I don't really see any particular, spectacular mistake made my Microsoft in 2006 but there are some things which I don't fully agree with, like e.g. the design of Integrity Level mechanism which prevents only against writes not reads or issues regarding kernel protection or the fact that they concentrate only on prevention (like most other OS vendors) and haven't done anything to make systematic compromise detection feasible. I guess these are just different points of view and I would not call any of them a 'big mistake'.

What do you think about the full disclosure of vulnerabilities?

I'm quite neutral about this. On one hand, I think that it should be every customer's right to point out flaws in the products they buy and I really don't see why those who find bugs should be *obliged* to first report it to the vendor - i.e. why should they be forced to do a free Q&A with the vendor?

On the other hand, when we look at the quality of the advisories published these days, where most of the bugs reported are just some denial of services, I have the feeling that people are looking for cheap publicity. It's quite understandable that companies which are victims of those "audits" might feel a bit pissed off.

Naturally, from time to time we see a very interesting bug report, sometimes presenting a new class of bugs or a new method of exploitation. It's hard to overestimate the value of such reports for the security community, so if the author decided to release those information for free, I guess we all should only be grateful to the author.


What is your opinion about Microsoft Patch Tuesdays? Shouldn't there be more frequent patch releases?

I guess there should be, but I can also understand that releasing a patch is a complicated business process, because it requires lots of testing, etc. I also realize that even if we had patches released on a daily basis, that still would not be a sufficient solution, as attackers might still exploit some unknown vulnerability.


Thus, I think it's much more important that the OS itself provided various anti-exploitation technologies and also be designed to limit the damage of the potential successful exploitation (least privilege design, strict privilege separations, etc). And it's clear that Microsoft is going this way, although there's still room for improvement in this area.

What is the most interesting fact you've become aware of while researching for your recent papers?

It's hard to point to just one fact. Usually the most amazing thing is that something you though of before (e.g. some attack) actually does work after you implemented the proof-of-concept code. That's always very amazing for me.

What's your take on the open source vs. closed source security debate?

I don't like when people say that something is secure just because it's open source and inherently insecure, just because it's a commercial, closed source product.

Although it should be admitted that a lot of security technologies have been introduced in the open source systems for the first time, like e.g. ASLR which has been invented by PaX about 6 years ago.

What are your future plans? Any exciting new projects?