MSRC - How It Works
DESCRIPTION
Talk given by Fermín J. Serna, of Microsoft's MSRC, at the Asegúr@IT 6 event, held on 18 June 2009 in Getafe, Madrid.
TRANSCRIPT
Trustworthy Computing
Inside The Microsoft Security Response Process
Fermín J. Serna, MSRC Engineering
We’re Microsoft and we’re here to help!
MSRC teams responsible for security updates:
- MSRC Operations PM
- MSRC Engineering
Why we are here:
- Expose the internal MSRC process for security updates
- Case studies on two cases: an in-band comprehensive fix and an out-of-band fix
Releasing a Security Update
Vulnerability Reporting
MSRC receives incoming vulnerability reports through:
- [email protected] – direct contact with MSRC
- Microsoft TechNet Security Site – anonymous reporting
MSRC responds to all reports:
- 24 hour response Service Level Agreement to finder
- Internal response can be immediate when required
Triaging
- Assess the report and the possible impact on customers
- Understand the severity of the vulnerability
- Rate the vulnerability according to severity and likelihood of exploit, and assign it a priority
Managing Finder Relationship
- Establish communications channel
- Quick response
- Regular updates
- Build the community
- Encourage responsible reporting
Investigation (MSRC Engineering)
- Reproduce the vulnerability
- Locate variants
- Investigate surrounding code and design
Fix Validation (MSRC Engineering and Product Team)
- Test against reported issue
- Test against variants
Technical Guidance (MSRC Engineering)
- Workarounds and mitigations
- SVRD Blog
- MAPP detection guidance
Content Creation
Security bulletin:
- Affected software/components
- Technical description
- FAQs
- Acknowledgments
Release
- Security bulletins: second Tuesday of every month
- Coordinate all content and resources
- Information and guidance to customers
- Monitor customer issues and press
Update Dev Tools and Practices
- Update best practices
- Update testing tools
- Update development and design process
MSRC Operations
- Work with finders and security researchers that report vulnerabilities
- Coordinate internal product teams to work towards an update
- Develop and release messaging around vulnerabilities: advisories, bulletins, KB articles, blogs
- Coordinate severity ratings with MSRC Engineering and product teams
Process phases covered by MSRC Operations: Vulnerability Reporting, Managing Finder Relationship, Content Creation, Release
Vulnerability Reporting
MSRC receives incoming vulnerability reports through:
- [email protected] – direct contact with MSRC
- Microsoft TechNet Security Site – anonymous reporting
- Industry security events
- Honey-pots
- Security community partners
MSRC responds to all reports:
- 24 hour response Service Level Agreement to finder
- 7 day support
- Every report is triaged by a security specialist
Exploitability Index and Bulletin Severity ratings
Provides customers with guidance on the likelihood of functional exploit code being developed
Developed in response to customer requests for additional information to further evaluate risk
Published as part of the monthly Microsoft security bulletin summary
Outreach And Communications
Pre Release
- Security Bulletin Advance Notification – three business days prior to release
- MAPP notifications prior to release
Release Day (Second Tuesday)
- Updates posted on Download Center, Windows Update and/or Office Update
- Bulletins posted
- RSS feeds
- Customer email and instant message notifications
- Community outreach
- MS Field alerts and call downs
- SVRD Blog
Post Release
- Security Bulletins Webcast (Wednesday following release, 11AM PT)
- Supplementary webcasts if needed
- Monitor bulletin uptake and customer issues through PSS and Windows Update
- Bulletin maintenance
Initial Technical Investigation (Triaging / Investigation phases)
- Reproduce the issue internally
- Determine root cause
- Gather network captures, crash dumps, etc.
- See if it is a valid security issue. If so: determine exploitability and severity
Hacking for Variations (Investigation phase)
- Update threat model (if needed)
- Review code for variants of the reported issue
- Review code for other issues in the same module/area
- Check for similar defects in other products
- See if related bugs were found by internal testers
- Fuzzing: develop custom tools / improve existing fuzzing tools as needed; run fuzzing tools and investigate any issues found
- Static analysis: sometimes the issue could be flagged by static analysis of source or binaries; if so, update tools as needed and run analysis
Validation & Sign-off (Fix Validation / Update Dev Tools and Practices / Technical guidance phases)
- Fix validation: review the proposed fix, review the fixed code, test the fixed binary
- Bulletin review: review the technical content of the Security Bulletin and provide feedback
- Communication strategy: additional information provided to customers via our SRD blog, http://blogs.technet.com/srd/
- Improvements rolled into the standard fuzzing and static analysis tools prescribed by SDL
Mitigations & Workarounds (Technical guidance / Content Creation phases)
Opportunities to disrupt the vulnerable code path. Methods:
- Analyze call stack and process flow looking for an ACL opportunity
- Inspect source code
- Ask product team for ideas
- Knowledge about protocol or product
- Process Monitor / dynamic analysis
- Brainstorm with teams
Detection Guidance (Technical guidance / Content Creation phases)
Opportunities for partners to detect the vulnerability. We share:
- Internally generated safe-to-investigate repro
- Explicit detection guidance (boundary conditions, etc.)
- Problem description / technical notes
- Exploit indicators (event log entries, for example)
- Stack trace with public symbols
- Disassembly with public symbols
- Affected module version
Case Studies
MS08-025
- Cumulative update
- Variant investigation
- Understanding new attack vectors and research techniques
- Testing cycles
MS08-078
- Quick response time (8 days)
- Timelines
- Advisory + communications
Internal Process for MS08-025
[Timeline figure spanning October '07 to April '08; the individual dates of each milestone are not recoverable from the slide text. Milestones shown: MSRC Case Opened; Internal Repro; Root Cause; Severity and Attack Vectors; Hacking for Variations; Mitigations and Workarounds; Agree on Fix; Fuzz Testing / Developing Fixes; Review Source Code; Functional Tests on Binaries; Broad Test Pass; Depth Test Pass; Bulletin Review; Bulletin Ships]
Internal Process for MS08-078
[Timeline figure spanning Dec 8, 2008 (Monday) to Dec 16, 2008 (Tuesday); the individual dates of each milestone are not recoverable from the slide text. Milestones shown: Vuln posted to Chinese message board; CN-MSRC discovers public posting; MSRC Engineering initial repro; Root Cause; Begin M&W Investigation; Advisory published; Out-of-Band Planning Begins; Agree on Fix; Hacking for Variations; Advisory rev'd (OLEDB32.dll workaround); Advisory rev'd (Disable Row Position workaround); SRD blog posted; Advisory rev'd (Disable XML Island workaround); Focused Package testing; Bulletin Ships]
Blogs:
- MSRC Operations: http://blogs.technet.com/msrc/
- MSRC Engineering: http://blogs.technet.com/srd/
Microsoft Security Web sites: www.microsoft.com/security and www.microsoft.com/technet/security
- Sign up to receive notifications on security updates: www.microsoft.com/security/bulletins/alerts.mspx
- Sign up for the Security Bulletin Web cast: www.microsoft.com/technet/security/bulletin/summary.mspx
- RSS Feeds for Security Bulletins: www.microsoft.com/technet/security/bulletin/secrssinfo.mspx
- Security Advisories: www.microsoft.com/technet/security/advisory
- Security Guidance Center for Enterprises: www.microsoft.com/security/guidance
- Protect Your PC: www.microsoft.com/protect
- MAPP: http://www.microsoft.com/security/msrc/mapp/overview.mspx
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Microsoft Active Protections Program (MAPP)
- New program for security software providers
- Members of MAPP receive security vulnerability information from MSRC in advance of the monthly security update
- Members can provide updated protections to customers via their security software or devices: antivirus, network-based intrusion detection systems, host-based intrusion prevention systems