Information Security News mailing list archives

Old code in Windows is security threat


From: InfoSec News <isn () c4i org>
Date: Mon, 10 Jun 2002 05:12:31 -0500 (CDT)

http://news.com.com/2100-1001-934363.html?tag=fd_top

By Robert Lemos 
Staff Writer, CNET News.com
June 9, 2002, 11:00 PM PT

Microsoft will more quickly retire old code in its Windows operating
system and other software as a result of the company's four-month-old
"trustworthy computing" initiative, the company's lead bug basher said
in an interview.

The revelation follows last week's warning that a serious
vulnerability in Microsoft's Internet Explorer occurred in the
software supporting a decade-old protocol that has rarely been used
since the World Wide Web became popular.

"A lot of the (coming) design changes are to remove this feature or
turn that one off by default," said Steve Lipner, director of security
assurance for Microsoft and the man on the ground for the company's
trustworthy computing initiative.

He added that when Microsoft is faced with a choice between removing
old, possibly insecure code and keeping a feature to please a small
fraction of customers, increasingly security is winning out. "Do we
think that things will be retired more quickly? Sure," Lipner said.

The acknowledgment that the company is rushing to ax old code comes
amid criticism that Microsoft's security initiative has been slow to
show results. More than 30 vulnerabilities have been reported by the
company since the initiative began, putting it on the same security
track as last year.

Fifty-million lines of code

Even before Windows XP came out, Microsoft said it would sacrifice
compatibility in some circumstances to increase performance. However,
the recent, unexpected security problems are accelerating the process
and prompting the company to remove more code than anticipated. But
trying to figure out how to cut potentially problematic code is no
easy task.

"The problem is that you are dealing with 50 million lines of code and
everything depends on everything else," said Peter Neumann, principal
scientist for technology think-tank SRI International.

Microsoft kicked off its trustworthy computing initiative in January,
after Chairman Bill Gates urged the company's employees to focus more
on security and less on creating new features. Critics of the company
have kept watch for signs of any real changes in how the software
giant deals with security. Changes in Windows, though, could take
a while, especially in light of how the operating system has grown.

Neumann--who designed the file system for the Multics operating
system, the precursor to Unix--stresses that software security starts
with good design, using modular components.

"Part of the problem is everything is too convoluted," Neumann said.  
"It's difficult to have an assurance that everything is going to
work." Adding in backward compatibility only increases complexity, he
added.

Marc Maiffret, 21-year-old security prodigy and chief hacking officer
for eEye Digital Security, doesn't fault old code for security
problems. He said that programmers who don't review the code before
using it are at fault. Old code may have more security holes in it,
but those holes should be caught, he said.

"With a lot of the more recent code, people are smarter about writing
secure code," Maiffret said, adding that "there is no problem in
having backwards compatibility, except when there is a flaw in it."

That's the problem Microsoft is facing. A feature that allowed
Internet Explorer to communicate with servers running Gopher, a
pre-Web protocol for hyperlinking information, has a vulnerability
that could leave PC users open to attack, a Finnish researcher said
last week.

GopherSpace, the name of the network of servers that supports the
Gopher protocol, consists of fewer than 600 computers offering up fewer
than 8 million links, according to a Gopher site maintained at Point
Loma Nazarene University. The Web has more than 2 billion pages,
according to the Google search engine.

While Microsoft is still analyzing the claims, the company's
trustworthy computing initiative already had project managers
questioning the wisdom of having support for the rarely used protocol,
said Microsoft's Lipner.

"Gopher was one of the functions that was flagged for being turned off
by default" in the coming Windows XP Service Pack 1, Lipner said.  
While the disclosure of the apparent flaw beat the company's update,
Lipner stressed that the design decision showed the initiative was
paying off. "We were asking the right questions," he said.

Lipner wouldn't name other features that would be retired, or break
down how much of Windows XP is considered old code and how much is
new. Instead, he explained that part of the company's security process
involves imagining the worst types of attacks against its code and
developing a "threat model." It then searches for any holes in its
defenses that would let such attacks through.

"The developers and testers were reviewing code and testing code as
prioritized by the threat model," Lipner said.

Lipner said the work is ongoing, adding, "The security push is a big
job."



-
ISN is currently hosted by Attrition.org