Malware is short for malicious software, and it’s been a nagging problem on Windows since at least the mid-1990s.
In January 2002, after a series of high-profile and highly embarrassing attacks that affected Windows customers and Microsoft itself, Bill Gates wrote his now famous “Trustworthy Computing” memo. Although it was viewed with some skepticism at the time, it really did represent a turning point for Microsoft.
Until that point, security was literally an afterthought. As a result of the Trustworthy Computing initiative, Microsoft introduced a massive change in the way it develops software. The Security Development Lifecycle has paid off hugely over the last 10 years and has been widely praised and copied.
Today, as this chart shows, most malware is installed via social engineering or by using exploits that target vulnerabilities that have already been patched.
In summer 2003, if you were a PC support specialist, the dialog box above meant that your life was hell. The malicious software attack called MSBlast/32 (aka Blaster) spread over networks using the RPC protocol and caused affected computers to go into a spontaneous reboot loop. This contemporaneous SANS writeup notes that this worm had the potential to be more than annoying: It could have allowed an attacker to run code with Local System privileges on the compromised system. Fortunately, whoever wrote Blaster was apparently more interested in creating havoc.
Blaster’s incredible effectiveness was directly attributable to a terrible decision Microsoft made with Windows XP, which included an effective firewall that was turned off by default.
Windows has included an update utility since Windows 95, and Automatic Updates were introduced with Windows Me in 2000.
It wasn’t until 2003, however, that Microsoft systematized its process for issuing security updates. Security updates are provided on the second Tuesday of each month—Patch Tuesday. Non-security updates are provided on the fourth Tuesday of each month. Microsoft began this program so that corporate customers could plan for testing and installation of security updates. Although it was a controversial decision, today it’s generally regarded as effective.
On rare occasions—once a year or so—Microsoft releases an “out of band” update to address an issue that can’t wait till the next month’s Patch Tuesday.