Microsoft unveils details of software security process
http://www.securityfocus.com/printable/news/11115
The software giant bares some of its development struggles in a bid to
convince security professionals that the company is taking vulnerabilities
seriously.
By Robert Lemos, SecurityFocus May 9 2005 8:03AM
Vancouver, CANADA -- Microsoft revealed on Thursday some details of the
company's struggle to develop Service Pack 2, the massive security update
released last August to harden Windows XP.
Among the revelations: The software giant made more than 400 significant
changes to the way Windows XP operates in the name of security and
eliminated two entire classes of flaws in the operating system, according to
Window Snyder, security strategist for Microsoft, who discussed the details
during a presentation at the CanSecWest conference in Vancouver.
The lesson for business users and consumers is to "upgrade, if you haven't
already," she told attendees at the conference. "We can say forever that
Windows XP is more secure and we are putting a lot of work into it, but if
you don't have any context into what we are doing, I know it is tough to
believe that."
Microsoft released Windows XP Service Pack 2, frequently referred to as SP2,
in August after pledging to improve the security of its flagship desktop
operating system as part of the company's Trustworthy Computing Initiative.
The initiative and the development of both SP2 and Windows 2003 led to many
changes in the software giant's process and culture, Snyder said.
For example, the company has put security ahead of product schedules, she
said. During SP2 development, as the company neared its original release
date, an outside security firm doing code analysis found a slew of flaws
belonging to a class of vulnerabilities known as integer overflows:
arithmetic on a length or count that wraps past what its integer type can
hold, so that a size check passes and a buffer ends up far smaller than the
data later written into it. When Microsoft started reviewing other parts of
the code, the company found that the flawed components were not isolated
cases.
"We started seeing them (integer overflows) in a lot of different places ...
we realized we weren't looking for them the same way we were looking for
other things," Snyder said. The company decided that fixing the problems was
more important than keeping the original product schedule, she added. "We
slipped 6 weeks just for this ... but it was the right thing to do."
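The kind of bug those reviewers were turning up, as an added example that is not from the article or from the Windows code base: a 32-bit record count taken from an untrusted header is multiplied by a record size, wraps, and yields a tiny heap allocation that a later copy loop overruns. The record layout, the sample input and the function names are constructed for illustration; the checked version does the pre-multiplication overflow test that helper libraries such as Microsoft's SafeInt and intsafe.h exist to provide.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size record of a constructed binary format: exactly 16 bytes. */
typedef struct { uint32_t id; uint8_t payload[12]; } record_t;
#define REC_SIZE ((uint32_t)sizeof(record_t))   /* 16 */

/* VULNERABLE sizing: 'count' comes straight from the input's header. The
 * 32-bit multiply wraps silently once count >= 2^28, so a header claiming
 * 0x10000001 records "needs" only 16 bytes. Any loop that later trusts
 * count walks straight off the end of that block. */
uint32_t alloc_size_unsafe(uint32_t count)
{
    return count * REC_SIZE;
}

/* CHECKED sizing: test for overflow before multiplying and fail closed.
 * Returns -1 when count * REC_SIZE is not representable in 32 bits. */
int64_t alloc_size_checked(uint32_t count)
{
    if (count > UINT32_MAX / REC_SIZE)
        return -1;
    return (int64_t)count * REC_SIZE;
}

/* VULNERABLE parser: the allocation uses the wrapped size while the copy
 * loop uses the claimed count, so a hostile header becomes a heap overflow
 * (and an out-of-bounds read of buf). Kept as the "before" pattern; main()
 * only ever feeds it the benign sample. */
record_t *parse_records_unsafe(const uint8_t *buf, uint32_t count)
{
    record_t *recs = malloc(alloc_size_unsafe(count));
    if (recs == NULL)
        return NULL;
    for (uint32_t i = 0; i < count; i++)      /* writes count * 16 bytes */
        memcpy(&recs[i], buf + (size_t)i * REC_SIZE, REC_SIZE);
    return recs;
}

/* HARDENED parser: reject counts whose size overflows, and require the
 * input to actually contain the bytes the header claims. Returns the
 * number of records parsed (buffer in *out, caller frees), or -1. */
int64_t parse_records_safe(const uint8_t *buf, size_t buf_len,
                           uint32_t count, record_t **out)
{
    int64_t nbytes = alloc_size_checked(count);
    *out = NULL;
    if (nbytes < 0 || (uint64_t)nbytes > buf_len)
        return -1;
    if (nbytes == 0)
        return 0;
    record_t *recs = malloc((size_t)nbytes);
    if (recs == NULL)
        return -1;
    memcpy(recs, buf, (size_t)nbytes);
    *out = recs;
    return count;
}

/* Constructed sample input: two records with ids 0x01010101 and
 * 0x02020202 (byte patterns chosen so host endianness does not matter). */
static const uint8_t SAMPLE[32] = {
    [0] = 1, [1] = 1, [2] = 1, [3] = 1,
    [16] = 2, [17] = 2, [18] = 2, [19] = 2,
};

/* Parse the sample the safe way and sum the ids: 0x03030303 on success. */
uint32_t sum_ids_of_sample(void)
{
    record_t *recs;
    int64_t n = parse_records_safe(SAMPLE, sizeof SAMPLE, 2, &recs);
    uint32_t sum = 0;
    for (int64_t i = 0; i < n; i++)
        sum += recs[i].id;
    free(recs);
    return sum;
}

/* The hostile header against the safe parser: 1 if it is rejected cleanly. */
int hostile_count_rejected(void)
{
    record_t *recs;
    int64_t n = parse_records_safe(SAMPLE, sizeof SAMPLE, 0x10000001u, &recs);
    return n == -1 && recs == NULL;
}

int main(void)
{
    uint32_t hostile = 0x10000001u;
    printf("unsafe size for %u records: %u bytes (wrapped)\n",
           hostile, alloc_size_unsafe(hostile));
    printf("checked size for %u records: %lld (rejected)\n",
           hostile, (long long)alloc_size_checked(hostile));
    printf("safe parse of sample: id sum 0x%08x, hostile header rejected: %d\n",
           sum_ids_of_sample(), hostile_count_rejected());
    record_t *benign = parse_records_unsafe(SAMPLE, 2);   /* benign count only */
    free(benign);
    return 0;
}
```

The division test is the whole fix: it is cheap, it needs no wider integer type, and it is the check a code reviewer hunting this class looks for beside every `malloc(n * size)`. Note that on a 64-bit build the same multiply in `size_t` would not wrap for a 32-bit count, which is why 32-bit XP-era code was so rich in these bugs and why the arithmetic here is kept deliberately in `uint32_t`.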
Snyder, who said her first name is an ode to California culture and not to
her current employer, described other changes made to further harden Windows
XP. In all, the software giant changed or removed 428 software features in
the operating system to reduce potential vulnerability, she said. Of those
design change requests -- referred to internally as DSRs -- 51 were in
Internet Explorer and 107 were in the networking functions of Windows XP.
Moreover, the company found and fixed two classes of vulnerabilities that
have not been discovered elsewhere, she said.
"These are entire classes of vulnerabilities that I haven't seen
externally," Snyder said. "When they found these, (the developers) went on a
mission, found them in all parts of the system, and got rid of them."
Snyder remained mum on the details, however, even giving the families of
vulnerabilities fake code names: "Ginger" and "Photon."
However, the decisions made by Microsoft in pursuit of a safer operating
system had some attendees up in arms. Several attendees took Microsoft to
task for curtailing a versatile networking feature known as raw sockets in
the latest round of changes to Windows XP. A raw socket lets an application
build an IP packet itself, headers included, and hand it to the network
stack as-is rather than going through the system's TCP or UDP
implementation. With SP2, Windows XP stopped letting applications send TCP
segments over raw sockets, or UDP datagrams whose source address does not
belong to a local interface. The feature is what port scanners, packet
sniffers and filtering tools are built on, but it is also what lets a worm
or bot forge packets, for example with a spoofed source address.
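What a raw socket gives a program, and what SP2 took away for UDP, as an added example that is not from the article, from Microsoft or from Rapid7: the program assembles its own IPv4 and UDP headers, chooses whatever source address it likes, and passes the finished packet to the kernel with IP_HDRINCL. It is written against the BSD sockets API on Linux (Winsock offers the same socket/setsockopt/sendto calls); the addresses, ports, IP identification and payload are constructed, and because sending needs CAP_NET_RAW the block's self-check validates the packet it built without sending it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

#define IP_HLEN  20
#define UDP_HLEN 8

/* Internet checksum (RFC 1071): one's-complement sum of big-endian 16-bit
 * words, with an odd trailing byte padded on the right. Returned in host
 * order; the caller stores it big-endian. */
uint16_t inet_checksum(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t sum = 0;
    while (len > 1) { sum += ((uint32_t)p[0] << 8) | p[1]; p += 2; len -= 2; }
    if (len)
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }

/* Build IPv4 header + UDP header + payload into out. The caller picks the
 * source address, which is exactly the freedom a spoofing program wants.
 * Returns the total length, or 0 on bad input. */
size_t build_udp_packet(uint8_t *out, size_t cap, const char *src_ip,
                        const char *dst_ip, uint16_t sport, uint16_t dport,
                        const uint8_t *payload, size_t plen)
{
    size_t total = IP_HLEN + UDP_HLEN + plen;
    struct in_addr src, dst;
    if (total > cap || total > 0xffff)
        return 0;
    if (inet_pton(AF_INET, src_ip, &src) != 1 || inet_pton(AF_INET, dst_ip, &dst) != 1)
        return 0;
    memset(out, 0, IP_HLEN + UDP_HLEN);
    out[0] = 0x45;                          /* IPv4, 5-word header, no options */
    put16(out + 2, (uint16_t)total);        /* total length */
    put16(out + 4, 0x1234);                 /* identification (constructed) */
    out[8] = 64;                            /* TTL */
    out[9] = IPPROTO_UDP;
    memcpy(out + 12, &src, 4);              /* source: whatever the caller says */
    memcpy(out + 16, &dst, 4);
    put16(out + 10, inet_checksum(out, IP_HLEN));  /* header checksum (field was 0) */
    uint8_t *udp = out + IP_HLEN;
    put16(udp + 0, sport);
    put16(udp + 2, dport);
    put16(udp + 4, (uint16_t)(UDP_HLEN + plen));
    /* UDP checksum left 0: optional over IPv4 (RFC 768); keeps the example short. */
    memcpy(udp + UDP_HLEN, payload, plen);
    return total;
}

/* Hand the finished packet to the kernel; IP_HDRINCL tells it to use our
 * header as-is. Needs CAP_NET_RAW / root, otherwise returns -1 with a message. */
int send_raw(const uint8_t *pkt, size_t len)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0) { perror("socket(SOCK_RAW)"); return -1; }
    int one = 1;
    if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one) < 0) {
        perror("setsockopt(IP_HDRINCL)"); close(fd); return -1;
    }
    struct sockaddr_in to = {0};
    to.sin_family = AF_INET;
    memcpy(&to.sin_addr, pkt + 16, 4);      /* destination from our own header */
    ssize_t n = sendto(fd, pkt, len, 0, (struct sockaddr *)&to, sizeof to);
    if (n < 0)
        perror("sendto");
    close(fd);
    return n < 0 ? -1 : (int)n;
}

/* Unprivileged self-check: build a packet with a forged source (10.0.0.1,
 * constructed) and verify the fields and that the header checksum verifies. */
int selfcheck_spoofed_packet(void)
{
    uint8_t pkt[64];
    const uint8_t payload[] = "probe";      /* constructed payload */
    size_t n = build_udp_packet(pkt, sizeof pkt, "10.0.0.1", "10.0.0.2",
                                40000, 53, payload, sizeof payload - 1);
    if (n != IP_HLEN + UDP_HLEN + 5) return 0;
    if (pkt[0] != 0x45 || pkt[9] != IPPROTO_UDP) return 0;
    if (memcmp(pkt + 12, "\x0a\x00\x00\x01", 4) != 0) return 0;  /* forged source */
    if (inet_checksum(pkt, IP_HLEN) != 0) return 0;               /* sums to zero */
    return 1;
}

int main(void)
{
    uint8_t pkt[64];
    const uint8_t payload[] = "probe";
    size_t n = build_udp_packet(pkt, sizeof pkt, "10.0.0.1", "10.0.0.2",
                                40000, 53, payload, 5);
    printf("built %zu-byte IPv4/UDP packet, self-check %s\n",
           n, selfcheck_spoofed_packet() ? "ok" : "FAILED");
    if (n == 0 || send_raw(pkt, n) < 0)
        puts("not sent: raw sockets need CAP_NET_RAW, which is the whole point");
    return 0;
}
```

Run unprivileged to see the self-check; as root the packet actually leaves the stack with the forged source. Every line of the builder is also what a scanner or a packet-filter test tool needs, which is why the Rapid7 complaint below is the flip side of the same design decision: the stack cannot tell a spoofing worm from a legitimate probe by looking at the packet, so SP2 restricted the capability for everyone.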
One attendee criticized the move away from raw sockets as sacrificing
legitimate security firms' needs in order to secure less knowledgeable
users.
"We are a security company, a lot of people here sell security software --
if it's going to work under Microsoft a lot of that stuff needs raw
sockets," said Chad Loder, principal engineer for software security company
Rapid7. "What happened with us is that it broke our customers'
applications."
Microsoft currently tells companies that need raw sockets support to move
their applications to Windows 2003, but will not promise that raw sockets
will be available in that version of the operating system much longer.
"People are either going to use Windows 2000 or, as we are considering
doing, move over to Linux," Loder said.
Microsoft's Snyder said the company was in the midst of an internal debate
over whether and how to continue support for raw sockets.
"There is a lot--a lot--of debate going on regarding raw sockets," she said.
"I can't say what the resolution is going to be in the future, however."
Weighing the impact of such changes is the hardest job for the product teams
at Microsoft, Snyder said. A lot of legacy code remains in Windows XP
because the company cannot risk breaking customers' applications, she
explained. Instead, the company aims to mitigate the risk of the older code
either by continuing to rewrite it or by installing it only when the user
explicitly asks for it.
"Every time we rip a feature out because it is old and we don't think anyone
is using it, our customers scream that they are using it," she said. "And
over the lifetime of Windows, that adds up to a significant code base."
Copyright © 1999-2005 SecurityFocus