Posted By: The Channel 9 Team | Aug 26th, 2004 @ 4:03 PM | 56,241 Views | 20 Comments
Stephen Toulouse is a security program manager with Microsoft's security response center.

The security response center is the team (and place) that goes into action when a new vulnerability in, or attack on, one of Microsoft's products or customers is found and reported to secure@microsoft.com (the team monitors that address seven days a week, 365 days a year).

The team also works with software teams at Microsoft to bring out patches, updates, and advice for our customers. You'll see the team's work at microsoft.com/security. We recommend visiting that site often to make sure you're up to date on Microsoft's official recommendations on anything regarding the security of Microsoft's products.

Why did Stephen invite us over? To remind you to visit microsoft.com/protect and make sure your system is protected against the bad guys out there.

In this video he introduces us to what goes on in the security response center.

During the interview he mentions several security bulletin numbers. You can look up all the bulletins at http://www.microsoft.com/technet/security.

Over the next week Stephen will talk more about security.
I have a version of that T-shirt :)

.. Question .. Are people allowed to send source (*.c|*.cpp) files to Security@Microsoft.com?
Maurits
AKA Matthew van Eerde
Very nice.  A good picture of security from the reactive side.
I'm also interested in the proactive side - where can I find info on what Microsoft does to stop vulnerabilities from getting into the software, and to catch vulnerabilities between creation and release?  (developer education, QA, torture tests...)
Does the biofeedback between the MSRC and Product Development extend to the point of identifying a particular programmer or team of programmers responsible for introducing the vulnerability (after it's fixed, of course)?  Do they then have to re-take security training?
AT

LOL. Please remove this 7x365 slogan.
They simply do their job. Sometimes they do it well (for example the Slammer worm), but sometimes they do not (Slammer was an exceptional and non-regular case).

Taking into account my bad experience with secure@microsoft.com, I prefer to contact product groups directly.
They do monitor the email alias during business hours. But this alias is like a black hole: information can only flow in, and there is no way to get status or a resolution on your reports.
Most of the time all you receive is a template like "Thanks. Your issue is important. We are working on solution. We will let you know" with zero words about the actual status. Also, you will not receive an answer for several months (if any)!!

Take a look at any recent issue and find out when the issue was first reported and when it was actually fixed. For example, this issue took 216 days. And I'm pretty sure that the eEye Digital Security team provided all the information needed and contacted the correct people.

I hope there will be changes to this in the near future.

Wow, AT, you got onto ZDNet... that is pretty cool. Nice work!

You are not the first person I've heard of who had a bad experience when submitting a problem to Security@MS.com, and I'm sure not the last.
Stepto
Not everyone at the MSRC shaves their head.
AT wrote:

LOL. Please remove this 7x365 slogan.
They simply do their job. Sometimes they do it well (for example the Slammer worm), but sometimes they do not (Slammer was an exceptional and non-regular case).

Taking into account my bad experience with secure@microsoft.com, I prefer to contact product groups directly.
They do monitor the email alias during business hours. But this alias is like a black hole: information can only flow in, and there is no way to get status or a resolution on your reports.
Most of the time all you receive is a template like "Thanks. Your issue is important. We are working on solution. We will let you know" with zero words about the actual status. Also, you will not receive an answer for several months (if any)!!

Take a look at any recent issue and find out when the issue was first reported and when it was actually fixed. For example, this issue took 216 days. And I'm pretty sure that the eEye Digital Security team provided all the information needed and contacted the correct people.

I hope there will be changes to this in the near future.



Hi AT,

Thanks for the feedback. I'm sorry you had a bad experience at one time, but I can assure you that we monitor that alias even on holidays, weekends and off-business hours.  And you get real responses from real people.

In regards to eEye, they certainly provided us with information, and we provided information back during the entire time.  Sometimes security vulnerabilities are in deep components that require a significant amount of testing. 

As I explain in the video, with as broad a deployment base as we have, if we produce an update that introduces a problem to even one percent of our users, that's still potentially millions of people that we broke, which of course will cause even more people to not trust updates and not install them.  In the case of that vulnerability, the component was in RPC/DCOM, which of course is used by a multitude of things beyond just the operating system. Thus there was a significant amount of testing that had to be done, and during that testing phase we're still communicating with the security researcher, providing them information.

I think things have changed significantly in the past several years, and things are only going to get better as time goes on. 

Thanks again for the feedback.

S.
AT

Stepto wrote:

....

As I explain in the video, with as broad a deployment base as we have, if we produce an update that introduces a problem to even one percent of our users, that's still potentially millions of people that we broke, which of course will cause even more people to not trust updates and not install them. 

Sure. I agree with this.
But your arguments have nothing to do with my issue.

I was working with the ITG/Operations team to fix important security and usability issues I had found in the Microsoft File Transfer Manager ActiveX.
It took 4 months (Feb-May) for them to release a new version of the ActiveX, but they were unable to issue any warning to customers.
As a result I contacted the secure@microsoft alias in late May and provided all the details about the issue and contact information for the person I was working with.

In July I received a useless template email with words like "We are working on issue. Stay tuned".
Only after 2 months (at the beginning of August) from initial contact and 4 or 5 additional emails to secure@microsoft was your team able to prepare a draft of a security warning.
They spent an additional 14 days sending it to people. Only after I disclosed the information I had to the public were people warned.

But this was not the end of my bad experience.

Lynn Terwoerds, senior program manager for Microsoft's Security Response Center, publicly lied: "The security response center has been handling this for about a month".

If you do basic math - June (the date of the latest FTM version with minor fixes at that time) to 19 August - this is clearly more than one month.

P.S. BTW, there was an additional trivial issue - a DirectX ActiveX buffer overrun, found and reported to secure@microsoft.com at the same time as FTM (in late May). I specifically found this issue (it took only 4 hours ;) ) to compare bug-fixing speed between contacting product groups and the secure alias. It took over 7 months for your team to issue a two-byte "kill-bit fix".
Can you clarify why? Those who really need to use this ActiveX can revert the registry changes, but most regular users were unprotected for 7 months!

BTW, for this issue I did not receive any credit and nobody notified me about the resolution process! I found out that it was fixed only from a short note in a cumulative Internet Explorer update.

This is how your team was working several years ago. (But it was _after_ the BillG security push!!!)

I can say nothing about your current work, because I've decided not to contact this alias anymore.

You need to change a lot to receive email from me in the future!
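
What the "two-byte kill-bit fix" AT refers to actually consists of, shown as an added example that is not part of AT's post, the page, or any Microsoft code: a kill bit is bit 0x400 of the "Compatibility Flags" DWORD stored under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. Once it is set, Internet Explorer refuses to instantiate that control regardless of which DLL version is on disk, which is why it ships as a registry change rather than a code fix, and why a user who "really needs" the control can revert it. The script below sets, checks and clears that flag for one CLSID. The CLSID is a placeholder (the thread never names the affected control), and handling the Wow6432Node copy for 32-bit IE on 64-bit Windows is an assumption about the target system.

```powershell
# Added example (not from the page, from AT, or from Microsoft): manage an ActiveX kill bit.
# Layout: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
#         "Compatibility Flags" (DWORD), bit 0x400 = kill bit.
# The CLSID below is a placeholder, not the DirectX control discussed in the thread.

$ClsId   = '{00000000-0000-0000-0000-000000000000}'   # placeholder CLSID (assumption)
$KillBit = 0x400
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$ClsId"
# On 64-bit Windows the 32-bit IE reads the Wow6432Node copy; managing both is an assumption.
$Wow64Path = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$ClsId"

function Get-CompatFlags {
    # Returns the current Compatibility Flags value, or $null if the key/value does not exist.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    # $true when the kill bit is set for this CLSID.
    param([string]$Path)
    $flags = Get-CompatFlags -Path $Path
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -ne 0)
}

function Set-KillBit {
    # Sets the kill bit while preserving any other compatibility flags already present.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $flags = Get-CompatFlags -Path $Path
    if ($null -eq $flags) { $flags = 0 }
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value ($flags -bor $KillBit) -Type DWord
}

function Clear-KillBit {
    # The "revert registry changes" step: clears only the kill bit, leaving other flags intact.
    param([string]$Path)
    $flags = Get-CompatFlags -Path $Path
    if ($null -eq $flags) { return }
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value ($flags -band (-bnot $KillBit)) -Type DWord
}

# Writing under HKLM requires an elevated prompt.
foreach ($p in @($KeyPath, $Wow64Path)) {
    # Skip the Wow6432Node path on 32-bit Windows, where it does not exist.
    if ($p -like '*Wow6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node')) { continue }
    Set-KillBit -Path $p
    '{0}: kill bit set = {1}' -f $p, (Test-KillBit -Path $p)
}
```

Run Test-KillBit on both paths when auditing a machine: a kill bit present only in the native hive leaves 32-bit IE on a 64-bit system still able to load the control.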

Stepto
Not everyone at the MSRC shaves their head.
AT wrote:

Stepto wrote:

....

As I explain in the video, with as broad a deployment base as we have, if we produce an update that introduces a problem to even one percent of our users, that's still potentially millions of people that we broke, which of course will cause even more people to not trust updates and not install them. 

Sure. I agree with this.
But your arguments have nothing to do with my issue.

I was working with the ITG/Operations team to fix important security and usability issues I had found in the Microsoft File Transfer Manager ActiveX.
It took 4 months (Feb-May) for them to release a new version of the ActiveX, but they were unable to issue any warning to customers.
As a result I contacted the secure@microsoft alias in late May and provided all the details about the issue and contact information for the person I was working with.

In July I received a useless template email with words like "We are working on issue. Stay tuned".
Only after 2 months (at the beginning of August) from initial contact and 4 or 5 additional emails to secure@microsoft was your team able to prepare a draft of a security warning.
They spent an additional 14 days sending it to people. Only after I disclosed the information I had to the public were people warned.

But this was not the end of my bad experience.

Lynn Terwoerds, senior program manager for Microsoft's Security Response Center, publicly lied: "The security response center has been handling this for about a month".

If you do basic math - June (the date of the latest FTM version with minor fixes at that time) to 19 August - this is clearly more than one month.

P.S. BTW, there was an additional trivial issue - a DirectX ActiveX buffer overrun, found and reported to secure@microsoft.com at the same time as FTM (in late May). I specifically found this issue (it took only 4 hours ;) ) to compare bug-fixing speed between contacting product groups and the secure alias. It took over 7 months for your team to issue a two-byte "kill-bit fix".
Can you clarify why? Those who really need to use this ActiveX can revert the registry changes, but most regular users were unprotected for 7 months!

BTW, for this issue I did not receive any credit and nobody notified me about the resolution process! I found out that it was fixed only from a short note in a cumulative Internet Explorer update.

This is how your team was working several years ago. (But it was _after_ the BillG security push!!!)

I can say nothing about your current work, because I've decided not to contact this alias anymore.

You need to change a lot to receive email from me in the future!



Talking to AT about this in IM.  :>

S.
Stepto, abusing quotes like that should be illegal and maybe sometime in the near future (if I have my way) it will be. So to be safe I suggest you don't do it, any laws that I create will be retrospective! >)