Editors' note: This is part three in a series examining how Microsoft's security strategy has evolved over the past decade. Read part one here, and part two here.
Microsoft security engineer Robert Hensing had a question for the hundreds of his company's developers seated before him: can a person's PC become infected with a rootkit simply by opening a PowerPoint file?
In the packed conference centre, a smattering of developers raise their hands. Nearby, in an adjacent room, where hackers invited to speak at Microsoft's Blue Hat conference watch the presentations on TV, an entire table of hands go up.
"That's one thing I want you to take away from this," Hensing tells the Microsoft developers. "Applications are dangerous."
Indeed, even though Microsoft has spent a fortune securing Windows, experts say that hackers are moving beyond the operating system. Threats such as rootkits, which can corrupt an operating system, can now be transferred by applications or Web-based programs. A new crop of Web-connected mobile devices represents another emerging threat.
"Operating system vulnerabilities are on the decline," Hensing said in his talk at the most recent Blue Hat security conference in September. "Application vulnerabilities are on the rise."
In part, Microsoft is something of a victim of its own success in securing Vista and Windows XP before it. Halvar Flake, a security researcher who attended the latest Blue Hat, estimates the total cost of Microsoft's years-long security push at more than $1 billion, with a significant chunk spent on Vista. George Stathakopoulos, a general manager in Microsoft's security unit, wouldn't say how much Microsoft has spent, but said that it's "a big number."
Flake, CEO of security firm Zynamics, said that all of that spending has paid off. "Vista is the most difficult mainstream OS to break into that I've ever seen," he said. Because it is harder to hack, it is more expensive for criminals to target.
Paradoxically, it's not clear that Vista's improved security is persuading people to move to the operating system any faster. "Security is a tough sell, really," Flake said. "Customers can't really measure it."
Vista's security is likely making life more difficult for hackers. Flake said the malicious side of him "would hope Vista is a huge flop" and, as a result, that no company ever spends that kind of money and effort securing an operating system.
The true effectiveness of Vista's new security likely won't be known for years. Microsoft and other vendors often tout how their newest releases have many fewer flaws than previous versions. That's usually true, but it's only part of the picture.
Most of the major operating system vendors have seen their total number of vulnerabilities rise since 2004. New operating systems tend to have fewer flaws upon release, but operating systems live for five to seven years.
As a result, operating system makers try to design products to withstand the types of attacks their software may face toward the middle and end of its life -- when operating systems are most heavily adopted.
"We're attacking today's problems," said Matt Thomlinson, who heads Microsoft's security engineering efforts. "We certainly have to do that. We also need to get ahead."
The attacks themselves, meanwhile, have grown increasingly targeted, moving from mass mailers to broad phishing scams to more recent attacks aimed at individuals. Experts expect that trend to continue, with malicious software growing ever more evasive.
Malicious software getting more complex
This year marks a turning point, according to a report this week from Cisco Systems-owned IronPort Systems.
"For a time, security controls designed to manage malware were working," said Tom Gillis, vice president of marketing for IronPort. "Just when malware design seemed to have reached a plateau, new attack techniques have burst forth, some so complex -- and obviously not the work of amateurs -- they could have only been designed by means of sophisticated research and development."
Modern malicious software, IronPort suggests, borrows many characteristics from today's social-networking sites. It is collaborative and adaptive. Plus, the company said, it flies under the radar, "living on enterprise or residential PCs for months or years without detection."
IronPort sees Trojan horses and malicious software becoming "increasingly targeted and short-lived," which will make them still harder to spot.
Layered atop that trend is the rise of new attacks that target software applications. While there are only a handful of major operating systems, there are literally thousands of applications, some used by millions of people.
Microsoft has spent significant time and money on securing its applications. After the experience of Slammer, for example, the company's SQL Server database became a model within the company for how to adopt secure development. Security researcher Dan Kaminsky, who has also attended Blue Hat and done a significant amount of security consulting for Microsoft, said that SQL Server has made significant gains over Oracle thanks to those improved practices.
The Office team, too, has taken note of the fact that its documents are frequently targeted as a means of attack. One of the less-discussed reasons for Office's new XML file formats, in fact, is that they are designed from scratch to be more secure, according to Microsoft.










Hold on?
Where is the real investigative reporting?
This whole series seems to equate overall systems security with software quality and bug patching. The following quote from the 3rd part says it all:
"Threats such as rootkits, which can corrupt an operating system, can now be transferred by applications or Web-based programs."
Hold on!! This alludes to a long known and fundamental principle of secure systems design - unprivileged cannot interfere with privileged or other structures. That was the basis of Multics 40 years ago and the basic principle of the design of the security structure of the Intel IA-32 CPUs (Yes - from the 286 to the Pentium). This reference is NOT a realization that security problems have moved to applications. Rather, it emphasizes even more that operating system security and isolation is fundamental. An application MUST NOT BE ABLE TO DO THAT - i.e. insert a root-kit.
Security involves a specific attention to basic hardware and software architecture - systems that are tolerant of software bugs! No - software quality and patching ARE NOT the base for security architecture. This was even admitted by Microsoft with its Palladium / NGSCB project and the associated Intel LaGrande hardware (whatever happened to all that in Vista??)
These three articles just do not even mention any of this - a basic failure of investigative reporting giving a distorted view of real security needs and what actually happened at Microsoft.
Remember mandatory device driver signing for Windows 32 bit sub-systems?
Sad - I expected a far better analysis of the last 10 years of "security" - sorry, software quality analysis - at Microsoft from ZDNet/C/Net.