Microsoft Corp. is under the spotlight — and under the gun — to live up to its promise of offering users a more secure platform.
Since Microsoft chairman Bill Gates announced the company’s Trustworthy Computing initiative, the software giant has been commended for its efforts, as well as summarily bashed for a flood of vulnerabilities that have IT managers struggling under a deluge of risks and patches. And security analysts say administrators might be facing more security breaches, more blended threats, more denial-of-service attacks and more Web defacements than ever this year. That will make Microsoft’s security efforts even more critical.
In a one-on-one interview with Datamation, Dave Aucsmith, a security architect for Microsoft, says the Trustworthy Computing initiative is going well, despite the criticisms.
And when it comes to talking about the Slammer worm that crippled the Internet worldwide for several days last month, Aucsmith says Microsoft has to share the blame. The worm took advantage of a vulnerability in Microsoft’s SQL 2000 Web servers. Microsoft issued a patch for it last July but Aucsmith says it was probably the worst patch they ever issued — gummy and complicated to install. That’s one of the reasons that millions of administrators didn’t install the patch, leaving their systems wide open to the Slammer attack.
Here Aucsmith talks about the deluge of vulnerabilities and patches that administrators have to deal with, what Microsoft is trying to do to help them, and how the company is working to better secure the follow-up to Windows XP.
Q: How do you think the Trustworthy Computing initiative is going?
I think it’s going very well. It’s not done. It’s started. It’s headed in the right direction and it has the right support internally. But we’ve still got a long way to go…There’s a long product life cycle. We’ve had things in development for quite a while.
What are you working on?
The follow-up to [Windows] XP. We changed the way we write code. There’s a new methodology that we don’t write code without a threat model. It’s looking at all the ways it could be hacked. We’ve built tests. How modules act, and how they interact and how the product behaves…they all have threat models.
How do you hope that will change the operating system?
I don’t think we’ll see buffer overruns. I hope we’ll find the fundamental flaws in protocols. It should mean the code coming out will have less vulnerabilities. It won’t be a whole new beast, but it will be a more secure beast.
A lot of vulnerabilities have been found since the initiative got underway and, as I’m sure you know, critics are saying you’re not doing enough about it. How do you answer them?
Yes, there have been more vulnerabilities announced. It’s like cancer statistics. Now that we know what we’re looking for, we find it more. We’re just doing a better job finding them Attacks are up. Vulnerabilities are up partly because of the number of services available and the amount of connectivity, and partly because of the sheer number of people looking for them.
IT managers are saying that there simply are too many vulnerabilities and patches to keep up with. Whats gone wrong here?
We’re looking at why the gap is so big between [the time the patch is released] and the deployment of the patch. Our patches, as an industry, aren’t so easy to apply…I understand. We’re damned if we do. And we’re damned if we don’t. We’ve made the conscious decision that we will patch a vulnerability as soon as we know of it. We give them all the information we can.
Are you doing anything to ease the burden that all these patches are putting on IT managers?
There’s a percentage of systems that once you shut them down, they’re not coming back up. We’re working on the ability to apply patches that don’t need you to reboot the system. It’s very technically daunting. We have technology in the next version of the operating system that supports this. It required a substantial rearchitecture. It won’t be in Windows Server 2003 but in the follow-on to XP…We also anticipate tools and software to help them manage patches. We’re working on it. Third parties are working on it.
A lot of people have said that Microsoft is partly to blame for the spread of the Slammer worm because the patch you issued was too complicated to install readily. Do you feel any responsibility?
Oops. We goofed on that one. That was probably our worst case. Or I would hope that’s the worst we did. On that particular one, we made assumptions about the order that the patch would be applied in. We assumed people would have kept the service pack current. We’re relooking at the whole process so they can patch [vulnerabilities] regardless of service packs and other updates.
The Slammer worm hit your own machines. Hadn’t you installed your own patch?
Right now, I guarantee you that at Microsoft there are systems that have never been patched. That’s by design. We need them for testing purposes. Our testing machines were hit…We had very few systems hit, but it didn’t take many to crash our entire network. We had services go offline and very slow-moving traffic.
Were any servers hit that should have been patched and weren’t?
I don’t know if I know that answer.
A lot of security analysts are saying 2003 is going to be a particularly bad year in terms of security incidents. Are you anticipating the same thing?
I personally don’t see this year being particularly different. There’s a steady increase, year to year. The one place I see…if we go to war with Iraq, there’s the possibility that cyberspace becomes one of the battlefields.
If we do go to war, what kind of cyber attacks would you expect?
It could run the gamut from nothing to something significant. The potential is there. I don’t know if the reality will follow.
Has the government been in touch with people at Microsoft concerning the potential for cyber terrorism?
We, like a lot of large corporations, work closely with the government. I’m sure we’re in contact about what the government thinks is threats. It’s sharing information about known vulnerabilities, known attacks, vulnerabilities that have been found but haven’t been made public so we can take care of it.