Microsoft is reflecting back on security lessons learned over the past 25 years. As one of the most targeted digital estates in the world, the company sees threats against its products up close every single day.
Cyberattacks in the early 2000s, such as Code Red and SQL Slammer, resulted in Microsoft prioritizing security in the Windows operating system and codebase. And a whole category of trivial memory corruption bugs has been eradicated, said Michael Howard, a senior director on Microsoft’s Red Team, during Microsoft’s Build developer conference last week. Secure coding initiatives have put safeguards around unsafe C library functions that caused buffer overflows. The memory corruption vulnerabilities still left are really complex and hard to find.
“In 25 years, has there actually been any progress? And the answer is absolutely, categorically, and emphatically yes,” Howard said.
The SQL Slammer worm was a wake-up call, he added. While the vulnerability was discovered in late 2002 and patched, there were enough unpatched systems to allow it to spread in early 2003. Slammer spread worldwide in just 10 minutes and caused $1 billion worth of damages, according to an analysis by researchers at the University of Houston.
That bug would never manifest itself at Microsoft today, and testing techniques like fuzzing will easily find this type of bug, Howard said.
Adopting the Security Mindset
Howard spent his early Microsoft days as a security program manager for Internet Information Services (IIS) versions 3, 4, 5, and 6. IIS 5, which shipped with Windows 2000, had security features such as PKI integration, server-side certificate integration, and server-based certificate revocation, but the product itself wasn’t secure, Howard said.
“That, for me, was a baptism of fire,” Howard said. “I was hired to work on security features. I ended up working on securing features instead.”
Howard met with Bill Gates in November 2000 and explained how vulnerabilities manifest and how attackers find them, break into systems, and take advantage of vulnerabilities. Two years later, Gates published his memo calling on Microsoft teams to prioritize security in products.
The results started showing after that. IIS 6.0 — which shipped with Windows Server 2003 in 2003 — was an absolutely “rock solid, secure platform,” Howard said.
Since then, Microsoft has implemented many initiatives to ensure safe code, including fuzzing and protections in compilers.
Technical Debt Plagues Security
But problems remain. The company’s decades-old codebase is written in C and C++, which technology leaders have identified as unsafe and the source of many security vulnerabilities.
Microsoft last year introduced the Secure Future Initiative, which has elements focusing on writing more secure code. One element champions a move to Rust, as using the memory-safe programming language can reduce the likelihood of buffer overflows in code. Google and the US government have also joined widespread calls to abandon C and C++ and move to Rust.
“It’s time we reconsidered the use of C and C++ … something on the order of 70% of security vulnerabilities we fix at Microsoft are memory safety issues,” Howard said, noting that Microsoft has already transitioned system firmware and software that manages PC hardware from C++ to Rust. “If you’re rewriting the code, you may as well write it in something that is designed from the get-go to ensure memory safety, correctness, and threat safety.”
