Windows - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Windows


Microsofts Security Response Center: How Little Patches Are Made



 By: Ryan Naraine
2005-06-08
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Windows story.


  Table of Contents:
  1. Microsofts Security Response Center: How Little Patches Are Made
  2. ' Job Doesnt End on '

Rate This Article:
Poor Best
Microsofts Security Response Center: How Little Patches Are Made
( Page 1 of 2 )

Tech Ed conference attendees get a behind-the-scenes look at how Redmond handles the creation of software patches—and an explanation for long delays in fixing known vulnerabilities.ORLANDO, Fla.—Anxious to shed the companys image as having a lax attitude about software security, officials at the Microsoft Security Response Center are using the Tech Ed conference here to provide a rare glimpse at the step-by-step process used to create, test and roll out security patches.

The software maker trained the spotlight on the operations of the MSRC during breakout sessions and one-on-one discussions with customers, stressing that all publicly—and privately—reported vulnerabilities are thoroughly investigated to determine whether customers are at risk.

"Were on all the [security mailing] lists, just like you are, and we investigate everything, even if its a post about a simple weird behavior in a product," said MSRC program manager Stephen Toulouse.

By monitoring the public lists and underground hacker sites, Toulouse said the company is able to keep track of discussions about vulnerabilities that may not have been reported to Microsoft.

In addition, he said, a "real person" monitoring the secure@micosoft.com e-mail address keeps close watch on all vulnerability reports sent in by private researchers.

"Once we determine its a real security issue, it goes into the triage phase. We immediately get in touch with the researcher and ask for more information so we can recreate the attack scenario internally. We also look for different attack scenarios," he said.

Researchers have complained in the past that Microsoft routinely ignores threat warnings, which contributes to the underlying distrust, but Toulouse said the companys mission is to improve its relationship and "create a community" with grey hat hackers.

"We respond immediately to the initial vulnerability report and provide the researcher with contact names, e-mail addresses and phone numbers. We make it clear we want to work closely with the researcher to pinpoint the problem and get it fixed. We commit to providing [researchers] with a progress report on the Microsoft investigation every time they ask for one," he said.

"We may not have enough information from the initial report and we may not know the configurations of the [researchers] vulnerable system, so we always work closely to get all the relevant details."

Resource Library:
Armed with the vulnerability information, the triage team kicks into high gear. On every product team within Microsoft, a staff member is on call to coordinate with the MSRC and join the investigation, Toulouse said.

"It becomes a detailed, complicated process because we are looking at all supported versions of Windows to understand the complete angle and we also have to figure out the impact it could have on customers," he said. "Once we are talking to a product team, weve already confirmed its an issue that needs to be fixed and were already working on the bulletin that will eventually be released [on Patch Tuesday]."

In the midst of investigations, especially for flaws in network-facing products that could cause code execution attacks, he said, the MSRC continues to scour the Internet to determine whether public exploits are circulating.

Windows security ranks high on this years Tech Ed agenda. Click here to read more.

At this stage, Toulouse said, "parallel investigations" are done by the MSRC and the product teams to "widen the circle" and reproduce the attack vector.

"We are now thinking like the hacker. We look at the vulnerability from the hackers perspective. If its a buffer overflow and its Internet-facing, the alarms go off and we have to figure out if its easy to exploit. The product team is also investigating from the code point of view. They want to know if there are additional vulnerabilities in the associated code. So it becomes a complete audit," he said.

This, he admitted, leads to long delays in getting a comprehensive fix rolled out, but its a risk the company is willing to take to ensure the quality of patches. "We find that the [audit] process gives us more depth, and we keep the researcher in the loop throughout the process to let them know what were doing."

The testing process also puts a monkey wrench in the patch release timetable. Even though Microsoft has recruited external patch testers as part of a formalized Security Update Validation Program, Toulouse said the quality assurance process has become "very, very complex," especially for products that are closely tied to the operating system.

Click here to read more about Microsofts decision to use external patch testers.

"In theory, we can release an update with a patch very quickly, but thats a big mistake. One of the things customers demand is quality patches. They dont want to deal with faulty patches that break their applications and they dont want to deal with all the associated trouble," he said.

Its never a perfect science, and Toulouse said the MSRC learned the hard way in 2003 when it rolled out the MS03-026 bulletin to fix a code execution hole in a DCOM RPC (Windows Distributed Component Object Model Remote Procedure Call) interface and subsequently discovered that it was a substandard patch.

A few weeks later, the Blaster worm ripped through the Internet and Microsoft released MS03-039 with an admission that additional ports involving RPC remained unpatched.

"That was an experience that taught us a valuable lesson. Its better if we find it before the bad guys figure it out," he said.

In some cases, particularly when the Internet Explorer browser is involved, the testing process "becomes a significant undertaking," Toulouse said. "Its not easy to test an IE update. There are six or seven supported versions and then were dealing with all the different languages. Our commitment is to protect all customers in all languages on all supported products at the same time, so it becomes a huge undertaking."

"This is exactly why it can take a long time to ship an IE patch. Were dealing with about 440 different updates that have to be tested. We have to test thoroughly to make sure it doesnt introduce a new problem. We have to make sure it doesnt break the Internet. We have to make sure online banking sites work and third-party applications arent affected," he added.

Internet Explorer updates are also cumulative, meaning that they address several newly discovered vulnerabilities and all previously released patches, causing even more delays when the new fixes are bundled into older updates.

"This is why it takes so long, but thats not to say that if theres an exploit, we wont accelerate testing and get it out there as fast as we can. But if we find problems in the testing phase, it could trigger a restart and cause even more delays," Toulouse said.

Next Page: The job doesnt end on Patch Day.





  Reader Comments: Microsofts Security Response Center: How Little Patches Are Made
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Windows Articles          >>> More By Ryan Naraine
 


x}r㶲s\@♵M푦dKkmyYSHHbLZ$KreoВlO}6Fh@ggOD\ݴ9w͙M5>56^@^jc\ȁY\nhɿTݑu:1BsdbLJNtf?D9zu v=rذ 1"% hJqO{e $}ВEtBAͨ8 .)J!"xV3t BDԑ?CC7=aL+i,h΋OςI5tO|BMk6 tI< EC#mxqZ.S+ЍEXn`vt"I4oap{4ڭl= KpI}xXOk9mLP#AтMz>kI-ߟL-s#08wwɭ5 <Q%]Ӂ4}aqjS〧 !Tgx3=w= | o ߽5#z[-[X6x G͙A R|'sZ.( wc@ =JIAL"D% T h4AGEENmb$OHX-Vpp(ݞH:sGn_-KEs㙰TL٣XB YX/_23CCɴaX9{DMfT`B[ụDKak`F]_rA+ŲMCAIqTZ/)CzdEgl;Si;COΌ`?[^0t)ioLI ?,xpo aB?1bѪ)C@3~ ~6ˇ-|Ц5}b0&B11 =w :'_ ۝P '.јSQrVҳsMi |k٬ ̙> .z2Hp0ѿ{̞v(֌f;,NrByOS*,, H@,gmdz[Oq)f$ ,4tOݡ~u_24-%ւfۏRu%zց$l J=°εZ*![p5|a׼2F]RZBKHDlPc/΅%2=CM"&Io<j7}A 5s;o\PeepdҶ<:UKU5m\-}sf8, J; HoIJ*6*/gXS؝yд\"ҝzGzW@>:`3әǟGRlC2ӱDhR+}ne0GIUU[23R%x#e\46L XbOF8]%0Z3-,*'5eGhH35f"@0oY=:=4̄+uh'T-a?xtqj )مYk;+H8KJAUc?$i?怚H|A2exL,`_C׶ݻlʠ::7HҘN!ȹg@**X-PQ1"YOt/F5aNjN~SmF3䊻!`P#fpu,Tn\wdSIBE)'.5 cd]Xzm@4`D N.LbV4>\Pbrnr2b*XkPTB$&EPg7`u0$P/XL+*9K.pϟ  sFWyQFfZ?K^HjP'VVR尨V*h!Gq)4ɾ;c>΁x}ˬ5? '_>k{]7 \μ + '3E<&R$-p2HU?X^Ik01Sle`Sxt b*䪢#?݀΍l.#Џ]!.־1X@P A6+8SӞ,jXXRO-85_+1 &oE`9\P˶TU)&U$jl|T`Z܎:y>-.)W` >N-2Ǩi 01j-tpMU*Ղʾ_ڳv+^t m(5#c #2pgrh)hMf54};`է[ +fh+,s Jb+ʹV(EcZUz|yhFIdM3iqS<ܪ+_|ˀeyM/ܛZJg`%'\U+h{9^@HpbGi |䯦gR!܏p<6L Mt,jZ)/19|6t8Y]TM'w_b7oQ2\ 6-УG'~7"mǤ|e2u-tn1b%[4x[2|'@dѪ)3NQFgs|0k嬙fwṛ: ߀&?\@qccn#2v"9zB*>_P궵( EGIռn0RBE-) BD4 ZlmL l⊗q~ZA τkox~E 6 2jm5)`J&¸_v^Iў@b2aOt53qp0͎3-$َVum4uP"5{Hq#$˴I>N0atA*}7*\$IvSf﩮 Ϛ8_arOn͏;W>0Jj$7 rQӊ5JR#09LQ@Z#GYdQ.|eR)Wn8L3Az "!~[!6E),8{Je%[ yr2(jT 8fX&1W+ʬʼ f@48&ov/?ZU}{"}QL ޟpف#;? t%.}vwz@ ۇ>\y1a}n\fCrj8E)jizBvip*/!UWOM}a}dzLR(!Iw1]0|r&El/>HWYFh0Z^ < N9pWKY犟;$g틖:\79$ 5.XF>9>k5ÏۍzhR`QQc cjeax!w m 8D@ISL$SQ(kI``eanKlx0a9RL锐'.ϓp|Nh+'I^VR6T$4%!44QLNbC]B+Cg ҽl\OpVHpo&_xvImK$Ζ&!̗4.נzY8V#kvh~ta}QגZ4ҫoeW!9 ?<)'Tz@”+4tӨ~Ebӝcai;Fx vv;2x;zZ1 ?ݮpeG|wsFdtWcD #塺1&>k'@Ǣ1n ~]ު8Gq,\[9S Zt ەgaBxa1~hr쐋N4z+Ҹ;5LZ0e,H~"CGH|5|ÿ§  95gy S:7vkmc20)}_?I+IcqOsn<rt3VTsb;I6$BUUk ۻȾXEVe.tѕNt*<>rgȸ@7YU (f~\;pO cÙc}d<ݸw[f1vfwoY.=]bwQ[ݝ{ŞvYiIeK\-"PnǸZ|:W%0.ր-%$\}1 _;bE c+g |('򽦎NU%p Mkko!1 %C%4y˭0LdT/rK[⹋^]:lQۍo%n2- fF, y6u2kV)a.Z_nb_pK.YzSꀰtJx2e$[& iv aUޭ? 4QN,ָuˉgȺ܊ I`8'"7,s*rD# Fv.ʚϔb29#xGyy˚Mu{d/H &mw!UU)*%{% j-N*MOA/q۪i ԥaJ4գofکM1:S4T.}09I`TI]0LKT)T"  ];-YU$Lc/< ]j Y uRX]*BS3IUDx'gH%{TZdذoVU؊]&^/YK'K24 izc`@{JfK\Rȗf' LWt/BHmI/nںY~v׺ڮ7izLWM!ĻSBN/.F_nѵu6bP\*/fAv {fGuAUhu]!\pWH9)Fj+,Y[*d\; f`q$HmR\-MW>8raX0J{ڷDzYޑkϋEq7pO>2̽ Ox&7)L *[zXYE.F804#m6toޚUxm!AНht1ᭅ9%yQMF&Xl B$DY "fe~=L"㴭(Tkܳ==)# I0i u o6pB#YV̓f2HL37_b"0h"K /]D *ƬlVH+j^~¸Q߳/&I0`(AŞPsL-mO{MV+MKuKcaPm[#*|t焰fZ;yK Ee&ԧp՟̚\Zy;-^Ge> K\ҥ. ;]邥*X^2l%n3+*vbX|t J/M( ?*I+{{{{}ׂV(W_5%s3L[`` KQK56Ȼ6,1y;W= HCkCu ~ia7}坿Z(7901!nB3!zohWݪKtEMWT{h &,J !ZNOS qbֳeAK=va|c>`/;\xb̀]TKj'SP5R0_$2Df;w+ z"\9|uN$k:'VoqԵF0Zg +1ZtTjNH -H cu?0`D#cmbԷx]kϹꍖEnca,2;cI/K@.bWZ`0b&zpm !W:='g$99lB/tb3Y;k_%9؋ӊ,ƻ.c 2[S!1cTA9-)j":- jD-~0ëi1 Gg>)fF<@FLຶh;bw=Vڸ𺸴q yK-y -J4sc59غsl.h 7pKm$c9zNGfF;n!xZlSKMµ3 Aʥ 8Iuף6: w9IfjRCrz8 Ps7ίzȕժTjQܣF +' 20(Ur3NAf)XyeZۺב:۬Ÿ#=/bZN{? RtacJp8a%}TKTI`3?o(?`|KALr|jq_ojq`v1%Ip4I vSi ^Rc"WVc -|29ҤF;66wZRW3>3B[sxYx˞uc`2,9+aT-^`~oKZIȶ8+΍NSaTwt|Ա\~;4 ?R)!%**B2#o{I } NrtF7e\S[Z8G Pmļϴ@B )}o M,ӴiDLROWa\ND>_s_!0 8 -sF@Yj$O?GP56:[h]wZ^몋V <wB&#xy;&?`J99$.+Ja L8ِk:|e1vȠu/ـ OS5l \Zs4aaֺxuU1"'0 ឩ`U-2Șh MQ ҖHxD~2&'V3!"&Lma@\z6")(ĴC1CLD:5,%}`oyi_21Fiŷn(lC;b21C|>OcbI&F'O T&}nA=bA!>?'~eML)!HbiWu~kg6Q`6u}`EP00a|Ln'àv7]_5:POLsA%NfldaQ({b8M t߃3,ȏ]Klݜ(8cj1I(tCK/Hzsʬ -×>0}(-ŌCZQJФ*!dW`cU-%N+) ; Ͳgb8~E VH:+^@03:%%{$͈oT?`Nrҹ" rrjU\YMa[Kp \MnQs}Ѻj_r {bAlL_d,g:KFYqbvʌPN{:#ͅfU/Y2U94$JM뇭(k.!jbTũ0M?fچfjԊk9ޗGj8ٙ%Wk3;ژӦk􀗣JcrN.Mo )nu:E+WMjV}QqxQ?fWP~(@y'9 4h2ʏxu $>Vsv3Wo73v~i_d ?vs݌/Peu?ˀ]eg(Uѿ@r 3ڿ\'I72q S*R~/2苬+ OY射8(߇ }VV<_`]dkt.rf f{%̭LЯN3^a芪g-5n+ ǸJuys/-#y)6(0gG6+F.Э-'ވm]=g%Iy=0?%Mu1Wvl+Jy._[nNJ>j).~QJxd\$WɴFVی A"Xe8Nt7<1W }+,3y˘w;=q*n}7}v=y cAx܊xG5iq[~|^&m\ŠMC7aoa Jö`Z;o=6dj Y }b)049 hޠ z}y<8J)¼Ib|+}*Յo\&s_" 9oފ_J΅*K XV-0W k`Q{epÄ#6O 5U"yO|/_,c˃~:= I_R\=u{Ȫ\ED}Q!by>W]nx6)G1_nû!<of`-K?Xv3i `dkR0FO 3cEjnf@L @zhmоxNq kHl7c@ԯL`Xk/J7gM5"fGV9/:+_7ac۝X. 6d1w1o6Nώ{;Y:5 ~wh{'Հm&9ش|v$SvtNu<7z_P.; m>~26./Jh"v]"6 R Ň%0g3g2EtR59>`&8`;lÏ"6 #TF\|gȌa)`< {4Sv؏ۤkdQ9Hr&ze h$.6=/k"6DwΚb.-4-)KPRJVm.Q ?`n4+@Kx.^| g˜ǯP @Eʹ5;Dq N&%˷}YQ v|.yzhFʪv\|m&]*IxҍHqp/>~ElC3`A\|eKB${'sm"اTt r!̃LN,G9ˆȝ[QYɶz S~n\[[nAG\+<>ci$x]!fxc< z`7G}4ȦJupEvD'>6كl2`f(_Gk0=Hˍߟg%\"d< lԷ@FC0!Im.KE0%&(Xp\- +4_-r (@P 9BuzϷ[<-v3受e$| _[0~X+mʕbA,\@ 7tl)NgsZ%.YH6v*} X^c0У,20%9G5E6^}.<̳(`,$v"V9rsh;h3THهl*~&o-Yl{kۺНTnxS}v4۝wNE^8%ܚmJ@U&s)#sM-bX)M9Q/kFsK&|idLp -ͱ=RZ`'l/Zwaz,