By Sam Varghese
October 22, 2005
(Microsoft general manager for security George) Stathakopoulos takes
pride in the achievement (number of security bulletins issued), as
when he notes that he has been involved in shipping more compact discs
- Windows software - than the Beatles, Rolling Stones and Madonna
combined. - The New York Times
Initially, one could well be forgiven for thinking that the sentence
above was drafted by some spinmeister. It is the last bit in a tale
about a meeting Microsoft held recently with independent security
researchers, most of them former black hats. The meeting is called a
Blue Hat briefing.
This is the second such publicised meeting, part of a media offensive
to spread the idea that Microsoft is taking security seriously. The
reality is different.
In January 2002, Microsoft announced what it called a Trustworthy
Computing Initiative. The term was trademarked, a paper published and
everyone was made to feel that the company would be taking steps to
improve the abysmal security of its products. The years 2000 and 2001
were horror years for Microsoft, with one worm after another affecting
one product or the other and users taking a beating as the malware
Three years on, it doesn't look like too much has changed. There is,
and has, been a lot of talk but the company still appears to treat
security as a PR issue, much the same way that it did before the
trademarking of TCI.
Security holes continue to appear as frequently - or sometimes even
more frequently - as before in Microsoft's products and the only
reason large-scale disruption doesn't become visible is because those
who exploit the flaws are nowadays geared towards making money. The
trend now is more or less uniformly towards using vulnerabilities for
pecuniary gain - for example, by creating zombies that can be used to
It is relatively safe to do this: no company which has been held
ransom in this manner is going to complain. Once a company that does
business of any kind online is known to have poor security, the
chances of improving its business prospects often lessen dramatically.
One of the more recent examples is that of Cardsystems, a US company
handling credit card validation. A leak of card numbers earlier this
year has hit the company badly and it is now about to be taken over.
The company was running its databases on Microsoft's operating
Thus the extent of electronic fraud remains largely unknown. And
companies such as Microsoft are able to boldly claim that flaws in
their products are not known to have been exploited. Yet it is easy to
find on the web - at times in password-protected sites - and in
chatrooms, exploit after exploit for common vulnerabilities that have
yet to be patched.
eEye Digital Security has for years been informing the public 
about holes in Microsoft's products. Right now, there are many in that
list, some pending for nearly seven months. That the company will not
patch these flaws is not surprising; after all, the security advisory
site Secunia estimates that fully 30 per cent of 70 Internet Explorer
flaws posted since 2003 remain unpatched. Security through obscurity
is not possible these days so security through denial is practised
One way of avoiding the obvious is meeting people from the black hat
community who have now gone into business for themselves and are no
longer crackers - these meetings are apparently meant to indicate that
Microsoft takes security seriously. The Blue Hat briefings have got
their requisite publicity through largely unquestioning media outlets
- but whether anything positive actually happens as a result is
largely unknown. It looks like a means of getting people who could be
a problem on-side.
And there is of course the positive spin that publications, often
so-called reputable outlets such as the New York Times (which firmly
believed in the existence of WMD in Iraq) provide. The quote at the
start of this piece is one such an example - it's cute. It fudges the
fact - that security is precisely where it was in 2002 and, in fact,
is much worse.
The future direction that Microsoft will take has been indicated by
its choosing executives with strong business and marketing backgrounds
to head the three divisions of the company, following a reorganisation
last month. The last genuine techie among the crowd, Jim Allchin, will
retire next year. And the goal of the restructuring? To get products
faster to market. Not better products, just those that can come off
the conveyor belt faster.
The next version of Windows will surely be more secure than its
predecessors. And I believe strongly that Santa Claus will bring me
that new laptop for Christmas.
InfoSec News v2.0 - Coming Soon!