In the ’90s, Marc Andreessen famously joked that Netscape would reduce Windows to a set of poorly debugged device drivers. By the turn of the century, critics were instead arguing that Microsoft itself had reduced its own software to a collection of security holes.
In October 2003, Microsoft CEO Steve Ballmer threw down the gauntlet. Reiterating the company’s commitment to the Trustworthy Computing initiative launched the previous year by Chairman and Chief Software Architect Bill Gates, Ballmer pledged to continue to enhance security in Windows and other Microsoft software. He outlined a three-pronged approach that included an improved patch-deployment process, a global education program, and new technologies to make systems more resistant to attack.
“Our goal is simple: Get our customers secure and keep them secure,” Ballmer said in a statement.
But has Microsoft lived up to that challenge? One year after Ballmer made his pledge, what’s really changed?
Patching the holes
The big news, of course, is Windows XP SP2 (Service Pack 2). The long-awaited upgrade, released in August, weighed in at a whopping 266MB. Its single most salient feature -- a firewall that’s on by default, blocking all inbound connections -- means little to people already protected behind corporate DMZs, NAT routers, and personal firewalls. Even so, the SP2 firewall -- and the auto-update procedure that will roll it out to tens of millions of desktops in the coming months -- is a watershed event.
Attach an unprotected Windows PC to the Internet, and almost before you can blink, it can be recruited into one of the armies of “zombies” that wreak havoc on the Internet, launching DoS attacks and other mischief. Last month, InfoWorld reported that one such zombie network -- 10,000 PCs strong -- was discovered by a Norwegian ISP and then shut down by authorities in Singapore.
We have no way of knowing how many other zombie armies remain at large, but we do know with utter certainty that no Internet-attached PC should lack firewall protection.
Controversially, Microsoft chose not to equip the SP2 firewall with an outbound inspection feature (egress filtering) such as those found in personal firewall products from Symantec, Zone Labs, and others. This was doubtlessly a tough call. A common end-user reaction to egress filters, which prompt for user approval before granting applications access to outbound ports, is simply to approve everything or to disable the outbound filter. But omission of this feature allowed critics to say, with some justification, that Microsoft had again chosen convenience over security.
“That alone would have prevented Blaster,” says Michael Howard, senior program manager of the security business and technology unit at Microsoft and co-author of Writing Secure Code (Microsoft Press, 2002).