Editors' note: This is part 3 in a series examining how Microsoft's security strategy has evolved over the past decade.
REDMOND, Wash.--Microsoft security engineer Robert Hensing had a question for the hundreds of his company's developers seated before him: can a person's PC become infected with a rootkit simply by opening a PowerPoint file?
In the packed conference center, a smattering of developers raise their hands. Nearby, in an adjacent room, where hackers invited to speak at Microsoft's Blue Hat conference watch the presentations on TV, an entire table of hands go up.
"That's one thing I want you to take away from this," Hensing tells the Microsoft developers. "Applications are dangerous."
Indeed, even though Microsoft has spent a fortune securing Windows, experts say that hackers are moving beyond the operating system. Threats such as rootkits, which can corrupt an operating system, can now be transferred by applications or Web-based programs. A new crop of Web-connected mobile devices represent another emerging threat.
"Operating system vulnerabilities are on the decline," Hensing said in his talk at the most recent Blue Hat security conference in September. "Application vulnerabilities are on the rise."
In part, Microsoft is something of a victim of its own success in securing Vista and Windows XP before it. Halvar Flake, a security researcher who attended the latest Blue Hat, estimates the total cost of Microsoft's years-long security push at more than $1 billion, with a significant chunk spent on Vista. George Stathakopoulos, a general manager in Microsoft's security unit, wouldn't say how much Microsoft has spent, but said that it's "a big number."
Flake, CEO of security firm Zynamics, said that all of that spending has paid off. "Vista is the most difficult mainstream OS to break into that I've ever seen," he said. Because it is harder to hack, it is more expensive for criminals to target.
Paradoxically, it's not clear that Vista's improved security is persuading people to move to the operating system any faster. "Security is a tough sell, really," Flake said. "Customers can't really measure it."
Vista's security is likely making life more difficult for hackers. Flake said the malicious side of him "would hope Vista is a huge flop" and, as a result, that no company ever spends that kind of money and effort securing an operating system.
The true measure of the effectiveness of Vista's new security likely won't be measured for years. Microsoft and other vendors often tout how their newest releases have many fewer flaws than previous versions. That's usually true, but it's only part of the picture. Most of the major operating system vendors have seen their total number of vulnerabilities rise since 2004. New operating systems tend to have fewer flaws upon release, but operating systems live for five to seven years.
As a result, operating system makers try to design products to withstand the types of attacks their software may face toward the middle and end of its life--when operating systems are most heavily adopted.
"We're attacking today's problems," said Matt Thomlinson who heads Microsoft's security engineering efforts. "We certainly have to do that. We also need to get ahead."
The attacks themselves, meanwhile, have grown increasingly targeted. From the mass mailers, to broad phishing scams, to more recent attacks aimed at individuals. Experts expect that trend to continue, with malicious software growing ever more evasive.
Malicious software getting more complex
This year marks a turning point, according a report this week from Cisco Systems-owned IronPort Systems. "For a time, security controls designed to manage malware were working," said Tom Gillis, vice president of marketing for IronPort. "Just when malware design seemed to have reached a plateau, new attack techniques have burst forth, some so complex--and obviously not the work of amateurs--they could have only been designed by means of sophisticated research and development."
Modern malicious software, IronPort suggests, borrows many characteristics from today's social-networking sites. They are collaborative and adaptive. Plus, the company said, they fly under the radar, "living on enterprise or residential PCs for months or years without detection."
IronPort sees Trojan horses and malicious software becoming "increasingly targeted and short-lived," which will make them still harder to spot.
Layered atop that trend is the rise of new attacks that target software applications. While there are only a handful of major operating systems, there are literally thousands of applications, some used by millions of people.
Microsoft has spent significant time and money on securing its applications. After the experience of Slammer, for example, the company's SQL Server database became a model within the company for how to adopt secure development. Security researcher Dan Kaminsky, who has also attended Blue Hat and done a significant amount of security consulting for Microsoft, said that SQL Server has made significant gains over Oracle thanks to those improved practices.
The Office team, too, has taken note of the fact that its documents are frequently targeted as means for an attack. One of the less-discussed reasons for Office's new XML file formats, in fact, is that they are designed from scratch to be more secure, according to Microsoft.
Day 1: From pain to progress
Remond's security practices have been transformed since threats like Slammer and Blaster first wormed their way onto the scene.
Day 2: Inviting the hackers inside
Aiming to be more open, company reaches out to the security research community it once kept at a distance.
Day 3: Emerging security threats
Forget widespread worms. Nowadays, limited-scale threats like targeted e-mail attacks are causing the most concern.
Day 1: Inside the war room
After years of having to scramble whenever an outbreak hit, Microsoft builds adjoining situation rooms to coordinate its response efforts.
Day 2: Off to the Limo Races
In what might seem an unlikely pairing, Microsoft employees and security researchers team up to go on a scavenger hunt through Seattle.
Day 3: Meet the bug hunters
One talks a mile a minute, another dresses like a bug. Meet some of the people who have helped lead a massive culture change at the company.
Inside the war room
Painful episodes lead to the creation of a security response center, where teams take on the task of hunting bugs and keeping customers informed.December 3, 2007
The bug hunters
Just who are the people charged with the task of keeping code secure at Microsoft? They're risk takers, whether donning silly costumes or swimming with sharks. December 5, 2007
Editors: Anne Dujmovic, Mike Ricciuti
Design: Andrew Ballagh
Production: Kendra Dodds
11 commentsJoin the conversation! Add your comment