Microsoft is urging those who conduct pen-tests (penetration software) on its software to hold off on reports, at least until they know if the problem is their end. The company issued the advice as part of its November 2018 Patch Tuesday cumulative updates earlier this week.
Pen-tests are organized and authorized simulated attacks on software to find bugs. Microsoft, like others, has had its share of pen-tests turn up problems in its software. However, the company says a software issue on the testing end may be an issue with the testing environment and not the software.
Of course, there are many times when these reports are legitimate and uncover real vulnerabilities. In fact, we report on many of these across Microsoft services, including numerous serious zero-days.
Microsoft is not ignoring these situations, but instead urging caution in the final tests. Microsoft Security Response Center (MSRC) is the division tasked with checking pen-test reports to see if they are really software vulnerabilities.
Naturally, the division will function more efficiently if non-legitimate reports are lessened. Microsoft has published new guidance to help security researchers better understand the results of pen-tests.
Working with MSRC
The most obvious way for researchers to know if their findings are accurate is to “that include proof of concept (POC), details of an attack or demonstration of a vulnerability, and a detailed writeup of the issue”.
“If you send these reports to us, thank you!,” MSRC writes.
“Pen test reports sent to us commonly contain a statement that a product is vulnerable to an attack, but do not contain specific details about the attack vector or demonstration of how this vulnerability could be exploited. Often, mitigations are available to customers that do not require a change in the product code to remediate the identified security risk,” MSRC writes.
