Feeds

Microsoft's New Security Mojo

  • alert
  • submit to reddit

Protecting against web application threats using SSL

Opinion Recently, Microsoft announced a program to offer rewards in exchange for information leading to the arrest and conviction of those who exploit its flagship Windows product through viruses, worms, and other forms of malicious code. Yet, despite the software giant's own executives saying publicly over a year ago that their products "weren't designed for security" the company continues to point fingers at third parties, hackers, and crackers as the source of the many problems plaguing the Windows-based portions of the Internet. It also demonstrates the ineffective organized chaos that remains Microsoft's response to the marketplace demands for better-developed, better-tested products.

Security (or lack thereof) in Microsoft's products has adversely impacted corporate profits for years, and finally is beginning to affect Microsoft's future profit potential as well. As a result, Microsoft suddenly is committed to improving security, despite its years of sitting idle. Hence the company's mad rush to inject "security" into every product, speech, and statement to reassure its customers that Windows is still a worthy operating environment to spend money on. It's even sponsored an upcoming report critical of Linux security to help spread fear, uncertainty, and doubt about Microsoft's chief competitor and underscore why Windows is a better product. Sadly, rather than address its own problems, the company is content to use creative marketing as a substitute for good security and software development.

The problem isn't that virus-writers are exploiting Windows, it's that Microsoft makes Windows easy to exploit by anyone with a modicum of programming know-how -- and instead of accepting responsibility, the company is trying to pass the blame for such problems off onto others. Creating a rewards program is a clever, low-cost way of diverting public attention away from the many problems resulting from its history of exploit-friendly programming practices so it doesn't have to address the root causes that forced the creation of the rewards program in the first place. It also allows the company to portray itself taking the moral high ground (albeit illusory) in its approach to proactive product security.

The rewards program builds on the company's recent announcement to convert its traditional as-necessary security bulletin and patch-release process into a predictable monthly one. Interestingly, Microsoft's October 2003 white paper discussion of the new security release process says this will make it easier for customers to stay current through a single cumulative monthly patch that fixes reported problems in Windows. That sounds perfectly reasonable until one reads that "Microsoft will make an exception to the above release schedule if we determine that customers are at immediate risk from viruses, worms, attacks or other malicious activities. In such a situation Microsoft may release security patches as soon as possible to help protect customers."

Given that the majority of Microsoft security bulletins deal with these very problems, one wonders if this new policy really makes a difference by improving security or if it means that to reduce the number of security bulletins (and associated negative media coverage) Microsoft will be more selective in what it deems an "immediate risk" to customers. It's likely that the company will seldom release a bulletin-patch outside of its assigned monthly schedule, since it would not only undermine its new policy but put it in the unfortunate position of having to defend what makes one problem "more critical" than another and warrant a special release.

Admittedly, a monthly patch-release schedule may make it easier for customers to stay current, but also means that a potential adversary knows exactly when to release his next malicious code or exploit technique to the world. Network administrators likely will resent being kept in the dark between monthly patches, never knowing if their networks are endangered or being compromised until the next security bulletin is announced.

Patching aside, it's more interesting - and seems very convenient - that the company responsible for the majority of digital problems in cyberspace in recent years is now offering a remedy for these recurring problems in the form of Trustworthy Computing and the next version of Windows code-named Longhorn. Of course, to receive this much-desired increase security, users must pay for it via a product upgrade. Unless I'm mistaken, this sounds a bit like the Mafia offering "protection" services to local neighborhood businesses to protect against security problems it creates (or tolerates) as a form of revenue. Pay for your "protection" or be "at-risk" (wink-wink) until you do.

Microsoft has an established history of such sneaky practices to get what it wants from its customers. Remember that over a decade ago, the company intentionally caused early versions of Windows to display error messages if installed on anything other than the Microsoft version of DOS - once users installed MS-DOS, the error messages disappeared. More recently, to fix a series of critical vulnerabilities in the Windows Media Player last year, Microsoft forced users to accept the imposition of new and controversial digital rights management (DRM) software as part of the security "fix." Of course, users were free to not install the fix if they didn't want the DRM software on their systems, but would remain at-risk to attack and exploitation from any number of criminals on the Internet as a result.

This brings up the question of how the definition of "security" is changing to fit marketplace needs. The MSDN website shows DRM is a core 'security' function of Longhorn that runs in what Microsoft calls the Secure Execution Environment. The very fact that an operating system - the engine that runs our computers and touches everything we do on them - is based on a DRM foundation (with "hooks" for third parties including Microsoft to determine what may be done with what information on a computer) is frightening. Ask any objective security professional -- DRM should not be viewed as a function of security but rather an add-on function of revenue protection for those industries based on digital content.

Home and business users alike should not be forced into a Mafia-like protection agreement to be secure in cyberspace. Nor should the fundamental definition of security be extended - or twisted - to include invasive mechanisms of profit-protection for industries unable to adapt their business models for the Information Age. Until Microsoft takes a realistic view of security and defines effective real-world ways of improving product security in the present day - such as cleaning up the existing Windows code instead of greedily forcing mass upgrades - its existing customers will be reluctant to adopt a newer version of the Windows product line no matter what the speeches and marketing material promise.

Microsoft chairman Steve Ballmer recently said the company's rewards program makes it clear that Microsoft is "taking security seriously." What he meant to say was that it's clear that Microsoft is taking its security reputation seriously. That's a big difference.

Copyright (© 2003 by author. Permission granted to reproduce in entirety with credit to author.

RRichard Forno is consulting, lecturing, and writing in the Washington, DC area. His areas of expertise include information security program development and management (emphasis on incident response & security awareness,) information operations, trend analysis, and critical infrastructure protection. More biog here.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.