Has Microsoft fixed its security issues?

Microsoft had a big problem 10 years ago. Buggy code was allowing viruses like "CodeRed", "ILoveYou" and "Nimda" to infect millions of computers running its Windows operating system and its web server software.

Major security-related events at Microsoft over the past decade.
(Credit: Microsoft)

Times have changed.

Back then, the steady stream of worm outbreaks, coding glitches that annoyed users and security weaknesses reported by outside researchers was having a steady and negative effect on the company's reputation. Microsoft was everywhere on consumer and corporate PCs worldwide, but the software giant couldn't seem to deliver solid software.

Then came a famous Bill Gates memo on 15 January 2002, which promised to change all that. Gates realised that if the company didn't get its security act together the future of its .NET framework for network services, and the company itself, would be threatened. His company-wide email warned:

As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company.

So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasise security right out of the box, and we must constantly refine and improve that security as threats evolve.

To solve the crisis, the company embarked on a new Trustworthy Computing initiative, which Gates said "is the highest priority for all the work we are doing. We must lead the industry to a whole new level of Trustworthiness in computing".

At the time, security expert Richard Forno cynically told CNET that his gut feeling was that Gates' email was "a PR blitz, pure and simple".

His view has certainly changed 10 years later.

"They fixed parts of Outlook we complained about, and even overcompensated with Windows Vista and the [User Account Control warnings] annoyances there in the name of security," Forno said. "For simple user tasks, such as changing the desktop colour, you had to click through an alert, confirm the action or type in your password."

However, the UAC warnings failed to be effective when people chose to ignore them and just clicked through, so Microsoft toned them down in Windows 7.

"On the whole, they're much improved now than they were then" on security, said Forno, graduate program director for cybersecurity at the University of Maryland in Baltimore County.

Other security experts concur.

"I agree that their products have gotten a lot better. How insecure they still are says a lot about how hard this problem really is," Bruce Schneier, chief security technology officer of BT, said in a backhanded compliment.

"They've turned the ship several degrees towards security, for sure," said Gary McGraw, chief technology officer at consulting firm Cigital. "They are by far the leaders in software security."

Birth of a movement

"They went from being one of the worst companies in security to being one of the best," said Marc Maiffret, founder and chief technology officer at eEye who was a prominent critic of the pre-Trustworthy Computing Microsoft.

At the young age of 21, Maiffret discovered Code Red, the first worm to target a Microsoft platform. He and other hackers were thorns in Microsoft's side, constantly banging on its software to uncover holes and releasing exploits to prompt the company to fix the weaknesses more quickly. After Code Red, Maiffret testified before Congress about the worm menace that was affecting Microsoft customers.

"People were upset [about the security problems] but didn't know how to channel their anger and frustration," largely because Microsoft was the main game in town, he said. "Two weeks leading up to Code Red, peoples' web servers were crashing and they didn't know why. The worm was spreading and infecting computers and the industry was ignorant to what was going on."

When the Gates memo came out, security researchers were thrilled that finally the company was going to start taking security seriously, according to Maiffret. "Finally, there was a breakthrough," he said. "It was the right place at the right time, the birth of a movement."

From that moment on, Microsoft made security a part of the process of building its software, rather than trying to include it as an afterthought. It was a cultural change, and it affected every product and technology the company's engineers worked on. Two technologies in particular have boosted the protection of customers — address space layout randomisation (ASLR) and data execution prevention (DEP).

Meanwhile, the lion's share of vulnerabilities has shifted from Microsoft software to web applications, in part because of Microsoft's security efforts and in part because that is where the user activity is nowadays. Many web application developers don't know how to build software with security in mind, as a veteran like Microsoft does.

Microsoft is also sharing what it has learned, and its tools, with other companies, particularly its partners, whose security vulnerabilities bleed over into its software and customers. Microsoft offers free downloads of its Security Development Lifecycle (SDL) Optimisation Model and its SDL Threat Modelling Tool. In addition, Adobe — whose security problems are reminiscent of Microsoft's circa 2002 — is borrowing some of Microsoft's solutions, such as regular security updates and sharing information on vulnerabilities with vendors ahead of the release of updates so they can fix their software.

"Microsoft put a lot of investment into building the Security Development Lifecycle and learned many lessons along the way on what worked well," said Brad Arkin, senior director, security, Adobe products and services. "In formalising our own secure product life cycle, we were eager to tap into that knowledge instead of reinventing the wheel. This allowed us to spend more time on the actual implementation across all of our product teams."

"The industry looks up to Microsoft, especially from a secure coding perspective," said Nitesh Dhanjani, an executive director at Ernst & Young. "I've had clients tell me they draw inspiration from that. They've seen results in the sense that fixing bugs earlier in the life cycle is worth the effort by saving money and protecting data."

Rather than view security researchers as the enemy, Microsoft embraces them as the valuable partners they can be. The company invites researchers to speak at a Blue Hat conference it hosts annually on its campus and to brief engineers on different hacking techniques, said Jeff Jones, director of Trustworthy Security at Microsoft. And at the Black Hat conference last year the company announced a new US$250,000 Blue Hat prize for the best example of security defence research. The company has also been aggressive in using technology and innovative legal means to take down botnets.

Microsoft isn't resting on its laurels, though, and has affirmed its commitment to security in another company-wide email sent recently.

"'TwC Next', the ensuing decade-plus of Trustworthy Computing, will focus on the new world of devices and services," wrote Craig Mundie, chief research and strategy officer at Microsoft. "Everyone at Microsoft and the entire computing ecosystem has a role to play."

"We are equally committed to taking lessons learned and this foundation we've built and applying it to computing going forward for the next 10 years," Jones said.

In a world where smartphones and social networking dominate people's lives, Microsoft will work to provide secure software regardless of the application or device.

"There is a dependency on computing that didn't exist 10 years ago," Jones said. "We've learned ... that trust of our customers is the greatest asset a company can have."

The Gates security email changed the entire software industry, Forno said.

"The Trustworthy Computing thrust by a major vendor brought security into the forefront of the public eye," he said in an interview. "That is probably the lasting outcome. That memo 10 years ago raised the level of awareness about security in computing to the internet security community at large."

Via CNET

Talkback

STOP - the REAL question is what happened to "Palladium" / Next Generation Secure Computing Base (NGSCB) at Microsoft (which actually got top attention by NewsWeek magazine at the time)?
The "chart" in the ZDNet report conveniently removes the whole of this VITAL effort, including the Intel and other group collaboration, the Trusted Computing Group - TCG - on the TPM or "Trusted Platform Module" - that was aimed at REAL security from the base up and which now is included on many motherboards and laptops, etc.

This was Microsoft's REAL effort to incorporate security where it is MOST NEEDED - at the base OS services area from the "ground up", e.g. isolation of device drivers, system services, separation of code segments (remember the Intel architecture provided basic memory security through "segmentation" with appropriate memory usage enforcement such as code vs data vs stack, etc.), trusted paths between IO device and process, enabling such REAL protection technology as "PINPad on the keyboard", etc AND there were 4 protection rings in the CPU - Microsoft ignored that!
Just a few quotes re NGSCB:
"NGSCB also relies on a curtained memory feature provided by the CPU. Data within curtained memory can only be accessed by the application to which it belongs, and not by any other application or the Operating System."
".....the Windows API has developed over many years and is as a result extremely complex and difficult to audit for security bugs. To maximise security, trusted code is required to use a smaller, carefully audited API..."

To quote from "Wikipedia" -
"Microsoft has not published any materials regarding NGSCB on their MSDN site since March 2004, and none of the principal features described in the existing NGSCB materials have appeared in the two major versions of Windows since 2004 (Windows Vista and Windows 7)."

Please ZDNET - let's get the REAL story out for the community and industry alike - some real investigative journalism, e.g. publish the design chart from Microsoft for NGSCB (it's readily available on the Web and quite colourful), find out what happened to it all and why, etc. Look at the development of SELinux, the "Security Extended LINUX" system, as an alternative at the time, and see this all in context over the last 10 years.

14011401 January 13th, 2012

"I agree that their products have gotten a lot better. How insecure they still are says a lot about how hard this problem really is."

SabrinaSSabrinaS February 7th, 2012
