Microsoft Update Management. Sam Youness Microsoft

Transcription

1 Microsoft Update Management Sam Youness Microsoft

2 Microsoft s Areas of Focus for ICS Risk Management Secure Development Device and Network Security Identity and Access Management Operational Response

3 Get Current/Stay Current Win7 Vista SP1, SP2 Vista RTM XP SP3 XP SP2 Better Security Quality SEHOP SEHOP Enabled by default Heap terminate Heap terminate Disabled by default DEP DEP ASLR ASLR SEHOP SEHOP SEHOP Heap terminate Heap terminate Heap terminate DEP DEP DEP ASLR ASLR ASLR SEHOP SEHOP Heap terminate Heap terminate DEP DEP ASLR ASLR 20.0 SEHOP SEHOP SEHOP 18.0 Heap terminate Heap terminate Heap terminate DEP DEP DEP 16.0 ASLR ASLR ASLR 14.0 SEHOP SEHOP SEHOP Heap terminate Heap terminate Heap terminate 12.0 DEP DEP DEP 10.0 ASLR ASLR ASLR 8.0 IE 6 IE 7 IE 8 IE Infection Rate per SP2 SP3 RTM SP1 SP2 RTM Critical Vulnerabilities After One Year Windows XP Windows Vista Windows Windows XP Windows Vista Windows 7

4 Windows XP End of Service Issues XP SP3 (and Office 2003) EOS is on April 8, 2014 Microsoft will not provide security updates after that date Customers running XP will run the risk of security issues Microsoft can help customers move off XP between now and then More details on this at: hive/2013/01/28/why-you-should-upgrade-from-windows-xp.aspx

5 Minimize Surface Attack Example: Server Core Reduce the attack and servicing surface area for certain server roles by only installing what is required and administrators use Servers optimized by role are easier to service and manage Fewer patches Server management lifecycle oriented around roles IT Staff can specialize on their role(s) Increased reliability and security Less installed and less running

6 Microsoft security updates, programs and progress Questions we frequently receive: Why does Microsoft issue so many patches? Why does it take so long to release patches? How does Microsoft test patches before they are released?

7 Helping Customers Manage Risk Engineering Updates for More than a Billion Systems Worldwide 1. High quality security updates Produce high quality security updates that can be confidently deployed to more than a billion diverse systems in the computing eco-system and help customers minimize disruptions to their businesses 2. Community based defense Microsoft looks to mitigate exploitation of vulnerabilities through the collaborative strength of the industry and through partners, public organizations, customers, and security researchers 3. Comprehensive security response process Employing a process that helps Microsoft effectively manage security incidents while providing the predictability and transparency that customers need in order to minimize disruptions to their businesses.

8 Releasing a Security Update Release Vulnerability Reporting MSRC receives incoming vulnerability reports through Secure@Microsoft.com Direct contact with MSRC Microsoft TechNet Security Site anonymous reporting MSRC responds to all reports 24 hour response Service Level Agreement to finder Internal response can be immediate when required Triaging Assess the report and the possible impact on customers Understand the severity of the vulnerability Rate the vulnerability according to severity and likelihood of exploit, and assign it a priority Investigation MSRC Engineering Reproduce the Vulnerability Locate variants Investigate surrounding code and design Managing Finder Relationship Establish communications channel Quick response Regular updates Build the community Encourage responsible reporting Fix Validation MSRC Engineering and Product Team Test against reported issue Test against variants Content Creation Security bulletin Affected software/components Technical description FAQs Acknowledgments Technical guidance MSRC Engineering Workarounds and mitigations SVRD blog MAPP detection guidance Security bulletins second Tuesday of every month Coordinate all content and resources Information and guidance to customers Monitor customer issues and press Update Developer Tools and Practices Update best practices Update testing tools Update development and design process

9 High Quality Security Updates Application Compatibility Testing Security Update Validation Program (SUVP) started 2005 Updates available to limited group of customers under strict nondisclosure agreements (NDA) Test updates in broad range of configurations and environments before updates are released Participants required to provide feedback Participants not given any information about underlying vulnerabilities, area of code updated, or exploits

10 High Quality Security Updates Consolidated Security Updates to Minimize System Restart Uptime is critical - restarting systems can disrupt customers businesses Restarting systems after installing Microsoft security updates is only required when absolutely necessary MSRC constantly trying to find ways to reduce system restart requirements for security updates Single security bulletin often addresses multiple vulnerabilities from the Common Vulnerabilities and Exposures (CVE) database

11 High Quality Security Updates Consolidated Security Updates to Minimize System Restart 120 Security bulletins released and CVEs addressed by Microsoft by half-year, 1H06 1H Security Bulletins Unique CVEs H06 2H06 1H07 2H07 1H08 2H08 1H09 2H09 1H10 Source: Microsoft Security Intelligence Report Volume 9

12 Update Innovation: Microsoft s Exploitability Index Is there exploit code available? Through webcasts, calls, CxO conferences, and forums, we get this question every release without fail.. Reality: While we answer this question in the bulletins today, it frequently changes within the first two weeks (sometimes two hours) after release. While most protections providers are very fast, it s not always before attackers have released exploit code. Customer Pain: Patching drains resources, frustrates IT & does not give confidence in the security of Microsoft products. IT Pros are frustrated w/many patches & updates they deal with as a result of insecure/unreliable products. As a result, time, company resources, energy, and effort is required to install and test patches. Our Goal: Prediction of the likelihood that functional exploit code will be released Exploitability Index: Evaluate exploitability of the vulnerabilities using industry methodology and MAPP partners Provide a prediction of likelihood of exploitation for each vulnerability

13 Microsoft Active Protections Program Are protections available while I deploy Microsoft updates? Customers expect their security protection software to help thwart attacks while evaluating updates. Reality: While most protections providers are very fast, it s not always before attackers have released exploit code. Our Goal: Customers using security protection software are protected from the vulnerabilities at the same time the updates are released. Provides monthly vulnerability information to commercial security software providers Enhances protection at both the application and network layers Customers have improved defense in depth protections while testing and deploying Microsoft security updates Protect the enterprise customers and home user by helping the security providers of their choice get a leg up on exploit code Improves time and quality of protection release Customers receive improved 3rd party protections that are available faster Provides a streamlined information collaboration framework with among Microsoft partners, vendors, infrastructure providers, and customers

14 Microsoft Security Updates and CVRF The Internet Consortium for Advancement of Security on the Internet (ICASI) released its Common Vulnerability Reporting Framework (CVRF) last year. CVRF is a markup system designed to make security bulletins and advisories machine-readable in an industry-standard fashion Microsoft has started to present its updates in the CVRF formats starting in May 2012

15 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

16 Understanding the Exploitability Index Consistent Exploit Code Likely Inconsistent Exploit Code Likely Functioning Exploit Code Unlikely