May 2009 - Posts

Security by obscurity is one option, but I’d rather have SDL working for me
31 May 09 09:19 PM | ronaldg

For those of you who may not remember, SDL stands for Secure Development Lifecycle and represents the foundation for the great strides in security that the Windows platform has made since the early 2000s. In fact, of all the knocks about Vista you may have heard, I’m willing to bet that not being secure wasn’t one of them (unless you turned off UAC <grin>). You may recall from one of my early posts over a year ago that Vista had far fewer vulnerabilities posted in its first year in production than any other desktop OS. And a lot of that is due to the fact that Vista is the first Microsoft OS developed entirely under the SDL paradigm, aka the Trustworthy Computing Initiative, at Microsoft.

I don’t know how I missed this article when it first came out -- I did post about the PWN2OWN hacking competition, but somehow missed this. At any rate, this is one of those articles that deserves some exposure even after the fact IMHO. Those of you who follow or have an interest in computer security already realize that a big part of the Apple security “halo” is that they effectively have the advantage of what is known as “security by obscurity” (e.g. generally they “appear” more secure as a byproduct of reduced exposure; another phrase that I often use is, “it’s easy to be bulletproof when no one is shooting at you”). It’s interesting to me, like I blogged last year (the PWN2OWN 2008 competition), that the headlines will read “Vista falls” even though the Mac was the first to go by a significant margin. But to have me blog about this, as a PC person, doesn’t have nearly the impact that it would coming from the actual exploit generators (aka hackers). So, when I read this article a few things jumped out at me and I thought I would share them. Of course, the link is below, so please read the entire article; I thought it was pretty interesting to get this insight right from the source. In case you don’t want to read the whole thing, let me call out a few of the more interesting comments that I found in the article that I think go to support my contention that the Windows platform is as secure, or possibly more secure, than even the Mac, which many folks think is “inherently secure” primarily because of what I call their security “halo”. Here are some excerpts that I think are noteworthy from Questions for Pwn2Own hacker Charlie Miller: (btw, the parenthetical elements after some of the excerpts are just my thoughts and are not to be associated with the article itself)

“I came to CanSecWest last year with two bugs but only one exploit.  Last year, you could only win once so I saved the second [Safari] bug.   Turns out, it was still there this year so I wrote another exploit and used it this year.” (hmmm)

“What’s the ballpark value of that Safari bug? … It’s much less than the IE 8 vulnerability (exploited separately by Nils) by about a factor of ten.” (which indicates that IE is a much more lucrative and sought after target)

“It’s really simple. Safari on the Mac is easier to exploit.  The things that Windows do to make it harder (for an exploit to work), Macs don’t do.  Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.” (wow, to me this is the ultimate validation of the SDL implementation at Microsoft.  I could also infer that Apple is likely still relying on the halo of obscurity to protect their platform which is where I came up with the title of this post).

“It’s clear that all three browsers (Safari, IE and Firefox) have bugs.  Code execution holes everywhere.   But that’s only half the equation.  The other half is exploiting it.  There’s almost no hurdle to jump through on Mac OS X.”

“It’s hard to find a good bug these days and even harder to exploit and deal with all the mitigations.” (except apparently on Apple where it was indicated above that there were almost no mitigations to have to deal with)

“On a scale of 1-10, how impressive was the Nils’ sweep of exploiting all three main browsers? I was surprised. For IE 8, I’d give him a 9 out of 10. For Safari, maybe a 2. It’s just too easy to pop Safari. For Firefox on Windows, I give him a 10...It’s really hard to exploit Firefox on Windows.” (but notice IE got a 9, so it’s not that far behind FF compared to the 2 for Safari)

But notice what he said about FF on Mac: “With Firefox on Mac OS X, you can do whatever you want.  There’s nothing in the Mac operating system that will stop you...For the amount of time he spent to do what he did on IE and Firefox, he could have found and exploited five or 10 Safari bugs.”

And lastly, “People said five years ago that buffer overflows would be solved by now.  Well, they’re not.  Bugs will always be there so it’s a smart move to work on mitigations and (anti-exploit) roadblocks.”

Hopefully, you’ve picked up some potential ammo here to use when you hear folks who are still living (technologically) in the 90’s continue to express the outdated notion that the Microsoft platform lacks the fundamental security of some other platforms. Btw, you could also refer to my recent post on how XP is able to meet the security needs of the USAF. And remember, Vista is the first MS OS that was developed totally under the SDL. So what I’m saying is, you have now seen the effects of the implementation of the SDL paradigm in place at Microsoft (comments above from a real hacker as well as data that shows that Vista is 60% less susceptible to malware), and you can expect that our code will continue to reflect an ever improving security record as we move forward. I wonder if you can expect that from other platforms that have not instituted such a secure coding paradigm. You make the call.

more Windows 7 info and resources
31 May 09 06:22 PM | ronaldg

As Windows 7 continues its run (pun intended) to RTM, here are some links to resources on the Partner Portal as well as other sites to help get you ready for the coming release of Windows 7, which is coming sooner than many of you might be expecting – will you be ready? Btw, when is sooner than you expect? I would point out that there is only scheduled to be a single RC of Win7, and that an RC typically lasts anywhere from 3-5 months, so if you consider that Win7 literally breezed thru the beta stage with very few issues, and do the math (RC released in early May), then you should realize that you might be seeing Win7 RTM as early as mid to late summer. And if that’s the case, you can expect it to hit store shelves well before the end of this calendar year. I would hope all of you are already starting to ramp up on it, but in my events and other partner gatherings I find that there’s still a fair number of you who haven’t, so…

Windows 7 was included in your APR Action Pack update, so you don’t even have to download it.

Main link to Partner Readiness Resources on the MS Partner Portal: Windows 7 Online Readiness Kit

Download the Windows 7 RC.

More links to additional resources on MS Partner Portal (also in Online Readiness Kit above)

More links to additional resources on other web sites.

OK, I think those should last you for a while.  Also, I’ll be doing a lot more coverage on this blog as we move forward, including posting some vidcasts and docs to help you with demos.

While some of your customers may choose to wait for the release-to-manufacturing version and migrate straight from Windows XP, others may find compelling economic reasons to take the Windows Vista migration path. Be ready to support them as necessary, so here are some VISTA resources around that just in case.

YMTC - Interesting article on how the US Air Force has locked down Windows XP
31 May 09 01:21 PM | ronaldg

This really is an interesting article, so I’m recommending a read, but too bad it has to be colored (as usual) by press bias, so I can’t really let that pass without a bit of explanation. Once again, per my YMTC series, here’s an article title I consider a little bit specious (somewhat misleading). OK, so the article title proclaims that “Microsoft Offers Secure Windows … But Only to the Government”. Well, if you do read the article, you’ll find that this is basically a highly locked down version of standard XP; nowhere does it state that the XP code base was modified to produce a more secure (USAF proprietary) version. In fact, here’s what it said was delivered: “secure configuration of Windows XP out of the box”; notice it refers to configuration. The article title reflects an underlying anti-MS bias IMHO, since the more accurate title would be “Microsoft helps USAF make Windows XP a great defensive system”. And the idea that the capability to do an extreme lockdown of XP is somehow limited to only “government” agencies is just plain wrong. Of course, the government has their own standards and criteria, and its particular implementation of this lockdown may be proprietary, but that would not be because Microsoft’s intent is to limit this capability to public sector use. Accurate title or bias – YMTC.

A little more on the article though…

Couple of things that were called out.  (Are you doing these in your environments that require high security?)

“one of the most important and simplest [configuration changes] was an obvious fix to how Windows XP handled passwords [ensured that administrative passwords were unique]”

“install automated tools to update patches and to detect and prevent someone from altering the configuration”

“Having a single configuration across the network greatly reduced the time it took to patch systems”

“An added benefit of the new configuration was a 40 percent drop in the number of calls to Air Force help desks” (did this one catch your attention, 40% is almost half, imagine what that could do for your IT bottom line if you have a help desk scenario in play)

“Most importantly, security of the system improved…85 percent of attacks were blocked after the configuration was installed”

Microsoft Offers Secure Windows … But Only to the Government

In closing, I would reiterate that this was done via configuration changes to XP, albeit probably more comprehensive, and potentially more sophisticated than many of you do now, but still the point here is that with due diligence even XP can be brought up to a very high level of security. Now, given that most folks out there don’t have the expertise or in other ways are not ready to enforce this level of security on XP, wouldn’t it be worthwhile to consider how some of the security improvements in Vista (e.g. DEP and ASLR) could add some value to your infrastructure security?

Here’s an interesting article on XP Mode hardware virtualization requirement
31 May 09 12:50 PM | ronaldg

I don’t care too much for the title, and would put a bit of my YMTC (you make the call) to it, but nevertheless, this article brings out some key facts about hardware virtualization that I think you should know about and will find interesting.

Microsoft, Intel goof up Windows 7's "XP Mode" (ars technica)

So right off the top I would take some issue with his statement in the subtitle: “…But now we learn that Microsoft and Intel have contrived to make XPM unavailable to many Intel users.” I consider that an unwarranted negative spin, so let me throw a little YMTC on this. Well, I don’t know about you, but after what we know about the “Windows Capable” debacle, I’ll be really surprised if we find out that MS did, in fact, conspire with Intel to “limit XPM availability to many Intel users”, just to help Intel upsell some CPUs. In fact, Jon (the blog author) makes the point at the very end that he isn’t sure why Microsoft is requiring VT support for XP Mode -- so, I guess it’s OK for him to make up his own reason; thus, I take issue that his subtitle and article imply it’s a marketing conspiracy - YMTC. But in that vein, I don’t know myself (yet), but I’m thinking that it’s more likely that VT is required for the updated version of VPC, not just for the XP VM, and that this is less about a marketing conspiracy and more about Microsoft’s platform virtualization strategy for desktop virtualization.

Here’s some other points of interest (IMHO) in the article…

“The vast majority of AMD's lineup, except for Sempron, has AMD-V and will work”.  But, from Jon’s point of view, the fact that Intel doesn’t include VT on many of its procs should apparently dictate that MS not require it for XPM.  The fact that Intel segments their procs around Intel-VT, for marketing (revenue) purposes, is too bad IMHO.  In fact, Jon characterizes it as a “boneheaded move on Intel's part” (to not include VT on more or all CPUs).  But to imply that MS has goofed up XPM for requiring VT, again without more specific knowledge of what the decision was based on, is indicative of the bias (and “small picture” perspectives) that I see so often in the blogosphere.  (And why I do these YMTC bits from time to time.  Of course, some might claim that I have my own bias <grin>.)

One interesting technical piece of information he shares is that “Intel's VT-x and AMD's AMD-V work by introducing a set of instructions that make x86 fully virtualizable without the use of binary translation.” This is a great nutshell definition of what the hardware virtualization technology does. Jon goes on to say that “VT is the way to go if you're rolling out a new x86-based virtualization package, like Microsoft's hyper-V.” But he then states that XPM is a binary translation solution (which I’ll assume is true), so as alluded to above he wonders “why did Microsoft mandate VT support for XPM”. Well, even though a reason may not be obvious, I can only say that in my 11+ years at MS, I have found that there is ALWAYS a reason for why things are done in our software the way they are, and I have to say that from the times when I’ve been privy to the decision process, invariably, if you were presented with the same set of decision criteria (or if you had the same kind of “big picture” view), you would make the same decision. Perhaps some more information will come to light about “why VT” in future whitepapers or engineering blogs.

In the meantime, it is important for all our partners to understand that XPM does have the Intel VT/AMD-V requirement, for whatever reason, and that there are a significant number of Intel CPUs that do not have it, including some fairly recent ones.  Ed Bott has a list of the supporting CPUs on his blog.

On a related note, I find it almost amusing that many of the posts and articles I’ve seen around this subject whine about the fact that the Atom processor doesn’t have VT -- like one would want to use a 1-2 GB RAM netbook to host VMs. I guess they have to find fault with something.

In closing, I would also remind you that XPM is a stand-alone (unmanaged) solution (vs some of the enterprise focused virtualization solutions such as MED-V and VDI) and intended for the small business space, thus it is slated to be available in the Professional (and higher) versions of Windows 7.

Microsoft Action Pack Quarterly Webcast 5/26/09
08 May 09 10:43 AM | ronaldg

As always, well as usual at least, I’ll be hosting another quarterly MAPS webcast in a couple of weeks.  If you’re an Action Pack subscriber, make plans to join me.  Here’s the signup link: https://training.partner.microsoft.com/plc/details.aspx?publisher=12&delivery=266982

Highlights for this quarter include an overview of Windows 7 as well as a closer look at the upcoming Digital Distribution transition for the Microsoft Action Pack.

These webcasts are for Action Pack subscribers to know what’s new in the current MAPS quarterly update.  I’m assuming the vast majority of my readership is either already subscribing, or aware of Action Pack (Cert and Gold partners are not eligible since they get the MSDN subscription).  Just as a reminder, if you have any questions about MAPS check out the MAPS page on the partner portal, or if you are having any issues with or specific questions about your subscription, then call 1-866-668-1215 or email MAPS-NA@microsoft.com for that.