Page 1

Microsoft Security Strategy

David Aucsmith
Architect and CTO, Security Business & Technology Unit
Microsoft Corporation

Page 2

Session Outline

The World Today
- Threats
- Bad Guys
How We Got There
- Legacy
- Crime
Evolving the Solution
- Security Strategy
A Look Ahead

Page 3

Vulnerability Timeline

(figure) Phases along the timeline: Undiscovered; Vulnerability Discovered; Correction; Packaging; Customer Testing / Deployment. Milestones: Software Ship; Component Fixed; Customer Fix Available; Fix Deployed. Other labels: Responsible Disclosure; Early Disclosure; Experimentation; Vulnerability Disclosed; Module Gap; Actual Vulnerability To Attack.
Annotations: "Rarely discovered"; "Attacks occur here"; "Why does this gap exist?"

Page 4

Vulnerability Timeline

(figure) Same vulnerability-timeline figure as the previous slide, with the days from patch to exploit for four worms:
Nimda: 331
SQL Slammer: 180
Welchia/Nachi: 151
Blaster: 25

Days between patch and exploit have decreased so that patching is not a defense in large organizations.
Average 6 days for patch to be reverse engineered to identify vulnerability.
Source: Microsoft

Page 5

The Forensics Of A Virus

Blaster shows the complex interplay between security researchers, software companies, and hackers.

July 1 - Report: vulnerability in RPC/DCOM reported. MS activated highest level emergency response process. (Vulnerability reported to us / patch in progress.)
July 16 - Bulletin: MS03-026 delivered to customers (7/16/03). Continued outreach to analysts, press, community, partners, government agencies. (Bulletin & patch available; no exploit.)
July 25 - Exploit: X-focus (Chinese group) published exploit tool. MS heightened efforts to get information to customers. (Exploit code in public.)
Aug 11 - Worm: Blaster worm discovered; variants and other viruses hit simultaneously (i.e. "SoBig"). (Worm in the world.)

Source: Microsoft

Page 6

Understanding The Landscape

(figure) Motivation axis: National Interest; Personal Gain; Personal Fame; Curiosity.
Attacker skill: Script-Kiddy; Hobbyist; Hacker; Expert; Specialist.
Roles: Vandal; Thief; Spy; Trespasser; Author.
Notes on the figure: "Tools created by experts now used by less skilled attackers and criminals"; "Fastest growing segment".

Page 7

Honey Pot Projects

Six computers attached to Internet
- Different versions of Windows, Linux and Mac OS
Over the course of one week
- Machines were scanned 46,255 times
- 4,892 direct attacks
No up-to-date, patched operating systems succumbed to a single attack
All down-rev systems were compromised
- Windows XP with no patches: infested in 18 minutes by Blaster and Sasser; within an hour it became a "bot"
Source: StillSecure, see http://www.denverpost.com/Stories/0,1413,36~33~2735094,00.html

Page 8

Legacy

(figure) Timeline from 1990 to 2005.
Then: 16-bit 100 MHz processor, 10 GByte disk, 20 MByte RAM, CD drive, 13" VGA monitor. Windows 95, FAT FS, IPX and NetBIOS, open networking.
Now: 32-bit 2.5 GHz processor, 250 GByte disk, 3 GByte RAM, DVD R/W drive, 21" digital monitor. Windows XP SP2, ICF, USB, UPnP, Windows Update.
Legacy creates security issues.

Page 9

Keeping It In Perspective

The security kernel of Windows NT was written:
- Before there was a World Wide Web
- Before TCP/IP was the default communications protocol
The security kernel of Windows Server 2003 was written:
- Before buffer overflow tool kits were available
- Before Web Services were widely deployed

Page 10

Spam

Mass unsolicited email
- For commerce: direct mail advertisement
- For Web traffic: artificially generated Web traffic
- Harassment
- For fraud: phishing, identity theft, credential theft

Page 11

An Affiliates Program

"Our first program pays you $0.50 for every validated free-trial registrant your website sends to [bleep]. Commissions are quick and easy because we pay you when people sign up for our three-day free-trial. Since [bleep] doesn't require a credit card number or outside verification service to use the free trial, generating revenue is a snap.

The second program we offer is our pay per sign-up plan. This program allows you to earn a percentage on every converted (paying) member who joins [bleep]. You could make up to 60% of each membership fee from people you direct to join the site.

Lastly, [bleep] offers a two tier program in addition to our other plans. If you successfully refer another webmaster to our site and they open an affiliate account, you begin earning money from their traffic as well! The second tier pays $0.02 per free-trial registrant or up to 3% of their sign-ups."

Key Points
- $0.50 for every validated free-trial registrant
- 60% of each membership fee

Page 12

Do The Math

SoBig spammed over 100 million inboxes
If 10% read the mail and clicked the link = 10 million people
If 1% of people who went to site signed up for 3-day free trial = (100,000 people) x ($0.50) = $50,000
If 1% of free trials sign up for 1 year = (1,000 people) x ($144/yr) = $144,000/yr

Page 13

Phishing

Faking: an e-mail that seems to be from a legitimate source
Spoofing: a Web site that appears to be "official"
Phishing: luring users to provide sensitive data

Page 14

Phishing

Page 15

MSN Billing Phishing Case

1. MS filed John Doe lawsuit in WA
2. Issued subpoenas to web hosts in CA
3. Subpoenas identified ISP in Austria
4. Austrian ISP identified IP address registered to Qwest in the US
5. Subpoena to Qwest and investigations identified Jayson Harris in Iowa, US
6. Referred to FBI and obtained $3 million Default Judgment

Page 16

Phishing Impact

Most people are spoofed: over 60% have visited a fake or spoofed site
People are tricked: over 15% admit to having provided personal data
Target for spoofing attacks: banks, credit card companies, Web retailers, online auctions (E-bay) and mortgage companies
Economic loss for a small number of people: slightly more than 2%; average cost of $115
Source: TRUSTe

Page 17

Phishing Statistics

Active phishing sites in February: 2625
Average monthly growth rate: 28%
Number of hijacked brands: 64
Average time online for site: 5.7 days
Longest time online for site: 30 days

(chart) Active Phishing Sites by Week, November 04 to February 05 (weeks 1 to 17 on the x-axis; 0 to 1000 sites on the y-axis).
Source: APWG February 2005

Page 18

Spyware

Software that collects personal information from you without your knowledge or permission.

Privacy
- 15 percent of enterprise PCs have a keylogger (Source: Webroot's SpyAudit)
- Number of keyloggers jumped three-fold in 12 months (Source: Sophos)
Reliability
- Microsoft Watson: ~50% of crashes caused by spyware
Support Costs
- Dell, HP, IBM: spyware causes ~30% of calls
- Estimated support costs at $2.5m+ / year

Page 19

Root Kits

Growth in the root kit population
- Technical challenge in the community
- Defeats current anti-spyware products
- Financial motivation to support adware and spyware
Takes several hours to walk customer through removal & recovery
Ongoing support cost for Microsoft is high
- http://support.microsoft.com/?id=894278
- More than 12 steps for safe-mode removal!
- Can no longer detect the latest version of LODMEDUD_A
- New malicious drivers moving to boot drivers

Page 20

February 2005 OCA snapshot

Driver | Characteristic | Instance count | %
Delprot.sys | Deletion protection for iSearch adware/spyware. | 81870 | 1.03%
"LoadMeDude" (TROJ_LODMEDUD_A) | Randomly named driver that hides processes, registry, files. Auto-update capability. Bundled with Comedy Central adware/spyware. | 25496 | 0.32%
winik.sys | Protects CommonName adware/spyware. | 13583 | 0.17%
iesprt.sys (TROJ_BANKER.W) | Steals banking passwords. | 2386 | 0.03%
Hxdefdrv.sys ("Hacker Defender") | Public domain source rootkit. Resource hiding and backdoor capability. | 1323 | 0.02%

Page 21

OCA: 3 Spyware Bundled Drivers

Page 22

Bots

Bot Ecosystem
- Bots
- Botnets
- Control channels
- Herders

It began in mass with MyDoom.A
- Eight days after MyDoom.A hit the Internet
- Scanned for the back door left by the worm
- Installed Trojan horse called Mitglieder
- Then used those systems as their spam engines
- Millions of computers across the Internet were now for sale to the underground spam community

Page 23

Bot-Nets Tracked (3 Sep 2004 snapshot)

Age (days) | Name | Server | MaxSize
02.00 | nubela.net | dns.nubela.net | 10725
10.94 | winnt.bigmoney.biz (randex) | winnt.bigmoney.biz | 2393
09.66 | PS 7835 - y.eliteirc.co.uk | y.eliteirc.co.uk | 2061
09.13 | y.stefanjagger.co.uk (#y) | y.stefanjagger.co.uk | 1832
03.10 | ganjahaze.com | ganjahaze.com | 1507
01.04 | PS 8049 - 1.j00g0t0wn3d.net | 1.j00g0t0wn3d.net | 3689
10.93 | pub.isonert.net | pub.isonert.net | 537
08.07 | irc.brokenirc.net | irc.brokenirc.net | 649
01.02 | PS 8048 - grabit.zapto.org | grabit.zapto.org | 62
10.34 | dark.naksha.net | dark.naksha.net | UNK
08.96 | PS 7865 - lsd.25u.com | lsd.25u.com | UNK
UNK | PS ? - 69.64.38.221 | 69.64.38.221 | UNK

Page 24

In The News

Botnet with 10,000 Machines Shut Down (Sept 8, 2004)
"A huge IRC "botnet" controlling more than 10,000 machines has been shut down by the security staff of Norwegian provider Telenor, according to the Internet Storm Center. The discovery confirms beliefs about the growth of botnets, which were cited in the recent distributed denial of service (DDoS) attack upon Akamai and DoubleClick that sparked broader web site outages. [...]"
http://news.netcraft.com/archives/2004/09/08/botnet_with_10000_machines_shut_down.html

FBI busts alleged DDoS Mafia (Aug 26, 2004)
"A Massachusetts businessman allegedly paid members of the computer underground to launch organized, crippling distributed denial of service (DDoS) attacks against three of his competitors [...]"
http://www.securityfocus.com/news/9411

Page 25

Payloads

- Keystroke loggers for stealing CC, PII
- SYN or application flooding code, used for DDoS
  - DDoS has been used many times
  - Including public attacks against Microsoft.com
- Spam relays – 70-80% of all spam (Source: SpecialHam.com, Spamforum.biz)
- Piracy
- Future features

Page 26

Botnet Damage Potential

10,000-member botnet

Attack | Requests/bot | Botnet Total | Resource exhausted
Bandwidth flood (uplink) | 186 kbps | 1.86 Gbps | T1, T3, OC-3, OC-12
Bandwidth flood (downlink) | 450 kbps | 4.5 Gbps | T1, T3, OC-3, OC-12, OC-48 (2.488 Gbps); 50% of Taiwan/US backbone
Syn flood | 450 SYNs/sec | 4.5M SYN/sec | 4 dedicated Cisco Guard (@$90k) OR 20 tuned servers
Static http get (cached) | 93/sec | 929,000/sec | 15 servers
Dynamic http get | 93/sec | 929,000/sec | 310 servers
SSL handshake | 10/sec | 100,000/sec | 167 servers

September 2004 postings to SpecialHam.com, Spamforum.biz:

> $350.00/weekly - $1,000/monthly (USD)
> Type of service: Exclusive (One slot only)
> Always Online: 5,000 - 6,000
> Updated every: 10 minutes

> $220.00/weekly - $800.00/monthly (USD)
> Type of service: Shared (4 slots)
> Always Online: 9,000 - 10,000
> Updated every: 5 minutes
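The damage-potential table scales a per-bot rate by the size of the botnet and names what that aggregate would exhaust. The calculator below is an added example, not material from the deck: it does the same arithmetic for any botnet size so a defender can size links and server pools against it. The per-bot rates and the 10,000-bot size are the slide's; the link rates are the standard T1, T3 and OC line rates; the per-server capacities (`SERVER_CAPACITY_PER_SEC`) are assumptions back-derived from the slide's server counts and are not from the deck.

```python
"""Botnet damage-potential calculator (added example; not from the deck)."""
import math

BOTNET_SIZE = 10_000  # the slide's 10,000-member botnet

# Standard line rates in kbps: T1 1.544 Mbps, T3 44.736 Mbps, OC-3 155.52 Mbps,
# OC-12 622.08 Mbps, OC-48 2.48832 Gbps.
LINK_CAPACITY_KBPS = {
    "T1": 1_544,
    "T3": 44_736,
    "OC-3": 155_520,
    "OC-12": 622_080,
    "OC-48": 2_488_320,
}

# ASSUMPTION: per-server handling capacity in requests per second, chosen so
# that the slide's server counts fall out. Real figures depend on the hardware.
SERVER_CAPACITY_PER_SEC = {
    "SYN flood (tuned server)": 225_000,
    "Static HTTP GET (cached)": 62_000,
    "Dynamic HTTP GET": 3_000,
    "SSL handshake": 600,
}


def aggregate(per_bot: float, bots: int = BOTNET_SIZE) -> float:
    """Botnet total = per-bot rate x number of bots (same unit as per_bot)."""
    return per_bot * bots


def links_exhausted(per_bot_kbps: float, bots: int = BOTNET_SIZE) -> list:
    """Links whose capacity is below the botnet's aggregate bandwidth."""
    total = aggregate(per_bot_kbps, bots)
    return [name for name, cap in LINK_CAPACITY_KBPS.items() if total > cap]


def servers_needed(attack: str, per_bot_rps: float, bots: int = BOTNET_SIZE) -> int:
    """Servers required to absorb the aggregate request rate for one attack type."""
    total = aggregate(per_bot_rps, bots)
    return math.ceil(total / SERVER_CAPACITY_PER_SEC[attack])


def damage_table(bots: int = BOTNET_SIZE) -> dict:
    """Rebuild the slide's rows for a botnet of the given size."""
    return {
        "Bandwidth flood (uplink), 186 kbps/bot": links_exhausted(186, bots),
        "Bandwidth flood (downlink), 450 kbps/bot": links_exhausted(450, bots),
        "SYN flood, 450/s/bot (tuned servers)": servers_needed("SYN flood (tuned server)", 450, bots),
        "Static HTTP GET (cached), 93/s/bot": servers_needed("Static HTTP GET (cached)", 93, bots),
        "Dynamic HTTP GET, 93/s/bot": servers_needed("Dynamic HTTP GET", 93, bots),
        "SSL handshake, 10/s/bot": servers_needed("SSL handshake", 10, bots),
    }


if __name__ == "__main__":
    for row, result in damage_table().items():
        print(f"{row:44} -> {result}")
```

Running it reproduces the slide's rows (the slide's 929,000/sec is 93 x 10,000 rounded). Changing `BOTNET_SIZE` or the assumed per-server figures re-derives how much link or server capacity a given botnet can saturate, which is the sizing question a defender actually has to answer.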

Page 27

Page 28
Page 29

Microsoft Windows AntiSpyware

- Global SpyNet™ community helps identify new spyware
- Automatic signature downloads keep you up-to-date
- Spyware removal reduces PC slow down, pop-up ads, and more
- Scheduled scans help maintain PC security and privacy
- Continuous protection guards 50+ ways spyware gets on a PC
- Intelligent alerts handle spyware based on your preferences

Page 30

- Updated monthly to remove prevalent malware
- Targeted at consumers without antivirus
- Enterprise deployable as part of a defense-in-depth strategy
- Available through: Windows Update, Auto Update, online interface, MS Download Center

Complements traditional Antivirus technologies by providing one tool that removes prevalent viruses and worms from a PC.

Page 31

Cleaner Statistics (as of 11 March 2005)

Release | Days Live | Executions | Disinfections | %
January | 28 | 124,613,632 | 239,197 | 0.1920%
February | 28 | 118,209,670 | 351,135 | 0.2970%
March | 5 | 84,013,460 | 149,981 | 0.1785%
Total | 61 | 326,836,762 | 740,313 | 0.2265%

(chart) Machines Cleaned (log scale, 1 to 1,000,000) against Malware per Machine (1 to 9).
Source: Microsoft

Page 32

Evolving the Solution

Page 33

Engineering Process

- Automated triggering of QA processes on fix check-ins
- Focus on good non-code solutions where risk is high
- Reduction of 'encompassed fixes': use of oldest possible versions of dependent files
- 'Dual Tree' versus 'Single Tree' servicing model
- Increase application compatibility: increased the number of applications tested; expanded prescriptive documentation on tested applications
- Broader pre-release testing: Microsoft: Desktop 10k+, Server 100+ (various roles); testing guidance produced along with beta versions

Page 34

(figure) Update channels, Today versus 2005.
Today: Windows Update ("Windows only"), AutoUpdate, SUS ("Windows only"), SMS, Office Update, VS Update, Download Center.
2005: "Microsoft Update" (Windows Update), Windows Update Services, SMS, each labelled "Windows, SQL, Exchange, Office…".

Page 35

Page 36

Authentication

Page 37

Page 38

Genesis Of Security Vulnerabilities

(figure) Two sets, Intended Behavior and Actual Behavior, with the labels Traditional Bugs and Most Security Bugs.

Page 39

Threat Modeling Process

- Create model of app (DFD, UML etc)
- Categorize threats to each tree node with STRIDE: Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, Elevation of Privilege
- Build threat tree
- Rank threats with DREAD: Damage potential, Reproducibility, Exploitability, Affected Users, Discoverability

Page 40

(figure) Example threat tree for DFD node "1.2.1 Parse Request": each Threat (Goal) is tagged with its STRIDE category and a DREAD rating, and beneath it sit Subthreats and Conditions.
Key: Threat; Subthreat; Condition; STRIDE; DREAD.
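The STRIDE/DREAD process on the two preceding slides, worked through in code. This is an added example, not material from the deck: the threat-tree data structure, the sample threats for the "1.2.1 Parse Request" node and their ratings are constructed, and the scoring convention (each DREAD factor rated 1 to 10, risk score = mean of the five) is an assumption, since the deck names the factors but not the scale.

```python
"""STRIDE categorisation and DREAD ranking of a threat tree (added example; not from the deck)."""
from dataclasses import dataclass, field
from statistics import mean

# STRIDE categories as listed in the threat-modelling process on the slide.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# DREAD factors in the slide's order. ASSUMPTION: each factor is rated 1..10
# and the risk score is the mean of the five ratings.
DREAD_FACTORS = ("Damage potential", "Reproducibility", "Exploitability",
                 "Affected users", "Discoverability")


@dataclass
class Threat:
    """One node of the threat tree: a goal against a DFD element, its STRIDE
    category, its DREAD ratings and the conditions (sub-threats) it needs."""
    node: str                        # DFD element, e.g. "1.2.1 Parse Request"
    goal: str
    stride: str                      # one letter from STRIDE
    dread: tuple                     # five ints in DREAD_FACTORS order
    conditions: list = field(default_factory=list)

    def __post_init__(self):
        # Reject malformed entries early so a bad model cannot silently rank low.
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        if len(self.dread) != len(DREAD_FACTORS) or not all(1 <= r <= 10 for r in self.dread):
            raise ValueError("DREAD needs five ratings in the range 1..10")

    def score(self) -> float:
        """DREAD risk score: mean of the five ratings (assumed convention)."""
        return round(mean(self.dread), 2)


def rank_threats(threats):
    """Threats ordered highest risk first, as (score, node, category, goal)."""
    ranked = sorted(threats, key=lambda t: t.score(), reverse=True)
    return [(t.score(), t.node, STRIDE[t.stride], t.goal) for t in ranked]


def by_category(threats):
    """Count threats per STRIDE category so uncovered categories stand out."""
    counts = {name: 0 for name in STRIDE.values()}
    for t in threats:
        counts[STRIDE[t.stride]] += 1
    return counts


# Constructed sample model for the "1.2.1 Parse Request" node on the slide.
# Goals, conditions and ratings are illustrative, not from the deck.
SAMPLE_THREATS = [
    Threat("1.2.1 Parse Request", "Oversized request overruns the parse buffer",
           "T", (8, 9, 7, 10, 8),
           conditions=["No length limit on the request line", "Fixed-size stack buffer"]),
    Threat("1.2.1 Parse Request", "Malformed request makes the parser loop forever",
           "D", (5, 9, 8, 10, 6)),
    Threat("1.2.1 Parse Request", "Parser error message reveals internal paths",
           "I", (3, 8, 6, 5, 7)),
    Threat("1.2.1 Parse Request", "Request log entry can be forged by the client",
           "R", (4, 6, 5, 4, 3)),
]

if __name__ == "__main__":
    for score, node, category, goal in rank_threats(SAMPLE_THREATS):
        print(f"{score:5.2f}  {node:22}  {category:24}  {goal}")
    print(by_category(SAMPLE_THREATS))
```

The ranking is what drives the fix order; the per-category count is the cheap sanity check that a tree node was not only ever assessed for one kind of threat (here Spoofing and Elevation of Privilege have no entries, which a reviewer would query before signing the model off).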

Page 41

Process To Date: Windows Server 2003

Design Phase
- 10,000 engineers trained
- 180 threat models completed
- 25 services not installed/off by default
- 20 services running in lower privilege

Page 42

Process To Date: Windows Server 2003

Design Phase, then Push Phase
- 8,500 engineers review code
- 10 weeks of focused effort
- 150 security changes
- $200M estimated cost

Page 43

SD3 At Work – MS03-007

The underlying DLL (NTDLL.DLL) not vulnerable: code made more conservative during Security Push.
Even if it was vulnerable: IIS 6.0 not running by default on Windows Server 2003.
Even if it was running: IIS 6.0 doesn't have WebDAV enabled by default.
Even if it did have WebDAV enabled: maximum URL length in IIS 6.0 is 16kb by default (>64kb needed).
Even if the buffer was large enough: process halts rather than executes malicious code, due to buffer-overrun detection code (-GS).
Even if there was an exploitable buffer overrun: would have occurred in w3wp.exe, which is now running as 'network service'.

Page 44

Source: Microsoft Security Bulletin Search

Page 45

Page 46

Guidance and training
- Security Guidance Center
- Free training for over 500K IT professionals
Security tools
- Microsoft Baseline Security Analyzer
- Security Bulletin Search Tool
Community engagement
- Newsletters
- Webcasts and chats
- Microsoft "Security360"

Page 47

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Page 48