BOSTON—After taking on the responsibility of leading Microsoft's efforts to secure its much-awaited Vista operating system, Ben Fathi, corporate vice president of the Redmond, Wash., company's Security Technology Unit, is in town at the Security Standard Conference to evangelize the firm's progress in those efforts.
While critics continue to say that Microsoft's next-generation operating system will likely carry as many vulnerabilities as its predecessors, and some of the software giant's partners in the security applications market have called the firm out over some of the new features present in preview versions of Vista, Fathi maintains that the company's Trustworthy Computing initiative is moving forward, and that the new OS will be the most secure Windows product the company has ever produced.
eWEEK Senior Writer Matt Hines sat down with Fathi at the conference on September 6th to get his perspective on where things stand with Vista at present, and in preparation for its launch in November 2006.
What do you think are the most significant advancements in the first Release Candidate (RC1) version of Vista, compared to the beta versions of the product?
Overall, I would say that the biggest improvements you will see are related to performance and reliability; it's significantly faster than Beta 2 and much more reliable. I use it on two or three machines constantly and I've had no problems with it.
In terms of security, the biggest advancements are around User Account Control [UAC]; there are significantly fewer pop-ups, and the ActiveX install service that allows administrators to provide a way for extended users to install things. Those are the big changes—there are lots of small fit-and-finish changes also.
One of the things that was in Beta 2 and we purposefully didn't talk about, and it got press afterwards, was ASLR—address space layout randomization, which helps with a whole class of attacks on system libraries.
If users tried out BitLocker in the Beta 2 release, the installation process was very complicated. We got feedback on that telling us that you needed a Ph.D. to install it. We spent a lot of time with usability engineers to really simplify the experience. It's a simple wizard now; with a few clicks you can encrypt your entire drive.
We also put a lot of investment in Windows Security Center; we want it to be open and available to all our partners, so we worked with the vendors and took their feedback to make sure that it's totally unbiased in terms of what it presents to the user.
It gives the vendor who has [security] software on a machine the ability to remediate if the end user runs out of subscription or the signatures are old. The first thing you get is the opportunity to fix the problem without hearing about other vendors. Or users can see other offers on a Web page that has a complete list of all the solutions available based on best cost of ownership for the user over a two-year period.
But there are still lots of ways we can improve the system.
We've heard some of your partners complain about Microsoft's decision to employ PatchGuard and restrict access to the Vista kernel. They contend that the tools Microsoft has offered in replacement won't allow them to build products that are as effective as when they had kernel access. How are you working to quell those fears?
Kernel patch protection isn't new to Vista. It has been shipping for over a year in the 64-bit versions of XP, so it's not something new. Secondly, we have never endorsed or supported anyone patching the kernel in any way.
It's something people have done just because it was possible to do. But I like to use the analogy of the computer as your car, and patching the kernel is like trying to work on the engine while driving the car; it's not a smart thing to do.
Now that we have all these multi-processor systems, patching the kernel is one processor modifying the instructions or data while the other is trying to execute them. It's just something you don't want to be doing. These third-party products are changing instructions on the fly.
So you think some of the concerns that have been expressed are a bit overstated?
It's only on 64-bit versions of Vista. The security products involved, not anti-virus or anti-spyware, don't use this functionality. It's really behavior-blocking applications and intrusion protection systems that do kernel patching.
For 32-bit systems, which will represent the majority of machines for an unknown number of years, the products will still work. But we don't endorse or support it. On 64-bit we're saying this is a new ecosystem, a chance for us to start fresh and do things cleanly, so let's work together to come up with those APIs to do the extensions you want without hacking and patching the kernel.
We already have frameworks for several of the areas that these companies want to monitor, and we've built filter models or APIs to allow monitoring. We don't have comprehensive solutions for process management or for memory management; those are the two areas where we're still working with the vendors moving forward.
We think that's the only way that we're going to build a sustainable ecosystem that we can continue to support. It's too late to do that for 64-bit Vista, but that's going to be a very small proportion of the operating systems shipping over the next couple of years.
Some analysts have gone as far as saying this is an issue that could cause antitrust problems for Microsoft down the road. It doesn't sound like you'd agree with that?
There's absolutely nothing that Microsoft is doing in its own [security] products that goes around this; there's no way to disable it. It's not an antitrust concern.
So what's the feedback been like from end users working with RC1?
We're getting a lot of great feedback. There have been a couple of minor areas of negative feedback, such as with UAC annoyance. But we believe that we've done a good job addressing that, and we'll continue to improve it between now and the product release.
You've said we're not going to see the end of Patch Tuesdays despite all the security improvements. Do you think customers are disappointed to hear that?
I hope they recognize that it's an ongoing process. I hope that sometime in the future we have fewer patches and might not need to do a release. But because of the large deployed installed base running on older versions of the OS, and the fact that we're patching applications and even third-party products, they'll continue to be necessary.
We've seen the attacks move from the OS up the stack and into the applications, and now we're doing fewer patches to the OS but possibly more to the applications.
But I think with what Vista offers in terms of low-rights Internet Explorer, UAC, BitLocker and ASLR, we're giving people the ability to control your environment a lot more effectively.
You dont have to run around and try to install the patches as quickly as possible. You can put these mitigations in place.
What did you learn from the Black Hat conference in Las Vegas this year?
The best part of Black Hat is meeting the researchers out there and making the connections. We depend on them to do responsible disclosure and come to us when they find vulnerabilities rather than building zero-day attacks.
That's one of the biggest parts of the impact for us, to create those interpersonal relationships so they can trust us and work with us to try and protect the customers. And the parties were great too.
How did you respond to the Vista hack that was presented?
We're already working on addressing that specific problem, which was not a vulnerability. It was just a way of getting things paged into the kernel. But the point is that there will always be attacks, and we want to work with everyone in the community and the researchers to protect everyone against them.
People told us they were impressed with the transparency we showed there, and the ability they had to communicate directly with the Microsoft team.
That's one set of community experts that we work with. We're here today for the same reason. We want to connect with the CIOs and CSOs and hear their concerns and the problems they're having deploying and installing the patches, and issues with existing OS products and applications.
What's the biggest change that has occurred as a part of the Trustworthy Computing initiative?
In a word, responsibility. At Microsoft that's what's changed. We feel responsible, given our stature in the industry and the number of users we have in the world, to improve not just our own products but our entire ecosystem for our customers.
What's the biggest challenge you still face?
Taking the Secure Development Lifecycle program to the next level is one of the biggest things that we can do for the ecosystem. To us that means taking the tools we've built and the training we've built and wrapping that up in a form that our partners can use.
We call it productizing SDL, and that doesn't mean charging money for it. We want to make it freely available to everybody. We want to turn it into a package that can be used for training and tools by other vendors to improve their security.
As we continue to say, security is not just about the OS. As long as we have third-party applications, your security is only as good as the weakest link in that chain. Evangelizing SDL to the rest of the industry is a big deal for us.