A couple of weeks ago I posted over on the EcoStrat Blog detailing a bit of what my team in the Microsoft Security Response Center (MSRC) does in addition to the recent work ICASI members have been doing with CVRF. For those of you interested feel free to check out the Making Sense of the Random & Mining For Gold post. Among other things, that post got me thinking about how there is plenty to cover just in regards to reporting vulnerabilities to MSRC and how we handle issues reported to firstname.lastname@example.org. Perhaps when I have a few moments of spare time I can put together a blog post on that topic alone.
In my EcoStrat post, I talked about how our job can sometimes be like mining for gold. After recently returning from the CanSecWest conference, I can say that sometimes this job is also like having gold nuggets tossed at you willingly by others. I love having the opportunity to get out of the mother ship and talk to security researchers that are actively working to help make our products better, by finding vulnerabilities and reporting them to us responsibly, so we can address the issues while not putting customers at risk. Being able to have the face-to-face interaction is invaluable for us here in the MSRC. I will never turn down and opportunity to listen to what other security researchers are working on, and what they think about the state of the industry, our products, and how Microsoft and the MSRC can do more to make the computing ecosystem more secure.
I also hope that every once and a while there is an opportunity for us as a company to put some gold back in the till. The sharing of our SDL framework, the knowledge gained as a result of some of the growing pains we experienced learning to improve the security of our products, and the recent launch of the Microsoft SDL Pro Network are some examples of where we are doing this on the SDL front. Another example is when recently a colleague of mine at CanSecWest, Jason Shirk, unveiled another contribution to that endeavor.
Jason, a Security Program Manager over in the Security Research Team that works on a lot of our fuzzing efforts, took the wraps off of the !Exploitable tool (Bang Exploitable) for those in attendance at the conference. Basically, !Exploitable is a plug-in for the Windows debugger that categorizes crash information and estimates the potential exploitability of a possible vulnerability.
Check out the article where Jason talks a bit more about !Exploitable and how it works. It is cool stuff and it is available for download over on CodePlex. One of the things that Jason says is that essentially tools like !Exploitable help to provide a means for us be on the same page in terms of what exploitability means for a potential issue. He is definitely right and I can say from the various types of vulnerability reports my team receives at email@example.com that this can be a major challenge we encounter.
!Exploitable helps developers make their code more secure and helps us all by giving a common starting point from which to have the "Is it exploitable?" conversation and that is definitely worth a few deposits into the till, in my opinion.