Charla impartida por Fermín J. Serna, del MSRC de Microsoft, en el evento Asegúr@IT 6, que tuvo lugar el día 18 de Junio de 2009 en Getafe, Madrid.

1. Inside The MicrosoftSecurity Response Process Fermín J. Serna MSRC Engineering

2. We’re Microsoft and we’re here to help! MSRC Teams responsible for security updates: MSRC Operations PM MSRC Engineering Why we are here: Expose internal MSRC process for security updates Case studies on two cases In band comprehensive fix Out of Band fix

3. Releasing a Security Update Release Content Creation Security bulletins - second Tuesday of every month Coordinate all content and resources Information and guidance to customers Monitor customer issues and press Managing Finder Relationship Security bulletin: Affected software/components Technical description FAQs Acknowledgments Triaging Establish communications channel Quick response Regular updates Build the community Encourage responsible reporting Vulnerability Reporting Assess the report and the possible impact on customers Understand the severity of the vulnerability Rate the vulnerability according to severity and likelihood of exploit, and assign it a priority MSRC receives incoming vulnerability reports through: Secure@Microsoft.com – Direct contact with MSRC Microsoft TechNet Security Site – anonymous reporting MSRC responds to all reports: 24 hour response Service Level Agreement to finder Internal response can be immediate when required Update Dev Tools and Practices Technical guidance Fix Validation Investigation Update best practices Update testing tools Update development and design process MSRC Engineering: Workarounds and Mitigations SVRD Blog MAPP Detection Guidance MSRC-Engineering and Product Team: Test against reported issue Test against variants MSRC-Engineering Reproduce the Vulnerability Locate variants Investigate surrounding code and design

4. MSRC Operations Vulnerability Reporting Managing Finder Relationship Content Creation Release Work with finders and security researchers that report vulnerabilities Coordinate internal product teams to work towards an update Develop and release messaging around vulnerabilities Advisories, Bulletins, KB Articles, blogs Coordinate severity ratings with MSRC Engineering and Product teams

5. VulnerabilityReporting MSRC receives incoming vulnerability reports through: Secure@Microsoft.com – Direct contact with MSRC Microsoft TechNet Security Site – anonymous reporting Industry Security Events Honey-pots Security Community Partners MSRC responds to all reports: 24 hour response Service Level Agreement to finder 7 day support Every report is triaged by a security specialist

6. Exploitability Index and Bulletin Severity ratings Provides customers with guidance on the likelihood of functional exploit code being developed Developed in response to customer requests for additional information to further evaluate risk Published as part of the monthly Microsoft security bulletin summary

7. Second Tuesday Release Day Pre Release Post Release Security Bulletin Advance Notification - three business days prior to release MAPP notifications prior to release Updates posted on Download Center, Windows Update and/or Office Update Bulletins posted RSS Feeds Customer email and instant message notifications Community outreach MS Field alerts and call downs SVRD Blog Security Bulletins Webcast (Wednesday following release, 11AM PT) Supplementary Webcasts if needed Monitor bulletin uptake and customer issues through PSS and Windows Update Bulletin maintenance Outreach And Communications

8. Releasing a Security Update Release Content Creation Security bulletins - second Tuesday of every month Coordinate all content and resources Information and guidance to customers Monitor customer issues and press Managing Finder Relationship Security bulletin: Affected software/components Technical description FAQs Acknowledgments Triaging Establish communications channel Quick response Regular updates Build the community Encourage responsible reporting Vulnerability Reporting Assess the report and the possible impact on customers Understand the severity of the vulnerability Rate the vulnerability according to severity and likelihood of exploit, and assign it a priority MSRC receives incoming vulnerability reports through: Secure@Microsoft.com – Direct contact with MSRC Microsoft TechNet Security Site – anonymous reporting MSRC responds to all reports: 24 hour response Service Level Agreement to finder Internal response can be immediate when required Update Dev Tools and Practices Technical guidance Fix Validation Investigation Update best practices Update testing tools Update development and design process MSRC Engineering: Workarounds and Mitigations SVRD Blog MAPP Detection Guidance MSRC-Engineering and Product Team: Test against reported issue Test against variants MSRC-Engineering Reproduce the Vulnerability Locate variants Investigate surrounding code and design

9. Initial Technical Investigation Triaging Investigation Reproduce the issue internally Determine Root cause Gather network captures, crash dumps, etc. See if it is a valid security issue. If so: Determine exploitability and severity

10. Hacking for Variations Investigation Update threat model (if needed) Review code for variants of the reported issue Review code for other issues in the same module/area Check for similar defects in other products See if related bugs were found by internal testers Fuzzing: Develop custom tools / improve existing fuzzing tools as needed. Run fuzzing tools and investigate any issues found Static analysis: Sometimes the issue could be flagged by static analysis of source or binaries If so, update tools as needed and run analysis

11. Validation & Sign-off Fix Validation Update Dev Tools and Practices Technical guidance Fix validation: Review the proposed fix, review the fixed code, test the fixed binary Bulletin review: Review the technical content of the Security Bulletin and provide feedback Communication strategy: Additional information provided to customers via our SRD blog http://blogs.technet.com/srd/ Improvements rolled into the standard fuzzing and static analysis tools prescribed by SDL

12. Mitigations & Workarounds Technical guidance Content Creation Opportunities to disrupt vulnerable code path Methods Analyze callstack + process flow looking for ACL opportunity Inspect source code Ask product team for ideas Knowledge about protocol or product Process Monitor / dynamic analysis Brainstorm with teams

13. Detection Guidance Technical guidance Content Creation Opportunities for partners to detect vulnerability We share Internally generated safe-to-investigate repro Explicit detection guidance (boundary conditions, etc) Problem Description / Technical Notes Exploit Indicators (Event log entries, for example) Stack trace with public symbols Disassembly with public symbols Affected module version

14. Case Studies MS08-025 Cumulative update Variant investigation Understanding new attack vectors and research techniques Testing cycles MS08-078 Quick response time ( 8 days) Timelines Advisory + Communications

15. Internal Process for MS08-025 MSRC Case Opened Internal Repro Root Cause Severity and Attack Vectors Hacking for Variations Mitigations and Workarounds Agree on Fix Review Source Code Functional Tests on Binaries Bulletin Review Bulletin Ships 31st 31st 11th 26th 8th 4th 28th 15th 25th 31st 24th 3rd Fuzz Testing / Developing Fixes Broad Test Pass Depth Test Pass MS08-025 26th 26th

16. Internal Process for MS08-078 Bulletin Ships Vuln posted to Chinese message board Root Cause Begin M&W Investigation Advisory published Out-of-Band Planning Begins Agree on Fix Advisory Rev’d (OLEDB32.dll workaround) Advisory rev’d (Disable Row Position workaround) Advisory rev’d (Disable XML Island workaround) CN-MSRC discovers public posting MSRC Engineering initial repro SRD blog posted 10th 8th 10th 13th 10th 12th 7th 8th 16th 12th 11th Hacking for Variations Focused Package testing MS08-078 9th 9th

17. Blogs: MSRC Operations: http://blogs.technet.com/msrc/ MSRC Engineering http://blogs.technet.com/srd/ Microsoft Security Web sites: www.microsoft.com/security and www.microsoft.com/technet/security Sign up to receive notifications on security updates: www.microsoft.com/security/bulletins/alerts.mspx Sign up for the Security Bulletin Web cast: www.microsoft.com/technet/security/bulletin/summary.mspx RSS Feeds for Security Bulletins: www.microsoft.com/technet/security/bulletin/secrssinfo.mspx Security Advisories: www.microsoft.com/technet/security/advisory Security Guidance Center for Enterprises: www.microsoft.com/security/guidance Protect Your PC: www.microsoft.com/protect MAPP http://www.microsoft.com/security/msrc/mapp/overview.mspx

18. © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

19. Microsoft Active Protections Program(MAPP) New program for security software providers Members of MAPP receive security vulnerability information from MSRC in advance of monthly security update Members can provide updated protections to customers via their security software or devices Antivirus Network-based intrusion detection systems Host-based intrusion prevention systems.