June 10, 2002 4:00 AM PDT
Old code in Windows is security threat
The revelation follows last week's warning that a serious vulnerability in Microsoft's Internet Explorer occurred in the software supporting a decade-old protocol that has rarely been used since the World Wide Web became popular.
"A lot of the (coming) design changes are to remove this feature or turn that one off by default," said Steve Lipner, director of security assurance for Microsoft and the man on the ground for the company's trustworthy computing initiative.
He added that when Microsoft is faced with a choice between removing old, possibly insecure code and keeping a feature to please a small fraction of customers, increasingly security is winning out. "Do we think that things will be retired more quickly? Sure," Lipner said.
The acknowledgment that the company is rushing to ax old code comes amid criticism that Microsoft's security initiative has been slow to show results. More than 30 vulnerabilities have been reported by the company since the initiative began, putting it on the same security track as last year.
Fifty million lines of code
Even before Windows XP came out, Microsoft said it would sacrifice compatibility in some circumstances to increase performance. However, the recent, unexpected security problems are accelerating the process and prompting the company to remove more code than anticipated. But trying to figure out how to cut potentially problematic code is no easy task.
"The problem is that you are dealing with 50 million lines of code and everything depends on everything else," said Peter Neumann, principal scientist for technology think-tank SRI International.
Microsoft kicked off its trustworthy computing initiative in January, after Chairman Bill Gates urged the company's employees to focus more on security and less on creating new features. Critics of the company have kept watch for signs of any real changes in how the software giant deals with security. Changes in Windows, though, could take a while, especially in light of how the operating system has grown.
"Part of the problem is everything is too convoluted," Neumann said. "It's difficult to have an assurance that everything is going to work." Adding in backward compatibility only increases complexity, he added.
Marc Maiffret, 21-year-old security prodigy and chief hacking officer for eEye Digital Security, doesn't fault old code for security problems. He said that programmers who don't review the code before using it are at fault. Old code may have more security holes in it, but those holes should be caught, he said.
"With a lot of the more recent code, people are smarter about writing secure code," Maiffret said, adding that "there is no problem in having backwards compatibility, except when there is a flaw in it."
That's the problem Microsoft is facing. A feature that allowed Internet Explorer to communicate with servers running Gopher, a pre-Web protocol for hyperlinking information, has a vulnerability that could leave PC users open to attack, a Finnish researcher said last week.
GopherSpace, the name of the network of servers that supports the Gopher protocol, consists of fewer than 600 computers offering up fewer than 8 million links, according to a Gopher site maintained at Point Loma Nazarene University. The Web has more than 2 billion pages, according to the Google search engine.
While Microsoft is still analyzing the claims, the company's trustworthy computing initiative already had project managers questioning the wisdom of having support for the rarely used protocol, said Microsoft's Lipner.
"Gopher was one of the functions that was flagged for being turned off by default" in the coming Windows XP Service Pack 1, Lipner said. While the disclosure of the apparent flaw beat the company's update, Lipner stressed that the design decision showed the initiative was paying off. "We were asking the right questions," he said.
Lipner wouldn't name other features that would be retired, or break down how much of Windows XP is considered old code and how much is new. Instead, he explained that part of the company's security process involves imagining the worst types of attacks against its code and developing a "threat model." It then searches for any holes in its defenses that would let such attacks through.
"The developers and testers were reviewing code and testing code as prioritized by the threat model," Lipner said.
Lipner said the work is ongoing, adding, "The security push is a big job."