Microsoft Security Goes on Offensive
Company adds new tools to SDL for developers. Plus: Windows Live Messenger update is mandatory; researcher says third-party vulnerabilities, attacks to outpace Windows attacks.
In Microsoft's latest effort to tout its Security Development Lifecycle program, the company on Tuesday released new tools that allow app developers to incorporate and embed a security architecture into their Windows processing environments.
Part of the update is a new tool, still in beta, called Attack Surface Analyzer that the software giant says "helps developers and IT pros identify whether newly developed/installed applications inadvertently change the attack surface of a Microsoft operating system." Simply put, it analyzes the threat environment and the Windows operating system's integrity against nasty bugs that are either inside software code or exploitable during an implementation of a third-party app. Microsoft will also announce other tool updates for Threat Modeling and BinScope Binary Analyzer as it takes part in the Black Hat confab in Washington, D.C., later this week.
Related to that, Redmond also announced that it would begin offering "SDL consulting services," which Microsoft contends will give folks an opportunity to fully understand what they want to get out of the SDL experience. It kicks off in February.
Windows Live Messenger Update No Longer Optional
Microsoft will be issuing "minor changes," including security tweaks, for Windows Live Messenger later this week. According to this blog post, the required update is rolling out in 48 languages and will include a set of "important security updates, performance improvements and targeted bug fixes."
The update was originally released last May as an option, but now it's mandatory. The thinking here is that because XP is no longer supported, unpatched XP bugs could make a Windows Live Messenger session running on XP vulnerable to attacks.
Researcher: Microsoft products comparatively safe
Security experts have said for a while now that Windows OS-level attacks are few and far between and that the new frontier of exploits would come at the browser level (Internet Explorer) or the third-party application level (Adobe Systems products, for instance).
Danish security vendor Secunia has released its latest data backing up that assertion. According to its latest numbers, Secunia said that last year PC users saw on average four times more vulnerabilities originating from third-party products than from Microsoft applications.
Stefan Frei, Research Analyst Director for Secunia, said in his blog that Microsoft products are comparatively safer because of the company's frequent patching process. "Unfortunately many users and IT administrators/security teams do not prioritize timely deployment of security updates," Frei wrote, adding that although the threat level continues to grow, third-party programs are still not yet perceived as the preferred attack vector by non-security staff at organizations running Windows. As well, Frei said that for some vendors other than Microsoft, security updates are complex to navigate and deploy even among IT experts who are generalists, such as systems admins who don't typically have security expertise.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.