Holes in Microsoft software leaves businesses worldwide open to extortion and fraud, the company's top security expert has admitted.
Speaking at the e-Crime Congress in London on Tuesday, David Aucsmith, CTO of Microsoft's Security Business Unit, confessed that he is considered a target for complaints against his company's software. But he stressed that many of the current security issues could not have been foreseen.
Windows 95 was written without a single security feature, he said, as it was designed to be totally open to let users connect to other systems. Furthermore, the security kernel of the Windows NT server software was written before the Internet, and Windows Server 2003 software was written before buffer overflows became a frequent target of recent attacks, he explained.
"Almost all the attacks on our software are legacy attacks and the points of the system that can talk to older versions of our software," Aucsmith said. "If you want more secure software, upgrade." He claimed the current security threats were a consequence of the changing software industry and more sophisticated cyber criminals, than of particular neglect by vendors.
Microsoft is working diligently to address security issues, he said, by working closely with law enforcement authorities and changing its patching procedures. Much of the threat, he warned, comes from criminals who are making a career from high-tech crimes such as hacking, extortion and fraud. "We are under attack," he stressed.
"Since the Sobig virus hit in October of last year, we have yet to see a virus or variant without an element of financial gain," he pointed out - for example, bugs that seek users credit card information. What's more, cyber criminals are becoming increasingly efficient at reverse-engineering software patches to discover and then exploit vulnerabilities, he said.
The time between the release of a patch and the creation of an exploit has dwindled dramatically. The Nimda virus, which was discovered in September of 2001, surfaced 331 days after a patch was released, while the latest exploit of a Windows component called the ASN.1 Library was created within three days of the patch being released, Aucsmith said.
Hackers have the advantage of not having to test their exploits, which allows them to move faster than vendors who must perform rigorous testing to ensure that their patches don't break users' systems, he said. But, despite the flood of attacks against Microsoft's software only once has it suffered a so-called "zero-day" attack, in which an unknown and unpatched vulnerability is exploited, Aucsmith said. "The vast majority of attacks occur after the patch is available."
However, the problem is made worse by sophisticated hackers tools available freely on the Internet. One such tool available now automatically reverse-engineers patches, creates an exploit and launches attacks, Aucsmith revealed, allowing any non-tech savvy user to become a potential cyber criminal. "These tools are so good I'm afraid we'll see more zero-day attacks," he warned.
According to a survey also released yesterday by the National Hi-Tech Crime Unit, UK businesses are estimated to have lost billions of pounds last year due to computer crimes and they are not alone. Businesses worldwide are grappling with increasingly sophisticated cyber threats.
While law enforcement officials are encouraging users to report cyber crime and do what they can to shore up their systems, vendors say that they are doing their part to make their products more secure. Besides encouraging users to upgrade to more secure versions of its software, Microsoft is working on improving its patching procedures, Aucsmith said.
The company has already switched from a weekly to a monthly patch release cycle to reduce user work, and is working on delivering a regular Microsoft Update that includes fixes to all its software instead of the current Windows Update patch.
Additionally, Microsoft plans to make all of its patches reversible, in case users want to unapply them. Plus, patches that can be applied without having to reboot systems are on their way, he said.