Update, February 2002

Gates Puts Focus on Trustworthy Computing

Chief Software Architect Bill Gates has told all employees that security will now take precedence over features in Microsoft’s software design process. His memo kicks off a companywide initiative, called "Trustworthy Computing," that will be the third security-related initiative in a year. The latest initiative has a better chance of succeeding than the previous ones because it comes from Microsoft’s top executive, and because it's the first to target all Microsoft product groups. However, recent events show just how long and arduous the journey will be to the new world of Trustworthy Computing, and how vigilant customers must remain in the meantime.

Trustworthy Computing

Microsoft’s Advanced Strategy and Policy Group under Chief Technology Officer Craig Mundie has been working to define Trustworthy Computing. Specific details are yet to be provided, but Gates’s e-mail outlined the following key aspects:

Availability. Products should run when customers need them, and redundancy and automatic recovery should be available to reduce the frequency and duration of system outages.

Security. Data should be protected from harm and only used or modified in appropriate ways. Developers should easily understand how to create applications that respect and enhance security.

Privacy. Users should be in control of how their data is used, and it should be easy for them to specify the appropriate use of their information.

Availability, security, and privacy are critical to Microsoft’s future success in many areas, including the following:

  • Microsoft is asking its corps of loyal developers to migrate to the .NET Framework—a completely new and largely untested layer sitting between the application and the operating system. The .NET Framework can make it easier to write secure, highly available applications, but only if the Framework itself meets high standards of security and availability; developers will not base core business applications on it unless they are convinced that Microsoft understands and is addressing issues such as security.
  • Microsoft is trying to sell its server products into enterprise data centers, where availability and security are extremely important. (See the Dec. 2001 Research Report, "Microsoft Aims for the Enterprise.") This contrasts with the desktop application market, where these criteria are often perceived to be less important than adding new features and shipping on time.
  • Microsoft will soon be trying to sell consumers a set of Microsoft-hosted Web services (see ".NET My Services Picture Getting Clearer" on page 26 of the Dec. 2001 Update), and it is Microsoft’s dream to move beyond the PC into consumer device markets, such as mobile phones and set-top boxes, and into fee-based consumer online services, such as centralized data storage. However, none of the new technology will take hold among a broad consumer market until it offers the reliability of other pervasive technologies, such as the telephone and the automobile.

The Need for Trustworthy Computing

Past e-mails from Gates to the troops, such as the 1995 memo that called out the importance of the Internet, are credited with turning Microsoft around and focusing it on a new critical path. This time, however, autonomous product teams independently adding features to products cannot achieve success. Trustworthy Computing can only be achieved through a consistent and dependable companywide focus on security through the entire development cycle of the product, from initial feature specification through development and testing.

Recent incidents—a critical vulnerability in Windows XP, a new worm that exploits the default configuration of SQL Server, and a controversial proposal to limit discussion of security problems—show how far the company has to go.

The UPnP Vulnerability

Shortly after Microsoft shipped Windows XP in 2001, eEye Digital Security found a buffer overflow in Microsoft’s implementation of the Universal Plug and Play (UPnP) service that would allow a miscreant to take control of an attacked PC. UPnP facilitates the connection of intelligent devices over a variety of physical media. Although hardware vendors are beginning to develop devices with UPnP interfaces, UPnP is so new that few devices currently support it.

Microsoft produced and tested a patch to resolve the buffer overflow, but intermittent outages of its Windows Update Web site slowed distribution of the patch.

This latest vulnerability highlights the trade-off that Microsoft must make between security and usability in the default configuration of services. On one hand, Microsoft wants services such as UPnP turned on so that users can automatically take advantage of UPnP devices. On the other hand, a service that listens on the network by default is exposed whether or not any UPnP device is present. A more secure approach would have been to ship with the service off by default and have users turn it on through a wizard, or have administrators turn it on through Group Policy (for Windows XP Professional).

Worm Targets SQL Server

Recently, the CERT Coordination Center (a federally funded research and development center operated by Carnegie Mellon University) posted a vulnerability note and an incident report documenting a worm called "Voyager Alpha Force" that targets SQL Server and the SQL Server Desktop Engine (formerly known as the Microsoft Data Engine [MSDE]) databases. The worm exploits the fact that some installations leave the database system administrator (sa) account with a blank password, and some installers give no opportunity to set one, so anyone who can reach the server can log on to that account without a password. In particular, many applications (including some Microsoft products) install the SQL Server Desktop Engine in this insecure default configuration.

Worse, some of Microsoft's own product teams appear to have been unaware of this vulnerability, even after the CERT bulletin was posted. For example, the Windows team shipped the SQL Server Desktop Engine with no system administrator password in the embedded version of XP, which was released after the CERT bulletin. (Windows XP Embedded uses the SQL Server Desktop Engine in its development tools for building the embedded image; the images it produces do not inherit the exposure, but the development machine running those tools does.)

Finally, some customers might be unaware of this threat because Microsoft has chosen not to issue a security bulletin. According to Christopher Budd, a program manager with Microsoft’s Security Response Center, Microsoft took no action because "according to Microsoft’s definition, SQL Server does not have a vulnerability." (Microsoft’s vulnerability definition is outlined at a Web site listed in the Resource section below.) Thus, customers and Microsoft’s own product teams might remain unaware of security vulnerabilities that have been published only at non-Microsoft sites, which have a broader definition of security vulnerabilities.
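As an added example that is not part of the original article, the following Python script runs over a handful of constructed firewall log lines and does two things the UPnP and SQL Server sections above call for: it flags a source that is fanning out to many hosts on TCP 1433, the SQL Server port, which is the propagation pattern of a worm such as Voyager Alpha Force, and it lists internal hosts that accepted a connection on the SQL Server port or on the ports Windows XP's UPnP services listen on (SSDP on UDP 1900, the UPnP device host on TCP 5000), that is, hosts where a default-on service is reachable and should be reviewed. The log line format, the sample addresses, and the port-to-service mapping are assumptions made for this example; adapt the regular expression to the firewall actually in use.

```python
"""Triage constructed firewall log lines for the two exposures discussed above:
SQL Server/MSDE (TCP 1433) and the Windows XP UPnP services (UDP 1900, TCP 5000).
Added example; the log format and addresses are assumptions, not real data."""
import re
from collections import defaultdict

# Constructed sample log (assumed format). 10.1.2.3 fans out to six hosts on 1433;
# 192.0.2.44 reaches an internal host's UPnP ports; one line is deliberately unparsable.
SAMPLE_LOG = """\
2002-01-10T03:12:41 SRC=10.1.2.3 DST=10.1.5.7 PROTO=TCP DPT=1433 ACTION=ACCEPT
2002-01-10T03:12:41 SRC=10.1.2.3 DST=10.1.5.8 PROTO=TCP DPT=1433 ACTION=DROP
2002-01-10T03:12:42 SRC=10.1.2.3 DST=10.1.5.9 PROTO=TCP DPT=1433 ACTION=DROP
2002-01-10T03:12:42 SRC=10.1.2.3 DST=10.1.5.10 PROTO=TCP DPT=1433 ACTION=DROP
2002-01-10T03:12:43 SRC=10.1.2.3 DST=10.1.5.11 PROTO=TCP DPT=1433 ACTION=DROP
2002-01-10T03:12:43 SRC=10.1.2.3 DST=10.1.5.12 PROTO=TCP DPT=1433 ACTION=ACCEPT
2002-01-10T03:15:00 SRC=10.1.9.9 DST=10.1.5.7 PROTO=TCP DPT=1433 ACTION=ACCEPT
2002-01-10T03:15:01 SRC=10.1.9.9 DST=10.1.5.7 PROTO=TCP DPT=1433 ACTION=ACCEPT
2002-01-10T04:00:00 SRC=192.0.2.44 DST=10.1.5.20 PROTO=UDP DPT=1900 ACTION=ACCEPT
2002-01-10T04:00:01 SRC=192.0.2.44 DST=10.1.5.20 PROTO=TCP DPT=5000 ACTION=ACCEPT
2002-01-10T04:00:02 SRC=192.0.2.44 DST=10.1.5.21 PROTO=TCP DPT=5000 ACTION=DROP
2002-01-10T04:01:00 SRC=10.1.2.3 DST=10.1.5.30 PROTO=TCP DPT=80 ACTION=ACCEPT
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>TCP|UDP) DPT=(?P<dport>\d+) ACTION=(?P<action>ACCEPT|DROP)$"
)

# Ports of the services the article discusses (mapping assumed for this example).
WATCHED = {
    ("TCP", 1433): "SQL Server / MSDE",
    ("UDP", 1900): "SSDP (UPnP discovery)",
    ("TCP", 5000): "UPnP device host",
}


def parse_log(text):
    """Parse lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def find_scanners(events, proto="TCP", port=1433, min_targets=5):
    """Sources that tried to reach at least min_targets distinct hosts on one port.
    Fan-out is the propagation signature of a worm; DROPs count as much as ACCEPTs,
    since the scanner is identified by what it attempts, not by what succeeds."""
    targets = defaultdict(set)
    for ev in events:
        if ev["proto"] == proto and ev["dport"] == port:
            targets[ev["src"]].add(ev["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def exposed_hosts(events, watched=WATCHED):
    """Destinations that ACCEPTED a connection on a watched port: hosts where a
    default-on service is reachable and should be disabled or (for SQL Server) given
    a real sa password."""
    exposed = defaultdict(set)
    for ev in events:
        label = watched.get((ev["proto"], ev["dport"]))
        if label and ev["action"] == "ACCEPT":
            exposed[ev["dst"]].add(label)
    return {dst: sorted(labels) for dst, labels in exposed.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("hosts scanning TCP 1433:", find_scanners(evs))
    for host, services in sorted(exposed_hosts(evs).items()):
        print(f"{host}: {', '.join(services)}")
```

The fan-out threshold is deliberately low for the sample; on a real network it should be tuned so that legitimate clients of a central database (10.1.9.9 in the sample, which talks to one server repeatedly) are not reported, while a host that touches a few dozen addresses on 1433 in seconds is.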

Standards for Handling Vulnerabilities

In Nov. 2001, at the Trusted Computing Conference, @stake, Bindview, Foundstone, Guardent, Internet Security Systems, and Microsoft announced their intention to form an organization (as yet unnamed) to develop an industry standard for reporting security vulnerabilities to vendors and the public.

According to Microsoft, such a standard is necessary because every software vendor has different expectations of how vulnerabilities should be reported, and reporters of vulnerabilities have different definitions of what constitutes a vulnerability and what action the vendor should take following the report (e.g., the Voyager Alpha Force vulnerability described earlier). The goals of a reporting standard would include the timely and complete reporting of vulnerabilities, adequate time for vendors to validate and supply fixes, adequate time for users to deploy any fix, and assurances that any security tools that vendors create cannot be subverted to build exploit code.

However, some organizations have criticized several points of Microsoft's proposal, including the request that participants wait 30 days after a patch is released, to allow customers to install it, before divulging the technical details needed to build exploit code.

Resistance to such a standard comes from proponents of open discussion, including independent security companies such as eEye and the System Administration, Networking, and Security (SANS) Institute, a research and education organization for system administrators and security professionals.

These critics argue that full disclosure and dissemination of information makes users aware of potential vulnerabilities, even if such information assists attackers. Critics argue that a customer with knowledge of a vulnerability in a service such as UPnP could at least implement a safeguard, such as disabling the service, until a tested patch could be deployed. Critics also worry that a formal or legally binding nondisclosure policy could allow large software vendors, such as Microsoft and AOL, to use the policy to hide flaws in their products or downplay the threat.

Microsoft has not yet revealed when and where the organization will next meet, or when and how it will formalize the proposed standard. Independent organizations such as CERT and SANS have their own reporting standards and do not appear willing to conform to Microsoft's. It's also unlikely that zealous individuals who have discovered many vulnerabilities in Microsoft's software (such as the independent security consultant Georgi Guninski) will toe the line. Microsoft's Budd acknowledged this possibility but expressed hope that "customers would turn away from companies that do not follow the standards."

Until Trustworthy Computing Arrives

While Gates’s new marching orders for the troops have put a renewed focus on security, customers cannot afford to let down their guard. In the interim, customers must monitor multiple sources such as CERT, SANS, and Microsoft for vulnerability and incident bulletins, since (as the SQL Server case shows) a problem may be documented at one and not the others. They need to be vigilant about applying patches, even when a patch ships only as part of a service pack that also carries new features, and they need to continually examine the default installation configuration of Microsoft products, disable every network-facing service they do not truly need, and set passwords on administrative accounts that an installer may have left blank.

Resources

For Microsoft’s security bulletins and other security information, see www.microsoft.com/security.

For Microsoft’s definition of what constitutes a vulnerability, see www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/vulnrbl.asp.

For a transcript of a speech by Craig Mundie that references trusted computing, see www.microsoft.com/presspass/exec/craig/11-06trustedcomputing.asp.

eEye has been instrumental in finding vulnerabilities in Microsoft software. For more information on eEye, see www.eEye.com.

For information on Microsoft’s proposed standards for handling security vulnerabilities, see www.microsoft.com/technet/security/news/standard.asp.

For general information on CERT, see www.cert.org.

For the CERT vulnerability note for Microsoft SQL Server, see www.kb.cert.org/vuls/id/635463.

For the CERT incident report on the Voyager Alpha Force malicious code, see www.cert.org/incident_notes/IN-2001-13.html.

For general information on the SANS Institute, see www.sans.org.

For information on the Secure Windows Initiative, see "Secure Windows Initiative to Tackle Security Vulnerabilities" on page 13 of the Aug. 2001 Update.

For information on the Strategic Technology Protection Program, see "Get Secure, Stay Secure" on page 17 of the Dec. 2001 Update.