January 23, 2006

Microsoft's recent Windows WMF fiasco underscores the company's Trustworthy Computing initiative is little more than a bag of hot air. From the beginning, the concept that Microsoft would take a long hard look at all its source code and hopefully eliminate all security bugs has been laughable at best. Doing that would require the complete rewrite, recompilation and full testing of all Microsoft software.

This is simply impossible for a company the size of Microsoft.

The WMF scandal became public when Microsoft was informed of a remotely exploitable flaw that could be triggered by opening a specially crafted WMF file.

Microsoft downplayed the severity of the flaw by saying it was not aware of any customers’ systems being compromised because of the flaw. Clearly this is not the same as someone saying customers systems have not been affected. Anyhow, a few days later, reports of various exploits circulating on the internet presumably caused Microsoft to U-turn on the issue and release its WMF patch.

Obviously, there is no hope of improving Windows security unless Microsoft becomes better at finding and fixing flaws than the outsiders.

The WMF flaw demonstrates that currently this is not the case. It also shows that Microsoft’s previous code reviews were largely ineffective, or else the flaw would have been spotted and cleaned long ago.

The key question is, how does Microsoft find flaws and how do its methods compare with those of other people?

Hackers often find new flaws by learning from past ones. When a flaw came to light in the way a web server handled HTTP chunked encoding, for example, these folk started looking at the ways other web servers handled HTTP chunked encoding. Sure enough, they found new flaws to exploit.

Presumably a significant number of people also looked at earlier TIF, GIF and JPEG flaws and realised it could be worthwhile to look at other similar file formats.

Another key question is how many people are employed by Microsoft, full time, to do this kind of work. Unless the number of Microsoft researchers significantly exceeds the number of hackers and outside researchers, then flaws will continue to be exploited before patches appear.

Over the last year or two I’ve asked most of Microsoft’s security experts these questions, and none has offered an answer.

Fair enough, you might say; after all, I don’t know how the various other units in IT Week’s parent company operate.

But with so much at stake, if a lot of effort was going on, I’d imagine Microsoft executives would say they didn’t know the answer but would find out and let me know. Such an offer has never been made.

Source: Vnunet

Save Internet Security.ca's URL to the list of your favorite web sites in your Web browser by clicking here.

Become an authorized reseller of Proxy Sentinel™ and Firewall Sentinel™. Do like the rest of our authorized resellers and have your clients benefit the important security features of our products and solutions, while increasing your sales at the same time. Click here for all the details.

You can link to the Internet Security web site as much as you like. Read our section on how your company can participate in our reciprocal link exchange program and increase your rankings in the major search engines such as
Google and all the others.