After launching yesterday, the Beta for Microsoft Security Essentials has filled up – see the screenshot below.  This first Beta was limited to 75,000 participants within some targeted geographies and it is encouraging to see this target achieved in such a short time.

Though I have not been directly involved with Morro (or any other anti-malware products), I am excited to see Morro (Microsoft Security Essentials, http://www.microsoft.com/security_essentials/) reach the next stage of development by releasing as a Beta package.

I personally think that Microsoft Security Essentials is a significant step forward in helping make the Internet a safer and more trusted experience for the average user.  That may seem strange, given how long the industry has been around and given that there are already several free antivirus solutions available, for those that have even a slight technical interest in finding them.

I’ve shared my experience and opinion in the past about how the business anti-malware industry drives vendors to optimize towards businesses and away from consumers, so I won’t dig into that, but I do think there are some key points worth reviewing.

1. Barriers exist for “home user” protection.   Unfortunately, many barriers to quality PC protection remain for consumers, both in mature and emerging markets where many threats originate.  If you are the “free IT support” for your family and friends, then you already know what I’m talking about.

My Mom’s PC came bundled with trial security bundle where different components were fully enabled for some months, while other protections were partially enabled and yet other components required an upgrade to be enabled.  Bottom line?  Customers are confused by trials and annual subscription renewals, in many cases believing their PCs are covered when in fact their subscriptions have expired and they are not protected.

And also, let’s be frank, certain members of my family are just never going to pull the trigger on some of the online subscriptions that are available, even if they could figure out which ones are legitimate and which ones are actually disguised malware or unwanted software.  And upgrades or updates?  Please.

2. Threats continue to grow and evolve.  E-mail threats continue to grow and evolved and since many of these are now blended threats involving web sites and some aspects of social engineering, they are even becoming more platform agnostic.  By some measures, over 97% of e-mail messages sent over the Internet fall into the “unwanted” and unsolicited category.

Of course, since my Mom and yours are more aware of security issues than they were 10 years ago, malware developers have begun heavily leveraging “fake security software” and social techniques to target consumers and get them to voluntarily deploy their unwanted software.  By providing an easy to find, easy to deploy solution from a known brand like Microsoft, Microsoft Security Essentials can help provide some basic, well, essentials to help fight this issue.

3.  Too Many Users Need More Protection.  Ultimately, the evolution of threats and the barriers for home users combine to create a situation where many users need more protection.  This is not just a threat to those users, but represents a threat to the broader ecosystem when these systems are at risk of catching and spreading malware.

Key Principles

I’ve talked with the product teams about their driving principles and I think they are spot on for what home users need:

• Essential Features that are necessary to enable a safer and more trusted Internet experience.
• Real-time and scan detection and cleaning
• Live Kernel Behavior monitoring (leveraging technology acquired from Komoku)
• Improved anti-stealth functionality – (‘rootkit revealer’ style scanning)
• Rootkit removal
• Standalone boot scanning (boot to a preinstall environment to scan while completely inactive)
• Frequent Dynamic Signature updates
• Dynamic update capability (no wait for next “full signature” release)
• Heuristics with pre-execution program emulation
• Ability to quickly address false positives with the dynamic update capability
• Easy to Get, Easy to Use
• Will be easy to find from a trusted location on microsoft.com
• No cost, not trials or expirations
• Smart default configurations including a dark hours update schedule
• Daily updates
• Quiet Protection
• Lightweight design, tuned for performance
• CPU throtting
• Fewer interruptions – no “information only” UI, only when action is needed
• Deep and Broad Research Team
• Led by Vinny Gullotto (long time personal colleague back to our days at McAfee)
• One of the best, most experienced anti-malware research teams in the industry, built up by Vinny over the past few years.  Truly, though Microsoft has been in this space a short while, the team members that Vinny has assembled have been helping make the Internet safer for pretty much forever.

Final Comments

Let me emphasize that this is just a Beta, so hopefully there will be warts.  Yes, I say hopefully, because the purpose of a Beta is to get a lot of folks engaged to find those warts and report them so that they can be fixed before the product is released.  Having said that, my next step is to install Morro on my home computers tonight and see if I can talk my Mom through installing it on her home machine 2000 miles away.  Those two experiences should give me some great feedback that I can feed to the Microsoft Security Essentials team to help improve the Beta for final release.  I’ll likely share those experiences with you here on the blog.

I also ask you to try it out and share your thoughts and feedback with me.  I have a fair amount of product management experience and I’m happy to distill your various feedback down into some core requirements and then deliver it directly to the product team.

This is that latest in a series of steps over several years that I think is helping make tangible progress for making the Internet safer and more trusted for many users:

• Lots of security improvements in Windows XP SP2.  Remember the days before pop-up protection was introduced into IE6 in XP SP2?  Remember when you kept the personal firewall turned off?
• Windows Defender.  Breaking ground for Essentials, Defender helped raise the bar even it it’s Beta stage.
• Defense-in-depth security features in Windows Vista and the upcoming Windows7.  Say what you want about Windows, security researchers and data are showing that it raised the security bar.

Best regards ~ Jeff

If you are involved in Patch Management, I’d like to ask for your help and participating in Project Quant. 

Since launching in April, we’ve made some good progress in developing a high level patch cycle and have had some great participation on the forums in exploring the details of the functional elements.

Now we are at a stage where we want to gather information in the context of the Patch Cycle that the community is starting to build consensus around and with that in mind, we’ve launched an open survey at http://www.surveymonkey.com/s.aspx?sm=SjehgbiAl3mR_2b1gauMibQw_3d_3d which we’d love to have your partcipation with.  [NOTE:  The survey was developed openly too and you can see the forum discussions if you are interested.]

The goal is to gain an understanding of what people are really doing with regards to patch management, to better align the metrics model with real practices.  We're doing something different with this survey. All the results will be made public.  We don't mean the summary results, but the raw data (minus any private or identifiable information that could reveal the source person or organization).  Once we hit 100 responses we will release the data in spreadsheet formats.  Then, either every week or for every 100 additional responses, we will release updated data. We don't plan on closing this for quite some time, but as with most surveys we expect an initial rush of responses and want to get the data out there quickly.  As with all our material, the results will be licensed under Creative Commons.

We will, of course, provide our own analysis, but we think it's important for everyone to be able to evaluate the results for themselves.  All questions are optional, but the more you complete the more accurate the results will be.  In two spots we ask if you are open for a direct interview, which we will start scheduling right away. Please spread the word far and wide, since the more responses we collect, the more useful the results.

If you fill out the survey as a result of reading this blog post, please use JJBLOG as the registration code. This is optional and won't affect the results, but we think it might be interesting to track how people found the survey, and which social media channels are more effective.

As with the rest of this project, the results will be up at http://securosis.com/projectquant.

Best regards and thanks, Jeff

Although we posted some of our initial thoughts, and have been getting some great feedback from everyone, Rich and I realized that we need a standard patch management cycle so that we can break apart the different parts of the project, so that they can be considered separately and in detail.

Rich has researched several other patch management cycles, and posted a graphic that represents a tentative granular cycle that enables us to move forward.  Clicking on the image will take you to the Project Quant project page and Rich’s original post, which also provides a brief description for each component shown on the graphic.

Also, I want to make sure that you know the Project Quant Forum pages are up and active.   Thanks to DS, Dutch, Daniel, Allen and others that have shared their expertise on the “initial thoughts” thread.

RSA Conference 2009 Webcasts – Day 4 Keynotes (Friday)

There is only a relatively small group of people that stay all the way to the end of the RSA Conference to see the final Friday keynotes, but they were worth the wait.   I can honestly say the two afternoon keynote sessions were my favorite ones of the whole week.  See my previous post: Cheswick and Thompson ‘Securin Ain’t Easy’ Rap Video @ RSA 2009 about the first keynote.

And the final keynote?  … Jamie Hyneman and Adam Savage of the Mythbusters television show.

These guys are great.  If you’ve never seen an episode on the Discovery Channel, then check out a few of the clips on the Mythbuster Youtube landing page.

To give you a flavor of the interview, here is an actual question asked of Adam and Jamie by host Bill Duane:  What is the coolest thing that you’ve ever blown up?  The question comes near the end of the video, fyi.

[click photo to open video]

Jamie and Adam also brought along a video collage they had put together with some “goof reel stuff” and what they referred to as “explosion porn.”  It was fun to watch, but unfortunately, that video clip was not allowed to be in the webcast.  Still I think you’ll enjoy the segment, which is about 35 minutes long.

Regards ~ Jeff

RSA Conference 2009 Webcasts – Day 4 Keynotes (Friday)

There is only a relatively small group of people that stay all the way to the end of the RSA Conference to see the final Friday keynotes, but they were worth the wait.   I can honestly say the two afternoon keynote sessions were my favorite ones of the whole week.

Why?

How about this?  Dr. Hugh Thompson (of People Security and the Hugh Thompson Show) and firewall legend Bill Cheswick do a rap video… sing it with me now “…There were patches, breaches, lots of data leakage…”

[click photo to open video]

After the introductory rap video, Hugh had some great guests that talked a real life identity theft incident that happened last year where a hacked Facebook account was used to get Facebook friends to urgently send money to help their friend who was “stuck in London with no money to get home.”  Watch the video, I’m sure you’ll enjoy it.

Regards ~ Jeff

The RSA Conference team has done an excellent job of making videos available this year for those that could not attend the conference live. Plus, like watching your American Idol on your DVR, you can easily skip past the parts you find boring and just focus on the exciting stuff.

(Again, if you haven’t watched it, I encourage you to watch the Opening ceremony from day 1.)

• Brian J. Truskowski, IBM Global Technology Services
• Philippe Courtot, Qualys
• Dave Hansen, CA

The RSA Conference team has done an excellent job of making videos available this year for those that could not attend the conference live. Plus, like watching your American Idol on your DVR, you can easily skip past the parts you find boring and just focus on the exciting stuff.

(Again, if you haven’t watched it, I encourage you to watch the Opening ceremony from day 1.)

The keynote webcasts for Wednesday:

• Melissa E. Hathaway, National & Homeland Security Council
• Panel Discussion, Information Governance
• John Chambers, Cisco Systems
• Dave DeWalt, McAfee
• Brian Smith, Ph.D., TippingPoint
• James Bamford, Author of “The Shadow Factory”

The RSA Conference team has done an excellent job of making videos available this year for those that could not attend the conference live. Plus, like watching your American Idol on your DVR, you can easily skip past the parts you find boring and just focus on the exciting stuff.

RSA Conference 2009 kicked off with a video honoring Edgar Allen Poe and tying Poe to cryptography, which led into an awesome dual violin performance that I thoroughly enjoyed (do not skip the opening ceremony video!)

The keynote webcasts for Tuesday cover:

• Opening ceremony (Poe video & dual violin performance)
• Art Coviello, RSA/EMC
• Enrique T. Salem, Symantec “An Environment of Increasing Complexity and Risk”
• Scott Charney, Microsoft  “Moving Towards End to End Trust: A Collaborative Effort”
• The Crypotographer’s Panel
  • Whitfield Diffie
  • Martin Hellman
  • Ron Rivest
  • Adi Shamir
  • Bruce Schneier
• Lieutenant General Keith B. Alexander, NSA/CSS

(If you care ;-) I particularly recommend and point you to the following:

• The Opening Ceremony video – I just liked it.
• Scott Charney’s webcast if you have an interest in End to End Trust, as he does a good job of laying out why it is needed and why it must be solved as a collaborative effort by the entire industry.
• Martin Hellman on the Cryptographer’s Panel, which follows up on a them I loved last year (read RSA Crypto Panel: Martin Hellman on 0.01% Events) concerning Low Probability High Impact events. 

Click on the Webcast image above, or here to go to the webcast page.

I am pleased today to announce a project that I have been working to get going for a little while – Project Quant – an open model/method development project being done in conjunction with Rich Mogull of Securosis with the goal of developing a cost model for patch management response that accurately reflects the financial and resource costs associated with the process of evaluating and deploying software updates (patch management).

For me, this is a convergence of two passions that I have in my job and the work I do:

• Helping establish objective metrics for security, and
• Providing tools that are useful to customers

I’ve spoken with a lot of Microsoft customers and found that within the IT departments, they have a strong desire for metrics that help them drive their day-to-day business.  Many of my past analyses and reports were developed with this in mind, but they tend towards the technical and less towards the business aspects of security.  If we know two software companies both fixed 50 vulnerabilities last year, while that might tell us something about the software, that doesn’t tell us about how it impacted different customers in terms of work required or resources. 

As a small (incomplete) example, here are some things that would affect the IT departments:

• How many updates were the fixes bundled into and when were they released?
• Do the vulnerabilities affect software I have in production or not?
• What were the severity ratings and what is my policy with respect to severity ratings?
• How many people work in patch management for my company and what are their roles?
• What sort of tools do I have for deployment?

I think what is needed is a model that captures these and many other aspects of patch management policies and operational realities that is also flexible enough to model small businesses as well as very large corporations.  Project Quant is an effort to get the ball rolling in that effort.

Regards ~ Jeff

Initial Project Quant news coverage:

http://blogs.zdnet.com/security/?p=3151

http://www.darkreading.com/security/management/showArticle.jhtml?articleID=216500918

http://threatpost.com/blogs/microsoft-unveil-patch-management-metrics-project

http://www.eweek.com/c/a/Security/Microsoft-Analysts-Team-Up-to-Improve-Patch-Management-372087/

(and a German article)  Microsoft: Schnelleres Patchen mit Project Quant

This morning, we released the latest version of the Microsoft Security Intelligence Report (SIRv6), examining industry-wide software vulnerability disclosures, Microsoft vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software.

I am one of the primary contributors to the SIRs, so naturally I think you should download it immediately and read it cover to cover  ;-)  However, I understand that some of you may not wish to read a 150 page technical analysis document, except as a way to fight off insomnia.

Because of that, if you go over to the main SIR page at www.microsoft.com/sir, there is also a "Key Findings" document that is much more concise and provides a nice summary of the findings from each section.

For my section, on Industry and Microsoft vulnerability disclosures, I'll be posting up some brief PowerPoint screencasts over the next few days where I'll talk through my findings while showing some pretty graphs.

Regards ~ Jeff

A couple of days ago, Secunia published their Secunia 2008 Report, and one of their tables garnered quite a bit of attention with respect to Mozilla patching quickly:

• Brian Krebs, Washington Post, Fanning the Flames of the Browser Security Wars
• Brian Prince, eWeek, Security Report Ignites Firefox vs. Internet Explorer Feud
• Ryan Naraine, CNET, Report: Firefox buggier, but issued fixes quicker

I wrote a more in-depth review of the calculated Mozilla patching speed in from Mozilla Patches Fastest. NOT! which you should read.   For those of you who want the concise version, here is a quick bit of data.

The Secunia Report specifically limited scope to vulnerabilities disclosed during 2008.  (which is okay to do, unless you want to draw conclusions about overall vendor patching speed.)  This excludes any issues disclosed before 2008 and fixed in 2008 (or not fixed at all).

So here is my question for those that are really interested in answer the question of how quickly Mozilla fixes vulnerabilities.  What is the average if you include these below (feel free to validate them yourselves to assure yourself that they apply).  Also note that I am only listing ones rated High severity in the NVD or Critical in a Mozilla advisory – there were several more rated Medium severity that I ignored.  I also limited my search to Firefox 2 vulnerabilities.

• CVE-2007-1736, disclosed 3/28/2007, no MFSA after 631 days (352 in 2008) at product end-of-life
  • link: http://www.securityfocus.com/archive/1/archive/1/464041/100/0/threaded
• CVE-2007-2162, disclosed 4/18/07, no MFSA after 610 days (352 in 2008) at product end-of-life
  • http://www.securityfocus.com/archive/1/archive/1/466220/100/0/threaded
• CVE-2007-2671, disclosed 5/1/2007, no MFSA after 597 days (352 in 2008) at product end-of-life
  • link: http://archives.neohapsis.com/archives/fulldisclosure/2007-05/0005.html
• CVE-2007-3072, disclosed 6/4/2007, no MFSA after 563 days (352 in 2008) at product end-of-life
• CVE-2007-3073, disclosed 6/4/2007, no MFSA after 563 days (352 in 2008) at product end-of-life
  • appears to be silently fixed in FF3.0 on 9/30/08 – maybe in FF2, can’t tell
  • link: http://larholm.com/2007/06/04/unpatched-input-validation-flaw-in-firefox-2004/
• CVE-2007-5896, disclosed 11/2/2007, no MFSA after 412 days (352 in 2008) at product end-of-life
  • link: http://xforce.iss.net/xforce/xfdb/38233

I’m not going to do the math, but if you include these six Firefox 2 issues in with the three from the Secunia report, I’m pretty sure the number will be closer to 352 than it will be to zero.

Of course, it may be that some of these issues above were silently fixed by Mozilla.  I wouldn’t mind at all if they came out and confirmed my earlier analysis that they may be doing this.  It would bring the average down a little.

Mozilla has posted their own thoughts on the Secunia report at: Beware the Security Metric.

Please do read their viewpoint as well, so you have all of the input to draw your own conclusions.  Given the above six examples (and my findings in this article), I personally find it ironic that they say this:

Mozilla discloses and releases bulletins for all security issues fixed in Firefox, regardless of how they were discovered. Unlike other vendors that only disclose issues reported by external independent parties, but not by internal developers, QA or security contractors.

Apple Inc.'s Safari is the juiciest target in the upcoming PWN2OWN hacking contest, last year's winner predicted today.

"It's an easy target," said Charlie Miller, the vulnerability researcher who last year walked off with a $10,000 cash prize for breaking into an Apple laptop just a few minutes into the contest. PWNOWN is slated for its third appearance at the CanSecWest security conference later this month in Vancouver, British Columbia.

"It might be because I'm biased about the things I'm good at, but it's the easiest browser [to hack]," Miller said.

[read the full story on computerworld.com]

Of course, this bit of publicity may also draw more attention to Mr. Miller’s session at CanSecWest this year (link to Speakers and sessions):

Hacking Macs for Fun and Profit

MacOS X has so far enjoyed a comparatively safe and malware-free existence on today's hostile Internet. While many previously believed that this was due to its superior security, public demonstrations of the Mac's vulnerability to attacks have hopefully proven otherwise. As with any technology, it is important to know both its strengths and weaknesses. This presentation will focus on the exploitatability of memory corruption vulnerabilities in and on MacOS X by applying currently known techniques to a new platform as well as introducing some new techniques.

Both Charlie and Dino have 0wned the Macs in the previous two PWN2OWN contests at CanSecWest. Now they will teach the attendees how easy it is to do for themselves.

I’ve been busy doing analysis for the next article in my cio.com Firefox series of articles, looking at vulnerability disclosures during 2007 and 2008 and I stumbled upon a little factoid that I had not previously noticed – no single version of Firefox was available for the full year of 2008.

In retrospect, I should have known this would happen, given the Mozilla policy of supporting the predecessor version for 6 months after a new release.

Here is what the timeline looks like: 

In my interactions with customer councils, I’ve found that enterprise administrators expect longer support lifecycles and much longer transition times than those shown here. 

On the other hand, maybe it is different for IT departments managing browsers in the enterprise than it is for other applications …

I’m curious, what are your thoughts on this?

Regards ~ Jeff

When I do analysis and reports on Microsoft products, I typically look for where the Security Development Lifecycle (SDL) has helped to provide improvement and provide some stats on that.  This year, I decided to try and do this monthly to make it easier for me that when I do it all at once.

This report is my attempt to capture and share that information.  I hope you find it useful.

February Summary

First, here is a summary of the 8 vulnerabilities addressed in February, which were addressed in a five updates (MS09-002, MS09-003, MS09-004, and MS09-005). 

Four of the eight vulnerabilities fixed in February had some level of SDL Benefit.  Only 3 of the 8 vulnerabilities affected a Windows platform:

• MS09-002, the IE update, addressed two vulnerabilities
• MS09-004, the SQL update, addressed one vulnerability
  • Note that WMSDE ships with WS2003 to support UDDI
  • Note the WYukon ships with WS2008 (and Core) to support various services

Though I am primarily focusing on Windows components in this monthly summary, I do note that the 2007 versions of both Exchange and Office had fewer vulnerabilities compared with earlier releases.

SDL Vulnerability Benefit

This section summarizes the vulnerabilities and any corresponding SDL benefit for Windows and Windows components.  Because of interest in browsers, I’ll also break out Internet Explorer separately.

Internet Explorer

Windows (including IE)

  Here is the key for this table:

• The first (non-header) row counts all vulnerabilities that affected any version of Windows – 3 this month. 
• For each product row, the second column counts how many affected that product and the third column reflects how many did not affect that version – column 2 and 3 should always add up to the total from the first row (3 this month). 
• The last column counts how many vulnerabilities had the severity mitigated to some degree.
• The numbers in parentheses are the deltas from last month

For products where different versions of built-in applications could be installed (e.g. IE6 or IE7), I am taking the worst cast value and counting when any of the versions are affected.

Update Scenarios

I also want to take a look at how updating is impacted or not.  It is likely that two versions may have the same number of updates, though each mitigates differing numbers of vulnerabilities or different levels of risk.  (For example, a single update might address one Moderate issue on WS2008 while the same update addresses two Critical issues on WS2003).

Companies have differing patch policies, so for the sake of illustration, I am going to assume a very simple update policy:

• Critical or Important – will be rolled out immediately
• Moderate or Low – will be deferred until a periodic roll-up update (perhaps annual or semi-annual)

Internet Explorer

Windows (including IE)

Using this table, I’ll look at two fictional company scenarios:

• Company A:  Has a Windows XP and Windows Server 2003 environment
• Company B:  Has a Windows Vista and Windows Server 2008 environment
• Company C:  Has a Windows XP, Vista, Server 2003 and Server 2008 environment
• Company D:  Uses only servers implemented using Windows Server Core.

Company A has to (potentially) roll out one update for all client machines in February (if IE7 is deployed) and one update for server machines.

Company B has to roll out one update for all client machines in February and one update for server machines.

Company C has to roll out one update for all client machines in February and one update for server machines.

Company D has to roll out one update for its Windows Server Core machines.

2009 Year-to-Date Summary

In addition the the monthly summary, I am going to try and keep a running count of the year-to-date values as well.  I am doing the math in these table by hand and I am trying to be careful, but I apologize in advance for the errors I will likely make before the end of the year.  Point them out and I’ll correct them ;-)

SDL Vulnerability Benefit (YTD)

Looking at the tables below, I find some interesting key points already after February:

• Out of 6 possible Windows vulnerabilities,
• Windows Vista - two have not affected Windows Vista and one additional one had a reduced severity.
• Window Server 2008 – 1 did not affect Windows Server and 3 additional had a reduced severity.
• Windows Server Core (WSC) – 3 did not affect WSC and one additional had a reduced severity, meaning that 66% of possible Windows vulnerabilities either didn’t affect or had reduced severity on WSC.

Internet Explorer

Windows (including IE)

Here is the key for this table:

• The first (non-header) row counts all vulnerabilities that affected any version of Windows – 6 this year. 
• For each product row, the second column counts how many have affected that product and the third column reflects how many have not affected that version – column 2 and 3 should always add up to the total from the first row (6 this year).
• The last column counts how many vulnerabilities had the severity mitigated to some degree.
• The numbers in parentheses are the deltas from last month’s cumulative totals.

Update Scenarios (YTD)

Looking at the Update deployment summary (below) compared to the vulnerability summaries (above), there are some interesting observations:

• Windows Vista, Windows Server 2008 and Windows Server Core did not have to immediately roll out 2/3 of the Updates so far this year.  This is a solid benefit.
• Though the same number of Updates were “applicable” for some different versions, the severity policies as applied resulted in fewer being deployed immediately in some cases.

Windows (including IE)

Using this table, I’ll look at two fictional company scenarios:

• Company A:  Has a Windows XP and Windows Server 2003 environment
• Company B:  Has a Windows Vista and Windows Server 2008 environment
• Company C:  Has a Windows XP, Vista, Server 2003 and Server 2008 environment
• Company D:  Uses only servers implemented using Windows Server Core.

Company A has rolled out a total of three updates (out of 3 possible) year-to-date – one on clients, one on servers and one on both.  One browser update could be deferred for server machines.

Company B has rolled out a total of two updates (out of 3 possible) year-to-date – one on clients and one on servers.  One update could be deferred.  Additionally the browser update could be deferred for server machines.

Company C has rolled out a total of three updates (out of 3 possible) year-to-date.

Company D has rolled out one update (out of 3 possible) year-to-date.  One update did not apply to Windows Core and the other could be deferred because of reduced severity.

________________________________

Regards ~ Jeff