Black Hat: Microsoft incorporates BlueHat Prize finalist defensive tech & releases EMET 3.5 Preview

Las Vegas – It has only been a few months since the close of the BlueHat Prize entry period and today Microsoft announced that it has already incorporated one of the BlueHat Prize finalist’s defensive technologies. It’s designed to mitigate attacks that leverage Return Oriented Programming (ROP), into its latest Enhanced Mitigation Experience Toolkit (EMET) 3.5 Technology Preview. EMET is a tool that systems administrators can use to help mitigate vulnerabilities and detect exploitation attempts, further protecting customers.

According to MSRC, “We often talk about exploit economics – the idea that increasing the difficulty of attack makes it more expensive (in terms of time and effort) and begins discouraging exploitation. EMET 3.5 is a great example of exploit economics in action as it offers protection for entire classes of vulnerabilities. EMET also provides defenses that protect assets from unknown threats.”

A year ago this week during the Black Hat security conference, Microsoft announced the BlueHat Prize and challenged the security community to think outside the box and focus on defensive innovation. The three finalists are Jared DeMott, Ivan Fratric and Vasilis Pappas. The grand prize is $200,000, the second prize is $50,000, and the third prize is an MSDN subscription valued at $10,000. On Thursday, July 26, 2012, Microsoft will announce the BlueHat Prize grand prize winner at its Black Hat Researcher Appreciation Party. I’ll be there to take a few pictures and give you a summary of finalists’ entries.

All three of the BlueHat finalists submitted prototype mitigations that help prevent exploits that use Return Oriented Programming (ROP) techniques. The Microsoft Security Response Center announced that the “new Tech Preview of EMET offers four new checks based on Ivan Fratric’s ROP exploit mitigation to help prevent attacks utilizing ROP techniques.” This quick turnaround, “the fact that the BlueHat Prize has gone from contest announcement to real protection for customers within a single calendar year shows the positive impact of collaboration with the security community.” 

Microsoft has also released its annual Microsoft Security Response Center Progress Report [PDF]. The report “provides overviews, statistics and a behind-the-scenes look into the work of the MSRC team throughout the past year.” Some of the highlights include:

• The impact of including one of the BlueHat Prize finalist’s technologies into the EMET 3.5 Technology Preview
• A rare behind-the-scenes look into the process of releasing an out-of-band security bulletin.
• An overview of Coordinated Vulnerability Disclosure (CVD), the future of vulnerability reporting and tracking that helps organizations to automate vulnerability content intake and prioritization.
• A look into how the company investigates third-party vulnerabilities and coordinates the release of security updates through Microsoft Vulnerability Research (MSVR).
• Statistics about Microsoft Security Bulletins, including a breakdown of the bulletins issued and Common Vulnerabilities and Exposures addressed since 2006.
• An overview of the Microsoft Active Protections Program (MAPP), including testimonials from MAPP partners.
• Data from the Microsoft Exploitability Index, including an overview of the index and breakdown of the ratings numbers since the launch of the Index in October 2008.

Meanwhile, life at the Rio in Las Vegas is heating up with “strange” warning alerts over the intercom, dining room lights and casino TVs “randomly” flashing off and on. It’s not ghosts in Vegas; the hackers are here for Def Con bringing fun and good times!

Like this? Here’s more posts:

• EFF: Americans may not realize it, but many are in a face recognition database now
• HOPE 9: Whistleblower Binney says the NSA has dossiers on nearly every US citizen
• NSA Whistleblower Drake: You’re automatically suspicious until proven otherwise
• Mobile Phone Surveillance Out of Control: Cops Collected 1.3 Million Customer Records
• High tech car theft: 3 minutes to steal keyless BMWs
• TSA lawlessly snubs federal court ruling for 1 year! Interview with Jim Harper
• Gov’t surveillance ‘unreasonable’ & violated the 4th amendment ‘at least once’
• Domestic drones: security and privacy game changer
• NSA claims it would violate Americans’ privacy to say how many of us it spied on
• Independence Day: Ghosts of SCOTUS on the fundamental right to privacy
• Windows 8 technology shift: The coming end of Win32 apps
• Going Dark in the Golden Age of Cyber-Surveillance?
• Exploiting Windows: Upcoming Black Hat Briefings

Follow me on Twitter @PrivacyFanatic