Microsoft's Attack Surface Analyzer sheds light on software vulnerabilities

New tool helps developers identify potential weak points in products and lets admins quantify a program's effect on PC security

While nobody would claim that Microsoft's just-released Attack Surface Analyzer can make your systems secure, it does provide some interesting insight into PC behavioral changes instigated by newly installed programs.

Based on a suitably academic, eight-year-old Carnegie Mellon research paper called Measuring Relative Attack Surfaces, ASA conducts before-and-after analyses of software. You take a baseline scan with the tool, install a program or activate some specific program feature, and scan again. ASA then reports the difference: the newly exposed places that can be attacked, the so-called relative attack surface.
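The before-and-after method is simple enough to reproduce by hand, and doing so shows what a relative attack surface delta actually contains. The PowerShell below is an added example written for this page, not ASA's code or anything from Microsoft's SDL tool set: it snapshots three of the categories the announcement lists (services, autostart Run keys and listening TCP ports) as one line per item, and diffs two snapshots. It assumes PowerShell 3 or later (for Get-CimInstance), that netstat.exe is on the path, and an elevated prompt so the service and process details are complete.

```powershell
# Added example, not ASA's code: the before/after method in miniature.
# Assumes PowerShell 3+ and an elevated prompt. On PowerShell 2 replace
# Get-CimInstance with Get-WmiObject.

function Get-SurfaceSnapshot {
    # Services: name, start mode, account, and the binary path that gets executed.
    $services = Get-CimInstance Win32_Service | ForEach-Object {
        'svc|{0}|{1}|{2}|{3}' -f $_.Name, $_.StartMode, $_.StartName, $_.PathName
    }

    # Autostart entries in the usual Run keys (machine, 32-bit-on-64, and user).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $autoruns = foreach ($k in $runKeys) {
        if (Test-Path -LiteralPath $k) {
            $props = Get-ItemProperty -LiteralPath $k
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PS* metadata properties that Get-ItemProperty adds.
                if ($p.Name -notmatch '^PS') { 'run|{0}|{1}|{2}' -f $k, $p.Name, $p.Value }
            }
        }
    }

    # Listening TCP sockets. netstat -ano prints lines such as:
    #   TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    884
    $ports = netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
            $proc = (Get-Process -Id ([int]$Matches[3]) -ErrorAction SilentlyContinue).ProcessName
            'port|{0}|{1}|{2}' -f $Matches[1], $Matches[2], $proc
        }
    }

    @($services) + @($autoruns) + @($ports) | Sort-Object -Unique
}

function Compare-SurfaceSnapshot {
    param(
        [Parameter(Mandatory)][string[]]$Before,
        [Parameter(Mandatory)][string[]]$After
    )
    # Anything only in $After is new attack surface; anything only in $Before went away.
    Compare-Object -ReferenceObject $Before -DifferenceObject $After | ForEach-Object {
        $change = if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' }
        [pscustomobject]@{ Change = $change; Item = $_.InputObject }
    }
}

# Usage (the install step in between is whatever product you are evaluating):
#   Get-SurfaceSnapshot | Set-Content before.txt
#   ... install the product, or turn on the feature under test ...
#   Get-SurfaceSnapshot | Set-Content after.txt
#   Compare-SurfaceSnapshot -Before (Get-Content before.txt) -After (Get-Content after.txt) |
#       Format-Table -AutoSize
```

Each snapshot line is a stable string key, so the diff is a plain set comparison rather than a structural one; that is deliberate, because it keeps the "what changed" question separate from the "is that change weak" question, which is what ASA's per-item checks answer.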

The announcement blog says:

Some of the checks performed by the tool include analysis of changed or newly added files, registry keys, services, ActiveX Controls, listening ports, access control lists and other parameters that affect a computer's attack surface.

That's the kind of information you can expect.

Microsoft is letting the beta version of ASA out the door in conjunction with its work at the Black Hat conference in Virginia. ASA is destined to become part of the official Microsoft Security Development Lifecycle tool set. Microsoft uses ASA internally; the company is making it available to a wider audience to help developers identify potential weak points in their products, and to let corporate admins take a detailed look at any product being considered for rollout throughout an organization. Microsoft is also soliciting bug reports and suggestions.

I decided to take ASA for a spin. I ran an ASA baseline on a moderately loaded 64-bit Windows 7 system, then installed Microsoft's Bing Toolbar. The results were a bit disconcerting.

The Bing Toolbar installs a bunch of additional cra -- uh, companion software, including a service known as SeaPort.exe. Brian Nelson has an excellent description of SeaPort in his Brighthub blog. In short, it's a nearly undocumented service tied to Windows Live (and thus Bing Toolbar) that runs automatically every time you start Windows, keeps track of your search history, and periodically phones home to Mother Microsoft. It's part of the Search Enhancement Pack installed with the Bing Toolbar, and ASA doesn't like it one little bit.

Here's what the ASA report told me. If I counted correctly, ASA throws up (I use the phrase intentionally) 61 different warnings about a weak Access Control List on the Search Enhancement Pack folder, which "allows tampering by NT TrustedInstaller."

Similarly, ASA says that there are six new weak ACLs on Bing Bar folders, nine weak ACLs on MSN Toolbar folders, and seven weak ACLs on the Bing Rewards Client folder that "allows tampering by \Everyone." ASA also tells me "Service SeaPort vulnerable to tampering" and that the new DCOM object "(SeaPort) may be vulnerable to unauthorized access by \Everyone."
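Of the two classes of ACL finding above, the \Everyone ones are the ones to act on: NT SERVICE\TrustedInstaller is the Windows servicing identity and already holds write access across the system, so a folder it can modify is far less interesting than a program folder or service that any local user can modify. The PowerShell below is an added example, not ASA's code or the article's own, that reproduces those two checks directly: it flags folder ACEs granting write-class rights to Everyone, Authenticated Users, Users or INTERACTIVE, and parses the service security descriptor that sc.exe sdshow prints in SDDL form to flag the same principals holding change-config, delete, or write-DAC/owner rights (enough to repoint a service at another binary). The folder paths are placeholders for the directories ASA reported on the test box; the service name SeaPort is the one the article names. It assumes PowerShell 3 or later and an elevated prompt.

```powershell
# Added example, not ASA's code: check folder ACLs and a service DACL for
# write access by unprivileged principals. Assumes PowerShell 3+, elevated.

# Principals that amount to "any local user".
$WeakSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545', # BUILTIN\Users
    'S-1-5-4'       # INTERACTIVE
)

# Filesystem rights that let a caller modify, replace or re-permission content.
$FSR = [System.Security.AccessControl.FileSystemRights]
$FileWriteMask = [int]($FSR::Write -bor $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles -bor
                       $FSR::ChangePermissions -bor $FSR::TakeOwnership)

# Service rights that allow tampering: SERVICE_CHANGE_CONFIG, DELETE, WRITE_DAC,
# WRITE_OWNER, plus GENERIC_ALL and GENERIC_WRITE in case the ACE uses generic bits.
$ServiceTamperMask = 0x0002 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-WeakFolderAce {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Missing folder: $p"; continue }
        foreach ($ace in (Get-Acl -LiteralPath $p).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }   # orphaned or unresolvable SID: not one of ours
            if ($WeakSids -notcontains $sid) { continue }
            # Generic rights show up as negative numbers here; treat those as suspect too.
            $rights = [int]$ace.FileSystemRights
            if ($rights -ge 0 -and ($rights -band $FileWriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Kind      = 'Folder'
                Object    = $p
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-WeakServiceAce {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe sdshow prints the descriptor as one SDDL line beginning "D:(...)".
    $lines = & sc.exe sdshow $Name 2>&1
    $sddl = $lines | Where-Object { "$_" -match '^\s*[DO]:' } | Select-Object -First 1
    if (-not $sddl) { Write-Warning "No security descriptor returned for service '$Name'"; return }
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, "$sddl".Trim())
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if ($WeakSids -notcontains $ace.SecurityIdentifier.Value) { continue }
        if (($ace.AccessMask -band $ServiceTamperMask) -eq 0) { continue }
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Kind      = 'Service'
            Object    = $Name
            Principal = $who
            Rights    = '0x{0:X}' -f $ace.AccessMask
            Inherited = $false
        }
    }
}

# Placeholder folders: substitute the Search Enhancement Pack / Bing Bar
# directories ASA reported on your own system.
$FoldersToCheck = @(
    'C:\Program Files (x86)\Microsoft\Search Enhancement Pack',
    'C:\Program Files (x86)\Microsoft\BingBar'
)
$Findings = @(Get-WeakFolderAce -Path $FoldersToCheck) + @(Get-WeakServiceAce -Name 'SeaPort')
$Findings | Format-Table -AutoSize
```

The service half is the one worth keeping around: a service that Everyone can reconfigure is a local privilege escalation waiting for someone to change its binary path, and sc.exe sdshow is available on every Windows version ASA supports, so the check works even where Get-Acl has no service provider to lean on.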

Guess somebody at Microsoft forgot to run the Attack Surface Analyzer on the Bing Toolbar.

It took me two minutes to uninstall Bing Toolbar. Unfortunately, that didn't clear out SeaPort. I had to follow Brian Nelson's instructions to manually remove it.

In short, I'm impressed. ASA doesn't try to attack a system or exploit specific weaknesses. There are no signature files. Nothing's collected and sent back to Microsoft. ASA just looks at places where programs commonly fall short, where they expose your system to attack vectors that have been used in the past. It tells you what's been changed when installing or activating a part of a program. And it leaves the conclusions to you.

ASA's now a permanent part of my bag of self-defense tricks. As for Bing Toolbar? Meh.

This article, "Microsoft's Attack Surface Analyzer sheds light on software vulnerabilities," was originally published at InfoWorld. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog, and for the latest in business technology news, follow InfoWorld on Twitter.

Copyright © 2011 IDG Communications, Inc.