Securing Microsoft: The next generation of security threats

Editors' note: This is Part 3 in a series examining how Microsoft's security strategy has evolved over the past decade. Part 1: From pain to progress and Part 2: Inviting the hackers inside

REDMOND, Wash.--Microsoft security engineer Robert Hensing had a question for the hundreds of his company's developers seated before him: can a person's PC become infected with a rootkit simply by opening a PowerPoint file?

In the packed conference center, a smattering of developers raise their hands. Nearby, in an adjacent room, where hackers invited to speak at Microsoft's Blue Hat conference watch the presentations on TV, an entire table of hands go up.

"That's one thing I want you to take away from this," Hensing tells the Microsoft developers. "Applications are dangerous."

Indeed, even though Microsoft has spent a fortune securing Windows, experts say that hackers are moving beyond the operating system. Threats such as rootkits, which can corrupt an operating system, can now be transferred by applications or Web-based programs. A new crop of Web-connected mobile devices represent another emerging threat.

"Operating system vulnerabilities are on the decline," Hensing said in his talk at the most recent Blue Hat security conference in September. "Application vulnerabilities are on the rise."

In part, Microsoft is something of a victim of its own success in securing Vista and Windows XP before it. Halvar Flake, a security researcher who attended the latest Blue Hat, estimates the total cost of Microsoft's years-long security push at more than $1 billion, with a significant chunk spent on Vista. George Stathakopoulos, a general manager in Microsoft's security unit, wouldn't say how much Microsoft has spent, but said that it's "a big number."

Flake, CEO of security firm Zynamics, said that all of that spending has paid off. "Vista is the most difficult mainstream OS to break into that I've ever seen," he said. Because it is harder to hack, it is more expensive for criminals to target.

Paradoxically, it's not clear that Vista's improved security is persuading people to move to the operating system any faster. "Security is a tough sell, really," Flake said. "Customers can't really measure it."

Vista's security is likely making life more difficult for hackers. Flake said the malicious side of him "would hope Vista is a huge flop" and, as a result, that no company ever spends that kind of money and effort securing an operating system.

The true measure of the effectiveness of Vista's new security likely won't be measured for years. Microsoft and other vendors often tout how their newest releases have many fewer flaws than previous versions. That's usually true, but it's only part of the picture. Most of the major operating system vendors have seen their total number of vulnerabilities rise since 2004. New operating systems tend to have fewer flaws upon release, but operating systems live for five to seven years.

As a result, operating system makers try to design products to withstand the types of attacks their software may face toward the middle and end of its life--when operating systems are most heavily adopted.

"We're attacking today's problems," said Matt Thomlinson who heads Microsoft's security engineering efforts. "We certainly have to do that. We also need to get ahead."

The attacks themselves, meanwhile, have grown increasingly targeted. From the mass mailers, to broad phishing scams, to more recent attacks aimed at individuals. Experts expect that trend to continue, with malicious software growing ever more evasive.

Malicious software getting more complex
This year marks a turning point, according a report this week from Cisco Systems-owned IronPort Systems. "For a time, security controls designed to manage malware were working," said Tom Gillis, vice president of marketing for IronPort. "Just when malware design seemed to have reached a plateau, new attack techniques have burst forth, some so complex--and obviously not the work of amateurs--they could have only been designed by means of sophisticated research and development."

IronPort sees Trojan horses and malicious software becoming "increasingly targeted and short-lived," which will make them still harder to spot.

Layered atop that trend is the rise of new attacks that target software applications. While there are only a handful of major operating systems, there are literally thousands of applications, some used by millions of people.

Microsoft has spent significant time and money on securing its applications. After the experience of Slammer, for example, the company's SQL Server database became a model within the company for how to adopt secure development. Security researcher Dan Kaminsky, who has also attended Blue Hat and done a significant amount of security consulting for Microsoft, said that SQL Server has made significant gains over Oracle thanks to those improved practices.

The Office team, too, has taken note of the fact that its documents are frequently targeted as means for an attack. One of the less-discussed reasons for Office's new XML file formats, in fact, is that they are designed from scratch to be more secure, according to Microsoft.

Attacks changing, but so is the business

In many ways, the deck is stacked against those trying to keep users safe. Whether it is fixing a bug or persuading users not to fall for a new social-engineering attack, defenders need to protect everyone, whereas success for attackers might mean finding only a tiny percentage of people to make its prey.

"We need to (protect people) at scale and an attacker doesn't need to do it at scale," Thomlinson said.

Window Snyder, a former Microsoft security team leader now at Mozilla, said that one way to combat the scale problem, is by ramping up on the defensive side as well. For example, she said, some 20,000 people are testing nightly builds of Firefox, offering the ability to see code--and security patches--in real-world use far sooner.

"I think there is a real opportunity to improve how quickly fixes are available and how easy it is for users to deploy them," Snyder said. One example she pointed to is the feature in Firefox that saves exactly where a user is before an update is installed. Because they get taken right back where they were, she said, users are willing to install updates more quickly, decreasing the time that there are vulnerable systems for attackers to target.

Microsoft and others have also tried to do that, particularly in the anti-malware arena. Both the phishing filter in Internet Explorer and the Windows Defender antispyware program built into Vista are based on the real-world experiences of millions of users.

Another challenge for Microsoft and others tackling software security stems from the basic design of the Internet, Chairman Bill Gates told CNET News.com. The Internet, he said, was designed with its primary goal being to ensure resiliency and redundancy, not security. The network's openness and assumption that routers are who they say they are mean that security must be added as a separate layer.

"Of course, the early years, when it was used primarily in universities or small scale, those issues didn't come up because it was mostly people with good intent," Gates said. "Now that it's the way we do commerce and everything is there, that assumption no longer holds."

And, it is not just the attacks themselves that are changing, though. It's also the business.

A decade ago, many security attacks were launched by skilled programmers looking to see if they could poke holes in software and garner some notoriety.

Paul Wood, a security analyst for MessageLabs, said the structure of the "shadow" economy has changed. At one time, lone hackers created an exploit, developed malicious software, and then launched an attack. Now, there is segmentation. There might be one organization with a botnet of zombie computers that rents itself out, while another organization specializes in the actual writing of malicious software, as yet another group collects the credit card or other personal information.

One clear example of the economy that has sprung up around security threats is WabiSabiLabi, an outfit that has set up an eBay-style auction for software vulnerabilities. If it takes off, it means that software vendors may find themselves having to outbid hackers to get a hold of newly discovered flaws.

Risks versus economic opportunity
Part of the reason such a large economy has sprouted up is that the economic opportunity is huge and the risks of getting caught have actually gone down--particularly because law enforcement operates along geographic lines, while the Internet knows no such boundaries.

That places a huge burden on preventing a machine from being taken over in the first place, Kaminsky said. "You are not going to be able to find the guy," he said.

It's also because of new opportunities, such as creating botnets that then perpetrate click fraud, for example, and generate revenue from companies like Google.

"You have evolved financial models that are insanely low-risk with shockingly high return," Kaminsky said. "It's not a recipe for goodness."

The profit motive isn't all bad news for defenders. Flake notes that hackers are now keenly aware of the cost of attacking a system relative to the amount of value that can be attracted. That means they are often looking for the cheapest attack, rather than the most technically sophisticated one. In the early days, you had government spies or skilled hackers looking to make their mark who were willing to pour "ludicrous amounts of time" into crafting an attack.

"Attackers are now operating under economic restrictions," he said. That often means that a defense can make would-be crooks go after someone else instead.

That portends good news for Microsoft, Flake said.

"The threats are currently moving away from Microsoft because Microsoft has outspent everyone," he said.

Mobile devices are one area where attacks may increase, Flake said, while predicting that Apple will also face a few rough years now that its market share has grown and more targeted attacks have become the norm. "Apple is where Microsoft was a few years ago. Apple, he said, still has to look forward to the experience of getting "owned"--that is, taken over by hackers--"repeatedly and being made fun of."