
So, near the end of last week, I fired up my Xbox and downloaded the new “experience” – a massive update to the UI, which includes avatars.

Lots of cool new stuff, but when I checked out my friends' avatars, now that was really cool.

This *is* stepto.  ;-)   If you know him, then no further explanation is necessary.  If you don’t, check out the picture on his blog header…

With the recent release of v5 of the Security Intelligence Report, I decided to produce a couple of webcast videos where I present my findings to you directly in a brief presentation. In this second one, I go over the vulnerability disclosure trends for vulnerabilities affecting Microsoft products.

1H08 Vulnerability Trends - Part 2 - Microsoft

To see all of my videos on http://edge.technet.com, click here (http://edge.technet.com/Tags/SecurityGuy/).

Best regards, Jeff

With the recent release of v5 of the Security Intelligence Report, I decided to produce a couple of webcast videos where I present my findings to you directly in a brief presentation. In this first one, I go over the industry-wide trends.

1H08 Vulnerability Trends - Part1 - Industry

To see all of my videos on http://edge.technet.com, click here (http://edge.technet.com/Tags/SecurityGuy/).

Best regards, Jeff

This morning, we released the latest version of the Microsoft Security Intelligence Report (SIRv5), examining industry-wide software vulnerability disclosures, Microsoft vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software.

I am one of the primary contributors to the SIRs, so naturally I think you should download it immediately and read it cover to cover  ;-)  However, I understand that some of you may not wish to read a 150 page technical analysis document, except as a way to fight off insomnia.

Because of that, if you go over to the main SIR page at www.microsoft.com/sir, there is also a "Key Findings" document that is only 18 pages long and provides a nice summary of the findings from each section.

For my section, on Industry and Microsoft vulnerability disclosures, I'll be posting up some brief PowerPoint screencasts over the next few days where I'll talk through my findings while showing some pretty graphs.

Regards ~ Jeff

This report looks at all of the vulnerabilities fixed by Apple, Microsoft, Red Hat and Ubuntu during the first half of 2008. At the vendor level, the report examines all vulnerabilities as well as Days of Risk (DoR) associated with those vulnerabilities. The report further drills down to examine just those issues affecting the commonly installed desktop operating system components.

The key findings for 1H08:
  • The four vendors fixed a total of 585 vulnerabilities in 1H08. 26.8% affected multiple vendors and of those, only 8 were fixed on the same day – the rest had an average 35 day delay between the first available fix and the last available fix.
  • Microsoft had the lowest average Days of Risk for all vulnerabilities fixed at 24.22 days, with the next closest vendor at 72 days.
  • For desktop OS vulnerabilities, Windows Vista had the fewest vulnerabilities in 1H08 at 21. The next lowest number was Windows XP SP2 at 26.
  • Windows Vista customers experienced full or partial mitigation for 46% of the 26 vulnerabilities affecting Windows XP SP2 in 1H08, but also experienced one additional vulnerability in new code.

In addition to these measurements for the vendors and products, the body of the report also provides a weighted analysis that gives less weight to lower severity issues. Please read the full report for details.
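To make the two metrics in the key findings concrete, here is an added example (my own illustration, not code or data from the report) that computes Days of Risk per vendor and the first-fix-to-last-fix delay for vulnerabilities shared across vendors. It assumes DoR is measured as days from public disclosure to a vendor's fix, and the vendor names, vulnerability ids and dates are constructed sample data:

```python
from datetime import date
from statistics import mean

# Constructed sample records (not data from the report): one row per
# (vulnerability id, vendor) with the public disclosure date and the date
# that vendor shipped a fix.
FIXES = [
    # vuln id, vendor, disclosed, fixed
    ("V-1", "VendorA", date(2008, 1, 10), date(2008, 1, 10)),
    ("V-1", "VendorB", date(2008, 1, 10), date(2008, 2, 14)),
    ("V-2", "VendorA", date(2008, 2, 1), date(2008, 2, 21)),
    ("V-3", "VendorB", date(2008, 3, 5), date(2008, 3, 25)),
    ("V-3", "VendorC", date(2008, 3, 5), date(2008, 3, 25)),
    ("V-4", "VendorC", date(2008, 4, 1), date(2008, 6, 30)),
]


def days_of_risk(disclosed, fixed):
    """Assumed definition: days the public was exposed before this vendor's fix."""
    return (fixed - disclosed).days


def average_dor_by_vendor(fixes):
    """Mean DoR over every vulnerability each vendor fixed."""
    per_vendor = {}
    for _, vendor, disclosed, fixed in fixes:
        per_vendor.setdefault(vendor, []).append(days_of_risk(disclosed, fixed))
    return {vendor: mean(days) for vendor, days in per_vendor.items()}


def multi_vendor_fix_delays(fixes):
    """For each vulnerability fixed by more than one vendor, the number of days
    between the first and the last available fix. 0 means a same-day fix."""
    by_vuln = {}
    for vuln_id, _, _, fixed in fixes:
        by_vuln.setdefault(vuln_id, []).append(fixed)
    return {vuln_id: (max(dates) - min(dates)).days
            for vuln_id, dates in by_vuln.items() if len(dates) > 1}


def summarize(fixes):
    """Roll the records up into the shape of the report's key findings.
    Same-day fixes are counted separately and excluded from the average delay,
    matching how the finding above is phrased."""
    delays = multi_vendor_fix_delays(fixes)
    vulns = {vuln_id for vuln_id, *_ in fixes}
    staggered = [d for d in delays.values() if d > 0]
    return {
        "total_vulns": len(vulns),
        "multi_vendor_pct": round(100 * len(delays) / len(vulns), 1),
        "same_day_fixes": sum(1 for d in delays.values() if d == 0),
        "avg_delay_days": mean(staggered) if staggered else 0,
        "avg_dor": average_dor_by_vendor(fixes),
    }


if __name__ == "__main__":
    for key, value in summarize(FIXES).items():
        print(f"{key}: {value}")
```

Real report data would need a consistent disclosure date across vendors for the same issue; the example keys on the vulnerability id for that, which is the assumption a cross-vendor comparison rests on.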

Of course, if you ask me, everyone should be implementing a process that is SDL-like, so that isn't particularly interesting for me to write about.

However, it is interesting when others probe the question.  I think you may be interested in reading Time For Apple To Embrace A Security Development Lifecycle by Andrew Storms.

Give it a read and let me know your thoughts...

Regards ~ Jeff


One of the more interesting sessions I went to yesterday was a talk by Chris Hoff called "The Four Horsemen of the Virtualization Apocalypse."  (If you've never read Hoff's blog, you should check it out at http://rationalsecurity.typepad.com/.)

I thought I was keeping a close eye on security and virtualization issues, but this talk illustrated how wide and varied the topic really is.  This was not about Blue Pill and it wasn't about having security monitors in the hypervisor - instead he focused on how virtualizing physical devices (e.g. switches, systems) will cause lots of problems for security architects and administrators.

Briefly, here are the four horsemen:

  • Conquest - Translating your physical capacity planning implementation to virtual devices probably won't work.
  • Death - Virtualized networks lack several physical attributes assumed by security applications and high-availability devices today - you'll probably have to re-architect it all to get the same functionality, which might not even be possible in your new virtual world.
  • War - Adding security VAs takes away precious resources that could have been used to dynamically add VMs.  It is a war of resources.
  • Famine - With all of the redesigning and accommodation happening, security costs are going to eat into any savings you make on server consolidation.

Now, if you want to read the much more thorough version, see Hoff's original post here.

Okay, how does this all relate to the title of my post?  Not much.  However, much later on day one, things really started rolling.

After being crowded out of the Shadow Bar, a bunch of us ended up over at Casa Fuente (A cigar bar in Caesars forum).  Five minutes after arriving, someone spilled a drink in my lap, big fun!  It turns out that it was Stepto's birthday, and Hoff makes sure everyone has a drink and we all sing happy birthday to Stepto.  Check out part of it, courtesy of Jack Daniel:

Immediately after the toast, Jennifer Jabbusch knocks over a table, falls to the floor and begins having a seizure. Stepto rushes over, trying to help, and just about that time, she flips over and starts laughing - total fakeout! Everybody bursts out laughing.

Shortly after that, they closed for the night and kicked us out and we all headed over to Cleopatra's Barge. There weren't enough seats or tables for us, but I noticed that the "reserved" barge seating was empty. Drawing upon a clever technique (i.e. sometimes called "asking") I social engineered a waitress into letting us have the reserved area. Within mere minutes, several security geeks are on the dance floor, doing us proud.


This leads me to the Four Horsemen of Cleopatra's Barge.  (Though I was out there too, I am excluding myself simply because I can.)

  • JJ, for leadership
  • Hoff, who owned the dance floor.
  • Ryan Naraine, for getting low, low, low
  • David, for letting his hair down.

Though our collective dancing does not signal the end of the world, it certainly capped an excellent day.

So, this afternoon, I'm in the Microsoft booth at Black Hat when this guy comes up (badge hidden of course) and starts talking to some of my colleagues.  Right away, it was pretty obvious that he was antagonistic.  I will refer to him as "h8er" from here on out.  Though I am paraphrasing a bit, this is based upon a true story.  It gave me a chuckle, so I thought I'd share.

h8er:  So, how does it feel to work for a company that has made so many bad security decisions?

MSFT guy:  Well, I feel lucky to be in a position to try and influence good security decisions going forward - are there any specifics you want to give me feedback on?

h8er:  All those prompts irritating people, for example.

MSFT guy:  Oh, so you don't like that aspect of UAC.  We've gotten a lot of feedback on that, but the UAC security changes in Windows Vista encompass a pretty wide range of options designed to make it easier for most users to run as non-admin.  Plus, we've incorporated some of the feedback into SP1 and I think it is a lot better.  Have you tried SP1?

h8er:  <crickets chirping in the silence>

MSFT guy: (still trying) Let me ask it a different way.  A lot of folks have said that after the first few weeks, the UAC prompts tapered off, have you not found that to be the case?

h8er:  <crickets chirping in the silence>

MSFT guy: What about some of the other changes in Windows Vista - I think the addition of ASLR, for example, was a good decision and raises the bar for attackers developing exploits.

non-MSFT guys standing nearby:  He has probably never even tried Vista - I bet you run Linux and just heard the prompt stuff second hand.

h8er:  I don't run Linux ... I run a Mac!

(NOTE: This seemed to rattle him, so he went on the offensive.)

h8er:  Don't you feel embarrassed working for Microsoft knowing that 40% of your customers are infected with Malware?

MSFT guy:  Actually, based upon research in the latest Security Intelligence Report, less than 1% of machines have malware and need corrective action - plus, recent research in the same report has shown that most of that is on older platforms and Windows Vista has an even lower incidence.  40% is a pretty high number, what source did you hear that from?

h8er:  <crickets chirping in the silence>

(NOTE:  Need a new tack, better try something different.)

h8er:  Well, I feel a lot safer running my Mac and knowing the malware writers aren't targeting me.

MSFT guy:  Oh, threat landscape is a different topic than the security of the software, but I can't really agree anyway.  Many of the folks I talk to are more concerned about spearphishing or targeted attacks specifically against their valuable data.  Recent data shows that Mac OS X has quite a higher incidence of security vulnerabilities than other comparable systems.  That means that if an attacker did target them, he'd have a lot more options to choose from.  In that case, I feel much more comfortable using or recommending Windows Vista than I would using your Mac.

He left shortly after that, but not before giving the Microsoft guy an invite to his company's party - I won't tell you which company it was, but it makes the story even funnier.  To cap it, a few minutes later, one of the bystanders came by and said "so, did the Mac fanboy get tired of harassing you and leave?"

Having lots of fun at Black Hat 2008 ~ Jeff

I thought I'd share a quick story from Black Hat.

So, I went to Caesar's and headed back to the conference area to register and get my badge.  As I neared the escalators, I started seeing a lot of folks with badges on that said "Configuresoft."

I thought, hmm, there must be another conference going on here at the same time - which would be weird, since Black Hat filled the areas last year.

Anyway, I trudged on, found registration and got my badge for Black Hat.  Here is a picture:

[picture]

Duh.  Look for more updates as the conference progresses.  ~Jeff

Yesterday at Black Hat 2008, along with some other stuff, we announced that we will be adding some new information to Security Bulletins - an "Exploitability Index" for each of the vulnerabilities addressed by the bulletin.

Based upon talking with Microsoft customers over the past five years, they are always looking for that little bit of extra information to help make prioritization decisions.  An obvious example of this is the severity attached to the vulns.  However, as explained by Mike Reavey of the Microsoft Security Response Center (MSRC) over on the Ecostrat blog today, customers are also very interested in which vulnerabilities already have exploit code or sample exploits available.

According to our analysis in the most recent Security Intelligence Report (SIR), only about 30 percent of the vulnerabilities we fix each year have exploit code released.  Why is it not 100%?  Some are not interesting to attackers, sure, but some are simply more challenging to develop a consistent exploit against.  It seems like it would be practically useful if this sort of information could be analyzed and published for customers.

How does one come up with an Exploitability Index?

  • The MSRC will analyze the vulnerability and explore what it would take to exploit it, with the support of our Security Vulnerability Research & Defense (SVRD) team.  This will include leveraging methodologies from the broad researcher community.
  • We will also ask security researcher members of the Microsoft Active Protections Program (MAPP) (download FAQ) to review the vulnerabilities and check our analysis before releasing the index.

The idea of the Exploitability Index is to provide more information to help customers prioritize Microsoft security updates. This Index will reflect our best estimate, scrutinized by MAPP partners, of the likelihood of a functional exploit being developed for a given vulnerability.

If you are interested, I did an interview with Mike Reavey a while back, where we discuss what sort of information customers want that isn't yet in Security Bulletins.  FYI, the video is about 15 minutes long and the early part focuses on Mike, how he got into security and how he ended up at Microsoft before we get to the Security Bulletin discussion ... if you want to get right to the Security Bulletin discussion, skip forward to about 08:40.

If you like these sorts of videos, click on SecurityGuy 001 - Interview with MSRC Leader Mike Reavey and it'll take you to the edge.technet.com site and you can check out the related videos.

Regards ~ Jeff


Tomorrow, I set off for Black Hat 2008 in Las Vegas to join colleagues that are already there (see Defend the Flag: Roguery Abounds!, over on the new MSRC Ecostrat blog.)

As always, I am excited to head over to this conference to see if anything new and exciting will be presented and of course, to see and talk to folks that I haven't seen face to face in a while.

In that vein, if you are going to be there and would like to grab a coffee and chat, send me a message - don't be shy.

I'm not going so far as to Twitter my minute to minute activities, but I do expect to give you some updates wrt the briefings as more interesting things happen throughout the week.  See you there!

Regards ~ Jeff

I converted my office fileserver to Windows Server 2008 (WS2008) a while back and I've never been happier - WS2008 is my favorite product ever.  Nicely modular, pretty much everything turned off by default and some great tools for enabling just the components you need for a particular role.

There is one more step I've been wanting to take and that is to enable the Hyper-V role and convert my fileserver over to just one virtual machine on the box, so I can set up other VMs on the same box.  Today, I was excited to see Microsoft Releases Hyper-V on CNET.  Here is a summary of the key links (note that it is only available for the 64-bit versions of WS2008):

Check back with me and I'll let you know how things go and share any tips I have for what to do or not do, as well as my review of how easy/hard it is.

Regards ~ Jeff

In case you didn't see it, the Microsoft Security Response Center (MSRC) team just announced the release of three tools to help customers fend off SQL injection attacks:

  • UrlScan 3.0 Beta (see Wade Hilmo's blog for more), a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests.
  • Microsoft Source Code Analyzer for SQL Injection (MSCASI) CTP (see the SQL Security blog for more), a tool that can be used to detect ASP code susceptible to SQL injection attacks.
  • Scrawlr (see HP's security blog for more), a free scanner, developed by HP Web Security Research Group in conjunction with Microsoft, which will allow customers to identify whether their Web sites might be susceptible to SQL injection.

There are already a lot of resources available for these tools.  Let me point you to a few of them:

and some best practice guidance for developers:
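As an added illustration of the code pattern the source-code analyzer above looks for, and of the fix the developer guidance comes down to, here is a small example of my own (not code from MSCASI, UrlScan or Scrawlr). It uses Python's built-in sqlite3 module against a constructed in-memory table rather than ASP, but the defect and its remedy are the same: the vulnerable query splices untrusted input into the SQL text, while the hardened query passes it as a bound parameter:

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for a site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The pattern a SQL injection scanner flags: request input concatenated
    straight into the statement, so the input can alter the query's structure."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value is bound to a placeholder and is never parsed
    as SQL, whatever characters it contains."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(conn=None):
    """Run both lookups on a normal name and on a constructed input that
    closes the string literal, and return the four result sets."""
    conn = conn or make_db()
    normal = "bob"
    quote_breaking = "x' OR '1'='1"  # constructed test input, not a real request
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_quote_breaking": lookup_vulnerable(conn, quote_breaking),
        "param_normal": lookup_parameterized(conn, normal),
        "param_quote_breaking": lookup_parameterized(conn, quote_breaking),
    }


if __name__ == "__main__":
    for label, rows in compare().items():
        print(f"{label}: {rows}")
```

The point to take from the run is the row counts: the concatenated query returns the whole table for the quote-breaking input, the parameterized query returns nothing because no user is literally named that. Tools like UrlScan can block some request shapes at the IIS layer, but only the parameterized form removes the defect from the code itself.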

Best regards ~ Jeff


I wanted to mention to folks that a new Security Development Lifecycle (SDL) web site went up earlier this month on microsoft.com.  Amazingly, you can navigate to it via http://www.microsoft.com/sdl, instead of some long name you'd never remember.

Of course, once you navigate to that URL, you get redirected to a long url that you'll never remember that is on the MSDN subsite, which is encouraging when you think about it.

I have it on reasonably good authority (aka the site owner) that there are plans for the site content to grow this year and that this will be one of the main starting points to learn more about Microsoft efforts to improve developers' ability to write code that is less prone to security problems.

While I'm on this topic, I may as well provide some other pointers to related content, lifted from the SDL Home page:

Considering the large amount of custom software that is developed in-house at large companies, I think SDL-like processes are becoming a critical need beyond vendor-developed software.  If your company hasn't started this process already, these resources might provide a good starting point.

Regards ~ Jeff


With Windows Server 2008, the Microsoft Windows Server team introduced a new installation option – Server Core.

Server Core is a “minimal install” option of Windows Server that excludes much of the GUI and many applications – such as Internet Explorer and Windows Media Player – that would be present in a default installation.

In this very short report (download the full report), I perform a brief analysis of how much smaller the software footprint is for Windows Server 2008 Server Core and examine a theoretical Server Core version of Windows Server 2003 over the past two years to gauge how much Server Core might convey in terms of reducing security updates.

chart

As shown in the chart, looking at the Windows Server Security Bulletins over the past two years, 40% of them would not have applied to a theoretical Server Core build. The results of the analysis are encouraging in terms of security progress.  Check back in a few weeks and I'll publish my 90 day vulnerability study for Windows Server and we'll look at how this potential is being fulfilled...
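To show the kind of mapping behind a figure like the one above, here is an added example of my own (not the report's method or data): each bulletin is tagged with the components it affects, a bulletin is counted as still applying to a Server Core build if any affected component is present there, and the share of bulletins that drop out entirely is reported. The excluded-component list, the bulletin ids (placeholders, not real bulletin numbers) and the component tags are all constructed:

```python
# Constructed list of components a minimal install leaves out. Real analysis
# would derive this from the actual Server Core feature inventory.
SERVER_CORE_EXCLUDED = {
    "Internet Explorer",
    "Windows Media Player",
    "Explorer Shell",
    ".NET Framework",
}

# Constructed bulletin records with placeholder ids: (bulletin id, affected components).
BULLETINS = [
    ("MS-PLACEHOLDER-01", {"Internet Explorer"}),
    ("MS-PLACEHOLDER-02", {"Windows Kernel"}),
    ("MS-PLACEHOLDER-03", {"Windows Media Player"}),
    # Mixed case: one component is gone on Server Core, the other is not,
    # so the bulletin still applies and must not be counted as avoided.
    ("MS-PLACEHOLDER-04", {"Internet Explorer", "Windows Kernel"}),
    ("MS-PLACEHOLDER-05", {"DNS Server"}),
    ("MS-PLACEHOLDER-06", {"SMB Server"}),
]


def applies_to_server_core(components, excluded=SERVER_CORE_EXCLUDED):
    """A bulletin applies if at least one affected component survives the minimal install."""
    return bool(components - excluded)


def server_core_reduction(bulletins=BULLETINS, excluded=SERVER_CORE_EXCLUDED):
    """Return the bulletins that would not have applied at all, and their share
    of the total as a percentage rounded to one decimal."""
    avoided = [bid for bid, comps in bulletins
               if not applies_to_server_core(comps, excluded)]
    pct = round(100 * len(avoided) / len(bulletins), 1)
    return avoided, pct


if __name__ == "__main__":
    avoided, pct = server_core_reduction()
    print(f"{len(avoided)} of {len(BULLETINS)} bulletins ({pct}%) would not apply: {avoided}")
```

The mixed bulletin is the case to watch when doing this by hand: a bulletin that names a removed component among others is a partial reduction at most, and counting it as fully avoided overstates the benefit.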
