A long time ago I subscribed to the Microsoft “executive letter” and today I got email from Bill Gates. Really. I had to look at it twice to confirm that it wasn’t spam or some virus (ironically, since it’s a security update). Anyway, for a long time I’ve complained about how Windows ships with too many ports and services enabled by default, rather than with a more paranoid security model that would have things closed by default, rather than open. Apparently the security people at Microsoft are listening, and according to Bill…
Well, let me just quote a passage of his email:
ISOLATION AND RESILIENCY
Central to our security efforts is preventing malicious code from being able to exploit a vulnerability by isolating such code, providing more effective control over what computer processes can talk to or work with, and making systems more resilient so they are able to identify and stop suspicious or bad behavior in its tracks.
Windows XP Service Pack 2: We are working on a number of isolation and resiliency advances that address four specific modes of attack in our flagship client operating system. These will be available in late spring/early summer.
– Network Protection: Windows Firewall will be turned on by default, and global firewall settings and central administration of firewall configuration will be enabled. This reduces the “attack surface” of PCs and networks.
– Safer Web Browsing: To reduce the impact of malicious code and Web sites that can damage computers or defraud users, Internet Explorer will automatically block unsolicited downloads from Web sites as well as block unwanted pop-ups unless a user clicks on a download link. IT administrators will also be able to manage this capability to enforce a consistent policy across their organizations. In addition, wireless setup will be improved for more secure browsing on wireless home networks.
– Safer Email and Instant Messaging: To reduce the risk of attacks, we are building better file attachment handling in Outlook Express and Windows Messenger instant messaging, and offering increased customer control over downloads of external content in Outlook Express that could enable a sender to identify your computer.
– Memory Protection: Malicious software designed to exploit buffer overruns can allow too much data to be copied into areas of the computer’s memory. Although no single technique can completely eliminate this type of vulnerability, Microsoft is employing a number of security technologies to mitigate these attacks. First, core Windows components have been recompiled with the most recent version of our compiler technology to protect against stack and heap overruns. Microsoft is also working with microprocessor companies, including Intel and AMD, to help Windows support hardware-enforced data execute protection (also known as NX, or no execute). NX uses the CPU to mark all memory locations in an application as non-executable unless the location explicitly contains executable code. This way, when an attacking worm or virus inserts program code into a portion of memory marked for data only, it cannot be run.
My main reaction to all of this is “well of course, Bill. It’s about time you realized that Windows is, by default, the least secure OS in the market.”. Nonetheless, I’m particularly heartened to read that they’re going to address the background download problem in browsing Web sites within the Windows environment. I have too many friends who are innundated by spyware, malware, etc. without even knowing it’s going on. And just as much, I’m also glad to read that they’re going to fix Outlook Express. I just hope that the new version of Entourage (the Mac version of Outlook, basically) will ship with the new security improvements too. I know it’ll have a better spam filtering system (which it needs).
Anyway, it’s about time. My kudos to Microsoft for hitting the target on their roadmap. Service Pack II can’t come soon enough, in my opinion.