No security silver bullet for Vista: Microsoft

Written by Patrick Gray, Contributor
Despite extensive security auditing during Vista's development, the new operating system will not be free of bugs, Microsoft's general manager of product security, George Stathakopoulos, concedes.

Speaking to ZDNet Australia by telephone from Microsoft's Redmond headquarters, Stathakopoulos said the group is working hard to eradicate security glitches and vulnerabilities, but it's inevitable that bugs will slip through. "There will be bugs in the code," he said. "I don't expect anything that I ever do will be a silver bullet."

Despite a massive effort focused on reviewing code and improving coding techniques, Stathakopoulos says the software giant is also working on hardening the OS from the ground up to mitigate any leftover problems. "We learned some lessons (about stack protection) with Windows 2003," he says. "We're doing the same thing for the heap ... [vulnerabilities] will hopefully be much harder to exploit."

The stack protection built into Windows Server 2003 helped to mitigate some vulnerabilities, but was "by no means foolproof," according to one bug researcher ZDNet Australia spoke to. But Stathakopoulos says that's okay -- it's now Microsoft's challenge to improve upon the original protection mechanism. "Every time you do something like that, there's a set of people who will try to find ways around it ... eventually the effort for someone to go around it will become too difficult," he says.

Likewise, the overflow protection put in place for Windows XP Service Pack 2 may not be perfect, but Stathakopoulos says it mitigated many vulnerabilities and made systems harder targets.

"What we've done from the beginning is spend time studying the design," he added. "And we've made some decisions that have to do with quality itself ... certain coding practices we were simply not going to tolerate."

Mitigation seems a big part of Microsoft's strategy. Windows services will no longer run at system-level privilege unless it's absolutely necessary. Operating system components will only have access to the parts of the system they need in order to fulfil their role. If a service is compromised by an attacker, human or otherwise, the attack should not be able to compromise the entire system. "We have very few services running as system," Stathakopoulos says.

And there's good news, he says. Critical vulnerabilities appear to be moving "up the stack" and away from the operating system. "Instead of focusing on the OS they're attacking applications," Stathakopoulos says.

Microsoft's internal efforts going into finding the vulnerabilities themselves have also been substantial, he says. "Over the last few months we've been getting a lot of format file bugs. We're trying to make sure all our parsers can handle a badly formatted file," he says.

That means throwing deliberately malformed files at MS file parsers to see if they cope.
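The practice described above, as an added example that is not from the article and not Microsoft's own tooling: a small mutation-based fuzzing harness in Python. It defines a constructed record format (magic `DEMO`, a one-byte record count, then type/length/payload records), a naive parser that trusts the lengths it reads, and a hardened parser that validates every offset before touching the data. The harness mutates a seed file and a few hand-written corner cases, treats a clean `ValueError` as the parser "coping" and anything else as a crash worth triaging. All names, the format and the seed file are assumptions made for this illustration.

```python
import random

MAGIC = b"DEMO"  # constructed 4-byte file signature for the toy format


class ParseError(ValueError):
    """Clean rejection of malformed input: the behaviour a fuzzed parser should show."""


def build_sample() -> bytes:
    # Constructed well-formed seed file: two records, type 1 "hello" and type 2 "abc".
    return MAGIC + bytes([2]) + b"\x01\x00\x05hello" + b"\x02\x00\x03abc"


def parse_naive(data: bytes) -> list:
    """Trusts the count and length fields; truncated input raises IndexError."""
    if data[:4] != MAGIC:
        raise ValueError("bad magic")
    count = data[4]                       # IndexError if the file ends after the magic
    pos, records = 5, []
    for _ in range(count):
        rtype = data[pos]                 # IndexError if count exceeds the real records
        length = (data[pos + 1] << 8) | data[pos + 2]
        records.append((rtype, bytes(data[pos + 3:pos + 3 + length])))
        pos += 3 + length                 # silently overruns when length is bogus
    return records


def parse_hardened(data: bytes) -> list:
    """Bounds-checks every read; the only exception it raises is ParseError."""
    if len(data) < 5 or data[:4] != MAGIC:
        raise ParseError("bad or truncated header")
    count = data[4]
    pos, records = 5, []
    for _ in range(count):
        if pos + 3 > len(data):
            raise ParseError("record header beyond end of file")
        rtype = data[pos]
        length = int.from_bytes(data[pos + 1:pos + 3], "big")
        if pos + 3 + length > len(data):
            raise ParseError("record payload beyond end of file")
        records.append((rtype, bytes(data[pos + 3:pos + 3 + length])))
        pos += 3 + length
    if pos != len(data):
        raise ParseError("trailing bytes after last record")
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random corruption: bit flip, truncation, or an extreme byte value."""
    buf = bytearray(data)
    if not buf:
        return b""
    strategy = rng.randrange(3)
    if strategy == 0:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif strategy == 1 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        i = rng.randrange(len(buf))
        buf[i] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
    return bytes(buf)


# Hand-written corner cases (constructed) that a random mutator may take a while to hit.
CORNER_CASES = [
    MAGIC + b"\xff",                 # claims 255 records, supplies none
    MAGIC + b"\x01\x01\xff\xff",     # one record whose length runs far past the data
    MAGIC,                           # header only, no count byte
]


def run_campaign(parser, iterations: int = 300, seed: int = 1) -> list:
    """Feed corner cases plus `iterations` mutated files to `parser`.

    Returns a list of (label, exception name, input) for every exception that is
    not a ValueError; an empty list means the parser coped with everything.
    """
    rng = random.Random(seed)
    seed_file = build_sample()
    inputs = [(f"corner{i}", c) for i, c in enumerate(CORNER_CASES)]
    inputs += [(f"mut{i}", mutate(seed_file, rng)) for i in range(iterations)]
    crashes = []
    for label, sample in inputs:
        try:
            parser(sample)
        except ValueError:
            pass                          # clean rejection: the parser handled it
        except Exception as exc:          # anything else is a bug to triage
            crashes.append((label, type(exc).__name__, sample))
    return crashes


if __name__ == "__main__":
    for name, parser in (("naive", parse_naive), ("hardened", parse_hardened)):
        crashes = run_campaign(parser)
        print(f"{name}: {len(crashes)} unexpected exceptions")
        for label, exc_name, sample in crashes[:3]:
            print(f"  {label}: {exc_name} on {sample!r}")
```

The campaign is seeded, so a crash found once can be reproduced exactly; in practice the crashing inputs are saved to disk and minimised before being handed to the parser's owners. The hardened parser shows the property the article's "can handle a badly formatted file" goal asks for: every malformed input is rejected with the one exception type callers are expected to catch.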

That's not to say the company doesn't want the security research community doing some of the heavy lifting for it. Microsoft has its own conference for security researchers, which on the surface of things, appears designed to butter up ethical hackers.

But for Stathakopoulos, the biggest advantage is getting Microsoft's top brass together twice a year to focus exclusively on security issues. "We have a very technical top brass ... when you talk to someone about SQL they understand everything about it," he says.

As for recent criticisms levelled at rival OS maker Apple by Stephen Toulouse, a program manager in Microsoft's Security Response Center, Stathakopoulos isn't buying into it. Toulouse blasted the company over its handling of reported security vulnerabilities on his blog.

Stathakopoulos says those types of arguments aren't necessarily productive, but he understands Toulouse's frustrations. Trying to unshackle Microsoft from the negative image of its security hasn't been easy; kicking the software giant in the teeth has become second nature for the press, which has had years of practice due to the company's historically lacklustre performance in the security area.

Little, as far as much of the press is concerned, has changed. At roughly the same time a Windows Media Player vulnerability (WMF) was making headlines around the world this year, a strikingly similar vulnerability in Apple's Quicktime software (which affected Windows machines with that software installed on them) was discovered and disclosed. A search of Google reveals 204,000 results for pages containing the phrase "WMF vulnerability" and approximately 43,000 containing "Quicktime vulnerability".

Still, Stathakopoulos isn't bothered. Arguments about which vendor is more secure don't interest him. "I hate it when people start arguing 'I am more secure than you'," he says. "As an industry we have to come together. Your Linux, Oracle or whatever."
