Microsoft Opens Its Security Research Cookbooks

greg65535 writes "Today Microsoft launched a blog about the internals of their IT security research and patch development process. There are already some posts that you will not find in the official security bulletins or KB articles. One of the posts says, 'We periodically identify workarounds or mitigations like this that we can't use for official guidance because they're either too nuanced or have some exception cases. When we discover something potentially useful but are uncomfortable listing it in the bulletin, we'll do our best to describe it here in this blog.' It looks like Microsoft is making an effort to become more 'open' in the area of security research and communication."

Microsoft Security Protocols

[andy314159pi]

Microsoft Opens Its Security Research Cookbooks

Chapter 1.

If someone knocks on the door, use the little peep hole.

Re:Microsoft Security Protocols

[RuBLed]

in cases where there is no peep hole, get the tower shield provided to you during the orientation...

Re:Microsoft Security Protocols

[RuBLed]

I don't know about your company, but here security = Barney-costumed QA's...

"Heyyy.. Is thaatt a bug?? Give me a hug..."

Re:Microsoft Security Protocols

Gah, at first I thought Barney from Half-Life. Then the voice made me think you were channeling the G-Man. Then I realized I was doing something wrong.

Re:Microsoft Security Protocols

No, you're not. This comment reads like a total troll for "big-ups".

Security is about the best tool for the job and it's not always the Open Source tool, with the "street cred". When you say you're an IT professional, do you by chance mean you work for a small business, supporting other small businesses, (with pirated copies of Windows)?

No one avenue is the correct choice for security. You should chose the complete set of tools from a variety of vendors, who offer total support. Good luck getting official support with tripwire on Debian.

Cisco are a proprietary vendor - are you telling me they have no quality solutions? I suppose you don't use Symantec or another vendors AV, on your client desktops? Microsoft ISA actually offers a very robust and powerful firewalling system, for exampling, allowing you to internally spoof/proxy SSL certificates to domain members so you can even inspect encrypted packets on the network. Maybe not a polite thing to do but clearly useful in some organisations.

And while we're on it, Domains... Active Directory is a security tool in itself. Locking down desktops and client machines is a key security method and AD offers about the best way to do this on the market - I suppose you use Samba and about 500 perl scripts, instead, do you?

What utter garbage...

Re:Microsoft Security Protocols

[palegray.net]

Microsoft and security? Proprietary software and security? Talk about oxymorons. When I and other computer professionals think about security, we think about powerful, open source software, not closed source solutions like Microsoft's. Am I right guys? That was actually the most fan-boyish post I have ever read on this site, in over seven years of reading, beyond any shadow of a doubt, ever. For real. I threw up a little in my mouth. No kidding.

Somewhere, even Richard Stallman is cringing.

Re:Microsoft Security Protocols

[killjoe]

>Security is about the best tool for the job and it's not always the Open Source tool,

Maybe the best tool for the job is not the open source tool but it's never the tool made by MS.

>Locking down desktops and client machines is a key security method and AD offers about the best way to do this on the market - I suppose you use Samba and about 500 perl scripts, instead, do you?

X. Look it up.

Re:Microsoft Security Protocols

[uglyduckling]

Good luck getting official support with tripwire on Debian.

Luck has nothing to do with it. Reading the extensive list of consultants categorised by country on the Debian site has everything to do with it.

Re:Microsoft Security Protocols

You're an idiot. What you're advocating is not security so much as covering your own arse - "nobody ever got fired for buying IBM^WMicrosoft^WCisco", basically.

The giveaway is, of course, the fact that you talk about "official" support for tripwire on Debian. Who cares whether support is official or not? What really matters is whether it's useful, and "official" is neither a necessary nor a sufficient precondition for that. But to answer my earlier question, there *are* people who cares: middle managers, those that are not directly in charge of actually getting things done but that still have someone above them they have to report to. For people like that (like you?), it's indeed true: nobody ever got fired for buying Cisco and an "official" support package, even when Debian and tripwire would've sufficed.

After all, if Cisco's solution fails, you can always say that Cisco was a trustworthy brand and that you paid for your superduper platinum support package and all that, and you won't get fired. If Debian+tripwire fail? Bad luck: you've got no scapegoat left to blame, so it'll be you who takes the heat.

Smart middle managers realise this, of course, so the question is - are you lying, or are you just stupid?

Re:Microsoft Security Protocols

[gallwapa]

AD the best security tool ?

HAHAHAHAHAHHAHAHAHA

You've obviously never heard of a company called "Novell".

Simple example of how different they are:

Give a person read on VOLUME_A:\USERDATA\LOCATION\DEPARTMENT\SOMETHING\SHARE at the "SHARE" folder
and they can't even see ANYTHING except that.

Using AD (NTFS rather, but since its all one "suite" and the permissions are given to domain users) you're looking at SHARE_A, SHARE_B, SHARE_C, SHARE_D

Then in SHARE_A you can see USERDATA, DISTRIBUTION, SOFTWARE, ADMINSONLY, then under USERDATA the user can see LOCATION1, LOCATION2, LOCATION3, then under department they can see DEPARTMENT_A, DEPARTMENT_B, etc.

Just a small example. eDirectory + Zenworks is far greater than AD With GPO

Re:Microsoft Security Protocols

[dave87656]

Regarding "I suppose you don't use Symantec ..."

Well, we use Symantec on two email machines we have. Even though the updates are current, these machines are constantly compromised. I understand that there is no such thing as perfect security, but the use of Windows and AV software doesn't seem to buy much except, perhaps, some time.

Kind of nifty

[Lulfas]

So it's a way of getting the nitty-gritty of issues, which won't be shown to Joe Average, who wouldn't have a clue what it was anyways? Cool.

yeah but

[User+956]

It looks like Microsoft is making an effort to become more 'open' in the area of security research and communication.

That's just because they haven't found a way to launch chairs at people through the internet.

Re:yeah but

[ubrgeek]

Yeah, good luck people agreeing to install that ActiveX control! :)

Re:yeah but

[palegray.net]

You won't have to install it; new sploits for IE will allow drive-by-chairloads.

Not now Kato you fool!!!!!

[Picass0]

Microsoft Security Research: Do you know what kind of a bomb it was?
Clouseau: The exploding kind.

Something tells me...

[ZeroSerenity]

That this will just cause more issues than help any by giving away vulnerabilities in Windows. Just me thinking.

Now its public ?

[garphik]

Don't give out new ideas.

Can we revisit the tag thing?

Why is it that people feel the need to put in 35 character long tags? Isn't that defeating the purpose of it all?

Re:Can we revisit the tag thing?

[corychristison]

I dunno what's worse:
- that there is a 35 character tag
- or that you took the time to count it

Re:Can we revisit the tag thing?

echo somereallyreallyreallylongstring | wc -c

counting is for beancounters, not bofhs ;)

Re:Can we revisit the tag thing?

[neomunk]

SHHHHH!!!!

Next you'll be giving away the secrets of the all-mighty grep (hallowed be it's name) to the masses.

Shame on you.

BAMF!

[Torodung]

Chapter 2!

An unidentified program wants to use your little peep hole.

The source and purpose of this little peep hole is unknown. Don't use the peep hole unless you have used it before or know where it's from.

CANCEL/ALLOW?

Re:BAMF!

[spec8472]

Someone is attempting to reuse an old joke on Slashdot.

Would you like to:
1. Dispatch Microsoft Anti-Fun Squad. (In Soviet Russia, anti-fun squad make joke of you!)
2. Create a beowulf cluster of these
3. ???
4. Profit!

Re:BAMF!

[cmacb]

Chapter 3

There is no Chapter 3.

Re:BAMF!

[metamorfoza]

Chapter 3. ???? Chapter 4. Profit!

Re:BAMF!

[Torodung]

Chapter 4

Declare Chapter 11.

Re:BAMF!

[jam244]

Chapter 5

???

Re:BAMF!

[Torodung]

Chapter 6

Mod your critics as trolls on Slashdot.

Re:BAMF!

[dave87656]

Excellent!

A question for Mahatma Ghandi

[knorthern+knight]

Question: Mr. Ghandi, what do you think of Microsoft security?

Answer: I think it would be a good idea.

Re:A question for Mahatma Ghandi

[protobion]

Except it's spelled "Gandhi".

Ahh...Slashdot!

[bogaboga]

It looks like Microsoft is making an effort to become more 'open' in the area of security research and communication.

It does not just look like...it definitely is the case that Microsoft *is* making an effort...not just looking like.

Question is: Who is being sensational here?

Re:Ahh...Slashdot!

[robo_mojo]

t does not just look like...it definitely is the case that Microsoft *is* making an effort...not just looking like.

That depends on what your definition of "is" is.

Re:Ahh...Slashdot!

[ozmanjusri]

it definitely is the case that Microsoft *is* making an effort...not just looking like.

A statement of intent and two example postings is "making an effort"?

You're being very generous to a company with a long history of abandoned promises and vapourware.

How about we wait and see how they perform for a few months instead of offering immediate praise?

depends on the meaning

[192939495969798999]

It looks like Microsoft is making an effort to become more 'open' in the area of security research and communication.

That depends on what the meaning of is is.

But will they release source code...

[christian.einfeldt]

...in exchange for all of the help that they get? Probably not. Seeing that most developers want their free labor to at least result in open source code, I can't imagine that this effort is going to be all that popular with the best developers.

Microsoft likes to throw around the word "open" a lot these days, but most smart people in the industry remain skeptical. Take, for example, what open standards advocate Russell Ossendryver has to say about Microsoft's supposed open OOXML format:

The legacy binary formats remain closed. If a file is one which was converted from an older format of Microsoft Office by DIS29500 and allowed to wrap the old file in xml, it remains unreadable for everyone else. OOXML is still a closed spec tied into to many proprietary formats.

So how open is open? Unless the code is considered open under OSI standards or Free under FSF guidelines, it's really still just a pig with lipstick and a dress.

Re:But will they release source code...

[El+Royo]

There are different types of open. Your point is hardly at all related to the article. Just revealing some of their process will no doubt be very useful to developers who also develop code that needs to be secured. Also, providing more details on vulnerabilities might be useful to people who are protecting corporate networks. Obviously, what you meant is that this effort won't be popular with the best developers with a chip on their shoulders.

Re:But will they release source code...

[rhenley]

it's really still just a pig with lipstick and a dress That's a funny way to spell Steve Ballmer...

Re:But will they release source code...

[nrgy]

Ugh I hate to defend Microsoft but I have to be one to disagree with you.

When I provide code for people, projects, or even companies who's software I use, I could really give a rats behind if its open source or not. Sure it would be NICE but hardly REQUIRED by me at least.

If you don't like what will be done with your free labour then don't provide it, no one is forcing you to. I like people who contribute and provide there free time, but I don't like it when those same people feel that since its so called FREE LABOUR that they can start imposing what can and should be done with there FREE LABOUR. It just doesn't work that way

Yes you are providing a service, yes it is welcome by the recipient and community, NO you shouldn't have a say in what way your contributions are disseminated because it was your choice to provide the service and no one else's.

I don't know about you but I provide my code because I want a better end product, not because I want it to be free in the open. If the code I provide will make my life easier then do with it as you will. Just because its not OPEN SOURCE like you say doesn't mean that it doesn't perform any good for the community of users for software X. Besides you wrote the stuff, unless you signed a legal waver to your code then nothing is stopping YOU from releasing it OPEN SOURCE style.

Re:But will they release source code...

[TheSkyIsPurple]

We're not all developers out here.

Personally, I'd love access to the source code so I can better determine how systems are interacting when something goes wrong with something we paid for, but it's not necessary.

Feedback like this can help open up other avenues for troubleshooting and understanding, and working with our TAM, I've had more than one instance where something we've seen has turned into a note in one of these KBs, or has caused part of a KB to not go public.

Too nuanced?

[morgan_greywolf]

There is actually another mitigating factor present here that we didn't include in the bulletin because we could not authoritatively say that it was true in every case. The vulnerable code path only executes if your machine has a primary DNS suffix. Most of the time, only domain-joined machines have a primary DNS suffix. So it would have been great to say in the bulletin: "Machines not joined to a domain are safe" but that is not 100% accurate so we did not include that. Technically, an administrator could manually set a primary DNS suffix on a non-domain-joined machine. Okay...

We periodically identify workarounds or mitigations like this that we can't use for official guidance because they're either too nuanced. How, exactly, is this 'too nuanced'? Why not just say "if your machine doesn't have a primary DNS suffix, you are not vulnerable"?

I'll tell you why...because they assume that Windows administrators are idiots. Now, I've known some stupid Windows administrators in my day, but I wouldn't go so far as to think that most of them are idiots.

Re:Too nuanced?

[TheSkyIsPurple]

I can kinda understand it though... I've had to fight off more than my share of "We should do this because Microsoft says so" from the technical management (who don't have the time to take a nuanced understanding of the issue at hand)

If they say it, thousands of customers will implement it without understanding the things that might break by removing that setting.
Then they call Microsoft for help fixing it. (Oddly enough, you'd think that would actually drive them to do this, since it would guarantee more partner hours to burn off)

(Yes, we have a parallel dev and test environment before things go production, but there is no way that blackbox testing for the scope we deal with is going to catch all of even the most glaring of issues. You have to actually know what's going on, and understand how things interact. Wanna disable the DHCP client on your statically assigned server? careful... might screw up DNS a couple weeks from now when things start expiring.)

Re:Too nuanced?

[Opportunist]

because they assume that Windows administrators are idiots

Well, they should know. They've been selling them those MSC* classes, so they know what quality they can expect...

Re:Too nuanced?

[TheLink]

It is a fair assumption, most of them aren't very smart (and why should they need to be?) and are usually ignorant.

For as long as most people are stupid and ignorant it makes sense to target the largest market ;). Works for politicians, works for Microsoft.

So you have thousands of windows administrators that can only admin say 5-10% of a single machine (they can't figure out the rest).

Whereas a skilled admin should be able to admin hundred or so windows/linux desktops, or thousands of Linux/BSD servers.

Re:Too nuanced?

[rolfc]

Most of the time, only domain-joined machines have a primary DNS suffix

I tend to set a primary DNS suffix on all my machines, windows as well as linux, seem to me that the only domains that count at Microsoft is Windows-domains. I am not surprised that they tend to break all kind of things.

Re:Too nuanced?

[emurphy42]

you'd think that would actually drive them to do this, since it would guarantee more partner hours to burn off

You're assuming they aren't already churning out as many partner hours as they have the manpower to handle.

Re:Too nuanced?

[Krishnoid]

Why not just say "if your machine doesn't have a primary DNS suffix, you are not vulnerable"?

Because you'd have to localize it in 50 different languages, and it's faster to post it once in a blog?

Re:Too nuanced?

[dilipm]

Well said on this one. I work for a Storage Major as a Support Specialist. Yesterday i had a client ask me what a "OU" (Organizational Unit) was in the Active Directory, when i asked her to change some security credentials on the OU for your CDP solution to work. Guess what her email Signature Reads "Storage Architect - Windows" :-( People like these are the ones that come around here bashing Microsoft. While Microsoft in itself is no hero in security the advancements in terms of security they made has been tremendous post the "Trustworthy Computing" initiative a few years back. As for the Initiative itself goes its very similar to the ones for Vista and IIS and Windows Server 2008 in recent days. The company feels its more ideal to work hand in hand with the developers and users who use their software day to day. Remember 70% of all Web servers that use SSH / SSL based deployments prefer IIS on windows rather than Apache whom otherwise have the majority market share. That goes to say simply that Web Admins don't trust Apache with SSL deployments on their pages. This is fact. Go goggle it and you would get truck loads of simple numbers and if you are not lost in bashing Microsoft to death then you may actually get to read some simple figures that would make some sense.

Blog tuesday!

[GrumpySimon]

Let me guess, the blog only gets updated on the second tuesday of every month?

Re:Blog tuesday!

[caferace]

Let me guess, the blog only gets updated on the second tuesday of every month?, Hahahahhahahaa. Not.

Let ME guess. You didn't actually RTFA? Did you?

We expect to post every "patch Tuesday" with technical information about the vulnerabilities being fixed. .

So what...

[krycheq]

Microsoft isn't the only one researching vulnerabilities in their products, and in fact, if it wasn't for the effort of a lot of third-party researchers uncovering vulnerabilities, Microsoft probably wouldn't make the effort that they are just now showing us and exposing to public scrutiny.

The real problem is twofold... first, denial; for so long Microsoft (as well as many other mainstream software companies) refused to admit that there was a problem and didn't spend any time or money on the problem. This is a mindset that still needs to be addressed and was never present in open-source software development. Second, the time-to-acknowledgment has to come down. Microsoft is not making vulnerabilities that they discover public knowledge in a timely fashion to allow people who use their products to address these vulnerabilities through work-arounds and other techniques, and in fact, their approach to patch development is prioritized using marketing, not security awareness, as the primary driver behind which vulnerabilities are addressed and when.

Wireshark

[cibyr]

Anyone else find it interesting that they had screenshots from Wireshark (previously known as Ethereal) on the page?

Re:Wireshark

[daveb]

It's actually a network monitor screenshot (netmon) not wireshark. They look similar but they aren't the same thing. I prefer wireshark myself, but I know a couple of people who have converted to netmon for sniffing wireless on vista

Re:Wireshark

Anyone else find it interesting that they had screenshots from Wireshark (previously known as Ethereal) on the page?

Especially as the blurb states they were NetMon captures. I suppose that technically they could have used NetMon to make the captures and Wireshark to view them, but ...

Re:Wireshark

[miffo.swe]

You know a couple of people running Vista? Thats much more interesting because every single soul i know have switched back to XP or started using Linux.

The people you know seems like real MS fanbois if they still run Vista.

Re:Wireshark

[daveb]

You must have a very limited set of contacts. Most people I know who have purchased a PC in the last year are NOT geeks. I don't know of a single person who has gone out of their way to install XP on their PC, and I would be totally blown away if any of these people installed Linux. Not a single one of them is a "fanboy" - they are your average Mum & Dad and small business who use whatever is on their PC, pretty much treating it as an appliance. THESE are the people who form the majority of computer users. And they are the reason why any IT support person needs to come to grip with Vista, because one day it will dominate just as XP dominates now (which btw was a big yawn for a few years after release)

Vista, like it's predecessors XP, Win2k ... hell go back to Win3 & Dos ... got adopted and dominated the PC space through hardware purchase NOT by people buying off the shelf and installing on a PC which had a previous OS. When the home market is saturated it seems the business world follows for the desktop. I'm not sure if there's a causal relationship there but it does seem to be a trend.

Having said that, the person I know who prefers netmon on Vista IS a geek (an IT student). She runs several Debian systems at home (desktop and servers) but prefers Vista on her laptop. Again - not a fanboy, I think she's pretty well balanced actually.

Re:Wireshark

I switched from Ethereal to Netmon on XP because I just couldn't get it to capture on some interfaces. When I got NetMon 3.0, I never looked back. It captures all the data, has parsers for every protocol I use, and is easier to use.

dom

"Uncomfortable"?

When we discover something potentially useful but are uncomfortable listing it in the bulletin... Like how to unlock DX10 on XP?

Microsoft Opens Its Security Research Cookbooks

[SeaFox]

Aren't Easy-Bake Ovens fun!

Re:Microsoft Opens Its Security Research Cookbooks

[Opportunist]

I'd be wary of EZ-Bake ovens that work akin to "push a few buttons and sometimes it just randomly blows up". Outside of KOL, that is.

Patience...

[this+great+guy]

I am still working on a draft of CTP - Chair Transmission Protocol

Openness

[jeffmock]

It makes me so glad that anyone can read the source code for the OS I use. I don't know how I would get by if one company was the only trusted agent to decide whether some issue was too "nuanced" for me to know about. I don't know how people get through the day running that stuff.

Re:Openness

Fuck you.
Go to Red Hat or Ubuntu's security updated page, and you see dozens and dozens of security updates over 2007, 2006, 2005, etc. And of all those, I bet my right nut (that's right, I said the "right nut", not the "left" one that most people bet, that's how confident I am) that you've read the corresponding source code to exactly ZERO of those bugs. So get off your high horse and STFU, idiot.

Lemme fix that for you...

[fabu10u$]

"It looks like Microsoft is making an effort to appear more 'open' in the area of security research and communication."

Microsoft defines all "research" as?

[AHuxley]

Marketing.
MS can fool you into spending your free time on its blogs.
Microsoft Security Research: the first book is free.

Warning: If you hit cancel

you may be eaten by a Grue.

Abort, Retry, Ignore?

Re:Efforts and real change.

[willyhill]

Except that creative spelling and the ever-dreadful "convert now or fall forever" attitude will never yield anything meaningful.

The virtues of knowing what you are talking about

It looks like Microsoft is making an effort to become more 'open' in the area of security research and communication.

It looks like someone has never read MS's TechNet anytime in the past 10+ years. MS has always been very open about these things, and between MSDN and TechNet, there's hardly anything I've needed to know which wasn't readily available.

Now if I were to actually have a valid complaint, I'd talk about how difficult it can sometimes be to search through that information. I've sometimes spent literally hours reading through search results, and it never seems like refining the search improves the results. But, MS has something in beta right now which is supposed to improve that- I haven't used it yet, however, so can't say how good it is.

And we care why?

So, the company that created the largest security problem in the world due to ad-hoc coding and lack of architecture wants to share its security lab secrets?
C'mon... we all know why windows is insecure; how about just fixing it in a user-livable manner like every other OS has done?

Microsoft Security and Patch Process

[tristian_was_here]

Security hole discovered:
Step 1 - Say Open Source Software is insecure and mock Linux
Step 2 - Think about security hole
Step 3 - Promise fix will be done in next service pack
Step 4 - Mock Linux a bit more and claim open source is comunism
**** 5 Months later security fix

Small correction..

[Sam+the+Nemesis]

Not being anal, but it is Gandhi and not Ghandi

Re:Small correction..

[Krishnoid]

But in all fairness, to be anal-retentive, it's anal-retentive.

New Comments to this post are disabled.....

[hydertech]

What a COMMUNITY! I log into the new MS R&D Blog and I cannot read the comments nor can I post.

Jesus.

MOD PARENT FUNNY Re:Microsoft Security Protocols

[asuffield]

Microsoft ISA actually offers a very robust and powerful firewalling system, for exampling, allowing you to internally spoof/proxy SSL certificates to domain members so you can even inspect encrypted packets on the network.

Quoted for hilarity. Up to that point I thought your post was actually serious. Haven't seen a punchline that good in ages.

The reason we are insecure in the internet

[JackMeyhoff]

Because most connections are in the clear and unencrypted. If you encrypt, you would be much more secure. Period.

some little trolling

Interesting if 5 years late...

Re:MOD PARENT FUNNY Re:Microsoft Security Protocol

Microsoft ISA actually offers a very robust and powerful firewalling system, for exampling, allowing you to internally spoof/proxy SSL certificates to domain members so you can even inspect encrypted packets on the network.

Quoted for hilarity. Up to that point I thought your post was actually serious. Haven't seen a punchline that good in ages.

Which part to you find humorous? The spoof/proxy of SSL certificates? Do you think it can't be done when every machine on your network trusts a CA root that you control?

Microsoft ISA is bloated and not easy to configure without careful reading, but it does do the job it is intended for.

Why...

[AZScotsman]

Why does MS's "Security Cookbook" look like an 8-Ball with a little window in the bottom?

Re:MOD PARENT FUNNY Re:Microsoft Security Protocol

[t0rkm3]

Microsoft ISA is bloated and not easy to configure without careful reading, but it does do the job it is intended for poorly Fixed that for ya... There are good SSL proxies out there. ISA is not one of them.

Have you learned your lesson yet?

Dear Twitter/Erris/$NEW_SOCKPUPPET_WE_HAVE_NOT_DISCOVERED_YET

Slashdot is probably the most sympathetic forum you'll ever find for your deranged ranting and raving. And you've buried not one, but two accounts in Karma Hell.

I'm sure you were preparing your usual "M$ astroturfers" defense, so consider this: Nobody is modding your "I Hate Microsoft" posts up. If your Slashdot accounts were the battleground between the Paid Microsoft Shills and the True Warriors of Linux, as you have deluded yourself into believing, then somebody, somewhere, would be throwing an Insightful or Informative your way. But they're not.

I've never been ostracized by my own kind before. How does it feel?

Maybe now, you'll learn that the message isn't enough. It's how you send the message that truly counts.

You Lose Again.

Ha ha, fuck you for thinking you can control public opinion and expression. M$ executives deserve more than derision, they deserve jail time. Your little modpoint games are as worthless as the way you are spending your life. Suck it up as your employers flog you for yet another failure to make the internet safe for their failures. Their loss of control and public mind share is a reality you can't change for them.

Securitry Research

[jesse285]

Thank God that there is someone on our side in this, the little peoples, who don't have all the money, it make me feel good that freedom is working.