Editors' note: This is part 3 in a series examining how Microsoft's security strategy has evolved over the past decade.
REDMOND, Wash.--Microsoft security engineer Robert Hensing had a question for the hundreds of his company's developers seated before him: can a person's PC become infected with a rootkit simply by opening a PowerPoint file?
In the packed conference center, a smattering of developers raise their hands. Nearby, in an adjacent room, where hackers invited to speak at Microsoft's Blue Hat conference watch the presentations on TV, an entire table of hands goes up.
"That's one thing I want you to take away from this," Hensing tells the Microsoft developers. "Applications are dangerous."
Indeed, even though Microsoft has spent a fortune securing Windows, experts say that hackers are moving beyond the operating system. Threats such as rootkits, which can corrupt an operating system, can now be transferred by applications or Web-based programs. A new crop of Web-connected mobile devices represents another emerging threat.
"Operating system vulnerabilities are on the decline," Hensing said in his talk at the most recent Blue Hat security conference in September. "Application vulnerabilities are on the rise."
In part, Microsoft is something of a victim of its own success in securing Vista and Windows XP before it. Halvar Flake, a security researcher who attended the latest Blue Hat, estimates the total cost of Microsoft's years-long security push at more than $1 billion, with a significant chunk spent on Vista. George Stathakopoulos, a general manager in Microsoft's security unit, wouldn't say how much Microsoft has spent, but said that it's "a big number."
Flake, CEO of security firm Zynamics, said that all of that spending has paid off. "Vista is the most difficult mainstream OS to break into that I've ever seen," he said. Because it is harder to hack, it is more expensive for criminals to target.
Paradoxically, it's not clear that Vista's improved security is persuading people to move to the operating system any faster. "Security is a tough sell, really," Flake said. "Customers can't really measure it."
Vista's security is likely making life more difficult for hackers. Flake said the malicious side of him "would hope Vista is a huge flop" and, as a result, that no company ever spends that kind of money and effort securing an operating system.
The true effectiveness of Vista's new security likely won't be known for years. Microsoft and other vendors often tout how their newest releases have many fewer flaws than previous versions. That's usually true, but it's only part of the picture. Most of the major operating system vendors have seen their total number of vulnerabilities rise since 2004. New operating systems tend to have fewer flaws upon release, but operating systems live for five to seven years.
As a result, operating system makers try to design products to withstand the types of attacks their software may face toward the middle and end of its life--when operating systems are most heavily adopted.
"We're attacking today's problems," said Matt Thomlinson, who heads Microsoft's security engineering efforts. "We certainly have to do that. We also need to get ahead."
The attacks themselves, meanwhile, have grown increasingly targeted, moving from mass mailers to broad phishing scams to more recent attacks aimed at individuals. Experts expect that trend to continue, with malicious software growing ever more evasive.
Malicious software getting more complex
This year marks a turning point, according to a report this week from Cisco Systems-owned IronPort Systems. "For a time, security controls designed to manage malware were working," said Tom Gillis, vice president of marketing for IronPort. "Just when malware design seemed to have reached a plateau, new attack techniques have burst forth, some so complex--and obviously not the work of amateurs--they could have only been designed by means of sophisticated research and development."
Modern malicious software, IronPort suggests, borrows many characteristics from today's social-networking sites. They are collaborative and adaptive. Plus, the company said, they fly under the radar, "living on enterprise or residential PCs for months or years without detection."
IronPort sees Trojan horses and malicious software becoming "increasingly targeted and short-lived," which will make them still harder to spot.
Layered atop that trend is the rise of new attacks that target software applications. While there are only a handful of major operating systems, there are literally thousands of applications, some used by millions of people.
Microsoft has spent significant time and money on securing its applications. After the experience of Slammer, for example, the company's SQL Server database became a model within the company for how to adopt secure development. Security researcher Dan Kaminsky, who has also attended Blue Hat and done a significant amount of security consulting for Microsoft, said that SQL Server has made significant gains over Oracle thanks to those improved practices.
The Office team, too, has taken note of the fact that its documents are frequently targeted as means for an attack. One of the less-discussed reasons for Office's new XML file formats, in fact, is that they are designed from scratch to be more secure, according to Microsoft.
Editors: Anne Dujmovic, Mike Ricciuti
Design: Andrew Ballagh
Production: Kendra Dodds
I worked on a woman's Vista laptop over the weekend and she was almost in tears because she could not write her articles like she could on XP. She was upset for being forced to buy Vista.
I think she reflects the feelings of a lot of people out there.
My complaint about Vista is its crappy file management system. I cannot believe how hard it is compared to XP in the downloading, moving and saving files.
I believe Microsoft has not a clue of what is really going on out there in the real world.
I am a Microsoft user and will be for a period of time to come. I do hope the hackers will come and fix the file management problem in Vista since Microsoft can't seem to do things right.
I understand that Apple's Leopard software has problems like Vista, but their Tiger is great. I also have a collection of various Linux distros and they are also very good. I think PCLinux and Ubuntu are excellent. So you advocates please don't bother us!
Yes, applications are dangerous... it's part and parcel of
security on any computer.
However, how come data files (e.g. PowerPoint files) have to be
so dangerous (to a Windows user) as well?
Family photos, important documents, music... those things
shouldn't present any danger at all to a user (and on Mac and
Linux, they don't). Yet even the screen saver (*.scr) on a
Windows box could hide potentially nasty bugs.
***? covering up poor programming practices and bad design
with 'oh, apps are dangerous - we got your money, so deal with
it'
Increasing numbers of us have found a better way, thanks much.
And as a bonus, I don't have to live in fear of my applications,
either.
/P
Many of them contain escape mechanisms that permit the object being interpreted to invoke the execution of programs. These programs may be external to or included in the object itself. MS Word was so bad about this for so long that Word objects are now generally feared.
While this capability is useful, its utility does not justify the risk.
Until recently pdfs were preferred to docs because Adobe controlled the specification of the object and the interpreters (Adobe Reader and Acrobat.)
The original intent of pdf appears to have been to encapsulate a printable document. However, many pdfs are only, or preferably, viewed rather than printed. (I try never to print.) Adobe, which now also owns Macromedia Flash, says wouldn't it be nice if an object could also contain moving graphics. Oops, there went the attack surface.
When an object type is very popular, new interpreters emerge. I now have a number of programs on my computer, including, for example, the FoxIt viewer that will interpret pdfs. Oops. There it goes again. To get an idea of how bad the problem is, look at the size of the latest version of the Reader. The bigger and more complex the program, the greater the opportunity for error.
Remember the idea of Object Oriented Programming, in which the object would encapsulate both the data and all of the methods and procedures that could operate on it. The market preferred the traditional model, in part so that the common methods would not have to be replicated for each object.
Now the methods are proliferating and becoming more complex. Part of the problem is that the decisions about the functionality of the program and the risk associated with it are separated from one another and made by different people.
All that said, everyone should have seen this coming. We fixed the transport layer and attacks moved to the server. We fixed the servers and attacks moved to the client. We fix the OS and attacks move to the applications. First they moved to the browsers. Now they are moving to "plug-ins" and helper applications. Where is the surprise?
- New Threat Smet!
- by Schratboy December 5, 2007 9:02 PM PST
- Crikie! Most IT managers don't even have a freaking handle on the basics let alone worrying about all the so-called new threats. None of the hype matters as long as owners and administrators continue to "Fly Blind" and don't know how their network is being used. Fundamental knowledge is the best defense and doesn't require excessive instrumentation, expensive or technical skill. A little bit of knowledge and policy goes a long way to keeping data and assets safe and risk-free.