Got a pen-test report detailing a crazy bad bug in Microsoft software? It could be your problem, not Microsoft’s.
A day ahead of yesterday’s 63-patch November 2018 Patch Tuesday security update, the Microsoft group that decides which fixes make it into the monthly security update posted a polite reminder to customers: a weakness affecting a Microsoft product in your environment isn't necessarily an across-the-board vulnerability in the product.
The Microsoft Security Response Center (MSRC) is the group at Microsoft that evaluates whether reports about security bugs in its huge portfolio actually are vulnerabilities. Once a report is confirmed, it determines what impact the bug has in order to tell admins and end-users how important the fix is.
To help with this process MSRC in September published guidance to explain to security researchers and customers how it assesses risk with respect to security flaws.
The document aims to clarify what bugs Microsoft considers should be fixed on Patch Tuesday, those that don’t qualify, and the types of bug that could get addressed in a future version update. Basically, only high-risk vulnerabilities get fixed on the monthly Tuesday update.
In between each month’s update the company aims to “triage” every single bug report it receives to investigate whether it meets its “security bug bar”.
Naturally, some legitimate reports don’t cut the mustard for Patch Tuesday, but MSRC appears to have had enough of noise from concerned customers who submit reports written by hired penetration testers detailing what amount to vulnerable implementations of its products rather than actual vulnerabilities in its products.
MSRC makes a point of welcoming reports from researchers, partners, and customers “that include proof of concept (POC), details of an attack or demonstration of a vulnerability, and a detailed writeup of the issue”.
“If you send these reports to us, thank you!” MSRC writes in a post from several team members.
MSRC notes that third-party penetration test reports often claim a product is vulnerable but then fail to back up the claim with details about the attack, and don’t acknowledge the mitigations already available.
“Pen test reports sent to us commonly contain a statement that a product is vulnerable to an attack, but do not contain specific details about the attack vector or demonstration of how this vulnerability could be exploited. Often, mitigations are available to customers that do not require a change in the product code to remediate the identified security risk,” MSRC writes.
As an example, Microsoft points to pen test reports about brute force password attacks against Lync Server 2013 configured with the Skype for Business web app endpoints.
“Lync Server 2013 utilizes certain web endpoints for web form authentication. If these endpoints are not implemented securely, they can open the door for attackers to interact with Active Directory. Penetration testers that analyze customer deployments often identify this issue, as it represents risk to the customer environment,” it writes.
MSRC says this is “not an unsolvable problem” because customers can use a password lockout policy to frustrate an attacker who’s discovered a username, by locking the account after a set number of failed password guesses. In an enterprise environment, a legitimate user who’s been locked out will most likely contact IT support to unlock the account, potentially raising a flag that something is worth investigating, Microsoft contends.
Microsoft details several other mitigations against this type of attack that are available, and also encourages admins to “dig into the [pen-test] report for available mitigations before sharing the results outside your organization.”
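As an added illustration of the lockout mitigation described above (not code from Microsoft or the article), the PowerShell below audits the default domain account lockout policy in Active Directory, tightens it if lockouts are disabled, and lists recent lockouts (event ID 4740 in a domain controller’s Security log) grouped by the calling host, which is the flag worth investigating. It assumes the ActiveDirectory module on a domain-joined admin host; the domain name and threshold values are constructed placeholders, not recommendations from the page.

```powershell
# Added example: audit and tighten the AD account lockout policy, then surface
# recent lockouts as an investigation signal for password guessing against
# web form authentication endpoints.
# Assumptions: ActiveDirectory module available; the domain name and the
# threshold values below are placeholders, not values from the article.
Import-Module ActiveDirectory

$Domain = 'contoso.example'   # placeholder domain, replace with your own

$policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

# LockoutThreshold 0 means accounts never lock: unlimited guesses per username.
if ($policy.LockoutThreshold -eq 0) {
    Write-Warning "Lockout disabled on $Domain; unlimited password guesses allowed."
    # Illustrative values only: lock after 10 failures within 15 minutes,
    # keep the account locked for 30 minutes.
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
        -LockoutDuration (New-TimeSpan -Minutes 30)
} else {
    Write-Output ("Lockout after {0} failures, window {1}, duration {2}" -f
        $policy.LockoutThreshold, $policy.LockoutObservationWindow, $policy.LockoutDuration)
}

# Event 4740 is written on the domain controller for each lockout. Many
# lockouts from a single caller host in a short window looks like guessing,
# not a single forgetful user.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            # In 4740 the TargetDomainName field carries the caller computer name.
            Caller  = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
        }
    } |
    Group-Object Caller |
    Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } }
```

Run it on a domain controller or an RSAT host with rights to read the Security log; the grouped output shows which hosts are triggering lockouts and against how many distinct accounts.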
“If the report comes up with an unpatched vulnerability that has no mitigations, please send us the report and POC.”