• Microsoft Security Newsletter - May 2014

    From Lord Time@TIME to All on Thu May 29 14:57:53 2014
    Microsoft Security Newsletter - May 2014



    Trustworthy Computing | May 2014
    Microsoft Security Newsletter



    Welcome to May’s Security Newsletter!

    Our newsletter this month focuses on threat intelligence and security guidance for enterprise organizations. Earlier this month, Microsoft released its biannual cybersecurity report, the Microsoft Security Intelligence Report (http://www.microsoft.com/sir). One of the noteworthy items to come out of the report was the threefold increase in deception tactics used to compromise systems worldwide, which is now the top threat facing enterprise environments worldwide. Taking advantage of people’s desire to get a good deal, cybercriminals are bundling malware with free programs or software downloaded online.



    One of the most common pieces of deceptive download bundles contained malicious software that quietly abused the victim’s computer by performing clickfraud. Clickfraud makes cybercriminals money by pretending to be a person clicking on ads from your computer or by redirecting your search results.



    Deceptive downloads are a problem that is global in scope. In fact, deceptive downloads were one of the top threats in 105 out of 110 countries/regions studied worldwide. In the second half of 2013, programs known to use deceptive downloads were encountered by more than 60 out of every 1,000 systems worldwide. The good news is that there are some best practices people can take to help protect against deceptive tactics:


    - Use newer software that provides enhanced protections.
    - Keep all of the software installed on your system up-to-date. This includes software from Microsoft, Adobe, Oracle, and others.
    - When downloading files or software online, make sure that you are doing so from a trusted vendor.
    - Run up-to-date antimalware.
    - Think before you click: don’t click on links or open attachments from untrusted sources.
    - Back up your files.



    Of course, these are just a few of the many key learnings from the latest. For more information on threat intelligence for your country/region, I encourage you to visit http://www.microsoft.com/sir.



    Best regards,

    Tim Rains, Director

    Microsoft Trustworthy Computing



    Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.



    Top Stories


    http://blogs.technet.com/b/trustworthycomputing/archive/2014/05/22/protecting-data-and-privacy-in-the-cloud.aspx
    Protecting Data and Privacy in the Cloud

    Learn how a privacy-inclusive approach to engineering informs how Microsoft designs, creates, and operates services by downloading the new white paper entitled Protecting Data and Privacy in the Cloud (http://download.microsoft.com/download/2/0/A/20A1529E-65CB-4266-8651-1B57B0E42DAA/Protecting-Data-and-Privacy-in-the-Cloud.pdf). The paper outlines Microsoft’s approach and processes for helping to ensure that customer data in enterprise services like Windows Azure, Office 365, Dynamics CRM Online, and Windows Intune remains private.


    http://www.microsoft.com/en-us/download/details.aspx?id=26828
    Toward a Trusted Supply Chain: A Risk Based Approach to Managing Software Integrity

    Explore a simple framework for the pragmatic inclusion of software integrity risk management practices in the product development process and online services operations.


    http://www.microsoft.com/en-us/download/details.aspx?id=3251
    Critical Infrastructure Protection Concepts and Continuum

    Find out how trustworthy policies and plans, resilient operations, and innovative investments—enabled by trusted collaboration—form a continuum for protecting critical infrastructure.


    http://www.microsoft.com/en-us/download/details.aspx?id=42677
    Security Trends in Retail Organizations

    Download a new report that identifies security trends in retail organizations and outlines key findings and recommendations around cloud computing and safe, secure practices.




    Security Guidance



    http://technet.microsoft.com/en-us/security/dn727114
    Security Tip of the Month: Mitigate the Risk of Deceptive Downloads

    Cybercriminals are perpetually trying different techniques to distribute malware and potentially unwanted software. One technique we are increasingly seeing at the Microsoft Malware Protection Center is the use of legitimate or "clean" software to deliver malicious payloads. In fact, this deceptive download tactic was one of the main drivers for an increase in malware encounter rates in the last half of 2013. The latest Microsoft Security Intelligence Report indicates that the primary culprit was Win32/Sefnit, a Trojan family that affected worldwide malware encounter rates after its malicious files were bundled with clean software downloads.



    Recently, we have seen a new twist on this deceptive tactic: previously clean applications that suddenly change their behavior and start installing malware or adware. This infection vector poses new security considerations because files that were previously determined as clean can change their behavior without warning and deliver malicious content or steal confidential information.



    There are any number of reasons why clean software makes this switch to malicious behavior, but some of the more common include:


    - The software’s control/update servers are hacked (for example, by a brute force attack against weak passwords, through the use of stolen credentials, by the actions of a rogue employee, or through other vulnerabilities).
    - The software is purchased for the purpose of delivering malicious content.
    - The software’s command and control server domains expire and are then registered by other parties.


    The Filcout deception


    This switch from clean to malicious behavior was first encountered in some third-party browser extensions early last year. In this case, certain popular extensions were purchased and ownership was transferred. The new extension owner would push out an update to change the functionality of the extension, thus forcing it to render advertisements or spy on the user’s browsing activities.



    More recently we have seen other software exhibiting a similar behavior. The most notable case is the addition of a new layer of deception to Sefnit with the use of the previously clean application that we detect as Win32/Filcout. Filcout is our detection for malicious software that claims to find the right program to run an unknown file type. Initially this program showed no signs of malicious behavior and gained a large installation base. At this stage, the application appeared innocuous from an enterprise security perspective.



    However, in late March 2014, its behavior changed without warning. The software’s update mechanisms began responding with instructions to install Sefnit. Sefnit detections grew from 20,000 unique computer detections per day, to more than 900,000 within a two-week period as its malicious files were installed on millions of computers across the globe.



    Microsoft Security Software detects and removes Sefnit, and once the connection to Filcout was identified we began detecting and removing the application. These detections were updated for all computers protected with our real-time security products and the stand-alone Malicious Software Removal tool (MSRT). To date the MSRT has removed Filcout from more than 9.4 million computers.



    Mitigating the risk


    As seen in the Filcout case, behavior changes from previously clean applications can have the potential to affect the security and confidentiality of enterprise systems. The potential risk also raises several considerations when assessing software for internal use – including the reputation of the publisher.



    One of the best ways to help protect against this type of malware delivery is to take the stance that a breach might be unavoidable.



    It is also advisable to record and store full packet captures according to a retention policy. Aggregated network captures should be stored for a longer duration. Together, this data is important in breach response to identify the infected computers and stolen data, and it may be used to detect future breaches by running new NIDS signatures against historical data.



    Preventing the risk of a breach in the first place is still very important, and there are several recommendations that can help protect enterprise systems from attacks such as this:


    - For the major browsers, use the application-policy settings to implement an extension whitelist. This can prevent extensions from being installed into browsers unless they are on an approved list.
    - Implement a software installation policy. This policy should include a process where employees must request approval before using software on the corporate network. The approval process should evaluate the request from a security and a legal perspective.
    - Include employee computer security training in the employee onboarding program, and refresh it on a set timeframe.
    - Monitor and enforce corporate policy compliance.
    - Run up-to-date, real-time security software to help detect and remove malware and potentially unwanted software.
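
    The historical-data check described under "Mitigating the risk" (running a new signature against stored network records to identify infected computers), as an added example that is not part of the original newsletter. The log lines, addresses, domains and signature date are constructed placeholders, and simple domain matching stands in for a full NIDS signature.

```python
import csv
import io
from datetime import datetime

# Constructed sample of stored network metadata: timestamp, source host, domain.
# Every address and domain below is a placeholder, not a real indicator.
HISTORICAL_LOG = """\
2014-03-10T09:12:44,10.0.4.17,update.filetool.example
2014-03-10T09:13:02,10.0.4.22,intranet.corp.example
2014-03-27T14:01:25,10.0.4.17,payload.badcdn.example
2014-03-28T08:45:10,10.0.4.31,PAYLOAD.badcdn.example.
2014-03-29T11:30:00,10.0.4.17,payload.badcdn.example
2014-03-29T11:31:07,10.0.4.22,notbadcdn.example
"""

# Hypothetical indicator set written after the behaviour change was discovered.
NEW_SIGNATURE = {"badcdn.example"}


def matches(domain, indicators):
    """True if domain is an indicator or a subdomain of one (label-aligned)."""
    d = domain.strip().lower().rstrip(".")  # fold case, drop the root dot
    return any(d == i or d.endswith("." + i) for i in indicators)


def retro_hunt(log_text, indicators):
    """Return {host: (first_seen, last_seen, hit_count)} for matching records."""
    hits = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 3:  # skip blank or malformed records
            continue
        ts, host, domain = row
        if matches(domain, indicators):
            when = datetime.fromisoformat(ts)
            first, last, count = hits.get(host, (when, when, 0))
            hits[host] = (min(first, when), max(last, when), count + 1)
    return hits


def missed_before(hits, released):
    """Hosts whose first match predates the signature, so live detection missed it."""
    return sorted(h for h, (first, _, _) in hits.items() if first < released)


if __name__ == "__main__":
    found = retro_hunt(HISTORICAL_LOG, NEW_SIGNATURE)
    for host, (first, last, count) in sorted(found.items()):
        print(f"{host} first={first} last={last} hits={count}")
    print("predate signature:", missed_before(found, datetime(2014, 3, 28)))
```

    The first-seen time per host bounds how far back breach response has to look, which is why the retention period for this data matters.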


    http://technet.microsoft.com/library/dn736041.aspx
    Windows RT 8.1 in the Enterprise: Security

    Learn how to leverage the security technologies in Windows RT 8.1, to help ensure that the devices are protected from the first time they are turned on. Explore how best to utilize smart cards, device encryption, BitLocker To Go, SmartScreen, Windows Defender, Windows Firewall, Network Access Protection and more.


    http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx
    Load Libraries Safely

    Dynamically loading libraries in an application can lead to vulnerabilities if not secured properly. Get advice from the MSRC Engineering team on how to load a library using LoadLibraryEx() API and make use of options to make it safe.




    This Month's Security Bulletins


    May 2014 Security Bulletins


    Critical

    - MS14-021:2965111
      https://technet.microsoft.com/library/security/ms14-021
      Security Update for Internet Explorer

    - MS14-022:2952166
      https://technet.microsoft.com/library/security/ms14-022
      Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution

    - MS14-029:2962482
      https://technet.microsoft.com/library/security/ms14-029
      Security Update for Internet Explorer


    Important

    - MS14-023:2961037
      https://technet.microsoft.com/library/security/ms14-023
      Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

    - MS14-024:2961033
      https://technet.microsoft.com/library/security/ms14-024
      Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass

    - MS14-025:2962486
      https://technet.microsoft.com/library/security/ms14-025
      Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege

    - MS14-026:2958732
      https://technet.microsoft.com/library/security/ms14-026
      Vulnerability in .NET Framework Could Allow Elevation of Privilege

    - MS14-027:2962488
      https://technet.microsoft.com/library/security/ms14-027
      Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege

    - MS14-028:2962485
      https://technet.microsoft.com/library/security/ms14-028
      Vulnerability in iSCSI Could Allow Denial of Service


    May 2014 Security Bulletin Resources:

    - http://blogs.technet.com/b/msrc/archive/2014/05/13/the-may-2014-security-updates.aspx
      Microsoft Security Response Center (MSRC) Blog Post

    - http://www.youtube.com/watch?v=LKBwbueqBKM
      Security Bulletin Webcast

    - http://blogs.technet.com/b/msrc/p/may-2014-security-bulletin-q-a.aspx
      Security Bulletin Webcast Q&A



    Security Events and Training



    https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032587832
    BYOD: Leverage Existing Infrastructure to Secure and Manage PCs and Devices
    Thursday, June 5, 2014 – 12:00PM Pacific Time

    Learn how to manage all your PCs and devices in a unified environment that gives you the ability to ensure that end users have the applications they need on the devices of their choice when they need them—while also enabling you to classify and further protect your data to meet compliance and security requirements.


    https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572980
    Microsoft Webcast: Information about the June 2014 Security Bulletin Release
    Wednesday, June 11, 2014 – 11:00AM Pacific Time

    Join this webcast for a brief overview of the technical details of June 2014’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.






    Essential Tools


    - http://technet.microsoft.com/security/bulletin
      Microsoft Security Bulletins

    - http://technet.microsoft.com/security/advisory
      Microsoft Security Advisories

    - http://technet.microsoft.com/solutionaccelerators/cc835245.aspx
      Security Compliance Manager

    - http://www.microsoft.com/security/sdl/adopt/starterkit.aspx
      Microsoft Security Development Lifecycle Starter Kit

    - http://support.microsoft.com/kb/2458544
      Enhanced Mitigation Experience Toolkit

    - http://www.microsoft.com/security/pc-security/malware-removal.aspx
      Malicious Software Removal Tool

    - http://technet.microsoft.com/security/cc184924.aspx
      Microsoft Baseline Security Analyzer


    Security Centers


    - http://technet.microsoft.com/security
      Security TechCenter

    - http://msdn.microsoft.com/security
      Security Developer Center

    - http://www.microsoft.com/security/msrc/default.aspx
      Microsoft Security Response Center

    - http://www.microsoft.com/security/portal/
      Microsoft Malware Protection Center

    - http://www.microsoft.com/privacy
      Microsoft Privacy

    - http://support.microsoft.com/select/default.aspx?target=hub&c1=10750
      Microsoft Security Product Solution Centers


    Additional Resources


    - http://www.microsoft.com/about/twc/en/us/blogs.aspx
      Trustworthy Computing Security and Privacy Blogs

    - http://www.microsoft.com/security/sir
      Microsoft Security Intelligence Report

    - http://www.microsoft.com/security/sdl
      Microsoft Security Development Lifecycle

    - http://technet.microsoft.com/library/cc162838.aspx
      Malware Response Guide

    - http://technet.microsoft.com/security/bb980617.aspx
      Security Troubleshooting and Support Resources

    - http://www.microsoft-careers.com/go/Trustworthy-Computing-Jobs/194701/
      Trustworthy Computing Careers








    This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.



    (c) 2014 Microsoft Corporation



    Microsoft Corporation

    One Microsoft Way

    Redmond, WA 98052 USA
    ---
    ■ Synchronet ■ Time Warp of the Future BBS - Home of League 10 IBBS Games