Microsoft Security Response Center, presented by Fan Chiang, Chun-Wei (范姜竣韋), 2015/11/14


Post on 13-Jan-2016


TRANSCRIPT

  • Microsoft Security Response Center. Presented by Fan Chiang, Chun-Wei (范姜竣韋)

    NTUIM

    OPLAB , NTUIM

    Microsoft Security Response Center

    Agenda
    - Background
    - Case
    - Current Problem
    - MSRC
    - Security Vulnerability Problem Solving Process
    - Workarounds, Service Packs, Patches
    - 4 phases of patch developing
    - Follow-up
    - Question


    Background
    According to a 2000 IDC study, the data security budget in 2003 had risen to 14.8 billion from 6.2 billion in 1999.

    Of all the technologies, the Internet has proven to be the greatest threat to data security, for three reasons: scope, anonymity and reproducibility.

    OPLAB , NTUIM


    Case
    Security program manager of MSRC, Scott Culp, vs. CyBER Paladin (CyP).

    Security vulnerability of MS IIS (versions 4.0/5.0): Canonicalization Error.

    CyP planned to post his findings publicly within a few days.


    Current Problem
    Contact the IIS development team and bring them up to speed on the situation.

    Legitimize (confirm) the security vulnerability.


    MSRC
    MSRC has eliminated over 150 security vulnerabilities across roughly 40 MS products.

    The goal of MSRC: protect users by eliminating security vulnerabilities.

    The main support activity of MSRC: once a vulnerability is identified, MSRC works with the relevant product development team to find a solution.


    MSRC (cont)
    Forms and types of vulnerabilities: viruses, worms, incorrectly configured systems, passwords written on sticky pads.

    MS definition of a security vulnerability: a flaw in a product that makes it infeasible, even when using the product properly, to prevent attackers from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust.


    Security Vulnerability Problem Solving Process
    Step 1 : Obtain information about possible security problems.

    Step 2 : Perform Initial Triage.
    - Working with the customer to gather more information on the problem
    - Testing the reported configuration
    - Informing the user about patches or workarounds already released

    Step 3 : Involve Product Team.


    Security Vulnerability Problem Solving Process (cont)
    Step 4 : Devise Solution Alternatives.
    - Server-side fixes
    - Workarounds
    - Service Packs
    - Patches

    Step 5 : Implement Solutions.

    Step 6 : Press Response


    Security Vulnerability Problem Solving Process - Step 4

    Workarounds : Provide the user with an alternative method of using the product that prevents a vulnerability from being exploited.

    Service Packs : A scheduled, periodic software update that corrects a large number of bugs, including security vulnerabilities.

    Patches : Used when the vulnerability needs to be fixed immediately.


    4 phases of patch developing
    Phase 1 : Create a private build and undergo initial testing.

    Phase 2 : Proceed to the War Team. They challenge the developer to show that the private build is necessary and the engineering solution is correct.


    4 phases of patch developing (cont)
    Phase 3 : Formal testing and full compatibility testing.

    Phase 4 : Develop an installer package for each version of the affected product. The packages are then signed (by MS) and retested.


    Security Vulnerability Problem Solving Process (cont)
    Step 4 : Devise Solution Alternatives.
    - Workarounds
    - Service Packs
    - Patches

    Step 5 : Implement Solutions. Build the bulletin and knowledge base article, then release the patches or workarounds.

    Step 6 : Press Response


    Follow-Up (B)
    Good news : The IIS development team knew that this security problem had been solved by an already released patch months ago.

    Bad news : Because the issue was complex, affected few users and had some mitigating factors, few customers had installed the corresponding patch.


    Canonicalization Error
    Security vulnerability of MS IIS (versions 4.0/5.0): Canonicalization Error

    c:\dir\test.dat, test.dat, and ..\..\test.dat might all refer to the same file, e.g. c:\dir\test.dat.
    c:\inetpub\wwwroot\test1\test2\test.asp (PHYSICAL file)
    www.microsoft.com/windowsnt/information/test.asp (VIRTUAL folder)
    www.microsoft.com/test1/test2/test.asp (PHYSICAL folder)


    Follow-Up (B) (cont)
    First, release the information as quickly as possible, in case malicious users were already compromising web sites.

    Second, and equally important, once the bulletin was released, the whole world needed to be informed as quickly as possible; otherwise hackers would start attacking the stragglers.


    Follow-Up (C)
    MSRC decided to keep the security vulnerability under wraps over the weekend.

    MSRC asked TAMs (Technical Account Managers) to support patch installation on customers' machines.


    Question
    How could Culp solve this security problem before attackers compromised web sites running MS IIS?

    Should he take a calculated risk and wait an extra day in order to prepare the patch in multiple languages?


    Speaker notes: Canonicalization is the process by which various equivalent forms of a name are resolved to a single, standard name, the so-called canonical name. For example, on a given machine the names c:\dir\test.dat, test.dat, and ..\..\test.dat might all refer to the same file. Canonicalization is the process by which such names are mapped to a name like c:\dir\test.dat.

    .ASP is probably the best-known ISAPI-mapped file type. The vulnerability does not affect static file types such as .htm, .jpg, or .gif. Similarly, it does not affect non-web file types such as .doc, .exe or .bat.
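    As an added example (not code from the slides, nor from IIS) of the canonicalization idea in the slide above and in these notes: the web root, the virtual directory table and the file names are constructed from the slide's own examples, and the point shown is that the containment decision is made on the canonical physical name rather than on the requested string, which is exactly the discipline a canonicalization error breaks.

```python
from typing import Optional
import ntpath

# Constructed sample data modelled on the slide: one virtual directory
# ("/windowsnt/information") that points at a physical folder under the web root.
WEB_ROOT = r"c:\inetpub\wwwroot"
VIRTUAL_DIRS = {"/windowsnt/information": r"c:\inetpub\wwwroot\test1\test2"}


def canonicalize(cwd: str, name: str) -> str:
    """Resolve an absolute or relative Windows file name to one canonical form.

    Relative names are joined onto cwd, '.' and '..' segments are collapsed,
    separators are unified and case is folded (NTFS names are case-insensitive).
    """
    return ntpath.normcase(ntpath.normpath(ntpath.join(cwd, name)))


def same_file(cwd: str, a: str, b: str) -> bool:
    """True when two spellings of a name resolve to the same canonical name."""
    return canonicalize(cwd, a) == canonicalize(cwd, b)


def map_url_to_physical(url_path: str) -> Optional[str]:
    """Map a URL path to its physical file, refusing anything that escapes its folder.

    The containment check runs on the canonical physical path, not on the raw
    URL text, so every spelling of the same location is judged the same way.
    Returns None when the request must be rejected.
    """
    # A matching virtual directory supplies the physical base; otherwise WEB_ROOT.
    base, rest = WEB_ROOT, url_path
    for vdir, physical in VIRTUAL_DIRS.items():
        if url_path == vdir or url_path.startswith(vdir + "/"):
            base, rest = physical, url_path[len(vdir):]
            break
    target = canonicalize(base, rest.lstrip("/").replace("/", "\\"))
    root = canonicalize(base, "")
    # The target must be the folder itself or lie strictly below it.
    if target != root and not target.startswith(root + "\\"):
        return None
    return target


if __name__ == "__main__":
    print(same_file(r"c:\dir\sub1\sub2", r"..\..\test.dat", r"c:\dir\test.dat"))
    print(map_url_to_physical("/windowsnt/information/test.asp"))
    print(map_url_to_physical("/test1/test2/test.asp"))
    print(map_url_to_physical("/windowsnt/information/../../test.asp"))
```

The two URL spellings from the slide resolve to the same physical file, while a dotted path that leaves the virtual directory's folder is rejected after canonicalization, not before.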
