Microsoft Corp. is under the spotlight — and under the gun — to live up to its promise of offering users a more secure platform.
Since Microsoft chairman Bill Gates announced the company’s Trustworthy Computing initiative, the software giant has been commended for its efforts, as well as summarily bashed for a flood of vulnerabilities that have IT managers struggling under a deluge of risks and patches. And security analysts say administrators might be facing more security breaches, more blended threats, more denial-of-service attacks and more Web defacements than ever this year. That will make Microsoft’s security efforts even more critical.
In a one-on-one interview with Datamation, Dave Aucsmith, a security architect for Microsoft, says the Trustworthy Computing initiative is going well, despite the criticisms.
And when it comes to the Slammer worm that disrupted Internet traffic worldwide for several days last month, Aucsmith says Microsoft has to share the blame. The worm exploited a vulnerability in Microsoft SQL Server 2000. Microsoft issued a patch for it last July, but Aucsmith says it was probably the worst patch the company ever issued: awkward and complicated to install. That is one of the reasons so many administrators never applied it, leaving their systems wide open when Slammer struck.
Here Aucsmith talks about the deluge of vulnerabilities and patches that administrators have to deal with, what Microsoft is trying to do to help them, and how the company is working to better secure the follow-up to Windows XP.
Q: How do you think the Trustworthy Computing initiative is going?
I think it’s going very well. It’s not done. It’s started. It’s headed in the right direction and it has the right support internally. But we’ve still got a long way to go…There’s a long product life cycle. We’ve had things in development for quite a while.
Q: What are you working on?
The follow-up to [Windows] XP. We changed the way we write code. There’s a new methodology that we don’t write code without a threat model. It’s looking at all the ways it could be hacked. We’ve built tests. How modules act, and how they interact and how the product behaves…they all have threat models.
Q: How do you hope that will change the operating system?
I don’t think we’ll see buffer overruns. I hope we’ll find the fundamental flaws in protocols. It should mean the code coming out will have fewer vulnerabilities. It won’t be a whole new beast, but it will be a more secure beast.
Q: A lot of vulnerabilities have been found since the initiative got underway and, as I’m sure you know, critics are saying you’re not doing enough about it. How do you answer them?
Yes, there have been more vulnerabilities announced. It’s like cancer statistics. Now that we know what we’re looking for, we find it more. We’re just doing a better job finding them. Attacks are up. Vulnerabilities are up partly because of the number of services available and the amount of connectivity, and partly because of the sheer number of people looking for them.
Q: IT managers are saying that there simply are too many vulnerabilities and patches to keep up with. What’s gone wrong here?
We’re looking at why the gap is so big between [the time the patch is released] and the deployment of the patch. Our patches, as an industry, aren’t so easy to apply…I understand. We’re damned if we do. And we’re damned if we don’t. We’ve made the conscious decision that we will patch a vulnerability as soon as we know of it. We give them all the information we can.
Q: Are you doing anything to ease the burden that all these patches are putting on IT managers?
There’s a percentage of systems that once you shut them down, they’re not coming back up. We’re working on the ability to apply patches that don’t need you to reboot the system. It’s very technically daunting. We have technology in the next version of the operating system that supports this. It required a substantial rearchitecture. It won’t be in Windows Server 2003 but in the follow-on to XP…We also anticipate tools and software to help them manage patches. We’re working on it. Third parties are working on it.
Q: A lot of people have said that Microsoft is partly to blame for the spread of the Slammer worm because the patch you issued was too complicated to install readily. Do you feel any responsibility?
Oops. We goofed on that one. That was probably our worst case. Or I would hope that’s the worst we did. On that particular one, we made assumptions about the order that the patch would be applied in. We assumed people would have kept the service pack current. We’re relooking at the whole process so they can patch [vulnerabilities] regardless of service packs and other updates.
Q: The Slammer worm hit your own machines. Hadn’t you installed your own patch?
Right now, I guarantee you that at Microsoft there are systems that have never been patched. That’s by design. We need them for testing purposes. Our testing machines were hit…We had very few systems hit, but it didn’t take many to crash our entire network. We had services go offline and very slow-moving traffic.
Q: Were any servers hit that should have been patched and weren’t?
I don’t know if I know that answer.
Q: A lot of security analysts are saying 2003 is going to be a particularly bad year in terms of security incidents. Are you anticipating the same thing?
I personally don’t see this year being particularly different. There’s a steady increase, year to year. The one place I see…if we go to war with Iraq, there’s the possibility that cyberspace becomes one of the battlefields.
Q: If we do go to war, what kind of cyber attacks would you expect?
It could run the gamut from nothing to something significant. The potential is there. I don’t know if the reality will follow.
Q: Has the government been in touch with people at Microsoft concerning the potential for cyber terrorism?
We, like a lot of large corporations, work closely with the government. I’m sure we’re in contact about what the government thinks are threats. It’s sharing information about known vulnerabilities, known attacks, vulnerabilities that have been found but haven’t been made public so we can take care of it.