Microsoft Security Response Center
Presented by Fan Chiang, Chun-Wei (范姜竣韋)
NTUIM
Agenda
• Background
• Case
• Current Problem
• MSRC
• Security Vulnerability Problem Solving Process
• Workarounds
• Service Packs
• Patches
• 4 phases of patch developing
• Follow-up
• Question
Background
• According to a 2000 IDC study, data security budgets would rise to 14.8 billion in 2003 from 6.2 billion in 1999.
• Of all the technologies, the Internet has proven to be the greatest threat to data security, for three reasons:
• Scope
• Anonymity
• Reproducibility
Case
• Scott Culp, security program manager of MSRC, vs. CyBERPaladin (CyP)
• Security vulnerability in MS IIS (versions 4.0 and 5.0): the “Canonicalization Error”
• CyP planned to post his findings publicly “within a few days.”
Current Problem
• Contact the IIS development team and brief them on the situation.
• Confirm that the reported security vulnerability is genuine.
MSRC
• MSRC has eliminated over 150 security vulnerabilities across roughly 40 MS products.
• The goal of MSRC: protect users by eliminating security vulnerabilities.
• The main activity of MSRC: once a vulnerability is identified, MSRC works with the relevant product development team to find a solution.
MSRC (con’t)
• Forms and types of vulnerabilities:
• Viruses, worms, incorrectly configured systems, passwords written on sticky notes.
• Microsoft's definition of a security vulnerability:
• A flaw in a product that makes it infeasible, even when using the product properly, to prevent attackers from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust.
Security Vulnerability Problem Solving Process
• Step 1: Obtain information about possible security problems.
• Step 2: Perform initial triage.
- Work with the customer to gather more information on the problem
- Test the reported configuration
- Inform the user about patches or workarounds already released
• Step 3: Involve the product team.
Security Vulnerability Problem Solving Process (con’t)
• Step 4: Devise solution alternatives.
- Server-side fixes
- Workarounds
- Service packs
- Patches
• Step 5: Implement solutions.
• Step 6: Press response.
Security Vulnerability Problem Solving Process - Step 4
• Workarounds: provide the user with an alternative way of using the product that prevents the vulnerability from being exploited.
• Service packs: a scheduled, periodic software update that corrects a large number of bugs, including security vulnerabilities.
• Patches: used when the vulnerability needs to be fixed immediately.
4 phases of patch developing
• Phase 1: Create a “private build” and put it through initial testing.
• Phase 2: Proceed to the “War Team”, which challenges the developer to show that the “private build” is necessary and that the engineering solution is correct.
4 phases of patch developing (con’t)
• Phase 3: Formal testing, including full compatibility testing.
• Phase 4: Develop an installer package for each version of the affected product; the packages are then signed by MS and retested.
Security Vulnerability Problem Solving Process (con’t)
• Step 4: Devise solution alternatives.
- Workarounds
- Service packs
- Patches
• Step 5: Implement solutions.
• Build the bulletin and knowledge base article, then release the patches or workarounds.
• Step 6: Press response.
Follow-Up (B)
• Good news: the IIS development team knew that this security problem had been solved by an already released patch months earlier.
• Bad news: because the issue was complex, affected few users and had some mitigating factors, few customers had installed the corresponding patch.
Canonicalization Error
• Security vulnerability in MS IIS (versions 4.0 and 5.0): the “Canonicalization Error”
• c:\dir\test.dat, test.dat, and ..\..\test.dat might all refer to the same file, e.g. c:\dir\test.dat.
• c:\inetpub\wwwroot\test1\test2\test.asp
• www.microsoft.com/windowsnt/information/test.asp (VIRTUAL)
• www.microsoft.com/test1/test2/test.asp (PHYSICAL)
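As an added illustration (not from the slides and not Microsoft's IIS code) of why spellings such as ..\..\test.dat defeat a check performed before canonicalization: a naive containment test beside a hardened one that canonicalizes the requested URL path and maps it to the physical path under an assumed web root of c:\inetpub\wwwroot, the physical path on the slide. It goes slightly beyond the slide by also collapsing '/' vs '\' and percent-encoded segments, which are further spellings of the same file.

```python
import ntpath
from urllib.parse import unquote

# Constructed example: the web root is taken from the physical path on the slide.
WEB_ROOT = r"c:\inetpub\wwwroot"


def naive_is_inside(url_path: str) -> bool:
    """The flawed check: judges the request path as written.

    It only asks whether the text looks like it stays under the root, so a
    request such as '/test1/../../test.dat' passes even though the file system
    resolves it above the web root once the '..' segments are applied."""
    return not url_path.startswith("..") and ":" not in url_path


def canonical_physical_path(url_path: str):
    """Map a URL path to its canonical physical path under WEB_ROOT.

    Returns the canonical path, or None when the request would escape the
    root. Every equivalent spelling ('.', '..', '/' vs '\\', percent-encoding)
    is collapsed *before* the containment check, so the check and the file
    system agree on which file is meant."""
    # 1. Undo percent-encoding, so '%2e%2e' is seen as '..' just as the server sees it.
    decoded = unquote(url_path)
    # 2. Treat both separators alike and strip leading ones, so the path is
    #    joined beneath the root instead of replacing it.
    relative = decoded.replace("/", "\\").lstrip("\\")
    # 3. Collapse '.' and '..' segments into one canonical form (pure string
    #    operation; ntpath works on any platform).
    candidate = ntpath.normpath(ntpath.join(WEB_ROOT, relative))
    # 4. Compare case-insensitively (Windows file systems are) and require the
    #    result to be the root itself or a path strictly beneath it.
    root = ntpath.normcase(WEB_ROOT)
    cand = ntpath.normcase(candidate)
    if cand == root or cand.startswith(root + "\\"):
        return candidate
    return None
```

The authorization decision must be made on the value this function returns, never on the raw request string.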
Follow-Up (B) (con’t)
• First, release the information as quickly as possible, in case malicious users were already compromising web sites.
• Second, and equally important, once the bulletin was released, the whole world needed to be informed as quickly as possible; otherwise hackers would start attacking the stragglers.
Follow-Up (C)
• MSRC decided to keep the security vulnerability under wraps over the weekend.
• MSRC asked TAMs to support the patch installation on customers' machines.
Question
• How could Culp solve this security problem before attackers compromised Web sites running MS IIS?
• Should MSRC take a calculated risk and wait an extra day in order to prepare the patch in multiple languages?