Roger Halbheer on Security » Incidents

What Microsoft can teach Apple about security response

Roger Halbheer — Wed, 09 May 2012 14:01:41 +0000

I guess, I do not have to comment this – right?

What Microsoft can teach Apple about security response

To quote the summary:

Microsoft just released seven security updates to fix 23 vulnerabilities in Windows and other products. In February, Apple released a massive update that covered 51 vulnerabilities and also introduced an embarrassing security flaw. The contrast is striking.

Roger

Keep all your software updated and current

Roger Halbheer — Fri, 13 Apr 2012 06:48:45 +0000

I know that I keep going and going on that. When I talk to customers and mainly to providers of the critical infrastructure about security, one of the key things to me is to keep the software updated. It is about patching and it is about staying on the latest version of your software. To me, today Windows XP is a huge risk out there. It was an outstanding operating system when it was launched but it is definitely outdated if you think about how the threat landscape looked like only 5-10 years ago. I am aware of the fact that not all systems can be upgraded because of compatibility issues, a vendor might not even exist anymore. Then these systems need definitely be shielded in different ways to keep them as far off the network as possible.

The reason for this post is, that I still see a lot of customers who developed a really good practice for handling Microsoft updates but not for the rest. I just read these two articles this morning:

So, make sure you cover all your software including third-party apps and open source.

Roger

Security Updates and Exploit Code

Roger Halbheer — Mon, 19 Mar 2012 19:18:01 +0000

CORRECTION:So far there is “only” Proof of Concept code in the wild, no real exploit.

In our last update cycle we published the security bulletin MS12-020 Vulnerabilities in Remote Desktop Could Allow Remote Code Execution. Relatively soon after the release, there was a public exploit code available – we informed here: Proof-of-Concept Code available for MS12-020.

This would not necessarily make me blog as it is a fairly common scenario – unfortunately. In all the different discussion lists internally, I realized that a there was a lot of confusion and nervousness internally and with our customers, which I definitely can understand.

I just wanted to make sure, that you understand and see all the resources you have available to take an informed decision. We basically give you two assessments: A Severity Rating and Vulnerability Impact and an Exploitability Index:

The Security Rating and Vulnerability Impact describes how severe the vulnerability is and is described here in detail. If there are default mitigations in place, there is a chance that a vulnerability rating is lower. What is important is, that our assessment is always based on a default, out-of-the-box installation. If you decide to switch off the firewall, obviously there is a good chance that your risk is higher than flagged in our assessment.
The Exploitability Index shows how likely we think an exploit is. We provide this information since late 2008 but it seems still not too well known – it is described here. You always find it in the bulletin summary per month.

Let’s apply this now to MS12-020 described above: The security rating is “critical”, which is the highest possible rating we have and the exploitability index is on “1 – Exploit code likely”. So, in this case we have a critical vulnerability and we expected a working exploit code to hit the net – unfortunately we have proven to be right.

This is in no means to criticize anybody, it is more to give you all the information to take the right decisions upfront. This update was definitely one you want to set extremely high on your priority list…

Roger

EMET–Protection Against Zero-Days

Roger Halbheer — Sun, 23 Oct 2011 22:27:33 +0000

The Enhanced Mitigation Experience Toolkit is definitely not new but I recently realized that not too many people know about it – and they should. EMET helps you to raise your shields against zero-days and any exploit in the wild. I do not say that it is a silver bullet but it is definitely going into this direction – a little bit.

You can find all the necessary information on EMET here:

That’s the article on our support website: The Enhanced Mitigation Experience Toolkit
Here a TechNet blog post: New version of EMET is now available
To download EMET v 2.1
And a BlueHat session

Before you start, please make sure that you have the Bitlocker recovery key ready (you are running Bitlocker, don’t you?) or that you suspend Bitlocker for the time of the configuration as EMET might change your Data Execution Prevention settings, which change your bootloader, which invalidates the Bitlocker signature, which needs to be proven.

I always love to strengthen my policies and see when something breaks and how. I started to use it and it actually provides you a fairly straight-forward interface with what is running and in which state:

You can then configure your applications and define on which level you want them to be protected. It might then happen that this pops up:

I wont tell you which application it was but I was a little bit scared…

Anyway, if you did not use it yet, I think you should!

Roger

Microsoft Malware Protection Center on Facebook and Twitter

Roger Halbheer — Thu, 28 Jul 2011 12:14:09 +0000

I know, I have been fairly slow in blogging currently but I was fairly busy with a few cool projects (which I will disclose later) and – time flies if you are having fun

Just a quick one:

The MMPC on Facebook and Twitter

The Microsoft Malware Protection Center (MMPC) officially launched its Facebook page and Twitter account. From this Welcome page, you can read the latest blog posts, see the latest Twitter feeds, and find out what threats most affect your desktop.

Roger

A Security Comparison: Microsoft Office vs. Oracle Openoffice

Roger Halbheer — Tue, 19 Apr 2011 09:40:25 +0000

Actually, there is not much to say about this. It is a blog post by CanegieMellon called A Security Comparison: Microsoft Office vs. Oracle Openoffice and just does what it says. However, I do not particularly like the security comparison of products built solely on vulnerabilities as this shows only one side of the equation – an important one but only one.

For all the ones still claiming that Open Source software creates less vulnerabilities, here you find the some stats on Office:

Interesting, hmm….

Roger

Microsoft Security Update Guide, Second Edition

Roger Halbheer — Mon, 28 Mar 2011 15:32:40 +0000

A while ago we released the Microsoft Security Update Guide to explain how we release security updates and how you should/could work with our updates. It encompasses these themes:

Get to know the security update release process
Learn how to evaluate risk
See how to mitigate security risks
Understand how quickly you need to apply updates
Assess your update
Get ongoing security

If you are somehow linked to the security update process in your organization, you should download it and look at it here: Microsoft Security Update Guide, Second Edition

Roger

Infrastructure Planning and Design Guide for Malware Response

Roger Halbheer — Sun, 20 Feb 2011 16:25:52 +0000

A new version of this guide went live – I think something, you should look at. There is a metrology and a process in detail:

So, if you want to learn more: http://technet.microsoft.com/en-us/library/cc162838.aspx

Roger

Fighting a Botnet

Roger Halbheer — Thu, 17 Feb 2011 19:42:49 +0000

Microsoft Malware Protection Center published a document on Battling the Zbot Threat, a special edition of the Security Intelligence Report. It is a very good document, worth looking at.

This is the intro (to make you curious for more):

This document provides an overview of the Win32/Zbot family of password-stealing trojans. The document examines the background of Win32/Zbot, its functionality, how it works, and provides telemetry data and analysis from calendar year 2010 about how this threat is detected and removed by Microsoft antimalware products and services.

Roger

Security Intelligence Report v9 is online

Roger Halbheer — Wed, 13 Oct 2010 15:46:05 +0000

Usually I blog intensively on the release of the Security Intelligence Report. However, this time I am out of office and have just little time to give you insight. We spent a lot of work to make it more comprehensive and give you a more stable view over quite some time. So there is a great opportunity to see trends regarding different figures like the Malware Infection Rates.

Additionally we re-designed the website. This is the most comprehensive report in the industry, so you should look into it: Security Intelligence Report

Roger