Black Hat: Microsoft incorporates BlueHat Prize finalist defensive tech & releases EMET 3.5 Preview

A year ago at Black Hat security conference, Microsoft announced the BlueHat Prize. Today it released EMET 3.5 (Enhanced Mitigation Experience Toolkit) technology preview which incorporated one of the BlueHat Prize finalist's defensive technologies.

Las Vegas - It has only been a few months since the close of the BlueHat Prize entry period and today Microsoft announced that it has already incorporated one of the BlueHat Prize finalist's defensive technologies. It's designed to mitigate attacks that leverage Return Oriented Programming (ROP), into its latest Enhanced Mitigation Experience Toolkit (EMET) 3.5 Technology Preview. EMET is a tool that systems administrators can use to help mitigate vulnerabilities and detect exploitation attempts, further protecting customers.

According to MSRC, "We often talk about exploit economics - the idea that increasing the difficulty of attack makes it more expensive (in terms of time and effort) and begins discouraging exploitation. EMET 3.5 is a great example of exploit economics in action as it offers protection for entire classes of vulnerabilities. EMET also provides defenses that protect assets from unknown threats."

A year ago this week during the Black Hat security conference, Microsoft announced the BlueHat Prize and challenged the security community to think outside the box and focus on defensive innovation. The three finalists are Jared DeMottIvan Fratric and Vasilis Pappas. The grand prize is $200,000, the second prize is $50,000, and the third prize is an MSDN subscription valued at $10,000. On Thursday, July 26, 2012, Microsoft will announce the BlueHat Prize grand prize winner at its Black Hat Researcher Appreciation Party. I'll be there to take a few pictures and give you a summary of finalists' entries.

All three of the BlueHat finalists submitted prototype mitigations that help prevent exploits that use Return Oriented Programming (ROP) techniques. The Microsoft Security Response Center announced that the "new Tech Preview of EMET offers four new checks based on Ivan Fratric's ROP exploit mitigation to help prevent attacks utilizing ROP techniques." This quick turnaround, "the fact that the BlueHat Prize has gone from contest announcement to real protection for customers within a single calendar year shows the positive impact of collaboration with the security community." 

Microsoft has also released its annual Microsoft Security Response Center Progress Report [PDF]. The report "provides overviews, statistics and a behind-the-scenes look into the work of the MSRC team throughout the past year." Some of the highlights include:

  • The impact of including one of the BlueHat Prize finalist's technologies into the EMET 3.5 Technology Preview
  • A rare behind-the-scenes look into the process of releasing an out-of-band security bulletin.
  • An overview of Coordinated Vulnerability Disclosure (CVD), the future of vulnerability reporting and tracking that helps organizations to automate vulnerability content intake and prioritization.
  • A look into how the company investigates third-party vulnerabilities and coordinates the release of security updates through Microsoft Vulnerability Research (MSVR).
  • Statistics about Microsoft Security Bulletins, including a breakdown of the bulletins issued and Common Vulnerabilities and Exposures addressed since 2006.
  • An overview of the Microsoft Active Protections Program (MAPP), including testimonials from MAPP partners.
  • Data from the Microsoft Exploitability Index, including an overview of the index and breakdown of the ratings numbers since the launch of the Index in October 2008.

Meanwhile, life at the Rio in Las Vegas is heating up with "strange" warning alerts over the intercom, dining room lights and casino TVs "randomly" flashing off and on. It's not ghosts in Vegas; the hackers are here for Def Con bringing fun and good times!

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2012 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.