Microsoft Security Products Chief Takes On Spyware
Mangione recently described some of the progress Microsoft is making in the battle against the worms, viruses, bugs, spyware, and assorted other malware and adware, and he says the upcoming Windows Longhorn release has a few new, spyware-stopping weapons its arsenal of defenses. (Mangione sat down last week with a group of editors from CMP Media LLC, the parent company of TechWeb. Below are some excerpts from that conversation.)
Initially, some 14 million users have downloaded Microsoft's free anti-spyware tool, and about 40 percent of those have opted to send information in to give the company access to detailed information about malware threats. Additional upgrades of the client-side anti-spyware tool are due this summer, and a for-fee enterprise anti-spyware product is expected as early as the first half of 2006, Mangione said.
Furthermore, Microsoft is pleased with the uptake on Windows XP SP2, and also attributes good participation in Windows Update and Auto Update with having an impact in the war on spyware. "There's a real awareness now of how important it is to update," he said.
Asked about recent reports that malware-writers were evolving from script kiddies into more organized, for-profit criminals, Mangione said the largest number are still script kiddies. However, "the fastest area of growth and investment is absolutely in the area of using vulnerabilities or social engineering to get adware-driven, spyware-driven cloaking software installed on people's machines." And that, he acknowledged, is profit-driven, which does signal and confirm a recent shift in malware-writer motivation.
One area where the software giant will be getting aggressive with developers, including those gathering in Seattle next week for the annual Windows Hardware Engineering Conference, involves more readily, easily and consistently identifying code.
"We have to be getting much more signed code running on people's machines," Mangione said. "I see a big investment in not only applications but device drivers signed so that people can legitimately see where a software comes from that's running on my machine and can identify who created that piece of software."
Users, he said, are too easily duped into allowing spyware on their machines. Then, in a process described as "cloaking," spyware often hides -- or tries to hide -- itself from removal tools. Longhorn may bolster its defenses by changing the way permissions are established allowing applications and device drivers to perform certain tasks.
"The No. 1 reason spyware gets installed on user machines is that users get tricked into going and installing an application. In general, you have to be logged in as an admin in order to do that. A lot of users are logged in as admin more than anything else and they don't really know it. A big investment in security in Longhorn is allowing things to run in Least User Access mode, which you can be logged in as admin but the process won't have to be running out of admin. By default they won't have administrative privileges, unless you grant application to actually run in admin. Most apps don't even need admin. Most apps only need admin to run install, which should be a fairly infrequent process. That alone will stop software from going and writing inappropriate things in the registry, for installing device drivers and applications."
Another new security enhancement projected for Longhorn is a technique Mangione dubbed "Windows Service Hardening," under which the services built on top of Longhorn will be locked down. "Process will only be able to do what that service is meant to do. Services are single purpose in nature. They run as processes that most users don't interact with. Unfortunately, a lot of the applications run with admin privileges. What we're able to do is apply identity to those services. And as a result it never writes to the registry, it never writes to the file system. So even if someone could figure out how to inject code into the process, that process will fail when they try to do more malicious things."
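The two points Mangione makes, that a session logged in as admin hands admin to everything it launches, and that services should run under their own restricted identity rather than as a shared all-powerful account, can both be checked on a current Windows host. The script below is an added example written for this page; it is not Microsoft's code and it does not appear in the article. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, where the `Win32_Service` CIM class, the .NET `WindowsIdentity`/`WindowsPrincipal` types and `sc.exe qsidtype` are all standard; the function names `Test-SessionElevated`, `Get-ServiceIdentityReport` and `Get-ServiceSidType` are my own.

```powershell
# Added example (not from the article): audit the two least-privilege
# properties discussed in the interview on a modern Windows host.
# Assumes: Windows PowerShell 5.1 / PowerShell 7 on Windows. Function names
# are this example's own, not a Microsoft API.

# 1. Does the current session carry an administrative token? If it does,
#    every program started from it inherits admin rights, which is the
#    "logged in as admin and don't know it" situation described above.
function Test-SessionElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 2. Which services run as LocalSystem (full privilege on the box) versus a
#    restricted built-in account or a dedicated/virtual account? The logon
#    account is the "identity" Mangione says service hardening applies.
function Get-ServiceIdentityReport {
    $services = Get-CimInstance -ClassName Win32_Service
    foreach ($s in $services) {
        # Some services report no logon account at all; label that explicitly
        $account = if ($s.StartName) { $s.StartName } else { '(none)' }
        $tier = switch -Regex ($account) {
            '^LocalSystem$'                  { 'LocalSystem (highest privilege)' }
            'LocalService$|NetworkService$'  { 'Restricted built-in account' }
            default                          { 'Dedicated or virtual account' }
        }
        [pscustomobject]@{
            Name    = $s.Name
            State   = $s.State
            Account = $account
            Tier    = $tier
            Path    = $s.PathName
        }
    }
}

# 3. Per-service SID type. A value of RESTRICTED or UNRESTRICTED means the
#    service has its own SID, so file and registry ACLs can be scoped to that
#    one service; NONE means it is indistinguishable from every other service
#    sharing the same logon account.
function Get-ServiceSidType {
    param([Parameter(Mandatory)][string]$Name)
    $out  = & sc.exe qsidtype $Name 2>&1
    $line = $out | Where-Object { $_ -match 'SERVICE_SID_TYPE' }
    if (-not $line) { return 'UNKNOWN' }
    return ($line -replace '.*:\s*', '').Trim()
}

# Stand-alone run: summarise the host.
if (Test-SessionElevated) {
    Write-Host 'This session is elevated: anything launched from it runs as admin.'
} else {
    Write-Host 'This session is not elevated.'
}
Get-ServiceIdentityReport | Group-Object Tier |
    Select-Object Count, Name | Format-Table -AutoSize
```

To see which running services are the most exposed, pipe the report through `Where-Object { $_.State -eq 'Running' -and $_.Tier -like 'LocalSystem*' }`, then query `Get-ServiceSidType -Name <service>` for each; a LocalSystem service with SID type `NONE` is exactly the case the interview describes, where injected code inherits everything the account can do.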