Stephen Toulouse - Introduction to Microsoft's security response center

Stephen Toulouse is a security program manager with Microsoft's security response center.

The security response center is the team (and place) that goes into action when a new vulnerability or attack on one of Microsoft's products or customers is found and reported to secure@microsoft.com (that team watches that email address seven days a week, 365 days a year).

The team also works with software teams at Microsoft to bring out patches, updates, and advice for our customers. You'll see the team's work at microsoft.com/security. We recommend visiting that site often to make sure you're up to date on Microsoft's official recommendations on anything regarding the security of Microsoft's products.

Why did Stephen invite us over? To remind you to visit microsoft.com/protect and make sure your system is protected against the bad guys out there.

In this video he introduces us to what goes on in the security response center.

During the interview he mentions several security bulletin numbers. You can look up all the bulletins at http://www.microsoft.com/technet/security.

Over the next week Stephen will talk more about security.

Follow the Discussion

  • I have a version of that T-Shirt Smiley

    .. Question .. Are people allowed to send source (*.c|*.cpp) files to Security@Microsoft.com?
  • Maurits - AKA Matthew van Eerde
    Very nice.  A good picture of security from the reactive side.
    I'm interested also in the proactive side - where can I find info on what Microsoft does to stop vulnerabilities from getting into the software, and to catch vulnerabilities between creation and release?  (developer education, QA, torture tests...)
    Does the biofeedback between the MSRC and Product Development extend to the point of identifying a particular programmer or team of programmers responsible for introducing the vulnerability (after it's fixed, of course)?  Do they then have to re-take security training?
  • AT

    LOL. Please remove this 7x365 slogan.
    They simply do their job. Sometimes they do it well (for example the Slammer worm), but sometimes they do not (Slammer was an exceptional and non-regular case).

    Taking into account my bad experience with secure@microsoft.com, I prefer to contact product groups directly.
    They do monitor the email alias during business hours. But this alias is like a black hole: information can flow only in, there is no way to get status or resolution on your reports.
    Most of the time everything you receive is a template like "Thanks. Your issue is important. We are working on solution. We will let you know" with 0 words about the actual status. Also you will not receive an answer for several months (if any)!!

    Take a look at any recent issue and find out the time when the issue was first reported and when it was actually fixed. For example this issue took 216 days. And I'm pretty sure that the eEye Digital Security team provided all the information needed and contacted the correct people.

    I hope there will be changes to this in the near future.

  • Wow, AT you got onto ZDNet.. that is pretty cool. Nice work!

    You are not the first person I've heard that had a bad experience when submitting a problem to Security@MS.com and I'm sure not the last.
  • The Channel 9 Team - 5 guys from Redmond

    Stephen told me that, yes, you can. Just zip them up.

    Also, the email alias is secure@microsoft.com (not security).

    Robert

  • Stepto - Not everyone at the MSRC shaves their head.
    AT wrote:

    LOL. Please remove this 7x365 slogan.
    They simply do their job. Sometimes they do it well (for example the Slammer worm), but sometimes they do not (Slammer was an exceptional and non-regular case).

    Taking into account my bad experience with secure@microsoft.com, I prefer to contact product groups directly.
    They do monitor the email alias during business hours. But this alias is like a black hole: information can flow only in, there is no way to get status or resolution on your reports.
    Most of the time everything you receive is a template like "Thanks. Your issue is important. We are working on solution. We will let you know" with 0 words about the actual status. Also you will not receive an answer for several months (if any)!!

    Take a look at any recent issue and find out the time when the issue was first reported and when it was actually fixed. For example this issue took 216 days. And I'm pretty sure that the eEye Digital Security team provided all the information needed and contacted the correct people.

    I hope there will be changes to this in the near future.



    Hi AT,

    Thanks for the feedback, I'm sorry you had a bad experience at one time but I can assure you that we monitor that alias even on holidays and weekends and off-business hours.  And you get real responses from real people.

    In regards to eEye, they certainly provided us with information, and we provided information back during the entire time.  Sometimes security vulnerabilities are in deep components that require a significant amount of testing. 

    As I explain in the video, with as broad a deployment base as we have, if we produce an update that introduces a problem to even one percent of our users, that's still potentially millions of people that we broke, which of course will cause even more people to not trust updates and not install them.  In the case of that vulnerability, the component was in RPC/DCOM, which of course is used by a multitude of things beyond just the operating system. Thus there was a significant amount of testing that had to be done, and during that testing phase we're still communicating with the security researcher, providing them information.

    I think things have changed significantly in the past several years, and things are only going to get better as time goes on. 

    Thanks again for the feedback.

    S.
  • AT

    Stepto wrote:

    ....

    As I explain in the video, with as broad a deployment base as we have, if we produce an update that introduces a problem to even one percent of our users, that's still potentially millions of people that we broke, which of course will cause even more people to not trust updates and not install them. 

    Sure. I agree about this.
    But your arguments have nothing to do with my issue.

    I was working with the ITG/Operations team to fix important security and usability issues I found in the Microsoft File Transfer Manager ActiveX control.
    It took 4 months (Feb-May) for them to release a new version of the ActiveX control, but they were unable to issue any warning to customers.
    As a result I contacted the secure@microsoft alias in late May and provided all details about the issue and contact information for the person I was working with.

    In July I received a useless template email with words like "We are working on issue. Stay tuned".
    Only 2 months after the initial contact (at the beginning of August) and 4 or 5 additional emails to secure@microsoft was your team able to prepare a draft of the security warning.
    They spent an additional 14 days sending it to people. Only after I disclosed the information to the public were people warned.

    But this was not the end of my bad experience.

    Lynn Terwoerds, senior program manager for Microsoft's Security Response Center, publicly lied: "The security response center has been handling this for about a month".

    If you do basic math - June (date of the latest FTM version with minor fixes at that time) and 19 August - this is clearly more than one month.

    P.S. BTW, there was an additional trivial issue - a DirectX ActiveX buffer overrun found and reported to secure@microsoft.com at the same time as FTM (in late May). I specifically found this issue (it took only 4 hours Wink) to compare bug fixing speed when contacting product groups vs. the secure alias. It took over 7 months for your team to issue a two-byte "kill-bit fix".
    Can you clarify why? Those who really need to use this ActiveX control can revert the registry changes, but most regular users were unprotected for 7 months!

    BTW, for this issue I did not receive any credit and nobody notified me about the resolution process! I found out that it was fixed only from a short note in a cumulative Internet Explorer update.

    This is how your team was working several years ago. (But it was _after_ the BillG security push!!!).

    I can say nothing about your current work, because I've decided not to contact this alias anymore.

    You need to change a lot to receive email from me in the future!

  • Stepto - Not everyone at the MSRC shaves their head.
    AT wrote:

    Stepto wrote:

    ....

    As I explain in the video, with as broad a deployment base as we have, if we produce an update that introduces a problem to even one percent of our users, that's still potentially millions of people that we broke, which of course will cause even more people to not trust updates and not install them. 

    Sure. I agree about this.
    But your arguments have nothing to do with my issue.

    I was working with the ITG/Operations team to fix important security and usability issues I found in the Microsoft File Transfer Manager ActiveX control.
    It took 4 months (Feb-May) for them to release a new version of the ActiveX control, but they were unable to issue any warning to customers.
    As a result I contacted the secure@microsoft alias in late May and provided all details about the issue and contact information for the person I was working with.

    In July I received a useless template email with words like "We are working on issue. Stay tuned".
    Only 2 months after the initial contact (at the beginning of August) and 4 or 5 additional emails to secure@microsoft was your team able to prepare a draft of the security warning.
    They spent an additional 14 days sending it to people. Only after I disclosed the information to the public were people warned.

    But this was not the end of my bad experience.

    Lynn Terwoerds, senior program manager for Microsoft's Security Response Center, publicly lied: "The security response center has been handling this for about a month".

    If you do basic math - June (date of the latest FTM version with minor fixes at that time) and 19 August - this is clearly more than one month.

    P.S. BTW, there was an additional trivial issue - a DirectX ActiveX buffer overrun found and reported to secure@microsoft.com at the same time as FTM (in late May). I specifically found this issue (it took only 4 hours Wink) to compare bug fixing speed when contacting product groups vs. the secure alias. It took over 7 months for your team to issue a two-byte "kill-bit fix".
    Can you clarify why? Those who really need to use this ActiveX control can revert the registry changes, but most regular users were unprotected for 7 months!

    BTW, for this issue I did not receive any credit and nobody notified me about the resolution process! I found out that it was fixed only from a short note in a cumulative Internet Explorer update.

    This is how your team was working several years ago. (But it was _after_ the BillG security push!!!).

    I can say nothing about your current work, because I've decided not to contact this alias anymore.

    You need to change a lot to receive email from me in the future!



    Talking to AT about this in IM.  :>

    S.
  • Stepto, abusing quotes like that should be illegal and maybe sometime in the near future (if I have my way) it will be. So to be safe I suggest you don't do it, any laws that I create will be retrospective! >)
  • Stepto - Not everyone at the MSRC shaves their head.
    Manip wrote:
    Stepto, abusing quotes like that should be illegal and maybe sometime in the near future (if I have my way) it will be. So to be safe I suggest you don't do it, any laws that I create will be retrospective! >)


    Doh!  Sorry.  Was in a hurry and talking to AT on IM.  We agreed to disagree on some things but it was a good discussion about some of the challenges we face in the security industry.

    S.
  • AT
    In an MSN IM conversation I received:

    Stepto wrote:

    practically no one who was working there 2 or 3 years ago is there now.  It's a new team


    As I originally said, my bad experience is from the past.
    I hope that the new team will not repeat the mistakes of the old one.

    I will definitely check how the new team works Smiley

    Thanks
  • AT
    Stepto wrote:


    I think things have changed significantly in the past several years, and things are only going to get better as time goes on. 



    I'm really sorry for such a late reply. I did a basic Google search and found this:

    Executive Women’s Forum on Information Security
    September 8 – 10, 2004

    Microsoft Corporation (Lynn Terwoerds)
    * Improvements & challenges in the areas of security response & patch management
    * Security mobilization effort  
    * Windows XP SP2

    As well as this:
    http://www.infosecuritywomen.com/speakerbios.aspx
    "Lynn Terwoerds, Security Program Manager, Microsoft. As part of the company wide security team, she focuses on the quality of security updates, especially as they affect enterprise, OEM and ISV customers. She leads both a cross group internal team and external partners to do targeted testing. Her current position evolved from her work in Microsoft's Security Response Center. Ms. Terwoerds, a 14-year information technology veteran, has experience in both security planning and implementation external as well as internal to Microsoft.."

    It looks like nothing really changed. The person who was responsible for MSRC and provided false information to ZDNet about security timing is still responsible for security at Microsoft. Even more, the area of responsibility has only increased: WinXP SP2.

    Now take a read for example:
    Windows XP SP2 Security Center Spoofing Threat 
    "When we contacted Microsoft for comment, a spokesperson said that the company was not aware of this issue, but would investigate. Read Microsoft Responds to see what they said. "

    Please correct me, but it is similar to the issue I had exactly 2 years ago in August 2002. A Microsoft spokesperson is still downplaying risks to prevent bad publicity!!!

    There is definitely something wrong in the facts as I see them. We need to listen to somebody who has more information than me.
  • Stepto - Not everyone at the MSRC shaves their head.
    AT wrote:


    Now take a read for example:
    Windows XP SP2 Security Center Spoofing Threat 
    "When we contacted Microsoft for comment, a spokesperson said that the company was not aware of this issue, but would investigate. Read Microsoft Responds to see what they said. "

    Please correct me, but it is similar to the issue I had exactly 2 years ago in August 2002. A Microsoft spokesperson is still downplaying risks to prevent bad publicity!!!

    There is definitely something wrong in the facts as I see them. We need to listen to somebody who has more information than me.


    Hi AT,

    Again, I cannot speak for Lynn, I can only say that the team as it exists right now is not the same team it was then.

    As far as the article you linked, I was one of the people who discussed the issue with that reporter.  The reporter did not submit this problem to secure@microsoft.com.  What we were trying to do was help the reporter understand how WMI works, how the Windows Security Center uses WMI, and how there is no vulnerability in this scenario.  It seems unfair to expect us to not respond to reports of a security vulnerability.

    The issue at hand requires a user with administrator access to run a program that an attacker has sent them.  If the user is going to do that, there are far more harmful or comprehensive actions the attacker could take than simply mucking about with WMI.  This was the point we were trying to make, that's why we've tried to make changes in Windows XP Service Pack 2 to warn users more clearly when they try to run a program out of email or off the web through the browser that the program might be malicious.

    Again to be clear, the article itself points out that in order to achieve a spoofing attack against the Windows Security Center, you must already be an administrator or convince an administrator to run a program.  That's not a vulnerability in Service Pack 2, Windows Security Center, or even Windows, since if I'm running as root on Linux and someone convinces me to run a malicious program, bad things will happen there too.  And we're trying to provide as much information to the user as possible to show when running a program might be dangerous, like when you try to run one out of email or the web browser.

    S.

  • One of the new features I really like is the ability to embed video in your post, on blogs hosted on WordPress.com. Beta 2 had the ability to 'Insert Video' but it did not work for blogs on WordPress.com.

    I have used other blog writing tools, but I have found WLW to be the most full featured, stable and cost effective. WLW is an excellent tool for writing blog posts, and the fact that you can download it for free makes it even better.

  • mattrmiller - www.codeandcoffee.com

    Very Cool! Gives me a lot more respect for the inside tasks/responsibilities/operations of the MS security team. It was really neat to actually see the order of operations for security related problems. Man this site is cool!

  • AT
    Stepto wrote:


    The issue at hand requires a user with administrator access to run a program that an attacker has sent them.

    ...


    Sure. Running as root or Administrator makes your system insecure. But it is common practice for Windows users to run everything as Administrator.
    I did not expect that it would be so easy to bypass security measures in the XP SP2 Security Center.

    For example, consider System File Checker, which allows verifying the digital signatures of system files.
    Even after a successful attack you will be able to repair your system (partially), if not totally prevent system file replacement (at least for outdated non-SFC-aware viruses).
    But this is not true in this case. There is no easy way to repair/detect Security Center spoofing after an attack.
    Even more, nobody has yet checked if it's possible to spoof this before SP2 installation to hide current malware and trojans on not-yet-patched PCs.

    I do not understand the Windows team's motivation for simplifying access to Security Center. There are not so many antivirus and firewall vendors. A requirement to digitally sign (just like WHQL-signed drivers) those important system components and check their signatures would not hurt (AFAIK, it's already done for the kernel part of those components).

    Security development is totally different from regular software development. If you miss several user scenarios in a regular software product, you can address them in a new version, but if you miss a single attack scenario, there is no easy way to fix this.

    I'm pretty sure that there will be security flaws in software products for a long time.
    I would like Microsoft to spend more resources not only on attack prevention, but also on after-attack recovery. For example, some kind of bootable CD/CDR with diagnostic utilities/antiviruses/system recovery tools to decrease recovery costs after incidents and make it possible for moms and dads to repair their systems easily.

    P.S. A few quotes from the Handling Bad Publicity marketing guide for Small Businesses published on Microsoft bCentral:
    "After a crisis, emphasising positive stories such as improved practices and community involvement will help to restore your reputation in the longer term."
  • E-bitz - Did you just say you RAN OUT of Mountain Dew?
    Come into the business world where my applications say that "you need to be power user or admin".  It's not Microsoft making me insecure, it's Intuit.

    This vulnerability is like the "if I have physical access to your machine I can circumvent the password" vulnerability.

    Show me a line of business application in my office and I'll show you a ton of insecurities.  That's where my risk factors are at... LOB.

    From the reports I've read the issue is not "from remote", it's like the user interaction flaws, they still have to click.

    Personally, I'll take "I'd like to let end users know that they haven't updated their virus program since they bought the computer two years ago for $1,000, Alex" over the "Potential for malware to overwrite this for $200".

    But that's just my opinion.

    ~Susan
  • Hello,

    My Windows Firewall is OFF but my Security Center shows it as ON.

    Is this a case of Security Center spoofing? None of my malware detectors has found any viruses or worms, and I have removed spyware with Ad-Aware and Spybot.

    I have opened a Microsoft Online Assisted Support Incident but have not received any solution. I have also uninstalled Windows XP Service Pack 2 and reinstalled it but that has not solved the problem.

    This looks like a serious matter. See
    http://www.pcmag.com/article2/0,1759,1639276,00.asp

    Any assistance you may provide will be greatly appreciated.

    Thank you very much.
  • E-bitz - Did you just say you RAN OUT of Mountain Dew?
    Are you sure that your antivirus doesn't have firewall capabilities?  Mine does and thus the security center will list that I have "A" firewall.  It doesn't care what firewall just that you have one.

    Read the Security center to see which firewall it's reporting.

    The pcmag article is not relevant and just points out that we should not be running as admin.
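A defender-side check for the situation in the two posts above (Security Center showing the firewall as ON while Windows Firewall itself is OFF), added here as an example and not code from the thread or from Microsoft: it lists the firewall products registered in the XP SP2 Security Center WMI namespace root\SecurityCenter (class FirewallProduct, properties displayName, companyName, versionNumber, enabled) and compares that with the Windows Firewall's own per-profile switch. The registry path used for that switch and the "expected indicator" rule are my assumptions; run it in PowerShell on XP SP2.

```powershell
# Added example (not from the thread or from Microsoft): reconcile Security Center's
# "a firewall is on" view with the Windows Firewall's own setting.
# Assumes the XP SP2 WMI namespace root\SecurityCenter and its FirewallProduct class;
# the registry location of the per-profile EnableFirewall switch is an assumption.

$FirewallPolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-RegisteredFirewallProducts {
    # Third-party products that registered themselves with Security Center (enabled or not).
    Get-WmiObject -Namespace 'root\SecurityCenter' -Class 'FirewallProduct' -ErrorAction SilentlyContinue |
        Select-Object displayName, companyName, versionNumber, enabled
}

function Get-WindowsFirewallEnabled {
    param([ValidateSet('StandardProfile', 'DomainProfile')] [string] $Profile = 'StandardProfile')
    # EnableFirewall (DWORD) is the per-profile on/off switch of Windows Firewall itself.
    $item = Get-ItemProperty -Path "$FirewallPolicyKey\$Profile" -Name 'EnableFirewall' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int] $item.EnableFirewall -ne 0)
}

function Get-FirewallStatusReport {
    $products          = @(Get-RegisteredFirewallProducts)
    $windowsFw         = Get-WindowsFirewallEnabled
    $enabledThirdParty = @($products | Where-Object { [bool] $_.enabled })

    # Assumed rule: Security Center shows ON when Windows Firewall is on OR any
    # registered product reports enabled=True (this is what E-bitz describes above).
    $expectedIndicator = if ($windowsFw -or $enabledThirdParty.Count -gt 0) { 'ON' } else { 'OFF' }

    New-Object PSObject -Property @{
        WindowsFirewallEnabled = $windowsFw
        RegisteredProducts     = $products
        EnabledThirdPartyNames = @($enabledThirdParty | ForEach-Object { $_.displayName })
        ExpectedIndicator      = $expectedIndicator
    }
}

$report = Get-FirewallStatusReport
"Windows Firewall (StandardProfile) enabled: $($report.WindowsFirewallEnabled)"
"Security Center should show firewall: $($report.ExpectedIndicator)"
foreach ($p in $report.RegisteredProducts) {
    "Registered: {0} ({1}) v{2} enabled={3}" -f $p.displayName, $p.companyName, $p.versionNumber, $p.enabled
}
if ($report.ExpectedIndicator -eq 'OFF') {
    # If the Security Center UI still says ON at this point, the WMI records and the
    # UI disagree, which is the case worth investigating rather than ignoring.
    Write-Warning 'Nothing claims to be an enabled firewall; compare with what the Security Center UI shows.'
}
```

If the list shows an antivirus suite's firewall with enabled=True, the ON indicator is explained by that product, not by the Windows Firewall.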
  • adnanrafik - Adnan Rafik
    XP SP2! Does it scan inbound and outbound traffic?

    In my experience the XP Firewall will not scan for malware, adware and spyware if they were already installed on the system before the installation of Service Pack 2 with the firewall.

    I faced this problem, then I downloaded a trial version of AdwareSafe. It detected a few spyware and adware programs. To make sure whether anything was left on my system I downloaded another piece of software, AdwareSpy. It then detected two new spyware programs which were not detected by the previous one.

    So which product should you trust? As far as the XP firewall is concerned, it will now scan both incoming and outgoing packets. But I'll keep on checking with 3rd party software.

    Other than the XP Firewall, ZoneAlarm and Sygate have the capability to scan outgoing traffic even if there is any adware or spyware installed on the machine.

    Regards.
