advertisementHome Phone and Internet $60/mo
News.com special report:

Securing Microsoft: A long road

Tell us what you think about this storyTalkBack    E-mail this story to a friendE-mail    Add to your del.icio.usdel.icio.us    Digg this storyDigg this

The next generation of security threats

By Ina Fried
Staff writer, CNET News.com
December 5, 2007, 4:00 a.m. PST

Editors' note: This is part 3 in a series examining how Microsoft's security strategy has evolved over the past decade.

REDMOND, Wash.--Microsoft security engineer Robert Hensing had a question for the hundreds of his company's developers seated before him: can a person's PC become infected with a rootkit simply by opening a PowerPoint file?

In the packed conference center, a smattering of developers raise their hands. Nearby, in an adjacent room, where hackers invited to speak at Microsoft's Blue Hat conference watch the presentations on TV, an entire table of hands go up.

"That's one thing I want you to take away from this," Hensing tells the Microsoft developers. "Applications are dangerous."

"We're attacking today's problems. We certainly have to do that. We also need to get ahead."
--Matt Thomlinson, head of security engineering efforts, Microsoft

Indeed, even though Microsoft has spent a fortune securing Windows, experts say that hackers are moving beyond the operating system. Threats such as rootkits, which can corrupt an operating system, can now be transferred by applications or Web-based programs. A new crop of Web-connected mobile devices represent another emerging threat.

"Operating system vulnerabilities are on the decline," Hensing said in his talk at the most recent Blue Hat security conference in September. "Application vulnerabilities are on the rise."

In part, Microsoft is something of a victim of its own success in securing Vista and Windows XP before it. Halvar Flake, a security researcher who attended the latest Blue Hat, estimates the total cost of Microsoft's years-long security push at more than $1 billion, with a significant chunk spent on Vista. George Stathakopoulos, a general manager in Microsoft's security unit, wouldn't say how much Microsoft has spent, but said that it's "a big number."

Flake, CEO of security firm Zynamics, said that all of that spending has paid off. "Vista is the most difficult mainstream OS to break into that I've ever seen," he said. Because it is harder to hack, it is more expensive for criminals to target.

Paradoxically, it's not clear that Vista's improved security is persuading people to move to the operating system any faster. "Security is a tough sell, really," Flake said. "Customers can't really measure it."

Vista's security is likely making life more difficult for hackers. Flake said the malicious side of him "would hope Vista is a huge flop" and, as a result, that no company ever spends that kind of money and effort securing an operating system.

The true measure of the effectiveness of Vista's new security likely won't be measured for years. Microsoft and other vendors often tout how their newest releases have many fewer flaws than previous versions. That's usually true, but it's only part of the picture. Most of the major operating system vendors have seen their total number of vulnerabilities rise since 2004. New operating systems tend to have fewer flaws upon release, but operating systems live for five to seven years.

As a result, operating system makers try to design products to withstand the types of attacks their software may face toward the middle and end of its life--when operating systems are most heavily adopted.

"We're attacking today's problems," said Matt Thomlinson who heads Microsoft's security engineering efforts. "We certainly have to do that. We also need to get ahead."

The attacks themselves, meanwhile, have grown increasingly targeted. From the mass mailers, to broad phishing scams, to more recent attacks aimed at individuals. Experts expect that trend to continue, with malicious software growing ever more evasive.

Malicious software getting more complex
This year marks a turning point, according a report this week from Cisco Systems-owned IronPort Systems. "For a time, security controls designed to manage malware were working," said Tom Gillis, vice president of marketing for IronPort. "Just when malware design seemed to have reached a plateau, new attack techniques have burst forth, some so complex--and obviously not the work of amateurs--they could have only been designed by means of sophisticated research and development."

Photos: Microsoft's bug hunters

Modern malicious software, IronPort suggests, borrows many characteristics from today's social-networking sites. They are collaborative and adaptive. Plus, the company said, they fly under the radar, "living on enterprise or residential PCs for months or years without detection."

IronPort sees Trojan horses and malicious software becoming "increasingly targeted and short-lived," which will make them still harder to spot.

Layered atop that trend is the rise of new attacks that target software applications. While there are only a handful of major operating systems, there are literally thousands of applications, some used by millions of people.

Microsoft has spent significant time and money on securing its applications. After the experience of Slammer, for example, the company's SQL Server database became a model within the company for how to adopt secure development. Security researcher Dan Kaminsky, who has also attended Blue Hat and done a significant amount of security consulting for Microsoft, said that SQL Server has made significant gains over Oracle thanks to those improved practices.

The Office team, too, has taken note of the fact that its documents are frequently targeted as means for an attack. One of the less-discussed reasons for Office's new XML file formats, in fact, is that they are designed from scratch to be more secure, according to Microsoft.

Next page: Attacks changing, but so is the business



CONTINUED: Attacks changing, but so is the business...
Page 1 | 2
advertisement
News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
CES
Cell phones
Dell
GPS
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET