Con: Trust, but verify, Microsoft's pledge

By Bruce Schneier
CNET News.com
January 18, 2002

Microsoft Chairman Bill Gates should be given credit for making security and privacy a top priority for his legions of engineers, but we'll have to wait to see if his call represents a real change or just another marketing maneuver.

Microsoft has made so many empty claims about its security processes--and the security of its products--that when I hear another one, I can't help believing it's more of the same flim-flam.

Anyone remember last November when Microsoft's Jim Allchin, group vice president, said in a published interview that all buffer overflows were eliminated in Windows XP? Or that the new operating system installed in a minimalist way, with features turned off by default? Not only was the Universal Plug and Play (UPnP) vulnerability found last month in an unneeded feature that was enabled by default, it also was a buffer overflow.

Anyone remember Scott Culp, manager of Microsoft's Security Response Center, complaining about how people caused "information anarchy" by releasing details about Microsoft security vulnerabilities and touting how fast Microsoft was at patching problems? There's a vulnerability in IE that Microsoft is busy ignoring.

Or how about when Culp said that the UPnP vulnerability was "the first network-based, remote compromise" in Windows, conveniently ignoring Code Red, Nimda, and the dozens of others that came before?

So let's hope that the Gates memo is more than a headline grab and represents a sea change within Microsoft. If that's the case, I applaud the company's decision. It's a difficult one. Putting security ahead of features is not easy.

Microsoft is going to have to say things like: "We're going to put the entire .Net initiative on hold, probably for years, while we work the security problems out." They're going to have to stop all development on operating system features while they go through their existing code, line by line, fixing vulnerabilities, eliminating insecure functionality and adding security features.

Security works best when it's designed into the system from the beginning, so a lot of what they've already done is going to have to be rewritten.

Microsoft has built a monopoly business by throwing features into their products and dealing with the problems later. It's what they do naturally. It's what all software developers do naturally. Some pretty strong leadership is required to reverse this mentality. The company will have to delay release schedules, pare down functionality and potentially lose short-term market share.

And they're going to have to reverse their mentality of treating security problems as public-relations problems. I'd like to see honesty from Microsoft about their security problems. No more pretending that problems aren't real if they're not accompanied by exploit code, and attacking the security researcher if they are. No more pretending security problems aren't caused by bad code in the first place. No more claiming that XP is the most secure operating system ever, simply because it's the one they want to sell.

While we congratulate Microsoft for this change, let's not forget the two forces that led them to this decision. Don't think it's some magnanimous gesture for the Internet; Microsoft is too smart to spend all those resources out of the goodness of its heart.

Give the credit to the full-disclosure movement, which has repeatedly shown that Microsoft's security is far worse than it claims. Analyst firms such as Gartner have recommended that enterprises switch from Microsoft IIS and delay installing Windows XP because of security concerns. It's the full-disclosure movement that has allowed Gartner, and everyone else, to accurately assess the risks of Microsoft software.

Microsoft knows that it doesn't have a future unless it can convince the public that Windows XP and .Net are secure, safe and trustworthy. Keeping vulnerabilities secret will only reduce the pressure on Microsoft, allowing them to revert to pretending that they're secure when they're really not.

Also give credit to the increasingly loud calls for software liability. More experts, industry groups and advisory panels are supporting the notion that software be held to the same liability rules as any other consumer product. It makes no sense that a tire maker can be liable for a systemic flaw while Microsoft can produce an operating system with a new systemic flaw discovered every week and not be held liable. I think Gates sees this liability juggernaut on the horizon and is doing his best to dodge it.

Security is a process, not a product. It's an endless, arduous, thankless process. After all, few people notice when something works well.

While I have no illusions that Microsoft can make its products secure with a press announcement and a month of developer training, it is a start. The technical difficulties are immense--there are some things Microsoft needs to do that are beyond the abilities of current science--but Microsoft has the resources to tackle them.

It must, because Microsoft's monopoly software position significantly affects the security of the Internet. During the decade in which they ignored security, the security of the Internet steadily worsened. At least if they're headed in the direction of trustworthy computing, they're likely to get closer.
