We already have frameworks for several of the areas that these companies want to monitor, and we've built filter models or APIs to allow monitoring. We don't have comprehensive solutions for process management or for memory management; those are the two areas where we're still working with the vendors moving forward.
We think that's the only way that we're going to build a sustainable ecosystem that we can continue to support. It's too late to do that for 64-bit Vista, but that's going to be a very small proportion of the operating systems shipping over the next couple of years.
Some analysts have gone as far as saying this is an issue that could cause antitrust problems for Microsoft down the road. It doesn't sound like you'd agree with that?
There's absolutely nothing that Microsoft is doing in its own [security] products that goes around this, there's no way to disable it. It's not an antitrust concern.
So what's the feedback been like from end users working with RC1?
We're getting a lot of great feedback. There have been a couple of minor areas of negative feedback, such as with UAC annoyance. But we believe that we've done a good job addressing that and we'll continue to improve it between now and the product release.
You've said we're not going to see the end of Patch Tuesdays despite all the security improvements. Do you think customers are disappointed to hear that?
I hope they recognize that it's an ongoing process. I hope that sometime in the future we have fewer patches and might not need to do a release. But because of the large deployed installed base running on older versions of the OS, and the fact that we're patching applications and even third-party products, they'll continue to be necessary.
We've seen the attacks move from the OS up the stack and into the applications, and now we're doing fewer patches to the OS but possibly more to the applications.
But I think what Vista offers in terms of low-rights Internet Explorer, UAC, BitLocker and ASLR, we're giving people the ability to control your environment a lot more effectively.
You don't have to run around and try to install the patches as quickly as possible. You can put these mitigations in place.
What did you learn from the Black Hat conference in Las Vegas this year?
The best part of Black Hat is meeting the researchers out there and making the connections. We depend on them to do responsible disclosure and come to us when they find vulnerabilities rather than building zero-day attacks.
That's one of the biggest parts of the impact for us, to create those interpersonal relationships so they can trust us and work with us to try and protect the customers. And the parties were great too.
How did you respond to the Vista hack that was presented?
We're already working on addressing that specific problem, which was not a vulnerability. It was just a way of getting things paged into the kernel. But the point is that there will always be attacks and we want to work with everyone in the community and the researchers to protect everyone against them.
People told us they were impressed with the transparency we showed there, and the ability they had to communicate directly with the Microsoft team.
That's one set of community experts that we work with. We're here today for the same reason. We want to connect with the CIOs and CSOs and hear their concerns and the problems they're having deploying and installing the patches and issues with existing OS products and applications.
What's the biggest change that has occurred as a part of the Trustworthy Computing initiative?
In a word, responsibility. At Microsoft that's what's changed. We feel responsible given our stature in the industry and the number of users we have in the world, to improve not just our own products but our entire ecosystem for our customers.
What's the biggest challenge you still face?
Taking the Secure Development Lifecycle program to the next level is one of the biggest things that we can do for the ecosystem. To us that means taking the tools we've built and the training we've built and wrapping that up in a form that our partners can use.
We call it productizing SDL, and that doesn't mean charging money for it. We want to make it freely available to everybody. We want to turn it into a package that can be used for training and tools by other vendors to improve their security.
As we continue to say, security is not just about the OS. As long as we have third-party applications, your security is only as good as the weakest link in that chain. Evangelizing SDL to the rest of the industry is a big deal for us.