Managing Expectations on Trustworthy Computing
- By Scott Bekker
- February 10, 2003
The history of the Microsoft Trustworthy Computing initiative so far is bracketed by self-propogating worms that each were built on previously patched Microsoft vulnerabilities and each caused more than $1 billion in damages.
Mayhem caused by the July 2001 Code Red worm provided incentive for Microsoft to get serious about an internal initiative to regain the industry's trust. Chairman and chief software architect Bill Gates moved that Trustworthy Computing initiative to the front burner with his famous Jan. 15, 2002, e-mail to Microsoft employees and subcontractors. "Trustworthy Computing is the highest priority for all the work we are doing," Gates wrote in his Trustworthy Computing e-mail.
One year and $200 million into the initiative, just as Microsoft was patting itself on the back for its Trustworthy Computing-related efforts, another worm hit another Microsoft product. SQL Slammer attacked Microsoft SQL Server 2000 and MSDE 2000 late last month, clogging networks with messages and causing thousands of systems to fail.
It is tempting to call the SQL Slammer worm a test of the Trustworthy Computing effort and to slap Microsoft with a failing grade. But a more serious look at Trustworthy Computing through the lens of this worm shows both the strengths and the weaknesses of the program.
In some ways, SQL Slammer simply demonstrates -- in the same way that Code Red and Nimda did -- that Trustworthy Computing is a completely necessary transformation for Microsoft to undergo.
Three pillars of Trustworthy Computing are that products be secure in design, by default and in deployment. The SQL Slammer worm highlights why all three of those are important.
Design flaws in SQL Server 2000's coding allowed for the flaw exploited by the SQL Slammer or Sapphire worm. Microsoft efforts to educate the developers who are writing Yukon and other future Microsoft products in designing secure products should help reduce the number of code flaws in those products.
Prior to the Windows Server 2003 development cycle, Microsoft made no effort to lock down even its enterprise products out of the box. This laissez faire attitude toward default installations contributed to the SQL Slammer problem where users left Port 1434 exposed to the Internet. It is yet another example of why Trustworthy Computing and related efforts under the Strategic Technology Protection Program to lock down systems by default are critical for Microsoft and a definite move in the right direction. Microsoft recently detailed a raft of new security features in Windows Server 2003 that will make the product far more secure by default than Windows 2000.
SQL Slammer showed also how too many systems are insecure in deployment. A patch for the flaw exploited by SQL Slammer was available for six months, yet an estimated 75,000 systems were infected anyway. To be clear, it's not Microsoft's fault that users didn't apply a six-month-old patch that Microsoft had labeled "critical." But it's part of an overall problem that Microsoft knows it must solve. If users don't apply voluntary patches, Microsoft must find a new model. The company is making first steps toward a new model with the Windows Update Service, Software Update Server and elements of Systems Management Server.
IDC analyst Al Gillen says Microsoft seems to be very serious about security in its future products, and remarks on one other thing about Microsoft vulnerabilities.
"Don't forget that a lot of the vulnerabilities that Windows 2000 has had have been driven by the applications, not by the OS. They involve compromising one of the Microsoft server applications that run on top of the OS. That must tell you something right there, the base OS is not the vulnerability that it used to be," Gillen says.
Slammer may have signalled a new Microsoft responsiveness, according to one former high-ranking employee in Microsoft's security infrastructure. Eric Schultze, director of research and development at Shavlik, is the former program manager for the Microsoft Security Response Center and a senior technologist in the Trustworthy Computing team.
"In one perspective, the Microsoft Trustworthy Computing emphasis is really shining through in that Microsoft mobilized [the] weekend [that Slammer emerged]," Schultze says. Microsoft created an installer patch to simplify some tricky installation routines in the recommended patch, Schultze notes. Later in the week, Microsoft created several new Slammer scanning and SQL security tools for users. "If that entire Trustworthy Computing initiative hadn't come together a year ago, I don't know that we would have seen [such a thorough response over a weekend]. There's a new attitude at Microsoft now with Trustworthy Computing. Issues that may have been less important in the past are now at the top of the list," Schultze says.
At the same time, SQL Slammer emphasizes how the emphasis of Trustworthy Computing initiative is primarily on future Microsoft releases. A lot of the near future security problems with Microsoft's products will exploit its current and legacy product set.
Gates outlined that move-forward emphasis in his original Trustworthy Computing e-mail. "It is only in the context of the basic redesign we have done around .NET that we can achieve [a Trustworthy Computing platform]," Gates wrote. "So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box"
Longtime Microsoft watcher Russ Cooper, editor of Tru-Secure Corp.’s Windows NT Bugtraq Mailing List, suggests that while Microsoft seems very serious about security, the company may be using security itself as a feature to drive users to future versions of the product. “They have to figure out how to re-teach the people who’ve been thinking in a very marketing-oriented fashion to not think that way, and still appease their shareholders.
In the meantime, there's a lot of Microsoft software out there that customers won't be upgrading for several years. Need evidence? Look at Microsoft's recent decision to extend Windows NT 4.0 Server support for a year. Windows 2000 Server and SQL Server 2000 will be supported through 2007. Even SQL Server 7.0 is supported into 2006. The main emphasis of the Trustworthy Computing initiative is on securing new products.
Even Windows Server 2003 is not a true Trustworthy Computing operating system. The two-month development standdown and code review happened two years into the development cycle. Developers were reviewing code that was written before security became a top priority at the company. Not until the Blackcomb version of Windows server is released will there be a Microsoft server operating system truly architected from the ground up with security as the top priority.
In a vacuum, the $200 million spent on Trustworthy Computing so far sounds like a lot of money. It is a lot money. For a little perspective, though, the number is about 4 percent of the $5 billion or so that Microsoft spends on research and development.
Trustworthy Computing is a major initiative, and one that Microsoft is extremely serious about, but it is not a panacea. The evolution of threats mean that Microsoft will spend more, not less, on Trustworthy Computing over time. And the program will always be a work in progress.
Using Microsoft's own definition of the Trustworthy Computing initiative, SQL Slammer has very little bearing on the initiative. It's a worm that exploits the problems in Microsoft's pre-Trustworthy Computing code, another example of why Trustworthy Computing is important. But the worm suggests that Microsoft may need to define Trustworthy Computing a little more broadly -- less as a feature improvement for next generation proucts and more of a two-way effort reaching back to better automated patching of legacy products that will be around for the next five years.