Microsoft Security Response Center - PowerPoint PPT Presentation

About This Presentation
Title:

Microsoft Security Response Center

Description:

Of all the technologies, the Internet has proven to be the greatest threat to data security. ... Scott Culp, security program manager of MSRC, vs. CyBER Paladin (CyP) ...

Slides: 21
Provided by: oplabIm

Transcript and Presenter's Notes


1
Microsoft Security Response Center
  • Presented by Fan Chiang, Chun-Wei

2
Agenda
  • Background
  • Case
  • Current Problem
  • MSRC
  • Security Vulnerability Problem Solving Process
  • Workarounds
  • Service Packs
  • Patches
  • 4 phases of patch development
  • Follow-up
  • Question

3
Background
  • According to a 2000 IDC study, data security
    budgets were projected to rise from 6.2 billion
    in 1999 to 14.8 billion in 2003.
  • Of all the technologies, the Internet has proven
    to be the greatest threat to data security, for
    three reasons:
  • Scope
  • Anonymity
  • Reproducibility

6
Case
  • Scott Culp, security program manager of MSRC,
    vs. CyBER Paladin (CyP)
  • Security vulnerability of MS IIS (versions
    4.0/5.0): canonicalization error
  • CyP planned to post his findings publicly within
    a few days.

7
Current Problem
  • Contact the IIS development team and bring them
    up to speed on the situation.
  • Confirm that the report is a legitimate security
    vulnerability.

8
MSRC
  • MSRC has eliminated over 150 security
    vulnerabilities across roughly 40 MS products.
  • The goal of MSRC: protect users by eliminating
    security vulnerabilities.
  • The main support activity of MSRC: once a
    vulnerability was identified, MSRC worked with
    the relevant product development team to find a
    solution.

9
MSRC (cont)
  • Forms and types of vulnerabilities:
  • Viruses, worms, incorrectly configured systems,
    passwords written on sticky notes.
  • Microsoft's definition of a security vulnerability:
  • A flaw in a product that makes it infeasible,
    even when using the product properly, to prevent
    attackers from usurping privileges on the user's
    system, regulating its operation, compromising
    data on it, or assuming ungranted trust.

10
Security Vulnerability Problem Solving Process
  • Step 1: Obtain information about possible
    security problems.
  • Step 2: Perform initial triage.
  • - Working with the customer to gather more
    information on the problem
  • - Testing the reported configuration
  • - Informing the user about patches or workarounds
    already released
  • Step 3: Involve the product team.

11
Security Vulnerability Problem Solving Process
(cont)
  • Step 4: Devise solution alternatives.
  • - Server-side fixes
  • - Workarounds
  • - Service Packs
  • - Patches
  • Step 5: Implement solutions.
  • Step 6: Press response

12
Security Vulnerability Problem Solving Process -
Step 4
  • Workarounds: provide the user with an alternative
    method of using the product that prevents the
    vulnerability from being exploited.
  • Service Packs: scheduled, periodic software
    updates that correct a large number of bugs,
    including security vulnerabilities.
  • Patches: used when the vulnerability needs to be
    fixed immediately.

13
4 phases of patch development
  • Phase 1: Create a private build and undergo
    initial testing.
  • Phase 2: Proceed to the War Team, which
    challenges the developer to show that the
    private build is necessary and the engineering
    solution is correct.

14
4 phases of patch development (cont)
  • Phase 3: Formal testing, including full
    compatibility testing.
  • Phase 4: Develop an installer package for each
    version of the affected product; the packages
    are then signed by Microsoft and retested.

15
Security Vulnerability Problem Solving Process
(cont)
  • Step 4: Devise solution alternatives.
  • - Workarounds
  • - Service Packs
  • - Patches
  • Step 5: Implement solutions.
  • Build the bulletin and knowledge base article,
    then release the patches or workarounds.
  • Step 6: Press response

16
Follow-Up (B)
  • Good news: the IIS development team knew that
    this security problem had already been fixed by
    a patch released months earlier.
  • Bad news: because the issue was complex, affected
    few users, and had mitigating factors, few
    customers had installed the corresponding patch.

17
Canonicalization Error
  • Security vulnerability of MS IIS (versions
    4.0/5.0): canonicalization error
  • c:\dir\test.dat, test.dat, and ..\..\test.dat
    might all refer to the same file, e.g.
    c:\dir\test.dat.
  • c:\inetpub\wwwroot\test1\test2\test.asp
  • www.microsoft.com/windowsnt/information/test.asp
    (VIRTUAL)
  • www.microsoft.com/test1/test2/test.asp (PHYSICAL)
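As an added example that is not part of the original presentation, the following Python script shows why the different spellings on this slide matter to a web server. It resolves the slide's spellings to one canonical Windows path using the standard library's ntpath module (so it runs on any platform), maps a request URL to a physical path under an assumed web root (c:\inetpub\wwwroot, with the slide's virtual directory /windowsnt/information assumed to map to wwwroot\test1\test2), and then runs the "is this file inside the web root?" check twice: once on the raw string, the pattern that lets a '..' segment walk out of the web root, and once on the canonical form. The sample requests, including the percent-encoded one, are constructed for illustration; the presentation does not describe the mechanism of the actual IIS flaw and this script does not claim to reproduce it.

```python
import ntpath
from urllib.parse import unquote

# Assumed web root, as on the slide.
WWWROOT = r"c:\inetpub\wwwroot"

# Assumed virtual-to-physical directory mapping, modelled on the slide's
# example: the virtual path /windowsnt/information/ is served from the
# physical directory wwwroot\test1\test2.
VIRTUAL_DIRS = {
    "/windowsnt/information": ntpath.join(WWWROOT, "test1", "test2"),
}


def canonicalize(path, base=None):
    """Canonical form of a Windows path: resolve a relative name against
    base, collapse '.' and '..' segments, unify separators and fold case
    (Windows file names are case-insensitive)."""
    if base is not None:
        path = ntpath.join(base, path)  # absolute paths ignore base
    return ntpath.normcase(ntpath.normpath(path))


def same_file(path_a, path_b, base=None):
    """Two spellings name the same file iff their canonical forms are equal."""
    return canonicalize(path_a, base) == canonicalize(path_b, base)


def to_physical(url_path):
    """Map a request path to a physical path: percent-decode, substitute a
    virtual directory if one matches, otherwise prefix the web root.
    Deliberately no canonicalization here; the two checks below differ in
    whether they add it."""
    path = unquote(url_path)
    lowered = path.lower()
    for vdir, pdir in VIRTUAL_DIRS.items():
        if lowered == vdir or lowered.startswith(vdir + "/"):
            return pdir + path[len(vdir):].replace("/", "\\")
    return WWWROOT + path.replace("/", "\\")


def inside_root_naive(physical):
    """Vulnerable check: string prefix test on the raw, un-canonicalized
    path. '..' segments are still present, so the prefix still matches."""
    return physical.lower().startswith(WWWROOT.lower())


def inside_root_canonical(physical):
    """Hardened check: canonicalize first, then test containment."""
    root = canonicalize(WWWROOT)
    canon = canonicalize(physical)
    return canon == root or canon.startswith(root + ntpath.sep)


def evaluate(url_path):
    """Return (canonical physical path, naive verdict, canonical verdict)."""
    physical = to_physical(url_path)
    return (canonicalize(physical),
            inside_root_naive(physical),
            inside_root_canonical(physical))


# Constructed sample requests (not from the original presentation).
SAMPLE_REQUESTS = [
    "/test1/test2/test.asp",                       # physical path
    "/windowsnt/information/test.asp",             # virtual alias, same file
    "/Test1/TEST2/Test.ASP",                       # case variant, same file
    "/windowsnt/information/../../../secret.txt",  # walks out of wwwroot
    "/%2e%2e/secret.txt",                          # same walk, percent-encoded
]

if __name__ == "__main__":
    # The slide's three spellings of one file, resolved against c:\dir\a\b.
    print(same_file(r"c:\dir\test.dat", r"..\..\test.dat", base=r"c:\dir\a\b"))
    for req in SAMPLE_REQUESTS:
        canon, naive_ok, canon_ok = evaluate(req)
        print(f"{req:45} -> {canon:42} naive={naive_ok!s:5} canonical={canon_ok}")
```

The first three requests canonicalize to the same file, which is the slide's point about virtual and physical paths. The last two pass the naive prefix check and fail the canonical one: the decision has to be made on the canonical form, after every decoding and aliasing layer has been applied, or an attacker chooses the spelling that the check does not recognize.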

18
Follow-Up (B) (cont)
  • First, release the information as quickly as
    possible, in case malicious users were already
    compromising web sites.
  • Second, and equally important, once the bulletin
    was released, the whole world needed to be
    informed as quickly as possible. Otherwise,
    hackers would start attacking the stragglers.

19
Follow-Up (C)
  • MSRC decided to keep the security vulnerability
    problem under wraps over the weekend.
  • MSRC asked TAMs (Technical Account Managers) to
    support patch installation on customers'
    machines.

20
Question
  • How could Culp solve this security problem before
    attackers compromised Web sites running MS IIS?
  • Should he take a calculated risk and wait an
    extra day in order to prepare the patch in
    multiple languages?