Microsoft said Tuesday that its investigation has turned up no evidence that anything in its November security updates should be causing users to encounter a so-called "black screen of death."
"Microsoft has investigated reports that its November security updates made changes to permissions in the registry that that are resulting in system issues for some customers," Microsoft security response communications lead Christopher Budd said in a statement. "The company has found those reports to be inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports."
Microsoft said it was not contacted by British security firm Prevx before that company went public with its claims. Microsoft said it has reached out to them to let them know the results of its investigation.
The company said on Monday that it would look into the matter, but issued an update later in the day saying it could not verify any issues.
"Our support organization is also not seeing this as an issue," Budd said on Tuesday. "The claims also do not match any known issues that have been documented in the security bulletins or (knowledge base) articles.
Update, 3:15 p.m. PT: Prevx posted an updated blog saying that it has done additional testing.
"Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches," the comapny said. "Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor."
The company also offered up a mea culpa to Redmond and said it also recommends users keep patching their systems promptly. "We apologize to Microsoft for any inconvenience our blog may have caused."
Microsoft 's new Security Essentials software has passed at least one exam so far--a review by security testing firm AV-Test.org.
Using the latest version and definition updates of Microsoft Security Essentials (MSSE) downloaded from the Web, AV-Test ran the product through a series of tests on Sept. 29 and 30 to judge its effectiveness at fighting malware.
(Credit:
AV-Test.org)
To check static known malware, AV-Test pitted Security Essentials against the most recent WildList, a sampling of 3,732 viruses and other threats compiled by the WildList Organization. Microsoft's product successfully detected and blocked all of the samples in both manual and active scanning.
AV-Test also threw its current set of 545,034 viruses, worms, Trojans, and other threats at Security Essentials. MSSE successfully caught 536,535 samples for an overall good detection score of 98.44 percent.
In AV-Test's battle against adware and spyware, Security Essentials stopped 12,935 out of 14,222 samples, earning a detection grade of 90.95 percent. No false positives came up in a scan of over 600,000 clean files from Windows, MS Office, and other commonly used programs.
To check dynamic malware, which is based on its behavior rather than static lists, AV-Test found that MSSE had no "dynamic detection" in place as the software failed to find any of the recently released malware used in the test. AV-Test noted that other standalone antivirus products don't include behavior-based detection either, although that feature is typically found in full security suites.
MSSE also found and eliminated all 25 rootkits that AV-Test threw at it.
Security Essentials did only a fair job of cleaning up infections. Facing 25 different malware samples, the product removed all active components as part of its repair process. But in many cases, some remnants of the malware were left behind, as inactive executable files or empty Registry keys.
Finally, AV-Test found that the speed of Security Essentials scanning was about average compared with that of other security products.
AV-Test's review of Security Essentials was run on Windows XP with SP3, Windows Vista with SP2, and Windows 7 RTM, both the U.S. English and German 32-bit editions. A series of papers on the methodology used by AV-Test in its testing process are at the company's Web site.
CNET's Seth Rosenblatt also looked at Security Essentials this week, while CNET News reporter Ina Fried has said the beta version of the product recently saved her from a Koobface attack.
Microsoft has released version 1.0 of Security Essentials, the successor to Live OneCare. Originally known as Morro, Security Essentials retains the core features of OneCare, but abandons the additional heft of a firewall, performance tuning, and backup and restore options in exchange for making the program free. Rather than taking aim at full-featured security suites made by Symantec or Eset, the features available in Security Essentials indicate that Microsoft is aiming to compete with basic-but-free security apps.
For the select 75,000 public beta testers who got their hands on the program when the limited public beta was offered in June, there will be few appreciable differences between the beta and the final version. For the rest of the planet, Security Essentials features key defenses that are boilerplate for any respectable security program.
Features
It uses both definition file and real-time defenses against viruses and spyware, and also offers rootkit protection. The program's reputation-based detection and software signature-based detection seem to rely heavily on Microsoft SpyNet, the unfortunately named cloud-based service that compares file behavior across computers running various Microsoft operating systems.
The official version 1.0 of Microsoft Security Essentials looks identical to the popular limited beta version from June 2009.
(Credit: Screenshot by Seth Rosenblatt/CNET)SpyNet was introduced in Windows Vista and extended to Windows 7, but Microsoft Security Essentials is the only way to access the network on Windows XP. Unlike other security vendors that allow customers to take advantage of the benefits of their behavioral detection engines while opting out of submitting information, there's no way to do that with SpyNet.
You can choose between two SpyNet memberships. Basic submits to Microsoft the detected software's origins, your response to it, and whether that action was successful, while the Advanced membership submits all that plus the location on your hard drive of the software in question, how it operates, and how it has impacted your computer. Both basic and advanced warn users that personal data might be "accidentally" sent to Microsoft, although they promise to neither identify nor contact you. Opting out of SpyNet, however, is not an option in Security Essentials.
Security Essentials benefits greatly from having a simple, streamlined interface. There are four tabs, each with a concise and understandable label: Home, Update, History, and Settings. The program also uses easy-to-grasp labels, imported from OneCare: green for all good, yellow for warning, and red for an at-risk situation.
From the Home window, you can run a Quick Scan, Full Scan, or Custom Scan, and a link at the bottom of the pane lets you change the scheduled scan. The Custom Scan lets users select specific folders or drives to scan, but it doesn't allow for customizing the type of scan used. For example, you're not going to be able to choose to scan only for rootkits or heuristics, as you can with other security programs. The program installs a context-menu option for on-the-fly scanning in Windows Explorer, too.
The Update pane manages the definition file updates, with a large action button, and History provides access to a spreadsheet-style list of All detection items, your Quarantine, and items you've Allowed to run. Although it's a basic layout, this no-frills approach to security could prove appealing to computer users who are overwhelmed by more detailed security choices.
Users can choose between two options for SpyNet, but no way to not contribute to it.
(Credit: Screenshot by Seth Rosenblatt/CNET)The Settings window allows users to further customize the program by scheduling scans, toggling default actions to take against threats, adjusting real-time protection settings, creating whitelists of excluded files, file types, and processes, and the aforementioned SpyNet options. There's also an Advanced option which is still fairly basic: here you can set Security Essentials to scan archives, removable drives, create a system restore point, or allow all users to view the History tab.
Security Essentials comes pre-configured to run a scan weekly at two in the morning, when your Microsoft thinks your system is likely to be idle. New malware signatures are downloaded once per day by default, although you can manually instigate a definition file update through the update tab. Attachments and downloaded files will be automatically scanned by Security Essentials.
Help is only available in the form of the standard offline Help manual that comes with all Microsoft programs. There's nothing fancy here.
Performance
I found that it installed in less than one minute, and completed its first Quick Scan in less than 30 seconds. The Full Scan took more than an hour to reach the halfway point, and this was borne out by tests performed by CNET Labs' benchmarks. Microsoft Security Essentials actually sped up the boot time of our test computer by more than two seconds, and it sped up the shut-down time by more than two and a half seconds. However, compared to major security vendors it was significantly slower at scanning--Security Essentials took 2,340 seconds to scan, whereas most scans would clock in between 1,000 and 1,100 seconds.
The program comes with a few options for customization, but not many.
(Credit: Screenshot by Seth Rosenblatt/CNET)In our iTunes decoding test it scored similarly to its competition, about 7 seconds slower than an unsecured computer. In our MS Office test and media multitasking tests it was faster than some--503 seconds versus 552 seconds for Norton AntiVirus 2010 in the Office test, and 844 seconds versus 876 seconds for Trend Micro Internet Security Pro in the media test.
While running the Full Scan, I noticed that it took up about 86 MB of RAM. However, it felt far lighter, and I was able to perform resource-intensive tasks like uploading photos without any noticeable freezes.
Third-party virus detection efficacy scores were not available at the time of writing, and it's not currently clear whether Security Essentials shares the same detection engine as Live OneCare. However, CNET reporter Ina Fried mentioned that Security Essentials stopped her from accidentally coming down with a case of Koobface.
Conclusion
Microsoft Security Essentials is a lightweight security app that people might turn to for a number of key reasons. It's easy on the system resources, it's easy to figure out how to use, and it comes pre-configured. It only works on legally licensed Microsoft computers, which is understandable but potentially leaves a large segment of the unprotected population still unprotected. You can't opt out of contributing to SpyNet, which isn't understandable at all. Overall, it's recommended for those who want something to set and ignore, but users who want more robust configuration choices or don't want to contribute to the cloud should look elsewhere.
Microsoft plans to release the final version of its free antivirus software soon, according to a note sent to testers late Sunday.
"The final version of Microsoft Security Essentials will be released to the public in the coming weeks," Microsoft said in the note.
(Credit:
CNET News)
Microsoft first announced its plans for the product, then code-named Morro, last November, at the same time the company said it was scrapping its paid Windows Live OneCare product.
Public beta testing of Security Essentials started in June, with Microsoft reaching its goal of 75,000 testers just one day after it issued a call for them.
On a personal note, I've been using the product on several machines since June, and I like the way--unlike other antivirus programs--it doesn't make a spectacle of itself, just quietly doing its thing. I often forget it is running on a machine, yet it did save my bacon a couple weeks back when I almost caught Koobface from a friend on Facebook.
Microsoft issued a formal security advisory late Tuesday on a reported zero-day flaw in Windows Vista and Windows Server 2008. However, the software maker also said that the flaw does not affect the final version of Windows 7, contrary to earlier reports.
"Microsoft is investigating new public reports of a possible vulnerability in Microsoft Server Message Block (SMB) implementation," Microsoft said in the advisory. "We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time."
The flaw could allow an attacker to gain control of a system, although Microsoft said that "most attempts to exploit this vulnerability will cause an affected system to stop responding and restart."
The software maker said it is working with security software partners to provide information that can be used to create protections. Once its investigation is wrapped up, Microsoft said it will take action, which could include releasing a patch during its next monthly cycle or doing an "out-of-band" release, if necessary. Tuesday was Microsoft's monthly release for patches, which included five critical Windows updates addressing eight vulnerabilities.
The software maker said the latest issue affects the "release candidate" version of Windows 7, but not the final version that was completed in July. Also, the recently completed Windows Server 2008 R2 is not vulnerable, Microsoft said, nor are the earlier Windows XP and Windows 2000 operating systems.
Microsoft is already dealing with a separate, still unpatched flaw reported last week. Attacks have already been seen based on that vulnerability. Microsoft has taken issue with the fact that that flaw, like the latest one, was reported publicly as opposed to being privately disclosed to Microsoft, giving the company time to patch it.
Microsoft on Tuesday issued five critical Windows-related updates as part of its monthly Patch Tuesday release.
While the issues affect different versions of Windows differently, Microsoft said none of the issues apply to the final version of Windows 7, which Microsoft wrapped up in July.
The five bulletins address eight vulnerabilities. According to Symantec Security Response research manager Ben Greenbaum, the two vulnerabilities most likely to be used by attackers involve the way Windows handles ASF and MP3 media files. "We've seen similar exploits in the past and all a user would have to do is visit a compromised Web site hosting one of these malicious files, which could be an MP3, WMA or WMV file, and they could become infected."
McAfee Avert Labs director Dave Marcus said that two of the flaws, in particular, relate to serious security vulnerabilities in the networking components of Window Vista, Windows Server 2008 and Windows Server 2003 that could allow for malicious software to spread from one PC to another.
"These vulnerabilities are the most likely to be exploited by malicious code and are two of the best worm candidates that we've seen since Conficker," Marcus said in a statement. "That said, all of today's security bulletins address vulnerabilities that could allow an attacker to take complete control of a vulnerable PC."
In addition, Microsoft said it is re-releasing a bulletin from last month to address an additional control found to be vulnerable to an issue with the Microsoft Active Template Library.
Greenbaum noted that Microsoft has yet to issue a patch for a zero-day flaw in Internet Information Services that was made public last week. "Until a patch for this is issued, as a temporary workaround we suggest IT administrators using IIS 5.0 and 6.0 turn off anonymous write access immediately," Greenbaum said. "We also recommend using a firewall and restricting access to creating directories. Those using IIS 7.0 with FTP Service version 6.0 installed should upgrade to FTP Service version 7.5."
There are already some attacks being seen based on that flaw.
"While the company will not release an update this month, it will do so once it has reached an appropriate level of quality for broad distribution," Microsoft said.
Meanwhile, Microsoft said Tuesday that it is investigating another zero-day issue, this one a reported flaw in Windows Vista and Windows 7.
As for the patches Microsoft did release on Tuesday, Qualys CTO Wolfgang Kandek noted that some of the bulletins are interesting in that they either affect only newer operating systems or are more critical on later versions--the reverse of what is normally the case. Overall, he said, five Windows patches should keep IT workers busy.
"Due to the criticality of the patches and wide coverage of the operating system, this will be a busy day for IT administrators," Qualys CTO Wolfgang Kandek said in an e-mail.
Microsoft on Monday said it is looking into a report of a flaw in some versions of its Internet Information Services product that could allow an attacker to gain control of a system.
In a statement, a Microsoft representative said the company "is investigating new public claims of a possible vulnerability in IIS 5 and IIS 6 File Transfer Protocol (FTP)."
Microsoft said it is not aware of any attacks using the vulnerability. "We will take steps to determine how customers can protect themselves, should we confirm the vulnerability."
According to IDG News Service, code for exploiting the unpatched flaw was posted to the Milw0rm Web site. IDG said the exploit appears to affect primarily older versions of IIS--and only when the FTP function is enabled.
Once it is done with its investigation, Microsoft said, it will decide how to address the matter, which could include a security update as part of its monthly Patch Tuesday or an out-of-cycle update.
In a posting on Monday, the U.S. Computer Emergency Readiness Team (US-CERT) suggested IT administrators "disable anonymous write access to the FTP server to help mitigate the vulnerability" but added that "a proper impact analysis should be performed prior to taking defensive measures."
Microsoft on Tuesday released nine patches, five of them critical, to plug holes in Windows and other software products.
The nine patches actually relate to 19 separate vulnerabilities in Windows, the .Net Framework, Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server, Microsoft BizTalk Server, and Remote Desktop Client for Mac.
Among the issues addressed is one that Microsoft warned about last month--a vulnerability related to the Office Web Components that help users put spreadsheets, charts, and other documents onto the Web. At the time, Microsoft said it was already seeing attacks based on the flaw, which affects Office XP, Office 2003, Internet Security and Acceleration Server 2004 and 2006, as well as Office Small Business Accounting 2006.
More information on that issue and the others addressed with this month's patches is available in a bulletin on Microsoft's Web site.
As is its practice, Microsoft said last week that the patches were coming.
Symantec senior research manager Ben Greenbaum noted that many of the vulnerabilites this month related to so-called ActiveX controls and added that many of the holes could be exploited just by getting a user to visit a Web page that has malicious code.
"All of the ActiveX issues patched this month could be easily exploited and can impact even the average computer user," Greenbaum said in an e-mail. "For example, any user who has Microsoft Office on their machine could be vulnerable to the Microsoft Office Web Components vulnerabilities. Similarly, every user with Windows XP SP3 or Vista could also be susceptible to one of the Remote Desktop Connection issues."
Actually, not all versions of Office are affected, as the Web components issue does not affect the latest version--Office 2007. For a list of Office programs affected, see this security bulletin.
In any case, McAfee and Lumension both noted that it continues to be a long, hard summer for IT professionals who have had to deal with a large number of regular patches and some unscheduled ones as well from Microsoft and others.
"There's no break from patching this summer," McAfee Avert Labs' Dave Marcus said in a statement. "Microsoft is playing catchup with these patches as cybercriminals have already used some of the serious vulnerabilities to commandeer vulnerable Windows computers."
Lumension analyst Paul Henry said there had been some fear that the patches would go further, addressing some kernel-level issues. But even still, he said the latest crop of patches will bring their fair share of headaches.
"After a summer of heavier-than-normal Patch Tuesdays, the last thing IT workers need is yet another large batch of patches from Microsoft," Henry said in a statement. "Unfortunately, that is exactly what we got today as Microsoft released a total of nine security updates, five of which are critical and seven of which require disruptive restarts."
Microsoft released an emergency patch on Tuesday to protect Internet Explorer users from a hole in technology used to build ActiveX controls and other Web application components that has been targeted in attacks.
A critical patch for all versions of IE will protect consumers, while a security update for Visual Studio will help developers fix the controls and components they built that could be affected.
Microsoft also has had discussions with Adobe, Sun, and Google about some components involving their software that are affected, said Mike Reavey, director of the Microsoft Security Response Center. He declined to elaborate.
Internet Explorer users running Flash Player and Shockwave Player are vulnerable, Adobe said in a blog post that contains links to the Adobe security bulletins for those products.
A Google representative said the company has been working with Microsoft on the issues but declined to comment further. And a Sun representative did not respond to a call seeking comment.
Cisco will release free software updates for any of its software that is affected by the vulnerability and is making available workarounds that mitigate the issue, the company said in a detailed advisory.
The company released two security updates that deal with a vulnerability in Microsoft's Active Template Library, which is used to build components for Web applications and which could be targeted to take control of computers of Web surfers visiting sites hosting malicious code.
The critical update, MS-09034, is targeted at IE users and the other, MS-09035, is targeted at Visual Studio developers and is rated moderate. It affects Visual Studio 2005 and 2008.
"A library can get used in a lot of places, and vulnerabilities in libraries are challenging," Reavey said. "It's an industry-wide problem when (vulnerabilities) do happen."
"The vulnerability is in the controls, not IE, however to provide protections while developers update the controls, IE (versions that are patched will block attacks)," he said.
The company warned on Friday that a security update would come on Tuesday instead of waiting for the next Patch Tuesday cycle on August 11. This is only the ninth out-of-band release Microsoft has had, according to Reavey.
Microsoft first warned about the ActiveX issue on July 6, saying a vulnerability in its Video ActiveX Control could allow an attacker to take control of a PC if the user visits a malicious Web site and attackers were exploiting the hole. The company offered a workaround for the issue.
During the July Patch Tuesday release the following week, Microsoft still did not have a patch ready and was recommending a manual "kill bit" method to disable ActiveX, or sending customers to a "Fix it for me" Web site.
However, researchers figured out a way to get around the kill bit protection mechanism, thus rendering it ineffective and exposing the system to attack, said Eric Schultze, chief technology officer at Shavlik Technologies.
"Some security researchers found that they were able to bypass the kill bit function and still execute certain controls," he said in a statement on Tuesday. "A presentation on how this is done is slated for tomorrow afternoon at the Black Hat Conference" in Las Vegas.
"We were aware of limited attacks on the Microsoft kill bit control where the underlying issue was this vulnerability. As a result of those attacks we released the bulletin to protect customers...but that created chatter," Reavey said. "We saw more details released and we had these updates ready so we released them now instead of waiting for (attacks) to get worse."
The IE patch also resolves three privately reported vulnerabilities that could allow remote code execution if a user views a specially crafted Web page using the browser.
Tyler Reguly, senior security researcher for nCircle, criticized Microsoft for not fixing the underlying issue with a proper patch and said the update could put other software vendors at risk. "Although Microsoft has protected against the kill bit bypass and has patched the public ATL vulnerabilities, there has been no mention or reference to fixing the issue in msvidctl.dll itself," he wrote in a statement. "One has to question what the release of the ATL patch means for other software vendors," he added. "We also have to wonder if they are now more vulnerable than they were previously. They now have to obtain this patch and recompile and release their tools. This means until that process can occur, malicious individuals can reverse the patches to pinpoint each of the vulnerabilities and target third-party software. It's a race to see who will get there first, and the vendors didn't get a head start."
In response, a Microsoft representative provided this comment: "As part of our overall response to the ATL issue, we are continuing our investigation for Microsoft components and controls that may be affected by the ATL issue and will update customers as appropriate throughout the process." More information about the vulnerabilities and fixes is in this advisory. Microsoft also scheduled a Webcast at 1 p.m. PDT on Tuesday to answer customer questions.
Updated at 5:53 p.m. PDT with Adobe and Cisco information, Microsoft response to nCircle; and at 11:52 a.m. and 1:20 p.m. with reaction, more background, and a comment from Google.
One year after launching three security programs designed to improve security industry-wide, Microsoft is finding that more security patches are beating exploits out the door.
Meanwhile, the Microsoft Security Response Center said that of the 50 security bulletins it published from October 2008 to June 2009, patches were released in response to 138 vulnerabilities. Of those, 17 had public exploit code available at the time of the release, and for 67, consistent exploit code was likely to be written, according to the software giant.
In the 50 security bulletins published from October 2008 to June 2009, Microsoft released security updates in response to 138 vulnerabilities; these updates resulted in 140 Exploitability Index ratings.
(Credit: Microsoft)The news comes after Microsoft announced on Friday that it would be releasing security updates on Tuesday--outside of its monthly patch cycle--for a critical vulnerability in Internet Explorer and a moderate vulnerability in Visual Studio.
Meanwhile, Microsoft has yet to plug a critical ActiveX hole in Office that it warned two weeks ago attackers were exploiting to take control of PCs by luring Internet Explorer users to malicious Web sites. It was the third zero-day hole announced by Microsoft in less than two months.
In August 2008, the Microsoft Security Response Center announced three security programs to help improve security for customers, partners, and others. The company issued a progress report on Monday in advance of the Black Hat security conferences set to begin on Tuesday in Las Vegas.
Through its Microsoft Active Protections Program (MAPP), Microsoft supplies vulnerability information to 45 partners prior to the monthly Microsoft Patch Tuesday security updates. MAPP partner and network security provider Sourcefire issues protections based on the information for about 95 percent of the monthly Microsoft security bulletins.
Before MAPP, it took about eight hours to reverse-engineer, develop proof-of-concept code, and build the exploit detection for a vulnerability, which is about the time it takes for a savvy attacker to generate exploit code after a vulnerability has been disclosed, Microsoft said.
Now, it takes only about two hours, according to Sourcefire. Sourcefire developers only have to write the detection code because Microsoft provides the rest, meaning that patches are typically released hours ahead of any exploits, Microsoft said.
In estimating how exploitable vulnerabilities are, Microsoft said it has had a 99 percent reliability rate. Of 140 ratings in the Microsoft Exploitability Index, also released last year, there has only been one revision that dropped the severity of the vulnerability, the company said.
For the third program, Microsoft Vulnerability Research (MSVR), Microsoft researchers work to find holes in third-party software. From June 2008 until June 2009 the MSVR team identified software vulnerabilities affecting 32 vendors, Microsoft said.
Of the holes found in the outside software, 86 percent were critical or important and 13 percent have been fixed, while 5 percent are in the process of being resolved, according to Microsoft. The MSVR team and Microsoft security researcher Billy Rios were credited with finding holes recently fixed in the Apple Safari browser.
"We're seeing attacks get more complex," said Mike Reavey, director of the Microsoft Security Response Center. "There's a race between attackers and defenders and collaboration is needed in the industry."
Microsoft is unveiling this week Microsoft Office Visualization Tool, which offers a graphical view of Office binary file formats so programmers can better see where vulnerabilities and malware might be embedded within an Office document.
Microsoft also is announcing Project Quant, an online spreadsheet tool designed to help IT administrators estimate the costs associated with software update management.
