Stung by a number of embarrassing security vulnerabilities in recent weeks, Microsoft Corp. has made "Trustworthy Computing" a top goal and even delayed shipment of its new .Net tools so it could perform a last-minute security audit. At Gartner Inc.'s Midsize Enterprise Conference here this week, Cliff Reeves, Microsoft's vice president of Windows.Net product management, laid out Microsoft's security road map for attendees at the conference. He spoke to Computerworld about security flaws and user concerns -- and what Microsoft is doing about them.
Q: Microsoft has been hit by a number of embarrassing security flaws in its software. What accounts for the escalating number of problems?
A: We actually have no more vulnerabilities than any other piece of software doing the same functions, and we get hit a lot. But it's not an excuse, it's just the current reason. The more interesting message than the number of attacks, and the visibility of Microsoft, is the additional responsibility we have by virtue of market success. You can say the number of attacks is a result of market success, which is true. Or you can say the obligation to have fewer attacks is an obligation of market success. And I think that's the attitude that the company has about this.
Q: Is Microsoft more vulnerable than other companies because it's such a big target?
A: Almost by definition [it is]. If you've got millions of lines of code -- and let's say our code was five times as good as everybody else's is but we had 10 times as many people out there hitting it -- the chances are that we'd see fewer pure vulnerabilities but we'd see more attacks and successes, simply because people would find the holes.
Q: Because Microsoft is so big and is on so many desktops and networks, it does have more responsibility. But it seems like Microsoft hasn't done enough with the responsibility that it has. You mentioned that Microsoft is retraining its engineers on security best practices. Sounds good. But isn't it a bit late in the process?
A: Anytime you look at a situation where there's a problem and say, "Shouldn't we have been aware of that, or couldn't we have been aware of that, or wouldn't it have been good if I fixed that beforehand?" -- absolutely. But do I think the company should be wearing a hair shirt over that? No. I think this is a learning process. We don't sit there going, "To hell with security, let's just go put some features out. We don't care about users." This is a culturalization process. Could we have reacted sooner? Possibly. Would other companies have reacted sooner? I don't know. I think we have a tremendous sense of obligation to our users and we've always fulfilled it by delivering more functions at incredibly good prices and incredibly good speed. And now, there's another knob they want turned. And you know what? We owe them that, and we have a bigger obligation to do it. With the benefit of hindsight, we could have changed everything. But I'm not sure it was either practical or possible.
Q: And what's a hair shirt?
A: It's what early Christians used to wear to show sorrow and regret. They used to wear a shirt that was really itchy and scratchy, and they would wear it to show penance.
Q: So, Microsoft shouldn't be wearing one?
A: We can wear a hair shirt, but it's more important to figure out what to do about products and be proactive.
Q: Let's talk about some of the problems in some features. In Windows XP, for example, there was a problem with Universal Plug and Play (UPnP). Explain the problem and what's been done about it.
A: UPnP. It was a buffer overrun problem, and that's increasingly more common, where someone can program and send a long piece of data that is long enough to overwrite the stack in memory ... and it can do things like send bad e-mails. That particular technique has been a feature in a few bug exposures recently, and two in [America Online Inc.'s software] in recent weeks. The good news is ... we can go back and locate them and fix them. That, amongst other things, is one thing that we're examining in the code.
Q: After the NIMDA virus hit last fall, Gartner Inc. warned users about security vulnerabilities in Microsoft's Internet Information Server and was critical about the number of security patches that Microsoft issues. What is going on there?
A: First of all, IIS is not any more error-prone than any other Web server. In fact, some versions of Apache or Linux have had more exposures. It's not a code quality issue per se. There are two issues: One is [that] IIS by default provided access to a lot of services. And the reason we did that was to make the system easy to deploy and easy to use. And generally, if you asked users if they wanted that, they would have said yes. However, if they provide any type of exposure, you find out that there are a lot more systems because of the number of IIS's out there. So, one of the first things we did was issue a tool which allows you to lock down IIS, then turn off and then turn on selectively the services that you want, which dramatically drops the door on the exposures. Secondly, with respect to hot fixes, yes, if there are a number of security exposures developed, we immediately put out a fix for them. That results in several fixes, and some could be low priority, but you can't always judge that and not put out a fix. We always put out a fix. As a result, you could have cumulative maintenance and with a large deployment, it can be time consuming to determine which one to apply in sequence or just go through them all, particularly if you haven't been keeping up with maintenance. So, one of the things we did was a cumulative pack, which took all previous fixes. Secondly, we put Windows Update in place, which will automatically alert people of priority fixes, so you're one click away from getting the fix downloaded.
And then [there's] Windows Update Corporate Edition, which will allow corporations to deal with the practical issues of keeping fixes up-to-date and, of course, educating people on [Microsoft's System Management Server], which is a mechanism for validating fix levels across systems.
Q: And what about .Net? Windows.Net, including Visual Studio.Net, was recently delayed for a security audit. What was the purpose and the status of that audit?
A: It was part of the ongoing scrutiny of security. And we're pretty open as a company in terms of saying what we're doing and when we're doing it. ... If there is a reason for a delay or change in schedule, we explain why. And the extra scrutiny of .Net was well worth the time and money. Many of the design elements of .Net, particularly the sandboxing of applications, will reduce security exposures dramatically. It features signed code and the ability to apply permissions to code. So a piece of code actually has assigned to it information about who wrote it ... which is impossible to steal. And it has a digest, so if [you] modify the code, even if signatures are intact, the digest won't be the same. You can actually tell that code is modified. So there are a number of checks in the Common Language Runtime, which allows isolation of the applications and a very strong checking of the access rights of code. It will be a long while before that is pervasive. But that is exactly the kind of fundamental change that needs to be made to produce secure environments.
Q: And the audit is complete?
A: Yes. [The tools] were available on the Web last week.
Q: Windows XP and Windows.Net are the top initiatives under way at Microsoft right now. Is there a concern that the security problems will overshadow what Microsoft is trying to accomplish with those products?
A: The fundamental issue is we want to get computing as safe as using electricity over the phone, and as reliable. And anything that stops that is a problem for us. The recent spate of attacks, they're part of a trend. We're by no means the only people suffering from it. And yes, it's important to us if our customers are damaged in any way or even worried.
Q: So what do you want to tell Computerworld readers about Trustworthy Computing and what Microsoft is doing to address its security problems?
A: There is a very long list of actions that run all the way from writing better code to using best practices and supporting our customers and teaching our customers how to manage their systems better. ... The real goal is we believe software developers and the PC revolution -- that whole ecosystem -- has the potential to deliver far more value than it already has delivered. But it won't deliver that unless systems seem safe to use. And that means they stay up, and data that's private can be kept private and not subject to attacks. And I want to tell people that we're committed to building environments that are 100 percent safe for them.