Security Advisor

Microsoft: Security is a Two-Way Street

Partners and users are equally responsible for making a secure Microsoft experience; Plus: IE lacks the security chops of rival browsers; HTML 5 may not be as secure as Microsoft points out; More.

• By Jabulani Leffall
• 08/01/2011

As Black Hat USA 2011 kicks off this week Microsoft's overlying message is that "a safer online experience can only be pursued when customers, the industry and the security and privacy community work together."

That push for greater transparency and collaboration across vendor, partner and competitor boundaries in the IT ecosystem is outlined in Redmond's Microsoft Security Response Center (MSRC) progress report, released on Monday.

In the report, the software giant does a little back patting on its own initiative to shore up teamwork across the technology aisles. Chief among the achievements it lauded was the success of its Microsoft Active Protections Program (MAPP), the ongoing Microsoft and Adobe Systems vulnerability remediation collaboration, and other updates on security development initiatives. Also included in the self-evaluation is the fact that Redmond beefed up its Exploitability Index, and its Coordinated Vulnerability Disclosure -- Microsoft's Vulnerability Research programs.

There was also some retrospective patch work for Patch Tuesday releases. The report says that during the 12 months from July 2010 through July 2011 Microsoft released a total of 117 security bulletins that covered 283 individual vulnerabilities. Normally this is no big deal as such numbers aren't particularly eye gouging or small enough to brag about. However, the impressive thing in this period is that there were only two out-of-band or off-cycle patches, which suggests Microsoft is getting better at rolling out its security updates and responding to vulnerabilities.

Older IE Versions Weaker than Other Browsers
Internet Explorer can't seem to catch a break lately. First there's the recent report saying that IE users have a lower IQ than people who launch a Web session on other browsers. And now, in another report (pdf),  Microsoft researchers are questioning the security IQ of older versions of IE compared to other browsers.

In the new report, Microsoft looked at how to exploit mitigation technologies like heap metadata protection, Address Space Layout Randomization (ASLR) and Structured Exception Handler Overwrite Protection (SECHOP). In cases where these much ballyhooed security tools are absent, hacker mayhem is present, the report asserts.

Specifically Redmond is urging partners and vendors to build their software around exploit mitigation technologies such as ASLR and SEHOP. Also, they should enable them by default and then measure them using the Security Development Lifecycle programs SDL BinScope tool.

New warnings on HTML 5
Microsoft was quick to point out that security in IE 9, which is set to run on the HTML 5 hypertext mark-up language code standards, is sound and that HTML5 is what makes the browser the fastest moving, most interactive browser in company history. But there are new security concerns around the standard, which is also known as the Web's "Mother toungue."

On Monday, in a 61-page document, European Network and Information Security Agency (ENISA) hinted that HTML 5 might not be up to snuff from a security standpoint.

According to the report, current HTML 5 design specs may enable an attacker to inject malicious HTML onto the page.

Revisions from the ENISA on the standard will be out in January.

Facebook Pays Bug Bounty
Hackers have long been known to seize a system remotely, hold it for ransom or launch a Denial of Service (DOS) attack, and leave a system locked until somebody pays up.

Facebook has decided to pay up, which would seem counterintuitive to deterring ambitious hackers with financial motivations. However, Facebook is actually offering about $500 to people who "responsibly disclose" bugs on this page.

One of the mainstays at the annual Pwn2own hacking contest, Charlie Millers calls this a "good start" as the social networking giant follows Google and open source collective Mozilla in pay-for-play arrangements with people turning in bugs. For the more complex and critical exploitables, Facebook is offering more than $500 -- but has not yet disclosed how much more.

Lumension: Look at the Application Layer
IT security folks and I have been saying for years that the new frontier for hackers isn't at the OS level but at the application layer -- where apps and programs run, particularly in regards to browser apps and third-party programs running in a Windows environment.

Lumension's Pat Clawson says as much in this recent post where he points to application whitelisting as a good place to start.

ecting critical apps, trusted apps and apps with the most vulnerabilities through whitelisting, Clawson suggests doing two things: Prioritize your IT assets and educating your middle management with concise procedures around security in the Windows processing environment.

Outside of what Lumension espouses, prioritization and education ensures two things. One, top data and IT assets will be protected first, and two, an audit trail of security regulations can be traced down the process level during security reviews to plug any potential holes.