In our last update cycle we published the security bulletin MS12-020 Vulnerabilities in Remote Desktop Could Allow Remote Code Execution. Relatively soon after the release, there was a public exploit code available – we informed here: Proof-of-Concept Code available for . . . → Read More: Security Updates and Exploit Code]]> CORRECTION:So far there is “only” Proof of Concept code in the wild, no real exploit.

In our last update cycle we published the security bulletin MS12-020 Vulnerabilities in Remote Desktop Could Allow Remote Code Execution. Relatively soon after the release, there was a public exploit code available – we informed here: Proof-of-Concept Code available for MS12-020.

This would not necessarily make me blog as it is a fairly common scenario – unfortunately. In all the different discussion lists internally, I realized that a there was a lot of confusion and nervousness internally and with our customers, which I definitely can understand.

I just wanted to make sure, that you understand and see all the resources you have available to take an informed decision. We basically give you two assessments: A Severity Rating and Vulnerability Impact and an Exploitability Index:

• The Security Rating and Vulnerability Impact describes how severe the vulnerability is and is described here in detail. If there are default mitigations in place, there is a chance that a vulnerability rating is lower. What is important is, that our assessment is always based on a default, out-of-the-box installation. If you decide to switch off the firewall, obviously there is a good chance that your risk is higher than flagged in our assessment.
• The Exploitability Index shows how likely we think an exploit is. We provide this information since late 2008 but it seems still not too well known – it is described here. You always find it in the bulletin summary per month.

Let’s apply this now to MS12-020 described above: The security rating is “critical”, which is the highest possible rating we have and the exploitability index is on “1 – Exploit code likely”. So, in this case we have a critical vulnerability and we expected a working exploit code to hit the net – unfortunately we have proven to be right.

This is in no means to criticize anybody, it is more to give you all the information to take the right decisions upfront. This update was definitely one you want to set extremely high on your priority list…

Roger

Before joining Microsoft a little bit more than 10 years ago, I ran a team at PricewarehoureCoopers on e-Business Risk Management – classical security consulting in the Internet bubble time. When I announced that I will leave PwC and join Microsoft, I got interesting reactions (and remember, this was 2001). Mainly they were along . . . → Read More: 10 Years of Trustworthy Computing at Microsoft]]>

Before joining Microsoft a little bit more than 10 years ago, I ran a team at PricewarehoureCoopers on e-Business Risk Management – classical security consulting in the Internet bubble time. When I announced that I will leave PwC and join Microsoft, I got interesting reactions (and remember, this was 2001). Mainly they were along two lines:

• Oh, you are joining a desktop company? Why?
• A security guy? Joining Microsoft? hmm…

So, these reactions came from the time immediately before we launched Windows XP (you are not on XP today, are you? If you are, read this article). Microsoft was not perceived as an enterprise player and was not seen as secure – they were wrong back then in the first case but right in the second one I guess. I joined being part of the consulting organization but soon met the country manager and I was having a chat with him about the perception on Microsoft’s security in the market. We (say: he ) then decided that we need to work on that and that I shall draw a job description – the job then was called Chief Security Officer and Chief Security Advisor later on. And then Nimda hit! And then Blaster hit! And then Slammer hit! I had the “privilege” back then to run the incident response team in Switzerland and had the privilege to have customers screaming at me, tell me that we fucked up (that was a quote).

Interestingly in the meantime the famous Bill Gates’ Memo hit the streets, saying:

There are many changes Microsoft needs to make as a company to ensure and keep our customers’ trust at every level – from the way we develop software, to our support efforts, to our operational and business practices. As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers’ view of us as a company.

and even more important:

In the past, we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.

This memo led to the creation of Trustworthy Computing with Scot Charney running the organization since it’s beginning and Scott then created the Chief Security Advisor community, the community I was in since the beginning and have the honor to run today globally.

Coming back to the beginning: I remember the first keynote I did for Microsoft was on Trustworthy Computing immediately after this announcement. People approached me in the breaks and asked me whether I really believe what I just said: that Microsoft is going to change. And I confirmed that. I have never seen (not before nor after) a company stopping development for almost four months to address issues and then change the way the company operates – that radically. I would never ever put my name and my credibility at risk if I would not have believed back then and I am still convinced that we did and still do an outstanding job and that we are leading the industry today. Interestingly I do not get these questions anymore…

So, what happened over these 10 years of Trustworthy Computing? What were significant achievements? Well, there are numerous and I have to apologize to the teams I am not mentioning here upfront…

• Immediately after SQL Slammer in 2003 we span up a process called Software Security Incident Response Process (SSIRP), a process which is still in place today and we constantly adapt it to new threats and especially new challenges. This was a huge effort as we needed to be able to ramp up an incident organization all across the globe 24*7 – and we still are today.
• Probably the biggest and most fundamental change was the way we develop software. We introduced the Security Development Lifecycle (SDL) and constantly keep it updated. Not only did we change the development process internally, we make this information available to the industry for free. Others shall be able to learn from our learning from the past. What concerns me is the slow adoption of such methodologies from a vendor side as well as from a customer side. Who really asks for a process? Typically customers ask for product certification but not for a sound process – something we as an industry need to continue on changing.
• Different teams were spun up to address security re-actively like the Microsoft Security Response Center and the Malware Protection Center.
• Since 2006 we publish our Security Intelligence Report – the most comprehensive report in the market.
• Our Digital Crimes Unit is fighting cybercrime from a legal as well as from a technology perspective. We are working closely with the Council of Europe and other organizations improving the legal situation. We are taking down botnets like Waledac, Rustock and Kelhios in close collaboration with the authorities.  We are providing technology to fight sexual exploitation of children like PhotoDNA.

A lot of things happened over the course of the years and there is still a lot to do. These are just some highlights (besides the creation of the Chief Security Advisor community).

If you want to see a condensed version of the “life” of Trustworthy Computing”, here you go:

And the official story on the news center: At 10-Year Milestone, Microsoft’s Trustworthy Computing Initiative More Important than Ever

Sometimes I am asked how many people work at Microsoft on security. And the answer is "everybody” (well, almost ). It is not something we separate and put into a team labeled security. It is part of all our lives to one extent or another and this is the way it should be.

If I would have a wish for 2012, it would be that the industry would stand together much closer to address the issues of today and the future. I do not see that security is something the industry should compete on – rather collaborate to fight the criminals – together with the governments and the governments together with us. I was already fairly vocal about this in the Octopus Conference and will continue to ask for it. To help with this dialogue, we published a model called Cybersecurity Agenda for Governments and will soon publish a book on it as well.

In parallel, the teams internally will continue their great work to bring Trustworthy Computing to the next level. All of this is needed, when we think that there will be a third billion devices added to the Internet in the next five years!

Roger

This made us thinking about what . . . → Read More: Cybersecurity–More than a good headline]]> A lot of governments all across the globe are working on starting, restarting or pushing their Cybersecurity initiative. What often concerns me is, that the last real headline has more impact on the strategy and the themes to be addressed than a structure or a plan or a strategy.

This made us thinking about what is needed to run a successful Cybersecurity Agenda within a country? What themes ought to be addressed and in which form.

We came up with a fairly simple model:

To explain the model, we just published two papers about it:

• Cybersecurity white paper abstract – a one pager with a high-level description
• Cybersecurity: More than a good headline – a few more pages going deeper into the discussion of the different subjects.

In parallel we are working on a book about this, giving much more examples and background – so stay tuned.

The only thing I really know: When I do a presentation explaining Cybersecurity and at the end show the slide above, governments love it. Typically they approach me asking for the deck – if they are not politically correct they tell me that they just want to get this slide.

Comments are very welcome. If you need/want further information, get in touch with me. Happy to help

Roger

Just a quick one:

The MMPC on Facebook and Twitter

The Microsoft Malware Protection Center (MMPC) officially launched its Facebook page . . . → Read More: Microsoft Malware Protection Center on Facebook and Twitter]]> I know, I have been fairly slow in blogging currently but I was fairly busy with a few cool projects (which I will disclose later) and – time flies if you are having fun

Just a quick one:

The MMPC on Facebook and Twitter

The Microsoft Malware Protection Center (MMPC) officially launched its Facebook page and Twitter account. From this Welcome page, you can read the latest blog posts, see the latest Twitter feeds, and find out what threats most affect your desktop.

Roger

We now just published a special Intelligence Report on this botnet:

Read an overview of the Win32/Rustock family of rootkit-enabled backdoor Trojans background, functionality, how it . . . → Read More: Special Intelligence Report on the Rustock Takedown]]> As you might remember, on Match 16th Microsoft together with other industry players was successfully able to take down the Rustock botnet and thus significantly reducing the spam level.

We now just published a special Intelligence Report on this botnet:

Read an overview of the Win32/Rustock family of rootkit-enabled backdoor Trojans background, functionality, how it works, and threat telemetry data with analysis for 2010 to May 2011. This document provides legal and technical action used to takedown the Rustock botnet and how to detect and remove the threat using Microsoft antimalware products.

You will find it here.

Roger

There is now a version 2, which is still as important as version . . . → Read More: Ten Immutable Laws Of Security (Version 2.0)]]> You might have known the 10 Immutable Laws Of Security since quite a while. It is kind of the “collected non-technical wisdom” of what we see in security respeonse being it in Microsoft Security Response Center or in our Security Product Support.

There is now a version 2, which is still as important as version 1 was. The 10 Laws are:

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it’s not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn’t practically achievable, online or offline.
Law #10: Technology is not a panacea.

Just make sure that you keep them in mind – there is no “patch” for them . The whole set of explanations can be found here: Ten Immutable Laws Of Security (Version 2.0)

Roger

So, if you want to learn more: http://technet.microsoft.com/en-us/library/cc162838.aspx

Roger