SlideShare uma empresa Scribd logo

Microsoft Vulnerability Research - How to be a finder as a vendor

Jeremy Brown
Jeremy Brown

You may think of Microsoft as a company that fixes vulnerabilities, but we frequently find security issues in other vendors’ products as well. Microsoft Vulnerability Research (MSVR) was created to help ensure that our company demonstrates the same behavior, in the role of a finder, that we’d like to see from other companies and researchers from all over the world. We make sure that our reports are complete and accurate and communicated securely and effectively to the right place. This presentation will cover how and why MSVR was created, an in-depth look at our operations and what we’ve learned so far with this program. We’ll also discuss how your company can have a centralized program to do the same. We’ll finish things off with a run through of an example vulnerability that one of our finders discovered, reported through MSVR, and what is was like working to get it fixed with an advisory we released thereafter.

Tecnologia
1 de 82
Baixar para ler offline
MICROSOFT VULNERABILITY RESEARCH How to be a finder as a vendor
WHO ARETHESE FINE GENTLEMEN  David Seidman  Manager of MSVR Program  Likes authentication, hates passwords  Jeremy Brown  MSVR Contributor since 2011  Likes bugs, but also likes making things more secure
AGENDA  What is MicrosoftVulnerability Research?  The MSVR Process  How it works  And how things can go wrong
AGENDA  Case Studies  Libavcodec  Comodo GeekBuddy  VMware Player  Blackberry “PrintTo Go”  Lessons Learned
WHATWE’RE NOT COVERING  How Microsoft handles vulnerabilities in 3rd party software distributed with our products  Any information about MSVR bugs in the queue for public release  The ethics of disclosure or debating which philosophy is the greatest
WHAT IS MICROSOFT VULNERABILITY RESEARCH?
ORIGINS  MSVR started in 2008  Founded by Katie Moussouris  Announced at the BlackHat conference
ORIGINS  MSRC cases and internal finds were affecting many other vendors  We needed a way to coordinate with vendors across the industry in order to ensure fixes for these bugs materialize
MSVR ISN'T  MSRC  Microsoft Security ResponseCenter  Handles security incidents and vulnerabilities affecting Microsoft products  Microsoft Bounty Programs  Cash for defensive ideas and IE11 Preview bugs
MSVR ISN'T  HackerOne  Hosts of the Internet Bug Bounty program  “Rewards friendly hackers who contribute to a more secure internet”  Sponsored by both Microsoft and Facebook
MSVR IS…  A program to help Microsoft employees report security vulnerabilities to third party software vendors  Provide assistance to finders  People to answer questions and ping the vendor  Security contact database  The resources to find contacts if no public ones exist
MSVR IS…  Objectives  Prevent miscommunication  Keep all parties informed  Provide transparency for both sides
MSVR ADVISORIES  Dedicated Microsoft webspace to display and archive vulnerability and fix information  http://technet.microsoft.com/en-us/security/msvr  Each advisory credits the researcher for the find  Unless you want to be anonymous, of course
WHYTHE FOCUS ONTHIRD PARTY  Windows runs lots of third-party code.That code becomes attack surface for Microsoft users.  Adobe Reader and Oracle Java account for the majority exploits used to compromise PCs  Not just PC software  Routers in our datacenters  Firmware in our devices  Apps in our software stores Reference: http://download.microsoft.com/download/5/0/3/50310CCE-8AF5-4FB4-83E2-03F1DA92F33C/Microsoft_Security_Intelligence_Report_Volume_15_English.pdf
WHYTHE FOCUS ONTHIRD PARTY  Often the vulnerabilities affect Microsoft too  Protocol flaws  DNS  SSL  Common coding and design flaws
SECURINGTHE ECOSYSTEM  Here’s a short list of vendors we’ve worked with at MSVR  Adobe, AOL, Apple, Blackberry, CA, Cisco, Citibank, Comodo, Fidelity, Google, Hex-Rays, HP, IBM, Intel, Intuit, Lenovo, Mozilla, Nullsoft, Nvidia, OpenOffice, Opera, Oracle, PGP, RealNetworks, SAP, Symantec,VMware, Wireshark, WordPress,Yahoo!  ….as well as many, many more
GOALS  Ensure that Microsoft works with others the same way we’d like them to work with us  Coordinated vulnerability disclosure so that Microsoft employees do not drop 0-days  Reproducible and interesting bugs  Good repro and explanation Reference: http://blogs.technet.com/b/msrc/archive/2011/04/19/coordinated-vulnerability-disclosure-from-philosophy-to-practice.aspx
GOALS  Help Microsoft finders out  Make sure bugs get fixed  Release advisories  Help secure the Microsoft ecosystem  Build relationships with other vendors
WHO ARE FINDERS?  Individual Microsoft employees who find security bugs for various reasons  Hobby  Securing software they use  Product groups working extensively with a third party product  E.g. Office findingAdobe Reader bugs when testingWord’s Save as PDF function  Often many bugs are discovered at once, or a stream of bugs is generated on an ongoing basis  Product groups hitting one-off bugs  It is not uncommon to hit a bug in a third-party component while just testing functionality
WHICHVULNERABILITIES ARE ELIGIBLE?  Found by a Microsoft employee  Whether found on own time or otherwise, using company resources or not  Critical and Important on SDL Bug Bar  Remote code execution, server DoS, XSS, SQLi, MITM, a few others  Affects a product on a Microsoft platform or used in a Microsoft datacenter  E.g. iPhone apps are not eligible  These aren’t hard rules – designed to ensure high ROI
MSVR REQUIREMENTS  I am not a lawyer, so this is a paraphrase of the actual policy  Microsoft employees must use CVD under all circumstances  CVD: CoordinatedVulnerability Disclosure (the new one, not “responsible disclosure”)  =no 0days per Microsoft’s policy  Employees must notify MSVR of all vulnerabilities they report  Exception: existing working/support/partnership relationships can continue  Using MSVR to manage the process is optional for bugs found on personal time
MSVR REQUIREMENTS  Third-party bugs found outside company time and not using company assets may be reported through a vuln broker using CVD  The employee can keep the money  This includes bug bounties too
THE MSVR PROCESS
STEP 1: REPORTVULNERABILITY
STEP 1 MISFIRE: CLASSIC 0-DAY  <insert anyWindows 0day full disclosure post here in the last 20 years>
STEP 2: ENSURE QUALITY  MSVR ensures that all required elements are present:  Qualifying bug details  Proof of concept file or solid repro steps  Description of issue, including affected products and versions, severity, etc.  Stack trace  Ideas for workarounds or code fixes  We’ll go back-and-forth with finders until it meets quality bar  Won’t ship if it doesn’t
STEP 2 MISFIRE: NOT A BUG  When logging intoWindows  If you have the number 8 in your login password, and  You have NumLock off and  You use the number pad when typing the number 8  You will switch focus to the username field and might accidentally type the rest of your password into the username field
STEP 3: CHECK FOR MICROSOFT IMPACT  Does Microsoft have code that could be similarly affected?  Does an SSL bug affect our SSL stack?  Does a browser bug affect Internet Explorer?  Etc.  If so, coordinate with third parties to align their fix schedule with ours
STEP 3 MISFIRE: WE 0-DAY OURSELVES  Microsoft researchers: Online ad networks’ payment processing can be theoretically exploited for fraud!  Just like Bing’s  Researchers: “We thought it would be okay because we didn’t mention Bing”
STEP 4: REPORTVULNERABILITY  Find the vendor’s security contact point (email, web form, etc) if we don’t already have it  If they don’t have one, we try harder   Tell them we have a vulnerability to report and request PGP or S/MIME key  Perhaps explain to them what PGP is…  Encrypt and send details
STEP 4 MISFIRE: SALES PURGATORY  Vendor:What’s your customer ID?  Microsoft: We don’t have a customer ID, we found a security problem with your website.  Vendor: Oh, well with no customer ID we can’t help you.Would you like to buy our product?  Microsoft: We don’t want help or to buy your product.We’re trying to help you.  Vendor:Thank you for contactingVendor.Your email is very important to us.
STEP 5: MONITOR  Follow up with company and internal finder to track their fix through release  Resolve questions about repro and severity  Vendor may send a private, fixed version for the finder to confirm the bug is fixed  Keep all parties up to date with plans for updates, blog post, conference presentations, etc.
STEP 5 MISFIRE: SURPRISE!  Oh that bug?We patched that six months ago.
STEP 6: SHIP UPDATE  Vendor releases update  Implore them to credit our researcher  If they “forget”, we’ll ping them and recommend it again 
STEP 6 MISFIRE: NO CREDIT  Vendor: Here’s the fix! <no credit to finder>  Finder: Hey!
STEP 7: MSVR ADVISORY  Released when we think a bug particularly merits Microsoft customers’ attention  Optional  Not all vulnerabilities get advisories  Released with or (typically) after the vendor releases a patch  In case of active attacks, we could release one proactively, but we have yet to do so  Purpose is to notify our customers of the patch and remind them to install it  Finder always has the option to release their own advisory in coordination with MSVR once vendor has patched
STEP 7B: MSVR CREDITS  When we don’t do a full advisory, still provide internal finders credit
CASE STUDIES
CASE STUDY: LIBAVCODEC  MSVR12-017  Vulnerabilities in FFmpeg Libavcodec Could Allow Arbitrary Code Execution  FuzzingVLC with WMA files.. Boom  But it’s obviously easier to find a crash than to figure out what caused it Reference: http://technet.microsoft.com/en-us/security/msvr/msvr12-017
CASE STUDY: LIBAVCODEC  !Exploitable says aWriteAV at libavcodec_plugin.dll  Looks like this isn’t a bug inVLC, but in the included A/V codec  Let’s diff to see what the fuzzer changed in the template to make our repro file!
CASE STUDY: LIBAVCODEC
CASE STUDY: LIBAVCODEC  We can see that the 0x0001 was changed to 0x0007  But what is that word value anyways?  And how do I already know it’s a word?
CASE STUDY: LIBAVCODEC  Meet OffVis  “The Microsoft OfficeVisualizationTool (OffVis) allows IT professionals, security researchers and malware protection vendors to better understand the MicrosoftOffice binary file format in order to deconstruct .doc-, .xls- and .ppt-based targeted attacks”  Free public version available on the Microsoft download website  But it’s not actually specifically for office documents. OffVis uses GUT templates, which is the same concept as 010 editor binary templates: describing file formats in order to parse and edit such files smarter. Reference: http://www.microsoft.com/en-us/download/details.aspx?id=2096
CASE STUDY: LIBAVCODEC
CASE STUDY: LIBAVCODEC  So we know a few more things now!  ASF is the container format forWMA files  A quick search for “Number of Channels” in the ASF specification tells us  It’s a 16-bit value  It’s a member of theWAVEFORMATEX structure  It’s the “number of audio channels” for this content  Manual testing shows that changing the value from 0x0003 - 0x0008 causes a crash  Also noteworthy, changing it to 0x0009 results inVLC displaying an error dialog about howVLC does not support the WMA2 file format Reference: http://msdn.microsoft.com/en-us/library/bb643323.aspx
CASE STUDY: LIBAVCODEC  Now take a look at the couple of instructions before the crash  pop ebx  call dword ptr[ebx+30h]  Anyone else smiling?   For those not immediately enlightened, this is very promising for exploitation  As long as we have some kind of influence or control over the ebx register  And there’s a pop before the call.. well, the stack is our friend
CASE STUDY: LIBAVCODEC  We’ve got our original and repro files, quick write-up and ready to share with msvr@microsoft.com  They packaged up the deliverables and sent them off to the vendor  Handled coordination  Status updates  Questions from the vendor
CASE STUDY: LIBAVCODEC  The vulnerability was patched in May, 2012 and the advisory was released a few months later
CASE STUDY: LIBAVCODEC
CASE STUDY: COMODO GEEKBUDDY  CVE-2014-7872  Comodo GeekBuddy Privilege Escalation  What is GeekBuddy and how does it work?
CASE STUDY: COMODO GEEKBUDDY  Noticed GeekBuddyRSP.exe was listening on two familiar ports  5800, 5901 (VNC)  VNC server to tunnel technical support remoting makes sense
CASE STUDY: COMODO GEEKBUDDY  Let’s try to connect using aVNC client and see what happens
CASE STUDY: COMODO GEEKBUDDY
CASE STUDY: COMODO GEEKBUDDY  The attack goes as follows  Admin logs in  User (or guest) logs in and uses aVNC client to connect to localhost  User assumes Administrator’sVNC session via no server password set  Couple significant caveats  OS must support more than one simultaneous login, eg.Windows Server  GeekBuddy is known to be bundled with the following products  Comodo Anti-Virus, Comodo Firewall, Comodo Internet Security  But they only install on Windows Client  Comodo might have bundled GeekBuddy in some enterprise packages
CASE STUDY: COMODO GEEKBUDDY  What other vectors of exploitation can you think of?  Client-side CSRF-like attack  Host a modified JavaVNC Client on a webserver  GeekBuddy target browses to webpage with embedded VNC client  VNC client connects to localhost and does interesting things with the target’s session  Comodo released a fixed version October, 2014
CASE STUDY:VMWARE  MSVR13-002  Vulnerabilities inVMware OVFTool Could Allow Arbitrary Code Execution  Step 1:What file types doesVMware handle?  VMX  VMDK  OVF  …more Reference: http://technet.microsoft.com/en-us/security/msvr/msvr13-002
CASE STUDY:VMWARE  Step 2:What is OVF?  OpenVirtual Machine Format  “an open, secure, portable, efficient and extensible format for the packing and distribution of (collections of) virtual machines” Reference: http://www.vmware.com/pdf/ovf_whitepaper_specification.pdf
CASE STUDY:VMWARE  TL;DR– It’s a xml-based file format for describing virtual machine data  And since XML implies describing and consuming untrusted data.. probably a worthy target
CASE STUDY:VMWARE  Step 3: How doesVMware load OVF files?  Upon loading a OVF file, it executes ovftool.exe  Nearly the same as having the OVF parsing code inVMware player
CASE STUDY:VMWARE Step 4:What is OVFTool?
CASE STUDY:VMWARE Step 5: Find a interesting crash or other unexpected behavior <?xml version="1.0" encoding="utf-8"?> <ovf:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ovf="%p.%p.%p.%p.%p.%p.%p.%p" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim- schema/2/CIM_VirtualSystemSettingData" … </ovf:Envelope>
CASE STUDY:VMWARE And when we load the OVF file inVMware..
CASE STUDY:VMWARE
CASE STUDY: BLACKBERRY PTG  Submitted as, “Blackberry PrintTo Go Auth Bypass”  But what can we gain from this bug?  What is Blackberry PTG?  Allows you to “print” documents from your computer to your BlackBerry Playbook tablet  E.g. Install the software on your PC and you can send anything you can print as a PDF to your Playbook
CASE STUDY: BLACKBERRY PTG
CASE STUDY: BLACKBERRY PTG  In order to send documents to the Playbook, the user must do the following  Log into the service using your BlackBerry ID (user/pass)  Encrypt the documents using a password generated from the PTG app on the Playbook  Find the device using the it’s PIN  We can bypass this locally  Therefore we won’t need to login to Blackberry to perhaps “print” documents to a device
CASE STUDY: BLACKBERRY PTG
CASE STUDY: BLACKBERRY PTG  There’s something listening on port 1234.. interesting  With the BB login dialog open, start a web browser and simply point it to this URL  http://localhost:1234/myserverlet/  The login dialog will immediately continue to the next page  Therefore bypassing authentication
CASE STUDY: BLACKBERRY PTG  Theory  The login procedure checks if it receives data on listening port 1234, not the data’s validity (at least well enough)
CASE STUDY: BLACKBERRY PTG
CASE STUDY: BLACKBERRY PTG
CASE STUDY: BLACKBERRY PTG
CASE STUDY: BLACKBERRY PTG  So what could one gain from bypassing this login page?  There wasn’t a Playbook tablet to completely test the exploit scenarios  We handed the report to BlackBerry security with our ideas so they could test internally  BB concluded that while this was undesirable behavior, it wasn’t a security issue  “Printing does not succeed as the Connector does not have the BlackBerry ID account info and token needed for printing”  Without a Playbook on hand, it was tough to test this remaining step  We didn’t know if it would succeed or not with a real device connected  Better to submit anyways so they could confirm with us
LESSONS LEARNED  Vendors range greatly in their capacity  Which is not necessarily correlated with size  Some small development teams are very responsive, others are not  Some big companies have effective and established procedures, others mire you in bureaucracy
LESSONS LEARNED  Setting limits is important  Pen-testing the web and dumped hundreds of bugs on us for most for relatively unimportant sites doesn’t scale too well  Finders may report low-severity bugs that they think are very serious  Employees like this program!
WHYYOU SHOULD RUNYOUR OWN MSVR  Give employees a standard, end-to-end process for getting security bugs fixed  Inter-company bug reporting can be more coordinated and efficient  Relatively cheap to run, with high ROI  Boost employee morale  Secure the ecosystem, as your product likely depends on *something*  Eg. HackerOne bug bounty program has a bounty for “The Internet”
WHATWE'D LIKETO SEEWHEN REPORTING VULNERABILITIES  Clearly identified point of contact  Public encryption key (PGP or S/MIME)  Direct line to a real person who understands security  Don't turn us away because we don't have a support contract!
WHATWE'D LIKETO SEEWHEN REPORTING VULNERABILITIES  Clear communication  Acknowledgment receipt of the initial email  Repro, including affected platforms  Update release dates, including any delays  How we will be credited (ask us for our preference!)  Closure  Variant investigation  Relatively prompt fixes
QUESTIONS?
CONTACT  msvr@microsoft.com
©2014 Microsoft Corporation. All Rights Reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice.You bear the risk of using it. Some examples are for illustration only and are fictitious. No real association is intended or inferred.This document does not provide you with any legal rights to any intellectual property owned by Microsoft.You may copy and use this document for your internal, reference purposes.

Recomendados

CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve...
CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve...CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve...
CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve...CODE BLUE
 
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...ESET Middle East
 
Software Security Engineering (Learnings from the past to fix the future) - B...
Software Security Engineering (Learnings from the past to fix the future) - B...Software Security Engineering (Learnings from the past to fix the future) - B...
Software Security Engineering (Learnings from the past to fix the future) - B...DebasisMohanty43
 
Technology auto protection_from_exploit
Technology auto protection_from_exploitTechnology auto protection_from_exploit
Technology auto protection_from_exploitКомсс Файквэе
 
None More Black - the Dark Side of SEO
None More Black - the Dark Side of SEONone More Black - the Dark Side of SEO
None More Black - the Dark Side of SEORoberto Suggi Liverani
 
Douglas - Real JavaScript
Douglas - Real JavaScriptDouglas - Real JavaScript
Douglas - Real JavaScriptd0nn9n
 
Continuous Security: Zap security bugs now Codemotion-2015
Continuous Security: Zap security bugs now Codemotion-2015Continuous Security: Zap security bugs now Codemotion-2015
Continuous Security: Zap security bugs now Codemotion-2015Carlo Bonamico
 
Jeremy Brown & David Seidman - Microsoft Vulnerability Research: How to be a ...
Jeremy Brown & David Seidman - Microsoft Vulnerability Research: How to be a ...Jeremy Brown & David Seidman - Microsoft Vulnerability Research: How to be a ...
Jeremy Brown & David Seidman - Microsoft Vulnerability Research: How to be a ...RootedCON
 

Recomendados

CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve...
CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve...CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve...
CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve...CODE BLUE
 
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...ESET Middle East
 
Software Security Engineering (Learnings from the past to fix the future) - B...
Software Security Engineering (Learnings from the past to fix the future) - B...Software Security Engineering (Learnings from the past to fix the future) - B...
Software Security Engineering (Learnings from the past to fix the future) - B...DebasisMohanty43
 
Technology auto protection_from_exploit
Technology auto protection_from_exploitTechnology auto protection_from_exploit
Technology auto protection_from_exploitКомсс Файквэе
 
None More Black - the Dark Side of SEO
None More Black - the Dark Side of SEONone More Black - the Dark Side of SEO
None More Black - the Dark Side of SEORoberto Suggi Liverani
 
Douglas - Real JavaScript
Douglas - Real JavaScriptDouglas - Real JavaScript
Douglas - Real JavaScriptd0nn9n
 
Continuous Security: Zap security bugs now Codemotion-2015
Continuous Security: Zap security bugs now Codemotion-2015Continuous Security: Zap security bugs now Codemotion-2015
Continuous Security: Zap security bugs now Codemotion-2015Carlo Bonamico
 
Jeremy Brown & David Seidman - Microsoft Vulnerability Research: How to be a ...
Jeremy Brown & David Seidman - Microsoft Vulnerability Research: How to be a ...Jeremy Brown & David Seidman - Microsoft Vulnerability Research: How to be a ...
Jeremy Brown & David Seidman - Microsoft Vulnerability Research: How to be a ...RootedCON
 
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...Berezha Security Group
 
Java Application Development Vulnerabilities
Java Application Development VulnerabilitiesJava Application Development Vulnerabilities
Java Application Development VulnerabilitiesNarola Infotech
 
Web Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowWeb Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowNarola Infotech
 
Open Source Security – A vendor's perspective
Open Source Security – A vendor's perspectiveOpen Source Security – A vendor's perspective
Open Source Security – A vendor's perspectiveMatthew Wilkes
 
10 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 202310 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 2023SofiaCarter4
 
179 black-box-software-testing-copyright-2003-cem-kaner1652
179 black-box-software-testing-copyright-2003-cem-kaner1652179 black-box-software-testing-copyright-2003-cem-kaner1652
179 black-box-software-testing-copyright-2003-cem-kaner1652ngothanhtungth
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
 
INSECURE Magazine - 35
INSECURE Magazine - 35INSECURE Magazine - 35
INSECURE Magazine - 35Felipe Prado
 
Software Myths
Software MythsSoftware Myths
Software MythsRajat Bajaj
 
Allegory of the cave(1)
Allegory of the cave(1)Allegory of the cave(1)
Allegory of the cave(1)setuid0
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour... The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...WhiteSource
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsCheckmarx
 
network-host-reconciliation
network-host-reconciliationnetwork-host-reconciliation
network-host-reconciliationGordon Mackay - CISSP
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherWendy Knox Everette
 
Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.uNIX Jim
 
Data Security in Fintech App Development: How PHP Can Help
Data Security in Fintech App Development: How PHP Can HelpData Security in Fintech App Development: How PHP Can Help
Data Security in Fintech App Development: How PHP Can HelpNarola Infotech
 
Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020Ivanti
 
Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)Olle E Johansson
 
Cyber Security for Financial Institutions
Cyber Security for Financial InstitutionsCyber Security for Financial Institutions
Cyber Security for Financial InstitutionsKhawar Nehal khawar.nehal@atrc.net.pk
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerGFI Software
 
Provoking Windows
Provoking WindowsProvoking Windows
Provoking WindowsJeremy Brown
 
Summer of Fuzz: macOS
Summer of Fuzz: macOSSummer of Fuzz: macOS
Summer of Fuzz: macOSJeremy Brown
 

Mais conteúdo relacionado

Semelhante a Microsoft Vulnerability Research - How to be a finder as a vendor

Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...Berezha Security Group
 
Java Application Development Vulnerabilities
Java Application Development VulnerabilitiesJava Application Development Vulnerabilities
Java Application Development VulnerabilitiesNarola Infotech
 
Web Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowWeb Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowNarola Infotech
 
Open Source Security – A vendor's perspective
Open Source Security – A vendor's perspectiveOpen Source Security – A vendor's perspective
Open Source Security – A vendor's perspectiveMatthew Wilkes
 
10 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 202310 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 2023SofiaCarter4
 
179 black-box-software-testing-copyright-2003-cem-kaner1652
179 black-box-software-testing-copyright-2003-cem-kaner1652179 black-box-software-testing-copyright-2003-cem-kaner1652
179 black-box-software-testing-copyright-2003-cem-kaner1652ngothanhtungth
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
 
INSECURE Magazine - 35
INSECURE Magazine - 35INSECURE Magazine - 35
INSECURE Magazine - 35Felipe Prado
 
Allegory of the cave(1)
Allegory of the cave(1)Allegory of the cave(1)
Allegory of the cave(1)setuid0
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour... The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...WhiteSource
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsCheckmarx
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherWendy Knox Everette
 
Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.uNIX Jim
 
Data Security in Fintech App Development: How PHP Can Help
Data Security in Fintech App Development: How PHP Can HelpData Security in Fintech App Development: How PHP Can Help
Data Security in Fintech App Development: How PHP Can HelpNarola Infotech
 
Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020Ivanti
 
Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)Olle E Johansson
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerGFI Software
 

Semelhante a Microsoft Vulnerability Research - How to be a finder as a vendor (20)

Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...
 
Java Application Development Vulnerabilities
Java Application Development VulnerabilitiesJava Application Development Vulnerabilities
Java Application Development Vulnerabilities
 
Web Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowWeb Application Security - Everything You Should Know
Web Application Security - Everything You Should Know
 
Open Source Security – A vendor's perspective
Open Source Security – A vendor's perspectiveOpen Source Security – A vendor's perspective
Open Source Security – A vendor's perspective
 
10 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 202310 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 2023
 
179 black-box-software-testing-copyright-2003-cem-kaner1652
179 black-box-software-testing-copyright-2003-cem-kaner1652179 black-box-software-testing-copyright-2003-cem-kaner1652
179 black-box-software-testing-copyright-2003-cem-kaner1652
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 
INSECURE Magazine - 35
INSECURE Magazine - 35INSECURE Magazine - 35
INSECURE Magazine - 35
 
Software Myths
Software MythsSoftware Myths
Software Myths
 
Allegory of the cave(1)
Allegory of the cave(1)Allegory of the cave(1)
Allegory of the cave(1)
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour... The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOps
 
network-host-reconciliation
network-host-reconciliationnetwork-host-reconciliation
network-host-reconciliation
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work together
 
Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.
 
Data Security in Fintech App Development: How PHP Can Help
Data Security in Fintech App Development: How PHP Can HelpData Security in Fintech App Development: How PHP Can Help
Data Security in Fintech App Development: How PHP Can Help
 
Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020
 
Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)
 
Cyber Security for Financial Institutions
Cyber Security for Financial InstitutionsCyber Security for Financial Institutions
Cyber Security for Financial Institutions
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability Scanner
 

Mais de Jeremy Brown

Summer of Fuzz: macOS
Summer of Fuzz: macOSSummer of Fuzz: macOS
Summer of Fuzz: macOSJeremy Brown
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data LandJeremy Brown
 
Adventures with Podman and Varlink
Adventures with Podman and VarlinkAdventures with Podman and Varlink
Adventures with Podman and VarlinkJeremy Brown
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical ApproachJeremy Brown
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Jeremy Brown
 
Hacking Virtual Appliances
Hacking Virtual AppliancesHacking Virtual Appliances
Hacking Virtual AppliancesJeremy Brown
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device InsecurityJeremy Brown
 
A Bug Hunter's Perspective on Unix Drivers
A Bug Hunter's Perspective on Unix DriversA Bug Hunter's Perspective on Unix Drivers
A Bug Hunter's Perspective on Unix DriversJeremy Brown
 

Mais de Jeremy Brown (10)

Provoking Windows
Provoking WindowsProvoking Windows
Provoking Windows
 
Summer of Fuzz: macOS
Summer of Fuzz: macOSSummer of Fuzz: macOS
Summer of Fuzz: macOS
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data Land
 
Adventures with Podman and Varlink
Adventures with Podman and VarlinkAdventures with Podman and Varlink
Adventures with Podman and Varlink
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical Approach
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
 
Hacking Virtual Appliances
Hacking Virtual AppliancesHacking Virtual Appliances
Hacking Virtual Appliances
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
A Bug Hunter's Perspective on Unix Drivers
A Bug Hunter's Perspective on Unix DriversA Bug Hunter's Perspective on Unix Drivers
A Bug Hunter's Perspective on Unix Drivers
 

Último

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 

Último (20)

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 

Microsoft Vulnerability Research - How to be a finder as a vendor

  • 1. MICROSOFT VULNERABILITY RESEARCH How to be a finder as a vendor
  • 2. WHO ARETHESE FINE GENTLEMEN  David Seidman  Manager of MSVR Program  Likes authentication, hates passwords  Jeremy Brown  MSVR Contributor since 2011  Likes bugs, but also likes making things more secure
  • 3. AGENDA  What is MicrosoftVulnerability Research?  The MSVR Process  How it works  And how things can go wrong
  • 4. AGENDA  Case Studies  Libavcodec  Comodo GeekBuddy  VMware Player  Blackberry “PrintTo Go”  Lessons Learned
  • 5. WHATWE’RE NOT COVERING  How Microsoft handles vulnerabilities in 3rd party software distributed with our products  Any information about MSVR bugs in the queue for public release  The ethics of disclosure or debating which philosophy is the greatest
  • 7. ORIGINS  MSVR started in 2008  Founded by Katie Moussouris  Announced at the BlackHat conference
  • 8. ORIGINS  MSRC cases and internal finds were affecting many other vendors  We needed a way to coordinate with vendors across the industry in order to ensure fixes for these bugs materialize
  • 9. MSVR ISN'T  MSRC  Microsoft Security ResponseCenter  Handles security incidents and vulnerabilities affecting Microsoft products  Microsoft Bounty Programs  Cash for defensive ideas and IE11 Preview bugs
  • 10. MSVR ISN'T  HackerOne  Hosts of the Internet Bug Bounty program  “Rewards friendly hackers who contribute to a more secure internet”  Sponsored by both Microsoft and Facebook
  • 11. MSVR IS…  A program to help Microsoft employees report security vulnerabilities to third party software vendors  Provide assistance to finders  People to answer questions and ping the vendor  Security contact database  The resources to find contacts if no public ones exist
  • 12. MSVR IS…  Objectives  Prevent miscommunication  Keep all parties informed  Provide transparency for both sides
  • 13. MSVR ADVISORIES  Dedicated Microsoft webspace to display and archive vulnerability and fix information  http://technet.microsoft.com/en-us/security/msvr  Each advisory credits the researcher for the find  Unless you want to be anonymous, of course
  • 14. WHYTHE FOCUS ONTHIRD PARTY  Windows runs lots of third-party code.That code becomes attack surface for Microsoft users.  Adobe Reader and Oracle Java account for the majority exploits used to compromise PCs  Not just PC software  Routers in our datacenters  Firmware in our devices  Apps in our software stores Reference: http://download.microsoft.com/download/5/0/3/50310CCE-8AF5-4FB4-83E2-03F1DA92F33C/Microsoft_Security_Intelligence_Report_Volume_15_English.pdf
  • 15. WHYTHE FOCUS ONTHIRD PARTY  Often the vulnerabilities affect Microsoft too  Protocol flaws  DNS  SSL  Common coding and design flaws
  • 16. SECURINGTHE ECOSYSTEM  Here’s a short list of vendors we’ve worked with at MSVR  Adobe, AOL, Apple, Blackberry, CA, Cisco, Citibank, Comodo, Fidelity, Google, Hex-Rays, HP, IBM, Intel, Intuit, Lenovo, Mozilla, Nullsoft, Nvidia, OpenOffice, Opera, Oracle, PGP, RealNetworks, SAP, Symantec,VMware, Wireshark, WordPress,Yahoo!  ….as well as many, many more
  • 17. GOALS  Ensure that Microsoft works with others the same way we’d like them to work with us  Coordinated vulnerability disclosure so that Microsoft employees do not drop 0-days  Reproducible and interesting bugs  Good repro and explanation Reference: http://blogs.technet.com/b/msrc/archive/2011/04/19/coordinated-vulnerability-disclosure-from-philosophy-to-practice.aspx
  • 18. GOALS  Help Microsoft finders out  Make sure bugs get fixed  Release advisories  Help secure the Microsoft ecosystem  Build relationships with other vendors
  • 19. WHO ARE FINDERS?  Individual Microsoft employees who find security bugs for various reasons  Hobby  Securing software they use  Product groups working extensively with a third party product  E.g. Office findingAdobe Reader bugs when testingWord’s Save as PDF function  Often many bugs are discovered at once, or a stream of bugs is generated on an ongoing basis  Product groups hitting one-off bugs  It is not uncommon to hit a bug in a third-party component while just testing functionality
  • 20. WHICHVULNERABILITIES ARE ELIGIBLE?  Found by a Microsoft employee  Whether found on own time or otherwise, using company resources or not  Critical and Important on SDL Bug Bar  Remote code execution, server DoS, XSS, SQLi, MITM, a few others  Affects a product on a Microsoft platform or used in a Microsoft datacenter  E.g. iPhone apps are not eligible  These aren’t hard rules – designed to ensure high ROI
  • 21. MSVR REQUIREMENTS  I am not a lawyer, so this is a paraphrase of the actual policy  Microsoft employees must use CVD under all circumstances  CVD: CoordinatedVulnerability Disclosure (the new one, not “responsible disclosure”)  =no 0days per Microsoft’s policy  Employees must notify MSVR of all vulnerabilities they report  Exception: existing working/support/partnership relationships can continue  Using MSVR to manage the process is optional for bugs found on personal time
  • 22. MSVR REQUIREMENTS  Third-party bugs found outside company time and not using company assets may be reported through a vuln broker using CVD  The employee can keep the money  This includes bug bounties too
  • 25. STEP 1 MISFIRE: CLASSIC 0-DAY  <insert anyWindows 0day full disclosure post here in the last 20 years>
  • 26. STEP 2: ENSURE QUALITY  MSVR ensures that all required elements are present:  Qualifying bug details  Proof of concept file or solid repro steps  Description of issue, including affected products and versions, severity, etc.  Stack trace  Ideas for workarounds or code fixes  We’ll go back-and-forth with finders until it meets quality bar  Won’t ship if it doesn’t
  • 27. STEP 2 MISFIRE: NOT A BUG  When logging intoWindows  If you have the number 8 in your login password, and  You have NumLock off and  You use the number pad when typing the number 8  You will switch focus to the username field and might accidentally type the rest of your password into the username field
  • 28. STEP 3: CHECK FOR MICROSOFT IMPACT  Does Microsoft have code that could be similarly affected?  Does an SSL bug affect our SSL stack?  Does a browser bug affect Internet Explorer?  Etc.  If so, coordinate with third parties to align their fix schedule with ours
  • 29. STEP 3 MISFIRE: WE 0-DAY OURSELVES  Microsoft researchers: Online ad networks’ payment processing can be theoretically exploited for fraud!  Just like Bing’s  Researchers: “We thought it would be okay because we didn’t mention Bing”
  • 30. STEP 4: REPORTVULNERABILITY  Find the vendor’s security contact point (email, web form, etc) if we don’t already have it  If they don’t have one, we try harder   Tell them we have a vulnerability to report and request PGP or S/MIME key  Perhaps explain to them what PGP is…  Encrypt and send details
  • 31. STEP 4 MISFIRE: SALES PURGATORY  Vendor:What’s your customer ID?  Microsoft: We don’t have a customer ID, we found a security problem with your website.  Vendor: Oh, well with no customer ID we can’t help you.Would you like to buy our product?  Microsoft: We don’t want help or to buy your product.We’re trying to help you.  Vendor:Thank you for contactingVendor.Your email is very important to us.
  • 32. STEP 5: MONITOR  Follow up with company and internal finder to track their fix through release  Resolve questions about repro and severity  Vendor may send a private, fixed version for the finder to confirm the bug is fixed  Keep all parties up to date with plans for updates, blog post, conference presentations, etc.
  • 33. STEP 5 MISFIRE: SURPRISE!  Oh that bug?We patched that six months ago.
  • 34. STEP 6: SHIP UPDATE  Vendor releases update  Implore them to credit our researcher  If they “forget”, we’ll ping them and recommend it again 
  • 35. STEP 6 MISFIRE: NO CREDIT  Vendor: Here’s the fix! <no credit to finder>  Finder: Hey!
  • 36. STEP 7: MSVR ADVISORY  Released when we think a bug particularly merits Microsoft customers’ attention  Optional  Not all vulnerabilities get advisories  Released with or (typically) after the vendor releases a patch  In case of active attacks, we could release one proactively, but we have yet to do so  Purpose is to notify our customers of the patch and remind them to install it  Finder always has the option to release their own advisory in coordination with MSVR once vendor has patched
  • 37.
  • 38. STEP 7B: MSVR CREDITS  When we don’t do a full advisory, still provide internal finders credit
  • 40. CASE STUDY: LIBAVCODEC  MSVR12-017  Vulnerabilities in FFmpeg Libavcodec Could Allow Arbitrary Code Execution  FuzzingVLC with WMA files.. Boom  But it’s obviously easier to find a crash than to figure out what caused it Reference: http://technet.microsoft.com/en-us/security/msvr/msvr12-017
  • 41. CASE STUDY: LIBAVCODEC  !Exploitable says aWriteAV at libavcodec_plugin.dll  Looks like this isn’t a bug inVLC, but in the included A/V codec  Let’s diff to see what the fuzzer changed in the template to make our repro file!
  • 43. CASE STUDY: LIBAVCODEC  We can see that the 0x0001 was changed to 0x0007  But what is that word value anyways?  And how do I already know it’s a word?
  • 44. CASE STUDY: LIBAVCODEC  Meet OffVis  “The Microsoft OfficeVisualizationTool (OffVis) allows IT professionals, security researchers and malware protection vendors to better understand the MicrosoftOffice binary file format in order to deconstruct .doc-, .xls- and .ppt-based targeted attacks”  Free public version available on the Microsoft download website  But it’s not actually specifically for office documents. OffVis uses GUT templates, which is the same concept as 010 editor binary templates: describing file formats in order to parse and edit such files smarter. Reference: http://www.microsoft.com/en-us/download/details.aspx?id=2096
  • 46. CASE STUDY: LIBAVCODEC  So we know a few more things now!  ASF is the container format forWMA files  A quick search for “Number of Channels” in the ASF specification tells us  It’s a 16-bit value  It’s a member of theWAVEFORMATEX structure  It’s the “number of audio channels” for this content  Manual testing shows that changing the value from 0x0003 - 0x0008 causes a crash  Also noteworthy, changing it to 0x0009 results inVLC displaying an error dialog about howVLC does not support the WMA2 file format Reference: http://msdn.microsoft.com/en-us/library/bb643323.aspx
  • 47. CASE STUDY: LIBAVCODEC  Now take a look at the couple of instructions before the crash  pop ebx  call dword ptr[ebx+30h]  Anyone else smiling?   For those not immediately enlightened, this is very promising for exploitation  As long as we have some kind of influence or control over the ebx register  And there’s a pop before the call.. well, the stack is our friend
  • 48. CASE STUDY: LIBAVCODEC  We’ve got our original and repro files, quick write-up and ready to share with msvr@microsoft.com  They packaged up the deliverables and sent them off to the vendor  Handled coordination  Status updates  Questions from the vendor
  • 49. CASE STUDY: LIBAVCODEC  The vulnerability was patched in May, 2012 and the advisory was released a few months later
  • 51. CASE STUDY: COMODO GEEKBUDDY  CVE-2014-7872  Comodo GeekBuddy Privilege Escalation  What is GeekBuddy and how does it work?
  • 52. CASE STUDY: COMODO GEEKBUDDY  Noticed GeekBuddyRSP.exe was listening on two familiar ports  5800, 5901 (VNC)  VNC server to tunnel technical support remoting makes sense
  • 53. CASE STUDY: COMODO GEEKBUDDY  Let’s try to connect using aVNC client and see what happens
  • 54. CASE STUDY: COMODO GEEKBUDDY
  • 55. CASE STUDY: COMODO GEEKBUDDY  The attack goes as follows  Admin logs in  User (or guest) logs in and uses aVNC client to connect to localhost  User assumes Administrator’sVNC session via no server password set  Couple significant caveats  OS must support more than one simultaneous login, eg.Windows Server  GeekBuddy is known to be bundled with the following products  Comodo Anti-Virus, Comodo Firewall, Comodo Internet Security  But they only install on Windows Client  Comodo might have bundled GeekBuddy in some enterprise packages
  • 56. CASE STUDY: COMODO GEEKBUDDY  What other vectors of exploitation can you think of?  Client-side CSRF-like attack  Host a modified JavaVNC Client on a webserver  GeekBuddy target browses to webpage with embedded VNC client  VNC client connects to localhost and does interesting things with the target’s session  Comodo released a fixed version October, 2014
  • 57. CASE STUDY:VMWARE  MSVR13-002  Vulnerabilities inVMware OVFTool Could Allow Arbitrary Code Execution  Step 1:What file types doesVMware handle?  VMX  VMDK  OVF  …more Reference: http://technet.microsoft.com/en-us/security/msvr/msvr13-002
  • 58. CASE STUDY:VMWARE  Step 2:What is OVF?  OpenVirtual Machine Format  “an open, secure, portable, efficient and extensible format for the packing and distribution of (collections of) virtual machines” Reference: http://www.vmware.com/pdf/ovf_whitepaper_specification.pdf
  • 59. CASE STUDY:VMWARE  TL;DR– It’s a xml-based file format for describing virtual machine data  And since XML implies describing and consuming untrusted data.. probably a worthy target
  • 60. CASE STUDY:VMWARE  Step 3: How doesVMware load OVF files?  Upon loading a OVF file, it executes ovftool.exe  Nearly the same as having the OVF parsing code inVMware player
  • 62. CASE STUDY:VMWARE Step 5: Find a interesting crash or other unexpected behavior <?xml version="1.0" encoding="utf-8"?> <ovf:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ovf="%p.%p.%p.%p.%p.%p.%p.%p" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim- schema/2/CIM_VirtualSystemSettingData" … </ovf:Envelope>
  • 63. CASE STUDY:VMWARE And when we load the OVF file inVMware..
  • 65. CASE STUDY: BLACKBERRY PTG  Submitted as, “Blackberry PrintTo Go Auth Bypass”  But what can we gain from this bug?  What is Blackberry PTG?  Allows you to “print” documents from your computer to your BlackBerry Playbook tablet  E.g. Install the software on your PC and you can send anything you can print as a PDF to your Playbook
  • 67. CASE STUDY: BLACKBERRY PTG  In order to send documents to the Playbook, the user must do the following  Log into the service using your BlackBerry ID (user/pass)  Encrypt the documents using a password generated from the PTG app on the Playbook  Find the device using the it’s PIN  We can bypass this locally  Therefore we won’t need to login to Blackberry to perhaps “print” documents to a device
  • 69. CASE STUDY: BLACKBERRY PTG  There’s something listening on port 1234.. interesting  With the BB login dialog open, start a web browser and simply point it to this URL  http://localhost:1234/myserverlet/  The login dialog will immediately continue to the next page  Therefore bypassing authentication
  • 70. CASE STUDY: BLACKBERRY PTG  Theory  The login procedure checks if it receives data on listening port 1234, not the data’s validity (at least well enough)
  • 74. CASE STUDY: BLACKBERRY PTG  So what could one gain from bypassing this login page?  There wasn’t a Playbook tablet to completely test the exploit scenarios  We handed the report to BlackBerry security with our ideas so they could test internally  BB concluded that while this was undesirable behavior, it wasn’t a security issue  “Printing does not succeed as the Connector does not have the BlackBerry ID account info and token needed for printing”  Without a Playbook on hand, it was tough to test this remaining step  We didn’t know if it would succeed or not with a real device connected  Better to submit anyways so they could confirm with us
  • 75. LESSONS LEARNED  Vendors range greatly in their capacity  Which is not necessarily correlated with size  Some small development teams are very responsive, others are not  Some big companies have effective and established procedures, others mire you in bureaucracy
  • 76. LESSONS LEARNED  Setting limits is important  Pen-testing the web and dumped hundreds of bugs on us for most for relatively unimportant sites doesn’t scale too well  Finders may report low-severity bugs that they think are very serious  Employees like this program!
  • 77. WHYYOU SHOULD RUNYOUR OWN MSVR  Give employees a standard, end-to-end process for getting security bugs fixed  Inter-company bug reporting can be more coordinated and efficient  Relatively cheap to run, with high ROI  Boost employee morale  Secure the ecosystem, as your product likely depends on *something*  Eg. HackerOne bug bounty program has a bounty for “The Internet”
  • 78. WHATWE'D LIKETO SEEWHEN REPORTING VULNERABILITIES  Clearly identified point of contact  Public encryption key (PGP or S/MIME)  Direct line to a real person who understands security  Don't turn us away because we don't have a support contract!
  • 79. WHATWE'D LIKETO SEEWHEN REPORTING VULNERABILITIES  Clear communication  Acknowledgment receipt of the initial email  Repro, including affected platforms  Update release dates, including any delays  How we will be credited (ask us for our preference!)  Closure  Variant investigation  Relatively prompt fixes
  • 82. ©2014 Microsoft Corporation. All Rights Reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice.You bear the risk of using it. Some examples are for illustration only and are fictitious. No real association is intended or inferred.This document does not provide you with any legal rights to any intellectual property owned by Microsoft.You may copy and use this document for your internal, reference purposes.