- home
- reviews
- news
- downloads
- cnet tv
HOLIDAY HELP DESK: Broadcasting live at 1:00 p.m., PT
- log in
- join CNET
- welcome,
- my profile
- log out

News.com special report:

Securing Microsoft: A long road

TalkBack

E-mail

del.icio.us

Digg this

At software giant, pain gives rise to progress

By Ina Fried
Staff writer, CNET News.com
December 3, 2007, 4:00 a.m. PST

Editors' note: This is part 1 in a series examining how Microsoft's security strategy has evolved over the past decade.

REDMOND, Wash.--With a measure of pain, Matt Thomlinson recalls the summer of 2003.

"I remember buses pulling up to the Microsoft campus to shuttle engineers away from their day jobs to go work the phones down at (product support)," said Thomlinson, who heads Microsoft's security engineering efforts. "That was just heartbreaking."

The Blaster worm had just hit, swamping Microsoft's support lines with calls from angry customers.

Andrew Cushman, director of the Microsoft Security Response Center, remembers standing in Muck boots and installing a catch basin in his front yard when he got a call from an account manager. It was just days after September 11, 2001, and one of Microsoft's largest customers had just been hit with what turned out to be the Nimda worm.

George Stathakopoulos, Cushman's boss, still hasn't seen the end of the movie Master and Commander. In spring 2004, he was sitting on his couch watching the film when he got the call that Sasser had hit.

Indeed, much of Microsoft's current security practices can be traced to painful lessons learned during the past decade by people whose job it is to secure Microsoft's products.

Because of the experience of Mike Nash, a vice president at Microsoft, the company finally instituted calling trees as a way to quickly reach people in an emergency. When the Slammer worm hit in January 2003, Nash had to work feverishly to track down the vice president of SQL Server, Gordon Mangione, eventually locating him at his sister's wedding in Canada. (Slammer used Microsoft's SQL Server database to propagate a denial-of-service attack.) Nash first heard reports of Slammer on the local news radio station at 6 a.m. At first, he thought he was dreaming. But as the report played a second time, he knew it was real and headed into work. "I was the second one there," Nash recalls.

Slammer also taught the company that it was not enough to have a patch; the patch had to be easy enough to deploy so that most customers would do so, lessening the chances that outbreaks would propagate so quickly. And it was Blaster that taught the company that it wasn't enough to patch a single flaw; it needed a systematic process for catching whole classes of vulnerabilities, a realization that paved the way for Microsoft's current approach, known as the Security Development Lifecycle, or SDL.

"We've put a lot of our best people in these areas," Microsoft Chairman Bill Gates said in an interview with CNET News.com. "Still tons to be done, but you know, we've definitely made five years of progress in the last five years."

Much of the reason for that traumatic on-the-job training can be traced to Microsoft's decade-long evolution in how it and its employees deal with security. Until 1997, security was seen mainly as a set of features that the company bolted onto its software long after product design and development. The idea of securing code as it was being developed had not been considered.

IE flaws send Microsoft scrambling
That all began to change in March 1997, when the first significant flaws were discovered in Internet Explorer. Researchers at Worcester Polytechnic Institute found a vulnerability in browser shortcuts known as .LNK files. Even as Microsoft was scrambling to deal with the problem, word of the flaw hit cable television news. A few hours later, researchers at the University of Maryland found a second problem and reported it to Microsoft.

Simultaneously, the IE team, which Stathakopoulos was part of, was in the process of moving into a new building. The timing couldn't have been worse: most of their equipment was in boxes. Someone had to run to a store to buy a power supply for one of the team's laptops--the power cords had been packed away--before the battery went dead. Jason Garms, now a senior director for technical strategy, wrote the company's first security bulletin in a Windows' Notepad file and then copied it to a floppy so it could be distributed to customers.

At the time, the company didn't even have a system in place where outsiders could report security bugs directly to Microsoft engineers. The IE flaw came to light because someone had called Microsoft's support line and the matter had gradually escalated.

"We said 'This has to stop,'" Stathakopoulos recalls thinking of the disjointed system at the time. "It's not working for us."

In the aftermath of that bug, Microsoft created the Microsoft Security Response Team as well as a separate Internet Explorer security group. The company also created an e-mail address where outsiders could report potential issues.

The Microsoft Security Response Team was made up of volunteers--employees who had other day jobs, but were interested in helping out when there was a security problem.

Next page: The era of big worms

Stories

Day 1: From pain to progress
Remond's security practices have been transformed since threats like Slammer and Blaster first wormed their way onto the scene.

Day 2: Inviting the hackers inside
Aiming to be more open, company reaches out to the security research community it once kept at a distance.

Day 3: Emerging security threats
Forget widespread worms. Nowadays, limited-scale threats like targeted e-mail attacks are causing the most concern.

Beyond Binary Blog

Day 1: Inside the war room
After years of having to scramble whenever an outbreak hit, Microsoft builds adjoining situation rooms to coordinate its response efforts.

Day 2: Off to the Limo Races
In what might seem an unlikely pairing, Microsoft employees and security researchers team up to go on a scavenger hunt through Seattle.

Day 3: Meet the bug hunters
One talks a mile a minute, another dresses like a bug. Meet some of the people who have helped lead a massive culture change at the company.

Related special reports

Microsoft's lessons from the desktop

Microsoft meets the hackers

'MSBlast' echoes across the Net

Photo galleries

Inside the war room
Painful episodes lead to the creation of a security response center, where teams take on the task of hunting bugs and keeping customers informed.December 3, 2007

The bug hunters
Just who are the people charged with the task of keeping code secure at Microsoft? They're risk takers, whether donning silly costumes or swimming with sharks. December 5, 2007

Credits

Editors: Anne Dujmovic, Mike Ricciuti
Design: Andrew Ballagh
Production: Kendra Dodds

Add a Comment (Log in or register) (58 Comments)

"It's very important when we build an update that it won't break anything."
by `WarpKat December 3, 2007 5:36 AM PST: ...

No comment.

...; Like this Reply to this comment

20 years - not just 10
by caelli December 3, 2007 6:36 AM PST: Hold on - security seems to be totally tied to software quality in this report. Security, far more than that, has to be included in the base design of any system, hardware and software, e.g. the DEC Vax hardware and its VMS operating system, the Intel 286/386/486/Pentium architecture that gave us protection rings, capability enforcement and memory segment protection. The real history of Microsoft goes back to the very start of Windows'NT over Microsoft/IBM's OS/2-3 and even Microsoft's earlier XENIX. The original Intel 286/386 architecture documents clearly referred at the time to the MULTICS protection architecture which its used for its design enabling real security architecture to be defined in a computer system.

So - what happened? The base operating system has to allow for faulty "application" software in such an untrusted world as the Internet and that is exactly what the Intel architecture was designed to do from the start of the 286/386!

Finding and fixing/patching software bugs is NOT the only sign of true integrated security at all! A true secure system, based around well researched security design for the last 30 years or more, creates a properly layered architecture that can cope with faulty applications and middleware and even foreign device drivers. It does not put, for example, device drivers inside the critical access reference monitor/kernel structure for just a start.

This article should look more closely at the real security story. The background to Windows'NT vs OS/2 and the RISC (DEC Alpha, MIPS 4400 processor siuation vs Intel IA-32 design and the role of Microsoft), the underlying security design of Windows'XP/VISTA, the story behind the apparently largely aborted Microsoft "Palladium" or Next Generation Secure Computing Base (NGSCB) activity and its "NEXUS"/ Ring -0 design, the story of XENIX and so on.

What we need is in-depth, investigative reporting that does not confuse software quality concerns, the main Microsoft stance, with true robust computer systems security design such as NSA's Secure LINUX, the GEMSOS system, etc. coupled with underlying hardware resources such as Intel's segmentation and ring structures.; Like this Reply to this comment

This is because IE is so prevalent in the industry
by plee9 December 3, 2007 6:55 AM PST: when everyone is using IE, it is natural that hackers target IE. it is an axiom that a software cannot be proven faultless. thus, this issue is not caused by some incompetency of MSFT engineers. it's because the browser is so popular. i have used other browsers like firefox and they don't even properly support some localization of different language contents.; Like this Reply to this comment

NO MENTION OF SPYWARE?
by ColdMast December 3, 2007 7:40 AM PST: ***?

love the whole waiting months for patches (on Tuesday) only to have a virus release on Wednesday.; Like this Reply to this comment

Progress Noted
by irperez December 3, 2007 9:14 AM PST: Microsoft has definately come a long way. Its always harder to learn lessons when you are the industry leader. The leaders always take the hardest hits while others can stand back and learn without getting hit. I commend Microsoft for humbling themselves and making change and then progress. I can say since 2005 their software has been much better, more stable and less prone to attacks. Although they have ways to go, making it this far is definately worthy of a pat on the back.

Keep up the good work Microsoft.; Like this Reply to this comment

Apple is not to be trusted...
by AppleSuxLeo December 3, 2007 10:21 AM PST: Leoptard installs with the firewall turned off and even when on is full of holes. And Apple zealots are reporting that it crashes often. Sounds like MSFT used to be.I pity Apple when hackers start going after them. They used to get by by being a small target , but those days are numbered. Quicksand(Quicktime)is one of the most INSECURE products on the planet and I refuse to use it. iTunes is also full of holes and never use it either.Truth is Leoptard is a half-baked product Apple released so they could have more useless visual fluff. The real innovation is on the cloud, and MSFT with their "LIVE" services is miles ahead of anything Apple has created.
Vista has been out over a year and has had NO MAJOR SECURITY RELATED ISSUES...even though Mr Jobs probably wished it did.; Like this Reply to this comment

Microsoft leads in security!!
by anil_shanmugam December 3, 2007 10:57 AM PST: I'm not mocking.

http://www.databasesecurity.com/dbsec/comparison.pdf

This is about the secutity patches between SQL Server and Oracle. This is amazing!!; Like this Reply to this comment

No progress as the Storm rages on.
by Macaresafer December 3, 2007 11:45 AM PST: Storm: http://www.wired.com/politics/security/commentary/securitymatters/2007/10/securitymatters_1004

I'll stick with my Mac, thank you. PC apologists can scream that it isn't secure all they like, but I still don't know any Mac users with virus problems. In fact, I still haven't heard of anyone infected with a documented virus, outside of a "security researcher's" office.

I know lots of PC users who have been and continue to be infected.; Like this Reply to this comment

Microsoft is HORRID at security. YES HORRID
by onlyauser December 3, 2007 3:54 PM PST: Microsoft does not have a clue about Operating System needs or security in the slightest.

Every little single thing they do is BLOATED off the charts. No wonder the crap software they produce is not secure.

I wanted to use OneCare, I bought OneCare, I tried to use and like OneCare. OneCare nearly killed my machine. It became like a blue screen light show. So I dumped the Microsoft junk and got NOD32. Now we are talking REAL security.

Also every IT pro I know is not going to move to Vista. EVERYONE KNOW beyond any doubt this bloated piece of crap is tech's biggest and most costly joke!

It is wake up time Microsoft. You make CRAPPY OS and are even worse at security.; Like this Reply to this comment

Most of these viruses are a result of cyberterrorism
by Proustian December 3, 2007 5:18 PM PST: and North Korea, China, Russia, Cuba, Venezuela and other rouge nations spend over $30 million dollars each year to train hackers to write viruses to infect systems on the Internet in various countries as a form of cyberterrorism.; Like this Reply to this comment

Microsoft may have progressed a little...
by wbenton December 7, 2007 4:56 PM PST: But their progression record is the slowest in the industry and they still have a lot further to progress before they can be compared with other, more security responsible vendors!

Walt; Like this Reply to this comment

Some people just amaze me
by xscottr February 15, 2008 4:44 PM PST: I have been using Microsoft products since the early 90?s and I am way too familiar with the problems faced on the long road to security faced by Microsoft. However, no system or network is any more secure then the individuals assigned to install, configure and secure them. I have worked extensively on very critical Microsoft networks as well as Linux networks and networks running both Linux and Windows. The pure amount of engineering that goes into Microsoft products is phenomenal and while Linux designers and engineers are worth their weight in gold they lack two very important things in the IT world that are often over looked; clarity and consistency. For the most part a Linux server is cheap to build set up and as far as network management is concerned very reliable. However, when it comes to higher end functionality it is often the realm of some third party software designer who cost the company using Linux server about 40 to 50% more in time and money then it would had they gone a similar route with Windows 2003. This is not my opinion this is reality. When it comes to security I will be the first to agree that there are vulnerabilities inherent in Windows, but I guarantee you that in a mission critical environment ALL Microsoft products can be secured without the loss of productivity. The bottom line is that this is not possible in a Linux, Novell or MAC environment, simply because they lack productivity features. So, quit confusing the security of these operating systems with the security of the network. Also, it is the work of companies like Adobe and Microsoft that are keeping the Mac afloat in the market, or are you all blind as well as ignorant? What productivity applications are there for Mac? I mean something used in the corporate world designed by apple? Indeed, you got it, nothing! Now as far as Linux and the open source community is concerned I have to hand it to the devs that put together open office they really did a good job with that product and I was really impressed to find the ODBC, JDBC and OLE DB drivers available for SQL Server (yes the Microsoft Database).; Like this Reply to this comment