Error in MS Protocol Could Compromise Security

Microsoft VP Jim Allchin testifies that Microsoft has already identified at least one protocol and two APIs that it plans to withhold from public disclosure under a security exemption in the federal antitrust settlement proposal.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

WASHINGTON -- Microsoft Corp. has already identified at least one protocol and two APIs that it plans to withhold from public disclosure under a security exemption in the federal antitrust settlement proposal agreed to in November, according to Jim Allchin, Microsofts group vice president for Platforms, who testified in the antitrust case in court Tuesday.

The protocol, which is part of Message Queuing, contains a coding mistake that would threaten the security of enterprise systems using it if it were disclosed, Allchin said.

When Kevin Hodges, attorney for the group of states pursuing tough remedies against Microsoft, asked him how many APIs would be exempt under the security carve-out, Allchin said he did not know the exact number but it would include APIs that deal with anti-piracy and digital rights management. Microsoft has already identified APIs involved with Windows File Protection that would be withheld, he said.

When pressed for further details, Allchin said he did not want to offer specifics because Microsoft is trying to work on its reputation for security. "The fact that I even mentioned the Message Queuing thing bothers me," he said.

The final Microsoft executive lined up to defend the company, Allchin highlighted the security problems he foresees resulting from technical information disclosure requirements sought by nine states and the District of Columbia that rejected the federal settlement proposal. The states are seeking disclosure requirements to allow rival software developers to create products that work with Windows, which Microsoft was found to have used illegal means to sustain as a monopoly operating system. The states proposal does not include an exemption for security issues.

The hearing Tuesday revealed that one of Microsofts own witnesses, who was canceled from the witness list last week, disagrees with the company on what kind of technical information would have to be withheld for security purposes. Roger Needham, a professor and managing director of the Microsoft Research Lab in Cambridge, England, testified in a deposition taken in February that it would not be necessary to exempt information other than cryptographic keys and their locations from disclosure requirements to protect the security of Windows. Allchin said he did not agree with Needhams opinion.

Trying to demonstrate that there would be no limit on the number of APIs and protocols that Microsoft could withhold from disclosure under the proposed settlements security carve-out, Hodges noted that Microsoft would decide what to disclose and what not to disclose, and there would be no announcements about non-disclosure.

Like Bill Gates before him, in his written testimony Allchin raised the specter of national security threats--even compromises to the U.S. efforts in Afghanistan--that could result if the states win their case. In his written testimony, Allchin suggested several, far-reaching dangers that could develop if the Microsoft is not permitted to withhold API and protocol disclosures when it has security-related concerns. "It is no exaggeration to say that the national security is also implicated by the efforts of hackers to break into computing networks," Allchin wrote in his testimony. "Computers, including many running Windows operating systems, are used throughout the United States Department of Defense and by the Armed Forces of the United States in Afghanistan and elsewhere."

Allchin also testified at length about .Net, countering charges made by rivals, particularly Jonathan Schwartz of Sun Microsystems Inc. Charging that Schwartzs testimony implied an oversimplified sense of the interoperability of .Net and Java technology, he said the two systems are not perfect equivalents of each other.

When Hodges quizzed him about the relative proprietary nature of the two companies platforms, Allchin conceded that Java specifications are available to the public while .Net specifications in sum are proprietary. He also conceded that Sun has tried to make Java a cross-platform system, while Microsofts .Net is primarily focused on Windows.

The attorney for the states also challenged Allchin on his assertion that Sun should have no difficulty persuading OEMs to install Java Virtual Machine, as opposed to Microsofts own JVM alone, on their PCs. Hodges held up an internal Microsoft e-mail from Allchin, in which he said, "Im also counting on us getting OEMs fighting against Sun." He tried to admit other evidence to show that Microsoft continues to take steps to prevent OEMs from supporting rival platforms, but the judge sustained the Microsoft attorneys objections.

In an interim procedural defeat for Microsoft, Judge Colleen Kollar-Kotelly ruled Tuesday that the states will be allowed to present two expert witnesses, Andrew Appel, professor of computer sciences, and James Bach, an independent software tester, in their rebuttal to Microsofts witnesses. Appel and Bach plan to discuss Windows XP Embedded and how Microsoft could use it to comply with the states proposed requirement of a modular Windows--one in which the operating system is unbundled from middleware. Bach is expected to demonstrate how XP Embedded can be used as an operating system with removable middleware--something that Microsoft has vehemently denied is feasible.