This is the final in a series of articles on Microsoft's security play.
Got a visual of hackers snickering at Microsoft's Windows Vista and security tools and effortlessly hacking away at them from their workstations? Or, maybe of exhausted, caffeine-guzzling hackers pounding their fists in frustration at the newly fortressed Vista that has them locked out?
Either way, you've got the picture all wrong.
White-hat hackers, or researchers, aren't dissing Microsoft's security plans, nor are they particularly worried about it cutting into their livelihood, they said in recent interviews with Dark Reading. Instead, they give Microsoft credit for raising the bar with Vista's built-in security features, and they're mostly ambivalent about Microsoft's new Forefront Client Security antivirus and anti-spyware tool. (See 800-Pound Gorilla Sits on AV, Microsoft Releases Forefront, The Vista-Forefront Security Two-Step, and Microsoft Beckons to Early Adopters.)
Vista -- which officially gets launched next week, on November 30 -- is no pushover, with its built-in firewall, user account control, and kernel patch protection, they say. "It's now a lot harder -- you've got to be able to do kernel programming and debugging," says researcher Jon Ellch, a.k.a. johnny cache, who is most famous for his wireless exploits and fingerprinting tool. "This severely ups the ante." (See New Tool Dusts for Fingerprints.)
Forefront, however, will be more of a hurdle for script kiddies and other novice hacker types, Ellch says, not for skilled researchers. "Hackers don't give a damn about antivirus software," Ellch says. "It gets you caught once you're already in. If you haven't been caught by AV before, you didn't have to worry about it. AV protects you from script kiddies" only.
HD Moore, director of security research for BreakingPoint Systems and the creator of the popular Metasploit hacking tool, agrees. "Forefront Client Security does nothing to solve the core problem of vulnerabilities. It just shuts out the third-party anti-spyware/rootkit/malware/antivirus vendors."
But if Forefront is better, cheaper, and easier to get and maintain than existing AV tools, it could keep hackers on their toes, according to Moore. "Then it might raise the bar on pen-tests and drive-by download-type attacks."
Moore says Forefront could be a boon for hackers if, as third-party security vendors fear, they eventually get shut out of the market by Microsoft. He says fewer vendors would simplify the task of finding holes, since there would be fewer tools (including Microsoft's) left standing. "The [fewer] security solutions that are out there, the easier it is for me."
Vista will be a tougher nut to crack, however, hackers say, although most say they haven't wasted their energy hammering on the beta version. "Microsoft has made a lot of good improvements to security with Vista, but it's really too early to tell how things will go," says Marc Maiffret, CTO and chief hacking officer at eEye Digital Security. "We have taken a look at it from a product and overall architecture perspective, but we've not yet started to look for any bugs."
Microsoft put Vista under the hacker microscope during the development process, says Dan Kaminsky, director of penetration testing for IOActive, and one of the researchers who looked for potential hacker holes in Vista during its development. "I spent most of '06 working on Vista and working on problems hackers might be looking for," he says. "There were things we found and things we got closed... Certainly, Vista has closed lot of holes that have been around for a very long time."
Still, Kaminsky says, there will be Vista exploits. "But it will be a harder target, no argument about that."
Microsoft applauded the feedback it has received from researchers on Vista. "Security researcher feedback on Windows Vista has been unprecedented. That said, its important to remember that no software is 100 percent secure," says a Microsoft spokesperson. "Microsoft is working to keep the number of security vulnerabilities that ship in our products to a minimum, through our Security Development Lifecycle process, and that work is paying off."
And researchers agree there's no such thing as a bulletproof OS or client machine. "They [Microsoft] can't eliminate vulnerabilities, but they can make it trivial to find old vulnerabilities," says Thomas Ptacek, a researcher with Matasano Security. "Microsoft makes it harder for them [researchers], but that creates a whole new slew of Black Hat talks."
Hackers aren't worried that Vista's security will slow their business. "Every new release brings new challenges and new opportunities for employment," says Mark Loveless, a.k.a. simple nomad, and security architect for Vernier Networks.
"I think if you asked most researchers, they'd say that they want the bar raised," Ptacek says. "Writing an exploit for a well-known vulnerability is a commodity skill. Teenagers can do it. And they charge less than we do."
Meanwhile, the irony of Microsoft elbowing out competitors that have been securing Windows desktop products for years isn't lost on the research community.
"I think the funniest part is how Microsoft gets to play both sides," Moore says. "Take advantage of the poor security record of their products and at the same time shut out all the third-party solutions, all to sell something new."
And hackers respect the constant game of catch-up that Microsoft is forced to play with them.
"It's an arms race and the attackers definitely have the advantage," says Loveless. "Microsoft has the disadvantage because they have to patch every single hole, and hackers only have to open one at a time."
Kelly Jackson Higgins, Senior Editor, Dark Reading