Mechele Gruhn, Microsoft
Are you perfect? We aren't. But we are trying to be better.
Please join us as we share the good, the bad, and the ugly stories of success and failure from the last crazy year, how we plan to improve in the next year, and how you can help.
This session is aimed at BlueHat attendees, both external and internal to Microsoft, who work with the Microsoft Security Response Center to resolve vulnerabilities under coordinated vulnerability disclosure. It shares lessons learned from the past year and a look forward to the next.
2. WARNING
The following presentation contains exploits, true stories, rampant
honesty and integrity combined with radical transparency and attempts
to save the world. As such, it may contain mature language, trigger
content, and other items which may cause discomfort in the viewer.
You are welcome to leave now.
You have been warned.
6. stop this criminal insanity
bestially demented psychopaths
an unidentifiable MS Support person, containing more nonsensical, inept and empty words proving that only an irresponsible mentally retarded semiliterate saboteur, an intellectually challenged semiliterate and/or a communicationally challenged semiliterate can write such nonsensical, inept and empty words
kinda shady
Can I have an update on MSRC Case XXXXX please? It's a severe vulnerability with an easy temporary fix, but no updates/fix after 5 months
I'm totally disappointed in MSRC. It seems that they cannot understand my PoC nor make any reasonable conclusion :(
May I know the status of my bug report XXXXX so that I could disclose it publicly if it's fixed
why are you repeatedly ignoring my emails asking to confirm which CVE fixes which case/s I reported…
I thought we liked each other, but now you're giving me the silent treatment. Should I disclose issues without fix confirmation?
any updates about this case XXXXX for four months and I got no reply about the bounty. Please check it ASAP.
why is there no response to my e-mail?
:( why does this keep happening to my reports?
The world is not simply black (Hacking Team) and white (MSRC); that type of thinking leads to totalitarianism
nice to see MSRC didn't credit me though :/
Asked MSRC to look into the fact that MSFT installers are easily pwned by DLLs planted by Edge in Downloads. Their response? ¯\_(ツ)_/¯ Wonder what they would consider "a real lead", if this isn't one. :-/
I meant that somebody needs to audit MSRC. Somebody up there at Microsoft with a bit of blood in her veins.
What is the maximum queue time for a report in MSRC to be forwarded to the Bounty team?
MSRC still sucks xxx. XXXX this place
MSRC is dead
robots
My friend it's been a long time since you reported the security clearance. You have not answered yet. I do not have time to wait for you anymore. I explained the security issue. I will never report security incidents again! You work very slowly. I'm xxxxxxx your mother in your friend who confirmed the report! XXXX off! Close the report. XXXX you report and your friend and your mom!
7. MSRC LISTENS | BLUEHAT V18
Mechele Gruhn
Principal Security PM Manager
MSRC Vulnerability Response
@M3CH3L3
Kymberlee Price
Principal Security PM Manager
MSRC Community Programs
@Kym_Possible
9. Microsoft Security Response Center
Our mission is to protect customers from being harmed through security vulnerabilities in Microsoft's offerings and rapidly repulse attacks against the Microsoft Cloud.
secure@microsoft.com | @msftsecresponse
Coordinated Vulnerability Disclosure
Bounty
Security Update Guide
Researcher Top 100
BlueHat
Cyber Defense Operations Center
Microsoft Active Protection Program
GSP
SSIRP
15. Update guidance for speculative execution side-channel attacks
[diagram: 1 advisory, ADV180002, covering CVE-2017-5753, CVE-2017-5754 and CVE-2017-5715; the extracted slide lists 30 KB, 16 Blog and 12 Ack entries hanging off that single advisory]
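The slide above shows how one advisory, ADV180002, spreads across KB articles, blog posts and acknowledgements. On the receiving end, the check a practitioner wants is whether a given host actually has those mitigations turned on. The PowerShell script below is an added example for this page, not code from the deck or from MSRC. It assumes the registry values Microsoft documented alongside ADV180002 (FeatureSettingsOverride and FeatureSettingsOverrideMask under the Memory Management key, where Override=0 with Mask=3 enables both mitigations, Override=3 with Mask=3 disables them, and Windows Server leaves them off until the keys are set) and, if it is installed, the SpeculationControl module from the PowerShell Gallery with its documented output property names.

```powershell
# Added example for this page, not code from the BlueHat deck or from MSRC.
# Reports the ADV180002 (Spectre / Meltdown) mitigation state on the local host.
# Assumptions: the registry values Microsoft documented with ADV180002
# (FeatureSettingsOverride / FeatureSettingsOverrideMask) and, optionally, the
# SpeculationControl module from the PowerShell Gallery and its output property names.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-FeatureSettingsOverride {
    # Returns the two override DWORDs; each is $null when the value is not set.
    $props = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    $override = $null
    $mask     = $null
    if ($null -ne $props) {
        $override = $props.FeatureSettingsOverride
        $mask     = $props.FeatureSettingsOverrideMask
    }
    [pscustomobject]@{ Override = $override; Mask = $mask }
}

function Resolve-MitigationPolicy {
    param(
        [Parameter(Mandatory)] $Settings,
        # ProductType 1 is a workstation SKU; 2 (domain controller) and 3 are server SKUs.
        [bool] $IsServer = ((Get-CimInstance Win32_OperatingSystem).ProductType -ne 1)
    )
    # Only the combinations from Microsoft's guidance are interpreted here;
    # anything else is a custom override that has to be read against the advisory.
    if ($null -eq $Settings.Override -and $null -eq $Settings.Mask) {
        # No override: client SKUs enable the mitigations by default, server SKUs
        # leave them off until the keys are set.
        if ($IsServer) { return 'DefaultOff (server, keys not set)' }
        return 'DefaultOn (client, keys not set)'
    }
    if ($Settings.Override -eq 0 -and $Settings.Mask -eq 3) { return 'ExplicitOn' }
    if ($Settings.Override -eq 3 -and $Settings.Mask -eq 3) { return 'ExplicitOff' }
    return "Custom (Override=$($Settings.Override) Mask=$($Settings.Mask))"
}

function Get-SpeculationStatus {
    $settings = Get-FeatureSettingsOverride
    $report = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        RegistryPolicy = Resolve-MitigationPolicy -Settings $settings
        Override       = $settings.Override
        Mask           = $settings.Mask
    }
    # The registry is policy, not state: microcode may be missing, or an older
    # build may lack OS support. The SpeculationControl module asks the kernel
    # what is actually active, so use it when it is present.
    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        $sc = Get-SpeculationControlSettings -Quiet
        $report.BTIHardwarePresent = $sc.BTIHardwarePresent
        $report.BTIEnabled         = $sc.BTIWindowsSupportEnabled
        $report.KVAShadowRequired  = $sc.KVAShadowRequired
        $report.KVAShadowEnabled   = $sc.KVAShadowWindowsSupportEnabled
    } else {
        $report.Note = 'Install-Module SpeculationControl to verify the live kernel state'
    }
    [pscustomobject]$report
}

Get-SpeculationStatus | Format-List
```

Treat ExplicitOff on a host that runs untrusted code as a finding, and treat a Custom pair as something to compare against the advisory by hand, since values other than the two documented pairs usually come from role- or vendor-specific guidance. The registry read needs no elevation; the module call is what tells you whether the CPU microcode and the OS build actually support the mitigation the policy asks for.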
18. vulnerability (noun)
ˌvəl-n(ə-)rə-ˈbi-lə-tē
: a security exposure that results from a product weakness that the product developer did not intend to introduce and should fix once it is discovered
33. DESIGN REVIEW | STEPHANIE BATTERSHELL / HUI LIU (DAISY)
Vulnerability Report
Abuse Report
Azure Pentest
Notification
Online Services Researcher
Acknowledgments
Report an issue