CodeRed, Nimda and Blaster. These high-profile worms, which exploited flaws in Microsoft's Windows OS (operating system) and other applications, made the software giant the butt of security jokes and forced the company to re-examine its approach to developing secure software.
That was then. With the commercial release of Vista just months away, Microsoft's efforts to improve security are now showing results, according to security experts attending the HITB (Hack In The Box) security conference in Kuala Lumpur, Malaysia, this week.
"Microsoft has done a lefthand turn in its business and said, 'Right, we've got to start building secure applications,'" said Mark Curphey, vice-president of professional services at McAfee's Foundstone division. "The firm has implemented a very rigorous process across its organisation, and now it's starting to see the benefits of that."
The progress that Microsoft has made can be seen in recent versions of software, such as IIS (Internet Information Services) 6.0, which has had one high-risk vulnerability uncovered, Curphey said.
"Microsoft has done a lot better," said Bruce Schneier, the chief technology officer of Counterpane Internet Security.
Curphey and others credit Microsoft's SDL (Security Development Lifecycle) software-development process with reducing the number of design and coding errors that lead to security vulnerabilities. "We spent a long time trying to reorganise our whole development process so that all of Microsoft's products, particularly the Windows OS, are reoriented to have security engineering at its core," Hellen said.
To some degree, Windows XP Service Pack 2 and Windows Server 2003 demonstrate how SDL has helped Microsoft improve the security of its products. "But it's really only in Windows Vista that we've been able to implement this in a comprehensive way," Hellen said, adding that there is room for further improvement.
One security improvement that has yet to be made to Windows Vista is a defence against Blue Pill, a prototype technology that uses hardware virtualisation to install undetectable malware on a computer running the OS.
Blue Pill, developed by Polish researcher Joanna Rutkowska, was first demonstrated using the second beta release of Vista. However, the latest pre-production release of Vista, called RC1, does not include defences against it, Rutkowska said, adding she was "surprised" by the omission.
Microsoft gets credit for improving the overall security of its products, but the security industry insists more can be done. However, users must first decide if the company's progress in this area is sufficient. "If we think it's enough, we're done. If we don't, then we have to do more," Schneier said. "Microsoft is going to fix the problem to the limit of its economic losses."
One option is to make vendors liable for the economic risks of the security vulnerabilities that users face – something that's unlikely to happen, given the current political environment, Schneier said. "If we want more security, we have to raise the cost of not having it," he said.