Microsoft: 'We try to reproduce every vulnerability that comes in'

Summary: Microsoft outlined what it does with incoming vulnerability research, how it designates flaws, and how it plays the cloak-and-dagger game with hackers. In a Q&A with Ryan Naraine, Jonathan Ness, the lead software engineer on Microsoft's SWI Defense team, addressed a big emerging issue between the software giant and security researchers: who has the onus to reproduce the flaw?

TOPICS: Security, CXO, Microsoft

Microsoft outlined what it does with incoming vulnerability research, how it designates flaws, and how it plays the cloak-and-dagger game with hackers.

In a Q&A with Ryan Naraine, Jonathan Ness, the lead software engineer on Microsoft's SWI Defense team, addressed a big emerging issue between the software giant and security researchers: who has the onus to reproduce the flaw? Researchers say Microsoft puts the onus on them to reproduce an issue before doing anything. Microsoft says that's not the case.

What happens when a researcher reports a vulnerability to Microsoft? Ness says:

When a bug report comes in, the MSRC guys will look it over and work on making sure we have all information to help us reproduce the issue. They will open a ticket, notify the researcher and pass it on to the SWI React team. If it's something the MSRC flags as critical, SWI React gets on the ball with the MSRC and the [affected] product team immediately.

The priority is to reproduce the vulnerability, look closely at the surrounding code and understand all potential risks. Once they figure that out, we come in to look for mitigations and workarounds to divert the flow of [attack] code and try to block the vulnerable code from being hit...

Who has to prove the vulnerability? Ness notes:

We try to reproduce every vulnerability that comes in. We really do try. We try to gather all the information, whether it's just an e-mail notice or if there's a sample exploit. We will look at the code, build the test tools and try really hard to find what the [researcher] is reporting. If we can't, our only option is to go back to them and ask them to help us reproduce it.

If possible, we'll try to set up a machine and ask them to hit us with an attack so we can try to capture it. Our priority is to reproduce it, figure out the problem, and then get it fixed.

From there, Ness's team figures out whether an incoming flaw merits a security advisory or a post detailing technical workarounds on the SWI blog. But once a blog post is in the works, the cloak-and-dagger games begin: Ness has to walk a line between giving users enough detail to protect themselves and giving attackers ammunition.

  • All code has bugs, how you deal with it is what counts.

    Yes, of course they do. Whatever you may think of their corporate behavior, they want their code to be secure as much as we do. All code has bugs and all companies try to minimize their impact.

    However, as regards "cloak and dagger", bah!

    The hackers are so far ahead of Microsoft (or Apple, or Sun, or Red Hat ... take your choice of vendor) that withholding information from your clients and customers is *not* playing "cloak and dagger". It is simply a PR move.

    The only persons who are helped by "security through obscurity" are the black hats who would just as soon that we customers didn't know about vulnerabilities until after they have exploited them.

    Immediate and widespread alerts should be sent out for every vulnerability identified, and we field users can then assess our own risk and response. Not knowing that the danger is there does not mitigate it -- it simply makes it worse.

    • Agreed

      Hackers are ahead of code writers simply because for every 100-man development team writing code, you probably have a hundred times more people trying to hack into it; the numbers are against them.

      As for "security through obscurity", I for one would certainly like to know, as [b]I[/b] want to be the one to decide if I need to halt the use of a particular service or not, and then decide how to best deal with it until the issue is resolved, not after I find I have been hacked.
      • Indeed, the hackers are ahead of coders, but ...

        not because they are any better, but because of the nature of security. The one who tries to protect something has to build a protective system that takes into account all the possible threats. The hacker, on the other hand, only has to find a single vulnerability in this system. It's not so easy, but much easier than the work of the protector.
  • RE: Microsoft: 'We try to reproduce every vulnerability that comes in'

    Uh oh. It's a warning sign when people tell you, with four-part harmony, that they're doing their job; a warning sign that some big picture item is being overlooked.
    • I believe it is nothing of the sort

      I would imagine it is merely to state their side, in response to the people running around spreading FUD that it actually means something different, something like [i]some big picture item is being overlooked[/i]
  • If you believe this...

    I worked there once so this is more likely what happens; maybe if they are not out playing soccer etc. you may get some bored micro-slave to look at it, but more likely they will trap some poor contractor into doing it.
    • You sound like a disgruntled contractor yourself,

      Waste removal or janitorial? There's little debate that MS has taken security very seriously since xp sp2. The same can not be said for apple though, particularly with quicktime.
  • Try & try again...

    I count use of the word "try" seven times in that short little explanation from MS. Having had 6 kids (and frequently it seems like I work with a bunch of them as well) I have learned that often when somebody says they will "try" to do something or "tried" to do something it usually means they didn't do much at all. But, oh, no, not that I doubt MS. After all, at times I have found them to be very trying.
  • Computers should just work

    They're having a field day with this hacker code stuff.