Explore the MSRC's approach to handling security vulnerabilities, from identification to patch deployment, in response to an MS IIS issue. Learn about workarounds, service packs, patches, and the phases of patch development. Discover how MSRC collaborates with product teams and prioritizes user protection. Follow a case involving CyBERPaladin (CyP) and the canonicalization error in MS IIS. Gain insight into the key steps of problem solving and proactive security measures.
Microsoft Security Response Center
Presented by Fan Chiang, Chun-Wei (范姜竣韋)
NTUIM
Agenda
• Background
• Case
• Current Problem
• MSRC
• Security Vulnerability Problem Solving Process
• Workarounds
• Service Packs
• Patches
• 4 phases of patch development
• Follow-up
• Question
Background
• According to a 2000 IDC study, the data security budget was projected to rise to 14.8 billion in 2003 from 6.2 billion in 1999.
• Of all the technologies, the Internet has proven to be the greatest threat to data security, for three reasons:
  - Scope
  - Anonymity
  - Reproducibility
Case
• MSRC security program manager Scott Culp vs. CyBERPaladin (CyP)
• Security vulnerability in MS IIS (versions 4.0 and 5.0): "Canonicalization Error"
• CyP planned to post his findings publicly "within a few days."
Current Problem
• Contact the IIS development team and bring them up to speed on the situation.
• Legitimize the security vulnerability (confirm that the report is genuine).
MSRC
• MSRC has eliminated over 150 security vulnerabilities across roughly 40 MS products.
• The goal of MSRC: protect users by eliminating security vulnerabilities.
• The main support activity of MSRC: once a vulnerability is identified, MSRC works with the relevant product development team to find a solution.
MSRC (cont'd)
• Forms and types of vulnerabilities:
  - Viruses, worms, incorrectly configured systems, passwords written on sticky notes.
• MS's definition of a security vulnerability:
  - A flaw in a product that makes it infeasible (even when using the product properly) to prevent attackers from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust.
Security Vulnerability Problem Solving Process
• Step 1: Obtain information about possible security problems.
• Step 2: Perform initial triage.
  - Work with the customer to gather more information on the problem.
  - Test the reported configuration.
  - Inform the user about patches or workarounds already released.
• Step 3: Involve the product team.
Security Vulnerability Problem Solving Process (cont'd)
• Step 4: Devise solution alternatives.
  - Server-side fixes
  - Workarounds
  - Service packs
  - Patches
• Step 5: Implement solutions.
• Step 6: Press response.
Security Vulnerability Problem Solving Process - Step 4
• Workarounds: provide the user with an alternative method of using the product that prevents a vulnerability from being exploited.
• Service packs: a scheduled, periodic software update that corrects a large number of bugs, including security vulnerabilities.
• Patches: used when the vulnerability needs to be fixed immediately.
4 phases of patch development
• Phase 1: Create a "private build" and undergo initial testing.
• Phase 2: Proceed to the "War Team", which challenges the developer to show that the private build is necessary and that the engineering solution is correct.
4 phases of patch development (cont'd)
• Phase 3: Formal testing, including full compatibility testing.
• Phase 4: Develop an installer package for each version of the affected product; the packages are then signed (by MS) and retested.
Security Vulnerability Problem Solving Process (cont'd)
• Step 4: Devise solution alternatives.
  - Workarounds
  - Service packs
  - Patches
• Step 5: Implement solutions.
  - Build the bulletin and knowledge base article, then release the patches or workarounds.
• Step 6: Press response.
Follow-Up (B)
• Good news: the IIS development team knew that this security problem had already been solved by a patch released months earlier.
• Bad news: because the issue was complex, affected few users and had some mitigating factors, few customers had installed the corresponding patch.
Canonicalization Error
• Security vulnerability in MS IIS (versions 4.0 and 5.0): "Canonicalization Error"
• c:\dir\test.dat, test.dat, and ..\..\test.dat might all refer to the same file, such as c:\dir\test.dat.
• The same file reached through a virtual and a physical URL path:
  - c:\inetpub\wwwroot\test1\test2\test.asp
  - www.microsoft.com/windowsnt/information/test.asp (VIRTUAL)
  - www.microsoft.com/test1/test2/test.asp (PHYSICAL)
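The slide's point, that many spellings can name one file, means a server has to canonicalize a request path before making any access decision. As an added example (not part of the presentation), this Python code resolves a URL path to one canonical form and only then maps it to a physical file under the web root or a virtual directory; the web root, the virtual-directory table and the sample paths are constructed assumptions built from the slide's path names.

```python
from urllib.parse import unquote

# Constructed sample layout (an assumption, not from the slides): web root plus one virtual directory.
WEB_ROOT = r"c:\inetpub\wwwroot"
VIRTUAL_DIRS = {"/windowsnt/information": r"c:\inetpub\wwwroot\test1\test2"}

def canonicalize(url_path: str) -> str:
    """One canonical spelling for a request path, or ValueError if it escapes
    the root. Percent-decoding repeats to a fixed point (double encoding),
    backslashes count as separators (Windows accepts both), and '.', empty
    segments and '..' are resolved per segment instead of being clipped."""
    decoded = url_path
    for _ in range(4):  # bounded: stop at the fixed point or after 4 rounds
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    parts = []
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                raise ValueError("path escapes the web root: %r" % url_path)
            parts.pop()
            continue
        parts.append(seg.lower())  # Windows file names are case-insensitive
    return "/" + "/".join(parts)

def map_to_physical(url_path: str) -> str:
    """Canonicalize FIRST, then map virtual directories, so a '..' inside a
    virtual directory cannot reach that folder's physical parent."""
    canon = canonicalize(url_path)
    base, rel = WEB_ROOT, canon
    for prefix, folder in VIRTUAL_DIRS.items():
        if canon == prefix or canon.startswith(prefix + "/"):
            base, rel = folder, canon[len(prefix):]
            break
    physical = base + rel.replace("/", "\\")
    if not (physical.lower() + "\\").startswith(base.lower() + "\\"):  # defence in depth
        raise ValueError("mapped path left its folder: %r" % physical)
    return physical

def escapes_root(url_path: str) -> bool:
    # True when the request is rejected for escaping the web root.
    try:
        map_to_physical(url_path)
        return False
    except ValueError:
        return True
```

The virtual path /windowsnt/information/test.asp and the physical path /test1/test2/test.asp both resolve to the same file, which is exactly the ambiguity the slide describes.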
Follow-Up (B) (cont'd)
• First, release the information as quickly as possible, in case malicious users were already compromising web sites.
• Second, and equally important, once the bulletin was released, the whole world needed to be informed as quickly as possible; otherwise hackers would start attacking the stragglers.
Follow-Up (C)
• MSRC decided to keep the security vulnerability under wraps over the weekend.
• MSRC asked TAMs to support patch installation on customers' machines.
Question
• How could Culp solve this security problem before attackers compromised Web sites running MS IIS?
• Should he take a calculated risk and wait an extra day in order to prepare the patch in multiple languages?