we gain from this directly informs our planning and design thoughts as we work to develop the feature set for the new version. We know that for a product to be effective, it needs to not only offer something valuable, but be usable and scalable as well, so we pay close attention to the feedback we receive from our customers as they tell us how they use EMET, what works, and what doesn't. This process culminated in June 2013 with the release of EMET 4.0, an improved and expanded version that includes several new features that we believe our customers will find useful and valuable. Some of these features include:

Certificate Trust. Attacks that leverage the certificate trust hierarchy have become more common within the last few years. In more than one instance, attackers have compromised a root certificate authority (CA) and issued malicious digital certificates in the root CA's name. The Certificate Trust feature in EMET 4.0 introduces an SSL/TLS certificate pinning mechanism that can be used to check certificates against a configurable list of domains and corresponding root CAs. If a certificate detected for a Web site was issued by a different root CA than the one that is expected for the domain, EMET alerts the user to the possibility of an attack.

Early Warning Program. When this feature is enabled, EMET sends information to Microsoft whenever it detects and blocks an exploit. Typically, new zero-day exploits are discovered when a security researcher or company notices them being hosted on watering hole Web sites or spread through phishing emails. Once an exploit is discovered, there is no way to obtain a count of victims, or to know how long attackers have been using it. The MSRC hopes to use the Early Warning Program to fill in some of these gaps by collecting information that can be used to identify and respond to new vulnerabilities more quickly than has been previously possible.
Enterprise customers that use tools such as Microsoft Desktop Optimization Pack or System Center Operations Manager Agentless Monitoring will be able to forward EMET's generated error reports to their on-premises servers, and will be able to investigate attacks that have been detected inside their environment. Since EMET also protects non-Microsoft software, Microsoft will use information gathered about zero-day exploits in third-party software to work with the affected vendor through the Microsoft Vulnerability Research program.

New mitigations. In 2012 Microsoft held the BlueHat Prize, which awarded over $260,000 USD for the best defense technologies to mitigate the exploitation of memory corruption vulnerabilities. We received several excellent submissions, most of them related to countering Return Oriented Programming (ROP), a commonly used technique in exploits to bypass the Data Execution Prevention (DEP) security feature in Windows. We took some of those ideas and implemented them in a July 2012 Technical Preview release of EMET. In EMET 4.0, these mitigations have been hardened and improved in terms of performance and compatibility. As exploitation techniques evolve over time, we have also added additional ROP-related mitigations targeted at new techniques that we have recently observed.

Audit Mode. This is a new feature that has been added to EMET 4.0 based on feedback received from customers. Previous versions of EMET's mitigations have sometimes caused compatibility issues with certain specific software programs, especially older ones. When a mitigation is incompatible with an application, EMET often erroneously detects the incompatibility as an attack and terminates the application, disrupting the user experience. Audit Mode enables administrators to deploy EMET into a production environment for purposes of monitoring and evaluating its behavior and compatibility with existing software. When Audit Mode is enabled, EMET does not terminate the affected process once a mitigation is triggered, enabling administrators to determine whether any compatibility issues are present. Once the administrators have a clear understanding of which mitigations generate compatibility issues with the applications deployed in their environment, EMET's configuration can be fine-tuned and it can finally be deployed in Stop Mode, its default behavior.

In addition to these new features, many mitigations have been improved and hardened in EMET 4.0, many application compatibility issues have been solved, and the user interface has been improved. We believe these new features and enhancements, along with the other features that have been a part of EMET for years, make EMET what many IT departments will find to be an indispensable assistant in their efforts to keep their environments safe.
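To make the Certificate Trust decision rule concrete, the following is an added example (not EMET's own implementation) that models a domain-to-root-CA pinning check: a chain is walked from the leaf to its self-signed root, and the root's thumbprint is compared against the roots pinned for that hostname. The certificates, hostnames and thumbprints are constructed, and exact hostname matching is an assumption of the example.

```python
"""Model of a domain-to-root-CA pinning check in the spirit of EMET 4.0's
Certificate Trust feature. Added example code, not EMET's implementation;
certificate bytes, names and thumbprints below are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real DER)."""
    subject: str
    issuer: str
    der: bytes

    def thumbprint(self) -> str:
        # Windows displays a certificate thumbprint as the SHA-1 of its DER bytes.
        return hashlib.sha1(self.der).hexdigest().upper()


def chain_root(chain):
    """Return the root CA of a leaf-first chain, or None if the chain is broken.

    Each certificate must be issued by the next one in the list and the last
    certificate must be self-signed; anything else is treated as untrusted.
    """
    if not chain:
        return None
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return None
    root = chain[-1]
    return root if root.subject == root.issuer else None


def check_pin(hostname, chain, pin_rules):
    """Decide what a pinning check should report for one TLS connection.

    pin_rules maps a hostname to the set of root CA thumbprints allowed to
    anchor its chain (exact, case-insensitive hostname match is an assumption
    of this example). Returns one of:
      "unpinned"     - no rule for this host, so nothing to enforce
      "ok"           - the chain's root is one of the pinned roots
      "broken-chain" - the chain does not link up to a self-signed root
      "alert"        - the chain ends in a root that is not pinned for this
                       host, the situation in which EMET alerts the user
    """
    allowed = pin_rules.get(hostname.lower())
    if allowed is None:
        return "unpinned"
    root = chain_root(chain)
    if root is None:
        return "broken-chain"
    return "ok" if root.thumbprint() in allowed else "alert"


# Constructed sample data: a legitimate chain, and a chain for the same host
# anchored by a different root, as a compromised or rogue CA would produce.
TRUSTED_ROOT = Cert("Contoso Root CA", "Contoso Root CA", b"constructed-root-1")
INTERMEDIATE = Cert("Contoso Issuing CA", "Contoso Root CA", b"constructed-int-1")
LEAF = Cert("login.contoso.example", "Contoso Issuing CA", b"constructed-leaf-1")
GOOD_CHAIN = [LEAF, INTERMEDIATE, TRUSTED_ROOT]

OTHER_ROOT = Cert("Fabrikam Root CA", "Fabrikam Root CA", b"constructed-root-2")
ROGUE_LEAF = Cert("login.contoso.example", "Fabrikam Root CA", b"constructed-leaf-2")
ROGUE_CHAIN = [ROGUE_LEAF, OTHER_ROOT]

# Pinning configuration: this host may only be anchored by the Contoso root.
PIN_RULES = {"login.contoso.example": {TRUSTED_ROOT.thumbprint()}}

if __name__ == "__main__":
    for label, chain in (("legitimate", GOOD_CHAIN), ("rogue", ROGUE_CHAIN)):
        print(f"{label}: {check_pin('login.contoso.example', chain, PIN_RULES)}")
```

The rogue chain is rejected even though every certificate in it is internally consistent, which is exactly the case that ordinary chain validation against the machine's trusted root store would accept if the rogue root were installed there.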


Internet Explorer 11 Preview Bug Bounty


As stated earlier in the report, in June 2013, Microsoft launched three new cash-payout bounty programs designed to help us learn as early as possible about novel exploitation techniques that work against several of our newest products, specifically the latest public versions of Windows and Internet Explorer. Two of those programs, the Mitigation Bypass Bounty and the BlueHat Bonus for Defense, are ongoing; we look forward to discussing the results of those offerings in the future. The third program, the Internet Explorer 11 Preview Bounty program, pays up to $11,000 for critical vulnerabilities. The information presented below represents results from the first three weeks of the Bounty period (that is, through July 17 2013).

Bug-bounty programs have been launched throughout the software industry since 2004. As we considered how bounties might best be incorporated into Microsoft's development process, we noted that most third-party vulnerability brokers were not paying for vulnerabilities spotted in beta (preview) software. That's understandable from one point of view: since beta software is by definition in flux, entities who might hope to make use of such vulnerabilities may find that the affected code has been corrected in the normal course of development. For exactly that reason, we were drawn to the idea of offering a bounty during the beta period, when potential problems could most easily be averted in the normal course of development, if only we were aware of them. One of the program's primary goals was to capture bulletin-class vulnerabilities during the earliest period in which Internet Explorer 11 was easily available via download to researchers and interested hobbyists, but well before it was released to the general public and deployed widely in corporate environments.

We reasoned that this window would provide the best balance between giving sufficient time for researchers to submit vulnerabilities and reserving sufficient time for Internet Explorer's developers to address as many of those vulnerabilities as early as possible. Our initial results indicate that the balance was right. Between June 26 and July 17 2013, we received 19 submissions to the Preview Bounty program. (In comparison, we received no submissions at all for Internet Explorer 9 or 10 during the first month of their respective public preview periods.) After intake and triage, entries were submitted to a judging panel composed of security experts from both inside and outside Microsoft, even as the Internet Explorer 11 Preview testing and development teams started work to mitigate and mend the vulnerabilities uncovered. We confirmed the first submitted vulnerability and notified its finder on July 10 2013; ironically, this finder is well known to us as one of the winners of our previous BlueHat Prize competition. Security research is a small world. For more information on the Internet Explorer 11 Preview Bounty submission guidelines, visit microsoft.com/bountyprograms. To monitor progress on all our bounty programs past and present, visit blogs.technet.com/bluehat.


Summary
Program refinements to Microsoft's security initiatives and programs are focused on better protecting our global customers' computer systems, while providing customers with critical information to better manage their computer security and privacy.

New programs, such as MAPP for Responders and tools like MAPP Scanner, are ways to improve industry collaboration with incident response partners to help rapidly assess suspect files and URLs. MAPP will continue to be a strategic asset for security software providers worldwide.

The Exploitability Index (XI) ratings continue to be a valuable part of the Microsoft monthly security bulletin release cycle. Customers use the XI ratings along with the other information included with each security bulletin to identify the updates that most affect their business in a given month.

EMET 4.0 has proven to be effective in stopping zero-day exploits. EMET stopped exploits in the wild for all four of the most recently released security advisories that involved memory corruption vulnerabilities. Government agencies, media outlets, and other companies have joined us in recommending EMET as an effective mitigation tool that can help organizations increase the security of their systems.

The Internet Explorer 11 Bug Bounty program is one of several unique ways that Microsoft continues to work to meet the threats our customers face in an ever-changing threat landscape. To date this program has been well received, and we expect to have more data and program-specific information soon.

The threat landscape will continue to evolve and increase in complexity, especially as attackers look for new technologies to exploit. Microsoft's increased collaboration with industry partners and our customers will be key to helping provide safer, more trusted computing experiences. Long term, it's industry collaboration that will help better protect our customers, where the combined efforts of industry, governments, and community-based defenses work together to help keep our computing systems secure.
