Microsoft Says Code is Better, Not Perfect: Q&A

Over the past few years, Microsoft has aggressively sought to change the image that its products have poor security. The company says that Windows Vista, which has been released to manufacturing, will be its most secure operating system to date, representing a top-down change in how its programmers develop code with security in mind.

Stephen Toulouse, senior product manager for the security technology unit, spoke with IDG News Service about how Microsoft’s security teams approach problems with software and the current threat landscape. An edited transcript of that interview follows.

IDG: It seems over the past few months there have been fewer vulnerabilities that would affect, say, millions of users. What is your perception?

Toulouse: To watch how the threat landscape has evolved has been very interesting. When you look back at where we were four years ago, we didn’t have the security development lifecyle; the operating system didn’t have a firewall. I think you are seeing more complex attacks, more social engineering. I think the simplistic attacks of the past with worldwide impacts are far fewer, and we expect that to be further reduced. But we can’t let ourselves be complacent. I think what you’ll see in the future is far more defense in-depth in applications and in operating systems, and that is going to generate far more complex attacks. Attackers are not going to stop.

IDG: Do you think the number of fixes issued on patch Tuesday will fall with Windows Vista? How about with older operating systems and products?

Toulouse: My viewpoint on update Tuesday is it’s impossible to predict the peaks and valleys of the operating systems that are out today. But one of the goals we have with each successive product that we make is that we learn the lesson and implement the new functionality and new security so that over time, you see a reduction not just in the number of vulnerabilities, but their impact on the customer. So I would expect that with Windows Vista, that will be lower. You know that you can’t get the code perfect.

IDG: Will we know more about vulnerabilities found in Vista when the penetration testers who tested it a few months ago are no longer under nondisclosure agreements?

Toulouse: When we went to Black Hat in Las Vegas, we brought the product [Vista] with us and we handed out 3,000 copies. We were out of DVDs before the end of the conference. They take the code and have fun. It was prerelease version in July. They were free to bash on it. From our perspective, the security researcher input was unprecedented. They’re the experts. We didn’t have a lot of people come back and say, “I found a vulnerability.”

IDG: A security vendor, Secunia, recently claimed there was a vulnerability in Internet Explorer 7. Microsoft countered that the software is intended to work that way, even though it could be maliciously exploited. What’s your take?

Toulouse: I think a lot of people confuse an attack vector with a product that has vulnerability. There’s a challenge on what is a vector and what is the vulnerability, and that’s just a matter of opinion in a way. To the extent that people talk about unsafe features being a vulnerability, what do you do when you adhere to a specification and that specification turns out to be unsafe? They have their opinion on it, we have our opinion on it. We certainly respect the guys over at Secunia. It doesn’t mean that we won’t go back and take a look at that. There are times when we will look at functionality when it gets co-opted by attackers and we’ll make a modification. That’s always on the table.

IDG: Microsoft has made some changes to its security teams. The security technology unit (STU) is now part of the trustworthy computing (TWC) team? How is that going to change Microsoft’s tact on security?

Toulouse: Everything is still a little bit up in the air because as reorganizations go, the complexity often is what drives the time. But the current situation is such that the STU and TWC groups, which have mutually complementary goals for driving secure code, will merge. What does that get called in the end? I don’t think that’s been decided yet. Function-wise and role-wise, I think you are going to see the exact same thing. We committed to this as a company. We’ve got to have this group that sits away from everybody and provides security expertise and review. That’s critical to ingraining security as a culture.

IDG: How would you describe the relationship between Microsoft and the independent vulnerability hunters?

Toulouse: It depends. The security researcher community is incredibly diverse. All of them have different viewpoints, different philosophies. Our relationships with security researchers are probably better than they ever have been. We’re certainly seeing more security researchers working with us, but we’re also seeing researchers who go public [with vulnerabilities before informing Microsoft]. When we actually sit down with these guys and ask, “Why do you go public?” the answer surprised us. They said, “To protect customers.” Now unfortunately from our perspective is that the attacker can take it and go use it. We engage in a dialog with [security researchers]. We may disagree on method from time to time.

-Jeremy Kirk, IDG News Service (London Bureau)

Related Links:

• Second IE 7 Flaw Discovered, Secunia Says

This article is posted on our Microsoft Informer page. For more news on the Redmond, Wash.-based powerhouse, keep checking in.

Check out our CIO News Alerts and Tech Informer pages for more updated news coverage.