
Microsoft unveils details of software security process

Give us back our raw sockets, users say


Vancouver, CANADA - Microsoft revealed on Thursday (5 May) some details of the company's struggle to develop Service Pack 2, the massive security update released last August to harden Windows XP.

Among the revelations: The software giant made more than 400 significant changes to the way Windows XP operates in the name of security and eliminated two entire classes of flaws in the operating system, according to Window Snyder, security strategist for Microsoft, who discussed the details during a presentation at the CanSecWest conference in Vancouver.

The lesson for business users and consumers is to "upgrade, if you haven't already," she told attendees at the conference. "We can say forever that Windows XP is more secure and we are putting a lot of work into it, but if you don't have any context into what we are doing, I know it is tough to believe that."

Microsoft released Windows XP Service Pack 2, frequently referred to as SP2, in August after pledging to improve the security of its flagship desktop operating system as part of the company's Trustworthy Computing Initiative. The initiative and the development of both SP2 and Windows 2003 led to many changes in the software giant's process and culture, Snyder said.

For example, the company has put security ahead of product schedules, she said. During SP2 development, as the company neared its original release date, an outside security firm doing code analysis found a slew of flaws belonging to a class of vulnerabilities known as integer overflows, in which an arithmetic result too large for its type wraps around, so that a length or buffer-size check that looks correct in the source quietly lets an oversized copy through. When Microsoft started reviewing other parts of the code, the company found that the flawed components were not isolated cases.

"We started seeing them (integer overflows) in a lot of different places ... we realized we weren't looking for them the same way we were looking for other things," Snyder said. The company decided that fixing the problems was more important than keeping the original product schedule, she added. "We slipped six weeks just for this ... but it was the right thing to do."
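The shape of the bug class Snyder describes, as an added example that is not code from the article or from Windows: a message parser whose bounds check is present but compares against a wrapped product. The message format (a 4-byte little-endian record count followed by 16-byte records) and the sample counts are constructed for the demonstration; 32-bit unsigned arithmetic is used deliberately so the wrap is the same on any host, as it was in XP-era 32-bit code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of the constructed message (not a real protocol): a 4-byte
 * little-endian record count, then `count` records of REC_SIZE bytes. */
#define REC_SIZE 16u
#define MSG_CAP  64u

static uint8_t g_msg[MSG_CAP];

/* Build a constructed message carrying the given count in its header.
 * Returns a pointer to a static buffer; the caller chooses msg_len. */
const uint8_t *constructed_message(uint32_t count) {
    memset(g_msg, 0, sizeof g_msg);
    g_msg[0] = (uint8_t)(count);
    g_msg[1] = (uint8_t)(count >> 8);
    g_msg[2] = (uint8_t)(count >> 16);
    g_msg[3] = (uint8_t)(count >> 24);
    return g_msg;
}

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unsigned multiplication wraps modulo 2^32: for count = 0x10000001 the
 * product 0x100000010 comes back as 16. Wrapping is defined behaviour for
 * unsigned types, which is exactly why no compiler warns about it. */
uint32_t record_bytes_wrapping(uint32_t count) {
    return count * REC_SIZE;
}

/* 1 if count * REC_SIZE does not fit in 32 bits. Divide, do not multiply:
 * the check must never perform the arithmetic it is guarding. */
int record_bytes_would_wrap(uint32_t count) {
    return count > UINT32_MAX / REC_SIZE;
}

/* Vulnerable pattern: the length check is present, but it compares against
 * the wrapped product, so a huge count is accepted and a later per-record
 * loop would walk far past msg_len. Returns 1 if the message is accepted. */
int validate_unchecked(const uint8_t *msg, size_t msg_len) {
    if (msg_len < 4) return 0;
    uint32_t count = read_le32(msg);
    uint32_t bytes = record_bytes_wrapping(count);
    return 4u + (uint64_t)bytes <= msg_len;
}

/* Hardened pattern: refuse any count whose product would wrap before doing
 * any size arithmetic, then bound-check the true size. */
int validate_checked(const uint8_t *msg, size_t msg_len) {
    if (msg_len < 4) return 0;
    uint32_t count = read_le32(msg);
    if (record_bytes_would_wrap(count)) return 0;
    uint32_t bytes = count * REC_SIZE;
    return 4u + (uint64_t)bytes <= msg_len;
}

int main(void) {
    const uint32_t counts[] = { 1u, 2u, 0x10000001u };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        const uint8_t *m = constructed_message(counts[i]);
        printf("count=0x%08x wrapped_bytes=%u unchecked=%d checked=%d\n",
               counts[i], record_bytes_wrapping(counts[i]),
               validate_unchecked(m, 32), validate_checked(m, 32));
    }
    return 0;
}
```

With a 32-byte message, a count of 1 passes both validators and a count of 2 fails both, as expected; a count of 0x10000001 passes the unchecked validator because its product wraps to 16, and only the divide-first check rejects it. Finding every site of this pattern is a grep-and-audit job rather than a single fix, which is consistent with the six-week slip described above.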

Snyder, who said her first name is an ode to California culture and not to her current employer, described other changes made to further harden Windows XP. In all, the software giant changed or removed 428 software features in the operating system to reduce potential vulnerability, she said. Of those design change requests -- referred to internally as DCRs -- 51 were in Internet Explorer and 107 were in the networking functions of Windows XP.

Moreover, the company found and fixed two classes of vulnerabilities that have not been discovered elsewhere, she said.

"These are entire classes of vulnerabilities that I haven't seen externally," Snyder said. "When they found these, (the developers) went on a mission, found them in all parts of the system, and got rid of them."

Snyder remained mum on the details, however, even giving the families of vulnerabilities fake code names: "Ginger" and "Photon."

However, the decisions made by Microsoft in pursuit of a safer operating system had some attendees up in arms. Several attendees took Microsoft to task for its removal of a versatile networking feature known as raw sockets in the latest round of patches to Windows XP. Operating systems that support raw sockets, as Windows XP did until the latest update, let an application send and receive packets below the transport layer, building its own IP and protocol headers instead of having the TCP/IP stack build them. That is what port scanners, packet-crafting tools and traffic analysers rely on, but it also lets a malicious program forge packets with a spoofed source address or emit traffic that no ordinary TCP or UDP socket would produce.
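What a raw socket actually hands to the application, as an added example that is not code from the article, from Microsoft or from Rapid7: with IP_HDRINCL the sender fills in the entire IPv4 header itself, including the source address, and the kernel's only contribution is a privilege check when the socket is opened. The code below is Linux/POSIX (the Winsock equivalent is SOCK_RAW with the same IP_HDRINCL option); the addresses are from the RFC 5737 documentation range, the known-answer header is the common textbook IPv4 header with its checksum zeroed, and nothing is transmitted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

/* IPv4 header, 20 bytes, no options; multi-byte fields in network order. */
struct ipv4_hdr {
    uint8_t  ver_ihl;
    uint8_t  tos;
    uint16_t total_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  proto;
    uint16_t checksum;
    uint32_t saddr;
    uint32_t daddr;
};

/* RFC 1071 one's-complement checksum over big-endian 16-bit words,
 * returned in host order. */
uint16_t ip_checksum(const void *data, size_t len) {
    const uint8_t *p = data;
    uint32_t sum = 0;
    while (len > 1) {
        sum += ((uint32_t)p[0] << 8) | p[1];
        p += 2;
        len -= 2;
    }
    if (len)
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xFFFFu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Known-answer vector: the textbook header 192.168.0.1 -> 192.168.0.199,
 * UDP, total length 0x73, checksum field zeroed; expected result 0xB861. */
const uint8_t kKnownHeader[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7
};

/* Fill a header the way a raw-socket sender must: the application, not the
 * stack, chooses every field, including the source address. That is what
 * makes raw sockets useful to scanners and dangerous in spoofing malware. */
void build_ipv4_header(struct ipv4_hdr *h, const char *src, const char *dst,
                       uint8_t proto, uint16_t payload_len) {
    memset(h, 0, sizeof *h);
    h->ver_ihl   = 0x45;                        /* IPv4, IHL = 5 words */
    h->total_len = htons((uint16_t)(sizeof *h + payload_len));
    h->id        = htons(0x1234);
    h->frag_off  = htons(0x4000);               /* DF set */
    h->ttl       = 64;
    h->proto     = proto;
    h->saddr     = inet_addr(src);              /* whatever the caller says */
    h->daddr     = inet_addr(dst);
    h->checksum  = htons(ip_checksum(h, sizeof *h));
}

/* A receiver sums the whole header; a correct checksum yields 0. */
uint16_t verify_ipv4_header(const struct ipv4_hdr *h) {
    return ip_checksum(h, sizeof *h);
}

/* Build a header whose source address is not ours and confirm it still
 * verifies: nothing in the header itself prevents spoofing. Returns 1. */
int spoofed_header_verifies(void) {
    struct ipv4_hdr h;
    build_ipv4_header(&h, "192.0.2.1", "192.0.2.2", IPPROTO_UDP, 8);
    return verify_ipv4_header(&h) == 0 && h.saddr == inet_addr("192.0.2.1");
}

/* Opening the socket is the privilege boundary: IPPROTO_RAW plus IP_HDRINCL
 * needs root or CAP_NET_RAW on Linux. Returns the descriptor or -1. */
int open_raw_ipv4_socket(void) {
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0) return -1;
    int one = 1;
    if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void) {
    printf("known-answer checksum: 0x%04x (expect 0xb861)\n",
           ip_checksum(kKnownHeader, sizeof kKnownHeader));
    printf("spoofed header verifies: %d\n", spoofed_header_verifies());
    int fd = open_raw_ipv4_socket();
    if (fd < 0) {
        perror("raw socket unavailable to this user");
    } else {
        printf("raw socket opened (fd %d); not sending anything\n", fd);
        close(fd);
    }
    return 0;
}
```

Run as an unprivileged user the socket call fails and the program still builds and verifies the header, which is the point: the header-level capability and the privilege gate are separate things, and the SP2 change the attendees objected to moved the gate, not the protocol. Products that legitimately need the capability (scanners, packet filters, analysers) have no way to distinguish themselves from a spoofer at this layer, which is why the debate in the following paragraphs has no clean technical resolution.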

One attendee criticized the move away from raw sockets as sacrificing legitimate security firms' needs in order to secure less knowledgeable users.

"We are a security company, a lot of people here sell security software - if it's going to work under Microsoft a lot of that stuff needs raw sockets," said Chad Loder, principal engineer for software security company Rapid7. "What happened with us is that it broke our customers' applications."

Microsoft currently tells companies that need raw sockets support to move their applications to Windows 2003, but will not promise that raw sockets will be available in that version of the operating system much longer. "People are either going to use Windows 2000 or, as we are considering doing, move over to Linux," Loder said.

Microsoft's Snyder said the company was in the midst of an internal debate over whether and how to continue support for raw sockets.

"There is a lot - a lot - of debate going on regarding raw sockets," she said. "I can't say what the resolution is going to be in the future, however."

Weighing the impact of such changes is the hardest job for the product teams at Microsoft, Snyder said. A lot of legacy code still remains in Windows XP because the company cannot risk breaking customers' applications, she explained. However, the company aims to mitigate the risk of the older code either by continuing to rewrite it or by installing the code only when the user requests it.

"Every time we rip a feature out because it is old and we don't think anyone is using it, our customers scream that they are using it," she said. "And over the lifetime of Windows, that adds up to a significant code base."

Copyright © 2005, SecurityFocus
