One of the questions I am often asked is regarding security updates for Windows systems that fail the Windows Genuine Advantage (WGA) check. In other words, who gets security updates? It’s an understandable question, and it has a very clear answer.
"Security updates are available to all systems."
It is just that simple. If Microsoft has provided a security update, you can install it on your system. This is still true even if your system fails the WGA validation check. There are also no WGA checks for service packs, update rollups, and important reliability and application compatibility updates. Paul Cooke, a Director in the Windows Client group, also stated this last year in his Windows Security Blog. On Windows Vista and Windows 7, available security updates can be accessed through Windows Update in Control Panel. On Windows XP, systems that fail a WGA check can still access security updates through Automatic Updates.
Keeping all Windows systems current on their security updates is a big part of keeping a healthy Windows ecosystem. After all, Conficker and Blaster don’t check for WGA. If you don’t have the right security updates, they just compromise your system and then spread to other systems. While a large part of my job is responding to vulnerability reports, it is always better to have proactively helped users stay secure.
So if you have ever wondered, now you know. You can always get security updates regardless of WGA validation. We at the MSRC are completely committed to ensuring our security updates go out to as many of our users as possible. So install those security updates without fear, and if you happen to run into me at a conference and want to hear everything else I do, just let me know. It is a story I love to tell. Just make sure you have an hour or two to spare. :-]
*Postings are provided "AS IS" with no warranties, and confers no rights.*
With this goal in mind, I’d like to introduce some of the new virtual members of our EcoStrat blogging team. In the future you’ll be hearing not just from the Partner and Security Outreach members that compose EcoStrat, but also from additional MSRC Operational Program Managers, Security Science team members, and Security Response Communications folks. Some of what they will be sharing will be from their own direct experiences with monthly release day, out-of-band releases, current research and conference trends, and our continued interactions with security community researchers, IT Pros, academics, governments and beyond. Each of these representatives and points of view provides an integral part of the security cog, and together we continue to fight the good fight, working towards a more secure planet.
Get to know these new bloggers, visit the about page for more background, and get yourself ready for frequent future posts.
Hi All, This is Dustin and Karl from the Microsoft Security Response Center (MSRC). Recently, we were fortunate enough to attend the Black Hat DC 2010 conference held in Washington, D.C. We wanted to share our personal highlights from this great conference and provide a bit of a weather report too.
Having attended several Black Hat conferences, there are two things attendees of this con can always look forward to: great talks and great people. Not only is it a chance to hear what some of the leading minds in the industry are working on, it is also a chance to get to know some of them on a personal level. Conversations in the hallways are every bit as engaging as in the presentations in the lecture rooms. It’s always great to see what people are working on and what matters to both conference presenters and attendees alike.
Speaking of the presenters, Black Hat DC encompassed over 25 speakers who presented on various topics covering a wide range of technologies and subjects. Since it’s impossible to attend all of the presentations, here are just a few we would like to highlight. Elie Bursztein and Jean-Michel Picod discussed Reversing DPAPI and Stealing Windows Secrets Offline and showed potential issues with the way Windows stores encrypted data on disk.
Matthieu Suiche presented Advanced Mac OS X Physical Memory Analysis and showed us how to use his amazing ninja forensics to retrieve machine and file information from potentially compromised hosts.
Dionysus Blazakis gave an amazing talk (Interpreter Exploitation: Pointer Inference and JIT Spraying) about a new technique he refers to as "JIT spraying" to bypass DEP and ASLR using publicly-known exploits. His presentation style and the technical information were delivered with the zeal of a Dan Brown novel. The folks in Midlandia never knew what hit ‘em.
Qing Wang’s presentation on document fuzzing was quite enjoyable and was a good snapshot of how things are currently being done in this area of security research.
Vincenzo Iozzo gave a superb talk on fuzzing techniques that can be performed without knowledge of the user-input and the binary being fuzzed.
There were a lot of other talks that sounded great that we just couldn’t get to, so we’ll be poring through the papers posted on the Black Hat site to catch up. We also had a chance to make and renew friendships and partnerships.
There were a few major CERT teams attending the Black Hat DC conference. To me, this is the most valuable benefit of major conferences: getting the “right people” in a common place at the same time. There were not as many folks as at some events, such as the GovCERT.NL symposium we blogged about here; however, the time spent with government CERT colleagues was valuable indeed. In addition to national CERT related activity, we managed to catch up with a number of security professionals within volunteer and “community-based defense” groups, where we talked not only about the current technical challenges facing the community, but also about the broader social and political implications. It was interesting to hear a community that is generally focused on operational and technical matters starting to explore the broader implications of response to the threat environment, and brainstorming radical and non-standard approaches to mitigating current threats. This sort of community collaboration, with free exchange of ideas by smart people looking to revolutionize the way response is done in the future, will be interesting to watch.
As you may have heard, Washington experienced a bit of snow during the same week as Black Hat. It was actually around 30 inches (~75 cm). The snow came after Black Hat concluded, but many of us had our travel plans a bit disrupted. We were fortunate to be staying in a hotel that had power, as many people in the area had no electricity. It also gave us a great opportunity to get to know the hotel staff. This reflected one of the best things about attending these conferences. The technical presentations are always wonderful, but getting to know the people is what makes battling the elements worthwhile.
Speaking of which – we’re headed to CanSecWest in March, so catch up with us there!
- Dustin & Karl
What speaks English, Portuguese and Spanish, has a hundred sets of eyes, and battles in the defense of good against evil on a daily basis? No, it’s not the mythological Chupacabra ;-) It’s the BlueHat Security Forum: Buenos Aires Edition. With the Forum ~5 weeks away, I’m pleased to share the speaker line-up and content details for what is sure to be an eventful security briefing.
The BlueHat Security Forum has evolved from the BlueHat Security Network. Since 2004, this network has been exclusive to security researchers (both inside and outside of Microsoft) who were invited to present their findings at the BlueHat Security Briefings in Redmond, Washington. With the launch of the BlueHat Security Forum in Brussels, Belgium in 2009 and through the 2010 Buenos Aires edition, we continue working to engage key members of the worldwide security ecosystem. The BlueHat Security Forum: Buenos Aires Edition on March 18 marks the next progression of this series. We look forward to working with local security advisors in various Latin American countries to bring a forum together to enhance this virtual community.
The primary objective of the BlueHat Security Forum is to build bridges between our Microsoft Security Leadership team, key Business Decision Makers and members of the security research community. The secondary objective is to participate in candid, actionable, and constructive input from key enterprise customers that will help Microsoft produce enterprise-ready, value-returning products and services.
Presenters from Microsoft include Andrew Cushman, Senior Director, Trustworthy Computing Security; Mike Reavey, Director of Microsoft Security Response Center; Damian Hasse, Principal Security Development Manager; and Mark Curphey, Product Unit Manager. Our external presenters and colleagues from the security ecosystem include Anchises Moraes Guimarães de Paula, Latin America Threat Intelligence Analyst, iDefense; Kristen Dennesen, Intelligence Analyst and Deputy of the International Cyber Intelligence Team iDefense; Pedro Varangot, Security Researcher, Corelabs; Chris Hoff, Director of Cloud and Virtualization Solutions, Data Center Solutions at Cisco Systems; Felix 'FX' Lindner, Head of Recurity Labs; Nelson Murilo, YSTS Co-founder, as well as our various attendees from the industry that will be participating in opt-in lightning talks.
By bringing the BlueHat brand into international hotbeds, our aim is to discuss opportunities for shared goals and foster cooperation from organizations and people who at times can be seen as rivals: security researchers and vendors, vulnerability buyers and protection providers, governments and private industry. Our agenda will address:
• Organized eCrime attacks, the vulnerability economy and the global threat landscape specific to Latin America
• Effective practices for Cloud Security
• Mobile (in)Security
• The pitfalls of embedded device security in an enterprise environment
• Social networks and the Web 2.0 community
• Microsoft Security Response Center processes and integrating a Security Development Lifecycle
Post Buenos Aires, don’t forget to save the date for BlueHat v10 this October 14-15, 2010 in Redmond, Washington. Stay tuned for more updates and information to be posted here and on the BlueHat Blog.
Good morning! Joe Hemmerlein here from the Microsoft Security Response Center (MSRC). I just returned from Germany earlier this month, where I spent some time mingling with security researchers. It's customary that we share a bit of our experience at security conferences right here, on the EcoStrat blog, and this is my first posting.
Outside temperatures were around the freezing point in Berlin during the 26th Chaos Communication Congress (26C3), which is organized by the German Chaos Computer Club (CCC) and considered to be the European Hacker Con.
It’s only natural that physical borders start to blur when hackers from all over the world come together to participate in such a unique happening – 4 days and nights between Christmas and New Year – to work on projects together, give and attend talks, and have fun while suffering from collective deprivation of sleep. There is strong consensus that the latter is fought best through the influence of Club-Mate (dubbed "hacker soda" by some) which is a carbonated Yerba maté-based drink brewed in Germany. Club-Mate is the prime ingredient in the venue’s most favorite cocktail, Tschunk. This year’s conference motto, "Here Be Dragons", is a reference to historic seafaring folks who explored the unknown looking for new continents, treasures, and maybe even dragons.
The focus this year was on wireless telephony, net neutrality, the Internet protocol, and some cryptography – certainly relating to areas where Microsoft is active, but without any specific focus on our products. The titles of my personal top-five talks were Using OpenBSC for fuzzing of GSM handsets, cat /proc/sys/net/ipv4/f█ckups, Exposing Crypto Bugs through reverse engineering, WikiLeaks Release 1.0, and Security Nightmares; the latter of which was presented in German and simultaneously interpreted for non-German-speaking folks! Sessions could also be watched via a stream or listened to via the internal telephony system thanks to the 26C3 Phone Operation Center.
The recipe of communication seasoned with chaos to taste, and baked into the form of a Congress, again resulted in a unique blend of talks in the categories of society, hacking, making, science, culture and community. These categories merely give you an abstract idea of how diverse the field of hacking can be; contrary to common belief, hacking isn’t exclusively about breaking, it’s more about approaching the world in a curiously creative manner and a holistic view of how stuff works (or fails). Loads of hackers and Häcksen, the latter being a German pun on the words hacker and Hexe (which is German for witch), were just waiting to demonstrate and work on projects together, and discuss matters of, well, hacking. That Tesla coil you built for a science project brings down your Ethernet unless you use a specific packet size? How to make a Tesla coil sing the Ghostbusters theme? Responsible disclosure vs. full disclosure? Different designs and materials for RepRap 3D printer extruder nozzles you’ve been experimenting with? Dismantling conspiracy theories over a couple of beers? All it takes is an open mind, some level of determination and creativity, and you’ll leave the con not only having made new friends, but also with many new ideas on what to do until the next con. Not only did I spend time attending talks or catching up with fellow hackers on the progress of projects, there was also plenty of quality time talking shop with researchers, colleagues and other experts on the status quo and recent developments in security response.
Unfortunately, tickets sold out within a mere 12 hours. For those who didn’t get tickets or couldn’t make it to Berlin in the first place, Dragons Everywhere was an experiment that allowed locations in Berlin or somewhere else on this planet to hook up to the congress network via VPN for remote participation. As most of the talks were recorded and released under a Creative Commons license for everyone to download legally, please excuse me now while I play catch-up! :-) See you next time!
-Joe Hemmerlein, Security Program Manager
It was in that capacity that I was privileged recently to attend the GovCERT.NL symposium, hosted by the Dutch Government CERT in the city of Rotterdam. What an event! The Dutch government CERT, GovCERT.NL, put on a truly world-class event. I cannot recall ever having been to an event so well-polished and professionally presented. The program was rich, varied, and robust, with a number of international and domestic speakers. But for me, the highlight was the interaction in the CERT community.
Although the symposium is primarily focused on meeting the needs of GovCERT.NL’s constituents, the attendance from much of the international CERT community makes the event all that much more dynamic. The national CERT community is a thriving and robust effort, allowing teams across national borders to work together and deliver collective results to provide more protection to the ecosystem. If you are in government, law enforcement, or industry and you don’t know your national CERT, you don’t know what you are missing! I was fortunate enough to meet with quite a number of national CERTs during this event from the European region and as far afield as Asia. This was most useful, as the MSRC is looking to engage more strongly with the community of national CERTs. In addition, Mike Reavey, Director of the MSRC, was also able to attend, and not only sat on a panel, but also spent time talking in depth with several CERTs about the issues facing the CERT community as well as how to develop better working relationships. It is this open dialogue and the coalescence of like-minded individuals that tends to be a hallmark of CERT-based events. In addition to formal meetings on the days before and after the symposium, it was clear that the global CERT representatives present were spending quality time sharing techniques, discussing common strategies, and building stronger interpersonal relationships. It is still the case that interpersonal relationships are the life-blood of this community, but there have also been some strong moves towards establishing organizational-level relationships with increasing bilateral and multilateral formal relations. I am keen to watch this grow, and will assist where I can.
I consider these groupings of CERTs to be invaluable. We have all heard that the Internet is a global thing, with no concept of borders or jurisdiction. While this may be the case, it also implies that there is no one responsible for looking after the problems on the Internet. I see the Internet as a global ecosystem, and in any ecosystem you need those who keep order. That is where I see the role for the national CERTs: tackling the problems of the Internet on a nation-by-nation basis. It is something that every country can do, take responsibility for their “own patch”; it is the Internet version of “think globally, act locally”. It is important also to realize that Internet security is not a problem that can be fixed by law enforcement, or any other group, alone. CERTs perform an important role, not only providing advice and guidance, but also assisting with coordination and remediation. A CERT from one country knows that they can reach out to a trusted partner in another country to resolve an issue, and that means the CERT only needs to know their own constituents and their fellow CERTs. In the absence of such a network, every CERT would need to be able to communicate with every organization, and potentially every individual, to resolve issues.
For a great practical example of a CERT working locally to assist in protecting the global ecosystem, I would recommend that you look at the work being done by CERT-FI and their Autoreporter service. This service is a great example of a CERT, working with feeds from the global community, taking responsibility for their constituency and working to remediate the threat within their own borders. This is the sort of work I feel all CERTs globally should be looking to when considering how to be an effective and contributing member of the global security community. This sort of activity has helped the Finnish IP space become one of the “cleanest” in the world, as called out in the recent Microsoft Security Intelligence Report volume 7. Great work, CERT-FI!
I hope to see those national CERTs, who are not already a part of Microsoft Security Cooperation Program for CERTs (SCPcert), look at joining this initiative, as a first step in building a deeper and more substantive operational relationship with Microsoft. It is from the bedrock of this program that I hope to find new and innovative ways to assist the CERT community in the shared responsibility of protecting the ecosystem.
In conclusion, the GovCERT.NL event was great to attend. It gave me a quick refresher on just how much potential there is within the CERT community globally to work together, and with industry, to increase the level of ecosystem-wide security. I am looking forward to my part in working with and helping foster this important community.
-Karl Hanmore, Senior Security Strategist
Celene here from the MSRC Ecosystem Strategy Team. BlueHat v9: Through The Looking Glass ended just over a month ago and the success of the con lives on due to the outstanding training and networking between Microsoft employees, external speakers, and guests. I'm happy to say that the speaker video interviews and selected recorded presentations are now live on the BlueHat TechNet Page. As promised, we have posted talks from every track block. The samples available are from the e-crime, cloud, mobile and fuzzing content blocks.
As you probably know by now, BlueHat is primarily about educating our own Microsoft population so we can better understand how to build more secure products. The more we know about the security ecosystem, the more we at Microsoft can truly comprehend and assess our security reality. Our secondary goals are to build bridges and bring transparency to the security community to facilitate positive information exchanges.
One way we measure how well we are meeting our goals is through surveying our attendees. Here are some of the survey highlights from BlueHat v9 that I want to share with you.
Survey Results for BlueHat General Sessions:
W00t! Strong numbers like those make it all worth it, I tell you! Big thanks to all our speakers and now new members of the BlueHat network, the BlueHat content review team, and Dana Hehl for making everything look so easy.
Mark your calendars! The next BlueHat is October 14-15, 2010. See you all there.
BlueHat Project Manager
PacSec had a lot of the Japanese security scene in attendance (the local powerhouses are pretty sharp and savvy) along with international researchers and past BlueHat speakers, Charlie Miller and Alex Stamos. Take a minute to check out archived presentations from our own Tony Lee introducing the SIRv7 and Jason Shirk discussing fuzzing strategies. But the biggest interest concerned mobile code threats such as malware and how the perimeter defenses are fading away as a viable protection. This seems to be a hot topic everywhere, so hot that the just wrapped-up BlueHat v9 con had an entire track dedicated to mobile security, and in June 2010, at the annual FIRST Conference, how the perimeter defenses are fading away will be the theme for the whole conference.
It’s a cyclic state when it comes to the effectiveness of protections. I remember back in the 80s and 90s when the firewall was going to fix it all. But like everything in life, things evolve and the firewall became a part of a complex mesh of other technologies created to evolve with the threats.
This cyclic and evolving process is something we know a lot about here in Microsoft. The continued security evolution built the MSRC process and the Security Development Lifecycle (SDL). This is how we had to react to threats.
Visiting POC 2009 and PacSec, I got more of a sense of how people outside Microsoft evolve and react; most created either more complex processes or bought more technologies. As I was sitting at POC 2009 watching the presentations, I saw the same theme here as well. It seems that with the evolution of threats, security people everywhere are throwing up more complex processes and technologies. But what happens when the complexity we have created outstrips the problem? I can see that we are always going to have the technological challenges of new threats.
Take Conficker, for instance: a new threat that helped every security professional evolve because of its complex nature. However, something else happened with Conficker that really turned on a light in my head. Conficker took advantage of old threats and of lapses in long-standing security best practices. The fact that Conficker used these old threats and was still widely successful in getting past our complex processes and technologies is interesting.
I couldn't help asking myself this question: could it be that, because of our complexity, we have failed to take into account past experiences? I don’t think so. I think what we may have done is forgotten one or two primary security factors. Those factors are “people” and “process”. People management for security is a key tenet of any type of security plan. This fact has been proven everywhere and in every field, including computer security.
If your plan does not take into account an understanding of the human factor and what it means to your security process, you are missing an important point. Understanding the “people” factor will help you in the next important part of the security plan, which is the process part.
Sitting down at PacSec and POC 2009, I see that we have a firm grip on the technological-advancement front. The presentations at both conferences were excellent technically and on the cusp of new developments. But I still believe that a more focused approach on the “people” factor of computer security would do more to enhance the security than technology advancements will.
Here at Microsoft we are looking in that direction as we look at the technological enhancements coming to the continent of Africa. Here is a place where we will have the chance to stress a focus on the “people” aspect while building up the processes to take advantage of the new technologies afforded the populace. Hopefully you’ll be seeing more of this model in future posts from me as this new initiative develops. But for now, make sure to look at the “people” factor as you create, modify or react to problems in the security landscape. It may surprise you what fresh new perspectives and solutions it gives you.
BlueHat v9 will take place from October 21 to 23 at the Microsoft campus in Redmond. Last year, we experimented with a day dedicated to attacks and a day dedicated to SDL security mitigations. This year, we will give you the best content out there… we are interweaving talks from internal and external security subject matter experts with themes related to e-crime, mobile security, cloud computing, and fuzzing.
We kick it off with the BlueHat Executive Sessions on October 21 with condensed versions of the presentations delivered in a deeply technical "Cliff Notes" style. October 22 and 23 are filled with BlueHat General Sessions for our Microsoft IT pro and developer population.
As a refresher, this conference is primarily about educating our own Microsoft population so we can better understand how to build more secure products. The more we know about the security ecosystem, the more we at Microsoft can truly comprehend and assess our own security reality.
We were able to record talks and deliver them to the masses on the Web for BlueHat v8 -- we'll continue this momentum and keep the "technical equivalent of those free online courses from MIT" coming for all attendees. You can also count on the usual speaker video podcasts, anecdotes, archives, and new to BlueHat v9, the first BlueHat Training Video examining Office Binary File Formats, content provided by our benevolent counterparts on the MSRC Engineering Team.
As always, I’m incredibly excited to see the amazing security education, partnerships, and networking opportunities that come out of our community-based defense platform. Like Alice going through the looking glass to get to Wonderland, we have to change our perspective to understand the threat landscape. Should Alice want to send a message back to Bob in the real world, it’s up to all of us to keep Eve out of the conversation. ;-)
Here’s a brief overview of the talks and speakers. Full details will be available on the BlueHat web site within the week.
October 22, 2009
Morning Block: Hyper Reality: Who’s Been Painting My Roses Red?
Tumble down the rabbit hole with us as we kick off the BlueHat v9 General Sessions examining e-crime motivation, attacks, and how to navigate through the mounting social engineering aspect of security coverage. We kick off with Jose Nazario taking a deep dive into DDoS attacks and their growing role as an online political weapon in Politically Motivated Denial of Service Attacks. Next up, Adobe’s Peleus Uhley and our own Jesse Collins will scrutinize the great power and responsibility that comes along with those flashy Web applications in RIA Security: Real-World Lessons from Flash and Silverlight. We then wrap up the morning *Cheshire Cat grin* exploring a little flaw by the name of ATL in The Language of Trust: Exploiting Trust Relationships in Active Content, by Ryan Smith, Mark Dowd and David Dewey.
Afternoon Block: Mobile (in)Security: Curiouser and Curiouser
As more people onboard themselves to smart mobile devices our wonderland certainly has gotten curiouser and curiouser. Take a ride with us as Luis Miras and Zane Lackey uncover Attacking SMS and show us how easy it is to be a victim when there is hardly any user interaction needed to fall prey to attack. Next up, our own Josh Lackey will serve some of the teacups of goodness and tell us what is on the horizon with Mobile Security and Software Radio. Charlie Miller will then show us how to stand on our heads and use automated fuzzing on the iPhone and outline the vuln he found as well as how to exploit it in iPhone SMS Hacking with a Touch About Payloads. Last, we will hear from Patrick McCanna of AT&T Security as he gives us an overview of security threats that face mobile operators in Mobile Operator Security: Security Challenges for Global Networks for Pocket-sized Devices.
October 23, 2009
Morning Block: Cloud Services & Virtualization: Up Above the World You Fly, Like a Tea Tray in the Sky…
Kicking off day 2, we find ourselves up in the clouds, quite literally. In Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure, Chris Hoff of Cisco takes us on a journey where we learn some really scary things happening with the massive convergence of virtualization and cloud computing and their effect on security models and the information they are designed to protect. Our own Mad Hatter, John Walton, will walk us through advantages and challenges within the Microsoft Software-plus-Services model in Get Your Head Out of the Clouds: Security in Software-plus-Services. Flying up even further, Robert Fly takes us on a journey highlighting unique aspects of building enterprise-ready cloud services and how to avoid the torrential rainfall of unforeseen problems in Creating Clouds: Avoiding Rain In The Transition From On-Premise To Services. We then wind up the block with past BlueHat speakers Billy Rios and Nitesh Dhanjani engaging us in new discussions on the security implications and magic mushrooms that are likely to affect the cloud platforms and their clients in the near future in Sharing the Cloud with Your Enemy.
Afternoon Block: Fuzzing Tools & Mitigations: Chasing the White Rabbit
As we end our adventure through the looking glass, our Google friends Tavis Ormandy and Neel Mehta will paint a picture of how their technique of sub-instruction profiling uncovered multiple vulnerabilities in Windows. Next up, we get to take a peek Under the Kimono of Office Security Engineering with our own Tom Gallagher and Dave Conger as they show us a framework built by the Office team to efficiently fuzz any file format parser. The final session before hearing from our guests in the security community amongst the ill-fated gong of our lightning talks will be Chris Weber’s Character Transformations: Finding Hidden Vulnerabilities. This talk will cover ways in which latent character and string handling can transform clever inputs into malicious outputs in cross-site scripting.
We will continue to update the BlueHat blog and the TechNet site to keep you current on the happenings during and around the conference. See you in Wonderland!
When complex security issues that affect multiple vendors arise, calling them “challenging” is an understatement. We created the Microsoft Vulnerability Research Program (MSVR) to meet those challenges, learn from those experiences and strengthen the ties of our community of defenders across the industry in the process. As the state of software security matures beyond straightforward issues such as buffer overflows and elevation of privilege, we are working diligently towards a new level of cross-industry collaboration on a scale never seen before. We must do so in order to provide our mutual customers with the best possible experience on our platform.
Our relatively young MSVR program, now celebrating its first birthday, had to meet several firsts and open questions head-on:
· How do we maintain and respect the overarching tenets of Responsible Disclosure while sharing the issue outside of Microsoft?
· How do we communicate openly and directly with multiple impacted parties without putting customers at risk through a potential broad disclosure before mitigations are available?
· How do we explain an issue we had come to understand very well to third parties that may not share our technical history or our security response methodologies and practices?
· Can we coordinate across the industry so that everyone moves toward the same goal of addressing the problem, despite differing development practices and engineering timelines?
The talented security researchers who reported the issue to Microsoft had done so responsibly, with the goal of improving the ecosystem and helping us protect our customers. At the same time, it became clear to us that this was an industry-wide problem, and that the best way to secure the ecosystem was to notify affected vendors while engineering efforts were under way here in Redmond. Microsoft supports Responsible Disclosure, which aims to give affected vendors the chance to understand and resolve their respective issues before the details are discussed publicly. In this instance, MSVR's actions demonstrated a variant of responsible disclosure recently dubbed "partial disclosure": we alerted third-party vendors whose controls we believed had been compiled with our vulnerable ATL headers. In the past year of MSVR operations we have acted in the Responsible Disclosure roles of Finder and Coordinator. The ATL issue required us to act in both of those roles, and in the role of affected Vendor as well.
While we knew we had to disclose technical details to a broad group, the clock was also ticking: more and more details about the issue were being discussed, and independently discovered, in the security community. The original researchers who reported the issue to us worked with us diligently and patiently, continuing to act responsibly with what they knew about the problem, while we developed a process and technical tools to analyze our own controls and look for a solution. In parallel, we began identifying and analyzing the most commonly deployed controls that had been developed by other vendors. At that point we felt we had a viable way to individually engage as many of the affected vendors as possible and discuss how the issue applied to their potentially vulnerable controls.
Because of their potential scope, library vulnerabilities can stir uncertainty and concern across the industry, so we focused our efforts on understanding the true depth and breadth of the impact. Our analysis indicated that the vast majority of the controls that would affect our users could be addressed by a few key vendors in the ecosystem. With this in mind, MSVR reached out to the vendors with the broadest footprint in the ecosystem that we believed were affected by the issue. We were also confident that the defense-in-depth engineering solutions being worked on here at Microsoft would help safeguard against attacks and give other vendors more time to modify and recompile their own controls.
Overall, our goals and objectives were straightforward, if not exactly effortless, and required us to apply many of the key lessons the MSRC has learned over the years. Once we distilled the actions and goals down to their most elemental levels, it became clear we had to move quickly on several fronts, including:
· Coming up with our own defense-in-depth solution to help protect customers and mitigate the threat.
· Quickly identifying the affected third-party vendors whose controls we believed had the broadest impact on our platform.
· Finding the right security contacts at the vendors who met those criteria.
· Packaging the vulnerability information and disseminating it to them securely.
Our goals in doing so were to:
· Alert as many vendors with affected controls as possible that there was an issue with ATL.
· Provide the third-party vendors with the technical details they needed to analyze all of their controls for the vulnerability.
· Support the third-party vendors in their analysis, answering their questions and clarifying the issue when necessary.
· Coordinate with the major affected third parties on the release of updates and on guidance for our mutual customers.
We learned a lot during this process. Evolution requires changing the way we think and the way we act, and that change leads to growth; we will incorporate these lessons into MSVR processes going forward. We have formed stronger relationships with organizations that MSVR has worked with on other issues in the past, and we have forged many new bonds with security teams across company boundaries. Overall, we are very pleased with the positive industry response, and we salute our counterparts in the security organizations of all the third-party vendors we worked with during this historic collaboration, including but not limited to Adobe and Sun. We are also incredibly thankful to Ryan Smith and David Dewey, the original security researchers who reported the issue to us responsibly; this was a multidimensional challenge that required significant patience and understanding on their part while we determined how best to address the problem.
As we move toward the next challenges on the security horizon, we can anticipate deeper integration among the community of defenders, whether they work for Microsoft or for a third-party vendor, and whether they are security researchers or members of a CERT. In short, we can expect more collaboration. Progress in securing our platform, such as that made with our own SDL, will naturally push attacks toward greater complexity and greater dependence on how applications interact with each other and with the underlying operating system, and that will require all of us to look past our company logos and focus on the shared threat horizon.
We are Adrian Stone, who ran the ATL coordination and has been the driver of the MSVR program since July 1, and Katie Moussouris, founder of the MSVR program. Together with the security community, we look forward to advancing community-based defense and helping to usher in this new age of collaborative security for the good of all our customers.