23 Jan 2006
The recent Windows WMF debacle demonstrates that Microsoft’s Trustworthy Computing initiative is little more than a bag of wind. The idea that Microsoft would take a long hard look at all its source code and thereby remove all bugs has always been laughable. It would require the complete rewrite and testing of all Microsoft software, and this is absolutely unthinkable for a company with as much software as Microsoft.
The WMF scandal became public when Microsoft was informed of a remotely exploitable flaw that could be triggered by opening a specially crafted WMF file. Microsoft downplayed the severity of the flaw by saying it was not aware of any customers’ systems being compromised because of the flaw. Clearly this is not the same as saying that customers’ systems have not been affected. Anyhow, a few days later, reports of various exploits circulating on the internet presumably caused Microsoft to U-turn on the issue and release its WMF patch.
Obviously, there is no hope of improving Windows security unless Microsoft becomes better at finding and fixing flaws than the outsiders. The WMF flaw demonstrates that currently this is not the case. It also shows that Microsoft’s previous code reviews were largely ineffective, or else the flaw would have been spotted and cleaned long ago.
The key question is, how does Microsoft find flaws and how do its methods compare with those of other people? Hackers often find new flaws by learning from past ones. When a flaw came to light in the way a web server handled HTTP chunked encoding, for example, these folk started looking at the ways other web servers handled HTTP chunked encoding. Sure enough, they found new flaws to exploit.
Presumably a significant number of people also looked at earlier TIF, GIF and JPEG flaws and realised it could be worthwhile to look at other similar file formats.
Another key question is how many people Microsoft employs, full time, to do this kind of work. Unless the number of Microsoft researchers significantly exceeds the number of hackers and outside researchers, flaws will continue to be exploited before patches appear.
Over the last year or two I’ve asked most of Microsoft’s security experts these questions, and none has offered an answer. Fair enough, you might say; after all, I don’t know how the various other units in IT Week’s parent company operate. But with so much at stake, if a lot of effort was going on, I’d imagine Microsoft executives would say they didn’t know the answer but would find out and let me know. Such an offer has never been made.