Editors' note: This is part 1 in a series examining how Microsoft's security strategy has evolved over the past decade.
REDMOND, Wash.--With a measure of pain, Matt Thomlinson recalls the summer of 2003.
"I remember buses pulling up to the Microsoft campus to shuttle engineers away from their day jobs to go work the phones down at (product support)," said Thomlinson, who heads Microsoft's security engineering efforts. "That was just heartbreaking."
The Blaster worm had just hit, swamping Microsoft's support lines with calls from angry customers.
Andrew Cushman, director of the Microsoft Security Response Center, remembers standing in Muck boots and installing a catch basin in his front yard when he got a call from an account manager. It was just days after September 11, 2001, and one of Microsoft's largest customers had just been hit with what turned out to be the Nimda worm.
George Stathakopoulos, Cushman's boss, still hasn't seen the end of the movie Master and Commander. In spring 2004, he was sitting on his couch watching the film when he got the call that Sasser had hit.
Indeed, much of Microsoft's current security practices can be traced to painful lessons learned during the past decade by people whose job it is to secure Microsoft's products.
Because of the experience of Mike Nash, a vice president at Microsoft, the company finally instituted calling trees as a way to quickly reach people in an emergency. When the Slammer worm hit in January 2003, Nash had to work feverishly to track down the vice president of SQL Server, Gordon Mangione, eventually locating him at his sister's wedding in Canada. (Slammer used Microsoft's SQL Server database to propagate a denial-of-service attack.) Nash first heard reports of Slammer on the local news radio station at 6 a.m. At first, he thought he was dreaming. But as the report played a second time, he knew it was real and headed into work. "I was the second one there," Nash recalls.
Slammer also taught the company that it was not enough to have a patch; the patch had to be easy enough to deploy so that most customers would do so, lessening the chances that outbreaks would propagate so quickly. And it was Blaster that taught the company that it wasn't enough to patch a single flaw; it needed a systematic process for catching whole classes of vulnerabilities, a realization that paved the way for Microsoft's current approach, known as the Security Development Lifecycle, or SDL.

"We've put a lot of our best people in these areas," Microsoft Chairman Bill Gates said in an interview with CNET News.com. "Still tons to be done, but you know, we've definitely made five years of progress in the last five years."
Much of the reason for that traumatic on-the-job training can be traced to Microsoft's decade-long evolution in how it and its employees deal with security. Until 1997, security was seen mainly as a set of features that the company bolted onto its software long after product design and development. The idea of securing code as it was being developed had not been considered.
IE flaws send Microsoft scrambling
That all began to change in March 1997, when the first significant flaws were discovered in Internet Explorer. Researchers at Worcester Polytechnic Institute found a vulnerability in browser shortcuts known as .LNK files. Even as Microsoft was scrambling to deal with the problem, word of the flaw hit cable television news. A few hours later, researchers at the University of Maryland found a second problem and reported it to Microsoft.
Simultaneously, the IE team, which Stathakopoulos was part of, was in the process of moving into a new building. The timing couldn't have been worse: most of their equipment was in boxes. Someone had to run to a store to buy a power supply for one of the team's laptops--the power cords had been packed away--before the battery went dead. Jason Garms, now a senior director for technical strategy, wrote the company's first security bulletin in a Windows Notepad file and then copied it to a floppy so it could be distributed to customers.
At the time, the company didn't even have a system in place where outsiders could report security bugs directly to Microsoft engineers. The IE flaw came to light because someone had called Microsoft's support line and the matter had gradually escalated.
"We said 'This has to stop,'" Stathakopoulos recalls thinking of the disjointed system at the time. "It's not working for us."
In the aftermath of that bug, Microsoft created the Microsoft Security Response Team as well as a separate Internet Explorer security group. The company also created an e-mail address where outsiders could report potential issues.
The Microsoft Security Response Team was made up of volunteers--employees who had other day jobs, but were interested in helping out when there was a security problem.
Day 1: From pain to progress
Redmond's security practices have been transformed since threats like Slammer and Blaster first wormed their way onto the scene.
Editors: Anne Dujmovic, Mike Ricciuti
Design: Andrew Ballagh
Production: Kendra Dodds
So - what happened? The base operating system has to allow for faulty "application" software in such an untrusted world as the Internet and that is exactly what the Intel architecture was designed to do from the start of the 286/386!
Finding and fixing/patching software bugs is NOT the only sign of true integrated security at all! A true secure system, based around well researched security design for the last 30 years or more, creates a properly layered architecture that can cope with faulty applications and middleware and even foreign device drivers. It does not put, for example, device drivers inside the critical access reference monitor/kernel structure for just a start.
This article should look more closely at the real security story. The background to Windows NT vs OS/2 and the RISC (DEC Alpha, MIPS 4400 processor) situation vs the Intel IA-32 design and the role of Microsoft, the underlying security design of Windows XP/Vista, the story behind the apparently largely aborted Microsoft "Palladium" or Next Generation Secure Computing Base (NGSCB) activity and its "NEXUS"/Ring -0 design, the story of XENIX and so on.
What we need is in-depth, investigative reporting that does not confuse software quality concerns, the main Microsoft stance, with true robust computer systems security design such as NSA's Secure LINUX, the GEMSOS system, etc. coupled with underlying hardware resources such as Intel's segmentation and ring structures.
skin-able to any OS environment
loads of features and plugins
why would I ever go back to using IE?
IE would be just as flawed if only 1 person used it.
If what you claim is true why isn't the leader in the web server market the most exploited? Not surprisingly, MS server products are.
Why?
Because MS software has no real security.
No other reason.
Love the whole waiting months for patches (on Tuesday) only to have a virus release on Wednesday.
Keep up the good work Microsoft.
For the longest time they were the only ones out there. Even today, other desktop OSes are a trivial portion of the market.
No one else has this much surface area and provides this much total security.
Unless they do that, any fixes are just band-aids.
Vista has been out over a year and has had NO MAJOR SECURITY RELATED ISSUES...even though Mr Jobs probably wished it did.
Rip a DVD (legal ones) and burn on a second DVD writer all at the same time; in addition I can have Final Cut Pro running actively, Photoshop, Email, Web Browser and other things, and be doing a lot of intensive things all at the same time without crashes or freezing. It's actually workable and nice to work with.
Try doing this on XP, Vista or NT, good luck.
From my experience, when you burn DVDs in Windows you pretty much can't do anything else, because it will lock up, freeze and make the entire process useless, and the disk will end up bad.
I mean what kind of multi-tasking is that ?
In addition anyone with a brain uses a hardware firewall independent of the OS, if that is properly setup, there is no need to have firewall turned on.
I just installed Yellow Dog Linux on my PlayStation 3, yes, officially supported by Sony, and it's freaking amazing that I can do this on my game machine. I now have a computer in addition to the game machine and I don't have to deal with Microsoft limitations.
Other companies give you choices, Microsoft gives you crap. Wake up and smell the coffee; if Microsoft was making a good OS overall, I would still be using it.
I have no problem in supporting an American company and wishing them all the best, make billions or trillions, I wouldn't care much or be jealous at all.
But Microsoft lost touch with what people want within Windows and are chasing too many things.
I kept XP and occasionally use it for Excel and the VBA programming that I do to automate reporting (the 2003 version of Excel rocks). 2007 sucks.
I run Leopard firewall at the most restrictive setting, and have tested it extensively with a number of intrusion tools. It passed all the tests. Not sure where your "full of holes" comment came from, but nothing I've read supports that view.
I've been running Leopard hard on four machines and haven't had a crash yet. Guess the alleged "Apple zealots" must have got a bad batch.
The old, "Macs are secure only because nobody's tried to attack them," line is tired too. Macs are comparatively secure because they implement a tried and tested security model, one that's worked in the Unix world for years. Linux is fairly secure for similar reasons. M$ needs to learn that all the "are you really, truly, honest to God, totally, 100%, no foolin' sure you want to do this" nonsense just gets UAC turned off, rendering Vista just as insecure as XP.
Anyway, the supposed "invulnerability" of Macs is a powerful challenge to any would-be virus writers or crackers. The idea that no one has tried to write Mac-specific malware isn't credible. I'm sure plenty have tried. Only one has succeeded so far, and that was a pretty lame exploit.
Quicktime has some security holes, sure, but "one of the most INSECURE products on the planet?" Rubbish. You mustn't have heard of IE or MSOffice or Outlook Express.
Leopard is actually a well-executed OS. It's stable, has useful new features, runs well on older machines, is fast and has been certified as an Open Brand Unix product.
The only security software I run is an antivirus scanner, not because I'm worried about my Mac getting infected, but to protect my customers and friends from any Windows viruses I might accidentally send them in an email. I don't want to be a "Typhoid Mary," carrying around malware that will hurt my feeble Windows-using friends.
Regarding Vista, let's turn your argument on its head: the reason there haven't been any major Vista security issues yet is because nobody uses it. All the malware writers are still working on XP. Give it another year, wait until everyone's turned off UAC, then we'll see how secure Vista is.
The real innovation may be in "the Cloud," but it'll be a long time before anyone takes that collection of molasses-slow, insecure, half-baked services seriously. Until then, OSs are still relevant. The fact that M$ is trying to divert attention from its OS and focus it on "Web 2.0" services says more about the quality of Vista than any bold new web-centric strategy at Redmond. Anyway, all that "Live" junk is just an attempt to play catch-up with Google. Badly.
Apparently you don't, since you jump up and down screaming about how not having one turned on is such a huge deal, when in some cases it doesn't make any real difference.
Here's the deal - if there are no processes listening on a TCP, UDP, or ICMP port, then not having a firewall turned on is no big deal. Without listening processes, nothing will respond.
Now, in OSX, you have to specifically turn services on before they will listen for inbound connections - either by way of running an app, or by turning on something like "Windows Sharing" in System Preferences. Otherwise, all you can do w/ a Mac machine is ping it to see if it's alive and on the network (ICMP), and pretty much nothing else.
In Windows, you pretty much need to have a firewall on because, by default, NBT/NetBEUI/RPC (a notoriously insecure lash-up) is on and listening by default, as are roughly half a dozen other processes... all of which will happily respond to anyone out online who queries them.
[i]"The real innovation is on the cloud"[/i]
Hooray - let's all play Buzzword Bullsh!t Bingo!
Okay okay - I got one:
[code]
<xml>
<i><am><so><damn>Web 2.0!</damn></so></am></i>
</xml>
[/code]
Lookit - you don't even know what a firewall is - why should I trust you on opinions that carry more buzzword and vapor than a software vendor's PR department?
Cripes - I really hope you don't work for MSFT... they have a hard enough time trying to code worth a damn as it is.
/P
http://www.databasesecurity.com/dbsec/comparison.pdf
This is about the security patches between SQL Server and Oracle. This is amazing!!
After all, nobody has ever broken a padlock... because it stayed locked in spite of being shot at in an advertisement, right?
Also, what kind of "security" website in its right mind would release even some of its content in a format type (MS Office) that macro viruses and etc. can easily hide in!?
Geez... if you're going to spamvertise a site and call it a security expert, at least point to one that pretends to know a thing or two about actual security...
/P
I'll stick with my Mac, thank you. PC apologists can scream that it isn't secure all they like, but I still don't know any Mac users with virus problems. In fact, I still haven't heard of anyone infected with a documented virus, outside of a "security researcher's" office.
I know lots of PC users who have been and continue to be infected.
Given that the story was about security practices at Microsoft Headquarters, your proclamation about using a Mac is about as relevant as my discussion of breakfast. If you had brought up something about how Apple does security differently, then that would be borderline useful. Instead, it's whoop-ti-doo I'm using a Mac. You know something, I don't know about Apple. Quicktime is one of the few products made by Apple from start to finish and guess what it's full of flaws.
http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html
I'd bet if you searched for articles in 2007 alone you'd find a lot more than this.
BTW, Mac never gets that many viruses because they have such small market share. What respected hacker would want to hack a Mac? Not to mention that there isn't that much software on the platform. Why buy an OS that hardly any software vendor supports? That's like buying a car that runs only on hydrogen fuel cells.
One of the reasons that there is hardly any Mac software is because Apple doesn't encourage development. At least Linux does that. Everywhere you look, I'd bet you can easily find a Microsoft developer. Mac developers? Hard to find. Apple does not give any incentives or encouragement to develop on that platform. And until that changes Mac will always be 2nd to Microsoft Windows. Sorry, but that's the truth.
I think there are a lot of PC users who jump to the 'oh it must be a virus' conclusion every time their pc has a problem. Oooh, it is slow to boot up, must be a virus. It shut down unexpectedly it must be a virus (only if you consider windows itself to be a virus!!), or of course we have the 'this-program-isn't-working-so-it-must-be-a-virus virus'.
A hint for others - you tend to find your exposure to viruses is somewhat reduced if you don't look at porn every day too.
Every little single thing they do is BLOATED off the charts. No wonder the crap software they produce is not secure.
I wanted to use OneCare, I bought OneCare, I tried to use and like OneCare. OneCare nearly killed my machine. It became like a blue screen light show. So I dumped the Microsoft junk and got NOD32. Now we are talking REAL security.
Also, every IT pro I know is not going to move to Vista. EVERYONE KNOWS beyond any doubt this bloated piece of crap is tech's biggest and most costly joke!
It is wake up time Microsoft. You make CRAPPY OS and are even worse at security.
Even if that is true it doesn't let Microsoft off the hook for writing insecure software.
Why pick on 'rogue nations'? Nothing wrong with making yourself pretty. :p
/P
Walt