- Nokia's new N97 vs. the iPhone
- 10 Microsoft research projects
- Hard to get justice in MySpace case
- Smartphone smackdown: Storm vs. iPhone
- Apple removes antivirus support page
BOSTON -- Microsoft's U.S. general manager/chief security advisor for its National Security Team thinks like a true security professional: In every bit of good news, Bret Arsenault wonders what bad news could be lurking behind it.
Speaking at the Boston SecureWorld conference Wednesday, the 19-year Microsoft veteran whose job includes protecting enterprises, developers and Microsoft itself said there actually is plenty of good news on the security front. For example, his outfit scans a half million devices (with customer permission) per month and in the first half of last year saw the first period-over-period decline in new vulnerabilities disclosed across Microsoft and non-Microsoft software since 2003.
However, 3,400 new vulnerabilities were discovered and “it’s still a big number,” Arsenault says. “So if vulnerability rates are down, where are they?”
One trend that pops out is that attackers are increasingly laying off operating systems and exploiting applications instead. One reason for this, Arsenault says, is that vendors like Microsoft, Apple and Red Hat have done a good job in recent years securing the IP stack and operating system.
Arsenault pointed out that the first operating system hardening guide Microsoft wrote for Windows 2000 came 18 months after shipment of the product; the next (for XP Service Pack 2) was within 90 days of product shipment. With Vista and other new products, Microsoft ships the hardening guide along with the product. “On the application side, on the other hand, we’re very far behind,” Arsenault said (though he said the Office 2007 hardening guide is very solid, even if it did take a year-plus to release it).
“You have your classic arms escalation race between the hackers and the people who are trying to protect [software], so [the hackers] go after the easiest target that’s least protected,” Arsenault said. “The application space is the next space in the model they’re going after,” and he sees this continuing to be the case for at least the next few years. And Arsenault is talking about Office as well as CRM, ERP and other programs that contain the sorts of data that financially motivated hackers crave.
“This is not a problem that people should be thinking is just an Office problem,” he said. “It’s anybody who uses file formats that are not XML based going forward.” Adobe, Corel and Google are among others facing similar challenges, Arsenault said.
Rss FeedRss Feed
Partner Content
SMART Steps Toward Consolidated Workload Automation
Consolidating job scheduling into a single, comprehensive workload automation solution is a critical first step to effective workload automation (WLA).
White paper on WLA here
A Comprehensive Approach to Practicing ITIL Change Management
Read a compelling whitepaper by EMA, Inc. to learn best practices for integrating workload automation.
Whitepaper here
2 Minutes to IT workload automation
BMC CONTROL-M can put money back into your IT budget and strip the complexity and risk from workload automation.
View video here
Gain a faster, cheaper way to manage workload
BMC CONTROL-M can help you migrate to a workload automation solution to meet your organization’s goals.
Listen here for more info
Comments (3)
Let's get realBy Anonymous on March 27, 2008, 10:04 amThis group is suppose to protect Microsoft, ie, the end users. But with every new release, there seems to be more bugs/security risks. What is there process? release,...
Reply | Read entire comment
airbags?By Anonymous on March 27, 2008, 9:43 amHe's actually going to spend major bucks to put airbags in a 16 year old Toyota???
Reply | Read entire comment
Microsoft's chief security dude fears the new stuffBy Microsoft Subnet on March 26, 2008, 7:48 pmThe comment by Microsoft's Bret Arsenault is classic. He is concerned about security issues with Web 2.0, Web services and software as a service. “They all...
Reply | Read entire comment
View all comments