Microsoft is Getting It

I learned through Slashdot that Microsoft held its third Blue Hat Security Briefings. They also have a Blue Hat Blog. Reading this article, and considering that this is the third Blue Hat, it sounds to me like Microsoft is taking security seriously. It's been over over four years since Bill Gates issued his famous security memo. What's happened since then?


With Blue Hat, Microsoft is listening to the top public security researchers who are breaking Windows. Halvar Flake at Black Hat Federal 2006 says it is getting tougher to find vulnerabilities in Windows. I reported that a talk I saw on Vista at RSA 2006 impressed me. The company is incorporating good security practices like least privilege and privilege separation, already found in Unix OS' and tools. Microsoft is publishing books like Writing Secure Code, 2nd Ed, Hunting Security Bugs, and The Security Development Lifecycle. The company has a group which has the power to stop shipment of software due to security concerns, and it has exercised that power already.

All of these factors are going to make a difference when Vista is released. I plan to buy a new laptop running Vista (and dual-booting FreeBSD) when the new OS is available. I am optimistic, but we'll have to see what sorts of security advisories Microsoft releases once Vista ships.

I believe that threats are going to shift their attention to the infrastructure surrounding Microsoft. We've already seen that with attacks on applications. The next target will be network infrastructure, especially so-called embedded devices and appliances. These products suffer the sorts of vulnerabilities seen in Microsoft products of the past. I saw Barnaby Jack's latest presentation and his compromise of an embedded consumer grade router scared the heck out of me.

Stay tuned.