Skip to main content
MSRC

Mitigations

MS09-013 and MS09-014: NTLM Credential Reflection Updates for HTTP clients

Tuesday, April 14, 2009

This month we are taking another step towards blocking NTLM reflection attacks by releasing MS09-014 for Internet Explorer and MS09-013 for Windows. This is the third update related to NTLM credential reflection we have released, and I thought it would be good to go into a bit more detail on why this update was needed, how it relates to the previous updates (MS08-068 and MS08-076), and the severity of the issue.

Released build of Internet Explorer 8 blocks Dowd/Sotirov ASLR+DEP .NET bypass

Monday, March 23, 2009

Last summer at BlackHat Vegas, Alexander Sotirov and Mark Dowd outlined several clever ways to bypass the Windows Vista defense-in-depth protection combination of DEP and ASLR in attacks targeting Internet Explorer. One approach they presented allowed attackers to use .NET framework DLL’s to allocate executable pages of memory at predictable locations within the iexplore.

Enhanced GS in Visual Studio 2010

Friday, March 20, 2009

In a previous post we noted some stack-based vulnerabilities, such as MS08-067, that GS was not designed to mitigate due to the degree of control available to an attacker. However, other vulnerabilities such as the ANI parsing vulnerability in MS07-017 would have been mitigated if the GS cookie protection had been applied more broadly.

GS cookie protection – effectiveness and limitations

Monday, March 16, 2009

The Microsoft C/C++ compiler supports the GS switch which aims to detect stack buffer overruns at runtime and terminate the process, thus in most cases preventing an attacker from gaining control of the vulnerable machine. This post will not go into detail about how GS works, so it may be helpful to refer to these MSDN articles for an overview and loads of detail on how GS works and what a GS cookie is.

More information about the new Excel vulnerability

Tuesday, February 24, 2009

This morning, we posted Security Advisory 968272 notifying of a new Excel binary file format vulnerability being exploited in targeted attacks. We wanted to share more information about the vulnerability to help you assess risk and protect your environment. Office 2007 being targeted The current attacks we have seen target users of Office 2007 running an earlier version of Windows (Windows 2000, XP, 2003).

Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP

Monday, February 02, 2009

One of the responsibilities of Microsoft’s Security Engineering Center is to investigate defense in depth techniques that can be used to make it harder for attackers to successfully exploit a software vulnerability. These techniques are commonly referred to as exploit mitigations and have been delivered to users in the form of features like /GS, Data Execution Prevention (DEP), and Address Space Layout Randomization (ASLR).

Clarification on the various workarounds from the recent IE advisory

Friday, December 12, 2008

Today Microsoft revised the Workarounds section of Security Advisory 961051. We wanted to share more detail about the vulnerability and explain the additional workarounds here to help you protect your computers. Information about the vulnerability The vulnerability is caused by memory corruption resulting from the way Internet Explorer handles DHTML Data Bindings.

MS08-068: SMB credential reflection defense

Tuesday, November 11, 2008

Today Microsoft released a security update, MS08-068, which addresses an NTLM reflection vulnerability in the SMB protocol. The vulnerability is rated Important on most operating systems, except Vista and Windows Server 2008 where it has a rating of Moderate. This blog post is intended to explain why the issue is less severe on Vista and Windows Server 2008, and provide some additional details to help people determine the risk they face in their environment.

Most common questions that we've been asked regarding MS08-067

Saturday, October 25, 2008

Since the release we have received several great questions regarding MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx), thus we decided to compile answers for them. We still want to encourage everyone to apply the update. Can the vulnerability be reached through RPC over HTTP? No, the vulnerability cannot be reached through RPC over HTTP. RPC over HTTP is an end-to-end protocol that has three roles: client, proxy and server.

More detail about MS08-067, the out-of-band netapi32.dll security update

Thursday, October 23, 2008

Today Microsoft released a security update that fixes a remote code execution vulnerability in the Windows Server Service. This is a serious vulnerability and we have seen targeted attacks using this vulnerability to compromise fully-patched Windows XP and Windows Server 2003 computers so we have released the fix “out of band” (not on the regular Patch Tuesday).