The Security Research & Defense blog is intended to provide in-depth information to help keep customers more informed about security efforts at Microsoft. The blog provides information from the Microsoft Security Response Center (MSRC) Engineering team about vulnerabilities in Microsoft products, mitigations and workarounds for vulnerabilities and information on active attacks. Additionally the blog provides information about new security defenses and tools that the Microsoft Security Engineering Center (MSEC) Security Science team is working on.
MSRC Engineering discovers information during technical investigations into software security issues. Examples of the type of blog posts they make include:
As always, Microsoft security bulletins or security advisories are the ultimate authority for security issues, but we’ll include juicy spill-over technical stuff in the SRD blog.
MSEC Security Science develops more effective and scalable ways to find vulnerabilities, researches and applies innovative exploit mitigation techniques to Microsoft products, and focuses on tracking and providing early warning of new exploits. Examples of posts they publish here include:
We carefully review technical information prior to posting so that the content does not provide an advantage to someone with malicious intent. Helping to keep our customers more secure and well informed is our number one priority.
Comments are turned off since frankly, we’re concerned that if comments are allowed, we may see some inappropriate ones. Please do (emphatically) email your questions, feedback, and comments about the blog to us at firstname.lastname@example.org. While we can’t promise to address every comment, we will address comments in the blog as appropriate.
For more information please see the following links:
About the Security Research & Defense Bloggers:
Kevin Brown Bio: Kevin has been programming since he discovered BASIC on his TI-99/4A as a kid. As a BBS sysop in the 90’s, he learned the need for security first hand. Several years ago, while confined to the couch with a debilitating injury, he entertained himself by writing his first security tools. After making a full recovery, Kevin decided getting paid to do security work would be even better. He now enjoys studying the root causes of vulnerabilities and looking for new and interesting ways to protect our customers and make our software more resilient to attack. Kevin lives in Kirkland with his family and their small herd of cats.
Brian Cavenah Bio: Brian Cavenah is a Security Software Engineer in the MSRC Engineering team at Microsoft. He enjoys taking thing apart and putting them back together again which explains his fulfillment in discovering, exploiting, and securing software vulnerabilities. Brian enjoys being here in Seattle, and would like to someday build a high-tech greenhouse.
Chengyun Chu Bio: Chengyun Chu, security software engineer in MSRC Engineering. His first encounter with malware happened during a course project when his FORTRAN program (edited so painfully using EDLIN in DOS) was wiped out without his approval. Ever since, he swore to defend his machine, and finally located his dream job at Microsoft, on the MSRC Engineering team. He loves hiking, badminton, and PC games like warcraft/starcraft. His latest favorite toy is the Wii. Sorry Xbox 360.
Bruce Dang Bio: During the day, Bruce works in the Microsoft Security Response Center Engineering group and dedicates his time to protecting customers from various types of malicious software on the Internet. Sometimes this involves helping customers write generic signatures to detect exploits at various layers in the stack. At night, he reads non-technical books and sleeps. Once in a while, he analyzes random file format exploits. In his free time, he enjoys reading and learning about computer security, linguistics, philosophy, and history.
Matt Miller Bio: Matt Miller has been an active member of the security research and development community where he focuses primarily on areas relating to exploitation technology and reverse engineering. Matt joined the Metasploit project in 2004 and contributed to the advancement of the Metasploit framework. Some of these advancements included the Meterpreter, VNC injection, and his work as a core developer on Metasploit 3.0. Matt is also an editor and contributor to the Uninformed Journal which is a free, community-driven outlet for new research. Matt's contributions to the journal have included papers on bypassing PatchGuard and DEP, as well as other techniques that can be used to improve or inhibit exploit reliability. In addition to his work with Metasploit and Uninformed, Matt also developed a functional implementation of Address Space Layout Randomization (ASLR) for Windows 2000, Windows XP, and Windows Server 2003 prior to the integration of ASLR into Windows Vista. Matt recently joined the Microsoft Security Engineering Science team where he is currently focused on program security analysis and exploit mitigations.
Jonathan Ness Bio: Jonathan Ness leads the MSRC Engineering team of software security engineers at Microsoft. He joined Microsoft in March 2003 as a member of the MSRC Engineering (then Secure Windows Initiative (SWI) Attack Team). He and his defense team generate mitigations and workarounds for use in the montly Microsoft security bulletins, detailed vulnerability documentation for MSRC cases, and act as engineering technical lead for the Microsoft company-wide Software Security Incident Response Process (http://www.microsoft.com/security/msrc/incident_response.mspx#ESB). Things Jonathan loves about Microsoft:
Outside Microsoft work, Jonathan thinks about security pretty much all the time. One weekend each month and several weeks each year, he participates as a member of a reserve military unit helping to protect DoD networks. Jonathan has written two books - Gray Hat Hacking (published in 2004) and Gray Hat Hacking, Second Edition (2008). In his spare time, he enjoys his video editing hobby and mentoring youth at his church. He lives a bit north of Redmond with his wife Jessica and their cat Chewey.
Lars Opstad Bio: Lars Opstad, Principal Security Development Manager, manages a part of the Microsoft Security Engineering Center (MSEC) Science group. His team develops tools and techniques to help product teams within Microsoft find security vulnerabilities and automate the Security Development Lifecycle. As these tools become ready for broader consumption, we also release them externally, such as the SDL Threat Modeling Tool, Binscope and !Exploitable.
Fermin J. Serna Bio: Fermin J. Serna is a Security Software Engineer in the MSRC Engineering team. Prior to joining Microsoft, he spent 7 years in Spain working as a Penetration tester and lately running his own company in the security field. He has collaborated with US-CERT in the responsible disclosure of several vulnerabilities, such as CA-2002-12 for ISC-DHCP, and published documents on exploitation techniques on rare architectures such as SPARC and PA-RISC. He loves security, coding, challenges, and chess.
Gavin Thomas Bio: Gavin Thomas (Senior Security Software Engineer) joined the MSRC engineering team in 2006 where he specialises in protecting Microsoft Office and building state of the art fuzzing capabilities. Localised brownouts occurring when Gavin cranks up his latest fuzzer are purely coincidental. Prior to joining Microsoft, Gavin worked as a Cyber Security Specialist for the UK Government. Gavin and his family currently live in the UK.
Matt Thomlinson Bio: Matt Thomlinson is the Senior Director of security engineering in the Trustworthy Computing Group at Microsoft. His teams are responsible for proactively implementing tools and processes to help secure Microsoft products and services, like the Security Development Lifecycle (SDL), as well as reacting to the technical aspects of security response. Matt also leads a security research group that is charged with furthering security science in order to better secure products and develop new vulnerability mitigations for products.
Mark Wodrich Bio: Mark Wodrich is a Security Software Engineer in the MSRC Engineering team. He spent several years working on various networking technologies at Microsoft before joining MSRC Engineering, which explains why he has fond feelings for all network-based vulnerabilities. In his spare time he enjoys travel, hiking and snowshoeing, good food and wine.
Greg Wroblewski Bio: Greg Wroblewski, Senior Security Software Engineer, drives technical side of the security response process at Microsoft. His experience at breaking things started at the age of three, when he successfully broke a power outlet. Surviving this achievement he decided to move his attention towards low voltage devices. Guided by his parents, he eventually settled on software breaking and protecting techniques. Currently as a member of the MSRC Engineering team he is well known for always keeping his development environment updated with newest malware available. Since the time of the WMF vulnerability outbreak, he now keeps his office equipped with a reasonable amount of water, MREs and fire logs. Always prepared to keep customers secure.
David Ross Bio: David Ross is a Principal Security Software Engineer on the MSRC Engineering team. David lives and breathes browser and web application security. Prior to joining MSRC Engineering in 2002, David spent his formative years at Microsoft on the Internet Explorer Security Team and wears the battle scars with pride. David’s blog:http://blogs.msdn.com/dross