|
|
|
Behind the Scenes at Microsoft`s Secure Windows Initiative
By: Ryan Naraine
2008-02-19
Article Rating: / 6
There are 0 user comments on this Network Security & Hardware story.
eWeek Security Watch Editor Ryan Naraine recently spoke with Jonathan Ness, the lead software security engineer on the SWI Defense team, about how software vulnerabilities are rated and the ups and downs of working with third-party researchers. Microsofts Secure Windows Initiative unit has emerged from the shadows, promising a new level of transparency, as well as details of software vulnerabilities and security bulletins.
SWI, tasked with maintaining and managing all aspects of Microsofts mandatory SDL (Security Development Lifecycle), has launched a new blog that provides customers with technical details on security vulnerabilities, mitigations and workarounds.
eWeek Security Watch Editor Ryan Naraine recently spoke with Jonathan Ness, the lead software security engineer on the SWI Defense team, about how software vulnerabilities are rated, what goes on behind the scenes after a security vulnerability is reported, and the ups and downs of working with third-party researchers.
Whats your background? How did you end up at Microsoft?
During the Christmas holidays in 2002, I read the second edition of [Microsoft Senior Security Program Manager] Michael Howards Writing Secure Code from cover to cover.
I was working in the military at the time, and, after going line by line over the 600 pages in the book, I decided on a whim to apply to Microsoft to work on [Howards] team. I went through the interview loop, and here I am on the SWI team, working at Microsoft because of that book.
Whats your role within SWI?
I work on one of the peer teamsSWI Defensethat focus specifically on creating mitigations and workarounds for vulnerabilities.
We work directly with the MSRC [Microsoft Security Response Center] and the product teams to reproduce vulnerabilities, create and test temporary workarounds, and help with rating the severity of a security issue.
We always want to make sure were offering the right guidance for customers, whether its a workaround before a patch is released or product-specific mitigations in the bulletins.
There are other teams within SWI that we work alongside. SWI React, for example, is a peer team thats responsible for finding vulnerabilities that may be related to an externally reported issue. They build fuzzers [vulnerability-testing tools] to look for specific issues and handle the code review to make sure were not missing anything. They handle things like testing the patch, validating some of the work from the product teams.
What happens when a vulnerability is reported by a third-party, or external, security researcher?
When a bug report comes in, the MSRC guys will look it over and work on making sure we have all information to help us reproduce the issue. They will open a ticket, notify the researcher and pass it on to the SWI React team. If its something the MSRC flags as critical, SWI React gets on the ball with the MSRC and the [affected] product team immediately.
The priority is to reproduce the vulnerability, look closely at the surrounding code and understand all potential risks. Once they figure that out, we come in to look for mitigations and workarounds to divert the flow of [attack] codetry to block the vulnerable code from being hit.
Well go through the entire response process, which includes working with the product team to build a fuzzer and creating an attack tool to look for additional problems. We want to have a tool by the end of the servicing cycle that could have found [that vulnerability] if it didnt come in from the outside.
There have been complaints from external researchers that Microsoft puts the onus on them to reproduce/prove the vulnerability.
We try to reproduce every vulnerability that comes in. We really do try. We try to gather all the information, whether its just an e-mail notice or if theres a sample exploit. We will look at the code, build the test tools and try really hard to find what the [researcher] is reporting. If we cant, our only option is to go back to them and ask them to help us reproduce it.
If possible, well try to set up a machine and ask them to hit us with an attack so we can try to capture it. Our priority is to reproduce it, figure out the problem, then get it fixed.
And once it gets reproduced?
My teams focus is to understand the vulnerability, find places where an exploit can hit the vulnerable code, then research for mitigations and workarounds to protect against the vulnerability.
In some cases, if its an issue that requires a [prepatch] security advisory, well release the mitigations to help customers understand how they can protect themselves until we get an update ready. Then, when the bulletins go out on Patch Tuesday, youll find our work in the mitigations section.
During the course of an investigation, we learn things that dont quite fit into the bulletins, so we decided to start a new blog to talk down to the guts of specific vulnerabilities. Were using the new blog [blogs.technet.com/swi] to get really technical about the vulnerabilities that weve fixed, how the mitigations work and some other workarounds that might not be 100 percent effective but still useful for some customers.
On the new blog, how do you balance the need to share technical information and the risk of giving too much guidance to malicious hackers?
We want to be sure people understand the vulnerabilities and all the mitigation guidance. Sure, hackers can use that same information to understand the bug, too, but you have to remember that were only dealing with things that are already patched.
Weve talked internally about walking this fine line, and if we think something we put on the blog could actually help an attacker, well err on the side of not releasing the information. Were not going to post information that shows how to exploit a specific vulnerability.
We expect to have our blog entries coincide with [Microsofts] Patch Tuesdays to go into more detail on the mitigation portion of the bulletins and help to clarify things that didnt make it into the bulletin.
The bad guys are already reversing our patches as soon as theyre released. They have that research already. We subscribe to commercial exploit packs, so we know whats happening and the kind of third-party research thats being done after the patches are released.
There have been criticisms that Microsoft has been very slow to issue prepatch advisories and workarounds for things that are publicly known by hackers. Is that fair?
The advisories are still about giving customers proper guidance as soon as we have something thats tested and understood. Some things can be murky in the beginning when a vulnerability is complicated, and were moving fast to reproduce it and understand the risk. Some things come together quicker than others, and it can be tricky to figure out the right time to post an advisory.
Microsofts own security guru, Michael Howard, has made the argument that buffer-related security vulnerabilities found in Windows Vista should be downgraded because of backup mitigations built into the operating system. Is that something the SWI team would consider?
Michael makes a good argument, but we dont feel good yet about reducing severity ratings for Vista.
This is how we look at it: If an exploit were to hit the vulnerable code, well assume that a hacker can bypass the mitigations. Sure, [Vista] might catch and terminate the process, but, in reality, it still hits the [vulnerable] code.
Thats how we look at itif it hits the code, then well rate it accordingly.
Even with Protected Mode IE, there are certain ways to break out of that to launch an exploit. We have to take that into consideration when were rating bugssame for the other mitigations. With ASLR [address space layout randomization], for example, if the exploit only works once in 256 tries, well still rate it as if it could be exploited.
There are times when well reduce the severity for things like Windows Server 2003; where scripting is disabled, well drop that down to moderate on server vulnerabilities. But if the affected code is present and you can hit the vulnerable code with an exploit, well rate as if the exploit would have worked.
If its a memory corruption vulnerability, we assume the attacker can control the contents of memory, and we rate the bug accordingly. When we apply a rating, we want to be sure people understand the details and the severity clearly so they can make a proper decision.
According to Microsofts definitions, a flaw will be rated critical if it could be exploited to allow the propagation of an Internet worm without user action. But your IE bulletins are rated critical even if a user has to click on a Web site to be exploited.
We view clicking on a Web page as an expected user action. In fact, for those browse-and-youre-owned issues, we call those zero-click vulnerabilities. Well always consider those as critical, even though the word wormable doesnt really apply.
|
|
�������xr㶲0;; ʷ♵M"fmy�45SHHbL\$KrK?Kg<�xӅ|8%�l4�ݍF·�$i9�uM5�5|zkѻ`HRsg>�,36
@FoRQP
Ġ�x�nwݶ&N`P'~ �C���᳙*,�Q ���H5��KԚLÆ`&$Ʈl
dčʼn5m2�f
�E1;'��I�- �6
�#%��֥�ȏ�ͻ'k[!t�U�N(�T|0tgL'þ�=a�> J%h��ʏ "|xB'g�x�dY��u(X(Qu",M+lဌl�ڮ�U� ؓڭBul�!�6
�ȅCoWoh��ɿT݉[͛��L4I��հ�HfI%p'z:rm3����k>�NRY Z�3�tt=��P���OMҷB�]L1H��6}D?&Q Ig�6qO-z^y�
y�>x:tQVu ¿
yo@בnL|w�da-QMDZ6'�>6�L)�|HCɤ:QԧF�q9e,�f4öCCٰo�5\k5E9,U+ue~,^+Y�-\hoF_JE4Ew�� �pd
vtu]+iu�n�EsΧˊfoF">��ef"ȅ�Q.%M�>�
g�|�8J�Ku=ba�pY<<�ZoV͉*]X]uUjZl�E?龂KwI�|jeOv؆)WI��F4�,h�eݴ�s榣V�1WPsv�/*uU9-z�Qn�ũl�:2X�
jXR7XaQ�l�A`�:�g!>QӚ�#qRO#Gs�>H2AG61^�zK
ucj���>3 �a�
;p�w�>-Fv1s�{Q �{>�0i��CkF�Q`G�I
�l"��]�LR}�l��8d�$n)s>s�Ln-�`��VwMGH�b1L{��TM`�@# ,z���C��
�
@�l�߽5�#~[-[�Y6x�OA �]x~9-WR���C/0@}JIIL"D%� R
h��4�A�G�EBEN�m�bo$gw$]Vph�(7ݞ�H:w'P-h&3ay?cb -d[b�}I�lΌ�eV&vϏaZLbo��7�]�,�Slo3-M�us*%6��ʋzhB&3yj^VTE�C�eEg]6��ˁ)tC_F8-?��Gx�ljt0τ��{8Ƿc˰`�xҚh�yNu!S�Lar� i�f�T���L{dl{�ٚM�>�BX͙;cL���
nu(GpoGK�<&T֬zo��}��p�l7+ w&��rG|媞5
�jx0?s\�LdFfko�}iȜ^ftTR6�P��b8dOÈ~�G*+i�S)KJ7V+kV=Դz X;7l�� �ʸnJY
Yr>:u>]�ȃ`�w�!O\C�61�8yrǮmwA�utn\?(y�Sˤk9�h��9Ц
ֈiD��,Za��g�*
#�ؚyް<~lL4�"�w�.Bā'h<.�Y6[P==>Ħ\Qۀ+�KRI1])Xk±�&�,< "+ڂ��iȈ0A ��~"}����jA���4>
�\Rb�r>+j*e$T6)5*�i86�+o
`bI߰�B�VT!rB�s�}?w�2_!�挮`Gt!UkR�ZEU}Z�gG+<(9N ̌�k}��PjVRK{9i`7,��mC[$
zT�Èh;�qņ�Z
J'5�g�H5ysV�9y�]%��fZ+e1yZUz|ylƵYd{Eęٍ*�ʗӇ21wY|3VRD�sRͳikhx9�^@HpjGi�*���ߺ�;B�7x^ox�Py�m/POﺪiT_0Ld��T~�#\�3fb|g]b+s�|,On?z�ƚAFh5xb�==#ݸ{ɿ,�YE8&+琩os�C/��w�ܒ;� k@X'W-(7ϙ40pR2Y=u�6,^kJa;9Qo@H�ms1�0�`>��;n�=%��^\ց�h
03RlȪ�+> 2&iZIRkϢsG&:Lpz�]�{O
uṚo{{k7�÷ �G�L)߭~*9�WI�Hk>hw
ĶZV
'}DiB�q=C
~vS�=/t�2JEU��dP�e�Hb.x|V
n�&v.ė,ǽ�?wH;�m)u�oл�o= rHpAjw>^�'d�0|
s|n]E�6b��`[&IEq=S�!�gtgL�t�PܗI3�T/Us>\z�4��MN3bn
*q�)ېcgcs�}u�YLPH:X!�a��P�@�$X�)��XAU:ӿeg'U3���_f�}�Rt<~Ur;Pע~�}#S�2MĜ�yk�NEl 1O�bt#1ݻ���%~*f B�O��.�K7t[b��.Nxsyؠ#%tBU[���4D�]{gE��Szw~P�1h�Gtv�ڕvdѧ}E��Tq��k:�+`*
94�Dh�H�^ݍ X"2�NIJa'>�}8z�d�,F��Jf�y��Ӽ4hɘAx�l�7B_7n�C]�pb]C��1o~ˤa�
]ek{�*{�w}w�o]VZ�tC.q�B�1�d/)$%ΓE Lj
O�K =�Fݽ]vV5BĬxBw2h띧lw�kL��>dO>^jDC|W9��2�/�
[a[#�؞qa��L��dOC%�7÷Cw#�S�'gSc3/HF#xk��O(6-lF�@|Pذ/�h](0i�aj}Z�p$|#؈�'/G'?[7�{cE�|3̕
u�\ kM_U_s
wޘ�����P�E?\=3q� �Fȗqi+BF43ˁmr��.G�c}6T�zTW�n�#�:��9qi@X?ѝ(�S8:s�eǑv/
�)$pRWjiY�)%)��P50=;�ӏJ~��=v�1(��oaX�{P~lOӪ{,�3M:�X)�YjjorlZyT�tIt+N`.�%^A
�z)u�mr\+$E/ɸƈ ;^: K `9yvyL>��
-n&��ONd�ȯ!h 6á�L\IT^pa(�*kjp5r���7-�o#g=Bٳ͈�O^ OxڈӨ)��|ip�y'H�?>b[HQ1T= LF~6ԌER�.w�$aHU)/�J,T&?sA��D@ndJU|<�t!}"�=gISrϥJD�D]�|r)Vާ�ҥ
t;a\S0B>j͕Z�.=P̅^�UU6:\�h#�6���2oJe�ܚ"ͧ%C*UIoʐWdOgyn*D\ ,�O}wFِCX&ITj2jd�D<"E�oQ�e�N2ȵ̢ON�ן)?]j��%QGw���HISv9c�O��X;�]`#��wA")Մ�� ,�ĝ��[q_ER%)_JY.y.q$�T٩�E�2q�%Q�%j�K�I5B��7�82DJQك_КAe,25_�k��(O
~Bg.f�ċR0?0{պø Tr�h�>�,h<;3YD=
[V} ;&.C�M54ULӽgK=h.=j@kH��K�o1�S&1�q17777w�kJm|q^wMv�CW�P)[O[*�1���g�`��ORϝ7065'T:6Q0E�"Z@mȧ/s��>_C3�n�R� �'K0ĕr>qXD"���H��Xo^D��%UOzmCz1l;^_H)���~G!���>�q
>yC$�� @$�"I (Av8UȵgOP�/oss�X�Ñ`{��+
M�,�+t'D$b�v@a��_L�{*{C�� �pR�u.+亮ػ{
ܮ>�i�^+csj�ߥ=RI-K]�>�gl1;nKl*n2Io)9��@b7u)HC"9 ��W�ED댉o]�[�JL\@��!@'<�AH `
{�bMk~mwe�b ��=L z.�5��y3$���nnQk�c�9T[�G\ei]�
H#=NǞn5<�`��vO'� ��;��B�O!@ /}mwaL�UNj<}t� UVyDV/}w=
�b�A�E2�.D{�Ԋ�|4
k;��:�ބ+uA�vk�9�u�$R�f��G;�Evh�ܧv.m̌KǺm1!7:�@�]h|'�d�t~�(X&X���
/�X��� hnZ?_{&:ßw?�]h|g�_ɏ4 9�Na|ڝ�e�/`�_gë^.Gn�˹l��乞ndoKx7 ȿ�2n0r_|k���?)|`7a�*�h-�l߽�SW!۩,fER��Z!��ߤ�L`m_m�_(H^uσ�dUokocϊ>t)�R�rOjp�,C̉u��={
!(d� �Ɨ��kEI3�Ʊ)�'{�h4cT1,,}dnyL7��ᖃș�y�,�5�.3h
έk�(jSHLv{�/E6���T_[g�@U�lb�2Оo�v�q%��-{8R��xz1|Dv1m:Z|@
aLDP�gMK��^�k܁.�vi�(N-£�E�F}Oj{
es�^d7>k_A'-g�!YΞCm�>K��xpvfT�n#n$XG}K:iL/!�Po/
:âI��YfV,3h6Ef`a�3ط�/0 �7v6F�zLcM�QXcJ:*z�5\?ԝ�ST#䉯oL"
W���B~Y�B x�e @+5�:�bgw|#bDzE1"t9Ƕ:/}"P�^qK��odEPXp�8!'�9tްp��B6E?߉o"(C^P"^]����M�}1I� t9�ڊbMo�@�ע$~SZ�� �O��]�c)~c�)�+hW��x �B,p}&�6K
ʹ<8?G56��MEfIȢDE\��sInժJ]]-���D�r/*�r+Șznj=! c=TAN9=�S�5���ߗ�RUBI� ُ�|^k�ik�6j=!ɣ`5��vX5r{�u3sY<5�7SYzڽ9Z<1xfUj*ra8ufծL
1Y��n�1H!r��&⦭$���Lv��~6ӿ4,\�9�(�-^a̷𥳐fe�˳5Ԯl�6o�pn:�|^jB6�"|rRfs':B0+vb"m]%鮵IwLw|#Թ|I��?:z碷��
+K=�`�0̊ۼeUd[hlo�wAQgg)q8�@�ș莥M�LJIߣ4�?R)%o$:*
|�sYl�g�
zJ��`x`dVOobD+))�o2윶FcˠOW1h�
�|)W'��n�,�7�\#�P�| -SwO�Rk5eaj+�Y�!kj��`=ҡd+qܖe܃6˞�뷏�^x2oB`(x���]I٫TT~�Nǻ/�|�T0/b#-#C
a�|$z34m��G��׀��gxBW7�el�Nh$�}b c"uFf!&�T)
==`Nv�V\}G��@F>;G}m!��Ƅc8G9Pg9}�1�
F�[;5�g�r�`(\`Cw�FH�]KXuh�`>zS?�w|1[GB(W�9$#X h_ruW
��Iݹa?ч����L-ǮnԚiED#Rhb��GBcM /W>nrn[ք ၰ
�5"��
B|wFp��bZ1Ř!bmr�͈)iv9:LQXj��*��{3wاX, ,[�B QW tQR*�("*�@���`g*o�#��c�n
Q&@Ԕ�͍$�u�~k
v�K�
.X`���3[��]ă0>]w730lMqW'Ag#jbj�`�b \�]:vN���5'��H=:y=)s!aZ;:U_|LR
]�4�Bq0h^Z!�oX6�2����
=`�rڻ"-rznUr]y�Ta[+p�RnQqi}yչ���31F;�d�6MJry:2 �n)sC9mL6�W;ρWγ҈(a�h,.6YtI�t�PJTٌ��5�1o&Ll+�W=vS+�t�_�?gg:^Z�9v�!6&w�Z�:-j��0}P܄q�P��b�]�Ȥo�u[9@/9B9WP~�)Ay/�9}�hp)?@�|�?�Z_~)4:;'f$�EN9~K?�Y_~�swRB9�n�|o7]O7>]7]n�v?92zP9�r�)By7�"g|/@~.r�"gz/��^~K�/s�>>� �/�)>Cr}�}Ρ5_�^55u�:Iʙ#gK\8=>9)/�G9R{
W�KӜ:賊�9�+f/_+̡sTh3�_?G+@/ ~�dnldڹ<�R+��]q%=-{ᘴ[ͺ�r}ח:
c|U$X2&�����)htVydS����˼=�>w�懴I��8j.�{]�r-Xѧ�cZ=Ś/�Yy<�*
u�=�}٘in?�QǒGЬ��.Ǒrۿ剹?|�ka[<�G4q6 =�Pޛ@K�n
]��85����#r�Ӛ\ŭxg?9/�ydֺWWV�5Wl�NA6KֈE>Yݩ7�xЧx.
ߊ�dU^>n{��d4o�q��a� �F>&od<[`?�eR 7㌰6և�{�
CW�ec=tF}Y�ʪ9�(Ѱ~H�"79<�R9Gq`�FC䮨-3Pt5h{N|3q X94l��H�GRe_*V+rR8~G;B"ð���{)&0#&4v�XUrF(�2B�4|OӴW�]7tS+rc<{�+4�wpY-P��p
E��Ч��/5w̆Hٯ˘E͛YȌ�M�Mu?/�ጽNۯD�#�H���f@�2b'�`{��z9�8�;by0`N�f���.eа!7ao/XbKZ;�cp��\;�l�=4 gjy(}by0\9Kh,~@��
E�!ԏ)g,#�[�P`t{^}FN�.LESzq
;�@8��,_bYĞA
��x��XC��-['l�yjb)m+�bUX���;${%
F(�1>r��^���`iB�0HߟuA;[Dm�X<�ap��N]�%�d/<�Lg}�n`$->X
v;inČk,{�`wb5c*+
"��ЫAz��m�:�o1M55~�ɑ�(�
V �k�EF(�l#byr*B�FWnrǶ;7ٽp��{�P�R�-�~���ӳ�Vm$bx{t�Du;В��O^�!��N��
�fB~OTǓx
��ŌnQ>ಓJ_�bHZf^$ul70H-��z [ݫ}v�`"-s($9L
/}�X�}T.I
5sE�Eב�E,&J #
B:ɄdX.N`'2Д2�v]~iW,){+1¢�_j
u.��ME\kυ�xsp���^[0D00�Y��~l+>AՋpaHz��0�H%)~Ղ]#rF33��1#qyU�� p6�+Bqb<#U:.~=I��T~7)V��\wц|7(6؋|%Og
Ͽa�H�O)
�3FϨnS�C��>X�Z��%r]˜1J1Д8ٶ2#OA3r
ϭ�e[� ��O"�CZ24a�(�zc<�9z�n% ,�1-ix�M �C2~
l|$_Oxƪ~SQxr='���d���u-I�S`�ނ4�ܨNaEVb0%�yMvS}?�d|E��#bSp!@�pM5f2QTĻ
�Q)ۉYj��%x�d휙Eד69~sµe@DqLgHvxGml<^�:y�l떮�E�Ofu�ݎüȶJ�{]!Kb��C>bmR>ǔK.)�tO�ԕ��CVt3N�ů�k,^��zX�տdW3>�n)ZF#,c
�ԭ<�P8��_CAc.v^%e�܌�uF¶u4m�����ѩ���oTM\7LTV�2��h�T�xI;s�__9V0�|>,�cz��#}c\��91F`=s�˓
i>2�#"�$$jVI�;;Q0��&iE-ȓl`C�v�_.�<8-�ciĬ��;acXJ�XF!&�?�O80�Ux|�-h\l�}[xtmx0#rz�,�ɀj^0�U9sm�j ֺW6x�ozc|�[0�XjPtP>9-_0$a�1�+�=�c-�hw!wS׆!0ѕD1F(g,1�f� w�Ax��
�v�4�3u㆗�xtq"E�m�ӻ:igA0��}es1]�/���CM+_1dFx-<��#Dg˳̆Uj*$Zg,��
|
Network Security & Hardware 
