12 Months of Progress for the Microsoft Security Response Centre
by Stephen Toulouse - Security Program Manager of the Microsoft Security Response Centre (MSRC) - Tuesday, 25 October 2005.
As the Internet has grown in popularity, so too have threats against computer users, making it critical for individuals and companies to employ effective security strategies to protect their critical information. Microsoft created the Microsoft Security Response Centre (MSRC) to investigate, fix and learn about security vulnerabilities and to help keep customers protected from malicious attacks. The MSRC comprises individuals, teams and entire groups around Microsoft, all dedicated to analysing, developing and delivering quality security updates, tools and prescriptive guidance to help protect customers from security threats.

The last 12 months have been a particularly busy time for the MSRC, and, upon reflection, there are two activities that stand out to me. These were the releases of two major operating system service packs: Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1.

Windows XP SP2 was released in August 2004, and we are very pleased with the results so far. One of the key goals of this release was to get enhanced security features for Windows XP into the hands of consumers and enterprises, and so far more than 218 million copies have been distributed worldwide. This was an important security milestone for us. Many people put a lot of effort into this service pack, and features like the firewall being on by default and the hardening changes made to Internet Explorer are already paying off and helping customers become more secure.

Service Pack 1 for Windows Server 2003 incorporated the great features and security enhancements I mentioned above for Windows XP SP2, along with many other changes. We're particularly excited about the Security Configuration Wizard feature, which reduces the attack surface by querying users about the role their servers fill and then stopping all services and blocking ports that are not needed.

There is very significant work going on behind the scenes in the development cycle of current and all future software releases coming from Microsoft. Certain categories of software released from Microsoft now must go through the Security Development Lifecycle (SDL) process, which aims to provide customers with high quality software that is meticulously engineered and rigorously tested to help withstand malicious attack. We've published a lengthy whitepaper about this which is available here. Essentially, the SDL is a mandatory process that certain categories of Microsoft software must go through before being released publicly. It helps us make sure that the software coming from Microsoft today has the latest security engineering advancements included in the code for the benefit of customers. It's a huge step forward for us to have this now as a formal process for our software. So far, we have used the SDL on Windows Server 2003, SQL Server 2000 SP3, and Microsoft Exchange Server SP3. Windows Server 2003 was the first operating system released at Microsoft that implemented large portions of the SDL, and compared to Windows 2000, it had 63 percent fewer vulnerabilities in the first year.

While these developments cover significant activity on the product development side at Microsoft as a whole, the Microsoft Security Response Centre has also made available a number of free tools and special guidance that can help customers become more secure.

