Category Archives: Security


Previewing support for same-site cookies in Microsoft Edge

Yesterday’s Windows Insider Preview build (build 17672) introduces support for the SameSite cookies standard in Microsoft Edge, ahead of a planned rollout in Microsoft Edge and Internet Explorer. Same-site cookies enable more protection for users against cross-site request forgery (CSRF) attacks.
Historically, sites such as example.com that make “cross-origin” requests to other domains such as microsoft.com have generally caused the browser to send microsoft.com’s cookies as part of the request. Normally, the user benefits by being able to reuse some state (e.g., login state) across sites no matter from where that request originated. Unfortunately, this can be abused, as in CSRF attacks. Same-site cookies are a valuable addition to the defense in depth against CSRF attacks.
Sites can now set the SameSite attribute on cookies of their choosing via the Set-Cookie header or via the document.cookie JavaScript property, thus overriding the default browser behavior of sending cookies in cross-site requests: the cookie is withheld either from all cross-site requests (via the “Strict” value) or only from the less sensitive ones (via the “Lax” value).
More specifically, if a same-site cookie is set with the Strict value, it will not be sent on any cross-site request, which includes clicking a link from an external site. Because the logged-in state is stored in a SameSite=Strict cookie, when a user clicks such a link the site will initially appear as if the user is not logged in.
On the other hand, if a same-site cookie is set with the Lax value, it will not be sent for cross-origin sub-resource requests such as images. However, SameSite=Lax cookies will be sent when navigating from an external site, such as when a link is clicked.
This feature is backwards compatible―that is, browsers that don’t support same-site cookies will safely ignore the additional attribute and will simply use the cookie as a regular cookie.
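As an added example (not code from the Microsoft Edge post), here is a small JavaScript model of the decision a browser makes for a cookie that carries a SameSite attribute: parse the Set-Cookie header, then decide per request context whether the cookie is attached. The Strict and Lax behaviour follows the post; the extra rule that a Lax cookie rides only on cross-site top-level navigations that use a safe HTTP method such as GET is taken from the IETF draft the post refers to and goes beyond what the post states. The request-object shape and the function names are this example's own.

```javascript
// Added example, not Microsoft's implementation. Models how a browser decides
// whether to attach a cookie to a request based on the cookie's SameSite
// attribute. Strict/Lax semantics follow the post; the "safe method" rule for
// Lax is an assumption taken from the SameSite draft (RFC 6265bis).

// Parse a Set-Cookie header value into name, value and the SameSite mode.
// An absent or unrecognised SameSite attribute yields null, which mirrors how
// a browser without SameSite support treats the cookie (sent everywhere).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq >= 0 ? parts[0].slice(0, eq).trim() : '',
    value: eq >= 0 ? parts[0].slice(eq + 1).trim() : parts[0],
    sameSite: null,
  };
  for (const attr of parts.slice(1)) {
    const [rawKey, rawVal = ''] = attr.split('=');
    if (rawKey.trim().toLowerCase() !== 'samesite') continue;
    const mode = rawVal.trim().toLowerCase();
    if (mode === 'strict' || mode === 'lax') cookie.sameSite = mode;
  }
  return cookie;
}

// HTTP methods the draft treats as "safe" (assumption beyond the post).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// request: { crossSite: boolean, topLevelNavigation: boolean, method: string }
function shouldSendCookie(cookie, request) {
  if (!request.crossSite) return true;            // same-site: always attached
  if (cookie.sameSite === null) return true;      // no attribute: legacy behaviour
  if (cookie.sameSite === 'strict') return false; // Strict: never cross-site
  // Lax: only on a top-level navigation (e.g. a clicked link) with a safe method,
  // never on cross-site sub-resource requests such as images.
  return request.topLevelNavigation && SAFE_METHODS.has(request.method.toUpperCase());
}

// Stand-alone demonstration with constructed headers and request contexts.
const demoSession = parseSetCookie('session=abc123; Secure; HttpOnly; SameSite=Strict');
const demoPrefs = parseSetCookie('prefs=dark; SameSite=Lax');
const linkClick = { crossSite: true, topLevelNavigation: true, method: 'GET' };
const imageLoad = { crossSite: true, topLevelNavigation: false, method: 'GET' };
console.log('Strict on cross-site link:', shouldSendCookie(demoSession, linkClick)); // false
console.log('Lax on cross-site link:', shouldSendCookie(demoPrefs, linkClick));      // true
console.log('Lax on cross-site image:', shouldSendCookie(demoPrefs, imageLoad));     // false
```

The `sameSite: null` branch is what makes the feature backwards compatible: a browser that ignores the attribute, or a cookie set without it, keeps the historical send-everywhere behaviour, so the protection only applies where the site has opted in.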
We continuously work to improve our support of standards towards a more interoperable web. Although same-site cookies is not yet a finalized standard at the Internet Engineering Task Force (IETF), we believe the feature is stable and compelling enough to warrant an early implementation as the standardization process progresses.
To broaden the security benefits of this feature, we plan to service Microsoft Edge and Internet Explorer 11 on the Windows 10 Creators Update and newer to support same-site cookies as well, allowing sites to rely on same-site cookies as a defense against CSRF and other related cross-site timing and cross-site information-leakage attacks.
— Ali Alabbas, Program Manager, Microsoft Edge
— Gabriel Montenegro, Program Manager, Windows Networking
— Brent Mills, Program Manager, Internet Explorer

Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices

We have been on a journey to eliminate passwords. Today, we are delighted to announce an important milestone.
Microsoft has been aligned with the Fast Identity Online (FIDO) working group from the start; the alliance represents 250 organizations from various industries on a joint mission to replace passwords with an easy-to-use, strong credential. With the recent ratification of FIDO2 security keys by the FIDO working group, we’re updating Windows Hello to enable secure authentication for many new scenarios.
FIDO2 Security Key
Imagine a helpdesk scenario where an employee can walk up to any device and simply log in using Windows Hello rather than a username and password. Another scenario is hospital medical staff who need to access patient records on a device wherever the patient is located. Or a public-sector organization that wants secure authentication on devices while adhering to security policies and directives that require the user’s credential to be physically separate from the device itself.
Microsoft and its partners have been working together on FIDO2 security keys for Windows Hello to enable easy and secure authentication on shared devices. Security keys allow you to carry your credential with you and safely authenticate to an Azure AD joined Windows 10 PC that’s part of your organization. A user can walk up to any device belonging to the organization and authenticate in a secure way – no need to enter a username and password or set up Windows Hello beforehand. Unlike traditional passwords, these keys rely on high-security, public-key cryptography to provide strong authentication. These keys have all the benefits of a Trusted Platform Module (TPM) while also being portable, enabling the increasing number of mobile workers.
FIDO2 compliant security keys provide secure authentication, independent of the form factor. The security key holds your credential and can be protected with an additional second factor like fingerprint (integrated into the security key) or a PIN to be entered at the Windows sign-in.
Our partners are working on a variety of security key form factors. Some examples include USB security keys and NFC enabled smartcards, just to name a few. We are looking forward to seeing new form factors and possibly applications on your phone that comply with the FIDO2 specification.
Here’s a glimpse into the security keys from the partners we’ve been working closely with:
Yubico – Security key for Windows Hello
HID – Security key for Windows Hello
Feitian – Security key for Windows Hello with biometric sensor
The Windows Hello FIDO2 Security Key feature is now in limited preview. Please let us know if you would like to be added to the waitlist.

New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security

Our mission is to empower every person and every organization on the planet to achieve more. A trusted and secure computing environment is a critical component of our approach. When we introduced Windows Defender Advanced Threat Protection (ATP) more than two years ago, our target was to leverage the power of the cloud, built-in Windows security capabilities and artificial intelligence (AI) to enable our customers to stay one step ahead of the cyber-challenges.
With the next update to Windows 10, we are further expanding Windows Defender ATP to provide richer capabilities for businesses to improve their security posture and solve security incidents more quickly and efficiently. Let’s dive into these new capabilities in more detail.
Automatic investigation and remediation of threats
Now you can go from alert to remediation in minutes—at scale! Automated investigation and response dramatically reduces the volume of alerts that security analysts need to handle. It uses artificial intelligence to investigate alerts, runs in minutes sophisticated playbooks that mimic the best human analysts’ decisions and forensic processes, determines whether a threat is active and where it originated, and then decides the appropriate steps to automatically remediate it. When Windows Defender ATP identifies that the incident includes multiple machines, it automatically expands the investigation across the entire scope of the breach and performs the required actions on those machines in parallel. Threat investigation and remediation decisions can be taken automatically by Windows Defender ATP based on extensive historical data collected, stored and analyzed in our cloud (“time travel”).

With the new security automation capabilities, Windows Defender ATP can not only prevent and find breaches; it can also fix them. These actions can be set to run automatically for simple, clear-cut cases, or can be reviewed prior to execution. Either way, time and effort are saved by SecOps, enabling those talented professionals to focus on more complex and strategic problems. In addition, the organization’s security team moves faster, thereby better executing on their critical mission.
Microsoft 365 conditional access based on device-risk
If a threat gets detected, the next logical step would be to block access to your sensitive business data from the device while the threat is still active. This is now possible! We worked with our colleagues from the Microsoft Intune and Azure Active Directory (AAD) team, to enrich one of our most popular security scenarios of Microsoft 365 conditional access.
Available in the next update, the dynamic machine risk level can be used to define corporate access policies and prevent risk to corporate data.
As an example, if a threat lands on your endpoints, even via the most advanced fileless attacks, Windows Defender ATP can detect it and automatically protect your precious corporate information through conditional access. In parallel, Windows Defender ATP will start an automated investigation to quickly remediate the threat. Once the threat is remediated, based on the preference set (automatic or reviewed), the risk level is set back to “no risk” – and access is granted again.

With Windows Defender ATP, you can now control access based on the risk level of the device itself, helping to ensure devices are always trusted.
Advanced hunting
When it comes to more complex issues, security analysts seek rich optics and the right tools to quickly hunt and investigate. We developed a new, powerful query-based search that we call Advanced Hunting designed to unleash the hunter in you.
With Advanced Hunting, you can proactively hunt and investigate across your organization’s data. Process creation, file modification, machine login, network communication, registry update, remediation actions and many other event types are now entities you can easily query, correlate and intersect. Advanced Hunting is an integral part of our investigation experience, so your hunting results, such as machines and files, can leverage the rich set of features we already provide in Windows Security Center (correlate with worldwide information, VT data, trigger block or containment actions, etc.).
To help you get started, we added a set of sample queries within the tool, and we also have a project on GitHub which contains additional sample queries.
Here’s a sample query which hunts for persistence or privilege escalation done by attaching a debugger process to Windows accessibility processes.
RegistryEvents
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"
    and RegistryValueName contains "debugger"
    and isnotempty(RegistryValueData)
// Parse the debugged process name from the registry key
| parse RegistryKey with @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" DebuggedFile
| where DebuggedFile in~ ("utilman.exe", "osk.exe", "magnify.exe", "narrator.exe", "displayswitch.exe", "atbroker.exe", "sethc.exe", "helppane.exe")
| project Technique="AttachedDebugger", DebuggedFile, DebuggerCommandline=RegistryValueData, InitiatingProcessCommandLine, EventTime, ComputerName
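As an added example (not code from the post or from the Windows Defender ATP query project), the same detection logic can be expressed as a JavaScript filter over registry events, which makes it easy to test each clause of the query against constructed input. The event objects use the RegistryEvents column names from the query; the sample events, host name and debugger paths below are constructed and not real telemetry.

```javascript
// Added example, not Microsoft's code: the Advanced Hunting query above,
// rewritten as a filter over an array of registry-event objects so that each
// clause (startswith, contains, isnotempty, parse, in~) can be checked offline.

const IFEO_PREFIX =
  'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\';

// Accessibility binaries listed in the query (reachable from the logon screen).
const ACCESSIBILITY_BINARIES = new Set([
  'utilman.exe', 'osk.exe', 'magnify.exe', 'narrator.exe',
  'displayswitch.exe', 'atbroker.exe', 'sethc.exe', 'helppane.exe',
]);

function findAccessibilityDebuggerEvents(events) {
  const hits = [];
  for (const e of events) {
    // RegistryKey startswith @"...Image File Execution Options\" (KQL startswith is case-insensitive)
    if (!e.RegistryKey.toLowerCase().startsWith(IFEO_PREFIX.toLowerCase())) continue;
    // RegistryValueName contains "debugger" (KQL contains is case-insensitive)
    if (!(e.RegistryValueName || '').toLowerCase().includes('debugger')) continue;
    // isnotempty(RegistryValueData): ignore deletions and empty writes
    if (!e.RegistryValueData) continue;
    // parse RegistryKey with @"<prefix>" DebuggedFile: the remainder is the subkey name
    const debuggedFile = e.RegistryKey.slice(IFEO_PREFIX.length);
    // DebuggedFile in~ (...): case-insensitive membership test
    if (!ACCESSIBILITY_BINARIES.has(debuggedFile.toLowerCase())) continue;
    // project ...
    hits.push({
      Technique: 'AttachedDebugger',
      DebuggedFile: debuggedFile,
      DebuggerCommandline: e.RegistryValueData,
      InitiatingProcessCommandLine: e.InitiatingProcessCommandLine,
      EventTime: e.EventTime,
      ComputerName: e.ComputerName,
    });
  }
  return hits;
}

// Constructed sample events (not real telemetry). Two should match, four should not.
const SAMPLE_EVENTS = [
  { EventTime: '2018-05-01T10:00:00Z', ComputerName: 'ws01.example.test',
    RegistryKey: IFEO_PREFIX + 'sethc.exe', RegistryValueName: 'Debugger',
    RegistryValueData: 'C:\\Temp\\constructed-debugger.exe',
    InitiatingProcessCommandLine: 'regedit.exe' },
  { EventTime: '2018-05-01T10:05:00Z', ComputerName: 'ws02.example.test',
    RegistryKey: IFEO_PREFIX + 'UTILMAN.EXE', RegistryValueName: 'debugger',
    RegistryValueData: 'C:\\Temp\\constructed-helper.exe',
    InitiatingProcessCommandLine: 'regedit.exe' },
  // Debugger set on a non-accessibility binary: common for developer tooling, not a hit.
  { EventTime: '2018-05-01T10:06:00Z', ComputerName: 'dev01.example.test',
    RegistryKey: IFEO_PREFIX + 'notepad.exe', RegistryValueName: 'Debugger',
    RegistryValueData: 'C:\\Tools\\constructed-dbg.exe', InitiatingProcessCommandLine: 'regedit.exe' },
  // Accessibility binary but a different IFEO value name: not a hit.
  { EventTime: '2018-05-01T10:07:00Z', ComputerName: 'ws01.example.test',
    RegistryKey: IFEO_PREFIX + 'sethc.exe', RegistryValueName: 'GlobalFlag',
    RegistryValueData: '0x200', InitiatingProcessCommandLine: 'regedit.exe' },
  // Value cleared (empty data): not a hit.
  { EventTime: '2018-05-01T10:08:00Z', ComputerName: 'ws03.example.test',
    RegistryKey: IFEO_PREFIX + 'osk.exe', RegistryValueName: 'Debugger',
    RegistryValueData: '', InitiatingProcessCommandLine: 'regedit.exe' },
  // Key outside Image File Execution Options: not a hit.
  { EventTime: '2018-05-01T10:09:00Z', ComputerName: 'ws03.example.test',
    RegistryKey: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run',
    RegistryValueName: 'Debugger', RegistryValueData: 'x', InitiatingProcessCommandLine: 'regedit.exe' },
];

console.log(findAccessibilityDebuggerEvents(SAMPLE_EVENTS)); // prints the two matching records
```

The third sample event is the reason the query restricts itself to the accessibility binaries rather than alerting on every IFEO Debugger value: legitimate debugging setups write the same value for ordinary applications, and the narrow list keeps the hunt focused on the logon-screen persistence case.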
Signal sharing across the Intelligent Security Graph
Our services also learn from each other. Through the Microsoft Intelligent Security Graph (ISG) we share detections to automatically update our protection and detection mechanisms across Microsoft 365 and orchestrate remediation. For example, if a threat gets detected by any of the Windows Defender ATP components, that threat will instantly be blocked if it is encountered through an email that is protected by Office 365 ATP – and the other way around.

When it comes to investigating threats, other Microsoft ATP services might have information important to understanding the full picture. We are excited to share that we are expanding how Windows, Office, and now Azure Advanced Threat Protection (ATP) work together. We are providing wider Advanced Threat Protection coverage across identities (Azure ATP), apps and data (Office 365 ATP) and devices (Windows Defender ATP). This means relevant information is displayed right at your fingertips and seamless navigation between the consoles without losing context.
We added improved prevention for ransomware, exploits and advanced attacks.
Attackers are using new techniques like “fileless” attacks to compromise systems and deliver ransomware and other types of malware. To address these types of threats we significantly improved our existing exploit protection and behavior monitoring techniques, which are already consistently earning top scores on independent tests for protecting against these scenarios. Cloud protection has also been updated to inspect and block a broader range of content types (e.g., JavaScript, macros, and documents) regardless of whether the content was downloaded from the web, a USB stick, etc.
We’ve added new capabilities to prevent unauthorized lateral movement and new techniques to address aggressive ransomware attacks that attempt to render devices unbootable through boot sector tampering (e.g.: NotPetya).
Faster performance and reaction times to fast-moving outbreaks have also been added. The Intelligent Security Graph can now be used to instantly update devices with the latest dynamic intelligence as soon as a new outbreak is detected. We’ve also added a new accelerated memory scanning capability which takes advantage of Intel’s Threat Detection Technology (TDT). This capability leverages Intel’s integrated graphics processor to live-scan memory for advanced threats, offering improved performance, user experience, and better battery life.
Microsoft Secure Score
We all know that fixing a problem before it happens is the best way to stay safe. Windows Secure Score does this by helping you run reports on your devices’ security posture and providing actionable recommendations, ensuring your entire organization is fortified against the next attack. But we know that the security state of devices is not everything; that’s why we display your Secure Score across Windows and Office in a single view with the Microsoft Secure Score.

If you’re worried about the latest threat, we’ve got you covered with a new dashboard that provides insights about the exposure level of your organization – currently for the Meltdown and Spectre vulnerability, so you can easily understand what machines are still exposed. This includes information about your network, operating system updates, and microcode level information against these threats.
Windows Defender ATP today
These new Windows Defender ATP innovations place an emphasis on leveraging intelligence, cloud, and analytics to build deeper levels of advanced threat protection for our customers. We are expanding the platform coverage beyond Windows 10: Windows Defender ATP is now built into Windows Server 2019, is currently in private preview for Windows 7 and 8.1 with general availability coming soon, and extends across macOS, Linux, iOS, and Android devices through our Microsoft Intelligent Security Association.
All these new capabilities are already available in Public Preview today. Sign up for a 90-day trial of Windows Defender ATP today or enable Preview features on existing tenants.

Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer

Today, Google Project Zero published details of a class of vulnerabilities which can be exploited by speculative execution side-channel attacks. These techniques can be used via JavaScript code running in the browser, which may allow attackers to gain access to memory in the attacker’s process.
Microsoft has issued security updates (KB4056890) with mitigations for this class of attacks. As part of these updates, we are making changes to the behavior of supported versions of Microsoft Edge and Internet Explorer 11 to mitigate the ability to successfully read memory through this new class of side-channel attacks.
Initially, we are removing support for SharedArrayBuffer from Microsoft Edge (originally introduced in the Windows 10 Fall Creators Update), and reducing the resolution of performance.now() in Microsoft Edge and Internet Explorer from 5 microseconds to 20 microseconds, with variable jitter of up to an additional 20 microseconds. These two changes substantially increase the difficulty of successfully inferring the content of the CPU cache from a browser process.
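As an added example (not Microsoft’s implementation, whose details the post does not give), here is a JavaScript model of the timer coarsening the post describes: a microsecond timestamp is rounded down to a 20 µs grid and a random jitter of up to 20 µs is added. The second function measures, over many trials, how often a true 5 µs interval is still observed as a positive difference after coarsening, which is what makes a cache-timing measurement at the old 5 µs granularity unreliable. The random source is injected so the behaviour can be tested deterministically; the function names and constants are this example’s own.

```javascript
// Added example, not Microsoft Edge's code: a model of reducing performance.now()
// resolution to 20 µs and adding up to 20 µs of jitter, as described in the post.

const RESOLUTION_US = 20;  // new timer resolution from the post
const MAX_JITTER_US = 20;  // maximum additional jitter from the post

// Round a microsecond timestamp down to the resolution grid, then add an
// integer jitter in [0, MAX_JITTER_US). `rng` returns a float in [0, 1).
function coarsenTimestamp(tMicros, rng = Math.random) {
  const quantized = Math.floor(tMicros / RESOLUTION_US) * RESOLUTION_US;
  const jitter = Math.floor(rng() * MAX_JITTER_US);
  return quantized + jitter;
}

// Fraction of `trials` in which two events truly `gapMicros` apart are still
// observed in the right order (second timestamp strictly greater) after
// coarsening. Start offsets are drawn from `rng` so the gap straddles grid
// boundaries in a random fraction of trials.
function orderingPreservedFraction(gapMicros, trials, rng = Math.random) {
  let preserved = 0;
  for (let i = 0; i < trials; i++) {
    const start = rng() * 1000;
    const first = coarsenTimestamp(start, rng);
    const second = coarsenTimestamp(start + gapMicros, rng);
    if (second > first) preserved++;
  }
  return preserved / trials;
}

// Stand-alone demonstration: a 5 µs gap (the old resolution) is no longer
// reliably visible, while a gap of several grid steps still is.
console.log('5 µs gap preserved:', orderingPreservedFraction(5, 10000));
console.log('100 µs gap preserved:', orderingPreservedFraction(100, 10000));
```

With jitter switched off (an `rng` that always returns 0) two timestamps 5 µs apart in the same 20 µs cell become identical, and with jitter on the ordering of such a pair is lost in a large share of trials; a gap of several grid steps always survives because the quantized parts then differ by more than the jitter range.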
We will continue to evaluate the impact of the CPU vulnerabilities published today, and introduce additional mitigations accordingly in future servicing releases.  We will re-evaluate SharedArrayBuffer for a future release once we are confident it cannot be used as part of a successful attack.
— John Hazen, Principal PM Lead, Microsoft Edge

Microsoft Edge extensions, one year later

It has been a little more than a year since Microsoft first shipped the number one requested feature for Microsoft Edge – extensions! Today, we are excited to share a few updates on the progress we have made since then, and a quick look at what’s planned for the future, as we continue to listen to feedback from customers and partners.
We heard loud and clear that extensions like ad blockers, password managers, and key productivity enhancements are important to our customers to make the browser meet their needs. Throughout 2016, we worked closely with a small group of partners to launch a core set of highly-requested extensions through the Windows Store as part of the Windows 10 Anniversary Update. The first extensions in the Windows Store were AdBlock, Adblock Plus, Amazon Assistant, Evernote Web Clipper, LastPass, Mouse Gestures, Office Online, OneNote Web Clipper, Page Analyzer, Pinterest Save Button, Reddit Enhancement Suite, Save to Pocket and Translator for Microsoft Edge.

Enabling more powerful extensions
When we shipped this first batch of extensions, the response from our customers and enthusiasts was tremendous. Still, many of you were immediately ready for the list to grow, and have often asked when a personal favorite extension will show up.
Before we could enable a wider ecosystem of extensions for our customers, we needed to improve the capabilities of our extensions platform to allow new categories of extensions and more features for existing extensions. Over the past year, we’ve been focused on a few key engineering investments to add new capabilities:
Native Messaging (supported from EdgeHTML 15) allows an extension to communicate with a UWP application installed on the system, enabling apps to integrate with more sophisticated functionality outside of the browser, which enables more advanced password management and other features.
Bookmarks (supported from EdgeHTML 15) allows an extension to access your favorites (with the associated permissions).
Improved APIs – In addition to new APIs like bookmarks, we improved and fleshed out the existing API classes already supported, which combined meant we support over 30% more APIs than in the initial release.
Fundamentals – Astute observers of our release notes and active testers in the Insider program may have noticed that some preview builds break extensions temporarily. The Insider program is key for us to see how experimental features are working on a build with real users, including helping us where we were falling short. We have used that data to improve the reliability and performance of our extension platform and will continue to focus on improving these fundamentals in future releases.
We’re always evaluating additional API support for future releases. You can see the extensions APIs that we currently support at our Extension API roadmap, as well as those that are under consideration (for example, Downloads and Notifications). We’re keen to hear your feedback on what’s most important to your extensions – let us know on UserVoice or via Twitter at MSEdgeDev.
Building a thoughtfully curated ecosystem
We have taken a purposefully metered approach as we onboard new extensions. Extensions are one of the most substantial features in a new browser, and we have a high bar for quality. Because extensions interact so closely with the browser, we have been very attuned to the security, performance, and reliability of Microsoft Edge with these extensions enabled. Starting with a small group of the most popularly requested extensions has allowed us to mature our extension ecosystem alongside our extension platform, as well as to build a smooth onboarding experience for developers over time.
As we’ve continued to work on the extensions platform, we sometimes get questions asking why the list of extensions isn’t growing faster. What gives?
We are extremely sensitive to the potential impact of extensions on your browsing experience and want to make sure that the extensions we do allow are high-quality and trustworthy. We want Microsoft Edge to be your favorite browser, with the fundamentals you expect – speed, power efficiency, reliability, security. Poorly written or even malicious add-ons for browsers remain a potential source of privacy, security, reliability and performance issues, even today. We want users to be confident that they can trust extensions in Microsoft Edge to operate as expected. As such, we continue to evaluate each extension submission to ensure that it will bring value to our users and support our goals for a healthy ecosystem.
A growing catalog of trusted extensions
Today, in the Windows Store, our partners are offering over 70 extensions worldwide, and are adding more every week – including popular extensions like Grammarly, which launched earlier this week! As this list grows, we will continue to preview new functionality and experimental extensions starting with Windows Insiders for testing and feedback, followed by a broader release via the Windows Store, to ensure the quality of the end-to-end experience.
Looking forward, we continue to work closely with our developer partners to onboard new extensions into the Store. We continue to prioritize what APIs we should support, and what partners we should work with from user feedback, so please keep it coming! Thanks to our users and partners for a great year!
– Colleen Williams, Senior Program Manager, Microsoft Edge

Microsoft Edge Web Summit 2017 recordings are now available on Channel 9

Last week we welcomed hundreds of local developers and thousands of online viewers to our third annual Microsoft Edge Web Summit! Videos and slides from each session are now available to stream or download on Channel 9.
Learn about what’s new in EdgeHTML 16 in the keynote at Microsoft Edge Web Summit 2017.
Our sessions will bring you up to date on what’s in store for EdgeHTML 16, including learning how to use new and updated features like CSS Grid Layout, object-fit and object-position, WebVR, and the Web Payments API.

Learn about how to build faster websites with a fast and furious tour of web performance in the real world, and how to keep your development and testing on track with sonar, a new open-source, community-owned linting tool for the web. And make sense of the always-evolving web app landscape while blending the best of web and native with Progressive Web Apps.

Or go on a deep dive into the inner workings of the browser, to learn how we’re constantly rebuilding Microsoft Edge to be more secure, more accessible, and faster than ever, with every release we ship.

That’s just the beginning – there’s lots more to see on Channel 9, and we’ll have more to share about these topics and more in the coming weeks right here on the Microsoft Edge Dev Blog.
Thanks for joining us at Microsoft Edge Web Summit 2017 – we can’t wait to see you next year!
— Kyle Pflug, Senior Program Manager, Microsoft Edge

Automated Response for Windows Defender ATP

From C-level execs to Sec-Ops pros, our customers tell us they are overwhelmed with the rapid pace new cyber threats are released in the wild. That’s why at Microsoft staying ahead of the security challenges our customers are facing and shifting the industry to next-generation security defenses are critical strategies to addressing these threats.
Today, we’re announcing Windows Defender Advanced Threat Protection (ATP) will include automated investigation and remediation capabilities later this year. This takes enterprise security to a new level enabling our customers to move faster from device, data and insight to action against modern-day threats.
Understanding the security challenge
Since we announced Windows Defender Advanced Threat Protection, it has continually evolved with new detection capabilities, investigation and hunting tools and response options. With the Windows 10 Fall Creators Update,  new prevention capabilities were added, as well as capabilities to stop attacks as they happen, enabling companies to use the full power of the Windows security stack for preventative protection. We also enhanced our single pane of glass experience so security operations (SecOps) teams get full visibility into their Windows endpoint security and a rich toolset to take action using the Windows Defender ATP console.
Now 18 months since launching Windows Defender ATP, customers have more visibility into threats than ever before. In fact, Windows Defender ATP processes 970 million malicious security events per day from across the Microsoft enterprise and consumer eco-system, making the Intelligent Security Graph richer every day. This staggering figure shows the magnitude of the threat landscape being surfaced to customers, yet visibility is simply not enough.

From visibility to action
While detecting threats is half the battle, security teams are struggling to follow up on the volume of alerts they see. Research from analyst firm EMA found that 88 percent of organizations receive up to 500 alerts per day that are classified as “severe” or “critical”, and 60 percent only had three to five full-time employees (FTEs) working those alerts. 88 percent of participants said their teams could investigate only 25 or fewer severe/critical events per day. This leaves what David Monahan, research director for Security and Risk Management at EMA calls “a huge, and frankly insurmountable, daily gap.”
We can help – with built-in security automation in Windows Defender ATP
Following the recent acquisition of Hexadite, a leader in security automation, we are happy to announce we have successfully integrated Hexadite’s innovative security automation technology into Windows Defender ATP. This enables Windows Defender ATP customers to leverage state of the art AI technology to solve their alert volume challenges by letting Windows Defender ATP automatically investigate alerts, apply artificial intelligence to determine whether a threat is real and to determine what action to take, going from alert to remediation in minutes at scale. With this addition, Windows Defender ATP now covers the end-to-end threat lifecycle from detection to investigation and response automatically.
Here’s a sneak peek at what’s coming:

With the new security automation capabilities, Windows Defender ATP can not only find breaches; it can also fix them. These actions can be run automatically for simple, clear-cut cases, or can be reviewed prior to execution. Either way, time and effort are saved by SecOps, enabling those talented professionals to focus on more complex and strategic problems. In addition, the organization’s security team moves faster, thereby better executing on their critical mission.
Try Windows Defender ATP today
The new WDATP automated response capabilities will be available for customers to preview later this year. Sign up for a 90-day trial of Windows Defender ATP today or enable Preview features on existing tenants.

Evolving our Windows approach to AV, thanks to partner feedback

Earlier this summer I shared that we believe in a healthy antivirus ecosystem working with us in protecting our shared customers from security threats. Our top priority is and always will be to protect our customers with security innovations for the Windows platform, increase our customers’ pre- and post-breach security stance, and provide a platform that offers choice.
Part of delivering on that commitment is listening and responding to feedback from our customers and partners. We work closely with AV partners like Kaspersky Lab, and at our Microsoft Virus Initiative forum last month, we made great progress in building upon our shared understanding of how we deliver Windows 10 updates and security experiences that help ensure the ongoing safety of Windows customers.
I’m pleased to share these discussions have helped us clarify our roadmap and implementation plans. As a result, we are making updates to our AV partner requirements today that reflect the interests of the community and our shared customers. We will also implement changes in the Windows 10 Fall Creators Update.
Here are some of the changes we are making to support our partners in delivering security protections to Windows customers.
We will work more closely with AV vendors to help them with compatibility reviews in advance of each feature update becoming available to customers. This means customers can expect we will have worked through compatibility issues with AV providers before offering the update to customers running that AV.
We will give AV partners better visibility and certainty around release schedules for feature updates. This includes increasing the amount of time AV partners will have to review final builds before the next Windows 10 feature update is rolled out to customers.
We will enable AV providers to use their own alerts and notifications to renew antivirus products before and after they have expired.
We have modified how Windows will inform users when their antivirus application has expired and is no longer protecting them. Instead of providing an initial toast notification that users could ignore, the new notification will persist on the screen until the user either elects to renew the existing solution or chooses to rely on Windows Defender or another solution provider.
We appreciate the feedback and continued dialogue with our partners and are pleased to have found common ground with Kaspersky Lab on the complaints raised in Russia and Europe. We look forward to our continued partnership with the industry.
Customers deserve the best and most up-to-date protection possible. Microsoft and our security partners share a commitment to keep them safe.