Businesses worldwide face increasing threats from cyber criminals attempting extortion and fraud because the software running their systems makes them vulnerable, said Microsoft's top security architect at the e-Crime Congress in London.
Security architect and chief technology officer of Microsoft's security business unit David Aucsmith admitted that he is considered a "target" for complaints against his company's software, but he also stressed that many of the security issues could not have been foreseen.
Windows 95 was written without a single security feature, as it was designed to be totally open to let users connect to other systems. The security kernel of the Windows NT server software was written before the internet, and the Windows Server 2003 software was written before buffer overflows became a frequent target of recent attacks, he said.
"Almost all the attacks on our software are legacy attacks and the points of the system that can talk to older versions of our software," Aucsmith added. "If you want more secure software, upgrade."
Aucsmith said the existing security threats are a consequence of the changing software industry, and more sophisticated cyber criminals.
Microsoft is addressing these security issues by working closely with law enforcement authorities and changing its patching procedures. Much of the threat comes from criminals who are making a career from high-tech crimes such as hacking, extortion and fraud, he said.
Cyber criminals are becoming increasingly efficient at reverse-engineering software patches to discover and then exploit vulnerabilities.
The time between the release of a patch and the creation of an exploit has dwindled dramatically. The Nimda virus, which was discovered in September 2001, surfaced 331 days after a patch was released, while the latest exploit of a Windows component called the ASN.1 Library was created within three days of the patch being released, Aucsmith said.
Hackers have the advantage of not having to test their exploits, which allows them to move faster than suppliers who must perform rigorous testing to ensure that their patches do not break users' systems.
Still, Aucsmith said that despite the flood of attacks against Microsoft's software, only once has it suffered a so-called "zero-day" attack, in which an unknown and unpatched vulnerability is exploited.
Tools created by sophisticated hackers and made available on the internet have caused more headaches for suppliers and users, such as a tool which automatically reverse-engineers patches, creates an exploit and launches attacks allowing any non-tech savvy user to become a potential cyber criminal.
According to a survey by the UK's National Hi-Tech Crime Unit, UK businesses are estimated to have lost billions of pounds last year because of computer crimes, and they are not alone. Businesses worldwide are grappling with increasingly sophisticated cyber threats.
While law enforcement officials are encouraging users to report cyber crime and do what they can to shore up their systems, suppliers say that they are doing their parts to make their products more secure.
Besides encouraging users to upgrade to more secure versions of its software, Microsoft is working on improving its patching procedures.
The company already switched from a weekly to a monthly patch release cycle to reduce user work, but is also working on delivering a regular Microsoft Update that includes fixes to all its software instead of the existing Windows Update patch.
Microsoft also plans to make all of its patches reversible, in case users want to remove them, and patches that can be applied without having to reboot systems.
Scarlett Pruitt writes for IDG News Service