7/30/2019 Building a Safer More Trusted Internet Through Information Sharing
1/32
Building a Safer, More Trusted
Internet Through Information Sharing
Microsoft Security Response Center
August 2011
This document is for informational purposes only. MICROSOFT MAKES NO
WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE
INFORMATION IN THIS DOCUMENT.
This document is provided as-is. Information and views expressed in this
document, including URL and other Internet Web site references, may change
without notice. You bear the risk of using it.
Copyright 2011 Microsoft Corporation. All rights reserved.
The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.
Contents
Executive Summary ........................................ 2
Introduction ............................................. 6
Microsoft Active Protections Program ..................... 11
    MAPP Statistics ...................................... 12
    More Than Just Information Sharing ................... 12
    Collaboration with Adobe ............................. 13
    Microsoft Active Protections Program Partner Feedback  15
Microsoft Exploitability Index ........................... 18
    Providing Guidance for Customers on Newer Platforms .. 19
    Denial of Service Exploitability Assessment .......... 20
    Microsoft Exploitability Index Statistics ............ 20
Coordinated Vulnerability Disclosure ..................... 23
Microsoft Vulnerability Research ......................... 26
    MSVR Advisories ...................................... 26
    MSVR Program Statistics .............................. 28
Conclusion ............................................... 29
Executive Summary
The threat from cybercrime continues to grow, and people want to feel safer
online. But a safer online experience can only be pursued when customers, the
industry and the security and privacy community work together. The Microsoft
Security Response Center (MSRC) seeks to promote broad industry collaboration, responsible information sharing and better community-based defenses, striving to
deliver a safer online experience for computer users worldwide.
Over the past three years the MSRC has operated a number of key security-related
programs, the Microsoft Active Protections Program (MAPP), the Microsoft Exploitability
Index, and Microsoft Vulnerability Research (MSVR), that collectively share more
information with partners and customers. With these programs, customers have
increased access to more effective countermeasures and additional information to
better evaluate risks.
In addition, in August 2010 the MSRC announced the formulation of a set of practices to be used in disclosing information about software vulnerabilities in a
way that benefits both vendors and consumers, called Coordinated Vulnerability
Disclosure (CVD).
This report highlights the progress of these programs and practices, for the first
time including an update on the progress of CVD.
Microsoft Active Protections Program (MAPP)
Community-based defenses help better protect customers. Launched in 2008,
MAPP supplies Microsoft vulnerability information to security software partners prior to Microsoft's monthly security update release so partners can build
enhanced customer protections.
As of June 2011, 84 partners have joined MAPP; feedback from MAPP partners shows that the number of end users protected by partner
signatures ranges from the tens of thousands for smaller specialist
companies to hundreds of millions for mass-market vendors. In recent years, membership has grown most in Asia and Europe.
In 2010, MAPP began to focus on providing benefits to members beyond simply sharing vulnerability information. For example, MAPP provides
members with information about exploitation techniques to help them
validate their detection routines against newly discovered vulnerabilities.
In 2010, Microsoft and Adobe Systems Inc. began collaborating on an initiative to
distribute detailed vulnerability information for Adobe software to the MAPP
partners. This has given security vendors an opportunity to provide quicker and
more effective protections to their customers prior to Adobe deploying its security
updates, just as MAPP has done for Microsoft software.
Microsoft Exploitability Index
Sometimes overburdened and functioning with limited resources, IT professionals
require additional information to better evaluate risks. The Microsoft
Exploitability Index, launched in October 2008, provides Microsoft customers
with additional guidance to better prioritize the deployment of Microsoft security
updates.
In May of 2011, the MSRC started providing information about how exploitability differs between older versions and newer versions of the
affected products. Of the 256 Exploitability Index ratings published from July 2010 through May 2011, 97 issues were less serious or nonexistent
on the latest version of the affected application than on earlier versions. In
contrast, only seven vulnerabilities affected the most recent version but
not older versions.
At the same time, Microsoft started providing more information about the Denial of Service (DoS) impact of a particular vulnerability. Even
vulnerabilities that are difficult to exploit can still be used to cause a crash
in an application or operating system. For each applicable security
bulletin, a Denial of Service Exploitability Assessment indicates whether
such a crash would be permanent (requiring that the computer be
rebooted) or temporary.
Of the 605 Exploitability Index ratings issued from October 2008 to June
2011, only five have been revised. In five other cases, the Key Notes
information for an Exploitability Index assessment was updated, but the
rating itself did not change.
Microsoft recommends that customers install all applicable security updates, including bulletins with an exploitability index of 3 or a severity
rating of Moderate, but when circumstances require prioritizing some
updates over others, customers can use Exploitability Index ratings to help them save money and better allocate resources. For example, a
customer that deploys all security bulletins within 30 days would have
had to test and deploy a total of 117 bulletins from June 2010 to June
2011. By contrast, a customer that only deploys Critical1 updates with an
Exploitability Index rating of 1 and uses the most recent Windows client
and server versions exclusively would have deployed just 24 updates, a
difference of more than 80 percent.
Coordinated Vulnerability Disclosure (CVD)
In July 2010, the MSRC announced the formulation of a set of practices to be used
in disclosing information about software vulnerabilities in a way that benefits both
vendors and consumers. Termed Coordinated Vulnerability Disclosure (CVD),
these practices have since been adopted by Microsoft and other software vendors
across the industry.
Under the principle of Coordinated Vulnerability Disclosure, finders disclose
newly discovered vulnerabilities in hardware, software, and services directly to the
vendors of the affected product, to a national/regional CERT or other coordinator
who will report to the vendor privately, or to a private service that will likewise
report to the vendor privately. The finder allows the vendor the opportunity to
diagnose and offer fully tested updates, workarounds, or other corrective
measures before any party discloses detailed vulnerability or exploit information to the public. The vendor continues to coordinate with the finder throughout the
vulnerability investigation and provides the finder with updates on case progress.
Upon release of an update, the vendor may recognize the finder in bulletins or
advisories for finding and privately reporting the issue. If attacks are underway in
the wild, and the vendor is still working on the update, then both the finder and
vendor work together as closely as possible to provide early public vulnerability
disclosure to help protect customers. The aim is to provide timely and consistent
guidance to help customers protect themselves.
Microsoft Vulnerability Research (MSVR)
The MSVR program is an effort to help improve the security of third-party
software running on the Microsoft Windows platform by providing Microsoft
security expertise to software vendors affected by vulnerabilities in their products.
Microsoft recognizes that cooperating with other software vendors on the
discovery and resolution of vulnerabilities helps not only the affected vendors, but
1 http://www.microsoft.com/technet/security/bulletin/rating.mspx
Microsoft and its customers as well. Community-based defense efforts aimed at increasing the security of the overall computing ecosystem help make the online
experience safer, which makes users feel more confident and trustful.
As part of the CVD approach, beginning in April 2011, the MSVR program began issuing MSVR Advisories detailing software vulnerabilities
that Microsoft had privately disclosed to third-party vendors.
Since July 2010, MSVR has identified and responsibly disclosed 109 different software vulnerabilities affecting a total of 38 vendors.
Ninety-three percent of third-party vulnerabilities found through MSVR since July 2010 were rated as Critical or Important2.
Vendors have responded and have coordinated on 97 percent of all reported vulnerabilities; 29 percent of third-party vulnerabilities found since July 2010 have already been resolved, and none of the
vulnerabilities without updates have been observed in any attacks.
2 http://www.microsoft.com/technet/security/bulletin/rating.mspx
Introduction
The most publicly visible work that the MSRC carries out is coordinating the
development, testing and release of Microsoft security updates that address
vulnerabilities in Microsoft software. This section describes some of the key trends
in managing vulnerabilities in Microsoft software during the 12 months from July
2010 through June 2011, provides some forward-looking thoughts on future trends, and highlights tools and processes that organizations can leverage to help
reduce potential disruption that security update deployment might introduce.
Vulnerabilities are weaknesses in software that enable an attacker to compromise
the integrity, availability, or confidentiality of that software or the data it
processes. Some of the most severe vulnerabilities enable attackers to run software
code of their choice, potentially compromising the system's software. The
disclosure of a vulnerability is the revelation of a vulnerability to the public at
large. Disclosures can come from various sources, including software vendors,
security software vendors, independent security researchers, and those who create
malicious software (also known as malware).
It is impossible to completely prevent vulnerabilities from being introduced
during the development of large-scale software projects. As long as human beings
write software code, no software will be perfect and mistakes that lead to
imperfections in software will be made. Some imperfections (bugs) simply
prevent the software from functioning exactly as intended, but other bugs may
present vulnerabilities. Not all vulnerabilities are equal; some vulnerabilities won't
be exploitable because specific mitigations prevent attackers from using them.
Nevertheless, some percentage of the vulnerabilities that exist in a given piece of
software poses the potential to be exploitable.3
Many software developers address vulnerabilities by releasing security updates.
Microsoft has evolved a mature and proven process to help ensure that high-
quality security updates are developed, tested and released in a timely and
predictable manner. See the whitepaper Software Vulnerability Management at
Microsoft for more details on these processes.
3 http://www.microsoft.com/security/msrc/whatwedo/updates.aspx
Software vulnerabilities disclosed and security bulletins released July 2010 through June 2011
During the 12 months from July 2010 through July 2011 Microsoft released a
total of 117 security bulletins covering 283 individual vulnerabilities. Software
vulnerabilities are enumerated and documented in the Common Vulnerabilities
and Exposures (CVE) list4, a standardized repository of vulnerability information.
There were two out-of-band security bulletins during this period.
Figure 1. Bulletins issued and CVEs addressed, 1H06 to 1H11
4 http://cve.mitre.org
Coordinated Vulnerability Disclosure (CVD) compliant disclosure rates remained high during the period from July 2010 through June 2011. Seventy-four percent
of vulnerabilities disclosed to Microsoft were reported directly to the MSRC, and
nine percent were reported through vulnerability brokers. A high rate of CVD-
compliant vulnerability disclosure helps to reduce risk to computer users on the
internet by allowing Microsoft to develop, test and release a high-quality security
update before details of the vulnerability are broadly disclosed.
Figure 2. Industry-wide vulnerability disclosures, July 2006 to June 2011
Lower numbers of vulnerabilities that could lead to remote code execution
Although the number of vulnerabilities disclosed in Microsoft software has
increased over the past two years, vulnerabilities that could lead to remote code
execution have dropped in percentage terms:
Figure 3. Percentage of vulnerabilities with potential remote code execution, July 2006 to June 2011
Microsoft working to minimize disruption due to security updates
Microsoft understands that deploying security updates can cause disruption to
organizations and businesses, particularly when those updates affect server
products. To help minimize disruption, Microsoft conducts extensive testing
before releasing security updates to help avoid deployment or compatibility issues.
Security updates are announced via security bulletins on the second Tuesday of
the month, a predictable cadence that is widely regarded across the industry and
customer base as best practice.
As part of this process Microsoft assigns a severity rating and an Exploitability
Index rating to each bulletin; with these pieces of information organizations can
choose how to prioritize deployments. Beginning in May 2011, Microsoft began
assigning two Exploitability Index ratings to each bulletin: one rating for the
newest version of the affected product, and a separate rating for older versions of the product.
Although some organizations deploy all Microsoft security bulletins when they are
released, many organizations conduct risk assessment exercises to help prioritize
deployments (for example, identifying which bulletins must be deployed in their
environment urgently, and which can be delayed to a quarterly planned
maintenance event).
Combining the severity rating and Exploitability Index can help reduce the
business impact due to update deployment: if an organization deploys Critical
bulletins that have an Exploitability Index rating of 1 in its monthly deployment
process (and delays all other bulletins for a quarterly deployment push), the effect
is noticeable.
This effect is particularly positive for newer versions of products. For security
bulletins that affect Windows Server products, which typically cause the most
disruption to organizations and businesses, this approach can be very useful;
urgent deployments could be reduced by almost 85 percent:
Figure 4. Security bulletin deployment events affecting Windows Server under different scenarios, June 2010 to June 2011
Deploy all Windows Server bulletins within 30 days: 83
Deploy only critical Windows Server bulletins within 30 days after release: 29
Deploy only critical Windows Server bulletins with an XI of 1 on release day: 20
Deploy only critical Windows Server bulletins with an XI of 1 on release day, when all systems are on the most recent product release (Windows Server 2008): 13
Microsoft recommends that customers install all applicable security updates,
including bulletins with an exploitability index of 3 or a severity rating of
Moderate. Exploitation techniques change over time, and newly developed
techniques can make it easier for an attacker to exploit vulnerabilities that had
previously been more difficult to successfully exploit. Nevertheless, Microsoft
recognizes that prioritization decisions will be made within each organization and that time and resources may often be limited. The Exploitability Index allows
customers facing such limitations to better prioritize their update deployments.
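The prioritization scheme described above (severity rating combined with the Exploitability Index, a separate XI rating for the newest and older product versions, and the Denial of Service assessment as a tie-breaker), worked through as an added example. This is not code from the report or from Microsoft; the bulletin identifiers and ratings below are constructed sample data, and the labels for XI ratings 2 and 3 are the standard Exploitability Index scale rather than text taken from this page.

```python
# Added example (not Microsoft's tooling): triage one month of security
# bulletins into a release-day list and a prioritised quarterly list using the
# severity rating and the Exploitability Index (XI), as the report describes.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Standard MSRC severity scale, most severe first.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

# Exploitability Index ratings (standard scale; only ratings 1 and 3 appear on the page).
XI_LABELS = {
    1: "Consistent exploit code likely",
    2: "Inconsistent exploit code likely",
    3: "Functioning exploit code unlikely",
}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    severity: str
    xi_latest: Optional[int]   # XI for the newest product version; None = not affected
    xi_older: Optional[int]    # XI for older versions; None = not affected
    dos: Optional[str] = None  # DoS assessment: "Permanent", "Temporary" or None


def applicable_xi(b: Bulletin, all_on_latest: bool) -> Optional[int]:
    """Worst-case (lowest) XI across the product versions actually deployed."""
    if all_on_latest:
        return b.xi_latest
    rated = [xi for xi in (b.xi_latest, b.xi_older) if xi is not None]
    return min(rated) if rated else None


def is_urgent(b: Bulletin, all_on_latest: bool = False) -> bool:
    """Release-day deployment: Critical severity with XI 1 on a deployed version."""
    return b.severity == "Critical" and applicable_xi(b, all_on_latest) == 1


def priority_key(b: Bulletin, all_on_latest: bool = False) -> Tuple[int, int, int]:
    """Ordering for the deferred queue: severity, then XI, then permanent DoS first."""
    xi = applicable_xi(b, all_on_latest)
    return (
        SEVERITY_RANK.get(b.severity, len(SEVERITY_RANK)),
        xi if xi is not None else 9,
        0 if b.dos == "Permanent" else 1,
    )


def triage(bulletins: Iterable[Bulletin],
           all_on_latest: bool = False) -> Tuple[List[Bulletin], List[Bulletin]]:
    """Split bulletins that affect the estate into urgent and deferred lists."""
    applicable = [b for b in bulletins if applicable_xi(b, all_on_latest) is not None]
    urgent = [b for b in applicable if is_urgent(b, all_on_latest)]
    deferred = sorted(
        (b for b in applicable if not is_urgent(b, all_on_latest)),
        key=lambda b: priority_key(b, all_on_latest),
    )
    return urgent, deferred


def deployment_counts(bulletins: Iterable[Bulletin]) -> Dict[str, int]:
    """Bulletins needing prompt deployment under the four scenarios of Figure 4."""
    bs = list(bulletins)
    return {
        "all": len(bs),
        "critical": sum(b.severity == "Critical" for b in bs),
        "critical_xi1": sum(is_urgent(b, False) for b in bs),
        "critical_xi1_latest_only": sum(is_urgent(b, True) for b in bs),
    }


# Constructed sample month; the IDs and ratings are illustrative, not real bulletins.
SAMPLE_BULLETINS = [
    Bulletin("MSYY-001", "Critical", 1, 1),
    Bulletin("MSYY-002", "Critical", 3, 1),             # less serious on the newest version
    Bulletin("MSYY-003", "Critical", 2, 2),
    Bulletin("MSYY-004", "Important", 1, 1, "Permanent"),
    Bulletin("MSYY-005", "Moderate", 3, 3, "Temporary"),
    Bulletin("MSYY-006", "Critical", 1, None),          # affects the newest version only
]

if __name__ == "__main__":
    urgent, deferred = triage(SAMPLE_BULLETINS)
    print("Release day:", [b.bulletin_id for b in urgent])
    print("Quarterly push:", [b.bulletin_id for b in deferred])
    print(deployment_counts(SAMPLE_BULLETINS))
```

With the sample data the count drops from six bulletins to three under the "Critical with XI 1" rule and to two when every system runs the newest product version, mirroring the reductions in Figure 4. The deferred list is a schedule, not a skip list: the report recommends installing all applicable updates, and the sort key only decides which of the remaining bulletins go first in the quarterly push.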
As long as security threats remain, Microsoft will continue its commitment to
helping protect customers. Innovative industry collaboration and information
sharing programs such as MAPP, MSVR, CVD and the Exploitability Index
continue to showcase improved results that demonstrate that commitment.
Microsoft Active Protections Program
Officially launched in October 2008, MAPP5 supplies Microsoft vulnerability
information to security software providers before each Microsoft monthly security update, and out-of-band security updates and advisories. By obtaining security
vulnerability information early, partners gain additional time to build software
protections for their customers before Microsoft releases security updates to the
public.
Prior to MAPP's launch, security software providers received vulnerability
information at the same time as exploit code writers (10 a.m. Pacific Time on the
second Tuesday of each month, when Microsoft releases its monthly security
updates). Because it takes time for customers to deploy security updates, this
security update release marked the start of a race between individuals with
malicious intent and security software providers, a race in which one side hurries to develop attacks while the other side rushes to provide interim customer
protections until security updates can be applied.
Results reported by Sourcefire, a world leader in real-time adaptive network
security, show that before MAPP, approximately eight hours was needed to
reverse engineer vulnerability information, develop proof-of-concept (PoC) exploit
code, and then build protective detection code for the exploit. Eight hours is also
about the amount of time a focused attacker needs to generate malicious exploit
code after a vulnerability is disclosed. With advance access to vulnerability
information through MAPP, Sourcefire reports that their protective process now
only takes two hours, and that their developers only have to write the detection code because everything else is provided. The result is that protections are
typically released hours ahead of any exploit code, which means that customers
are better protected hours ahead of even the most focused attackers.
5 For more information, including a list of MAPP partners, see www.microsoft.com/security/msrc/collaboration/mapp.aspx
MAPP Statistics
As of June 2011, 84 partners have joined MAPP; feedback from MAPP partners
shows that the number of end users benefiting from partner signatures ranges
from the tens of thousands for smaller specialist companies to hundreds of
millions for mass-market vendors. MAPP partners6 represent global markets for
antivirus, IDS, and IPS, and include a mix of medium to large companies that
provide active software security protections7 for consumers and enterprises
around the world. Partners include companies based in North America, Europe,
the Middle East, and Asia. In recent years, membership has grown most in Asia
and Europe. In 2011, for example, the MAPP community was strengthened by the
addition of major vendors Qihoo 360, headquartered in China; Avast, headquartered in the Czech Republic; and Avira, headquartered in Germany.
Microsoft security professionals regularly communicate with MAPP members to
understand whether the information Microsoft is providing is assisting them in their goal
to protect their customers. Information from these discussions is continuously
evaluated to ensure the program is meeting its main goal of helping to protect the
mutual customers of Microsoft and the security provider.
More Than Just Information Sharing
In 2010, MAPP began to focus not only on getting customers the protection help
they need faster, but also on making existing protections better, a role beyond the
mere dissemination of vulnerability information. Malware creators and attackers
devote considerable efforts to avoiding detection by security software. By
coordinating through a program like MAPP, community members can combine
their skills, visibility, and insight to make it much more difficult for attackers to
avoid detection.
A good example of this coordination involves Microsoft Security Bulletin MS10-087, a bulletin focused on addressing reported vulnerabilities in Microsoft Office
that could allow remote code execution. This security bulletin was released on
November 9, 2010, and addressed a number of vulnerabilities, including
CVE-2010-3333, a vulnerability in the Microsoft Office Rich Text Format (RTF)
parsers. Microsoft researchers determined that this vulnerability would be
relatively trivial for an attacker to exploit, and assigned it an exploitability index
rating of 1 (Consistent exploit code likely). (See Microsoft Exploitability Index on page 18 for more information.)
6 For the most current list of all MAPP partners, see http://www.microsoft.com/security/msrc/collaboration/mapppartners.aspx.
7 For information on the term active software security protections, see http://www.microsoft.com/security/msrc/collaboration/mappfaq.aspx.
On December 28, the Microsoft Malware Protection Center (MMPC), which is
considered one of the MAPP partners, identified a malicious file that exploited this
vulnerability. The MMPC informed the MSRC that the vulnerability was being
actively exploited, and the MSRC began investigating whether other MAPP
partners had effective means of detecting the exploitation technique. Researchers
discovered that attackers were using three different exploitation methods in an
effort to avoid being detected. Microsoft shared the details of these three
techniques and the files that were identified as exploiting the vulnerability with
each of the partners in the MAPP program. This allowed partners to validate their detection routines against the vulnerability and ensure they had accurate coverage
in place.
Collaboration with Adobe
In today's rapidly evolving threat landscape, the solution to a security problem is
often not found in one company, individual, or technology. In 2010, Microsoft
and Adobe Systems Inc. began collaborating on an initiative to distribute detailed
vulnerability information for Adobe software to the MAPP partners. This has given
security vendors an opportunity to provide quicker and more effective protections
to their customers prior to Adobe deploying its security updates, just as MAPP has
done for Microsoft software.
Adobe is proud of its continued participation in the MAPP program and pleased with
the positive feedback we've been getting from MAPP partners. Since the July 2010 MSRC
Information Sharing report, Adobe's participation in MAPP has grown from providing
proof of concept documentation for exploits to providing full detection guidance and
examples on virtually all Adobe Reader and Flash Player issues. We are pleased with the
results of our participation in MAPP and value MAPP as a great example of companies
working together to share information to help protect our mutual customers. Adobe has
provided detection guidance to MAPP partners on 14 security updates since we began
participating in the program.
Brad Arkin, Senior Director of Product Security and Privacy, Adobe Systems
Incorporated
Many partners have reacted very positively to the distribution of Adobe vulnerability information through the MAPP program. Reactions have included
the following:
In 2011, Microsoft continued its partnership with Adobe on
providing vulnerability information to MAPP partners on Adobe
product vulnerabilities. Adobe has provided detection guidance to
MAPP participants on 14 security bulletins and advisories since
Adobe began participating in the program.
The addition of Adobe to the MAPP notification process extended
and enhanced the many benefits MAPP already offered. This
strategic relationship shows dedication both by Microsoft and
Adobe to provide security for their end users. Consolidating the
format and utilizing a matured delivery mechanism for release
notifications saves Solutionary hours of research and bulletin
preparation each month.
Brad Curtis, Security Engineering and Research Team (SERT),
Solutionary
Microsoft, through MAPP, is helping security vendors like us to
keep ahead in this constant race between cyber criminals (hackers)
and the security vendors. Inclusion of Adobe data in this was a wise
decision by Adobe toward reaching all security vendors with the right
information. We find this initiative by Adobe more helpful as it helps
us to prepare our products in advance against exploits of
vulnerabilities in PDF and other Adobe files.
MAPP is certainly doing great work towards the common goal of
making the cyber world safer.
Sanjay Katkar, CTO, Quick Heal Technologies
Microsoft Active Protections Program Partner Feedback
Partners report that the Microsoft Active Protections Program saves them
considerable time and effort, and these savings are passed onto customers by way
of more timely and effective software protections. Some feedback Microsoft has
received includes:
We were excited to see regularly-updated and highly-valued Adobe
vulnerability information on MAPP's platform. Adobe's data helped
us to release several protections against Flash flaws in the past year.
The collaboration of MAPP and Adobe is a good start and we hope
that other popular software vendors can join and contribute to a
broader and better security protection for customers.
Daishuo, Senior malware analyst, Beijing Jiangmin New Science
& Technology Co. Ltd.
"MAPP has become an indispensable part of NIKSUN's security
program to protect its customers. The timeliness, quality, efficiency,
and accuracy of our detection have been greatly improved over pre-
MAPP days, when truly detailed MS vulnerability information was
scarce. We are happy to see Adobe join the program and hope that
other high profile vendors will follow suit, as this seems to be a
worthy model of responsible disclosure."
Darryle Merlette, Executive Director -- Security Solutions,
NIKSUN
With the addition of Adobe to the Microsoft Active Protections
Program, Juniper Networks is able to provide quality protection to
customers when time is a critical factor.
Karl Lynn, Juniper Networks
The information coming from MAPP helps us to successfully
provide zero-day protection to customers.
Wei Wang, Beijing Leadsec Technology Co., Ltd
MAPP has been using a creative way to combat vulnerabilities in the
shortest time by combining most of the security partners all over
the world; not only our company but also all other partners
benefit from it, so information security as a whole improves a lot.
Shaowen Yan, Vice President, Beijing Jiangmin New Science &
Technology Co. Ltd.
The MAPP program helped SonicWALL improve response time and
achieve greater protection coverage against exploits targeting
Microsoft-based vulnerabilities. The MAPP program is very well run and
provides our research team with necessary technical detail in
advance to keep our customers protected at the highest level.
Alex Dubrovsky, Director of Software Engineering & Threat
Research, SonicWALL
Although our participation in the MAPP program is relatively short,
it has already helped us to reduce the number of malware samples
that we need to analyze. This allows us to provide customers with
protection faster.
Peter Kov, Software Developer, AVAST Software
MAPP's early notification allows Solutionary to proactively and intelligently protect clients from the moment the notification is released. The information MAPP provides is clear and comprehensive, which streamlines signature deployment and the alerting process. Since becoming a MAPP member, Solutionary's Security Engineering & Research Team (SERT) now focuses time and energy towards identification, defense, and disclosure of new vulnerabilities, rather than handling the administrative function of researching and drafting bulletins.
Brad Curtis, Security Engineering and Research Team (SERT),
Solutionary
MAPP gives great help in improving our ability to protect customers and deepening our understanding of security.
Hangzhou DPTech Technologies Co., Ltd
The MAPP program enables us to provide very timely and accurate protection to our customers. This gives us and our customers a lot of confidence in our protection. We are pleased to be a part of this program. It is a very good initiative from Microsoft to enable security vendors to deploy quick protection.
Pawan Kinger, Senior Manager, Trend Micro
Microsoft Exploitability Index
Through various communication channels, Microsoft has always provided
customers with information about the availability of proof-of-concept (PoC)
exploit code or active attacks related to vulnerabilities addressed by Microsoft
security updates. The Microsoft Exploitability Index8 was developed in response to customer requests for additional information to better evaluate risk; it provides new data on the likelihood of functioning exploit code being developed, so that customers have additional guidance to better prioritize the deployment of Microsoft security updates.9
The main goal of the Exploitability Index is to help customers prioritize their
security update deployments. This information enables customers to better
identify the security updates that are most important to them and deploy them in
a timely manner. For example, a customer might prioritize addressing an
Important severity vulnerability that is likely to be exploited in the first 30 days
after release of the security update over a Critical vulnerability that is unlikely to ever be exploited. Although most customers use the severity ratings to identify which updates are really worth their attention, the Exploitability Index offers additional technical detail that can help security teams maximize the benefit of their security resources.
The Exploitability Index uses three levels to communicate to customers the
likelihood of functioning exploit code being developed:
1 - Consistent Exploit Code Likely. Analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit the vulnerability. For example, an exploit would be able to cause remote execution of the attacker's code repeatedly, and in a way that the attacker could consistently expect the same results. This would make it an attractive target for attackers, and therefore more likely that exploit code would be created.
8 For more information on the Microsoft Exploitability Index, see http://technet.microsoft.com/security/cc998259.
9 Alberts, Bas, A Bounds Check on the Microsoft Exploitability Index (Miami Beach, Fla.: Immunity, Inc., 2008), p. 7.
Although this information has only been published since May 2011, the MSRC performed an internal evaluation of all 256 Exploitability Index ratings published
from July 2010 through May 2011 and found that 97 issues were less serious or
nonexistent on the latest version of the affected application than on earlier
versions. In contrast, only seven vulnerabilities affected the most recent version
but not older versions.
Denial of Service Exploitability Assessment
In addition, Microsoft started providing more information about the Denial of
Service (DoS) impact of a particular vulnerability. Even vulnerabilities that are
difficult to exploit can still be used to cause a crash in an application or operating
system. For each applicable security bulletin, a Denial of Service Exploitability
Assessment indicates whether such a crash would be permanent (requiring that
the computer be rebooted) or temporary.
Figure 5. Security Bulletin10 summaries have included expanded exploitability information since May
2011
Microsoft Exploitability Index Statistics
The 254 security bulletins published from October 2008 to June 2011 resulted in
605 Exploitability Index ratings, as shown in the following table.11
10 Sign up for free security notifications from Microsoft at http://technet.microsoft.com/en-us/security/dd252948.aspx.
11 Security bulletins published in May 2011 and afterward have included two Exploitability Index ratings for each vulnerability, as explained on page 12. For each of these vulnerabilities, the more severe of the two ratings is represented in Figure 2.
Figure 6. Microsoft Exploitability Index ratings, October 2008 to June 2011
1 - Consistent Exploit Code Likely       336
2 - Inconsistent Exploit Code Likely     176
3 - Functioning Exploit Code Unlikely     93
Total                                    605
Of the 605 ratings issued through June 2011, only five have been revised:
- June 2009: CVE-2009-1138 was changed from an Exploitability Index Assessment of 1 - Consistent Exploit Code Likely to 3 - Functioning Exploit Code Unlikely; Key Notes section updated.
- September 2010: CVE-2010-2738 was changed from 2 - Inconsistent Exploit Code Likely to 1 - Consistent Exploit Code Likely.
- September 2010: CVE-2010-2730 was changed from 1 - Consistent Exploit Code Likely to 2 - Inconsistent Exploit Code Likely.
- February 2011: CVE-2011-0091 was changed from 2 - Inconsistent Exploit Code Likely to 3 - Functioning Exploit Code Unlikely.
- April 2011: CVE-2011-0034 was changed from 2 - Inconsistent Exploit Code Likely to 1 - Consistent Exploit Code Likely.
In five other cases, the Key Notes information for an Exploitability Index assessment was updated, but the rating itself did not change:
- January 2009: CVE-2008-4114; no change in Exploitability Index Assessment; Key Notes section clarified.
- April 2009: CVE-2008-2540; no change in Exploitability Index Assessment; Key Notes section updated.
- April 2009: CVE-2009-0089; no change in Exploitability Index Assessment; Key Notes removed.
- November 2009: CVE-2009-2523; no change in Exploitability Index Assessment; Key Notes section added.
- September 2010: CVE-2010-0818; no change in Exploitability Index Assessment; Key Notes section added.
An examination of different possible deployment scenarios illustrates how the Exploitability Index can help save organizations money and allow them to better allocate resources:
Figure 7. Security bulletin deployment events under different scenarios, June 2010 to June 2011

Scenario                                                                          Bulletins
Deploy all bulletins within 30 days                                                     117
Deploy only Critical bulletins within 30 days after release                              50
Deploy only Critical bulletins with an XI of 1 on release day                            35
Deploy only Critical bulletins with an XI of 1 on release day, when all systems
  are on the most recent product release                                                 24
Deploy all Server bulletins only                                                         83
Deploy all Critical Server bulletins only                                                29
Deploy all Critical Server bulletins with an Exploitability Index rating of 1            20
Deploy all Critical bulletins for Windows Server 2008 with an Exploitability
  Index of 1                                                                             13
For example, a customer that deploys all security bulletins within 30 days would have had to test and deploy a total of 117 bulletins from June 2010 to June 2011. By contrast, a customer that only deploys Critical updates with an Exploitability Index rating of 1 and uses the most recent Windows client and server versions exclusively would have deployed just 24 updates, roughly 80 percent fewer.
Microsoft recommends that customers install all applicable security updates,
including bulletins with an exploitability index of 3 or a severity rating of
Moderate. Exploitation techniques change over time, and newly developed techniques can make it easier for an attacker to exploit vulnerabilities that had previously been more difficult to exploit successfully. Nevertheless, Microsoft recognizes that prioritization decisions will be made within each organization and that time and resources may often be limited. The Exploitability Index allows customers facing such limitations to better prioritize their update deployments.
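The prioritization rule described in this section (an Important issue rated 1 outranking a Critical issue rated 3), the two-rating scheme noted in footnote 11 (the more severe rating applies unless every system is on the latest release), and the Figure 7 deployment policies can be expressed as a small model. The following Python is an added example, not code from this paper or from Microsoft. The bulletin records, identifiers, product names and ratings in it are constructed for illustration and are not real MSRC bulletins.

```python
"""Prioritizing security-update deployment by severity and Exploitability Index.

Added example, not code from the Microsoft paper. Bulletin records are
constructed for illustration; identifiers, products and ratings are made up.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# Exploitability Index (XI) levels as defined by the MSRC; lower = exploit more likely.
XI_CONSISTENT = 1    # 1 - Consistent exploit code likely
XI_INCONSISTENT = 2  # 2 - Inconsistent exploit code likely
XI_UNLIKELY = 3      # 3 - Functioning exploit code unlikely

# Aggregate severity, ranked so that ascending sort puts Critical first.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Bulletin:
    ident: str                     # hypothetical bulletin identifier
    severity: str                  # aggregate severity rating
    xi_latest: int                 # XI for the latest product release
    xi_older: Optional[int]        # XI for older releases (None if only one rating)
    products: Tuple[str, ...]      # affected product families
    dos_permanent: Optional[bool]  # DoS assessment: True=permanent, False=temporary, None=n/a


def effective_xi(b: Bulletin, all_on_latest: bool) -> int:
    """Pick the XI rating that applies to the fleet.

    Bulletins since May 2011 carry two ratings. If every system runs the latest
    release only xi_latest matters; otherwise take the more severe (lower) one,
    which is how footnote 11 says the paper's own statistics are counted.
    """
    if all_on_latest or b.xi_older is None:
        return b.xi_latest
    return min(b.xi_latest, b.xi_older)


def priority_key(b: Bulletin, all_on_latest: bool):
    """Sort key: likelihood of exploitation first, then severity, then identifier."""
    return (effective_xi(b, all_on_latest), SEVERITY_RANK[b.severity], b.ident)


def prioritize(bulletins: Iterable[Bulletin], all_on_latest: bool = False) -> List[str]:
    """Deployment order; an Important/XI-1 issue outranks a Critical/XI-3 one."""
    return [b.ident for b in sorted(bulletins, key=lambda b: priority_key(b, all_on_latest))]


# Deployment policies from Figure 7, expressed as predicates over a bulletin.
Policy = Callable[[Bulletin, bool], bool]

def deploy_all(b: Bulletin, latest: bool) -> bool:
    return True

def critical_only(b: Bulletin, latest: bool) -> bool:
    return b.severity == "Critical"

def critical_xi1(b: Bulletin, latest: bool) -> bool:
    return critical_only(b, latest) and effective_xi(b, latest) == XI_CONSISTENT

def server_only(b: Bulletin, latest: bool) -> bool:
    return "Windows Server" in b.products

def critical_server_xi1(b: Bulletin, latest: bool) -> bool:
    return server_only(b, latest) and critical_xi1(b, latest)


def count_deployments(bulletins: Iterable[Bulletin], policy: Policy,
                      all_on_latest: bool = False) -> int:
    """Number of bulletins a policy would have required testing and deploying."""
    return sum(1 for b in bulletins if policy(b, all_on_latest))


def reduction_percent(baseline: int, reduced: int) -> float:
    """Percentage fewer deployments relative to deploying everything."""
    return round(100.0 * (baseline - reduced) / baseline, 1)


# Constructed sample data (not real bulletins). B-002 is the interesting case:
# hard to exploit on the latest release (3) but easy on older ones (1).
SAMPLE = [
    Bulletin("B-001", "Critical",  1, 1, ("Windows Client", "Windows Server"), False),
    Bulletin("B-002", "Critical",  3, 1, ("Windows Client", "Windows Server"), True),
    Bulletin("B-003", "Important", 1, 1, ("Office",), None),
    Bulletin("B-004", "Critical",  3, 3, ("Windows Client",), None),
    Bulletin("B-005", "Moderate",  2, 2, ("Windows Server",), False),
    Bulletin("B-006", "Important", 3, 2, ("Windows Server",), None),
]

if __name__ == "__main__":
    print("priority (mixed fleet):", prioritize(SAMPLE))
    print("priority (all latest): ", prioritize(SAMPLE, all_on_latest=True))
    for name, pol in [("all", deploy_all), ("critical", critical_only),
                      ("critical XI1", critical_xi1),
                      ("critical server XI1", critical_server_xi1)]:
        print(f"{name:>20}: {count_deployments(SAMPLE, pol)} "
              f"(all on latest: {count_deployments(SAMPLE, pol, True)})")
    print("Figure 7 reduction, 117 -> 24:", reduction_percent(117, 24), "%")
```

Running it prints the deployment order under both fleet assumptions and the per-policy counts; `reduction_percent(117, 24)` reproduces the Figure 7 comparison (79.5 percent fewer bulletins). The mixed-fleet order puts the constructed Important/XI-1 bulletin ahead of the Critical/XI-3 one, which is the trade-off the section describes, and B-002 moves down the list only once every system is on the latest release. As the paper stresses, the policies are a prioritization aid, not a reason to leave rating-3 updates uninstalled.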
Coordinated Vulnerability Disclosure
In July 2010, the MSRC announced the formulation of a set of practices to be used
in disclosing information about software vulnerabilities in a way that benefits both
vendors and consumers. Termed Coordinated Vulnerability Disclosure (CVD),
these practices have since been adopted by Microsoft and other software vendors
across the industry.
Under CVD, finders disclose newly discovered vulnerabilities in hardware,
software, and services directly to the vendors of the affected product, to a
national/regional CERT or other coordinator who will report to the vendor
privately, or to a private service that will likewise report to the vendor privately.
The finder allows the vendor the opportunity to diagnose and offer fully tested
updates, workarounds, or other corrective measures before any party discloses
detailed vulnerability or exploit information to the public. The vendor continues
to coordinate with the finder throughout the vulnerability investigation and provides the finder with updates on case progress. Upon release of an update, the
vendor may recognize the finder in bulletins or advisories for finding and privately
reporting the issue. If attacks are underway in the wild, and the vendor is still
working on the update, then both the finder and vendor work together as closely
as possible to provide early public vulnerability disclosure to help protect
customers. The aim is to provide timely and consistent guidance to help
customers protect themselves.
Information about vulnerabilities in third-party products comes to MSVR in three primary ways:
- Internal Microsoft developers and test engineers: In the course of their day-to-day jobs, developers and test engineers find potential vulnerabilities in third-party software. These vulnerabilities are reported to the MSVR team, which then works with the affected vendor to fix the issue.
- Internal research projects: As time and resources permit, MSVR performs its own vulnerability analysis and research on third-party products that run on Microsoft operating systems but are not developed by Microsoft, using internally developed toolsets and practices.
- External reports to Microsoft Security Response Center (MSRC): External researchers report issues to the MSRC that they believe affect Microsoft products. On occasion, researchers determine that a reported issue affects third-party products instead of or in addition to Microsoft products. As with internally discovered vulnerabilities, these are reported to the MSVR team, which works with the affected vendors to address the issue.
After receiving information about a vulnerability in a third-party product, MSVR
compiles a comprehensive set of information about the vulnerability to provide to
the affected vendor. This can include information about the test environment in which the vulnerability was observed, the severity and security impact of the vulnerability, crash dump information, proof-of-concept and/or exploit code, root cause analysis information, and other technical details about the vulnerability.
When the analysis is complete, MSVR initiates communication with the vendor's designated contact, using encrypted email if possible, or other methods as appropriate. To minimize the risk of vulnerability information being misdirected while attempting to identify the vendor contact, MSVR does not send the vulnerability report in the initial e-mail. The initial e-mail is a simple introduction stating that MSVR is attempting to identify the correct contact to report a vulnerability in the vendor's products or services. When the appropriate vendor contact is identified and confirms willingness to accept the vulnerability report, MSVR provides the vulnerability report.
Microsoft understands that each software vendor is likely to have its own list of
concerns about cooperating with other parties on vulnerability response, and that
some software vendors may have misgivings about accepting MSVR's help. MSVR
is pleased to work in a cooperative manner with any vendor dealing with a
software vulnerability on the Windows platform. At the same time, MSVR urges
every software vendor to address vulnerabilities in an open, responsive, and timely
fashion, whether in cooperation with MSVR or not. This will help keep the
Internet ecosystem safer for all users, and help vendors achieve a positive
reputation in the security community as well.
Many customers have reacted very positively to the announcement of CVD.
Reactions have included the following:
For more information, see Coordinated Vulnerability Disclosure at the MSRC website.
"When researchers disclose software vulnerabilities before vendors have a chance to
address them, business may be impacted. Announcing vulnerabilities in public ways
serves no useful purpose; enterprises and even individual users immediately lose a veil of
protection, because the details of a vulnerability are available to those who would do
harm. I agree with Microsoft's Coordinated Vulnerability Disclosure (CVD) policy, where a
vulnerability is announced in tandem with a fix or recommendation for compensating
controls. By far, this is a more responsible approach to vulnerability
publicity. Unfortunately, vulnerability disclosures continue to grow in number and scale
in part for the recognition and financial reward they might bring. That environment shouldn't be nurtured or promoted. By working within the system, there will be far less
damage to the system we all rely on."
- Alan Levine, Chief Information Security Officer, Alcoa
We applaud the efforts of Microsoft and others in the software industry to develop
better practices around vulnerability disclosure and move the debate forward. At BP we
support the principle of disclosing vulnerabilities in a coordinated way. We also believe
that "full disclosure" of software vulnerabilities, without warning to the user community
and without immediate access to fixes or patches, poses a significant risk to large and
small businesses alike.
- John I Meakin, Director, Digital Security & CISO, BP
As a cybercrime insurance provider, we constantly look for ways to create secure environments that lower risk for our business and our customers around the world. Full disclosure of vulnerabilities without a proper fix in place costs big companies like ours lots of money. Not only does it cause significant disruption to our business, it increases risk to our customers. Microsoft's approach to vulnerability disclosure provides a predictable process that minimizes the disruption and reduces cost associated with implementing updates. This helps us and it helps our customers.
- Don Garvey, Chief Information Security Officer, Chubb Corporation
Microsoft Vulnerability Research
In an age in which every type of computing device can be interconnected, the
security and privacy of data is more important than ever. In addition, the potential
consequences of security vulnerabilities can be much more severe and have a
much greater impact on the Internet in general. Microsoft Vulnerability Research
(MSVR) was established to provide a mechanism for Microsoft software developers and security researchers to share their collective knowledge and experience with
third-party software developers and the greater community. The success of MSVR
has helped improve the security ecosystem as a whole, which benefits Microsoft,
other software publishers, and the worldwide community of computer users.
Figure 8. The MSVR response process
MSVR Advisories
As part of the CVD approach, beginning in April 2011, the MSVR program began
issuing MSVR advisories detailing software vulnerabilities that Microsoft had
privately disclosed to third-party vendors.
Figure 9. MSVR advisories issued from April to June 2011

Advisory    Title                                                                                        Date
MSVR11-001  Use-After-Free Object Lifetime Vulnerability in Chrome Could Allow Sandboxed Remote Code Execution  4/19/2011
MSVR11-002  HTML5 Implementation in Chrome, Opera, and Safari Could Allow Information Disclosure             5/17/2011
MSVR11-003  Vulnerability in RealNetworks RealPlayer Could Allow Remote Code Execution                       5/17/2011
MSVR11-004  Vulnerability in RealNetworks RealPlayer RichFX Component Could Allow Remote Code Execution      5/17/2011
MSVR11-005  Vulnerability in Foxit Reader Could Allow Remote Code Execution                                  6/21/2011
MSVR11-006  Vulnerability in Google SketchUp Could Allow Remote Code Execution                               6/21/2011
Microsoft does not reveal vulnerability details before a vendor-supplied update is available for issues reported through the MSVR program, unless there is significant evidence of active attacks in the wild. If attacks begin before the vendor has released its remediation, Microsoft will continue to coordinate with the vendor to release consistent mitigation and workaround guidance. This cooperative approach ensures that affected customers understand their risk and what to do to mitigate it, without revealing details that attackers could use to commit cybercrime.
This coordination takes place under Microsoft's CVD approach to vulnerability disclosure. CVD clarifies how Microsoft responds as a vendor impacted by vulnerabilities in its products and services, as a finder of new vulnerabilities in third-party products and services, and as a coordinator of vulnerabilities that affect multiple vendors.
MSVR advisories are posted at
http://www.microsoft.com/technet/security/advisory/MSVRarchive.mspx. The
format of an MSVR Advisory is similar to that of a Microsoft security advisory:
each MSVR advisory contains a top-level summary that states the reason for
issuing the advisory, frequently asked questions, and a Suggested Actions section
describing any action that users may have to take to help protect themselves. MSVR advisories may be revised as required to reflect new information or
guidance.
MSVR Program Statistics
- Since July 2010, MSVR has identified and responsibly disclosed 109 different software vulnerabilities affecting a total of 38 vendors.
- 93 percent of the third-party vulnerabilities found through MSVR since July 2010 were rated as Critical or Important12.
- Vendors have responded and coordinated on 97 percent of all reported vulnerabilities; 29 percent of the third-party vulnerabilities found since July 2010 have already been resolved, and none of the vulnerabilities without updates have been observed in any attacks.
For more information, see the Microsoft Vulnerability Research page at http://www.microsoft.com/security/msrc/collaboration/research.aspx.
12http://www.microsoft.com/technet/security/bulletin/rating.mspx
Conclusion
The global computing threat landscape is constantly evolving. Microsoft has
responded to this continuing shift by developing a series of programs and
initiatives that involve responsible information sharing to help customers manage
and overcome computing threats. The Microsoft Active Protections Program has
partners reporting significant reductions in development time for delivering protection help to customers, which reduces the amount of time that systems are
at risk. The Microsoft Exploitability Index is now firmly established as a valuable
part of the Microsoft monthly security update release cycle, helping customers
around the world prioritize their security update deployments and working to
create more reliable and cost-effective system protection measures. Through the
Microsoft Vulnerability Research program, Microsoft has leveraged its
considerable depth of expertise and tools with vendors to help raise the level of
security in their products that run on the Windows platform. Coordinated
Vulnerability Disclosure is helping to protect customers around the world from
attack while Microsoft works to build, test and release high-quality security
updates.
In today's ever-evolving criminal landscape, increased information sharing is key
to advancing progress towards safer, more trusted computing experiences. This
involves continued work to develop better community-based defenses, increased
help to resolve vulnerabilities in highly leveraged third-party code running on the
Windows platform, and empowering customers with information that helps them
make better risk assessments.
One Microsoft Way
Redmond, WA 98052-6399
microsoft.com/security