Microsoft Extends SmartScreen To Foil Malvertising and Exploit Kits

itwbennett writes: With the latest update for Windows 10, Microsoft has extended SmartScreen to block drive-by attacks in Microsoft Edge and Internet Explorer 11, the Microsoft Edge Team said Wednesday in a blog post. The new capability is based on the security intelligence that Microsoft receives from multiple products such as Microsoft Edge, Internet Explorer, Bing, Windows Defender and the Enhanced Mitigation Experience Toolkit (EMET). Thanks to this data, which includes behavioral telemetry, SmartScreen can even detect attacks that exploit zero-day vulnerabilities, according to Microsoft. The company is also revoking trust for a bunch of certificate authorities starting in January.

Re:This extends that & more to any webbound ap

[Shoten]

Yeah, great. It does all of that, and yet...it gets posted by an AC.

Must miss! Or, as a wise man named Rick James once said..."I wish I had more hands so I could give FOUR THUMBS DOWN!"

Re:Any bets how long before it's been worked aroun

[Shoten]

Each windows has been a kind of sieve, it's been plenty of holes to plug, and before they get even close finishing they get new one to start with. And in case Windows 10 is actually last windows ever, they will certainly reinvent wheel within the platform again and again so much that merry go around will continue forever.

It doesn't matter. It helps, and that is an improvement.

In the beginning, there were firewalls. And they were good. But then other attacks came about which were in no way hindered by firewalls...in fact, we're talking about those kinds of attacks right now. So firewalls aren't a magic bullet...would you run a network that was wide open to the Internet and not have one in place?

Or, taking the alternative view, what would you use as a compensating approach to accomplish the same thing? And if you have one in mind, are you sure that there will never be a way to work around it?

How about sandboxing the browser?

MS has done well with having the web browser run in a low security context, but it might be good to take a step further than that and have the browser run from in its own VM or container, with limited access, such as a subdirectory of the Downloads directory or similar, so the browser is not just with a lower security context, it has a completely different filesystem than the user. Tab/window separation would be important as well, similar to how Google Chrome runs each tab in a separate process.

Re:How about sandboxing the browser?

[The-Ixian]

Well, on the Windows Weekly podcast, Mary Jo Foley has indicated that containerization will likely be a future addition to Windows 10 just like it is in Server 2016.

I would fully expect several Windows components to begin to take advantage of this.

For a second there I read that

[future+assassin]

as Smoke Screen and Tin Foil.

Re:Any bets how long before it's been worked aroun

[The-Ixian]

Exactly this.

Each new security feature is additive.

The thing is, SmartScreen has always been kind of useless. I can count on my right hand how many times I have seen a SmartScreen alert and all of those were false positives or because SmartScreen couldn't phone home or something.

Anyway, any improvement to this technology is welcome.

Does anyone actually care?

[fahrbot-bot]

Personally, I only use IE at work to access internal sites that require it. When browsing the real Intertubes - either at work or home - I use Firefox with NoScript and several other Add-Ons that help keep me protected and private and in control of my browsing experience - or, at least, I believe relatively much more so than IE can.

Re:Does anyone actually care?

[The-Ixian]

Well, actually you can do a type of NoScript using group policy and kill bits for all corporate IE users. The central management of IE makes it ideal for our corporate environment. Instead of allowing any user to add any exception they want, we have a process by which we will vet the exception case and add it to a global allow list.

We, of course, do not allow Flash or Java to be invoked in the browser and we use the Intranet, Trusted and Internet zone profiles built into IE to restrict other aspects of web browsing.

I think that IE can be just as safe (or more so) than any other browser.

Improvements to SmartScreen will be a welcome addition to the toolbox.

Adblock to beat them to it

[penguinoid]

Adblock has been blocking malvertising and all kinds of zero day exploits for ages already. It does this by blocking advertisers that don't thoroughly vet the ads they serve against fraud and malware, and also advertisers that don't accept responsibility for any damages caused by malicious ads.

SmartScreen is a joke

[Striek]

I personally have had nothing but problems with SmartScreen. The thing is so complex that nobody at Microsoft seems to know exactly how it works. I've lost count of the number of mailservers I've set up that are refused by SmartScreen, and despite numerous attempts at resolving the problem with Microsoft Deliverability Support, nothing ever gets through. Every response is a generic "We understand you have questions regarding the deliverability of your email, and therefore its content", despite information provided to the contrary, explaining that this is an IP reputation issue. They simply don't care if your company cannot send mail to their users. They really don't.

The thing is so complex that even Microsoft's Deliverability Support team can't tell you why your mailservers mails get rejected. And worse than that, it blatantly violates RFC2821, specifically:

6.1 Reliable Delivery and Replies by Email

      When the receiver-SMTP accepts a piece of mail (by sending a "250 OK"
      message in response to DATA), it is accepting responsibility for
      delivering or relaying the message. It must take this responsibility
      seriously. It MUST NOT lose the message for frivolous reasons, such
      as because the host later crashes or because of a predictable
      resource shortage.

      If there is a delivery failure after acceptance of a message, the
      receiver-SMTP MUST formulate and mail a notification message. This
      notification MUST be sent using a null ("") reverse path in the
      envelope. The recipient of this notification MUST be the address
      from the envelope return path (or the Return-Path: line). However,
      if this address is null (""), the receiver-SMTP MUST NOT send a
      notification.

    -snip-

SmartScreen will silently drop emails, even after accepting them for delivery. Their postmaster website then tells you that you are required to be RFC2821 compliant.

SmartScreen is a joke. Its filtering policies are far too agressive, and if it decides to drop your emails, you're SOL. Believe me, I've tried to get through to them. Too many legitimate emails are silently dropped / marked as spam, and too much spam gets through (IMHO). My advice for Microsoft to improve SmartScreen is this - You do not own the email system. Design your mail system to work well with others. Tell postmasters why their mail is not being delivered, and offer effective remedies. As long as their filtering system silently drops emails with no notification of why, and their deliverability support people can't help, their mail system will remain a joke.

I gave up on SmartScreen ages ago. I now route all mail destined for Microsoft domains through Amazon SES. It's far less hassle than getting Microsoft to actually accept the message.

A better idea

[slashmydots]

MAAAAAAAAYBE they should go specifically after the ad networks hosting the "we're microsoft, your computer is broke, call us" scam ad networks instead of drive by download malware, which is barely even a thing anymore. You know, since the scammers are PRETENDING TO BE THEM, you would think they'd care.

Re:Does anyone actually use IE?

[Thraxy]

I use it at least 3-4 times a year to go to mozilla.org