
Microsoft Earns Merit Patches for Security

But is Redmond’s medicine the right pill for dealing with new exploits?

May 1, 2007 — Microsoft has taken a lot of hits for perceived lack of security in its software. In response, Bill Gates gave the company’s security experts carte blanche to change that perception by improving the security of its products. Over time, this resulted in the remediation process that its Security Response team follows today. But is that process effective enough to protect customers?

When either the security community or its own internal experts discover a potential problem, the team takes the lead and starts a process that begins with triaging the issue and then coordinates the security response activities that follow.

The team’s first priority is scoping the exploit. After an issue is discovered, it passes through triage, and product-specific security experts are designated to investigate the scope and impact of the threat on an affected product, before the Secure Windows Initiative team evaluates the overall impact it may have on other Microsoft products, said Mark Miller, director of the Microsoft Security Response Center (MSRC).

Mike Reavey, operations manager of MSRC, expounded on this process in an April 3 Security Response Center Blog posting discussing a flaw in the way that Windows handles animated cursors and what Microsoft has done about it.

Reavey wrote in his blog that the team “drives for release” after it determines the vulnerability can be reproduced. The remediation is prioritized based upon severity, said Miller, analogous to the way hospital emergency rooms prioritize their critically ill patients. But exploits, like illnesses, can be evasive: The exact number of the afflicted is not always known up front.

From the start of the process, all possible surrounding issues are investigated. The triaging emphasizes the discovery of as many related issues as is possible. Often, this means that related vulnerabilities must be resolved to completely solve the problem, due to dependencies between Windows and other Microsoft products, Reavey wrote in his blog.

For example, MS07-017, the remedy for the animated cursor exploit, fixed not one but seven vulnerabilities. Reavey explained, in his blog, that Microsoft’s customers want security updates to be as comprehensive as possible. “Customers do not want to have to apply multiple updates to address issues in the same components.”

The next step in Microsoft’s investigative process is to create and test security updates, a process that Reavey wrote takes an average of two months for Windows-related updates, involving hundreds of individuals worldwide. Reavey acknowledged that the testing process can run a longer course when updates modify functionality that is “pervasive and core to the operating system.”

In the case of an exploit where customers are exposed to imminent risk, the level of urgency decides Microsoft’s willingness to “shortcut” steps in the process—such as quality testing—to release on a faster timeline. The team weighs risk versus comprehensiveness when customers are vulnerable to exploits, Reavey wrote.

MICROSOFT’S FALLOUT
Microsoft Product Support Services and the company’s Security Response Team work collectively to distribute prescriptive information to customers. “We have made a number of enhancements over the last year to provide quality information to customers, particularly when issues require real-time clarity and guidance, such as through security advisories, the MSRC blog, publishing incident pages, Webcasts, RSS feeds and syndication of our content,” Miller said.

Once a patch is released, Microsoft’s Security Engineering Strategy team works to prevent recurrence by establishing new processes and tools, and builds defensive measures against similar threats into upcoming products, Miller added.

Another group decides whether or not Microsoft is providing enough defense-in-depth: the right security products and services to protect customers against emerging threats. The Trustworthy Computing Team looks outside of itself and works with the industry to, as Miller said, “improve the security of the Internet ecosystem.”

If there is a suspicion that criminal activity is involved, said Miller, Microsoft cooperates with law enforcement worldwide to track down malicious users and activity that it believes threatens its customers.

IS IT ALL WORKING?
Gary McGraw, CTO of the security firm Cigital, remarked that the biggest issue Microsoft faces is that of backward compatibility. McGraw compared Microsoft to an aircraft carrier. “They can try to do security-by-design and do a pretty good job, but they have all of this momentum from so many years that will make it a challenge for them,” he said.

McGraw continued his assessment, “They are doing much more than paying lip service, as they had done for years. They changed their software development process to introduce security touch points, like performing code reviews and risk analysis, and have trained all their developers on security. They are very active trying to do things, but it just turns out to be hard, especially with all of that momentum.”

Illuminata founder and principal IT adviser Jonathan Eunice was more critical of Microsoft. “The major bugs and exposures keep being discovered and exploited at a very rapid pace—the design-for-security approach isn’t working—or at the very least, isn’t working well enough,” Eunice said in an e-mail.

People Security’s chief security strategist, Herbert H. Thompson, believes that Microsoft’s security-by-design initiative, planning security into products, has substantially reduced vulnerabilities. He credits the maturity of its product development life cycle and “unlimited management buy-in.” Thompson said that a major difference between Microsoft and other software vendors is that it has one of the most mature security processes in the security development life cycle.

But Thompson questioned whether the software giant has worked to prevent the vulnerabilities that affect its customers. “From the software perspective, how well you think they are doing on [security] is influenced by how you measure whether it’s working or not.”

He explained: “There are more zero-day vulnerabilities being exploited than in the past. In the past, the things people had to worry about were worms, but those came long after Microsoft patched and fixed the issue. From a consumer standpoint, [the problem] was that individual companies were so slow at deploying patches, and not Microsoft’s fault. Nowadays, many zero-days [newly disclosed exploits] are actively being exploited in the field.”

The problem today is that the environment changed out from under Microsoft, said Thompson. Thompson cites a shift in attacker motivations, away from disgruntled systems administrators and “script kiddies” to the financially motivated hacker. “Some of the rootkit providers offered service-level agreements. The shift to the economically motivated attacker has really put pressure on folks like Microsoft,” Thompson remarked.

As a result, Thompson said, malicious users are looking more than ever before at browser and application-level vulnerabilities, because “that is where the money is for them.” He believes that Windows Vista’s browser constraints signal maturity in Microsoft’s thinking, and that the company has resigned itself to vulnerabilities; he credits Microsoft for reducing their impact on the operating system.

Thompson sees one bright side: for many organizations, secure means compliant with federal and state laws requiring disclosure of data exposure, and there is now a business case built around security. “Being incompliant has consequences,” he noted.

McGraw advocates shared responsibility for security. “People should not take a look at Microsoft and say, ‘We need to figure out if they can do software security before we embark on our own.’ They need to understand that they have got to address software security today,” he argued.
