Building a Safer More Trusted Internet Through Information Sharing

Apr 04, 2018

7/30/2019 Building a Safer More Trusted Internet Through Information Sharing

Building a Safer, More Trusted Internet Through Information Sharing

Microsoft Security Response Center

August 2011

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Copyright 2011 Microsoft Corporation. All rights reserved.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Executive Summary ... 2
Introduction ... 6
Microsoft Active Protections Program ... 11
    MAPP Statistics ... 12
    More Than Just Information Sharing ... 12
    Collaboration with Adobe ... 13
    Microsoft Active Protections Program Partner Feedback ... 15
Microsoft Exploitability Index ... 18
    Providing Guidance for Customers on Newer Platforms ... 19
    Denial of Service Exploitability Assessment ... 20
    Microsoft Exploitability Index Statistics ... 20
Coordinated Vulnerability Disclosure ... 23
Microsoft Vulnerability Research ... 26
    MSVR Advisories ... 26
    MSVR Program Statistics ... 28
Conclusion ... 29

Executive Summary

The threat from cybercrime continues to grow, and people want to feel safer online. But a safer online experience can only be pursued when customers, the industry, and the security and privacy community work together. The Microsoft Security Response Center (MSRC) seeks to promote broad industry collaboration, responsible information sharing, and better community-based defenses, striving to deliver a safer online experience for computer users worldwide.

Over the past three years the MSRC has operated a number of key security-related programs, the Microsoft Active Protections Program (MAPP), the Microsoft Exploitability Index, and Microsoft Vulnerability Research (MSVR), that collectively share more information with partners and customers. With these programs, customers have increased access to more effective countermeasures and additional information to better evaluate risks.

In addition, in August 2010 the MSRC announced the formulation of a set of practices to be used in disclosing information about software vulnerabilities in a way that benefits both vendors and consumers, called Coordinated Vulnerability Disclosure (CVD).

This report highlights the progress of these programs and practices, for the first time including an update on the progress of CVD.

Microsoft Active Protections Program (MAPP)

Community-based defenses help better protect customers. Launched in 2008, MAPP supplies Microsoft vulnerability information to security software partners prior to Microsoft's monthly security update release so partners can build enhanced customer protections.

As of June 2011, 84 partners have joined MAPP; feedback from MAPP partners shows that the number of end users protected by partner signatures ranges from the tens of thousands for smaller specialist companies to hundreds of millions for mass-market vendors. In recent years, membership has grown most in Asia and Europe.

In 2010, MAPP began to focus on providing benefits to members beyond simply sharing vulnerability information. For example, MAPP provides members with information about exploitation techniques to help them validate their detection routines against newly discovered vulnerabilities.

In 2010, Microsoft and Adobe Systems Inc. began collaborating on an initiative to distribute detailed vulnerability information for Adobe software to the MAPP partners. This has given security vendors an opportunity to provide quicker and more effective protections to their customers prior to Adobe deploying its security updates, just as MAPP has done for Microsoft software.

Microsoft Exploitability Index

Sometimes overburdened and functioning with limited resources, IT professionals require additional information to better evaluate risks. The Microsoft Exploitability Index, launched in October 2008, provides Microsoft customers with additional guidance to better prioritize the deployment of Microsoft security updates.

In May of 2011, the MSRC started providing information about how exploitability differs between older versions and newer versions of the affected products. Of the 256 Exploitability Index ratings published from July 2010 through May 2011, 97 issues were less serious or nonexistent on the latest version of the affected application than on earlier versions. In contrast, only seven vulnerabilities affected the most recent version but not older versions.

At the same time, Microsoft started providing more information about the Denial of Service (DoS) impact of a particular vulnerability. Even vulnerabilities that are difficult to exploit can still be used to cause a crash in an application or operating system. For each applicable security bulletin, a Denial of Service Exploitability Assessment indicates whether such a crash would be permanent (requiring that the computer be rebooted) or temporary.

Of the 605 Exploitability Index ratings issued from October 2008 to June 2011, only five have been revised. In five other cases, the Key Notes information for an Exploitability Index assessment was updated, but the rating itself did not change.

Microsoft recommends that customers install all applicable security updates, including bulletins with an exploitability index of 3 or a severity rating of Moderate, but when circumstances require prioritizing some updates over others, customers can use Exploitability Index ratings to help them save money and better allocate resources. For example, a customer that deploys all security bulletins within 30 days would have had to test and deploy a total of 117 bulletins from June 2010 to June 2011. By contrast, a customer that only deploys Critical[1] updates with an Exploitability Index rating of 1 and uses the most recent Windows client and server versions exclusively would have deployed just 24 updates, a difference of more than 80 percent.

Coordinated Vulnerability Disclosure (CVD)

In July 2010, the MSRC announced the formulation of a set of practices to be used in disclosing information about software vulnerabilities in a way that benefits both vendors and consumers. Termed Coordinated Vulnerability Disclosure (CVD), these practices have since been adopted by Microsoft and other software vendors across the industry.

Under the principle of Coordinated Vulnerability Disclosure, finders disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product, to a national/regional CERT or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public. The vendor continues to coordinate with the finder throughout the vulnerability investigation and provides the finder with updates on case progress. Upon release of an update, the vendor may recognize the finder in bulletins or advisories for finding and privately reporting the issue. If attacks are underway in the wild, and the vendor is still working on the update, then both the finder and vendor work together as closely as possible to provide early public vulnerability disclosure to help protect customers. The aim is to provide timely and consistent guidance to help customers protect themselves.

Microsoft Vulnerability Research (MSVR)

The MSVR program is an effort to help improve the security of third-party software running on the Microsoft Windows platform by providing Microsoft security expertise to software vendors affected by vulnerabilities in their products. Microsoft recognizes that cooperating with other software vendors on the discovery and resolution of vulnerabilities helps not only the affected vendors, but Microsoft and its customers as well. Community-based defense efforts aimed at increasing the security of the overall computing ecosystem help make the online experience safer, which makes users feel more confident and trustful.

[1] http://www.microsoft.com/technet/security/bulletin/rating.mspx

As part of the CVD approach, beginning in April 2011, the MSVR program began issuing MSVR Advisories detailing software vulnerabilities that Microsoft had privately disclosed to third-party vendors.

Since July 2010, MSVR has identified and responsibly disclosed 109 different software vulnerabilities affecting a total of 38 vendors.

Ninety-three percent of the third-party vulnerabilities found through MSVR since July 2010 were rated as Critical or Important[2].

Vendors have responded and have coordinated on 97 percent of all reported vulnerabilities; 29 percent of third-party vulnerabilities found since July 2010 have already been resolved, and none of the vulnerabilities without updates have been observed in any attacks.

[2] http://www.microsoft.com/technet/security/bulletin/rating.mspx
Introduction

The most publicly visible work that the MSRC carries out is coordinating the development, testing and release of Microsoft security updates that address vulnerabilities in Microsoft software. This section describes some of the key trends in managing vulnerabilities in Microsoft software during the 12 months from July 2010 through June 2011, provides some forward-looking thoughts on future trends, and highlights tools and processes that organizations can leverage to help reduce potential disruption that security update deployment might introduce.

Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of that software or the data it processes. Some of the most severe vulnerabilities enable attackers to run software code of their choice, potentially compromising the system's software. The disclosure of a vulnerability is the revelation of a vulnerability to the public at large. Disclosures can come from various sources, including software vendors, security software vendors, independent security researchers, and those who create malicious software (also known as malware).

It is impossible to completely prevent vulnerabilities from being introduced during the development of large-scale software projects. As long as human beings write software code, no software will be perfect and mistakes that lead to imperfections in software will be made. Some imperfections (bugs) simply prevent the software from functioning exactly as intended, but other bugs may present vulnerabilities. Not all vulnerabilities are equal; some vulnerabilities won't be exploitable because specific mitigations prevent attackers from using them. Nevertheless, some percentage of the vulnerabilities that exist in a given piece of software poses the potential to be exploitable.[3]

Many software developers address vulnerabilities by releasing security updates. Microsoft has evolved a mature and proven process to help ensure that high-quality security updates are developed, tested and released in a timely and predictable manner. See the whitepaper Software Vulnerability Management at Microsoft for more details on these processes.

[3] http://www.microsoft.com/security/msrc/whatwedo/updates.aspx
Software vulnerabilities disclosed and security bulletins released July 2010 through June 2011

During the 12 months from July 2010 through July 2011 Microsoft released a total of 117 security bulletins covering 283 individual vulnerabilities. Software vulnerabilities are enumerated and documented in the Common Vulnerabilities and Exposures (CVE) list[4], a standardized repository of vulnerability information. There were two out-of-band security bulletins during this period.

Figure 1. Bulletins issued and CVEs addressed, 1H06 to 1H11

[4] http://cve.mitre.org
Coordinated Vulnerability Disclosure (CVD) compliant disclosure rates remained high during the period from July 2010 through June 2011. Seventy-four percent of vulnerabilities disclosed to Microsoft were reported directly to the MSRC, and nine percent were reported through vulnerability brokers. A high rate of CVD-compliant vulnerability disclosure helps to reduce risk to computer users on the internet by allowing Microsoft to develop, test and release a high-quality security update before details of the vulnerability are broadly disclosed.

Figure 2. Industry-wide vulnerability disclosures, July 2006 to June 2011

Lower numbers of vulnerabilities that could lead to remote code execution

Although the number of vulnerabilities disclosed in Microsoft software has increased over the past two years, vulnerabilities that could lead to remote code execution have dropped in percentage terms:

Figure 3. Percentage of vulnerabilities with potential remote code execution, July 2006 to June 2011

Microsoft working to minimize disruption due to security updates

Microsoft understands that deploying security updates can cause disruption to organizations and businesses, particularly when those updates affect server products. To help minimize disruption, Microsoft conducts extensive testing before releasing security updates to help avoid deployment or compatibility issues. Security updates are announced via security bulletins on the second Tuesday of the month, a schedule widely regarded across the industry and customer base as best practice.

As part of this process Microsoft assigns a severity rating and an Exploitability Index rating to each bulletin; with these two pieces of information, organizations can choose how to prioritize deployments. Beginning in May 2011, Microsoft began assigning two Exploitability Index ratings to each bulletin: one rating for the newest version of the affected product, and a separate rating for older versions of the product.

Although some organizations deploy all Microsoft security bulletins when they are released, many organizations conduct risk assessment exercises to help prioritize deployments (for example, identifying which bulletins must be deployed in their environment urgently, and which can be delayed to a quarterly planned maintenance event).

Combining the severity rating and the Exploitability Index can help reduce the business impact of update deployment: if an organization deploys Critical bulletins that have an Exploitability Index rating of 1 in its monthly deployment process (and delays all other bulletins for a quarterly deployment push), the effect is noticeable.

This effect is particularly positive for newer versions of products. For security bulletins that affect Windows Server products, which typically cause the most disruption to organizations and businesses, this approach can be very useful; urgent deployments could be reduced by almost 85 percent:

Figure 4. Security bulletin deployment events affecting Windows Server under different scenarios, June 2010 to June 2011

    Scenario                                                                         Deployment events
    Deploy all Windows Server bulletins within 30 days                                             83
    Deploy only critical Windows Server bulletins within 30 days after release                     29
    Deploy only critical Windows Server bulletins with an XI of 1 on release day                   20
    Deploy only critical Windows Server bulletins with an XI of 1 on release day,
    when all systems are on the most recent product release (Windows Server 2008)                  13

Microsoft recommends that customers install all applicable security updates, including bulletins with an exploitability index of 3 or a severity rating of Moderate. Exploitation techniques change over time, and newly developed techniques can make it easier for an attacker to exploit vulnerabilities that had previously been more difficult to successfully exploit. Nevertheless, Microsoft recognizes that prioritization decisions will be made within each organization and that time and resources may often be limited. The Exploitability Index allows customers facing such limitations to better prioritize their update deployments.
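The triage that the figure and the recommendation above describe can be written down as a filter over bulletin records: severity rating, the two Exploitability Index ratings (newest version versus older versions) and the Denial of Service assessment decide what goes out on release day and what waits for the quarterly window. The Python below is an added example, not code or data from the report; the bulletin records, their ratings, the scenario names and the resulting counts are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the severity + Exploitability Index prioritisation the
# report describes. Nothing here is Microsoft's tooling or the report's data.


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str               # placeholder ids, not real bulletin numbers
    severity: str                  # "Critical", "Important", "Moderate" or "Low"
    xi_latest: Optional[int]       # Exploitability Index for the newest product version (None = not affected)
    xi_older: Optional[int]        # Exploitability Index for older product versions (None = not affected)
    affects_server: bool           # True if a Windows Server product is affected
    dos_permanent: Optional[bool]  # DoS assessment: True = crash needs a reboot, False = temporary, None = none stated


# Scenario names are this example's own; they follow the four rows of Figure 4.
SCENARIO_NAMES = ("all", "critical", "critical_xi1", "critical_xi1_latest")


def applies(b: Bulletin, all_on_latest: bool) -> bool:
    """A bulletin needs deploying only if some product version in the estate is affected."""
    if b.xi_latest is not None:
        return True
    return (not all_on_latest) and b.xi_older is not None


def effective_xi(b: Bulletin, all_on_latest: bool) -> Optional[int]:
    """Worst case across the versions actually deployed.
    A lower index is worse: 1 means consistent exploit code is likely."""
    ratings = [b.xi_latest] if all_on_latest else [b.xi_latest, b.xi_older]
    ratings = [r for r in ratings if r is not None]
    return min(ratings) if ratings else None


def plan(bulletins: List[Bulletin], scenario: str, server_only: bool = True) -> List[Bulletin]:
    """Bulletins that must be deployed urgently under one of the Figure 4 scenarios."""
    if scenario not in SCENARIO_NAMES:
        raise ValueError(f"unknown scenario {scenario!r}")
    critical_only = scenario != "all"
    require_xi1 = scenario.startswith("critical_xi1")
    all_on_latest = scenario == "critical_xi1_latest"
    urgent = []
    for b in bulletins:
        if server_only and not b.affects_server:
            continue
        if not applies(b, all_on_latest):
            continue
        if critical_only and b.severity != "Critical":
            continue
        if require_xi1 and effective_xi(b, all_on_latest) != 1:
            continue
        urgent.append(b)
    return urgent


def deferred_permanent_dos(bulletins: List[Bulletin], scenario: str, server_only: bool = True) -> List[Bulletin]:
    """Bulletins pushed to the quarterly window whose DoS assessment is 'permanent'
    (reboot required); worth a second look before accepting the delay on a server."""
    all_on_latest = scenario == "critical_xi1_latest"
    urgent_ids = {b.bulletin_id for b in plan(bulletins, scenario, server_only)}
    return [b for b in bulletins
            if (b.affects_server or not server_only)
            and applies(b, all_on_latest)
            and b.bulletin_id not in urgent_ids
            and b.dos_permanent is True]


def deployment_counts(bulletins: List[Bulletin], server_only: bool = True) -> dict:
    """Urgent deployment events per scenario, the shape of Figure 4."""
    return {name: len(plan(bulletins, name, server_only)) for name in SCENARIO_NAMES}


# Constructed sample month: ids, ratings and DoS flags are invented.
SAMPLE_BULLETINS = [
    Bulletin("SAMPLE-01", "Critical",  1,    1,    True,  None),   # exploitable on every version
    Bulletin("SAMPLE-02", "Critical",  3,    1,    True,  None),   # mitigated on the newest version
    Bulletin("SAMPLE-03", "Critical",  None, 1,    True,  False),  # newest version not affected
    Bulletin("SAMPLE-04", "Critical",  2,    2,    True,  True),   # harder to exploit, permanent DoS
    Bulletin("SAMPLE-05", "Important", 1,    1,    True,  None),
    Bulletin("SAMPLE-06", "Moderate",  3,    3,    True,  True),   # DoS only, reboot required
    Bulletin("SAMPLE-07", "Critical",  1,    1,    False, None),   # client-only product
    Bulletin("SAMPLE-08", "Important", 3,    None, True,  None),   # only the newest version affected
]

if __name__ == "__main__":
    for name, n in deployment_counts(SAMPLE_BULLETINS).items():
        print(f"{name:20s} {n}")
    print("deferred with permanent DoS:",
          [b.bulletin_id for b in deferred_permanent_dos(SAMPLE_BULLETINS, "critical_xi1")])
```

The counts fall the same way the figure does: each narrower scenario removes bulletins, and moving the whole estate to the newest release removes the most, because the version-specific rating lets mitigated or unaffected bulletins drop out entirely.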

As long as security threats remain, Microsoft will continue its commitment to helping protect customers. Innovative industry collaboration and information sharing programs such as MAPP, MSVR, CVD and the Exploitability Index continue to showcase improved results that demonstrate that commitment.

Microsoft Active Protections Program

Officially launched in October 2008, MAPP[5] supplies Microsoft vulnerability information to security software providers before each Microsoft monthly security update and before out-of-band security updates and advisories. By obtaining security vulnerability information early, partners gain additional time to build software protections for their customers before Microsoft releases security updates to the public.

Prior to MAPP's launch, security software providers received vulnerability information at the same time as exploit code writers (10 a.m. Pacific Time on the second Tuesday of each month, when Microsoft releases its monthly security updates). Because it takes time for customers to deploy security updates, this security update release marked the start of a race between individuals with malicious intent and security software providers, a race in which one side hurries to develop attacks while the other side rushes to provide interim customer protections until security updates can be applied.

Results reported by Sourcefire, a world leader in real-time adaptive network security, show that before MAPP, approximately eight hours was needed to reverse engineer vulnerability information, develop proof-of-concept (PoC) exploit code, and then build protective detection code for the exploit. Eight hours is also about the amount of time a focused attacker needs to generate malicious exploit code after a vulnerability is disclosed. With advance access to vulnerability information through MAPP, Sourcefire reports that their protective process now only takes two hours, and that their developers only have to write the detection code because everything else is provided. The result is that protections are typically released hours ahead of any exploit code, which means that customers are better protected hours ahead of even the most focused attackers.

[5] For more information, including a list of MAPP partners, see www.microsoft.com/security/msrc/collaboration/mapp.aspx
MAPP Statistics

As of June 2011, 84 partners have joined MAPP; feedback from MAPP partners shows that the number of end users benefiting from partner signatures ranges from the tens of thousands for smaller specialist companies to hundreds of millions for mass-market vendors. MAPP partners[6] represent global markets for antivirus, IDS, and IPS, and include a mix of medium to large companies that provide active software security protections[7] for consumers and enterprises around the world. Partners include companies based in North America, Europe, the Middle East, and Asia. In recent years, membership has grown most in Asia and Europe. In 2011, for example, the MAPP community was strengthened by the addition of major vendors Qihoo 360, headquartered in China; Avast, headquartered in the Czech Republic; and Avira, headquartered in Germany.

Microsoft security professionals regularly communicate with MAPP members to understand whether the information Microsoft is providing is assisting them in their goal to protect their customers. Information from these discussions is continuously evaluated to ensure the program is meeting its main goal of helping to protect the mutual customers of Microsoft and the security provider.

More Than Just Information Sharing

In 2010, MAPP began to focus not only on getting customers the protection help they need faster, but also on making existing protections better, a role beyond the mere dissemination of vulnerability information. Malware creators and attackers devote considerable efforts to avoiding detection by security software. By coordinating through a program like MAPP, community members can combine their skills, visibility, and insight to make it much more difficult for attackers to avoid detection.

A good example of this coordination involves Microsoft Security Bulletin MS10-087, a bulletin focused on addressing reported vulnerabilities in Microsoft Office that could allow remote code execution. This security bulletin was released on November 9, 2010, and addressed a number of vulnerabilities, including CVE-2010-3333, a vulnerability in the Microsoft Office Rich Text Format (RTF) parsers. Microsoft researchers determined that this vulnerability would be relatively trivial for an attacker to exploit, and assigned it an exploitability index rating of 1 ("Consistent exploit code likely"). (See Microsoft Exploitability Index on page 18 for more information.)

[6] For the most current list of all MAPP partners, see http://www.microsoft.com/security/msrc/collaboration/mapppartners.aspx.
[7] For information on the term active software security protections, see http://www.microsoft.com/security/msrc/collaboration/mappfaq.aspx.

On December 28, the Microsoft Malware Protection Center (MMPC), which is considered one of the MAPP partners, identified a malicious file that exploited this vulnerability. The MMPC informed the MSRC that the vulnerability was being actively exploited, and the MSRC began investigating whether other MAPP partners had effective means of detecting the exploitation technique. Researchers discovered that attackers were using three different exploitation methods in an effort to avoid being detected. Microsoft shared the details of these three techniques and the files that were identified as exploiting the vulnerability with each of the partners in the MAPP program. This allowed partners to validate their detection routines against the vulnerability and ensure they had accurate coverage in place.

Collaboration with Adobe

In today's rapidly evolving threat landscape, the solution to a security problem is often not found in one company, individual, or technology. In 2010, Microsoft and Adobe Systems Inc. began collaborating on an initiative to distribute detailed vulnerability information for Adobe software to the MAPP partners. This has given security vendors an opportunity to provide quicker and more effective protections to their customers prior to Adobe deploying its security updates, just as MAPP has done for Microsoft software.

"Adobe is proud of its continued participation in the MAPP program and pleased with the positive feedback we've been getting from MAPP partners. Since the July 2010 MSRC Information Sharing report, Adobe's participation in MAPP has grown from providing proof of concept documentation for exploits to providing full detection guidance and examples on virtually all Adobe Reader and Flash Player issues. We are pleased with the results of our participation in MAPP and value MAPP as a great example of companies working together to share information to help protect our mutual customers. Adobe has provided detection guidance to MAPP partners on 14 security updates since we began participating in the program."

Brad Arkin, Senior Director of Product Security and Privacy, Adobe Systems Incorporated

Many partners have reacted very positively to the distribution of Adobe vulnerability information through the MAPP program. Reactions have included the following:

In 2011, Microsoft continued its partnership with Adobe on providing vulnerability information to MAPP partners on Adobe product vulnerabilities. Adobe has provided detection guidance to MAPP participants for 14 security bulletins and advisories since Adobe began participating in the program.

"The addition of Adobe to the MAPP notification process extended and enhanced the many benefits MAPP already offered. This strategic relationship shows dedication both by Microsoft and Adobe to provide security for their end users. Consolidating the format and utilizing a matured delivery mechanism for release notifications saves Solutionary hours of research and bulletin preparation each month."

Brad Curtis, Security Engineering and Research Team (SERT), Solutionary

"Microsoft, through MAPP, is helping security vendors like us to keep ahead in this constant race between cyber criminals (hackers) and the security vendors. Inclusion of Adobe data on this was a wise decision by Adobe toward reaching to all security vendors with right information. We find this initiative by Adobe more helpful as it helps us to prepare our products in advance against the vulnerability exploits of PDF and other Adobe files. MAPP is certainly doing great work towards the common goal of making the cyber world safer."

Sanjay Katkar, CTO, Quick Heal Technologies

  • 7/30/2019 Building a Safer More Trusted Internet Through Information Sharing

    17/32

    15

    Microsoft Active Protections Program PartnerFeedback

    Partners report that the Microsoft Active Protections Program saves them

    considerable time and effort, and these savings are passed onto customers by way

    of more timely and effective software protections. Some feedback Microsoft has

    received includes:

"We were excited to see regularly-updated and highly-valued Adobe vulnerability information on MAPP's platform. Adobe's data helped us to release several protections against Flash flaws in the past year. The collaboration of MAPP and Adobe is a good start and we hope that other popular software vendors can join and contribute to a broader and better security protection for customers."

Daishuo, Senior malware analyst, Beijing Jiangmin New Science & Technology Co. Ltd.

"MAPP has become an indispensable part of NIKSUN's security program to protect its customers. The timeliness, quality, efficiency, and accuracy of our detection have been greatly improved over pre-MAPP days, when truly detailed MS vulnerability information was scarce. We are happy to see Adobe join the program and hope that other high profile vendors will follow suit, as this seems to be a worthy model of responsible disclosure."

Darryle Merlette, Executive Director -- Security Solutions, NIKSUN

"With the addition of Adobe to the Microsoft Active Protections Program, Juniper Networks is able to provide quality protection to customers when time is a critical factor."

Karl Lynn, Juniper Networks


"The information coming from MAPP helps us to successfully provide zero-day protection to customers."

Wei Wang, Beijing Leadsec Technology Co., Ltd

"MAPP has been using a creative way to combat vulnerabilities in the shortest time by combining most security partners all over the world; not only our company but also all other partners benefit from it, so information security as a whole improves a lot."

Shaowen Yan, Vice President, Beijing Jiangmin New Science & Technology Co. Ltd.

"The MAPP program helped SonicWALL improve response time and achieve greater protection coverage against exploits targeting Microsoft-based vulnerabilities. The MAPP program is very well run and provides our research team with the necessary technical detail in advance to keep our customers protected at the highest level."

Alex Dubrovsky, Director of Software Engineering & Threat Research, SonicWALL

"Although our participation in the MAPP program is relatively short, it has already helped us to reduce the number of malware samples that we need to analyze. This allows us to provide customers with protection faster."

Peter Kov, Software Developer, AVAST Software

"MAPP's early notification allows Solutionary to proactively and intelligently protect clients from the moment the notification is released. The information MAPP provides is clear and comprehensive, which streamlines signature deployment and the alerting process. Since becoming a MAPP member, Solutionary's Security Engineering & Research Team (SERT) now focuses time and energy towards identification, defense, and disclosure of new vulnerabilities, rather than handling the administrative function of researching and drafting bulletins."

Brad Curtis, Security Engineering and Research Team (SERT), Solutionary

"MAPP gives a great help to improve our ability to protect customers and deepen our understanding of security."

Hangzhou DPTech Technologies Co., Ltd

"The MAPP program enables us to provide very timely and accurate protection to our customers. This gives us and our customers a lot of confidence in our protection. We are pleased to be a part of this program. It is a very good initiative from Microsoft to enable security vendors to deploy quick protection."

Pawan Kinger, Senior Manager, Trend Micro


Microsoft Exploitability Index

Through various communication channels, Microsoft has always provided customers with information about the availability of proof-of-concept (PoC) exploit code or active attacks related to vulnerabilities addressed by Microsoft security updates. The Microsoft Exploitability Index [8] was developed in response to customer requests for additional information to better evaluate risk; it provides new data on the likelihood of functioning exploit code being developed, so customers have additional guidance to better prioritize the deployment of Microsoft security updates. [9]

The main goal of the Exploitability Index is to help customers prioritize their security update deployments. This information enables customers to better identify the security updates that are most important to them and deploy them in a timely manner. For example, a customer might prioritize addressing an Important severity vulnerability that is likely to be exploited in the first 30 days after release of the security update over a Critical vulnerability that is unlikely to ever be exploited. Although most customers use the severity ratings to identify which updates are really worth their attention, the Exploitability Index offers additional technical detail that can help security teams maximize the benefit of their security resources.

The Exploitability Index uses three levels to communicate to customers the likelihood of functioning exploit code being developed:

• 1 - Consistent Exploit Code Likely. Analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit that vulnerability. For example, an exploit would be able to cause remote code execution of that attacker's code repeatedly, and in a way that an attacker could consistently expect the same results. This would make it an attractive target for attackers, and therefore more likely that exploit code would be created.

[8] For more information on the Microsoft Exploitability Index, see http://technet.microsoft.com/security/cc998259.
[9] Alberts, Bas, A Bounds Check on the Microsoft Exploitability Index (Miami Beach, Fla.: Immunity, Inc., 2008), p. 7.


Although this information has only been published since May 2011, the MSRC performed an internal evaluation of all 256 Exploitability Index ratings published from July 2010 through May 2011 and found that 97 issues were less serious or nonexistent on the latest version of the affected application than on earlier versions. In contrast, only seven vulnerabilities affected the most recent version but not older versions.

Denial of Service Exploitability Assessment

In addition, Microsoft started providing more information about the Denial of Service (DoS) impact of a particular vulnerability. Even vulnerabilities that are difficult to exploit can still be used to cause a crash in an application or operating system. For each applicable security bulletin, a Denial of Service Exploitability Assessment indicates whether such a crash would be permanent (requiring that the computer be rebooted) or temporary.

Figure 5. Security bulletin summaries have included expanded exploitability information since May 2011 [10]

Microsoft Exploitability Index Statistics

The 254 security bulletins published from October 2008 to June 2011 resulted in 605 Exploitability Index ratings, as shown in the following table. [11]

[10] Sign up for free security notifications from Microsoft at http://technet.microsoft.com/en-us/security/dd252948.aspx
[11] Security bulletins published in May 2011 and afterward have included two Exploitability Index ratings for each vulnerability, as explained on page 12. For each of these vulnerabilities, the more severe of the two ratings is represented in Figure 2.


Figure 6. Microsoft Exploitability Index ratings, October 2008 to June 2011

    Rating                                      Ratings issued
    1 - Consistent Exploit Code Likely                     336
    2 - Inconsistent Exploit Code Likely                   176
    3 - Functioning Exploit Code Unlikely                   93
    Total                                                  605

Of the 605 ratings issued through June 2011, only five have been revised:

• June 2009: CVE-2009-1138 was changed from an Exploitability Index assessment of 1 - Consistent Exploit Code Likely to 3 - Functioning Exploit Code Unlikely; Key Notes section updated.
• September 2010: CVE-2010-2738 was changed from 2 - Inconsistent Exploit Code Likely to 1 - Consistent Exploit Code Likely.
• September 2010: CVE-2010-2730 was changed from 1 - Consistent Exploit Code Likely to 2 - Inconsistent Exploit Code Likely.
• February 2011: CVE-2011-0091 was changed from 2 - Inconsistent Exploit Code Likely to 3 - Functioning Exploit Code Unlikely.
• April 2011: CVE-2011-0034 was changed from 2 - Inconsistent Exploit Code Likely to 1 - Consistent Exploit Code Likely.

In five other cases, the Key Notes information for an Exploitability Index assessment was updated, but the rating itself did not change:

• January 2009: CVE-2008-4114; no change in Exploitability Index assessment; Key Notes section clarified.
• April 2009: CVE-2008-2540; no change in Exploitability Index assessment; Key Notes section updated.
• April 2009: CVE-2009-0089; no change in Exploitability Index assessment; Key Notes removed.
• November 2009: CVE-2009-2523; no change in Exploitability Index assessment; Key Notes section added.
• September 2010: CVE-2010-0818; no change in Exploitability Index assessment; Key Notes section added.

An examination of different possible deployment scenarios illustrates how the Exploitability Index can help save organizations money and allow them to better allocate resources:


Figure 7. Security bulletin deployment events under different scenarios, June 2010 to June 2011

    Deployment scenario                                                                        Bulletins
    Deploy all bulletins within 30 days                                                              117
    Deploy only Critical bulletins within 30 days after release                                       50
    Deploy only Critical bulletins with an Exploitability Index (XI) of 1 on release day              35
    Deploy only Critical bulletins with an XI of 1 on release day, when all systems are on the
    most recent product release                                                                       24
    Deploy all Server bulletins only                                                                  83
    Deploy all Critical Server bulletins only                                                         29
    Deploy all Critical Server bulletins with an Exploitability Index rating of 1                     20
    Deploy all Critical bulletins for Windows Server 2008 with an Exploitability Index of 1           13

For example, a customer that deploys all security bulletins within 30 days would have had to test and deploy a total of 117 bulletins from June 2010 to June 2011. By contrast, a customer that only deploys Critical updates with an Exploitability Index rating of 1 and uses the most recent Windows client and server versions exclusively would have deployed just 24 updates, a reduction of nearly 80 percent (93 of 117 deployment events).

Microsoft recommends that customers install all applicable security updates, including bulletins with an Exploitability Index of 3 or a severity rating of Moderate. Exploitation techniques change over time, and newly developed techniques can make it easier for an attacker to exploit vulnerabilities that had previously been more difficult to successfully exploit. Nevertheless, Microsoft recognizes that prioritization decisions will be made within each organization and that time and resources may often be limited. The Exploitability Index allows customers facing such limitations to better prioritize their update deployments.
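The prioritization rule described in this section (exploitability first, severity as the tie-breaker, the more severe of the two per-version ratings governing unless every system runs the latest release, and a permanent DoS outranking a temporary one) and the deployment-policy counts of Figure 7 can be written down as a small triage script. The following is an added example and not Microsoft's code; the bulletin records are constructed (EX-01 to EX-08 are hypothetical identifiers, not real security bulletins), and the field names, scenario names and the `Bulletin` type are assumptions made for the illustration.

```python
"""Exploitability Index (XI) driven patch triage.

Added example, not Microsoft's code. The bulletin records below are
constructed for illustration: EX-01 .. EX-08 are hypothetical identifiers,
not real Microsoft security bulletins, and every field value is invented.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Severity is only the tie-breaker; the XI rating (1 = consistent exploit code
# likely, 3 = functioning exploit code unlikely) is the primary sort key.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Bulletin:
    bid: str             # hypothetical bulletin identifier
    severity: str        # aggregate severity rating of the bulletin
    xi_latest: int       # XI for the most recent version of the affected product
    xi_older: int        # XI for older supported versions (bulletins carry both since May 2011)
    dos_permanent: bool  # Denial of Service assessment: True if the crash needs a reboot
    server: bool         # True if a server product is affected

    @property
    def xi_worst(self) -> int:
        """The more severe (lower-numbered) of the two per-version ratings."""
        return min(self.xi_latest, self.xi_older)

    def xi_for(self, latest_only: bool) -> int:
        """Only a fleet that runs exclusively the latest release may rely on xi_latest."""
        return self.xi_latest if latest_only else self.xi_worst


def priority_key(b: Bulletin, latest_only: bool = False) -> Tuple[int, int, bool, str]:
    """Most-likely-exploited first, then severity, then permanent DoS ahead of
    temporary. An Important/XI-1 bulletin therefore sorts ahead of a Critical/XI-3 one."""
    return (b.xi_for(latest_only), SEVERITY_RANK[b.severity], not b.dos_permanent, b.bid)


def prioritize(bulletins: List[Bulletin], latest_only: bool = False) -> List[Bulletin]:
    """Order, but never drop: every applicable update is still expected to be installed."""
    return sorted(bulletins, key=lambda b: priority_key(b, latest_only))


# The deployment policies of Figure 7 as predicates. Each count is how many
# bulletins that policy deploys inside its window, not how many exist.
SCENARIOS: Dict[str, Callable[[Bulletin], bool]] = {
    "all within 30 days": lambda b: True,
    "critical within 30 days": lambda b: b.severity == "Critical",
    "critical, XI 1, release day": lambda b: b.severity == "Critical" and b.xi_worst == 1,
    "critical, XI 1, all systems on latest release": lambda b: b.severity == "Critical" and b.xi_latest == 1,
    "server bulletins": lambda b: b.server,
    "critical server bulletins": lambda b: b.server and b.severity == "Critical",
    "critical server, XI 1": lambda b: b.server and b.severity == "Critical" and b.xi_worst == 1,
}


def scenario_counts(bulletins: List[Bulletin]) -> Dict[str, int]:
    return {name: sum(1 for b in bulletins if keep(b)) for name, keep in SCENARIOS.items()}


def reduction_percent(baseline: int, reduced: int) -> float:
    """Percentage of deployment events saved relative to deploying everything."""
    return round(100.0 * (baseline - reduced) / baseline, 1)


# Constructed sample set (invented values). EX-02 is XI 1 on older versions but
# XI 3 on the latest release, the pattern the MSRC evaluation found to be common.
SAMPLE_BULLETINS = [
    Bulletin("EX-01", "Critical",  1, 1, False, True),
    Bulletin("EX-02", "Critical",  3, 1, True,  False),
    Bulletin("EX-03", "Important", 1, 1, False, True),
    Bulletin("EX-04", "Critical",  3, 3, True,  True),
    Bulletin("EX-05", "Moderate",  3, 3, False, False),
    Bulletin("EX-06", "Important", 2, 2, True,  False),
    Bulletin("EX-07", "Critical",  1, 2, False, False),
    Bulletin("EX-08", "Low",       3, 3, False, True),
]

if __name__ == "__main__":
    for b in prioritize(SAMPLE_BULLETINS):
        print(b.bid, b.severity, "XI", b.xi_worst, "permanent DoS" if b.dos_permanent else "")
    for name, n in scenario_counts(SAMPLE_BULLETINS).items():
        print(f"{n:3d}  {name}")
    print(reduction_percent(117, 24), "% fewer deployment events in the Figure 7 example")
```

Two things the script makes visible that the table does not: with the mixed-fleet ordering, the Important/XI-1 bulletin EX-03 lands ahead of the Critical/XI-3 bulletin EX-04, and switching `latest_only=True` drops EX-02 from the top of the list to the XI-3 group, which is exactly why the latest-release scenario in Figure 7 has the smallest count. The scenarios only decide what is deployed inside the 30-day window; `prioritize` never discards a bulletin, in line with the recommendation to install every applicable update eventually.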


Coordinated Vulnerability Disclosure

In July 2010, the MSRC announced the formulation of a set of practices to be used in disclosing information about software vulnerabilities in a way that benefits both vendors and consumers. Termed Coordinated Vulnerability Disclosure (CVD), these practices have since been adopted by Microsoft and other software vendors across the industry.

Under CVD, finders disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product, to a national/regional CERT or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public. The vendor continues to coordinate with the finder throughout the vulnerability investigation and provides the finder with updates on case progress. Upon release of an update, the vendor may recognize the finder in bulletins or advisories for finding and privately reporting the issue. If attacks are underway in the wild, and the vendor is still working on the update, then both the finder and vendor work together as closely as possible to provide early public vulnerability disclosure to help protect customers. The aim is to provide timely and consistent guidance to help customers protect themselves.

Information about vulnerabilities in third-party products comes to MSVR in three primary ways:

• Internal Microsoft developers and test engineers: In the course of their day-to-day jobs, developers and test engineers find potential vulnerabilities in third-party software. These vulnerabilities are reported to the MSVR team, which then works with the affected vendor to fix the issue.
• Internal research projects: As time and resources permit, MSVR performs its own vulnerability analysis and research on third-party products that run on Microsoft operating systems but are not developed by Microsoft, using internally developed toolsets and practices.
• External reports to Microsoft Security Response Center (MSRC): External researchers report issues to the MSRC that they believe affect Microsoft products. On occasion, researchers determine that a reported issue affects third-party products instead of or in addition to Microsoft products. As with internally discovered vulnerabilities, these are reported to the MSVR team, which works with the affected vendors to address the issue.

After receiving information about a vulnerability in a third-party product, MSVR compiles a comprehensive set of information about the vulnerability to provide to the affected vendor. This can include information about the test environment in which the vulnerability was observed, the severity and security impact of the vulnerability, crash dump information, proof-of-concept and/or exploit code, root cause analysis information, and other technical details about the vulnerability. When the analysis is complete, MSVR initiates communication with the vendor's designated contact, using encrypted email if possible, or other methods as appropriate. In order to minimize the risk of vulnerability information being misdirected while attempting to identify the vendor contact, MSVR will not send the vulnerability report in the initial e-mail. The initial e-mail will be a simple introduction stating that MSVR is attempting to identify the correct contact to report a vulnerability in the vendor's products or services. When the appropriate vendor contact is identified and confirms willingness to accept the vulnerability report, MSVR provides the vulnerability report.

Microsoft understands that each software vendor is likely to have its own list of concerns about cooperating with other parties on vulnerability response, and that some software vendors may have misgivings about accepting MSVR's help. MSVR is pleased to work in a cooperative manner with any vendor dealing with a software vulnerability on the Windows platform. At the same time, MSVR urges every software vendor to address vulnerabilities in an open, responsive, and timely fashion, whether in cooperation with MSVR or not. This will help keep the Internet ecosystem safer for all users, and help vendors achieve a positive reputation in the security community as well.

For more information, see Coordinated Vulnerability Disclosure at the MSRC website, http://www.microsoft.com/security/msrc/report/disclosure.aspx.

Many customers have reacted very positively to the announcement of CVD. Reactions have included the following:

"When researchers disclose software vulnerabilities before vendors have a chance to address them, business may be impacted. Announcing vulnerabilities in public ways serves no useful purpose; enterprises and even individual users immediately lose a veil of protection, because the details of a vulnerability are available to those who would do harm. I agree with Microsoft's Coordinated Vulnerability Disclosure (CVD) policy, where a vulnerability is announced in tandem with a fix or recommendation for compensating controls. By far, this is a more responsible approach to vulnerability publicity. Unfortunately, vulnerability disclosures continue to grow in number and scale in part for the recognition and financial reward they might bring. That environment shouldn't be nurtured or promoted. By working within the system, there will be far less damage to the system we all rely on."

- Alan Levine, Chief Information Security Officer, Alcoa

"We applaud the efforts of Microsoft and others in the software industry to develop better practices around vulnerability disclosure and move the debate forward. At BP we support the principle of disclosing vulnerabilities in a coordinated way. We also believe that "full disclosure" of software vulnerabilities, without warning to the user community and without immediate access to fixes or patches, poses a significant risk to large and small businesses alike."

- John I Meakin, Director, Digital Security & CISO, BP

"As a cybercrime insurance provider, we constantly look for ways to create secure environments that lower risk for our business and our customers around the world. Full disclosure of vulnerabilities without a proper fix in place costs big companies like ours lots of money. Not only does it cause significant disruption to our business, it increases risk to our customers. Microsoft's approach to vulnerability disclosure provides a predictable process that minimizes the disruption and reduces cost associated with implementing updates. This helps us and it helps our customers."

- Don Garvey, Chief Information Security Officer, Chubb Corporation


Microsoft Vulnerability Research

In an age in which every type of computing device can be interconnected, the security and privacy of data is more important than ever. In addition, the potential consequences of security vulnerabilities can be much more severe and have a much greater impact on the Internet in general. Microsoft Vulnerability Research (MSVR) was established to provide a mechanism for Microsoft software developers and security researchers to share their collective knowledge and experience with third-party software developers and the greater community. The success of MSVR has helped improve the security ecosystem as a whole, which benefits Microsoft, other software publishers, and the worldwide community of computer users.

Figure 8. The MSVR response process

MSVR Advisories

As part of the CVD approach, beginning in April 2011, the MSVR program began issuing MSVR advisories detailing software vulnerabilities that Microsoft had privately disclosed to third-party vendors.


Figure 9. MSVR advisories issued from April to June 2011

    MSVR11-001  Use-After-Free Object Lifetime Vulnerability in Chrome Could Allow Sandboxed Remote Code Execution   4/19/2011
    MSVR11-002  HTML5 Implementation in Chrome, Opera, and Safari Could Allow Information Disclosure                 5/17/2011
    MSVR11-003  Vulnerability in RealNetworks RealPlayer Could Allow Remote Code Execution                           5/17/2011
    MSVR11-004  Vulnerability in RealNetworks RealPlayer RichFX Component Could Allow Remote Code Execution          5/17/2011
    MSVR11-005  Vulnerability in Foxit Reader Could Allow Remote Code Execution                                      6/21/2011
    MSVR11-006  Vulnerability in Google SketchUp Could Allow Remote Code Execution                                   6/21/2011

Microsoft does not reveal vulnerability details before a vendor-supplied update is available for issues reported through the MSVR program, unless there is significant evidence of active attacks in the wild. If attacks begin before the vendor has released their remediation, Microsoft will continue to coordinate with the vendor to release consistent mitigation and workaround guidance. This cooperative approach ensures that affected customers understand their risk and what to do to mitigate that risk, without revealing details that attackers could use to commit cybercrime.

This coordination takes place under Microsoft's CVD approach to vulnerability disclosure. CVD clarifies how Microsoft responds as a vendor impacted by vulnerabilities in its products and services, as a finder of new vulnerabilities in third-party products and services, and as a coordinator of vulnerabilities that affect multiple vendors.

MSVR advisories are posted at http://www.microsoft.com/technet/security/advisory/MSVRarchive.mspx. The format of an MSVR advisory is similar to that of a Microsoft security advisory: each MSVR advisory contains a top-level summary that states the reason for issuing the advisory, frequently asked questions, and a Suggested Actions section describing any action that users may have to take to help protect themselves. MSVR advisories may be revised as required to reflect new information or guidance.


MSVR Program Statistics

• Since July 2010, MSVR has identified and responsibly disclosed 109 different software vulnerabilities affecting a total of 38 vendors.
• 93 percent of the third-party vulnerabilities found through MSVR since July 2010 were rated as Critical or Important. [12]
• Vendors have responded and coordinated on 97 percent of all reported vulnerabilities; 29 percent of the third-party vulnerabilities found since July 2010 have already been resolved, and none of the vulnerabilities without updates have been observed in any attacks.

For more information, see the Microsoft Vulnerability Research page at http://www.microsoft.com/security/msrc/collaboration/research.aspx.

[12] http://www.microsoft.com/technet/security/bulletin/rating.mspx


Conclusion

The global computing threat landscape is constantly evolving. Microsoft has responded to this continuing shift by developing a series of programs and initiatives that involve responsible information sharing to help customers manage and overcome computing threats. The Microsoft Active Protections Program has partners reporting significant reductions in development time for delivering protection help to customers, which reduces the amount of time that systems are at risk. The Microsoft Exploitability Index is now firmly established as a valuable part of the Microsoft monthly security update release cycle, helping customers around the world prioritize their security update deployments and working to create more reliable and cost-effective system protection measures. Through the Microsoft Vulnerability Research program, Microsoft has leveraged its considerable depth of expertise and tools with vendors to help raise the level of security in their products that run on the Windows platform. Coordinated Vulnerability Disclosure is helping to protect customers around the world from attack while Microsoft works to build, test and release high-quality security updates.

In today's ever-evolving criminal landscape, increased information sharing is key to advancing progress towards safer, more trusted computing experiences. This involves continued work to develop better community-based defenses, increased help to resolve vulnerabilities in highly leveraged third-party code running on the Windows platform, and empowering customers with information that helps them make better risk assessments.

One Microsoft Way
Redmond, WA 98052-6399
microsoft.com/security