Defense-in-depth

New Research Paper: Pre-hijacking Attacks on Web User Accounts

Monday, May 23, 2022

In 2020, MSRC awarded two Identity Project Research Grants to support external researchers working to further strengthen the security of identity protocols and systems. Today we are pleased to release the results of the first of these projects. This research, led by independent security researcher Avinash Sudhodanan, investigated account pre-hijacking – a new class of attacks affecting websites and other online services.

Read More

• Attack
• Defense-in-depth
• Mitigations
• Security Research

Software defense: mitigating common exploitation techniques

Wednesday, December 11, 2013

In our previous posts in this series, we described various mitigation improvements that attempt to prevent the exploitation of specific classes of memory safety vulnerabilities such as those that involve stack corruption, heap corruption, and unsafe list management and reference count mismanagement. These mitigations are typically associated with a specific developer mistake such as writing beyond the bounds of a stack or heap buffer, failing to correctly track reference counts, and so on.

Read More

• ASLR
• Defense-in-depth
• Exploitation
• Mitigation

Mitigating the LdrHotPatchRoutine DEP/ASLR bypass with MS13-063

Monday, August 12, 2013

Today we released MS13-063 which includes a defense in depth change to address an exploitation technique that could be used to bypass two important platform mitigations: Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). As we’ve described in the past, these mitigations play an important role in making it more difficult and costly for attackers to exploit vulnerabilities.

Read More

• Defense-in-depth
• DEP
• Exploitation
• Mitigation

Verifying update hashes

Tuesday, November 13, 2012

Some of you may have noticed us improving our defense-in-depth practices for bulletins by supplying sha1 and sha2 hashes in the Knowledge Base (KB) articles. This has been most visible in the KB with the addition of the “File hash information” section, but it is also noted in the Frequently Asked Questions (FAQ) section of each bulletin for convenience.

Read More

• Announcements
• Defense-in-depth
• Security

August 2012 Bulletin Release

Tuesday, August 14, 2012

Security Advisory 2661254 - Update For Minimum Certificate Key Length Before we get into the details of this month’s bulletin release, let’s take a look at an important change on how Windows deals with certificates that have RSA keys of less than 1024 bits in length. We’ve been talking about this subject since June, and today we are announcing the availability of an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length with Security Advisory 2661254.

Read More

• ActiveX
• Advisory
• Bulletins
• Defense-in-depth
• Exploitability Index
• Internet Explorer (IE)
• Malicious Software Removal Tool (MSRT)

MS12-060: Addressing a vulnerability in MSCOMCTL.OCX's TabStrip control

Tuesday, August 14, 2012

Today we released MS12-060, addressing a potential remote code execution vulnerability in MSCOMCTL.OCX, the binary included with a number of Microsoft products to provide a set of common ActiveX controls. Limited, targeted attacks exploiting CVE-2012-1856 MS12-060 is on the list of high priority updates for this month for two reasons: we are aware of very limited, targeted attacks taking advantage of CVE-2012-1856 and we expect to see new attacks taking advantage of this vulnerability in days ahead.

Read More

• Attack
• Classid
• Clsid
• Defense-in-depth
• EMET
• Mitigations

Microsoft's continuing work on digital certificates

Tuesday, July 10, 2012

Over the past several months, Microsoft has made changes both to our own internal PKI practices and to the Windows Update channel (client-side and server-side) PKI handling. You’ve likely already read about those changes on the MSRC blog, the Microsoft Update blog, and in the associated KB articles (949104, 2720211).

Read More

• Defense-in-depth
• PKI

Introducing EMET v3

Tuesday, May 15, 2012

We are pleased to announce the release of a new version of our Enhanced Mitigation Experience Toolkit (EMET) - EMET 3.0. EMET it is a free utility that helps prevent vulnerabilities in software from being successfully exploited for code execution. It does so by opt-ing in software to the latest security mitigation technologies.

Read More

• Defense-in-depth
• EMET
• Mitigations
• Security Tools

Inside the MAPP program

Wednesday, May 02, 2012

Handle: Cluster IRL: Maarten Van Horenbeeck Rank: Senior Program Manager Likes: Slicing covert channels, foraging in remote memory pools, and setting off page faults Dislikes: The crackling sound of crypto breaking, warm vodka martni Hi everyone, Maarten here - my team manages the Microsoft Active Protections Program (MAPP) at Microsoft.

Read More

• Defense-in-depth
• Microsoft Active Protections Program (MAPP)
• Mitigations

MS12-027: Enhanced protections regarding ActiveX controls in Microsoft Office documents

Tuesday, April 10, 2012

Security Update MS12-027 addresses a code execution vulnerability in MSCOMCTL.OCX, the Windows Common Controls ActiveX control. By default, this component is included with all 32-bit versions of Microsoft Office. We’d like to cover the following topics in this blog post: Limited, targeted attacks leveraging this vulnerability Mitigations in recent versions of Office to reduce the risk Extra protections to block all or specific ActiveX controls in Office documents The new Office 2010 kill bit feature Limited, targeted attacks leveraging this vulnerability

Read More

• ActiveX
• Clsid
• Defense-in-depth
• Microsoft Office
• Mitigations
• Workarounds