MSRC Ecosystem Strategy Team ecostrat@microsoft.com

July, 2009

  • MSRC Ecosystem Strategy Team

    Threat Complexity Requires New Levels of Collaboration

    When complex security issues that affect multiple vendors arise, calling them “challenging” is an understatement. We created the Microsoft Vulnerability Research Program (MSVR) to meet those challenges, learn from those experiences and strengthen the ties of our community of defenders across the industry in the process. As the state of software security matures beyond straightforward issues such as buffer overflows and elevation of privilege, we are working diligently towards a new level of cross-industry collaboration on a scale never seen before. We must do so in order to provide our mutual customers with the best possible experience on our platform.


    Handle:
    StoneZ

    IRL:
    Adrian Stone

    Rank:
    Senior Security Program Manager Lead

    Likes:
    Predictive Analytics, Game Theory, Databases, Sports Cars, NFL Football, Direct People

    Dislikes:
    Losing, Liars, Posers, No Talent Clowns


    Handle:
    k8e

    IRL:
    Katie Moussouris

    Rank:
    Senior Security Program Manager

    Likes:
    Cool vulns (responsibly disclosed of course), girls with soldering irons, Spanish tapas, quantum teleportation

    Dislikes:
    Rudeness, socks-n-sandals, licorice

    The recent Active Template Library (ATL) issue required us to find a new and more collaborative manner to respond to the developing threats as more information about the vulnerability details became public. MSVR was at the heart of the response and coordination, along with MSRC, to find a solution. As MSRC focused on what it does regularly, which is driving change within Microsoft, MSVR kicked into high gear to coordinate and assist as many third-party affected vendors as possible to help resolve an industry-wide issue.

    Several firsts and questions had to be met head-on by our relatively young MSVR program now celebrating its first birthday.

    · How do we maintain and respect the overarching tenets of Responsible Disclosure while sharing the issue outside of Microsoft?

    · How do we communicate openly and directly with multiple impacted parties while not putting customers at risk by a potential broad disclosure prior to the availability of mitigation?

    · How do we translate an issue that we came to understand very well to third parties that may not have the same technical history or security response methodologies and practices that we do?

    · Can we coordinate across the industry so that everyone is moving to the same goal of addressing the problem, despite differing development practices and engineering requirement timelines?

    The talented security researchers that reported the issue to Microsoft had done so in a responsible manner with the goal of improving the ecosystem and helping us protect our customers. At the same time, it became clear to us that this was an industry-wide problem and that the best way to secure the ecosystem was to notify affected vendors while engineering efforts were underway here in Redmond. Microsoft is a supporter of Responsible Disclosure, which aims to allow affected vendors to understand and try to resolve their respective issues before discussing the details of the issue publicly. In this instance, MSVR’s actions demonstrated a variety of responsible disclosure recently dubbed "partial disclosure," when we alerted third-party vendors who we believed had controls compiled with our vulnerable ATL headers. In the past year of MSVR operations, we have acted in the Responsible Disclosure roles of Finder and Coordinator. The ATL issue required us to act in both of those roles, plus in the role of affected Vendor.

    While we knew we had to disclose technical details to a broad group, the clock was also ticking as we began to see more and more details about this issue being discussed and discovered in the security community. The original security researchers that reported the issue to us worked with us diligently and patiently to continue acting responsibly with their understanding of the problem, while we began developing a process and technical tools to analyze our controls and look for a solution. At the same time, we began the process of identifying and analyzing the controls that are most commonly deployed but were developed by other vendors. It was at this point that we felt we had a viable way to individually engage as many of these affected vendors as possible to discuss the impact of the issue as it relates to their potentially vulnerable controls.

    Due to their potential scope, library-related vulnerabilities can often stir uncertainty and concern in the industry, so we focused our efforts to understand the true depth and breadth of the impact. Our analysis indicated that the vast majority of controls that would impact our users could be addressed by a few key vendors in the ecosystem. With this in mind, MSVR reached out to vendors who had the broadest footprint in the ecosystem that we believed were affected by the issue. We also felt confident that the defense-in-depth engineering solutions being worked on here at Microsoft would help provide a safeguard against attacks and allow other vendors more time to modify and recompile their own controls.

    Overall, our goals and objectives were straightforward, if not exactly effortless, and required us to also leverage many of the key lessons learned by the MSRC over the years. After we distilled the actions and goals down to their most elemental levels, it became clear we had to move quickly on several fronts, including:

    · Coming up with our own defense-in-depth solution to help protect customers and mitigate the threat.

    · Taking steps to identify quickly the affected third-party vendors who we thought had the broadest impact on our platform.

    · Finding the right security contacts at the vendors who met those criteria.

    · Packaging and disseminating the vulnerability information to them securely.

    Our goals in doing so were to:

    · Alert as many of the community of vendors who have affected controls as possible that there was an issue with ATL.

    · Provide the third-party vendors with technical details necessary to perform the broad analysis of all of their controls to look for the vulnerability in their products.

    · Support the third-party vendors in their analysis, answering their questions, and clarifying the issue when necessary.

    · Coordinate with the major affected third parties in both the release of the updates, as well as with guidance for our mutual customers.

    We learned a lot during this process. After all, evolution requires change in the way we think and in the way we act, which leads to growth. We will incorporate these lessons into MSVR processes moving forward. We have formed stronger relationships across organizations that MSVR has worked with on other issues in the past, and we have forged many new bonds with security teams across company boundaries. Overall, we are very pleased with the positive industry response, and we salute our counterparts in the security organizations of all the third-party vendors we have worked with during this historic collaboration, including but not limited to Adobe and Sun. We are also incredibly thankful and appreciative of Ryan Smith and David Dewey, the original security researchers that reported the issue to us responsibly, as it was a multidimensional challenge that required significant patience and understanding on their part as we determined how to best address the problem.

    As we move forward toward the next challenges on the security horizon, we can anticipate deeper integration among the community of defenders, whether they work for Microsoft or a third-party vendor, whether they are security researchers or are members of a CERT – we can expect more collaboration. After all, progress towards securing our platform, as has been made with our own SDL, will naturally lead to attacks being more complex, more dependent on how applications interact with each other and with the underlying operating system, and therefore will require us all to look past our company logos and focus on that threat horizon.

    I’m Adrian Stone, who ran the ATL coordination and is the new driver of the MSVR program since July 1, and I’m Katie Moussouris, founder of the MSVR program, and together with the security community, we look forward to advancing community-based defense and helping to usher in this new age of collaborative security for the good of all our customers.

  • MSRC Ecosystem Strategy Team

    Community Based Defense - Redux


    Handle:
    The Crushman

    IRL:
    Andrew Cushman

    Rank:
    Security Director

    Likes:
    Cranberry juice (thanks Jay!)

    Dislikes:
    Super helpful hotel desk clerks (thanks Raoul?)

    OMG it’s great to be back in Vegas again – the shows, the shopping, the nightlife, and let’s not forget the talks at Black Hat, the old and new friends, the excitement and the drama. I can hardly wait to see what develops this year!

    Last year at Black Hat, the Microsoft Security Response Center announced three new programs – Microsoft Active Protections Programs (MAPP), Microsoft Vulnerability Research (MSVR), and Microsoft Exploitability Index. I was honestly a bit nervous about how the programs would be received. Would the community ridicule them (and us)? Were the programs as solid as we thought they were? Would they stand the test of time? And most importantly, would they help advance community-based defense?

    It’s a year later and I’m happy to report that the programs were not only well received, but have proven to be effective, accurate, and continue to deliver results. MAPP is changing the balance between attacker and defender, MSVR is raising the security of the overall ecosystem, and the Exploitability Index continues to provide customers with accurate, easy to understand, and actionable guidance. Today, MSRC published a report card – “Building a Safer, More Trusted Internet through Information Sharing” – that both summarizes these results and provides specifics around goals achieved. Read all about it here.

    Today at Black Hat, MSRC also released a new set of tools and guidance aimed at continuing to advance community-based defense and simplify customers’ management of the risk environment.

    First up, the Microsoft Security Update Guide - a one stop shop of information on Microsoft’s Patch Tuesday, including what information we release, best practices, and a framework to help make the complex patch management landscape more clear. It’s available for free download here.

    On the tooling front, the MSRC Engineering team (owners of and contributors to the SRD blog) released the Microsoft Office Visualization Tool. Available for free download here, the new tool lowers the barrier to understanding the Office binary file format by allowing IT professionals, security researchers, and malware protection vendors to deconstruct .doc-, .xls- and .ppt-based targeted attacks.

    Lastly, we’re pleased to point to the latest updates from Project Quant, a cost model program for patch management response collaboratively led by Rich Mogull (Securosis) and Jeff Jones (Microsoft). With the new information released today – Project Quant Report 1.0, Model Spreadsheet 1.0, and the Survey Report – the community is better able to improve their update practices by addressing many of the challenges organizations face in optimizing their systems and maintaining security while striving to keep costs down.

    Black Hat is an exciting time and I’m thrilled to showcase the impact and continued progress of MSRC – and even more so to demonstrate how Trustworthy Computing continues to evolve in response to the changes in the threat landscape, and truly helps protect customers through community-based defense and collaboration.

    See you at Caesars!

    Andrew

  • MSRC Ecosystem Strategy Team

    The year-end review – well, sort of :)


    Handle:
    Cap'n Steve

    IRL:
    Steve Adegbite

    Rank:
    Senior Security Program Manager Lead

    Likes:
    Reverse Engineering an obscene amount of code and ripping it up on a snowboard

    Dislikes:
    Not much but if you hear me growl…run

    Hey!

    It’s that time of year again for all of us to pack up and head out to the desert to reconnect, discuss, and plan for the future, or at least what we think will be the future of security. It’s hard to predict what the next year will bring as the security landscape is ever-changing. This is probably why most of us “grey beards” in the security industry mark the Black Hat/Defcon conferences as the de facto year in review/preview of the next year for the state of security. These conferences have defined a lot of security strategies for a number of people for years. But I digress :); I started to talk about the year-end review for the security landscape.

    Looking back over the year, I am pleased to see that we have executed nicely on a couple of strategies we put into place to change the security landscape. The ones I am talking about are the three programs listed below that we launched last year around this time.

    I am going to talk about the first two programs as I have been working on both of them for a bit. MSVR has been worked by my colleague Adrian who will be blogging on MSVR in the near future. He will update you about all the exciting things they have been doing over there.

    So let’s begin. I want to talk to you first about the Exploitability Index. Like I said, the one-year anniversary is right around the corner and we have been getting a lot of positive feedback from customers on this new program. Looking back, I am happy to see that out of the 140 ratings we have provided so far, we have only had to revise one. The one rating we did change went from a high severity to a lower one (1 to 3).

    Let me give some of our reasons for this. We are extremely cautious when we rate things and when in doubt, will tend to go with the higher rating. We want to make sure that those who are using our ratings are protected against exploitation. This is kind of like putting a deadbolt lock on your door even though you live right next to the police station – I would rather be safe than sorry. However, we are always looking for ways to improve our ratings, and we tend to seek out the critical areas where we can or need to improve.

    There is no better place, in our mind, to get good feedback than from the security ecosystem. So we were extremely happy when iDefense took up the charge to review our Exploitability Index ratings for the first 120 days. I am sure you are thinking, "Is 120 days really enough time?" Well, it definitely gave a decent snapshot into how the program is progressing. I think it’s also a good timeframe for catching early process deficiencies and other issues. So let me highlight a few things that were discovered during the iDefense review.

    Overall assessment: iDefense concluded that the Microsoft Exploitability Index was a step in the right direction. They felt that the Index provides clear value to customers in providing more risk mitigation information. iDefense also felt that it helps system administrators with the prioritization of their system-updating efforts, because with the Index, they can use another piece of information to help set their update schedule.

    Out of the fifty-seven vulnerabilities reviewed by iDefense, they considered that only fourteen should have been rated differently. This is a ~75% similarity between their analyses and our own.

    As with all early efforts, they did find some areas where they had suggestions for improvement. One area is with the rating differences mentioned above. We will be reviewing the reasons for the differences and will be looking at our present process to take their suggestions into account. Check out the full report here.

    Now let’s talk about the Microsoft Active Protections Program, or as we call it in the hallways of building 27, “MAPP”. The MAPP program goals were to find a way to shorten the attack window for consumers. We wanted to be able to provide enough “just in time” technical information on the vulnerabilities that we were updating every month to help defenders provide software protections faster. It didn’t make sense in our eyes to have verified defenders in the same boat as malicious attackers trying to understand and reverse-engineer our updates to build defenses for our mutual customers.

    I am glad to say that we have exceeded our goal. In the program to date, we have 47 companies from around the world, with new partners added in Central and South America, Europe, Middle East, Africa, India, South East Asia, China, Korea, Japan, Australia, and New Zealand. This partner network’s global reach represents software protections that cover a range from tens of thousands to hundreds of millions of consumers. That is nothing to sneeze at! :) It doesn’t stop there; we will continue to add more partners to ensure that we arm the defenders with information they need to protect you, our mutual customers. We have some more proof points on how we are shrinking that attack window, but don’t take my word for it, check out the testimonials from the MAPP members themselves in the year-end progress report from MSRC here.

    Well, that’s it. Don’t forget to check out the iDefense paper located here and the MAPP paper here. And keep an eye on www.microsoft.com/twc/blogs for more Black Hat blogs from the front lines.

    Til next time….

    Steve

  • MSRC Ecosystem Strategy Team

    Black Hat USA: Hoping what happens in Vegas doesn’t actually stay in Vegas…



    Handle:
    Security Blanki

    IRL:
    Sarah Blankinship

    Rank:
    Senior Security Strategist Lead

    Likes:
    Vuln wrangling, teams of rivals, global climate change - the hotter the better

    Dislikes:
    Slack jawed gawkers (girls are geeks too!), customers @ risk, egos

    This week our team is preparing to travel to Black Hat USA in Las Vegas, Nevada, a hotspot (literally and figuratively), and one of the largest gatherings of security professionals in the world. Black Hat brings together diverse security communities to discuss, debate, deploy, and disseminate security information. It is a week of breaking bread with our friends and rivals, learning from others around the world and bridging the roles of researcher and vendor to raise our security awareness.

    Within Microsoft, we have a community of security defenders.

    Our internal community also discusses, debates, deploys, and disseminates security information. We don’t always agree; our perspectives and backgrounds are as diverse as the world we live in. We strive to understand and mitigate flaws in our own products and platforms, and also responsibly research vulnerabilities in third-party software most commonly used by Windows customers. We focus on many different areas, working on not only improving the security of Windows, but of the entire Windows ecosystem.

    For me, security is more than a mindset or an end state, it is a mission. Security is a theme that has the power to unite organizations and individuals across teams and across geographic and company boundaries. Within this mission, I, along with our internal community, strive to help ‘secure our planet’ by building bridges and creating opportunities for technical information exchange.

    As we look to meeting with our security comrades from around the world in Vegas, we thought it would be interesting to highlight the perspectives and backgrounds of individuals within our internal security community of defenders and present them in short videos to be rolled out over the next week. 

    The Microsoft security community folks profiled answered two questions:

    How did we become involved in security at Microsoft?

    What changes have we seen at Microsoft security over the years?

    As our challenges have evolved and become a great deal more complex, our collective communities must also rise to the occasion, evolving our security awareness and response. From our security community to yours, we hope you enjoy learning a little bit more about us as we work to understand more about you all.

    And remember, in this digital age, what happens in Vegas doesn’t actually stay in Vegas. ;-)

    Stay Secure!
    Sarah

    P.S.: Check out our new Trustworthy Computing blog aggregator! (http://www.microsoft.com/mscorp/twc/blogs/default.mspx) This handy aggregator is a one-stop TwC resource for security and privacy blogging news at Microsoft. Add it to your RSS feeds to stay up to date on security updates, privacy, malware response, security science news and more.

    *Postings are provided "AS IS" with no warranties, and confers no rights.*

  • MSRC Ecosystem Strategy Team

    The Microsoft Security Community Videos: A Peek Behind the Curtain


    Handle:
    EcoStrat's All-Stars

    IRL:
    TwC Security All-Star Guest Bloggers

    Likes:
    Security, Vulnerability Research & Science, Defense and Responsible Disclosure

    Dislikes:
    0-day, FUD

    As mentioned in Sarah’s Black Hat post, we’re profiling some of our own internal security members and sharing their perspectives around Microsoft’s engagement in the security community.  Maarten Van Horenbeeck, Security Program Manager, Microsoft Security Response Center (MSRC) and Katie Moussouris, Senior Security Strategist, Secure Development Lifecycle (SDL), answer the following two questions:

    How did we become involved in security at Microsoft?

    What changes have we seen at Microsoft security over the years?


    Keep an eye out for more security personalities sharing their perspectives tomorrow and be sure to visit www.microsoft.com/twc/blogs for additional posts by Katie, Maarten and other TwC Security folks on the ground at Black Hat!


  • MSRC Ecosystem Strategy Team

    The Microsoft Security Community Videos: Through the Looking Glass



    Handle:
    EcoStrat's All-Stars

    IRL:
    TwC Security All-Star Guest Bloggers

    Likes:
    Security, Vulnerability Research & Science, Defense and Responsible Disclosure

    Dislikes:
    0-day, FUD

    Take a gander as Billy Rios, Security Engineer, Business Online Services, and Bryan Sullivan, Senior Security Program Manager, Secure Development Lifecycle (SDL), discuss their experiences with the security community both inside and outside of Microsoft.


    If you haven’t already, take a look at the previous video posts for additional perspectives from other key security community members.  All videos will be available on http://edge.technet.com/ after Black Hat.


  • MSRC Ecosystem Strategy Team

    心の会合 (Meeting of Minds): The Gathering


    Handle:
    Cap'n Steve

    IRL:
    Steve Adegbite

    Rank:
    Senior Security Program Manager Lead

    Likes:
    Reverse Engineering an obscene amount of code and ripping it up on a snowboard

    Dislikes:
    Not much but if you hear me growl…run

    Konnichiwa!

    I guess you are wondering why I said hello in Japanese. I have just recently returned from attending the 21st annual conference of the Forum of Incident Response and Security Teams (FIRST), hosted in the awesome city of Kyoto in Japan. The city of Kyoto is beautiful. I was amazed at all the interesting palaces and temples located right in the middle of a modern city. It was truly awesome. What was even more awesome was the 21st FIRST Annual Conference. You have heard us here at Microsoft talk a lot lately about community-based defense initiatives. These initiatives drive the security ecosystem to work in a coordinated fashion to address security issues. This works best by creating a community that is built on trust and common goals. The common goal here is to build coordinated defense from attacks. FIRST is one such trusted, security-focused community. This is one reason why Microsoft supports their efforts. As a community of incident and security response teams, FIRST provides a trusted, entirely member-driven network for sharing information and coordinating response efforts.

    Most members work for larger companies but their efforts in the FIRST organization are at times above and beyond the duties of their jobs. FIRST relies on its member community to do a lot of work since it is a not-for-profit organization. The conferences are no different. This year the Japanese local teams of FIRST had the task of assisting the conference organizers in setting things up. Let me say they did an excellent job. It was surreal from the banquet to the mixer session; it was, in a word, “exquisite.” I personally loved the entertainment by a troupe of local taiko drummers. Check them out here.

    It wasn’t all fun and games, though some of it was. Check out the picture above. As you can see, we got the rare chance to interact with the potential future security community thanks to Ziv Mador, a Microsoft security professional from the Microsoft Malware Protection Center (MMPC) group, who brought his family along to the conference. Thanks to Eyal and Ofer Mador who provided us a wonderful chance to show them how cool security professionals can be.

    Back to business. I am a member of the Steering Committee (SC), which meets year-round. However, we usually conduct most annual business at the conference. That business can range from giving status updates on projects to providing the organization’s financial numbers. We also hold elections for the committee when an SC member’s term is up. This year, we elected two new members to the SC, joining the three current members of the committee.

    Speaking of elections, I am glad that Microsoft views our participation in FIRST as a key thing. This is extremely good, as it seems I will be spending a fair bit more time working on the FIRST Steering Committee and Board of Directors. At this annual general meeting (AGM), I was elected to be the Chairman of the Steering Committee and President of the Board of Directors for FIRST. I look forward to stepping into these roles to help steer the organization toward its goals.

    The conference tracks presented were great and focused on relevant problems faced by incident handling teams, from network monitoring to malware analysis.

    We also conducted meetings of special interest groups (SIG) to cover in-depth problems and issues faced by members in the same interest and focus areas. These sessions are really great because you get to meet like-minded peers who are facing the same problems you face. The Law Enforcement SIG and Network Monitoring SIG were well attended this year.

    You have heard Andrew Cushman talk about “Hallway Tracks” as a way to label all connections and conversations taking place outside of the presented tracks. The hallway tracks at the conference were golden. The amount of focused security discussion I had out in the hallway will have me set for a month with action items.

    Well, that’s it for now. But before I go I wanted to take the time to introduce a new member to the EcoStrat Team. I want to welcome Karl Hanmore to the team. He comes to us from AusCERT with a strong CERT background. He will be with us in Vegas at Black Hat… so see ya there!

    -Steve

