This is the first of a series of blog entries to give some insight into the Microsoft Security Response Center (MSRC) business and how we work with security researchers and vulnerability reports.
The Microsoft Security Response Center actively recognizes those security researchers who help us to protect our several billion customers and their endpoints in several ways.

This is the first of a series of blog entries to give some insight into the Microsoft Security Response Center (MSRC) business and how we work with security researchers and vulnerability reports.

The Microsoft Security Response Center actively recognizes those security researchers who help us to protect our several billion customers and their endpoints in several ways. We split our acknowledgments into three distinct categories, CVE qualified submissions, online services, and bug bounty. It is possible that a single submission will be acknowledged by one or more of these categories. We update our acknowledgements each month with the latest findings and submissions.

When it comes to recognizing our researchers through Coordinated Vulnerability Disclosure (CVD), if the finding that was submitted was impactful enough to be addressed in our monthly bulletin release (more on that in our next blog) it will be assigned a CVE number that is credited to the researcher. The researcher and their associated CVE are acknowledged monthly here in the MSRC Security Update Guide.

Our Online Services Security Researcher Acknowledgements credit those researchers who are involved with making our online platforms safer by not only submitting their findings, but also working closely with us to fix vulnerabilities discovered during their research. We draw an immense body of knowledge and capability through direct engagement with security researchers who test and evaluate our online services spaces. Together with our Operational Security Assessment work, we are constantly improving our offerings and providing a secure experience to our customers globally.

Finally, the Microsoft Bug Bounty program offers a unique acknowledgment platform to reward security researchers with cash and other prizes for submitting their findings inside of our eligible bounty programs. Security researchers (aka “Bounty Hunters”) can potentially earn anywhere between five hundred dollars and two hundred fifty thousand dollars for each submission to the Microsoft Bug Bounty program. Currently we offer nine different bounty programs where there is an opportunity to earn money for submissions.

The security community is full of great research and insight, we all succeed when we come together on a common platform. We appreciate working with security researchers to better customer security and ensure our products and services continue to evolve with the threat landscape. Public acknowledgements are just one way we want to interact and support security research in the community. A big thank you to all the researchers that have and continue to engage directly with us.

Our next blog entry will look at what sort of reports go into our monthly security update cycle. Stay tuned.

Phillip Misner,

Principal Security Group Manager

Microsoft Security Response Center

Inside the MSRC – How we recognize our researchers

本記事は、Microsoft Secure ブログ “How to disrupt attacks caused by social engineering” (2018 年 1 月 10 日 米国時間

ソーシャル エンジニアリングによって引き起こされる攻撃を途絶させる方法

本記事は、Microsoft Secure ブログ “Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)

マイクロソフト、法執行機関などとの連携により Gamarue (Andromeda) を撲滅

本記事は、Microsoft Secure のブログ “Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’”

Windows Defender ATP の機械学習と Antimalware Scan Interface: スクリプトを悪用した「環境寄生型」攻撃の検出

本記事は、Microsoft Secure ブログ “Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems”

Windows システム上の Spectre および Meltdown に対する緩和策のパフォーマンスへの影響について

本記事は、Windows Security のブログ “Making Microsoft Edge the most secure browser with Windows Defender Application Guard” (2017 年 10 月 23 日 米国時間

Windows Defender Application Guard で Microsoft Edge を最もセキュアなブラウザーに

A regression affecting Adobe Flash Player version 27.0.0.187 (and earlier versions) causes the unintended reset of the global settings preference file when a user clears browser data.

Security updates available for Flash Player | APSB17-42

Bulletin ID

Date Published

Priority

APSB17-42

December 12, 2017

2

Adobe has released a security update for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. This update addresses a regression that could lead to the unintended reset of the global settings preference file.  

Product

Version

Platform

Adobe Flash Player Desktop Runtime

27.0.0.187 and earlier versions

Windows, Macintosh

Adobe Flash Player for Google Chrome

27.0.0.187 and earlier versions

Windows, Macintosh, Linux and Chrome OS 

Adobe Flash Player for Microsoft Edge and Internet Explorer 11

27.0.0.187 and earlier versions

Windows 10 and 8.1

Adobe Flash Player Desktop Runtime

27.0.0.187 and earlier versions

Linux

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right- click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the latest version:

Note:

*   Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player 28.0.0.126 via the update mechanism within the product \[1\] or by visiting the Adobe Flash Player Download Center.
*   Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 28.0.0.126 for Windows, Macintosh, Linux and Chrome OS.
*   Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 28.0.0.126.
*   Please visit the Flash Player Help page for assistance in installing Flash Player.

\[1\] Users who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted.

Vulnerability Category

Vulnerability Impact

Severity

CVE Number

Business Logic Error

Unintended reset of global settings preference file

Moderate

CVE-2017-11305

CVE-2017-11305: Adobe Security Bulletin

A memory corruption vulnerability exists in the .PSD parsing functionality of ACDSee Ultimate 10.0.0.292. A specially crafted .PSD file can cause an out of bounds write vulnerability resulting in potential code execution. An attacker can send a specific .PSD file to trigger this vulnerability.

**Summary**

A memory corruption vulnerability exists in the .PSD parsing functionality of ACDSee Ultimate 10.0.0.292. A specially crafted .PSD file can cause an out of bounds write vulnerability resulting in potential code execution. An attacker can send a specific .PSD file to trigger this vulnerability.

**Tested Versions**

ACDSee Ultimate 10,0,0,292 (IDE\_PSD 5,7,690,1)

**Product URLs**

https://www.acdsee.com

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-787: Out-of-bounds Write

**Details**

Code responsible for the vulnerability is provided below:

        .text:00000000000D8756                 movsxd  rdx, dword ptr [rcx+64h]     ; zero
        .text:00000000000D875A                 mov     rax, [rcx+80h]               ; rcx+0x80 = points to location in PSD file
        .text:00000000000D8761                 movzx   eax, word ptr [rax+rdx*2]    ; 16-bit value from the file
        .text:00000000000D8765                 mov     rdx, [rcx+88h]
        .text:00000000000D876C                 rol     ax, 8                        ; rol the value
        .text:00000000000D8770                 movzx   esi, ax
        .text:00000000000D8773                 mov     r8d, esi                     ; size argument for memmove = from the PSD file
        .text:00000000000D8776                 call    before_memmove
    

And this is how it looks in action (before & after actual memmove):

        0:006> g
        Breakpoint 0 hit
        IDE_PSD+0xc83df:
        00000000`027983df e84c0b0500      call    IDE_PSD!IEP_ShowPlugInDialog+0x4d090 (00000000`027e8f30)
        0:006> r
        rax=0000000000002201 rbx=0000000000002201 rcx=000000000266eb50
        rdx=0000000003e86a73 rsi=000000000266eb50 rdi=00000000026365e0
        rip=00000000027983df rsp=0000000003e7fbe0 rbp=0000000003e7fd48
         r8=0000000000002201  r9=00000000025bfc0c r10=0000000000000000
        r11=0000000000000246 r12=0000000003e7fed0 r13=00000000025bfc0c
        r14=0000000003e7fd60 r15=0000000000000000
        iopl=0         nv up ei ng nz ac pe cy
        cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
        IDE_PSD+0xc83df:
        00000000`027983df e84c0b0500      call    IDE_PSD!IEP_ShowPlugInDialog+0x4d090 (00000000`027e8f30)
        0:006> !heap -triage
        **********************************************************
        ** !heap: Searching all heaps for errors...               
        **********************************************************
    
        ** !heap: Analyzing heap at 00000000004c0000...
        ** !heap: Analyzing heap at 0000000000010000...
        ** !heap: Analyzing heap at 00000000001d0000...
        ** !heap: Analyzing heap at 0000000000450000...
    
    
    
        ** !heap: The extension did not find any heap errors.
        ...
    
        0:006> p
        (11538.f0a8): Access violation - code c0000005 (first chance)
        First chance exceptions are reported before any exception handling.
        This exception may be expected and handled.
        IDE_PSD!IEP_ShowPlugInDialog+0x4d0e7:
        00000000`027e8f87 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
        0:006> !heap -triage
        **********************************************************
        ** !heap: Searching all heaps for errors...               
        **********************************************************
    
        ** !heap: Analyzing heap at 00000000004c0000...
        ** !heap: Analyzing heap at 0000000000010000...
        ** !heap: Analyzing heap at 00000000001d0000...
        ** !heap: Analyzing heap at 0000000000450000...
    
    
        ** !heap: The following heaps have invalid free lists. This means
                  that the neighbors of one element in the list did not point
                  back to the element: either Element->Flink->Blink != Element,
                  or Element->Blink->Flink != Element.
        ** !heap: Corrupt free lists are quite common. They almost always result
                  from use-after-free errors in the application.
        ** !heap: To view the erroneous entry and its neighbors in the list:
                  dt ntdll!_LIST_ENTRY <element>
    
        Heap address        Erroneous element   Element flink       Element blink
        ----------------------------------------------------------------------------
        4c0000              4c0150              2637080             266fa50             
    
        ** !heap: The following heap entries have a block size that does not
                  match the previous block size field of the next block. This
                  is sometimes the result of user corruption, but occasionally
                  it can be detected if an unrelated exception occurs while
                  executing heap code.
        ** !heap: To view the state of the invalid blocks:
                  !heap -i <heap address>
                  !heap -i <entry address>
    
                                                                    Next block's
        Heap address        Entry address       Entry size (B)      prev. size (B)
        ----------------------------------------------------------------------------
        4c0000              266eb40             2f0                 1b380               
    

In short byte value is taken directly from the .PSD file (see address 0x007BE521). This value is later used as a size argument to memmove function. This gives the attacker the opportunity to cause a memory corruption, potentially resulting in code execution.

**Crash Information**

        0:006> !analyze -v
        *******************************************************************************
        *                                                                             *
        *                        Exception Analysis                                   *
        *                                                                             *
        *******************************************************************************
    
        *** ERROR: Module load completed but symbols could not be loaded for ACDSeeQVUltimate10.exe
        GetUrlPageData2 (WinHttp) failed: 12002.
    
        DUMP_CLASS: 2
    
        DUMP_QUALIFIER: 0
    
        FAULTING_IP: 
        IDE_PSD!IEP_ShowPlugInDialog+4d0e7
        00000000`02568f87 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
    
        EXCEPTION_RECORD:  (.exr -1)
        ExceptionAddress: 0000000002568f87 (IDE_PSD!IEP_ShowPlugInDialog+0x000000000004d0e7)
           ExceptionCode: c0000005 (Access violation)
          ExceptionFlags: 00000000
        NumberParameters: 2
           Parameter[0]: 0000000000000001
           Parameter[1]: 0000000002411000
        Attempt to write to address 0000000002411000
    
        FAULTING_THREAD:  000105d0
    
        DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE
    
        PROCESS_NAME:  ACDSeeQVUltimate10.exe
    
        ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
    
        EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
    
        EXCEPTION_CODE_STR:  c0000005
    
        EXCEPTION_PARAMETER1:  0000000000000001
    
        EXCEPTION_PARAMETER2:  0000000002411000
    
        FOLLOWUP_IP: 
        IDE_PSD!IEP_ShowPlugInDialog+4d0e7
        00000000`02568f87 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
    
        WRITE_ADDRESS:  0000000002411000 
    
        WATSON_BKT_PROCSTAMP:  582f5f4b
    
        WATSON_BKT_PROCVER:  10.0.0.292
    
        PROCESS_VER_PRODUCT:  ACDSee Quick View
    
        WATSON_BKT_MODULE:  IDE_PSD.apl
    
        WATSON_BKT_MODSTAMP:  58218de5
    
        WATSON_BKT_MODOFFSET:  118f87
    
        WATSON_BKT_MODVER:  5.7.690.1
    
        MODULE_VER_PRODUCT:  ACD Systems IDE_PSD
    
        BUILD_VERSION_STRING:  10.0.15063.296 (WinBuild.160101.0800)
    
        MODLIST_WITH_TSCHKSUM_HASH:  449bbde9d140f90322f58e961035076a2b0f0991
    
        MODLIST_SHA1_HASH:  7a77586ab89477d2f40e21cc3f068770c76d961c
    
        NTGLOBALFLAG:  70
    
        APPLICATION_VERIFIER_FLAGS:  0
    
        PRODUCT_TYPE:  1
    
        SUITE_MASK:  272
    
        DUMP_TYPE:  fe
    
        ANALYSIS_SESSION_HOST:  CLAB
    
        ANALYSIS_SESSION_TIME:  07-25-2017 07:26:45.0873
    
        ANALYSIS_VERSION: 10.0.15063.400 amd64fre
    
        THREAD_ATTRIBUTES: 
        OS_LOCALE:  PLK
    
        PROBLEM_CLASSES: 
    
            ID:     [0n292]
            Type:   [@ACCESS_VIOLATION]
            Class:  Addendum
            Scope:  BUCKET_ID
            Name:   Omit
            Data:   Omit
            PID:    [Unspecified]
            TID:    [0x105d0]
            Frame:  [0] : IDE_PSD!IEP_ShowPlugInDialog
    
            ID:     [0n265]
            Type:   [INVALID_POINTER_WRITE]
            Class:  Primary
            Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
                    BUCKET_ID
            Name:   Add
            Data:   Omit
            PID:    [Unspecified]
            TID:    [0x105d0]
            Frame:  [0] : IDE_PSD!IEP_ShowPlugInDialog
    
        BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE
    
        PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT
    
        LAST_CONTROL_TRANSFER:  from 00000000025183e4 to 0000000002568f87
    
        STACK_TEXT:  
        00000000`03d3fbd8 00000000`025183e4 : 00000000`023d8b50 00000001`40238da9 00000000`023d8b58 00000000`023d84b8 : IDE_PSD! 
    IEP_ShowPlugInDialog+0x4d0e7
        00000000`03d3fbe0 00000000`0251877b : 00000000`023d7520 00000000`00002201 00000000`00000001 ffffffff`fffffffe : IDE_PSD+0xc83e4
        00000000`03d3fc10 00000000`02515def : 00000000`023d7520 00000000`03d3fd48 00000000`03d3fd48 00000000`00000000 : 
    IDE_PSD+0xc877b
        00000000`03d3fc50 00000000`02518213 : 00000000`00000000 00000000`023d7520 00000000`0064c5f0 00000001`401bd008 : 
    IDE_PSD+0xc5def
        00000000`03d3fc90 00000001`401acdbf : 00000000`0064c5f0 00000000`03d3fd71 00000000`03d3fd48 00000001`401b0000 : 
    IDE_PSD+0xc8213
        00000000`03d3fcd0 00000001`401c9745 : 00000000`0064c5f0 00000000`023d7520 00000000`00000000 00000000`023d7fd0 : 
    ACDSeeQVUltimate10+0x1acdbf
        00000000`03d3fd10 00000001`401bc1bd : 00000000`00000000 00000000`0235ea30 00000000`00000000 00000000`00000000 : 
    ACDSeeQVUltimate10+0x1c9745
        00000000`03d3fdd0 00000001`401c0945 : 00000000`0235fc20 00000000`0235fc20 00000000`03d3fe69 00000000`00000000 : 
    ACDSeeQVUltimate10+0x1bc1bd
        00000000`03d3fe20 00000001`401c01e3 : 00000000`000003e8 00000000`00000064 00000000`00000000 00000000`00000000 : 
    ACDSeeQVUltimate10+0x1c0945
        00000000`03d3fed0 00007ffd`9fe80369 : 00000000`0064cd00 00000000`00000000 00000000`00000000 00000000`00000000 : 
    ACDSeeQVUltimate10+0x1c01e3
        00000000`03d3ff30 00007ffd`a0e12774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ucrtbase!
    o__strtoui64+0x59
        00000000`03d3ff60 00007ffd`a3000d51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!
    BaseThreadInitThunk+0x14
        00000000`03d3ff90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!
    RtlUserThreadStart+0x21
    
    
        THREAD_SHA1_HASH_MOD_FUNC:  ea01bd33229d66a5f1d22bb545fdac8802f7cf90
    
        THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  2f0e27bb3643b0d9059835fad340f4d638abbbe1
    
        THREAD_SHA1_HASH_MOD:  3ddf4d56361b571b2ae71e9ce081ed7be9782865
    
        FAULT_INSTR_CODE:  8b49a4f3
    
        SYMBOL_STACK_INDEX:  0
    
        SYMBOL_NAME:  IDE_PSD!IEP_ShowPlugInDialog+4d0e7
    
        FOLLOWUP_NAME:  MachineOwner
    
        MODULE_NAME: IDE_PSD
    
        IMAGE_NAME:  IDE_PSD.apl
    
        DEBUG_FLR_IMAGE_TIMESTAMP:  58218de5
    
        STACK_COMMAND:  ~6s ; kb
    
        FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_IDE_PSD.apl!IEP_ShowPlugInDialog
    
        BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_IDE_PSD!IEP_ShowPlugInDialog+4d0e7
    
        FAILURE_EXCEPTION_CODE:  c0000005
    
        FAILURE_IMAGE_NAME:  IDE_PSD.apl
    
        BUCKET_ID_IMAGE_STR:  IDE_PSD.apl
    
        FAILURE_MODULE_NAME:  IDE_PSD
    
        BUCKET_ID_MODULE_STR:  IDE_PSD
    
        FAILURE_FUNCTION_NAME:  IEP_ShowPlugInDialog
    
        BUCKET_ID_FUNCTION_STR:  IEP_ShowPlugInDialog
    
        BUCKET_ID_OFFSET:  4d0e7
    
        BUCKET_ID_MODTIMEDATESTAMP:  58218de5
    
        BUCKET_ID_MODCHECKSUM:  29f466
    
        BUCKET_ID_MODVER_STR:  5.7.690.1
    
        BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_
    
        FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT
    
        FAILURE_SYMBOL_NAME:  IDE_PSD.apl!IEP_ShowPlugInDialog
    
        WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/ACDSeeQVUltimate10.exe/10.0.0.292/582f5f4b/IDE_PSD.apl/
         5.7.690.1/58218de5/c0000005/00118f87.htm?Retriage=1
    
        TARGET_TIME:  2017-07-25T05:26:52.000Z
    
        OSBUILD:  15063
    
        OSSERVICEPACK:  296
    
        SERVICEPACK_NUMBER: 0
    
        OS_REVISION: 0
    
        OSPLATFORM_TYPE:  x64
    
        OSNAME:  Windows 10
    
        OSEDITION:  Windows 10 WinNt SingleUserTS
    
        USER_LCID:  0
    
        OSBUILD_TIMESTAMP:  unknown_date
    
        BUILDDATESTAMP_STR:  160101.0800
    
        BUILDLAB_STR:  WinBuild
    
        BUILDOSVER_STR:  10.0.15063.296
    
        ANALYSIS_SESSION_ELAPSED_TIME:  6c05
    
        ANALYSIS_SOURCE:  UM
    
        FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_ide_psd.apl!iep_showplugindialog
    
        FAILURE_ID_HASH:  {ca7d345a-b6e4-ca4d-3ae4-d7874c5593c1}
    
        Followup:     MachineOwner
        ---------
    

**Timeline**

2017-08-08 - Vendor Disclosure  
2018-12-08 - Public Release

CVE-2017-2886: TALOS-2017-0393 || Cisco Talos Intelligence Group

Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege.

Tag

#microsoft