    From Lord Time@TIME to All on Wed Mar 26 18:42:54 2014
    Microsoft Security Newsletter - March 2014



    Trustworthy Computing | March 2014
    Microsoft Security Newsletter



    Welcome to March’s Security Newsletter!


    Our newsletter this month focuses on the importance of demanding secure software from your software or services providers. With the explosion of technology over the past decade, I frequently come across applications that are rushed to market with little thought given to security. Software providers are eager to make a quick return on their investment and may not recognize the long term consequences it can have to their reputation in the event that one of their customers is compromised by malware or cyber attacks. The potential impact can be even more significant if their software becomes widely adopted. Microsoft learned this lesson early on during the days of malware threats like Code Red. The Microsoft Security Development Lifecycle (SDL) (http://www.microsoft.com/sdl) was born from these lessons. The SDL is designed to reduce the number and severity of vulnerabilities in software and is a mandatory process through which all Microsoft products and services must pass. You can learn more about the evolution of the SDL in the never-before-told story, "Life in the Digital Crosshairs" (http://www.sdlstory.com/).



    Because of its effectiveness, Microsoft has made the SDL process (http://www.microsoft.com/download/details.aspx?id=12379) available for free to the public so that software developers both large and small can benefit from security development best practices. Whether you’re developing an application for a smartphone, tablet, PC, or other computing device, you can apply SDL principles to improve that application’s state of security. Learn more about the benefits of incorporating the SDL into your development process in our SDL Chronicles (http://aka.ms/cfkgqh).



    In this fast moving technology market, providers are developing applications based on customer demand or priority which is why demanding secure software starts with you. Ask your software provider if they are using a security development process. If not, you should think twice about the security of that software. Don’t let security be an afterthought and potentially expose your organization to increased risks from malware and other threats.




    Best regards,

    Tim Rains, Director

    Microsoft
    Trustworthy
    Computing



    Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.



    Top Stories


    http://blogs.technet.com/b/security/archive/2014/03/24/cyber-threats-to-windows-xp-and-guidance-for-small-businesses-and-individual-consumers.aspx

    Cyber Threats to Windows XP and Guidance for Small Businesses and Consumers

    It’s been well publicized that on April 8th, 2014 Microsoft discontinues product support for Windows XP. While many organizations have recently finished, or are in the process of finishing, the migration to Windows 7 or Windows 8, others have no plans to update their Windows XP systems. Get
    insight on the specific threats to Windows XP-based systems that attackers may attempt after end of support to better understand the risks involved with remaining on Windows XP, and benefits of immediately upgrading to a more
    secure version of Windows, or accelerate existing plans to do so.

    http://blogs.technet.com/b/security/archive/2014/03/20/threat-modeling-a-retail-environment.aspx

    Threat Modeling a Retail Environment

    In the wake of high profile attacks on organizations in the retail industry, Microsoft cybersecurity and retail experts have teamed up to provide guidance that identifies some of the unique threats and challenges faced by companies
    in the retail industry, and suggests some appropriate mitigations.

    http://blogs.technet.com/b/srd/archive/2014/03/12/when-aslr-makes-the-difference.aspx

    When ASLR Makes the Difference

    Explore the importance of enabling Address Space Layout Randomization mitigation (ASLR) in modern software, and see how it can be used to mitigate two real exploits seen in the world today.




    Security Guidance



    http://technet.microsoft.com/security/dn642434.aspx
    Security Tip of the Month: Increase Your Microsoft SDL I.Q.
    Ken Malcolmson, Group Manager, Microsoft Trustworthy Computing

    This year is the tenth anniversary of the creation of Microsoft’s Security Development Lifecycle (http://www.microsoft.com/sdl). Over the last decade the technology-agnostic SDL has been refined and improved based on real-world feedback, made available free of charge for anyone to adapt and adopt in their own environment, and most recently been declared to meet or exceed the guidance published in ISO/IEC 27034-1 (http://blogs.msdn.com/b/sdl/archive/2013/05/14/microsoft-sdl-conforms-to-iso-iec-27034-1-2011.aspx), the first international standard to address secure software development requirements.



    The free SDL guidance, tools and resources have been downloaded more than a million times and adopted by organizations large and small around the world.
    In today’s landscape, where concerns over supply chain security, protecting customer data and personally identifiable information, and
    defending against malicious attackers are keeping IT professionals and
    managers awake at night, the SDL offers a flexible and adaptable secure development framework that can be introduced into any development environment. As a result, here are 10 of the top resources that can help you better understand and utilize the SDL in your organization.


    -
    http://www.microsoft.com/download/details.aspx?id=12379
    The Simplified SDL – detailed walkthrough of the core concepts and activities involved in the SDL process


    -
    http://www.microsoft.com/security/sdl/discover/sdlagile.aspx
    SDL for Agile –
    guidance on adopting SDL in Agile development environments


    -
    http://www.microsoft.com/security/sdl/adopt/tools.aspx
    SDL Tools –
    free tools to utilize in each phase of the SDL


    -
    http://aka.ms/D5akge
    Microsoft Security Development Lifecycle Adoption: Why and How – downloadable report by the Edison Group on the use of secure development in
    the financial sector


    -
    http://www.microsoft.com/download/details.aspx?id=38842
    Secure Software Trends in Healthcare –
    explores risks associated with the move to electronic healthcare records and the importance of secure application development to the healthcare sector


    -
    http://www.microsoft.com/download/details.aspx?id=39363
    Secure Software Development Trends in the Oil & Gas Sectors – discusses how a holistic approach to software development can help mitigate many of the risks oil and gas organizations face


    -
    http://www.microsoft.com/download/details.aspx?id=38843
    The emergence of software security standards: ISO/IEC 27034-1:2011 and your organization –
    Reavis Consulting LLC research report that examines the importance of ISO/IEC 20734 to software developers and customers, and how to leverage the SDL to
    help deliver more secure applications and services


    -
    http://www.microsoft.com/download/details.aspx?id=16853
    Aligning the Microsoft SDL with PCI DSS/PCI PA-DSS Compliance Activity
    – explains how the SDL can help you meet some of the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS)


    -
    http://www.microsoft.com/download/details.aspx?id=11942
    Aligning Microsoft SDL Security Practices with the HIPAA Security Rule
    – describes how the SDL can help you comply with some requirements of
    the administrative simplification provision of the Health Insurance
    Portability and Accountability Act and its implementing regulations (HIPAA), including the Security Standards for Protecting Electronic Protected Health Information (HIPAA Security Rule) and the Standards for Privacy of
    Individually Identifiable Health Information (Privacy Rule)


    -
    http://www.microsoft.com/sdl
    www.microsoft.com/sdl –
    your destination for SDL guidance, tools, and support


    http://www.microsoft.com/security/sdl/adopt/tools.aspx
    Microsoft SDL Tools

    Get to know the many free tools that will help you perform SDL security activities. Watch a short overview of the Microsoft SDL toolset (http://msevents.microsoft.com/CUI/VideoDisplay.aspx?EventId=1032519498) then learn how to use some of the tools included in the toolset with these short demos:


    -
    http://msevents.microsoft.com/CUI/VideoDisplay.aspx?EventId=1032516805
    SDL Threat Modeling Tool

    -
    http://msevents.microsoft.com/CUI/VideoDisplay.aspx?EventId=1032516370
    MSF-Agile+SDL Process Template for Visual Studio Team System

    -
    http://msevents.microsoft.com/CUI/VideoDisplay.aspx?EventId=1032519492
    Anti-Cross Site Scripting (XSS) Library

    -
    http://msevents.microsoft.com/CUI/VideoDisplay.aspx?EventId=1032515679
    SDL Process Template

    -
    http://msevents.microsoft.com/CUI/VideoDisplay.aspx?EventId=1032517608
    Banned.h Header File

    -
    http://msevents.microsoft.com/CUI/VideoDisplay.aspx?EventId=1032516191
    SDL Regex Fuzzer

    -
    http://msevents.microsoft.com/CUI/VideoDisplay.aspx?EventId=1032519469
    BinScope Binary Analyzer

    -
    http://msevents.microsoft.com/CUI/VideoDisplay.aspx?EventId=1032519337
    SiteLock ATL Template

    -
    http://msevents.microsoft.com/CUI/VideoDisplay.aspx?EventId=1032515811
    Code Analysis for C/C++

    -
    http://msevents.microsoft.com/CUI/VideoDisplay.aspx?EventId=1032519530
    FxCop Overview

    http://msdn.microsoft.com/magazine/dd347831.aspx
    Getting Started with the SDL Threat Modeling Tool

    Get step-by-step guidance on how to start the threat modeling process using
    the SDL Threat Modeling Tool, keep track of progress using the tool’s reporting features, and think about the threat modeling process overall.


    http://msdn.microsoft.com/magazine/dn169079.aspx
    Using the SDL for LOB Windows Store Apps

    Learn how to build security into your Windows Store app development project from the beginning by using the SDL to complete a risk assessment and define the security/privacy requirements for your app. Ready to build your app using SDL principles? Check out

    http://msdn.microsoft.com/magazine/dn237309.aspx
    Using the SDL for a LOB Windows 8 App, Part 2 for practical guidance on developing an attack surface analysis and an attack surface reduction, and performing a software architectural risk analysis (more commonly known at Microsoft as a threat model).

    http://blogs.msdn.com/b/bryang/archive/2011/04/26/applying-the-sdl-to-windows-azure.aspx

    Applying the SDL to Windows Azure

    Find guidance to help you better understand the role that the SDL plays in producing secure and high quality code as well as moving an application "to
    the cloud" in a secure manner.


    http://social.msdn.microsoft.com/Forums/en-US/home?forum=sdlprocess Microsoft SDL Forum

    Whether you are new to the SDL, or an experienced user, find support for
    common issues encountered when implementing the SDL or get help with a new issue from a community of secure development experts.




    This Month's Security Bulletins


    March 2014 Security Bulletins


    Critical

    -MS14-012:2925418 https://technet.microsoft.com/en-us/security/bulletin/MS14-012

    Cumulative Security Update for Internet Explorer

    -MS14-013:2929961 https://technet.microsoft.com/en-us/security/bulletin/MS14-013

    Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution



    Important

    -MS14-014:2932677 https://technet.microsoft.com/en-us/security/bulletin/MS14-014

    Vulnerability in Silverlight Could Allow Security Feature Bypass

    -MS14-015:2930275 https://technet.microsoft.com/en-us/security/bulletin/MS14-015

    Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege

    -MS14-016:2934418 https://technet.microsoft.com/en-us/security/bulletin/MS14-016

    Vulnerability in Security Account Manager Remote (SAMR) Protocol Could Allow Security Feature Bypass


    March 2014 Security Bulletin Resources:

    - http://blogs.technet.com/b/msrc/archive/2014/03/11/the-march-2014-security-updates.aspx


    Microsoft Security Response Center (MSRC) Blog Post

    -
    http://www.youtube.com/watch?v=jYyh1AtW4m4
    Security Bulletin Webcast

    -
    http://blogs.technet.com/b/msrc/p/march-2014-security-bulletin-q-a.aspx

    Security Bulletin Webcast Q&A



    Security Events and Training



    https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032510991
    MSDN Webcast: Microsoft SDL and Mobile Security (Level 300)

    Learn how to apply Microsoft SDL practices to mobile application development, specifically the requirements, design, and verification phases. Explore security requirements and approved tools as well as basic mobile threat modeling, secure coding practices, and penetration testing (pentesting) mobile applications for Android and iOS. The presentation also briefly outlines some defensive coding techniques to protect against the weaknesses that are caused by common development pitfalls.


    https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572978 Microsoft Webcast: Information about the April 2014 Security Bulletin Release Wednesday, April 9, 2014 – 11:00AM Pacific Time

    Join this webcast for a brief overview of the technical details of April’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.


    http://northamerica.msteched.com/
    TechEd North America 2014
    May 12-15, 2014 – Houston, Texas

    In 2014, Microsoft is bringing together the best of TechEd and the Microsoft Management Summit (MMS) to help skilled technology professionals increase their technical expertise, share best practices, and interact with Microsoft and a variety of industry experts and their peers. Explore the security aspects of data platforms and business intelligence, datacenter and infrastructure management, people-centric IT, Windows (devices and Windows Phone), and much more.

    http://northamerica.msteched.com/Register
    Register today .


    https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572979 Microsoft Webcast: Information about the May 2014 Security Bulletin Release Wednesday, May 14, 2014 – 11:00AM Pacific Time

    Join this webcast for a brief overview of the technical details of May 2014’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.






    Essential Tools


    -
    http://technet.microsoft.com/security/bulletin
    Microsoft Security Bulletins

    -
    http://technet.microsoft.com/security/advisory
    Microsoft Security Advisories

    -
    http://technet.microsoft.com/solutionaccelerators/cc835245.aspx
    Security Compliance Manager

    -
    http://www.microsoft.com/security/sdl/adopt/starterkit.aspx
    Microsoft Security Development Lifecycle Starter Kit

    -
    http://support.microsoft.com/kb/2458544
    Enhanced Mitigation Experience Toolkit

    -
    http://www.microsoft.com/security/pc-security/malware-removal.aspx
    Malicious Software Removal Tool

    -
    http://technet.microsoft.com/security/cc184924.aspx
    Microsoft Baseline Security Analyzer


    Security Centers


    -
    http://technet.microsoft.com/security
    Security TechCenter

    -
    http://msdn.microsoft.com/security
    Security Developer Center

    -
    http://www.microsoft.com/security/msrc/default.aspx
    Microsoft Security Response Center

    -
    http://www.microsoft.com/security/portal/
    Microsoft Malware Protection Center

    -
    http://www.microsoft.com/privacy
    Microsoft Privacy

    -
    http://support.microsoft.com/select/default.aspx?target=hub&c1=10750 Microsoft Security Product Solution Centers


    Additional Resources


    -
    http://www.microsoft.com/about/twc/en/us/blogs.aspx
    Trustworthy Computing Security and Privacy Blogs

    -
    http://www.microsoft.com/security/sir
    Microsoft Security Intelligence Report

    -
    http://www.microsoft.com/security/sdl
    Microsoft Security Development Lifecycle

    -
    http://technet.microsoft.com/library/cc162838.aspx
    Malware Response Guide

    -
    http://technet.microsoft.com/security/bb980617.aspx
    Security Troubleshooting and Support Resources

    -
    http://www.microsoft-careers.com/go/Trustworthy-Computing-Jobs/194701/ Trustworthy Computing Careers




    microsoft.com/about/twc
    Trustworthy Computing




    This is a monthly newsletter for IT professionals and
    developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.



    (c) 2014 Microsoft Corporation

    http://www.microsoft.com/About/Legal/EN/US/IntellectualProperty/Copyright/default.aspx
    Terms of Use |
    http://www.microsoft.com/About/Legal/EN/US/IntellectualProperty/Trademarks/EN-US.aspx
    Trademarks


    Microsoft respects your privacy. To learn more please read our online http://go.microsoft.com/fwlink/?LinkId=248681
    Privacy Statement .






    Microsoft Corporation

    One Microsoft Way

    Redmond, WA 98052 USA
    ---
    ■ Synchronet ■ Time Warp of the Future BBS - Home of League 10 IBBS Games