Last week the Bromium crew was invited to the BlueHat conference, an exclusive Microsoft security event to which the media has no access. It is designed primarily to give internal Microsoft developers and architects insight into the world outside, with a strong security focus. As someone there thoughtfully put it, "being close to reality keeps us out of living in our own bubble."
The Bromium Labs crew travels to a lot of conferences, and this one was different enough that it seemed worth writing up. Each talk was thoughtfully selected and covered relevant topics. Let's step back and consider why on earth Microsoft would invite the security community to point out its own mistakes, and, more importantly, whether this really matters to Microsoft. If you have been in the security industry long enough, you may remember the days of "I can tell you I wish those people just would be quiet. It would be best for the world." What I witnessed instead was a whole new Microsoft: an empowered security group that has opened up to the community, is willing to admit mistakes, and publicly pays bounties for serious bugs. Very few large vendors have the nerve to be that open.
However, if you found a bug today that was worth $250k in the underground, would you still hand it to Microsoft and get it patched? Opinions are likely to vary. Zero days are now a revenue-generating business model for some researchers, and this debate is likely to remain open for a while.
The bottom line: is any of this working? Well, when was the last time you heard of a remotely exploitable IIS vulnerability? Then again, I did hear about several zero days in IE this year alone. So there is certainly progress, but work remains to be done. Security is a mission, not a goal. We all get that.
Our talk focused on the architectural limitations of application sandboxes. As 2013 ends, we have already witnessed several breakouts from application sandboxes (arguably a ten-year-old technology). The first in-the-wild malware breakout from the Adobe sandbox was uncovered in February 2013, and it is a safe bet that this is just the beginning. We published our research on this topic around the time we launched Bromium Labs a few months back, so meeting people who care about the problem was a good way to end the year.
Yes, it's true: I heard murmurs of "So, when is Apple going to organize an iHat?" Let's wait and watch. I'm sure it's on the security community's wish list for Santa Claus.