AOH :: ISN-3050.HTM

Microsoft's Security Efforts Noted

Microsoft's Security Efforts Noted
Microsoft's Security Efforts Noted,127233-c,privacysecurity/article.html 

Sumner Lemon
IDG News Service
September 22, 2006

KUALA LUMPUR, MALAYSIA -- Code Red, Nimda and Blaster. These 
high-profile worms, which exploited flaws in Microsoft Windows and other 
applications, made Microsoft the butt of security jokes and forced the 
company to reexamine its approach to developing secure software.

"Throughout Microsoft, we thought Windows 2000 was a very solid, 
reliable operating system, perfect for deployment in the enterprise,"  
said Ian Hellen, a security program manager at Microsoft's Windows 
Security Engineering Team. "Those tiny pieces of code were real wake-up 
calls, saying Windows 2000 isn't there yet. It's just not designed to 
cope with these kinds of threats."

That was then. With the commercial release of Vista just months away, 
Microsoft's efforts to improve security are now showing results, though 
much remains to be done by the company, said security experts attending 
the Hack In The Box Security Conference (HITB) here this week.

Recognized Need

"Microsoft has done a left-hand turn in its business and said, 'Right, 
we've got to start building secure applications,'" said Mark Curphey, 
vice president of professional services at McAfee's Foundstone division. 
"They've implemented a very rigorous process across their organization 
and now they're starting to see the benefits of that."

The progress that Microsoft has made can be seen in recent versions of 
software, such as Microsoft Internet Information Services (IIS) 6, which 
has had one high-risk vulnerability uncovered, Curphey said.

"They've done a lot better," said Bruce Schneier, the chief technology 
officer of Counterpane Internet Security.

Curphey and others credit Microsoft's Security Development Lifecycle 
(SDL) software-development process with reducing the number of design 
and coding errors that lead to security vulnerabilities. "We spent a 
long time trying to reorganize our whole development process so that all 
of Microsoft's products, particularly the Windows operating system, is 
reoriented to have security engineering at its core,"  Hellen said.

To some degree, Windows XP Service Pack 2 and Windows Server 2003 
demonstrate how SDL has helped Microsoft improve the security of its 
products. "But it's really only in Windows Vista that we've been able to 
implement this in a comprehensive way," Hellen said, adding there is 
room for further improvement.

Vista Still Needs Help

One security improvement that has yet to be made to Windows Vista is a 
defense against Blue Pill, a prototype technology that uses hardware 
virtualization to install undetectable malware on a computer running the 

Blue Pill, developed by Polish researcher Joanna Rutkowska, was first 
demonstrated using the second beta release of Vista. However, the latest 
pre-production release of Vista, called RC1, does not include defenses 
against Blue Pill, Rutkowska said, adding she was "surprised"  by the 

Blue Pill does not exploit any bugs in Vista, but Rutkowska recommended 
Microsoft disable paging of kernel memory in Vista, which would prevent 
Blue Pill from accessing the operating-system kernel and executing code. 
In response, Microsoft executives attending HITB said the company 
continues work on improving security in Vista, while making no specific 
promise that changes will be made to prevent Blue Pill attacks in the 
production version of Vista.

Microsoft gets credit for improving the overall security of its 
products, but more can be done. However, users must first decide if the 
company's progress in this area is sufficient. "If we think it's enough, 
we're done. If we don't, than we have to do more," Schneier said. 
"They're going to fix the problem to the limit of their economic 

One option is to make vendors like Microsoft liable for the economic 
risks of the security vulnerablilities that users face--something that 
is unlikely to happen given the current political environment, Schneier 
said. "If we want more security, we have to raise the cost of not having 
it," he said.

Visit the InfoSec News store! 

Site design & layout copyright © 1986-2014 CodeGods