Microsoft Security Response Center Blog Alerts
This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, CVE-2019-10149, in Linux Exim email servers running Exim version 4.87 to 4.91. Azure customers running VMs with Exim 4.92 are not affected by this vulnerability.
Azure has controls in place to help limit the spread of this worm from work we’ve already done to combat SPAM, but customers using the vulnerable software would still be susceptible to infection.
Customers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs. As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim.
Network Security Groups (NSGs) offer a partial mitigation: affected systems that filter or block network traffic via NSGs are mitigated against Internet-based ‘wormable’ malware or advanced malware threats that could exploit the vulnerability. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker’s IP address is permitted through the Network Security Groups.
It is for these reasons that we strongly advise that all affected systems – irrespective of whether NSGs are filtering traffic or not – should be updated as soon as possible.
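A first-pass triage helper for the advisory above, added here as an example and not MSRC's or the Exim project's code: it parses the first line of `exim -bV` output and reports whether the version falls in the affected 4.87 to 4.91 range (4.92 is not affected, as stated above). The sample output embedded below is constructed.

```shell
#!/bin/sh
# Added example for CVE-2019-10149 triage. Affected range per the advisory: Exim 4.87..4.91.
# parse_exim_version extracts the dotted version from the first line of `exim -bV` output.

parse_exim_version() {
    # $1: text of `exim -bV` output; prints the version (e.g. 4.91) or nothing
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# exim_version_affected VERSION -> returns 0 if 4.87 <= VERSION <= 4.91, 1 otherwise,
# 2 if the version string cannot be parsed.
exim_version_affected() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major$minor" in *[!0-9]*|"") return 2 ;; esac
    [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]
}

# check_exim_output: takes `exim -bV` text, prints a verdict, returns 0 when affected.
check_exim_output() {
    v=$(parse_exim_version "$1")
    if [ -z "$v" ]; then
        echo "unknown: could not parse Exim version"; return 2
    fi
    if exim_version_affected "$v"; then
        echo "AFFECTED: Exim $v is in 4.87-4.91; patch, or restrict network access with NSGs"
        return 0
    fi
    echo "not affected by version check: Exim $v"
    return 1
}

# Constructed sample of what `exim -bV` prints on a 4.91 host (not captured from a real system).
SAMPLE_OUTPUT='Exim version 4.91 #1 built 01-Jan-2019 00:00:00
Copyright (c) University of Cambridge, 1995 - 2018'

# On a live host: check_exim_output "$(exim -bV 2>/dev/null)"
check_exim_output "$SAMPLE_OUTPUT"
```

A version match is only a starting point: distributions backport fixes without changing the upstream version string, so confirm against the distribution's own package advisory before concluding a host is unpatched.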
Manager, Azure Incident Response
Microsoft Security Response Center (MSRC)
Earlier this week BlueHat Shanghai brought together security researchers and hundreds of cybersecurity professionals from China and across Asia to explore the latest topics in cybersecurity research. With presentations from Qihoo 360, Baidu, Alibaba and the Chinese Academy of Sciences, BlueHat Shanghai highlighted incredibly talented Chinese researchers and focused on cutting-edge topics including container and IoT security.
In the conference kick-off, Eric Doerr (General Manager, MSRC) shared how researchers in China have helped protect Microsoft customers over the last year by reporting high-impact vulnerabilities under Coordinated Vulnerability Disclosure. Many of these researchers qualified for bounty awards as well; Chinese researchers dominate the Microsoft Edge bounty program, and report a substantial portion of submissions made to the Windows Insider Preview bounty program.
Microsoft has long invested in security engineering and fortifying our products and services, while recognizing that partnerships with the worldwide research community play an important role in securing Microsoft customers and the broader ecosystem. Expanding our BlueHat events to China is just one example of how we’re working to build and strengthen these partnerships and recognize the contributions of our community members. We’re also continuing to improve our security response and management operations to make it easier and more rewarding to work with the MSRC. In addition to the recent launch of the MSRC submission portal and increased bounty awards, we’re pleased to give researchers more choices in how they receive their bounty awards with the addition of Bugcrowd to Microsoft’s bounty payment provider options.
Eric highlighted some of the emerging areas of technology that are getting quick adoption by Microsoft customers like AI, GitHub and Dynamics, and the need for researchers around the world to increase their focus on these and other emerging areas of technology to continue to keep the world safe. As technology evolves, Microsoft’s security engineering practices keep pace to ensure our customers remain safe. And as we have done for two decades, we look forward to working with researchers around the world to tackle these new challenges.
Sylvie Liu & Jarek Stanley
Security Program Managers
Microsoft Security Response Center
BlueHat Shanghai brought together cybersecurity professionals from China and beyond!
On May 14, Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. In our previous blog post on this topic we warned that the vulnerability is ‘wormable’, and that future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.
Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable. It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise. This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.
It's been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we’re out of the woods. If we look at the events leading up to the start of the WannaCry attacks, they serve to inform the risks of not applying fixes for this vulnerability in a timely manner.
Our recommendation remains the same. We strongly advise that all affected systems should be updated as soon as possible.
It is possible that we won’t see this vulnerability incorporated into malware.
But that’s not the way to bet.
Almost two months passed between the release of fixes for the EternalBlue vulnerability and when ransomware attacks began. Despite having nearly 60 days to patch their systems, many customers had not.
A significant number of these customers were infected by the ransomware.
- March 14, 2017: Microsoft releases security bulletin MS17-010, which includes fixes for a set of SMBv1 vulnerabilities.
- April 14, 2017: ShadowBrokers publicly releases a set of exploits, including a wormable exploit known as 'EternalBlue' that leverages these SMBv1 vulnerabilities.
- May 12, 2017: The EternalBlue exploit is used in ransomware attacks known as WannaCry. Hundreds of thousands of vulnerable computers across the globe are infected.
Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC)
There are many dedicated people and organizations who contribute to the protection and security of our common customers. For years, Microsoft has recognized security researchers for helping protect the ecosystem. Now, we’re announcing the launch of a new program to better recognize and thank Microsoft Active Protections Program (MAPP) partners for all they do to protect our customers, including awards and evangelism based on their contributions.
MAPP provides better protections for customers through:
- Early access to monthly security release information, allowing partners to proactively apply protections prior to the release date
- Sharing of threat indicators
- Reporting vulnerabilities in Microsoft products and following Coordinated Vulnerability Disclosure (CVD)
In the last six months, MAPP partners have provided 430 unique vulnerability reports and submitted nearly 158 million threat indicators. This data helps Microsoft harden the ecosystem and better protect customers. Many of our partners work closely with us, providing information and samples for critical incidents allowing us to release security updates prior to any broad exploitation.
Starting July 1, 2019, Microsoft will publicly recognize the great work being done by these partners and the significant contributions they make to securing customers. All partners will receive a perpetual plaque in recognition of their MAPP team membership. Then, each quarter, partners have an opportunity to receive a bronze, silver, or gold tab to attach to their plaque based on their contribution to program objectives, including submitting threat indicators, reporting vulnerabilities, and practicing CVD. During the annual Black Hat USA conference, we will also offer special recognition to the top ten contributors in the MAPP program.
In addition to this new recognition program, we will use our social media presence to publicly evangelize these partners. A list of all MAPP partners can be found at https://aka.ms/mapp.
Thank you to all our MAPP partners for all you do to help protect our customers and secure the broader ecosystem.
Senior Security Strategist
Microsoft Security Response Center
Today Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.
Now that I have your attention, it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows.
Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected.
Out-of-support systems include Windows 2003 and Windows XP. If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows. Even so, we are making fixes available for these out-of-support versions of Windows in KB4500705.
Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected. Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows.
There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.
It is for these reasons that we strongly advise that all affected systems – irrespective of whether NLA is enabled or not – should be updated as soon as possible.
Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC)
Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates.
More information about this month’s security updates can be found on the Security Update Guide.
In 2018 The Microsoft Bounty Program awarded over $2,000,000 to encourage and reward external security research in key technologies to protect our customers. Building on that success, we are excited to announce a number of improvements in our bounty programs to better serve the security research community.
Faster bounty review – As of January 2019, the Cloud, Windows, and Azure DevOps programs now award bounties upon completion of reproduction and assessment of each submission, rather than waiting until the final fix has been determined. Shortening the time from submission to award determination is just one way we will get bounty rewards to researchers faster.
Faster bounty payments, with more payment options – Once a vulnerability submission has successfully qualified for a bounty award, we want to ensure payments happen quickly. Microsoft is partnering with HackerOne for bounty payment processing and support to deliver bounty awards efficiently and with more options like PayPal, cryptocurrency, or direct bank transfer in more than 30 currencies. HackerOne also supports award splitting and charity donations. Additionally, Microsoft bounty awards processed through HackerOne will contribute to your overall reputation score on the HackerOne platform. To find out more about our new partnership with HackerOne, check out our FAQ page.
Vulnerability reports should still be sent to the Microsoft Security Response Center directly at email@example.com. Do not send reports of vulnerabilities in Microsoft products and services to HackerOne.
As we accelerate our bounty assessments and rewards, we ask that researchers continue to work with us to protect customers and follow Coordinated Vulnerability Disclosure guidelines.
Increasing awards and scope – Microsoft is rewarding more for vulnerability reports in multiple bounty programs; in January 2019 we raised top award levels from $15K to $50K for the Windows Insider Preview bounty and from $15K to $20K for the Microsoft Cloud Bounty program which includes Azure, O365, and other online services. We’ve also expanded the scope of the Cloud bounty and will continue to expand scope and rewards across our programs throughout the year. Check back regularly for new research areas and follow us on Twitter for bounty program announcements.
New policy for duplicates – Historically, external reports of internally known vulnerabilities were rewarded 10% of the eligible bounty award as the report did not inform us of a new and previously unknown issue. But understanding what external researchers are capable of discovering is valuable insight, and we want to reward researchers for their contributions whenever we can. Therefore, we have updated our policy on duplicate submissions. The first researcher to report a bounty-eligible vulnerability will receive the full eligible bounty award, even if it is internally known. There is no change to our policy regarding duplicate external reports of the same vulnerability.
Microsoft is committed to enhancing our Bounty Programs and strengthening our partnership with the security research community, and I look forward to sharing more updates and improvements in the coming months. As always, if you ever have any questions or concerns about the process, you can reach us at firstname.lastname@example.org.
Jarek Stanley, @JarekMSFT
Senior Program Manager
All Microsoft Bug Bounty Programs are subject to the terms and conditions outlined here.
The Microsoft Security Response Center is part of the defender community and on the front line of security response evolution. For more than twenty years, we have been engaged with security researchers working to protect customers and the global online community. For more information, please visit our website at www.microsoft.com/msrc and follow our Twitter page at @msftsecresponse.