MSRC - How it works (MSRC - Funcionamiento)

Trustworthy Computing: Inside The Microsoft Security Response Process. Fermín J. Serna, MSRC Engineering.

19 slides. Uploaded by chema-alonso, posted 12-May-2015.

DESCRIPTION

Talk given by Fermín J. Serna, of Microsoft's MSRC, at the Asegúr@IT 6 event, held on 18 June 2009 in Getafe, Madrid.

TRANSCRIPT

Page 1 (title slide): MSRC - How it works

Trustworthy Computing

Inside The Microsoft Security Response Process

Fermín J. Serna, MSRC Engineering

Page 2

We're Microsoft and we're here to help!

MSRC teams responsible for security updates:
- MSRC Operations PM
- MSRC Engineering

Why we are here:
- Expose the internal MSRC process for security updates
- Case studies on two cases:
  - an in-band comprehensive fix
  - an out-of-band fix

Page 3

Releasing a Security Update (process overview)

Vulnerability Reporting
- MSRC receives incoming vulnerability reports through:
  - [email protected] – direct contact with MSRC
  - Microsoft TechNet Security Site – anonymous reporting
- MSRC responds to all reports:
  - 24-hour response Service Level Agreement to the finder
  - internal response can be immediate when required

Triaging
- Assess the report and the possible impact on customers
- Understand the severity of the vulnerability
- Rate the vulnerability according to severity and likelihood of exploit, and assign it a priority

Investigation (MSRC Engineering)
- Reproduce the vulnerability
- Locate variants
- Investigate surrounding code and design

Managing Finder Relationship
- Establish a communications channel
- Quick response, regular updates
- Build the community; encourage responsible reporting

Fix Validation (MSRC Engineering and product team)
- Test against the reported issue
- Test against variants

Content Creation
- Security bulletin: affected software/components, technical description, FAQs, acknowledgments

Technical Guidance (MSRC Engineering)
- Workarounds and mitigations
- SVRD blog
- MAPP detection guidance

Release
- Security bulletins ship on the second Tuesday of every month
- Coordinate all content and resources
- Information and guidance to customers
- Monitor customer issues and press

Update Dev Tools and Practices
- Update best practices
- Update testing tools
- Update development and design process

Page 4

MSRC Operations

- Work with finders and security researchers that report vulnerabilities
- Coordinate internal product teams to work towards an update
- Develop and release messaging around vulnerabilities: advisories, bulletins, KB articles, blogs
- Coordinate severity ratings with MSRC Engineering and product teams

Process phases owned by MSRC Operations: Vulnerability Reporting, Managing Finder Relationship, Content Creation, Release

Page 5

Vulnerability Reporting

MSRC receives incoming vulnerability reports through:
- [email protected] – direct contact with MSRC
- Microsoft TechNet Security Site – anonymous reporting
- Industry security events
- Honey-pots
- Security community partners

MSRC responds to all reports:
- 24-hour response Service Level Agreement to the finder
- 7-day support
- Every report is triaged by a security specialist

Page 6

Exploitability Index and Bulletin Severity Ratings

- Provides customers with guidance on the likelihood of functional exploit code being developed
- Developed in response to customer requests for additional information to further evaluate risk
- Published as part of the monthly Microsoft security bulletin summary

Page 7

Outreach and Communications

Pre-release
- Security Bulletin Advance Notification – three business days prior to release
- MAPP notifications prior to release

Release day (second Tuesday)
- Updates posted on Download Center, Windows Update and/or Office Update
- Bulletins posted
- RSS feeds
- Customer email and instant message notifications
- Community outreach
- MS field alerts and call-downs
- SVRD blog

Post-release
- Security Bulletins webcast (Wednesday following release, 11 AM PT)
- Supplementary webcasts if needed
- Monitor bulletin uptake and customer issues through PSS and Windows Update
- Bulletin maintenance

Page 8

(Repeat of the "Releasing a Security Update" process overview slide from Page 3.)

Page 9

Initial Technical Investigation

- Reproduce the issue internally
- Determine the root cause
- Gather network captures, crash dumps, etc.
- See if it is a valid security issue. If so, determine exploitability and severity

Process phases: Triaging, Investigation

Page 10

Hacking for Variations

- Update the threat model (if needed)
- Review code for variants of the reported issue
- Review code for other issues in the same module/area
- Check for similar defects in other products
- See if related bugs were found by internal testers
- Fuzzing: develop custom tools or improve existing fuzzing tools as needed; run the fuzzing tools and investigate any issues found
- Static analysis: sometimes the issue could have been flagged by static analysis of source or binaries. If so, update the tools as needed and run the analysis

Process phase: Investigation

Page 11

Validation & Sign-off

- Fix validation: review the proposed fix, review the fixed code, test the fixed binary
- Bulletin review: review the technical content of the security bulletin and provide feedback
- Communication strategy: additional information provided to customers via the SRD blog, http://blogs.technet.com/srd/
- Improvements rolled into the standard fuzzing and static analysis tools prescribed by the SDL

Process phases: Fix Validation, Update Dev Tools and Practices, Technical Guidance

Page 12

Mitigations & Workarounds

Goal: find opportunities to disrupt the vulnerable code path before the fix ships.

Methods
- Analyze the call stack and process flow looking for an ACL opportunity (an object on the vulnerable path whose ACL can be tightened so the path is no longer reachable)
- Inspect source code
- Ask the product team for ideas
- Knowledge about the protocol or product
- Process Monitor / dynamic analysis
- Brainstorm with teams

Process phases: Technical Guidance, Content Creation
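One concrete form of the "ACL opportunity" the slide describes, as an added example (not code from the talk or from Microsoft): a PowerShell script that denies the Everyone group read/execute on a DLL so processes can no longer map it, verifies the deny ACE is in place, and rolls it back once the update is installed. The target path (OLEDB32.dll under Common Files, the module the MS08-078 advisory revision on a later slide refers to) is an assumption chosen for illustration; for a real bulletin, apply the workaround the advisory actually specifies.

```powershell
# Added example, not from the talk: an ACL-based workaround that denies the
# Everyone group read/execute on a DLL so processes can no longer load it.
# The path below is an ASSUMPTION for illustration (OLEDB32.dll is the module
# the MS08-078 advisory workaround on a later slide refers to); use the path
# and the workaround the advisory for your bulletin specifies.
# Run from an elevated PowerShell session.

$DllPath = Join-Path $env:CommonProgramFiles 'System\Ole DB\oledb32.dll'

# Use the well-known SID for Everyone (S-1-1-0) rather than the localized group
# name, so the same script behaves identically on non-English installations.
$Everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

function Get-DenyLoadAce {
    param([Parameter(Mandatory)][string]$Path)
    # Return the explicit Deny ACE(s) for Everyone on $Path, or nothing.
    $acl = Get-Acl -Path $Path
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq $Everyone.Value
        }
}

function Add-DenyLoadAce {
    param([Parameter(Mandatory)][string]$Path)
    # Deny Read+Execute: mapping the image fails, so LoadLibrary/CoCreateInstance
    # on the module errors out and the vulnerable code path is unreachable.
    # Deny ACEs take precedence over Allow ACEs, so this blocks administrators
    # and services too until it is removed; that is the intended trade-off.
    if (Get-DenyLoadAce -Path $Path) { return }   # idempotent: already applied
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Everyone, 'ReadAndExecute', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-DenyLoadAce {
    param([Parameter(Mandatory)][string]$Path)
    # Roll back once the security update is installed; otherwise the patched
    # DLL stays unusable and the workaround turns into an outage.
    $acl = Get-Acl -Path $Path
    foreach ($ace in (Get-DenyLoadAce -Path $Path)) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
}

# Record the module version first (the talk lists "affected module version"
# among the facts shared with partners) so the rollback can be tied to the
# version the update later replaces it with.
"Before: {0} version {1}" -f $DllPath, (Get-Item -Path $DllPath).VersionInfo.FileVersion

Add-DenyLoadAce -Path $DllPath
if (Get-DenyLoadAce -Path $DllPath) { "Workaround applied: Everyone is denied read/execute on $DllPath" }

# After the security update is installed:
# Remove-DenyLoadAce -Path $DllPath
```

Processes that already have the DLL mapped keep running with the old image, so the workaround only takes effect for processes started after it is applied. If Set-Acl reports an unauthorized operation, the file is owned by TrustedInstaller and the administrator lacks WRITE_DAC; take ownership first (takeown /f <path>), apply the ACE, and restore ownership afterwards.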

Page 13

Detection Guidance

Opportunities for partners to detect the vulnerability. We share:
- An internally generated, safe-to-investigate repro
- Explicit detection guidance (boundary conditions, etc.)
- Problem description / technical notes
- Exploit indicators (event log entries, for example)
- Stack trace with public symbols
- Disassembly with public symbols
- Affected module version

Process phases: Technical Guidance, Content Creation

Page 14

Case Studies

MS08-025 (in-band cumulative update)
- Variant investigation
- Understanding new attack vectors and research techniques
- Testing cycles

MS08-078 (out-of-band)
- Quick response time (8 days)
- Timelines
- Advisory + communications

Page 15

Internal Process for MS08-025 (timeline chart, October '07 through April '08)

Milestones shown on the chart, in order (day markers not reproduced):
- MSRC case opened
- Internal repro
- Root cause
- Severity and attack vectors
- Hacking for variations
- Mitigations and workarounds
- Agree on fix
- Review source code
- Fuzz testing / developing fixes
- Functional tests on binaries
- Broad test pass, depth test pass
- Bulletin review
- Bulletin ships

Page 16

Internal Process for MS08-078 (timeline chart, Dec 8, 2008 (Monday) through Dec 16, 2008 (Tuesday))

Milestones shown on the chart, in order (day markers not reproduced):
- Vulnerability posted to a Chinese message board
- CN-MSRC discovers the public posting
- MSRC Engineering initial repro, root cause, begin mitigations & workarounds investigation
- Advisory published
- Out-of-band planning begins
- Hacking for variations
- Agree on fix
- Advisory revised (OLEDB32.dll workaround)
- Advisory revised (Disable Row Position workaround)
- SRD blog posted
- Advisory revised (Disable XML Island workaround)
- Focused package testing
- Bulletin ships

Page 17

Blogs:
- MSRC Operations: http://blogs.technet.com/msrc/
- MSRC Engineering: http://blogs.technet.com/srd/

Microsoft Security web sites:
- www.microsoft.com/security and www.microsoft.com/technet/security
- Sign up to receive notifications on security updates: www.microsoft.com/security/bulletins/alerts.mspx
- Sign up for the Security Bulletin webcast: www.microsoft.com/technet/security/bulletin/summary.mspx
- RSS feeds for security bulletins: www.microsoft.com/technet/security/bulletin/secrssinfo.mspx
- Security Advisories: www.microsoft.com/technet/security/advisory
- Security Guidance Center for Enterprises: www.microsoft.com/security/guidance
- Protect Your PC: www.microsoft.com/protect
- MAPP: http://www.microsoft.com/security/msrc/mapp/overview.mspx

Page 18

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Page 19

Microsoft Active Protections Program (MAPP)

- New program for security software providers
- Members of MAPP receive security vulnerability information from MSRC in advance of the monthly security update
- Members can provide updated protections to customers via their security software or devices: antivirus, network-based intrusion detection systems, host-based intrusion prevention systems