Trustworthy Computing with Mike Nash
Published: December 11, 2003
Please note: Portions of this transcript have been edited for clarity
Introduction
Host: Mike_Nash (Microsoft)
Hello and welcome to the monthly TechNet chat on security
Moderator: Jerry_B (Microsoft)
Welcome to today's Chat. Our topic is Trustworthy Computing with Mike Nash. Questions, comments, and suggestions are welcome.
Host: Mike_Nash (Microsoft)
Hi, my name is Mike Nash and I am the corporate vice president of the security business unit.
Host: Mike_Nash (Microsoft)
I want to welcome you all to our monthly security web chat.
Host: Mike_Nash (Microsoft)
Today we can talk about any topic related to security and Microsoft products.
Host: Mike_Nash (Microsoft)
I am joined today by a team of security experts here in Redmond who help me answer questions and track your feedback.
Host: Mike_Nash (Microsoft)
These are usually great sessions, so please get the great questions coming.
Moderator: Jerry_B (Microsoft)
Welcome everyone, let's get started!
Start of Chat
Host: Mike_Nash (Microsoft)
Q: Alpha Allen asks: What are the main changes being implemented in XP SP2 to start the wave towards trustworthy computing that's being placed in Longhorn?
A: Great question Allen. With Windows XP SP2 in addition to our continued focus on quality, we are focusing on ways to block malicious code from attacking machines.
Host: Mike_Nash (Microsoft)
Blaster taught us that with the right mitigations, malicious code can be stopped even if the vulnerability exists in the software.
Host: Mike_Nash (Microsoft)
The example in the case of Blaster is that if the user had the Internet Connection Firewall turned on, then Blaster could not attack the system even if the user never installed a patch.
Host: Mike_Nash (Microsoft)
So for Windows XP SP2, we looked at other things like ICF that we could use to block malicious code.
Host: Mike_Nash (Microsoft)
For XP SP2, we are focusing on four areas: 1. making ICF compatible in more situations, 2. blocking malicious code in attachments to email and IM where possible, 3. making web sites safer, and 4. using memory protection to stop some buffer overruns.
Host: Mike_Nash (Microsoft)
Two questions from CK:
Host: Mike_Nash (Microsoft)
Q: 1. There is a vulnerability in IE, that when you go to a web page with a fully patched IE, it downloads an EXE and runs it.
A: Great question CK. We are currently investigating this report. There is currently no report of customers being exploited by these alleged vulnerabilities.
Host: Mike_Nash (Microsoft)
Q: CK's second question is why didn't Microsoft put any patches out this month.
A: Another great question. As part of our regular patch release process, we release patches where we have a verified vulnerability and a well-tested patch that addresses that vulnerability. This month we didn't have any patches in that category.
Host: Mike_Nash (Microsoft)
Q: Bitz : I read the new Win2k3 network quarantine document. Are there plans to either make that a more pictorial document or make it more wizard driven in the future? [I'm a wizard gal]
A: Bitz, this is great feedback. A picture would be very helpful. If you send me your email address (send it in mail to mikenash@microsoft.com) I will make sure that you get an email when we update the paper.
Host: Mike_Nash (Microsoft)
Q: Mbrierley asks : With the number of patches for Windows OSes (most being security patches), we are unable to maintain the uptime required by our management. This has caused them to start looking at Linux as an alternative in some instances. What are your
A: This is great feedback. We are working hard to reduce the number of patches for Windows.
Host: Mike_Nash (Microsoft)
Certainly there are much fewer patches for Windows than for other platforms, but we realize that we need to be doing even better.
Host: Mike_Nash (Microsoft)
This is the key reason behind the Trustworthy Computing Initiative. The early results here are showing a trend in the right direction.
Host: Mike_Nash (Microsoft)
For example, Exchange 2000 SP3, which went through a security push for its July 2002 release, has had just 1 security patch in the 17 months since the release vs. 6 in the 17 months before.
Host: Mike_Nash (Microsoft)
We had a similar experience with SQL Server 2000 SP3. In the 10 months before we shipped SQL Server SP3, we had 11 security patches; in the 10 months after SP3, we had just 2.
Host: Mike_Nash (Microsoft)
For Windows Server 2003, in the first 180 days after we shipped Windows Server 2003 (which went through a security push) we had only 6 bulletins that were either critical or important.
Host: Mike_Nash (Microsoft)
This compares to 21 patches in the 180 days after we shipped Windows Server 2000 in Feb of 2000. While there were other patches for Windows Server 2003, they were of lower severity because of default configurations in the system.
Host: Mike_Nash (Microsoft)
For Windows XP, our focus is on SP2 where we are adding some mitigation technologies (that I described earlier) to help prevent attacks.
Host: Mike_Nash (Microsoft)
The idea here is to make it so that even if there is a vulnerability, you can be safer from attack without the patch.
Host: Mike_Nash (Microsoft)
I do think that people may still want to deploy patches, but the need to do it on a fast schedule will be reduced.
Host: Mike_Nash (Microsoft)
Q: paul628 : When I installed Visual Basic .NET 2003 Standard on my WinXP it seems that a new WinXP user account (called “ASP.NET Machine A…”) was created during the installation. Is that normal or do you think that new account was caused by a virus?
A: The account is a low-privileged account used solely by ASP.NET worker processes.
Host: Mike_Nash (Microsoft)
Q: Christian_Hougardy_MVP : Mike, the problem is not that there were no patches, the problem is that there was no communication about it. I know IT's who were waiting for the release....and no release...
A: It's great feedback Christian. We need to do better at communicating this. It's not an easy problem. We use the email alert service to email people when we have a patch. We were being careful not to spam people by saying "there is no patch."
Host: Mike_Nash (Microsoft)
I do appreciate the feedback.
Host: Mike_Nash (Microsoft)
Q: paul : In the last 2 months, there was a bug where you could use adodb.stream to download+execute code by overwriting wmplayer.exe (did this get patched in November? or is this still unpatched?)
A: In November, we released a patch that addressed all known vectors at the time. As new reports come in, we continue to investigate them.
Host: Mike_Nash (Microsoft)
Q: How granular will the controls be in XP sp2 to allow me to leave it on inside my lan. Currently with the sp1 ICF I cannot leave it on inside my office and have my desktops function properly. I would like to have more protection at my desktops.
A: The new firewall is much more configurable than previous versions of Windows XP; you can allow certain _applications_ through the firewall, and allow unrestricted traffic on your local subnet.
Host: Mike_Nash (Microsoft)
The other good news here is that you can use group policy to control the configuration in an enterprise.
Host: Mike_Nash (Microsoft)
Q: MowGreen : Why doesn't Microsoft inform visitors to Windows Update that they should temporarily disable their antivirus programs and any script blocking component of it PRIOR to attempting to download and install updates/patches?
A: We don't believe customers should disable defensive mechanisms unnecessarily in their day-to-day tasks.
Host: Mike_Nash (Microsoft)
Am I missing something here?
Host: Mike_Nash (Microsoft)
Q: Christian_Hougardy_MVP : Mike, what about the new SUS ?
A: Great question.
Host: Mike_Nash (Microsoft)
As you may know, we currently have a technology called "Software Update Services 1.0" sometimes called SUS 1.0
Host: Mike_Nash (Microsoft)
SUS 1.0 is similar to Windows Update except that it's designed for enterprises that want to decide what patches to bring into their environment.
Host: Mike_Nash (Microsoft)
Last summer, we updated SUS 1.0 to support service packs since customers told us they needed an easier way to deploy SPs.
Host: Mike_Nash (Microsoft)
We are currently working on a new version of SUS that we call SUS 2.0
Host: Mike_Nash (Microsoft)
SUS 2.0 extends the concept of SUS to a broader set of Microsoft products.
Host: Mike_Nash (Microsoft)
Our initial focus here will be Exchange, SQL Server and Office (and of course Windows)
Host: Mike_Nash (Microsoft)
Q: Dinis : For example, most networks that I know have almost no defenses for internal attacks (their desktops have no firewalls, or IPSec policies) so a malicious user (or a worm) could easily compromise hundreds of boxes (including servers)
A: Great comment Dinis - inside Microsoft we make great use of security technologies to protect our digital assets. A paper entitled "Security at Microsoft" describes some of these techniques. Take a look:
Host: Mike_Nash (Microsoft)
http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.mspx
Host: Mike_Nash (Microsoft)
There are a lot of questions about Microsoft's strategy around AV.
Host: Mike_Nash (Microsoft)
As we have said in the past, it's very clear that companies like Symantec and NAI are doing a great job of helping our customers to be more secure with their AV technology. These are great partners who we work closely with.
Host: Mike_Nash (Microsoft)
As you know, in June we announced our intent to acquire the assets of GeCAD, an anti-virus company in Romania. In the meantime we have completed this acquisition.
Host: Mike_Nash (Microsoft)
The reason that we are investing in this area is that there are some customers who are currently not protected by AV either because they don't have AV or their signatures are not up to date.
Host: Mike_Nash (Microsoft)
We want to give customers another choice to be secure, but will continue to partner with companies like NAI and Symantec.
Host: Mike_Nash (Microsoft)
As we have said, our current plan is to offer AV for a fee. Our plans to ship this technology are not final. When our product plans become more final, we will announce our plans.
Host: Mike_Nash (Microsoft)
Q: ck : There is a vulnerability in IE, that when you go to a web page with a fully patched IE, it downloads an EXE and runs it... I'm wondering why MS didn't put any patches out this month? Are we going to have to wait till Jan to get this patched?
A: Microsoft is investigating public reports of possible vulnerabilities in Internet Explorer.
Host: Mike_Nash (Microsoft)
Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly patch release process.
Host: Mike_Nash (Microsoft)
Currently we have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports.
Host: Mike_Nash (Microsoft)
Security response requires a balance between time and testing, but Microsoft will only release a patch - when warranted - that is as well engineered and thoroughly tested as possible - whether that is a day, week, month or longer.
Host: Mike_Nash (Microsoft)
In security response, an incomplete patch can be worse than no patch at all if it only serves to alert malicious hackers to a new issue.
Host: Mike_Nash (Microsoft)
Hope this helps.
Host: Mike_Nash (Microsoft)
Q: Dinis : Mike, I read that document. It would be nice to know more technical details about that project (including the IPSec polices used)
A: Sorry for the delay in replying Dinis.
Host: Mike_Nash (Microsoft)
The IPSec policies are actually very simple. They are used to mitigate one major threat, by limiting which machines can communicate with sensitive resources, such as human resources information.
Host: Mike_Nash (Microsoft)
For example, computers in a specific domain can access other sensitive computers, and this is enforced at the network layer. Once a machine has been authenticated, then normal user access controls (logon policy and access rights policy) apply.
Host: Mike_Nash (Microsoft)
IPSec is also used to provide integrity and data secrecy; this is generally less of a threat, but we get that mitigation for free by using IPSec!
Host: Mike_Nash (Microsoft)
Q: Christian_Hougardy_MVP : Mike, we are slowly coming to our monthly question about patching illegal versions. Did you change your mind about it, or do we have to ask again ?
A: This is a hard question Christian. We have not changed our mind here. People with illegal copies cannot get updates from WU.
Host: Mike_Nash (Microsoft)
That said, they do have the option to get the patch from the download center. This is a technical loophole, however.
Host: Mike_Nash (Microsoft)
We do expect people to pay for the software that they use. What would you think about us offering a customer the ability to buy a license from Microsoft when we detect a pirated copy? What do you think?
Host: Mike_Nash (Microsoft)
Q: fastflyer28 : what is your present security position on the IE exploits that a chinese researcher found in the past week?
A: We are currently investigating the reports, and at the same time we are disappointed that reports were posted publicly before we had a chance to respond, which put our customers at risk.
Host: Mike_Nash (Microsoft)
Q: KenS : Mike, When can we expect to see WinXP SP2 released?
A: We expect to release SP2 in the first half of 2004.
Host: Mike_Nash (Microsoft)
Q: AlphaAlien : What kind of preventative measures are being placed in Click Once to avoid more issues like ck mentioned?
A: For those who do not know, Click Once is an upcoming technology to ease the deployment of .NET Framework applications through the web. It is designed to run .NET FX applications safely within the Code Access Security sandbox.
Host: Mike_Nash (Microsoft)
If an application needs to run outside the sandbox, it displays a dialog asking the user if they want to install the application and allow it to run unrestricted on the machine.
Host: Mike_Nash (Microsoft)
The focus of the group designing this component is to ensure that the correct decisions are made about running the application.
Host: Mike_Nash (Microsoft)
We cannot ensure that there will be no bugs, but security is the highest priority of this group and they are well aware that we have to implement this feature correctly.
Host: Mike_Nash (Microsoft)
Q: Dinis : It is almost impossible to write workable and meaningful Web applications in a Partial Trust. Will Microsoft change the current version of the .NET Framework in order to allow the creation of secure Web hosting environments?
A: This is a great question.
Host: Mike_Nash (Microsoft)
We really need feedback.
Host: Mike_Nash (Microsoft)
It is very challenging to find useful but safe ways to increase the functionality available to Partial Trust applications.
Host: Mike_Nash (Microsoft)
You are correct that we are working hard to add more functionality in this area, but this will not show up until version 2.0.
Host: Mike_Nash (Microsoft)
Also, it is unfortunate if ISPs are allowing customers to run with Full Trust because Partial Trust is not useful to their customers.
Host: Mike_Nash (Microsoft)
If you have any information about what people feel are the critical missing pieces, you can mail JeffCoop@microsoft.com, who will forward the information to the .NET Framework teams.
Host: Mike_Nash (Microsoft)
We are really interested in customer feedback in this area.
Host: Mike_Nash (Microsoft)
We are about out of time today.
Host: Mike_Nash (Microsoft)
I really appreciate the questions and can't believe that an hour is up already.
Host: Mike_Nash (Microsoft)
If you have any other questions, please feel free to contact me at mikenash@microsoft.com
Host: Mike_Nash (Microsoft)
I look forward to your questions.
Host: Mike_Nash (Microsoft)
Thanks again and I will talk to you next month!
Host: Mike_Nash (Microsoft)
Happy Holidays everyone...have a safe 2004.
Moderator: Jerry_B (Microsoft)
Thanks for joining the chat today everyone. See you next time!
For further information on this topic please visit the following:
Newsgroup: http://www.microsoft.com/technet/community/newsgroups/security/default.mspx