Launched in 2007, the Security Vulnerability Research & Defense blog exists to provide more information about Microsoft vulnerabilities, mitigations and workarounds, and active attacks. During Microsoft’s technical investigation of security issues, we discover information that we feel is important to share. Some examples include:
- Workarounds that are not 100% effective in every situation or against every attack vector
- Workarounds that are specific to a particular attack
- Super complicated workarounds that work but cannot be recommended to all customers
- Interesting mitigations that might not be present in all cases
- “Best Practices” type guidance that applies to a particular vulnerability
- Group policy deployment guidance
- “Interesting” facts about a vulnerability Microsoft is fixing that will help customers learn more about Windows, the security infrastructure, or the way we conduct security investigations
- Debugging techniques and information on how to triage security vulnerabilities
- Overview of some of the challenges that we face when fixing specific security bugs
As always, security bulletins or security advisories are the ultimate authority but we’ll try to include juicy spill-over technical stuff in the Microsoft Security Vulnerability Research and Defense blog.
The technical information included on the blog is to help our customers understand the vulnerability in more detail. We carefully review it prior to posting so that the content does not provide an advantage to someone with malicious intent. Keeping our customers secure and well informed is our number one priority.
We’re going to start this blog with comments turned off. Frankly, we’re concerned that if comments are allowed, we may see some inappropriate comments. Please do (emphatically) email your questions, feedback, and comments about the blog to us at switech@microsoft.com. While we can’t promise to address every comment, we will address comments in the blog as appropriate.
For more information regarding Microsoft's Secure Windows Initiative (SWI) please see the following links:
http://blogs.technet.com/msrc/archive/2005/07/15/407755.aspx
http://www.microsoft.com/technet/archive/security/bestprac/secwinin.mspx?mfr=true
About the SVRD Bloggers:
Chengyun Chu Bio: Chengyun Chu is a security software engineer on the SWI Defense team. His first encounter with malware happened during a course project when his FORTRAN program (edited so painfully using EDLIN in DOS) was wiped out without his approval. Ever since, he swore to defend his machine, and finally located his dream job at Microsoft, on the SWI Defense team. He loves hiking, badminton, and PC games like Warcraft/StarCraft. His latest favorite toy is the Wii. Sorry Xbox 360.
Nick Finco Bio: Found under a pseudo-random tree somewhere in Montana, Nick has been breaking software ever since his school administrators tried to prevent computer gaming during class. Upon joining Microsoft, he worked in the Windows Security Management team for years. Finally, his desire to pen test software pushed him into the SWI Defense team, where he worked with Rob and Damian to create the team and refine its processes into the well oiled machine it is today. Currently, Nick is a member of the SWI React team where he continues to expand his expertise while tracking down those wily security bugs.
Damian Hasse Bio: Damian Hasse, Security Development Manager at Microsoft, manages the SWI React and SWI Defense teams of security researchers that investigate vulnerabilities and security threats with the Microsoft Security Response Center (MSRC), as well as the SWI Pen Test team, which helps to review Microsoft products for security issues before they are released. SWI, just in case you’re not familiar with the acronym, is the Secure Windows Initiative at Microsoft, an effort composed of many teams and individuals within Microsoft dedicated to making Microsoft products more resistant to malicious attacks.
Within SWI, the React and Defense teams work on every MSRC case to help improve the guidance and protection we provide our customers. We do this through our security updates (patches). As part of our role, we discover additional attack vectors and new exploitation techniques, and adapt quickly to stay ahead of the ever-evolving security ecosystem. We also analyze each MSRC vulnerability and determine mitigations and workarounds, which get published in the bulletins.
The teams also provide forward-looking security guidance to product teams within Microsoft, impacting products and services before and after release. We ultimately help to protect Microsoft customers from getting their systems compromised by building more resilient software. This is all part of the security pillar of Trustworthy Computing at Microsoft (http://www.microsoft.com/mscorp/twc/default.mspx).
Jonathan Ness Bio: Jonathan Ness leads the SWI Defense team of software security engineers at Microsoft. He joined Microsoft in March 2003 as a member of the Secure Windows Initiative (SWI) Attack Team. He and his defense team generate mitigations and workarounds for use in the monthly Microsoft security bulletins, write detailed vulnerability documentation for MSRC cases, and act as engineering technical lead for the Microsoft company-wide Software Security Incident Response Process (http://www.microsoft.com/security/msrc/incident_response.mspx#ESB).
Things Jonathan loves about Microsoft:
- Helping make hundreds of millions of computers more secure every month
- Working every day with some of the smartest security engineers in the world who all care passionately about protecting customers
- Finding ways to convey enough details about a vulnerability to help protect customers but not enough for that information to spawn exploits
- Helping customers find ways to reduce attack surface and protect themselves from attacks
Outside Microsoft work, Jonathan thinks about security pretty much all the time. One weekend each month and several weeks each year, he participates as a member of a reserve military unit helping to protect DoD networks. Jonathan has written two books - Gray Hat Hacking (published in 2004) and Gray Hat Hacking, Second Edition (2008). In his spare time, he enjoys his video editing hobby and mentoring youth at his church. He lives a bit north of Redmond with his wife Jessica and their cat Chewey.
Fermin J. Serna Bio: Fermin J. Serna is a Security Software Engineer on the SWI React team. Prior to joining Microsoft, he spent 7 years in Spain working as a penetration tester and, most recently, running his own company in the security field. He has collaborated with US-CERT in the responsible disclosure of several vulnerabilities, such as CA-2002-12 for ISC DHCP, and has published papers on exploitation techniques for less common architectures such as SPARC and PA-RISC. He loves security, coding, challenges, and chess.
Mark Wodrich Bio: Mark Wodrich is a Security Software Engineer on the SWI React team. He spent several years working on various networking technologies at Microsoft before joining SWI React, which explains why he has fond feelings for all network-based vulnerabilities. In his spare time he enjoys travel, hiking and snowshoeing, good food and wine.
Greg Wroblewski Bio: Greg Wroblewski, Senior Security Software Engineer, drives the technical side of the security response process at Microsoft. His experience at breaking things started at the age of three, when he successfully broke a power outlet. Surviving this achievement, he decided to move his attention towards low-voltage devices. Guided by his parents, he eventually settled on software breaking and protecting techniques. Currently a member of the SWI React team, he is well known for always keeping his development environment updated with the newest malware available. Since the WMF vulnerability outbreak, he keeps his office equipped with a reasonable amount of water, MREs and fire logs. Always prepared to keep customers secure.
David Ross Bio: David Ross is a Principal Security Software Engineer on the SWI React team. David lives and breathes browser and web application security. Prior to joining SWI in 2002, David spent his formative years at Microsoft on the Internet Explorer Security Team and wears the battle scars with pride. David’s blog: http://blogs.msdn.com/dross