Businesses are under attack, says MS security head

LONDON -- Businesses worldwide face increasing threats from cyber criminals attempting extortion and fraud because the software running their systems makes them vulnerable, Microsoft Corp.'s top security architect told attendees at the e-Crime Congress in London Tuesday.

Even while still walking to the podium, Security Architect and Chief Technology Officer of Microsoft's Security Business Unit David Aucsmith readily admitted that he is considered a "target" for complaints against his company's software, but he also stressed that many of the current security issues could not have been foreseen.

Windows 95 was written without a single security feature, he said, as it was designed to be totally open to let users connect to other systems. Furthermore, the security kernel of the Windows NT server software was written before the Internet, and the Windows Server 2003 software was written before buffer overflows became a frequent target of recent attacks, he said.

"Almost all the attacks on our software are legacy attacks and the points of the system that can talk to older versions of our software," Aucsmith said. "If you want more secure software, upgrade," he added.

While this advice might seem like cold comfort to users, Aucsmith couched the current security threats as a consequence of the changing software industry, and more sophisticated cyber criminals, than of particular neglect by vendors.

Aucsmith said that Microsoft is working diligently to address security issues, by working closely with law enforcement authorities and changing its patching procedures, for example, and that much of the threat comes from criminals who are making a career from high-tech crimes such as hacking, extortion and fraud.

"We are under attack," increasingly from criminals seeking personal gain, he said.

"Since the Sobig virus hit in October of last year, we have yet to see a virus or variant without an element of financial gain," he said, such as bugs that seek users credit card information.

What's more, cyber criminals are becoming increasingly efficient at reverse-engineering software patches to discover and then exploit vulnerabilities, he said.

The time between the release of a patch and the creation of an exploit has dwindled dramatically. The Nimda virus, which was discovered in September of 2001, surfaced 331 days after a patch was released, while the latest exploit of a Windows component called the ASN.1 Library was created within three days of the patch being released, Aucsmith said.

Hackers have the advantage of not having to test their exploits, which allows them to move faster than vendors who must perform rigorous testing to ensure that their patches don't break users' systems, he said.

Still, Aucsmith said that despite the flood of attacks against Microsoft's software only once has it suffered a so-called "zero-day" attack, in which an unknown and unpatched vulnerability is exploited.

"The vast majority of attacks occur after the patch is available," he said.

However, vendors and users' headaches are being worsened by new tools created by sophisticated hackers and made available on the Internet.