Finding flaws helpful - MS security chief

Microsoft's product security chief says the discovery of a flaw in its "most secure ever" operating system benefited the company

Microsoft's product security chief has expressed his disappointment over the recent discovery of a vulnerability in the much touted "most secure ever" Windows Server 2003 operating system, but says the company has learned from the experience.

During an interview with ZDNet Australia, software engineer George Stathakopoulos, who is responsible for ensuring Microsoft products are as secure as possible, said the "DCOM" vulnerability -- which was discovered by security group the Last Stage of Delirium, or LSD -- is being treated very, very seriously by the software maker.

"It's an unfortunate thing," he said. "[While] I'm glad it took so long [to find a bug]... compared to previous products, you can never celebrate something like that."

As for the way the vulnerability was disclosed to the software company by LSD, Stathakopoulos is full of praise. "In this case we were very lucky to have a very professional security group [to work with]," he said.

Conceding that vulnerabilities are more or less a way of life, the security boss says the nature of the glitch has highlighted some internal process issues. The DCOM flaw is the first critical bug to affect the Windows Server 2003 product, but also affects NT4 and Windows 2000.

"You know that there will be bugs," he told ZDNet Australia. "In this case we've learned a couple of things… our internal processes could be streamlined a little better."

Stathakopoulos was remarkably frank in admitting the software giant should have caught the vulnerability during the design and review phase, before the product's launch. However, the software company claims the download statistics for the bug's fix have set records -- a sign that the company's investment in an awareness campaign may finally be paying dividends.

"The numbers of installations [of the latest patch] have been phenomenal… Somehow the message is getting through," he said.

The company went as far as posting a warning about the security glitch on the front page of its Web site. Getting the message across to "mum and dad" users is also a priority for the company, but Stathakopoulos says Microsoft must be careful when treading the fine line between education and harassment.

"A lot of the attention is something we generated… we're being transparent, we're being open about it," Stathakopoulos said. "But there's a difference between informing customers and forcing something on them."

For now, he says, the audit teams have gone back to the code to see what else they can turn up given what they have learned from the latest flaw in the code. His group is also putting together some new tools to assist customers in hardening their servers and providing them with some defence-in-depth pointers. The company will also turn to third-party researchers to help secure its code base.

Although Microsoft doesn't pay "bug money" to researchers that find vulnerabilities, the more talented and professional outfits will get audit work thrown their way if it's deemed appropriate.

"Bug money is not something that Microsoft has ever supported… [but] during the audits we do use third parties," the security head said.

Describing most security researchers as "very ethical", Stathakopoulos says he would encourage anyone who has found a security vulnerability to get in touch.

"If you find a bug, come talk to us -- we'll give you credit," he said.