AusCERT: Microsoft’s security journey

Microsoft claimed it had radically reduced the number of security flaws in its software and, in future, would reduce the amount of patches required; although it warned that more complex vulnerabilities were around the corner.

In a wide-ranging address, the manager of Microsoft's security response centre in the US, Iain Mulholland, told delegates at AusCERT's third annual IT security conference that Microsoft's security efforts were paying off.

Mulholland said there were only nine critical or important vulnerabilities in Windows Server 2003 within the first 292 days of release, compared to 38 vulnerabilities discovered in Windows 2000 in the same time period. This reduction “is proof that long term investment is starting to pay off. We are starting to get it right.”

However on the flipside, he said that the vulnerabilities Microsoft and the community would now see were more complex. “The low-hanging fruit of vulnerabilities are gone. The vulnerabilities that are being found today are very, very complex,” he said.

“These are not things people are discovering, but are actively having to spend a long term researching and understanding,” he said, adding that once the flaw was found, it was easy for hackers to create exploit code.

Mulholland explained that Microsoft's security response to vulnerabilities relied on the vulnerability not being in the wild. “The work that my team does is, by and large, before the vulnerability becomes public knowledge. The clock to discover a patch hasn't started ticking on that. The act of issuing vulnerability [to other bodies] is what draws attention to the world. What my team does is not as [much] time-driven, as it is based on a [potential] exploit and we work on firm confidence that the finder has forwarded this to us and we can afford to take our time,” he said.

In cases where a vulnerability has been disclosed to the greater community, Mulholland said his team can turn around a patch in short order.

“We have turned around stuff in short order before. [It's] not necessarily something I enjoy and it is unsustainable for long periods of time,” he said.

Mulholland told InformationWeek that Microsoft preferred to work on the assumption that the finder would not disclose the vulnerability and that someone else wouldn't discover it in that time.

However, Mulholland said, “it's like everything in security business. We have historically seen that if we build [a] strong relationship with the [vulnerability] finder, then we can establish a channel of confidentiality. And we don't find that very often several people independently find the same issue at the same time.

Mulholland said that, historically, Microsoft's strength had been in taking its time to resolve security issues properly and correctly.

“It's very easy for people to turn around and say 'you should be able to turn this around in x number of days'. We could possibly do this, but would we do a good job of it? And would we have it available for every single language at the same time? Quite possibly not. We believe firmly [that] equity and quality are big drivers. That's why we will take the time to work through what we are working on.”

Mulholland said he believed security was an ongoing journey, and software would never be 100 percent secure. “I don't think any vendor will ever have software that is 100 percent secure and will never need patches. I do firmly believe that we will significantly reduce the amount of patching which is something we are working at. If you compare the bulletins for Windows 2003 versus Windows 2000 you can see we are making progress in that direction and the curve is going the right way,” Mulholland said.

“I'm not going to say that we're ever going to make it totally painless, or make the cause for patching ever go away. I think that's just a fact of life, but what we do want to do is make it as painless as possible,” he said.

Mulholland also gave attendees an insight into the amount of work his team did to issue Microsoft's security bulletins every second Tuesday of the month.

One security bulletin may contain a patch for up to six operating systems as well as be translated into 26 different languages. Sometimes, Mulholland said, this could equate to up to 10 to 20Gbs of data that Microsoft has to push through regional data centres around the world, all at 10am Redmond time.

Auscert2004, which is being held on the Gold Coast, attracted around 700 delegates and 46 exhibitors.

Siobhan Chapman attended AusCERT2004 at the Gold Coast as a guest of AusCERT.