Has Microsoft gotten better at security or just less relevant?

Deb Shinder noticed a change in attitude at the 2011 versions of BlackHat and Defcon 19 when it comes to Microsoft. She explains in this week's Microsoft InSights Blog post.

This week, I'm writing this column from a Las Vegas hotel room. I'm here to attend BlackHat 2011 and Defcon 19, the annual conferences to which hundreds of people flock each year to learn more about all things hackable. Both were originally founded in the 1990s by Jeff Moss.

Defcon has retained much of its original "leet hax0rs," anything-goes atmosphere (although it's now attended by plenty of law enforcement personnel and well-known security researchers along with the underground contingent).

BlackHat has morphed into a big business, attracting speakers from government agencies and major universities, charging premium rates for admission and holding additional conferences all over the world.

2011 focus

In years past, there was always a big focus at BlackHat on hacking Microsoft Windows. Presenters delighted in demonstrating the latest and greatest exploits that could bring the mighty Microsoft to its knees. Talk after talk, we'd hear about all the reasons Redmond's progeny provided hackers, crackers, and attackers with low-hanging fruit so easy to pick that it was almost no challenge at all. But I've begun to notice a gradual but significant change.

This year's schedule includes some of the same:

  • Easy and Quick Vulnerability Hunting in Windows
  • Windows Hooks of Death: Kernel Attacks through User-Mode Callbacks
  • Microsoft Vista: NDA-less The Good, the Bad, and the Ugly

But it's interesting to note that so many of this year's presentations deal with other technologies:

  • War Texting: Identifying and Interacting with Devices on the Telephone Network
  • Killing the Myth of Cisco IOS Diversity: Towards Reliable, Large-Scale Exploitation of Cisco IOS
  • Hacking Google Chrome OS
  • Overcoming (Apple) iOS Data Protection to Re-enable iPhone Forensics
  • Apple iOS Security Evaluation
  • Hacking Androids for Profit
  • Exploiting the iOS Kernel

This shift in focus brings up a couple of different possibilities. It could be that Microsoft is getting better at security, resulting in fewer serious vulnerabilities for researchers to find and discuss. Or it could be that nobody cares about the Microsoft vulnerabilities so much anymore, because they see Windows as irrelevant in the so-called "post PC world."

Defenders of Microsoft's honor have long argued that one big reason so many viruses and attacks are discovered for Windows -- as opposed to Mac OS X or Linux -- is because attackers naturally prefer to target the OS that has the greatest market share, so as to get more bang for their buck. It was a form of security through obscurity, rather than proof that the other operating systems were inherently more secure. The corollary to that is that if the other operating systems grew popular, they would become more attractive targets and attackers would start to exploit them more. Is that what's happening now?

Maybe it's a little bit of both. It would be hard for anyone to deny that the newer versions of Windows are more secure than their predecessors. According to Microsoft's Security Intelligence Report for 2010, malware infection rates for Windows XP systems were four to five times greater than for Windows 7 machines. Windows Vista still had double the infection rate of Windows 7. It's obvious that each version of Windows has gotten progressively more secure.

Microsoft efforts

Microsoft has made a concerted effort over the past several years to address security concerns about its products. Its Trustworthy Computing Initiative was detailed in a whitepaper written by Craig Mundie in 2002 and laid out principles for making Windows computing more trustworthy based on the four pillars of security, privacy, reliability, and business integrity. The company has also made efforts to instill in developers the SD3 concept of a security development lifecycle that incorporates these mandates: Secure by Design, Secure by Default, and Secure in Deployment.

Both Vista and Windows 7 include a number of security technologies that earlier versions of Windows lack, including User Account Control (UAC), Address Space Layout Randomization (ASLR), full support for the NX (No Execute) feature of modern processors, mandatory integrity control to enforce application isolation, isolation of system services from interactive login sessions, and more.

Despite earlier public criticisms of Windows' lack of security, the efforts to make it more secure haven't always been met with open arms by computer users. Many complained bitterly about the User Account Control (UAC) feature in Windows Vista and its "in your face" security. Likewise, many administrators were unhappy about the locked-down-by-default nature of Internet Explorer in Windows Server.

Because "more security" often goes hand-in-hand with "less convenience," added security measures are sure to annoy those who don't like the extra effort it requires to access the resources they want, and some just turn the security features off, defeating the whole purpose (and making Windows less secure). However, when used as intended, these features significantly increase the security of Windows systems.

Something else I noticed regarding the BlackHat schedule is that Microsoft is represented there, with presentations being given by Microsoft employees Mark Russinovich and Katie Moussouris. A perusal of the list of speakers doesn't turn up anyone from Google or Apple. Of course, Apple tends to avoid tech events that aren't devoted exclusively to their own products (for example, CES), but one might expect Google representatives to be there (there is a former Google employee on the list). Does this mean those companies are less serious about participating in the security community?

My Take

I think it's encouraging that Microsoft is willing to send employees to speak in a venue such as BlackHat, in which many of the participants have traditionally been hostile to or at least skeptical of Microsoft's products. While other technologies are becoming increasingly important in home and business computing and thus are now rightly coming under more scrutiny on the security front, the security issues of Microsoft, with its still-large market share, are far from irrelevant. They say actions speak more loudly than words, and both Microsoft's words and actions over the past several years indicate that they are serious about getting security right. Whether or not they actually have accomplished that is another matter -- one to be saved for another edition of this column.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

27 comments
cmrpm

I agree with both @jazzy5 and @8string. There are simply more attractive targets available these days, especially mobile devices, where getting a product to market may have trumped security concerns. Microsoft has made good strides in security but will remain a big target because of their market share globally. If hackers spent nearly as much time trying to exploit Red Hat or a Mac, we might just as easily place their names alongside Microsoft. It doesn't matter how hard you try to secure something (data, house, car, etc.); if a thief wants it bad enough, they will find a way to get it. Microsoft's security has improved because they've worked at it, and they are also less relevant because there are now other more attractive targets to go after.

Chris Rich, Product Manager, NetWrix Corporation. NetWrix is #1 for Change Auditing: Simple, Lightweight, Affordable

seanferd

I remember he was supposed to have a presentation on Windows kernel vulnerabilities, the sort for which MS issued thirteen patches last Patch Tuesday. (Win32 GUI user-mode callbacks flaws.) Never mind, he must have already presented. It's the 5th today. (Duh.)

jazzy5

I believe Microsoft has gotten better at security, that it has come to a point where it is not easy or profitable to hack it anymore. BlackHat does not talk about old hacks because they're not there anymore. All have been patched. New ones are very hard to figure out and are being patched faster than before. But I do have to admit that there are other rich targets. BTW, Apple does not have a 10% market share. It only has 5.36%. Linux is said to only have 1%, but I am not sure of that. It's been said for many years to have only 1%; I was hoping they were at the 5% level by now. The remaining 5% is smartphone OSes. Pick your choice and divide it. This is the more promising. There are more phones out there, and they have all the features needed to be an easy target. On the server market, I see Microsoft growing more in this market than any other one.

8string

The pool is bigger. Smartphones, Apple gaining 10% market share of a growing pie, all point to many more targets that are wide open for attack, as opposed to MS's increasingly secure platform. I understand that there are still numerous vulnerabilities in Windows, SQL etc., but the naive behavior of Apple users, and frankly smartphones, point to a wild west ability to find and exploit stuff that people are not even admitting could be a problem, at least to themselves. I have given up trying to explain to Apple users (I am one at times) that trojans are much more likely to be at work than what they perceive to be 'viruses' of the kiddie script that attacked Windows in the early part of the last decade.

dan.wildcat

I don't really think Microsoft is less relevant although Apple has gained more notice as well as Linux. That may just be the ground-swell of users that are tired of Microsoft and are out looking to see if there is anything better out there. That's an arguable point in both directions. I would think, though, that the proliferation of mobile devices in recent years would cause hackers to shift their focus a bit. It is juicier fruit with less security. More focus from the security community would be beneficial to showing the need for more security in that area. So maybe it's not so much a relevancy issue for Microsoft than simply a mass proliferation of new devices with new operating systems waiting for exploitation.

Joe_Wulf

As for relevance... Enterprise-class operating systems (i.e. Red Hat Enterprise Linux) have continued to gain ground, improve their quality and drive the server side of major enterprises. Micro$loth hasn't had the understanding of the quality, strength and integrity an OS requires to live in that world. From the security perspective.... a significant key method to determine how 'more' secure any of Micro$loth's OSes are is to watch their update service and the "Add/Remove Programs" list of what is installed. When the preponderance of 'updates', for three straight years, that come out in Micro$loth Updates are feature improvements versus 'security patch' upon 'security patch'... THEN one can accurately assess that Micro$loth has begun to get the clue about how to code a secure OS.

oldbaritone

How about the exact opposite? Maybe BlackHat has decided that there are so many well-known vulnerabilities in Windows that it wouldn't be worth the price just to see exploits of the same vulnerabilities discussed last year - or even earlier. There are new markets where MS is not yet a major player, and the list you mention looks like BlackHat is keeping pace with technology and staying on the leading edge.

Rndmacts

With Vista, Microsoft took a different tack with hackers and security companies, actively inviting them to find holes and weaknesses while the software was in Beta. During this phase Microsoft uncovered weak code and worked to fix it before the final release of the software, and don't they still have a bounty system in place for hackers who discover exploits to the OS? Following their logic, then, I imagine that Win 8 when released will be even more secure than Win 7. They have also pursued a new tack in going after hackers that do go rogue by cooperating with law enforcement to make sure these miscreants are charged and held accountable for the damage they do. This new environment of working with and rewarding these hackers who might be now considered part of Microsoft's security directions in protecting their customers. Then you have Apple primarily and Google both claiming they can't be hacked like Microsoft, and now that they have enough market penetration with their smartphone products, they have both painted a big bullseye on their various OSes and offered a challenge to hackers to disrupt their software. I mean, think of the fun when an exploit of Apple is done and exposed and then listen while Apple denies, denies, denies until a secret fix is issued and still denies that their OS needs Anti-Virus software. Apple more or less challenges all levels of the security establishment to prove them wrong. This is the new reality: Microsoft has become proactive in finding exploitable code while Apple and to some extent Google deny the possibility of it happening. Also, for the majority of Microsoft users, persons who don't understand security, Microsoft has made moves to protect them, and the majority don't turn off the UAC, and if a user doesn't install AV software within 60 days then Microsoft Security Essentials is installed as part of the update process and turned on by default.
Yes, there is malware for the OS, but it is getting more difficult to dupe users into cooperating with their installation.

Jonno-the-First

As far as security goes, it seems they are playing the game of shifting software around so the nasty guys can't write viruses that work anymore. It's gotten ridiculous! As soon as the accounting software guys and taxation department shift to Linux, I'm in there with them...

Tony Hopkinson

There are new and more interesting things to talk about, and to get paid for talking about.

seanferd

Who is going to bother demonstrating old exploits, regardless that they were never patched? We'd have to look at the data which shows what has yet to be fixed via patches or new Windows releases to know this. Less spectacular vulnerabilities probably won't make it into the fairly limited schedule, either. So a statistical look at the CVE DB and whatever Microsoft reports itself would probably be more informative. Certainly other, newer operating systems and software which are gaining popularity are going to start overshadowing Microsoft's contributions to insecurity. There are so many, and they do demand attention. OK, more than a third reason in there. (I wasn't expecting some sort of Spanish Inquisition. :P ) I'm sure there must be others. But bless MS if they are starting to be more secure from the bottom up, rather than using the old stapled-on armor method.

bboyd

Maybe they aren't the low hanging fruit, or the new fruit is sweeter and just as easy to pick. I think some improvement has been made. One feature of the improvement is less use of IE as a browser among the wider population. /smirk Really the situation is more diverse and complex than a simple question and yes or no.

Mark W. Kaelin

Did you attend this year's conventions? Do you agree there is a shift in attitude and focus taking place in the security community with regard to Microsoft? Why is there a shift -- better security or less relevance?

charleswdavis6670

Please define "ground swell" in actual percentages or numbers.

Tony Hopkinson

Your use of the pejorative means they'll be viewed with total disdain anyway... These guys are or were addressing problems with out-of-the-box default installs, essentially for home appliance users, not uber geeks building production quality web servers.... Sort yourself out.

gavin142

"Micro$loth hasn't had the understanding of the quality, strength and integrity an OS requires to live in that world." If they DIDN'T have an understanding of these things you've outlined, they would NOT control the huge portion of the server market that they do. Personally, I find the fact that they publicly admit to the security updates and publish them regularly as they do to be much more reassuring than the "stealth patches" that Jobs & crew publish rather than admit that they're not perfect. I hate to tell Jobs this, but the last perfect man died 2000 years ago, and he ain't fooling anyone.

Neon Samurai

Counting patches doesn't really tell you anything other than that software is still being actively developed, provided patches keep becoming available. What is more interesting is the patch times: how long from the report of a bug to the release of a patch. How responsive is the company when security issues are discovered? What you actually want is to see a steady flow of those security patches, indicating active ongoing development of the OS. If all you see is feature addition patches, you have to start wondering how many unpatched bugs remain in the software (and that's for any software, not just Microsoft's work). (Side note: the intentional misspelling of Microsoft doesn't really improve your comment.)

rfolden

2011: Year of the GNU/Linux Desktop!

Tony Hopkinson

be from where I've been sat. : ( Even those who have it on run as with admin rights anyway, and default to just hitting return. That doesn't even count how much software is still out there that fails badly when UAC is still on. I welcomed Vista because of UAC (a lot better than nothing). Will Win 8 be more secure? Well, we'll see, given one of the things they were going to do in 7 was allow an installer to turn off parts of UAC, including the thing itself, which was outright stupid given the first line of defense is the user not deciding they did want to see Ms Spears naked....

rfolden

After all 2011 is "The year of the GNU/Linux Desktop!"

Tony Hopkinson

Gartner et al. say mobile and cloud are the big thing; various governments (states as well, I seem to remember) went to Linux. If the boys at DefCon ignored them, nobody "important" would bother going.... Numbers are irrelevant, not to mention open to radically different interpretations...

Tony Hopkinson

A lot of the Windows server market is "we use Windows desktops, and we've always used Windows, so let's keep it simple and keep using it." Even MS had to do some serious chopping to build an OS for the cloud, and they don't use it for their high volume stuff like Hotmail. The Windows server market includes SBS, for instance, which is the default pre-install sell on the high street for those who come in and say "I want a computer to run my business on".... PS: as far as I'm aware Steve Jobs is Apple, not Red Hat.... You need to sort yourself out as well.

Tony Hopkinson

Cease encouraging each other; it's boring as well as irritating.

Tony Hopkinson

The only apples I have anything to do with are those that make up a nice cold cider. I neither know nor care whether his points about Mr Jobs were correct or otherwise; what they were was totally irrelevant, which is why the post was dismissed. "MS are great because (insert attack on some other bloke here)" is a totally unconvincing argument. Try again...

powerman2012

Really? States the facts about Steve Jobs and you immediately dismiss the content of his post? Yeah, you DO need to sort yourself out. Get a grip on reality. Stop reading the 'pro' Apple blogs.

Tony Hopkinson

I noticed he mentioned MS and Red Hat. I noticed Apple never featured in his post. I noticed an anti-Jobs tirade in yours. I now notice that your response to his post can't have been.... It's alright having strong views about an OS, but if you want the good points you want to make to be noticed, embedding them in completely irrelevant ones isn't a good way to go.

gavin142

If you'll actually read the comment, you might notice I was specifically responding to his commentary about MS. Before commenting on whether or not someone needs "sorting out," you might want to read a bit more closely.