Microsoft Talks Vista Security In Online Chat
"We&re doing a number of things in Windows Vista to help protect users from malware," Nash told the chat audience. "One of the most innovative is protected mode in Internet Explorer. Protected mode reduces the severity of threats to IE and add-ons running in the IE process by eliminating the silent install of malicious code through software vulnerabilities. This is done by automatically running IE in isolation from any other application or process in the operating system and limiting the IE process from writing to any location beyond Temporary Internet Files without explicit user consent."
Nash characterized protected mode as just one of many the software giant is applying to deal with Web-based threats. "We&re also doing work to reduce the attack surface area by disabling by default most ActiveX controls and COM objects that can be instantiated as ActiveX controls. We&re also doing a number of things to reduce phishing attacks and other forms of spoofing users into making a bad trust decision," Nash added.
In addition, Microsoft is currently working to improve the firewalling in Windows to provide bi-directional filtering, Nash said. He reiterated a Microsoft pledge to equip all Vista users with anti-spyware technology. Microsoft released the beta version of its AntiSpyware 1.0 program this past January, using technology it acquired through its purchase in late 2004 of Giant Software.
Early on in the chat, Nash fielded a question that amounted to a criticism of the tactic common throughout the software world of limiting the ability to perform certain tasks to users with administrative privileges. The question was keyed to Microsoft's CRM program, but Nash expanded his answer to encompass software in general.
"Frankly the issue is less about Microsoft CRM and more of a general issue where we did not do a good enough job of creating clear security levels in Windows," Nash wrote to the chat audience. "Starting With Windows Server 2003, we started to look hard at exactly what features [and] services required what privilege levels. This is part of our secure-by-default strategy. We were able to reduce a lot of privileges which reduced attack surface area. We call this 'least privilege' ".
That strategy is being carried through to Windows Vista, Nash said. "For Windows Vista we created a new capability called user account protection. This feature enables you to use your desktop system without being an admin."
In Vista, administrative protection will be handled in part via a user-account protection services. Though billed as a colloquial, give-and-take chat with online participants, at least one of Microsoft's responses appears to have been drawn directly from a previous public statements. Nash was asked why Microsoft had not gone ahead with a security update that it had planned to issue on Sept. 13.
"No bulletins were released on September 13," Nash told the chat audience. "For the update that we were planning on shipping, late in the testing process, we encountered a quality issue that we decided was significant enough that it required some more testing and development before releasing it. We have made a commitment to only release high quality updates that fix the issues at hand, and therefore we felt it was in the best interest of our customers to not release this update until it undergoes further testing."
Most of that answer was a repeat of a blog entry posted on Friday, Sept. 9 by Mike Reavey, a member of Microsoft's Security Response Center.
On the developer front, one chat participant told Nash that, while Microsoft seemed to be very responsive in providing end-user security updates, it seemed slower in coming up better tools for software developers. "We hope that the upcoming release of Visual Studio 2005 in November will help address that this," Nash answered. "We have done a lot to help developers write secure code with this release. It includes the integration of PREfast, FxCop, the secure CRT, and other improvements that enable developers to write more secure applications. This release makes available many of the same technologies we are using within Microsoft to improve the security of our own code."