Threats in a Blender, and Other Raisons d'être


Handle:
k8e

IRL:
Katie Moussouris

Rank:
Senior Security Program Manager

Likes:
Cool vulns (responsibly disclosed of course), girls with soldering irons, Spanish tapas, quantum teleportation

Dislikes:
Rudeness, socks-n-sandals, licorice

There are times when one must look toward the best interests of the customers above any competitive strategies.  Security is one of those themes that has the power to unite teams across company boundaries.  As the EcoStrat team builds and strengthens relationships with researchers and partners, we are sometimes faced with unique challenges that we’ve never encountered before.

In the days of the big worms, we as a company and an industry had to rise to the occasion. Today our challenges have evolved, and are a great deal more complex. As we as a collective industry rise to the occasion once again, our awareness and response must evolve as well.

Enter the dawn of the Blended Threat. Mix one part third-party vulnerability with one part Microsoft vulnerability (and blend over ice) – it sounds like a drink vying to replace the Mojito.

It’s not like these types of threats didn’t exist before, but much like format string vulnerabilities that had been lurking in code for years, no one had been talking much about blended threats in a widespread way – until now. Sure, AV vendors used the term, but they were speaking of malware displaying multiple characteristics and using several techniques to achieve its goals. We’re talking about a single severe vulnerability that is composed of two or more less severe vulnerabilities, each of which would be a minor issue on its own.

It started not with a bang, but with a whisper: two researchers independently reported two low/moderate severity issues, one to each of two separate companies. On its own, each issue seemed to the company that received it to be relatively low-risk. But the researcher who reported the issue to us thought of combining the two vulnerabilities to allow remote code execution.

In a historic collaboration, both companies came together against our common enemy: security threats. Microsoft Security Advisory 953818 was born of this blended threat, and the Ecosystem Strategy Team was there with a new initiative, announced today at Black Hat: Microsoft Vulnerability Research (MSVR).

Microsoft Vulnerability Research was created as part of the evolution of Microsoft Trustworthy Computing’s work in Security Response, SDL and Security Science. This program is one of the company’s many efforts to improve the security not only of Windows, but of the entire Windows ecosystem, by responsibly researching vulnerabilities in the third-party software most commonly used by Windows customers. While the vulnerabilities will usually come from original research at Microsoft, the program will also handle third-party vulnerability coordination for blended threats reported to us by responsible researchers, as was the case with Microsoft Security Advisory 953818.

So what's really news here? If we've been practicing responsible disclosure for years, why are we making a big deal about it now? Well, think about when you've performed a penetration test on a company's application and you happen to find a vulnerability in the underlying commercial database. That's traditionally how we used to find third-party vulnerabilities: incidentally, in the course of our normal security work. Now, with MSVR, we're expanding our security research focus to specifically look for third-party vulnerabilities.

The MSVR program will formalize the company’s responsible disclosure efforts: working directly with affected vendors, confidentially providing them specific vulnerability information, and helping them to create updates.

So in the case of this recent blended threat, MSVR allowed us, together with teams across Microsoft and externally, to coordinate with the finders and across both companies to ensure the best possible outcome for our mutual customers. Technical contacts, PR contacts: all were involved in this effort. It was new ground for all parties, as we had never before attempted a joint response to a mutual security threat born of smaller vulnerabilities in each of our products.

We are often asked what our team does. This is part of it. We are the ones who can fast-track security responses that affect not just our users, but users of other people's software, making a significant impact on the safety of the entire Windows ecosystem. We help make the impossible possible. We do it with a *lot* of help from our friends, and some from our rivals. One thing is certain: while this incident may have been the first, it will not go down in history as the last. Blended threats are the new black. And we will all collectively have to become the new Chuck Norris.

Like the countries of the world uniting against a hostile alien invasion, we of all people understand that we can't do it alone.  We rely on the kindness of researchers, competitors, partners, and strangers to make it all come together to help us secure our ecosystem. We are irrevocably intertwined, and so the threats that face us all are blended by their very nature.

My name is Katie Moussouris, and if I am Leia, the security ecosystem is my Obi-Wan Kenobi.

Help us, Obi-Wan Kenobi, you're our only hope.

For my final thoughts on Black Hat and more, come join me at https://twitter.com/k8em0.

*Postings are provided "AS IS" with no warranties, and confer no rights.*