Microsoft to Focus on Security

Anonymous Minion writes: "The Associated Press is reporting that Bill Gates announced to employees Wednesday a major strategy shift across all its products to emphasize security and privacy over new capabilities. In e-mail to employees, Gates referred to the new philosophy as "Trustworthy Computing" and called it the "highest priority". Gates said the new emphasis was "more important than any other part of our work."" People criticized Microsoft for treating security breaches as a public relations problem, so Bill Gates sent this email out to the Associated Press to prove them wrong. (rimshot!) Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.

Writing Secure Code

[hogsback]

A couple of Microsoft's security people published a book - Writing Secure Code - recently.
It's obviously Windows biased with respect to code samples, but it's actually very good.

Now they just need to read it themselves - for example, all the vulnerabilities exploited by the universal plug and play fiasco (buffer overruns, trusting untrustworthy data and denial of service attacks) are well described in the book,

Re:Writing Secure Code

[cooldev]

To whet your appetite, a little excerpt from the beginning about how quickly machines get attacked:

Surely, no one will discover a computer slipped onto the Internet, right? Think again. The Windows 2000 test site was found almost immediately, and here's how it happened... Someone was scanning the external IP addresses owned by Microsoft. That person found a new live IP address; obviously, a new computer had been set up. The person then probed various ports to see what ports were open, an activity commonly called port scanning. One such open port was port 80, so the person issued an HTTP HEAD request to see what the server was; it was an Internet IIS 5 server. However, IIS 5 had not shipped yet. Next the person loaded a Web browser and entered the server's IP address, noting that it was a test site sponsored by the Windows 2000 test team and that its DNS name was www.windows2000test.com. Finally the person posted a note on www.slashdot.org, and within a few hours the server was being probed and flooded with IP-level attacks.

Thoughts

[cascino]

First of all, it truly scares me that Bill Gates's announcement that Microsoft will "empasize security and privacy over new capabilities" is considered, in his own words, to be "a major strategy shift." Any reasonable developer knows that security is an inherent part of every feature - not a feature in itself.
Second of all, it can't be said that this is the first time a company has put forth a gung-ho effort (if that is even the case) to secure their products - Oracle's Unbreakable database is clear evidence of this. To me, this seems Microsoft has placed itself further into the security spotlight, and that more holes will be exposed as a result.
Finally, above all else, one has to admit that this announcement seems like the reactionary brainchild of Microsoft's PR department. On /. alone, this is the third article in 24 hours (not including the "Unbreakable" story) with direct relevance to Microsoft's security (or lack thereof). The case can be made that there is a low likelyhood that Microsoft would pay that much attention to the /. community - but on the other hand, I'd think they'd listen to this.

Two questions

[Chris+Johnson]

Two questions. One, it's all very well to talk about this but isn't it like rewriting Netscape from the ground up? Isn't it either totally meaningless or an announcement of a complete energy sink at Microsoft which will immobilize them?

Two, to what extent is this an agenda for obliterating any shred of interoperability with other commercial products in the name of 'security'? Isn't it an open invitation to claim that total and complete lock-in is the only way to be 'secure'?

He can talk the talk...

[Jon+Abbott]

"Users should be in control of how their data is used" -- Bill Gates

To that I say, put your money where your mouth is. Quit endorsing DRM. Quit using proprietary formats in your applications. Open your APIs. Include some decent text manipulation tools at the command line (like GNU textutils). Give the user some choice for a change.

Re:If..

[Pussy+Is+Money]

Nice post.

I think basically you are saying that when Windows' technical deficiencies disappear (which in itself makes the dubious presupposition that one size might fit all), there is no longer any reason why we should oppose them.

This presupposes that such is the case right now; i.e. that we are opposing Microsoft because their code is supposedly so horrible.

But that's bullshit. I have to admit I don't know myself where all the folklore of lousy Windows performance and lousy Windows stability came from. Sure their software can run slow. But have you looked at GNOME recently? And as for security, granted their track record is very bad. But at least they don't ship with telnet, right? Besides there is nothing like designing security for a piece of software that runs on 95% of the desktops in the world.

So it's all relative. In any case, I'll tell you the real reason why we should oppose Microsoft: because whatever business you are in right now, if you're successfull, it will be Microsoft's business next week. That's why we need to oppose Microsoft.

M$ already own the technology to kill buffer issue

[martin]

From the risks digest....

Re: "Buffer Overflow" security problems (Baker, RISKS-21.84)
"Nicholas C. Weaver"
Sat, 5 Jan 2002 13:15:52 -0800 (PST)

I agree with Henry Baker's basic assessment that buffer overflows, especially in code which listens to the outside world (and therefore vulnerable to remote attacks) should be classed as legally negligent.

However, it seems to be nigh-impossible to get programmers to write in more semantically solid languages.

There is another solution: software fault isolation [1]. If the C/C++ compilers included the sandboxing techniques as part of the compilation process, this would eliminate the most deleterious effects of stack and heap buffer overflows: the ability to run an attacker's arbitrary code, with a relatively minor hit in performance (under 10% in execution time).

An interesting question, and one for the lawyers to settle, is why haven't these techniques been widely deployed? The techniques were being commercialized by Colusa Software as part of their mobile code substrate [2] in the mid 1990s. In March 1996, Colusa software was purchased by Microsoft and it seems effectively digested, thereby eliminating another potential mobile-code competitor, something Microsoft seemed to fear at the time.

The interesting RISK, and one which is probably best left to the lawyers, is that as a result, for over half a decade, Microsoft has owned the patent rights and the developments required to eliminate two of their biggest security headaches: unchecked buffer overflows and Active-X's basic "compiled C/C++" nature, yet seems to have done nothing with them.

What is the liability involved when a company owns the rights to a technology which could greatly increase safety, at an acceptable (sub 10%) performance penalty, but does nothing to use it in their own products? Especially when the result is serious, widespread security problems which
could otherwise be prevented?

[1] "Efficient Software-Based Fault Isolation", Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham, in *ACM SIGOPS Operating Systems Review*, volume 27, number 5, December 1993, pp 203--216,

[2] "Omniware: A universal substrate for mobile code"

Nicholas C. Weaver nweaver@cs.berkeley.edu