Microsoft Early Releases Prove Useful to Malware Creators Too

What are the security implications of the new Windows 7 beta and RC release processes? The Windows 7 beta and RC has been a resounding success so far. Windows 7's reputation with the public has certainly benefited from it, and Office 2010 looks to follow a similar type process. But the early and very public release process is helpful to more than just Microsoft and its customers. There are benefits to Malware creators too. Windows 7 was vulnerable to the conficker worm. Now Microsoft's warning against using any early unauthorized versions (such as those available for download on bitTorrent) of Office 2010, as unauthorized versions of Office 2010 floating around also have vulnerabilities that may be exploited.

Offering early access to Microsoft Windows 7 has been great for customers and Microsoft alike, but in what ways is this useful to malware writers? In theory, having such a public beta and RC gives malware creators early and easy access to prerelease code that may not be fully checked or tested for security vulnerabilities. I say "in theory" because if malware writers want access to early Microsoft code so they can find vulnerabilities and create exploit code, they can just as easily download a leaked unauthorized version of just about any Microsoft product under development. I don't believe the new Microsoft beta and RC processes effectively increases hackers' access to early code.

But there is another aspect of this which does create a window of opportunity for hackers: a much larger attack surface (users running the early software) than we've seen in previous Microsoft product release cycles. The success of Windows 7 beta and RC means there ten of thousands, maybe 100's of thousands more machines out there running early code, and early code means there's a greater likelihood of vulnerabilities existing in the software. 

Larger, more public betas also means a wider range of users will be downloading the new software. That increases the likelihood the unreleased software will be tested in the open, not in an IT or Network lab. Far fewer of the total testing population will be sandboxing the early Microsoft code, running it in a test network or staging area. 

I don't think we should panic and suddenly change course away from the improvements Microsoft has made in the cycle from beta, to RC, to released product. We still need to remain diligent and make sure any early Microsoft code we are running is sandboxed, running in a lab, as a virtualized instance, or at the very least can be blown away and reloaded at the drop of a hat.

Like this? Here are some of Mitchell's recent posts. Mitchell's Book Recommendations: Also visit Mitchell's other blogs and podcasts:

Visit Microsoft Subnet for more news, blogs, opinion from around the Web. Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.)

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2009 IDG Communications, Inc.