Risk
1/12/2012
02:21 PM
50%
50%

Microsoft Trustworthy Computing Turns 10: What's Next

10 years after Bill Gates famously declared a security emergency within Microsoft, the stakes are much higher. 'TWC Next' will include a focus on cloud services such as Azure.

Windows 8 Upgrade Plans: Exclusive Research
Slideshow: Windows 8 Upgrade Plans: Exclusive Research
(click image for larger view and for slideshow)
Microsoft is marking the 10th anniversary of Bill Gates' game-changing security memo with a focus on new types of attacks that threaten businesses and individuals who are significantly more wired than when the company's chairman launched his now-famous Trustworthy Computing initiative.

"Today, information and communications technology (ICT) underpins every aspect of our personal and professional lives," said Microsoft chief research and strategy officer Craig Mundie, in an e-mail to employees Thursday.

"While it is indisputable that ICT has transformed for the better how we live, society still confronts some long-standing and evolving challenges," Mundie said. "We must protect the security of the electrical power grid, the global financial system, and the telecommunications system, even as determined and persistent adversaries set their sights on these and other critical infrastructures."

[ Malicious attacks accounted for 40% of disclosed breaches last year. Learn more: Hack Attacks Now Leading Cause Of Data Breaches. ]

Gates fired off his Trustworthy Computing memo to employees on Jan. 15, 2002, amid a series of high-profile attacks on Windows computers and browsers in the form of worms and viruses like Code Red and "Anna Kournikova." Code Red, which used buffer overflows to exploit a weakness in Windows Server's Internet Information Services (IIS), infected more than 300,000 PCs.

The onslaught forced Gates to declare a security emergency within Microsoft, and halt all production while the company's 8,500 software engineers sifted through millions of lines of source code to identify and fix vulnerabilities. The hiatus cost Microsoft $100 million. "If we don't do this, people simply won't be willing--or able--to take advantage of all the other great work we do," Gates said in his memo. "We must lead the industry to a whole new level of Trustworthiness in computing."

To accomplish that, Gates identified three principles that Microsoft products were to be designed around--availability, security, and privacy. In practice, that meant placing security on an equal footing with usability and speed-to-market in Microsoft's development cycles.

"Getting your product to market first and killing Netscape was how you got rich at Microsoft. After the Gates memo came out, having your product have fewer top-class bugs and security vulnerabilities and less patches became as important a criterion for measuring the product managers as making an early shipping date," said Gartner research fellow John Pescatore.

As a result, Microsoft products like Visual Studio and Windows Server gained built-in security features for guarding against vulnerabilities caused by errors like stack overflow and were hardened with architectural changes, such as library randomization and formal Secure Development Lifecycle procedures, and the company made many of its own internal safeguards available to third parties.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.