Microsoft’s security used to be a joke. Its operating systems were riddled with bugs that were exploited by hackers and mocked at conferences such as Black Hat, the Las Vegas confab for security technology. But yesterday, one of the independent security researchers at the conference praised Microsoft’s progress on improving security.
Chris Paget, chief hacker at security consulting firm Recursion Ventures, is a well-known figure at the twin Black Hat and Defcon conferences in Las Vegas, having demonstrated a live interception of a cell phone call last year. In her talk this year, she said she hated the limitations of Microsoft’s operating systems and had only two Windows machines in her home. But five years ago, she was enlisted as a penetration tester (pen tester) by Microsoft to screen Windows Vista before it launched. She was paid as an external contractor for Microsoft and signed a non-disclosure agreement that only expired a day before her talk.
Vista was roundly criticized by critics for being slow and ill-conceived in many ways. But Paget said that she was impressed with Microsoft’s thoroughness in testing it for security problems.
“Microsoft’s security process is spectacular,” Paget said. “Security is a process, not a product. It evolves. The question is, ‘Was Vista secure?’ Microsoft has a very bad reputation for security and it is very much undeserved.”
Yes, you could argue that Paget was paid by Microsoft and isn’t truly independent. Microsoft is also a sponsor of Black Hat and it threw a big party there on Thursday night, as it does every year. But this year’s round of talks had to pass muster with an independent review board. Jeff Moss, founder of the conference and a well-known security guru, said there were absolutely “no vendor pitches allowed” on stage. Paget is not currently working for Microsoft.
Paget concluded that Microsoft was serious about making Vista more secure than Windows XP, which was also heavily criticized and exploited. Over three months, she and a team of other external penetration testers were allowed to investigate all of the new features introduced in Windows Vista from a security point of view. They were allowed to review source code, document bugs, interview sometimes squirming programmers, and report on their results in what was dubbed a “final security review.”
“There was a huge list of things Microsoft did right,” Paget said, who went on to say Microsoft was “world leading” in security.
The work resulted in the discovery of a lot of serious bugs that had to be fixed, which caused a delay in the shipment of Vista. But Microsoft concluded that the $250,000 it spent on dealing with every major bug had a good return on investment. Its programmers attacked the highest-risk bugs and went down as far as they could on the list in the time they had. The team decided not to review the oldest part of the code, the legacy code behind earlier versions of Windows. If bugs were serious enough, the security consultants could threaten the teams responsible for them that their components would not ship if the bugs weren’t fixed. Features that had no documentation were removed.
“We were described by one insider as a ‘rape gang,’” Paget said, since the security consultants were so merciless.
Paget said that there was, however, one point where she felt so passionate about a risky feature that she revealed it publicly as a “zero-day” bug — in other words, releasing information about the bug at a time when there was no known fix for it. She was terrified that Microsoft would sue her, and she discovered that the author of the buggy feature was also terrified of getting fired. But the feature was eventually fixed.
“You can see why it was a huge gamble by Microsoft to bring us in,” Paget said. “Nothing is ever secure, but Vista was a huge leap in the right direction.”
Paget’s information is out of date, since it is five years old and Vista has been succeeded by Windows 7. At the time, hacking was a growing problem and, Paget joked, “I was a different gender.” Paget did not have a final count of how many bugs were fixed, but she was impressed with the overall qualitative experience.
But Microsoft has steadily invested more and more money in security measures, said Mike Reavey, director of the Microsoft Security Response Center, in an interview. Reavey, who attended Paget’s talk, said, “It was great to see that story told.” Reavey said that Vista was the beginning of across-the-board security improvements at Microsoft.
Microsoft says its Security Development Lifecycle process is now a part of every single product it ships. In new reports, Microsoft says that the bugs reported in its software are measurably less exploitable than they were before.
In a report issued earlier this year, Microsoft’s own assessment of security issues showed real quantitative improvement in terms of how exploitable its bugs were. Of the 256 Exploitability Index ratings published from July 2010 through May 2011, 97 issues were less serious or nonexistent on the latest version of the affected application than on earlier versions. That means that the bugs that got through were less harmful, with respect to security.
Microsoft was also praised in a talk by representatives of security consulting firm iSec Partners, who said that Microsoft’s current network security compared favorably to Apple’s. To cap it off, Microsoft announced it would give a $250,000 reward to security researchers who came up with the best defensive security improvements for Microsoft’s software. This so-called Blue Hat prize “gamifies” the process for hackers so they’re motivated to creation protections for software, rather than just find its weaknesses.