An In-Depth Look Into Windows Security in 2003
by Mirko Zorz - Monday, 22 December 2003.
Despite constant negative reports on Microsoft security, in March the SANS Institute awarded Microsoft for their security efforts. Many people truly believe that Microsoft is trying to improve while others say it's all just marketing. Microsoft seems to be trying as they setup courses that teach secure coding in several universities worldwide. The questions is - are things getting better?

Skoudis said: "Steering the giant ship that is Microsoft toward more security is an arduous task. I did a back-of-the-envelope calculation a while back, and determined that Microsoft is currently supporting more than a billion lines of code across its entire product line. That's an ocean of potential problems, and it's understandable and unfortunate that it's going to take some time to secure it all. Now, don't get me wrong. I'm not a Microsoft apologist. I slam them when they deserve it. That said, we have to admit and understand the magnitude of their challenge."

"Based on my reckoning, only over the last two years has Microsoft taken security seriously. But they are trying hard now, and have considerable resources to make Good Things happen (Of course, as I typed that line, Microsoft Outlook totally flaked out, freezing inexplicably. What a piece of crap Outlook is... but I digress). By throwing some money around, they can seriously help improve security. In 2004, I expect to see patching get somewhat better (see my previous answer). I also expect to see a high-profile payment of Microsoft cash to someone who turns in a worm writer. That might put a bit of a chill on the current "write-a-worm-and-suffer-no-ill-effects" environment we face now." he added.

Arne Vidstrom said: "There are many vulnerabilities in Microsoft software, and some people think that the only reason is that Microsoft completely sucks. Most, but not all, persons I have met who have held this black or white view are not programmers themselves. Some have never written a single line of code in their whole life. Some have written some code but only very small quantities for example in school or as a hobby. Others are professional programmers but not used to writing large pieces of software. Still others are programmers who have never had their software exposed to thorough testing. All these groups of people live under the illusion that they are capable of writing almost bug free code of any size. Of course there might be some very bright people out there who really are capable of writing large amounts of almost bug free code, but they are only a very small fraction of all programmers. In fact, my personal experience is that the code produced by the average programmer is a lot buggier than the code that comes out from Redmond."

"After writing all this in the defense of Microsoft I have to admit that they could do much better than they have done so far. But even if they do their very best we will probably still see many vulnerabilities in software as complex as much modern software is. If I was to give advice to Microsoft, it would be to consider which attack vectors are the most important to protect against and strengthen the corresponding parts of the code most hard. Also I would advice them to do away with as much of the complexity as they possibly can in these parts, and to make default configurations as strict as possible. I think that the security experts at Microsoft are already completely aware of these things since a long time ago. But as many persons who have worked at a large corporation and with complex systems know, it's not as easy to fix things in a complex environment as it is in a smaller environment where one person understands and has complete influence over all parts." Vidstrom added.

A brand new OS


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Feb 8th