Being in charge of security for Microsoft products is what you may call a demanding job. The old adage of “just because you’re paranoid, doesn’t mean that they are not out to get you” applies in full.
Every hacker, cracker and spammer is right now seeking a way to exploit any small flaw in the array of Microsoft products and services that we all use in our daily working and home lives.
Yet at its 2004 worldwide partner conference in Toronto, Microsoft announced plans to make the world of Windows fundamentally more secure. The underlying message was that despite the feeling of almost constant attack from the hackers, the computer giant would turn security from a concern into a business asset. The question is how?
The Toronto conference brought together more than 6,000 Microsoft resellers, distributors, ISVs, OEMs, system builders, system integrators, sales professionals and solutions architects eager to discover the product roadmap for the coming year. In what could be read as 'keeping the best until last', Microsoft chose to close the meeting with a bravura speech from CEO Steve Ballmer and a more calculated display from Mike Nash, corporate vice president of Microsoft's Security Business and Technology Unit.
Twelve months ago Ballmer had announced Microsoft's security initiative and commitments to the same audience, and Microsoft was keen to point out the progress that had been made and to outline its future plans.
Despite the overall bullishness of his address, the CEO conceded that the last twelve months had been trying for Microsoft and even issued what could be seen as a mea culpa as much as a call to arms. “We've made, I think, at least a year or more of progress on security in the last year; we're not perfect. We're not where we need to be. But we've had velocity in really getting after the most important issue that you and our customers told us about 12 months ago, and I'm fired up about that, and we're going to keep it right there burned at the top of our brain,” he declared. Nash, in his speech, concurred, admitting “many of the issues we have heard about from customers and from partners like you really show that there's a lot of work we need to do.”
Digging deeper, Nash explained that in terms of addressing questions of isolation and resiliency of Windows products, the focus will be on Windows XP Service Pack (SP) 2, which was rolled out in August. Revealed Nash: “The chief thing we've done here really is the focus on [SP2], making sure that we could not only address core vulnerabilities in our products but build resiliency into the system.
Even if there are new vulnerabilities or perhaps exploits against things that aren't even a vulnerability in Microsoft software, [we want] customers that use the latest service pack of Windows to be protected from those kinds of illegal, malicious attacks.” A bold claim and one which in truth could not, and would not, be made last year.
SP2’s launch has been twice delayed, but Nash told InfoSecurity Today that when it came to security the key issue was to release something of high quality and not simply to rush to market. Microsoft, he said, would “provide leadership to its customers” with regard to security, and he identified two key aspects. These are to “make sure people can automate what they need to do and to make sure that customers feel safe to do this.”
What will be seen in SP2 are features whose defaults are set to the most secure setting. For example, by default Service Pack 2 turns on the firewall for every network connection you use, and SP2 will aim to offer better protection from remote procedure call-based attacks such as those used by Blaster. It also contains new functionality that will let you disable individual ActiveX controls. Attachments that match a list of known potentially dangerous file types can be blocked, and SP2 can be configured to block pop-ups and pop-downs on web pages in order to prevent malware from sneaking into systems.
Also prominently featured was ISA Server 2004, designed to safeguard Microsoft systems and applications from malicious attack at the network edge by using filters to block attacks against Outlook, Exchange and other applications.
In terms of core operating systems and vulnerabilities, Nash pointed out that in the first year of Windows Server 2003’s life only 13 critical or important vulnerabilities were spotted, compared with 42 for the same period after Microsoft shipped Windows 2000. He expressed pride in now having a cleaner tool available for download to detect and remove infections caused by the various exploits in circulation.
That said, Nash acknowledged that there was no room for complacency. “Very much the focus here is on making sure we're doing the things that you told us were most important, and we certainly know we have a lot more work to do,” he conceded.
And never has there been such an understatement in today’s security market. The black-hat community will make quite sure of this.