SecurityFocus 2005-05-09
The software giant bares some of its development struggles in a bid to convince security professionals that the company is taking vulnerabilities seriously.
Among the revelations: The software giant made more than 400 significant changes to the way Windows XP operates in the name of security and eliminated two entire classes of flaws in the operating system, according to Window Snyder, security strategist for Microsoft, who discussed the details during a presentation at the CanSecWest conference in Vancouver.
The lesson for business users and consumers is to "upgrade, if you haven't already," she told attendees at the conference. "We can say forever that Windows XP is more secure and we are putting a lot of work into it, but if you don't have any context into what we are doing, I know it is tough to believe that."
Microsoft released Windows XP Service Pack 2, frequently referred to as SP2, in August 2004 after pledging to improve the security of its flagship desktop operating system as part of the company's Trustworthy Computing Initiative. The initiative and the development of both SP2 and Windows Server 2003 led to many changes in the software giant's process and culture, Snyder said.
For example, the company has put security ahead of product schedules, she said. During SP2 development, as the company neared its original release date, an outside security firm doing code analysis found a slew of flaws belonging to the class of vulnerabilities known as integer overflows, in which a size or count computed in fixed-width arithmetic silently wraps, so that a length check passes or a buffer is allocated far smaller than the data later copied into it. When Microsoft started reviewing other parts of the code, the company found that the flawed components were not isolated cases.
"We started seeing them (integer overflows) in a lot of different places ... we realized we weren't looking for them the same way we were looking for other things," Snyder said. The company decided that fixing the problems was more important than keeping the original product schedule, she added. "We slipped 6 weeks just for this ... but it was the right thing to do."
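The bug class Snyder describes, shown here as an added example that is not Microsoft's code and was not presented at the talk: a length check done in 32-bit arithmetic, which wraps, beside the overflow-safe form. The message layout (a 4-byte little-endian record count followed by 8-byte records), the constants and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Each record in the constructed message format is 8 bytes (assumed layout). */
#define ELEM_SIZE 8u

/* The buggy pattern: multiply in 32-bit arithmetic, which silently wraps.
 * count = 0x20000001 gives 0x20000001 * 8 = 0x1_0000_0008, truncated to 8,
 * so "needed" looks like 8 bytes and the check passes although the caller
 * will go on to process 0x20000001 records. */
int unsafe_length_ok(uint32_t count, uint32_t avail) {
    uint32_t needed = count * ELEM_SIZE;      /* wraps modulo 2^32 */
    return needed <= avail;
}

/* Hardened check: bound the count before multiplying, so no wrap can occur. */
int safe_length_ok(uint32_t count, uint32_t avail) {
    return count <= avail / ELEM_SIZE;
}

/* Overflow-checked size computation for the allocation itself.
 * Returns 1 and writes *out on success, 0 if the product would wrap. */
int safe_alloc_size(uint32_t count, uint32_t *out) {
    if (count > UINT32_MAX / ELEM_SIZE) return 0;
    *out = count * ELEM_SIZE;
    return 1;
}

/* Read the little-endian record count from a message header and accept it only
 * if the declared records actually fit in the bytes that follow the header.
 * Returns 1 and writes *count_out on success, 0 otherwise. */
int parse_header(const uint8_t *msg, size_t len, uint32_t *count_out) {
    if (len < 4) return 0;
    uint32_t count = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
                     ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
    size_t rest = len - 4;
    uint32_t avail = rest > UINT32_MAX ? UINT32_MAX : (uint32_t)rest;
    if (!safe_length_ok(count, avail)) return 0;
    *count_out = count;
    return 1;
}

int main(void) {
    /* Constructed hostile message: count = 0x20000001 followed by only 8 bytes. */
    uint8_t msg[12] = { 0x01, 0x00, 0x00, 0x20,  0, 0, 0, 0, 0, 0, 0, 0 };
    uint32_t count = 0x20000001u, avail = 8, c;
    printf("unsafe check: %s\n", unsafe_length_ok(count, avail) ? "PASS (bug)" : "reject");
    printf("safe check:   %s\n", safe_length_ok(count, avail) ? "pass" : "reject");
    printf("parse_header: %s\n", parse_header(msg, sizeof msg, &c) ? "accepted" : "rejected");
    return 0;
}
```

The fix is cheap and mechanical, which is why it could be applied across a whole code base once the team knew to look for it: divide instead of multiply when bounding a count, and never trust a product that was not checked for wrap.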
Snyder, who said her first name is an ode to California culture and not to her current employer, described other changes made to further harden Windows XP. In all, the software giant changed or removed 428 software features in the operating system to reduce potential vulnerability, she said. Of those design change requests -- referred to internally as DCRs -- 51 were in Internet Explorer and 107 were in the networking functions of Windows XP.
Moreover, the company found and fixed two classes of vulnerabilities that have not been discovered elsewhere, she said.
"These are entire classes of vulnerabilities that I haven't seen externally," Snyder said. "When they found these, (the developers) went on a mission, found them in all parts of the system, and got rid of them."
Snyder remained mum on the details, however, even giving the families of vulnerabilities fake code names: "Ginger" and "Photon."
Not every decision made by Microsoft in pursuit of a safer operating system was welcomed, and one had some attendees up in arms. Several attendees took Microsoft to task for crippling a versatile networking feature known as raw sockets in SP2. Operating systems that support raw sockets, as Windows XP did without restriction until SP2, let an application build its own IP packets, header included, and hand them to the network stack rather than going through the TCP or UDP transport layer. While the feature can be used for communications analysis, scanning and filtering, it can also be used by malicious programs to forge packets with spoofed source addresses or crafted TCP segments; SP2 blocks both of those cases (TCP data over raw sockets, and UDP datagrams whose source address is not a local one), which is what broke many security tools.
One attendee criticized the move away from raw sockets as sacrificing legitimate security firms' needs in order to secure less knowledgeable users.
"We are a security company, a lot of people here sell security software -- if it's going to work under Microsoft a lot of that stuff needs raw sockets," said Chad Loder, principal engineer for software security company Rapid7. "What happened with us is that it broke our customers' applications."
Microsoft currently tells companies that need raw sockets support to move their applications to Windows Server 2003, but will not promise that raw sockets will remain available in that version of the operating system much longer. "People are either going to use Windows 2000 or, as we are considering doing, move over to Linux," Loder said.
Microsoft's Snyder said the company was in the midst of an internal debate over whether and how to continue support for raw sockets.
"There is a lot--a lot--of debate going on regarding raw sockets," she said. "I can't say what the resolution is going to be in the future, however."
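What the raw sockets debate is about in concrete terms, as an added example that is not from the article, from Microsoft or from Rapid7: a program that assembles a complete IPv4/UDP datagram with a source address of its own choosing and hands it to the kernel with IP_HDRINCL. It is written against the POSIX sockets API on Linux, the Unix counterpart of the Winsock raw sockets the attendees were arguing over; the addresses, ports and payload are constructed, and the function names are assumptions. Sending requires CAP_NET_RAW or root, and the build step runs without it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Internet checksum (RFC 1071) over a byte buffer, as used in the IPv4 header. */
uint16_t ip_checksum(const uint8_t *data, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (len & 1) sum += (uint32_t)data[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Write a 20-byte IPv4 header, an 8-byte UDP header and the payload into out.
 * src and dst are dotted quads; the caller picks src, which is the whole point:
 * with IP_HDRINCL nothing below this function checks that src is a local address.
 * Returns the datagram length, or 0 on bad input. */
size_t build_ipv4_udp(uint8_t *out, size_t cap, const char *src, const char *dst,
                      uint16_t sport, uint16_t dport,
                      const uint8_t *payload, size_t payload_len) {
    struct in_addr s, d;
    if (inet_pton(AF_INET, src, &s) != 1 || inet_pton(AF_INET, dst, &d) != 1) return 0;
    size_t total = 20 + 8 + payload_len;
    if (cap < total || total > 0xffff) return 0;
    memset(out, 0, 28);
    out[0] = 0x45;                                   /* version 4, IHL 5 */
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
    out[6] = 0x40;                                   /* DF */
    out[8] = 64;                                     /* TTL */
    out[9] = IPPROTO_UDP;
    memcpy(out + 12, &s.s_addr, 4);                  /* source: whatever was asked for */
    memcpy(out + 16, &d.s_addr, 4);
    uint16_t csum = ip_checksum(out, 20);
    out[10] = (uint8_t)(csum >> 8); out[11] = (uint8_t)csum;
    out[20] = (uint8_t)(sport >> 8); out[21] = (uint8_t)sport;
    out[22] = (uint8_t)(dport >> 8); out[23] = (uint8_t)dport;
    size_t ulen = 8 + payload_len;
    out[24] = (uint8_t)(ulen >> 8); out[25] = (uint8_t)ulen;
    /* UDP checksum left at 0, which IPv4 permits, to keep the example short. */
    memcpy(out + 28, payload, payload_len);
    return total;
}

/* Hand the finished datagram to the kernel. Returns 0 on success, -1 with errno set
 * (EPERM without CAP_NET_RAW). Windows XP SP2 drops a datagram like this when the
 * source address does not belong to a local interface; a Unix host sends it as-is. */
int send_raw(const uint8_t *pkt, size_t len, const char *dst) {
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0) return -1;
    int on = 1;
    if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &on, sizeof on) < 0) { close(fd); return -1; }
    struct sockaddr_in to;
    memset(&to, 0, sizeof to);
    to.sin_family = AF_INET;
    inet_pton(AF_INET, dst, &to.sin_addr);
    ssize_t n = sendto(fd, pkt, len, 0, (struct sockaddr *)&to, sizeof to);
    close(fd);
    return n < 0 ? -1 : 0;
}

int main(void) {
    uint8_t pkt[128];
    const uint8_t payload[] = "hello";        /* constructed payload */
    /* Constructed addresses: a source the host does not own, sent to loopback. */
    size_t n = build_ipv4_udp(pkt, sizeof pkt, "10.0.0.99", "127.0.0.1", 40000, 9, payload, 5);
    printf("built %zu-byte datagram, header checksum verifies: %s\n", n,
           ip_checksum(pkt, 20) == 0 ? "yes" : "no");
    if (send_raw(pkt, n, "127.0.0.1") < 0) perror("send_raw (expected without CAP_NET_RAW)");
    return 0;
}
```

The same construction is what a scanner or network monitor needs for crafted probes, and what a worm needs for spoofed floods; the socket API cannot tell the two apart, which is why Microsoft's choice came down to blocking the forged-source and raw-TCP cases outright rather than to anything finer grained.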
Weighing the impact of such changes is the hardest job for the product teams at Microsoft, Snyder said. A lot of legacy code remains in Windows XP because the company cannot risk breaking customers' applications, she explained. The company aims to mitigate the risk of the older code either by continuing to rewrite it, or by installing it only when the user explicitly requests it, so that it is not present, and not attackable, by default.
"Every time we rip a feature out because it is old and we think no one is using it, our customers scream that we are using it," she said. "And over the life time of Windows, that adds up to a significant code base."