Over dinner at the e-Crime Congress last week, I found myself sitting next to the chief technology officer of Microsoft’s security business unit, Dave Aucsmith.
He believed that we may have seen the end of the RPC/DCOM style exploits against the Microsoft platform, which peaked last year, now that the critical gaps in the Windows code have been patched.
However, he added, the time between a patch being made available to the public and the first exploit appearing has now decreased to a level which makes patching no defence in larger organisations. It now takes an average of nine days for a patch to be reverse engineered by hackers to expose the vulnerability it protects against.
“Blaster demonstrated the complex interplay between security researchers, software companies and hackers who now hack together worms with posted exploit code and worm toolkits,” he said.
This is a worrying new phenomenon, regardless of which operating system you might favour.
In defence of the progress being made under Microsoft’s Trustworthy Computing initiative, Aucsmith pointed out that the security kernel of Windows NT was written before there was a world wide web and before TCP/IP was the default communications protocol.
Even with the progress made in Windows Server 2003, with its much-reduced attack surface, Aucsmith conceded that its own security kernel was written before the buffer overflow tool kits that led to last summer’s damage were available, and before web services were widely deployed, a fact that only illustrates the nature of the fast-moving target that Microsoft and, indeed, any other software supplier has to second guess.
If the speed of development and demand for counter measures isn’t bad enough, he points to the problem of highly popular enterprise software products – with off-the-record examples – that sit on top of the Windows platform, but offer poor or very limited security features that only add to the risks of a downstream compromise, for which Microsoft is frequently blamed.
So what comes next in the war on Windows? Aucsmith said that if you look at the history of exploits, we’ve had attacks against the network protocols, we’ve had DNS spoofing and fractured packets, the “Ping of death”, attacks against operating system services and, most recently, various buffer overruns, web spoofs and worms.
Hopefully, on properly patched systems, those doors are now closed, although the problem of millions of unpatched legacy systems still remains in a growing broadband environment.
What may come next could be attacks against application services or even SQL injection, but Aucsmith saw the emphasis moving increasingly towards the theft of information, social engineering and backdoor Trojan control of personal computers, a new phenomenon that demands a concerted international response to the emergence of cyber crime.
What we do know, is that while the larger holes in the Microsoft operating system have now been patched, the information security battle has now moved to a different dimension, where the defence of the Windows environment is only part of a much greater tactical problem for the defenders of cyberspace.
What do you think?
How can we encourage users to be more vigilant against cybercrime attacks? Tell us in an e-mail >> ComputerWeekly.com reserves the right to edit and publish answers on the website. Please state if your answer is not for publication.
Setting the world to rights with the collected thoughts and opinions of leading industry analyst Dr Simon Moores of Zentelligence.
Acting globally, Zentelligence (Research) advises governments, suppliers, business and the media on the evolution, application and delivery of leading-edge technologies and specialises in the areas of eGovernment and information security.
For further information on Zentelligence and its research, presentation and analyst services visit www.zentelligence.com
This was first published in March 2004