Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Microsoft Attack Surface Analyzer Catalogs Threats

Free tool helps developers, IT personnel, and security audit teams review threats posed by software installed on a Windows PC.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
What's the information security threat posed by any given piece of software that's installed on a Windows machine?

To help businesses answer that question, Microsoft last week released its free Attack Surface Analyzer 1.0 tool. "The purpose of this tool is to help software developers, independent software vendors (ISVs), and IT professionals better understand changes in Windows systems' attack surface resulting from the installation of new applications," according to a blog post written by Microsoft's Monty LaRue and Jimmie Lee, who are part of its trustworthy computing security group.

The tool analyzes newly added--or changed since the last scan--files and registry keys, as well as Microsoft ActiveX controls, services, process threads, and open ports, among other parameters. "Unlike many tools that analyze a system based on signatures or known vulnerabilities, Attack Surface Analyzer looks for classes of security weaknesses Microsoft has seen when applications are installed on the Windows operating system, and it highlights these as issues," according to LaRue and Lee. "The tool also gives an overview of changes to the system that Microsoft considers important to the security of the platform, and it highlights these changes in the attack surface report."

Attack Surface Analyzer will collect attack data from Windows Vista, Windows 7, Windows 8, as well as various versions of Windows Server 2008 and 2012 systems. Using the .NET Framework 4, all of those systems--bar Vista--can also be used to analyze the collected data and generate related reports.

[ Learn Microsoft Windows Support Call Scams: 7 Facts. ]

Microsoft had released a beta version of the tool for general use early last year. Microsoft said the latest version incorporates a number of performance enhancements and bug fixes, results in a lower number of false positives, has a better graphical user interface, and now includes in-depth documentation. Beta users, however, will need to start with fresh data collection, as Microsoft said the latest version won't work with any previously collected baseline or application scans.

In recent years, Microsoft has been working to reduce the attack surface of its own applications by getting serious about secure coding, as well as adding the latest attack mitigation technologies into its products. Those include data execution prevention (DEP), which helps block arbitrary code execution, as well as address space layout randomization (ASLR), which makes it difficult for attackers to locate objects--such as DLL files--that would make it easier for them to launch a successful exploit.

On a related note, Microsoft last month released a new version of its Enhanced Mitigation Experience Toolkit (EMET), now at v3.5, which allows newer mitigation technologies to be applied to older products. "It takes mitigations that exist in later versions of Windows--like ASLR and DEP-- and it will allow you to run them on XP and Vista," said Mike Reavey, director of the Microsoft Security Response Center, in an interview at the Black Hat conference in Las Vegas last month. "So if you have an old version of Office that isn't aware of DEP, or even Adobe Reader, you can now apply DEP to that."

He said the latest version also incorporates four new defenses against return-oriented programming (ROP), which Microsoft gleaned thanks to its $250,000 BlueHat Prize. Ivan Fratric, a researcher at the University of Zagreb in Croatia, invented "ROPGuard," which watches for--and blocks at runtime--certain types of return-oriented programming attacks. Fratric ultimately took second place in the contest, winning $50,000.

Microsoft's Reavey said that the innovative ROP watch-guard technology demonstrated the benefit of having vendors work with independent security researchers, via such programs as the BlueHat prize. "That shows the power that's available if you partner with this community," he said.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29071
PUBLISHED: 2020-11-25
An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving se...
CVE-2020-29072
PUBLISHED: 2020-11-25
A Cross-Site Script Inclusion vulnerability was found on LiquidFiles before 3.3.19. This client-side attack requires user interaction (opening a link) and successful exploitation could lead to encrypted e-mail content leakage via messages/sent?format=js and popup?format=js.
CVE-2020-26241
PUBLISHED: 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) co...
CVE-2020-26242
PUBLISHED: 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.18, there is a Denial-of-service (crash) during block processing. This is fixed in 1.9.18.
CVE-2020-26240
PUBLISHED: 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on...