If you happen to work at a company that produces lots of different products, you may not only be looking for bugs in your own code, but also in other vendors’ products as well
I’ll show you how it’s possible to have a coordinated approach to getting bugs fixed outside your company, which is especially valuable if your platform supports or relies on them
High level of what we’re doing now
David is working on new ways to handle authentication that don’t depend on humans generating and remembering text for their security
MSVR is a program within Microsoft that handles bugs in non-Microsoft software
Bugs are usually found and submitted by security researchers at Microsoft across the divisions and this program coordinates fixes and advisories with the third-party vendors
More on this later
Reference for Reader+Java remark = SIR
Example: Subtle bug in BIND DNS Server that could affect Microsoft DNS Server
Reference: “Microsoft Vulnerability Research: Playing Well with Others Since 2009”
This is not about trying to force companies or researchers to work with us, but rather make sure we also live up to Microsoft’s standards and work to make everyone involved happy
Not complete but gives you a picture of the circumstances in which we tend to find vulnerabilities
Key point: it is okay to use company resources and tools to find vulnerabilities on company time, as long as you also do your job
Bugs that are below the bar still have some requirements (see later slide) but MSVR doesn’t have resources to help report them.
CVD ensures the vendor is notified and given a reasonable amount of time to fix
CVD requirement is actually in our employee handbook
Also logged in a tracking database
Or send a mail to msvr@Microsoft
Qualifying bug = high enough severity, Microsoft platform
We don’t want to waste others’ time with incorrect or nonspecific reports
If the bug is a design flaw, maybe you have an idea to design it better
Human error doesn’t really qualify here
Hypothetical example
Lots of legwork here
Optional for MSVR
The finder always has an option to release their own content too, as long as the vendor has patched
The idea here is to attract attention to noteworthy vulnerabilities that may not otherwise attract it. E.g. we may not need to do an advisory for an Adobe issue because it’s something everyone already knows about (unless it’s under attack), nor an advisory for an XSS flaw where there’s no user action, but might do one for a vuln in a common piece of software that isn’t often patched.
There’s a tension between wanting to avoid warning the world when the danger isn’t that high, while still wanting to provide credit to your people. Having two advisory forms lets us do both.
http://technet.microsoft.com/en-us/security/msvr/msvr12-017
This is one of the tools we use in MMPC (Microsoft Malware Protection Center) to analyze and visualize file formats
Partial paste of PoC adjusted from a fuzzer-mutated OVF file
The xmlns:ovf envelope attribute is malformed; instead of pointing to the OVF schema URL, it’s full of %p’s, which, when interpreted by a function that takes format specifiers, will print values as pointers
Their team likely has access to internal knowledge about BB products, so they could see further than we could on if this was an issue or not
Thanks BlackBerry Security team!
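As an added illustration of the defect class behind the OVF case above (not code from the original talk or from the affected product), the C snippet below contrasts the vulnerable pattern, an attribute value used directly as a printf-style format string, with the hardened form, where the attribute is only ever passed as a %s argument. The namespace strings, the function names and the counting helper are all constructed for this example; the counter is the kind of cheap check a parser or fuzz harness can apply to flag attribute values that carry conversion specifiers where a URI is expected.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample attribute values for the example. GOOD_NS is the shape of a
   normal OVF envelope namespace URI; BAD_NS mimics a fuzzer-mutated value. */
static const char *GOOD_NS = "http://schemas.dmtf.org/ovf/envelope/1";
static const char *BAD_NS  = "%p%p%p%p%p%p%p%p";

/* Vulnerable pattern (shown only as a comment, deliberately not compiled in):
 *
 *     snprintf(buf, sizeof buf, ns);   // ns is attacker-controlled and becomes
 *                                      // the format string: each %p consumes a
 *                                      // vararg slot and prints a raw pointer
 */

/* Hardened pattern: the format string is a compile-time literal and the
   untrusted value is only a %s argument, so "%p" in ns is printed verbatim. */
static int log_namespace_safe(char *out, size_t outlen, const char *ns) {
    return snprintf(out, outlen, "ovf envelope namespace: %s", ns);
}

/* Returns 1 if the hardened logger reproduced ns literally (no specifier was
   interpreted), 0 otherwise. Used by the test below. */
static int safe_log_keeps_literal(const char *ns) {
    char out[256];
    log_namespace_safe(out, sizeof out, ns);
    return strstr(out, ns) != NULL;
}

/* Count printf conversion specifiers in an attribute value. A legitimate
   namespace URI contains none; a mutated value full of %p contains many.
   "%%" is a literal percent sign and is not counted. */
static int count_format_specifiers(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped literal '%' */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void) {
    char out[256];
    log_namespace_safe(out, sizeof out, BAD_NS);
    printf("%s\n", out);
    printf("specifiers in GOOD_NS: %d\n", count_format_specifiers(GOOD_NS));
    printf("specifiers in BAD_NS:  %d\n", count_format_specifiers(BAD_NS));
    return 0;
}
```

The general rule this demonstrates is that any printf-family call (printf, syslog, fprintf, snprintf) must get its format from a literal; compilers flag the vulnerable form with -Wformat-security, which is worth enabling as an error in any codebase that parses vendor-supplied file formats.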
Why use your own program instead of brokers?
Maybe your company has some great resources you can utilize to make bug hunting more interesting and efficient
If we all do this it’s good for everyone. Even if we don’t all do it, it’s still good just for you.
We understand complex software and know which fixes should and should not take a long time