MS17-013 – Critical: Security Update for Microsoft Graphics Component (4013075) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (March 24, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync. The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Categories: Uncategorized Tags:

MS17-013 – Critical: Security Update for Microsoft Graphics Component (4013075) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (March 24, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync. The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Categories: Uncategorized Tags:

A new best practice to protect technology supply chain integrity

This post is authored by Mark Estberg, Senior Director, Trustworthy Computing. 

The success of digital transformation ultimately relies on trust in the security and integrity of information and communications technology (ICT). As ICT systems become more critical to economic prosperity, governments and organizations around the world are increasingly concerned about threats to the technology supply chain. These concerns stem from fear that an adversary might tamper with or manipulate products during development, manufacture, or delivery. This poses a challenge to the technology industry: If our products are to be fully trusted, we must be able to provide assurance to our customers that the technology they reviewed and approved before deployment is the same software that is running on their computers.

To increase confidence, organizations have increasingly turned to source code analysis through direct inspection of the supply chain by a human expert or an automated tool. Source code is a set of computer instructions written in a programming language that humans can read. This code is converted (or compiled) into a binary file of instructions—a language of zeroes and ones that machines can process and execute, or executable. This conversion of human-readable code to machine-readable code, however, raises the unsettling question of whether the machine code—and ultimately the software program running on computers—was built from the same source code files that the expert or tool analyzed. There has been no efficient and reliable method to answer this, even for open source software. Until now.

At Microsoft, we have developed a way to definitively demonstrate that a compiled machine-readable executable was generated from the same human-readable source code that was reviewed. It’s based on the concept of a “birth certificate” for binary files, which consists of unique numbers (or hash values) that are cryptographically strong enough to identify individual source code files.

As source code is compiled in Visual Studio, the compiler assigns the source code a hash value generated in such a way that it is virtually impossible that any other code will produce the same hash value. By matching hash values from the compiler to those generated from the examined source code files, we can verify that the executable code did indeed result from the original source code files.

This method is described in more detail in Hashing Source Code Files with Visual Studio to Assure File Integrity. The paper gives a full description of the new Visual Studio switch for choosing a hashing algorithm, suggested scenarios where such hashes might prove useful, and how to use Visual Studio to generate these source code hashes.

Microsoft believes that the technology industry must do more to assure its stakeholders of the integrity of software and the digital supply chain. Our work on hashing is both a way to help our customers and a way to further how the industry is addressing this growing problem:

  • This source file hashing can be employed when building C, C++, and C# executable programs in Visual Studio.
  • Technology providers can use unique hash value identifiers in their own software development for tracking, processing, and controlling source code files that definitively demonstrate a strong linkage to the specific executable files.
  • Standards organizations can include in their best practices the requirement to take this very specific and powerful step toward authenticity.

We believe that capabilities such as binary source file hashing are necessary to establish adequate trust to fulfill the potential of digital transformation. Microsoft is committed to building trust in the technology supply chain and will continue to innovate with our customers, partners and other industry stakeholders.

Practical applications of digital birth certificates

There are many practical applications for our binary source file hashing capability, including these:

  • Greater assurance through automated scanning. As an automated analysis tool scans the source code files, it can also generate a hash value for each of the files being scanned. Matching hash values from the compiler with hash values generated by the analysis not only definitively demonstrates that they were compiled into the executable code, but that the source code files were scanned with the approved tool.
  • Improved efficiency in identifying vulnerabilities. If a vulnerability is identified in a source file, the hash value of the source file can be used to search among the birth certificates of all the executable programs to identify programs likely to include the same vulnerability.

To learn more about evolving threats to the ICT supply chain, best practices, and Microsoft’s strategy, check out our webinar, Supply Chain Security: A Framework for Managing Risk.

Categories: Uncategorized Tags:

3 ways to outsmart attackers by using their own playbook

This blog post was authored by Andrej Budja, Frank Brinkmann, Heath Aubin, Jon Sabberton and Jörg Finkeisen from the Cybersecurity Protection Team, part of the Enterprise Cybersecurity Group.

The security landscape has changed.

Attackers often know more about the target network and all the ways they can compromise an organization than the targeted organization itself. As John Lambert writes in his blog, “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win”.

Attackers do think in graphs. Unfortunately, most organizations still think in lists and apply defenses based on asset value, rather than the security relationships between the assets.

So, what can you do to level the playing field? Use the attackers’ playbook against them!

Get ahead by creating your own graph

Start by reading John Lambert’s blog post, then do what attackers do – graph your network. At Microsoft, we are using graphs to identify potential attack paths on our assets by visualizing key assets and security relationships.

While we have not published our internal tools (you can find some similar open source tools on the Internet), we have created a special cybersecurity engagement delivered by our global Microsoft Services team, called Active Directory Hardening (ADH).

The ADH offer uses our tools to help discover and analyze privileged account exposure and provide transition assistance for deviations from the privileged administration recommendations used at Microsoft. The ADH provides assistance by reducing the number of highly privileged Active Directory (AD) administrative accounts and transitioning them into a recommended AD administration model.

Break connections in your graph

Once you have the graph for your AD accounts, you will notice clusters as well as the different paths attackers can use to move laterally on your network. You will want to implement security controls to close those paths. One of the most effective ways to reduce the number of paths is by reducing the number of administrators (this includes users that are local administrators on their workstations) and by using dedicated, hardened workstations for all privileged users – we call these Privileged Access Workstations (PAWs).

These PAWs are deployed from a clean source and make use of modern security controls available in Windows 10. Because PAWs are not used as general purpose workstations (no email and Internet browsing allowed), they provide high security assurances for sensitive accounts and block popular attack techniques. PAWs are recommended for administration of identity systems, cloud services, and private cloud fabric as well as sensitive business functions.

You can develop and deploy PAWs on your own by following our online guide, or you can engage Microsoft Services to help accelerate your adoption of PAWs using our standard PAW offering.

Bolster your defenses

PAWs provide excellent protection for your privileged users. However, they are less effective when your highest privileged accounts (Domain Administrators and Enterprise Administrators) have already been compromised. In this situation, you need to provide Domain Administrators a new, clean, and trusted environment from which they can regain control of the compromised network.

Enhanced Security Administrative Environment (ESAE) builds upon guidance and security controls from PAWs and adds additional controls by hosting highly-privileged accounts and workstations in a dedicated administrative forest. This new, minimal AD forest provides stronger security controls that are not possible in the production environment with PAWs. These controls are used to protect your most privileged production domain accounts. For more information about the ESAE administrative forest and security concepts, please read ESAE Administrative Forest Design Approach.

Conclusion

“If you know your enemy and know yourself you need not to fear the results of hundreds of battles”, Sun Tzu, Chinese general, military strategist, 6th Century BCE.

Protecting your valuable assets against sophisticated adversaries is challenging, but it can be made easier by learning from attackers and using their playbook. Our teams are working daily on the latest cybersecurity challenges and sharing our knowledge and experience. Discover more information in the following resources:

About the Cybersecurity Protection Team

Microsoft invests more than a billion dollars each year to build security into our products and services. One of the investments is the global Enterprise Cybersecurity Group (ECG) which consists of cybersecurity experts helping organizations to confidently move to the cloud and modernize their enterprises.

The Cybersecurity Protection Team (CPT) is part of ECG, and is a global team of Cybersecurity Architects that develops, pilots, and maintains cybersecurity offerings that protect your critical assets. The team works closely with other Microsoft teams, product groups, and customers to develop guidance and services that help protect your assets.

Categories: Uncategorized Tags:

MS16-JUL – Microsoft Security Bulletin Summary for July 2016 – Version: 1.2

Revision Note: V1.2 (March 17, 2017): For MS16-087, added a Known Issues reference to the Executive Summaries table. If you are using network printing in your environment, after you apply the 3170005 security update you may receive a warning about installing a printer driver, or the driver may fail to install without notification. For more information about the update and the known issue, see Microsoft Knowledge Base Article 3170005.
Summary: This bulletin summary lists security bulletins released for July 2016.

Categories: Uncategorized Tags:

MS16-084 – Critical: Cumulative Security Update for Internet Explorer (3169991) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (March 17, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Categories: Uncategorized Tags:

MS16-JUL – Microsoft Security Bulletin Summary for July 2016 – Version: 1.2

Revision Note: V1.2 (March 17, 2017): For MS16-087, added a Known Issues reference to the Executive Summaries table. If you are using network printing in your environment, after you apply the 3170005 security update you may receive a warning about installing a printer driver, or the driver may fail to install without notification. For more information about the update and the known issue, see Microsoft Knowledge Base Article 3170005.
Summary: This bulletin summary lists security bulletins released for July 2016.

Categories: Uncategorized Tags:

MS16-084 – Critical: Cumulative Security Update for Internet Explorer (3169991) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (March 17, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Categories: Uncategorized Tags:

MS17-017 – Important: Security Update for Windows Kernel (4013081) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application.

Categories: Uncategorized Tags:

MS17-MAR – Microsoft Security Bulletin Summary for March 2017 – Version: 1.0

Categories: Uncategorized Tags:

MS17-013 – Critical: Security Update for Microsoft Graphics Component (4013075) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync. The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Categories: Uncategorized Tags:

MS17-020 – Important: Security Update for Windows DVD Maker (3208223) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves an information disclosure vulnerability in Windows DVD Maker. The vulnerability could allow an attacker to obtain information to further compromise a target system.

Categories: Uncategorized Tags:

3123479 – SHA-1 Hashing Algorithm for Microsoft Root Certificate Program – Version: 2.0

Revision Note: V2.0 (March 14, 2017): Advisory rereleased to announce that the changes described in this advisory have been reverted as of November 2016. This is an informational change only.
Summary: Microsoft is announcing a policy change to the Microsoft Root Certificate Program.

Categories: Uncategorized Tags:

MS17-022 – Important: Security Update for Microsoft XML Core Services (4010321) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a user visits a malicious website. However, in all cases an attacker would have no way to force a user to click a specially crafted link. An attacker would have to convince a user to click the link, typically by way of an enticement in an email or Instant Messenger message.

Categories: Uncategorized Tags:

MS17-012 – Critical: Security Update for Microsoft Windows (4013078) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker running inside a virtual machine runs a specially crafted application.

Categories: Uncategorized Tags:

MS17-018 – Important: Security Update for Windows Kernel-Mode Drivers (4013083) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

Categories: Uncategorized Tags:

MS17-009 – Critical: Security Update for Microsoft Windows PDF Library (4010319) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow information disclosure if a user views specially crafted PDF content online or opens a specially crafted PDF document.

Categories: Uncategorized Tags:

MS17-016 – Important: Security Update for Windows IIS (4013074) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Click here to enter text.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Categories: Uncategorized Tags:

MS17-007 – Critical: Cumulative Security Update for Microsoft Edge (4013071) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Categories: Uncategorized Tags:

MS17-014 – Important: Security Update for Microsoft Office (4013241) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Categories: Uncategorized Tags: