Challenging the Immutable Laws Of Security

Have the facts behind the basic maxims of computer security changed in the last eight years? In fact, there has been progress, but the rules generally have stood the test of time.

One of the great, classic articles of computer security comes from Microsoft in an era when security was not their strong suit. The article "10 Immutable Laws of Security" by Scott Culp relates rules which ring as true today as they did in 2000 when the article was written-or do they?

Now Jesper M. Johansson, a Microsoft MVP and Ph.D in MIS has begun a series of articles re-examining the laws. The first in the series looks at laws 1 through 3. They're all important laws, but in the eight years since they were formulated have things changed to make them less true?

The first law is something you hear all the time from every reputable source: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. Once you let someone execute code on your system there are ways for them to take control of it. What has happened in this regard since 2000? Johansson points out that in 2000 the mainstream operating systems, Windows 98 and NT 4.0, were certainly under the thumb of this law. The 9x generation of Windows didn't have any way to prevent others from running code on your system.

NT had a basic model of privileges so in theory you might be able to prevent malicious code from running or mitigate its effects. But as a practical matter, it didn't work very well and the system was so full of holes that it couldn't be effectively secured. As Johansson says, anyone who wanted to get work done in NT4 ran it as Administrator, which means that any malicious code did as well. That year Windows 2000 was released, improving the situation, but by less than it seemed at the time.

Windows Vista and Windows Server 2008, the current shipping versions, are clearly far more secure products than those of eight years ago. Does that mean that Law No. 1 is no more? No way. But things are different. Johansson notes IE Protected Mode as one of several "security boundaries" that did not exist eight years ago, but doesn't go very far with it. I think IE Protected Mode really does represent a meaningful dent in the first law, although I hope nobody thinks I'm saying that Vista is now bulletproof. And in spite of IE Protected Mode there have been vulnerabilities in IE7 on Vista that Microsoft said could result in remote code execution. But clearly it has also effectively sandboxed many attacks; they may get to run through IE, but they can't do much of value to an attacker.

And it's not just Windows; anti-virus protection in 2000 was many generations behind where it is now, where top-notch protection includes a host-intrusion prevention system, software which monitors running processes for activity which appears malicious. These systems are not perfect, but clearly they do stop some attacks. Once again, a dent in law No. 1, but you're still best served by assuming the law stands because you can't rely on the protection.