Risk
1/12/2012
02:21 PM
Connect Directly
RSS
E-Mail
50%
50%

Microsoft Trustworthy Computing Turns 10: What's Next

10 years after Bill Gates famously declared a security emergency within Microsoft, the stakes are much higher. 'TWC Next' will include a focus on cloud services such as Azure.

Windows 8 Upgrade Plans: Exclusive Research
Slideshow: Windows 8 Upgrade Plans: Exclusive Research
(click image for larger view and for slideshow)
Microsoft is marking the 10th anniversary of Bill Gates' game-changing security memo with a focus on new types of attacks that threaten businesses and individuals who are significantly more wired than when the company's chairman launched his now-famous Trustworthy Computing initiative.

"Today, information and communications technology (ICT) underpins every aspect of our personal and professional lives," said Microsoft chief research and strategy officer Craig Mundie, in an e-mail to employees Thursday.

"While it is indisputable that ICT has transformed for the better how we live, society still confronts some long-standing and evolving challenges," Mundie said. "We must protect the security of the electrical power grid, the global financial system, and the telecommunications system, even as determined and persistent adversaries set their sights on these and other critical infrastructures."

[ Malicious attacks accounted for 40% of disclosed breaches last year. Learn more: Hack Attacks Now Leading Cause Of Data Breaches. ]

Gates fired off his Trustworthy Computing memo to employees on Jan. 15, 2002, amid a series of high-profile attacks on Windows computers and browsers in the form of worms and viruses like Code Red and "Anna Kournikova." Code Red, which used buffer overflows to exploit a weakness in Windows Server's Internet Information Services (IIS), infected more than 300,000 PCs.

The onslaught forced Gates to declare a security emergency within Microsoft, and halt all production while the company's 8,500 software engineers sifted through millions of lines of source code to identify and fix vulnerabilities. The hiatus cost Microsoft $100 million. "If we don't do this, people simply won't be willing--or able--to take advantage of all the other great work we do," Gates said in his memo. "We must lead the industry to a whole new level of Trustworthiness in computing."

To accomplish that, Gates identified three principles that Microsoft products were to be designed around--availability, security, and privacy. In practice, that meant placing security on an equal footing with usability and speed-to-market in Microsoft's development cycles.

"Getting your product to market first and killing Netscape was how you got rich at Microsoft. After the Gates memo came out, having your product have fewer top-class bugs and security vulnerabilities and less patches became as important a criterion for measuring the product managers as making an early shipping date," said Gartner research fellow John Pescatore.

As a result, Microsoft products like Visual Studio and Windows Server gained built-in security features for guarding against vulnerabilities caused by errors like stack overflow and were hardened with architectural changes, such as library randomization and formal Secure Development Lifecycle procedures, and the company made many of its own internal safeguards available to third parties.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.