Microsoft Security Response Center Blog

Predictions for 2014 and the December 2013 Security Bulletin Webcast, Q&A, and Slide Deck

Monday, December 16, 2013

Today we’re publishing the December 2013 Security Bulletin Webcast Questions & Answers page. We answered 17 questions in total, with the majority of questions focusing on the Graphics Component bulletin (MS13-096), Security Advisory 2915720 and Security Advisory 2905247. We also wanted to note a new blog on the Microsoft Security Blog site on the top cyber threat predications for 2014.

• Bulletin Webcast
• Customer Questions
• Q&A

Software defense: mitigating common exploitation techniques

Wednesday, December 11, 2013

In our previous posts in this series, we described various mitigation improvements that attempt to prevent the exploitation of specific classes of memory safety vulnerabilities such as those that involve stack corruption, heap corruption, and unsafe list management and reference count mismanagement. These mitigations are typically associated with a specific developer mistake such as writing beyond the bounds of a stack or heap buffer, failing to correctly track reference counts, and so on.

• ASLR
• Defense-in-depth
• Exploitation
• Mitigation

Assessing risk for the December 2013 security updates

Tuesday, December 10, 2013

Today we released eleven security bulletins addressing 24 CVE’s. Five bulletins have a maximum severity rating of Critical while the other six have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max XI Likely first 30 days impact Platform mitigations and key notes MS13-096(GDI+ TIFF parsing) Victim opens malicious Office document.

• Attack Vector
• Exploitability
• Risk Asessment

MS13-098: Update to enhance the security of Authenticode

Tuesday, December 10, 2013

Today we released MS13-098, a security update that strengthens the Authenticode code-signing technology against attempts to modify a signed binary without invalidating the signature. This update addresses a specific instance of malicious binary modification that could allow a modified binary to pass the Authenticode signature check. More importantly, it also introduces further hardening to consider a binary “unsigned” if any modification has been made in a certain portion of the binary.

• Spoofing
• Trust decision

Omphaloskepsis and the December 2013 Security Update Release

Tuesday, December 10, 2013

There are times when we get too close to a topic. We familiarize ourselves with every aspect and nuance, but fail to recognize not everyone else has done the same. Whether you consider this myopia, navel-gazing, or human nature, the effect is the same. I recognized this during the recent webcast when someone asked the question – “What’s the difference between a security advisory and a security bulletin?

• Microsoft Exchange
• Microsoft Office
• Microsoft Windows
• Monthly bulletin release
• Risk Assessment
• Security Bulletin
• Security Update

MS13-106: Farewell to another ASLR bypass

Monday, December 09, 2013

Today we released MS13-106 which resolves a security feature bypass that can allow attackers to circumvent Address Space Layout Randomization (ASLR) using a specific DLL library (HXDS.DLL) provided as part of Microsoft Office 2007 and 2010. The existence of an ASLR bypass does not directly enable the execution of code and does not represent a risk by itself, since

• ASLR
• Bypass
• Exploit
• HXDS.DLL
• MS13-106

Security Advisory 2916652 released, Certificate Trust List updated

Monday, December 09, 2013

Microsoft is updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of a mis-issued third-party digital certificate, which could be used to spoof content and perform phishing or man-in-the-middle attacks against web properties. With this action, customers will be automatically be protected against this issue.

• Advisory

BlueHat v13 is Coming

Friday, December 06, 2013

This week, starting Thursday, we’ll be hosting our 13th edition of BlueHat. I’m always so impressed with the level of knowledge we attract to each BlueHat, and while the event is invite-only, we’ll be sharing glimpses into the event via this blog and the hashtag #BlueHat. For each of the past six years I have had the honor to work among some of the most talented engineers I have ever met, here at Microsoft.

Advance Notification Service for December 2013 Security Bulletin Release

Thursday, December 05, 2013

Today we’re providing advance notification for the release of 11 bulletins, five Critical and six Important, for December 2013. The Critical updates address vulnerabilities in Internet Explorer, Windows, Microsoft Exchange and GDI+. The Critical update for GDI+ fully addresses the publicly disclosed issue described in Security Advisory 2896666. This release won’t include an update for the issue described in Security Advisory 2914486.

• ANS
• Internet Explorer (IE)
• Microsoft Exchange
• Microsoft Office
• Microsoft Windows
• Security Bulletins

Microsoft Releases Security Advisory 2914486

Wednesday, November 27, 2013

Today we released Security Advisory 2914486 regarding a local elevation of privilege (EoP) issue that affects customers using Microsoft Windows XP and Server 2003. Windows Vista and later are not affected by this local EoP issue. A member of the Microsoft Active Protections Program (MAPP) found this issue being used on systems compromised by a third-party remote code execution vulnerability.

• Advisory
• Attack
• Microsoft Windows
• Security
• Security Advisory