After a month of security disasters, Microsoft offers new tool, progress report

Analysis
Jul 27, 20095 mins

Company underscores that applications are the new hacker favorite.

At Black Hat today, Microsoft made several announcements intended to reassure its users that it was being as transparent as humanly possible regarding security vulnerabilities. These announcements came during a month when Microsoft was forced to defend itself and its security processes like a little leaguer in a 90 miles-per-hour batting cage.

OffVis: The company has taken a lot of heat when it admitted that Office vulnerabilities are not something it can abolish. Today, the company countered by releasing a new visual analysis tool, OffVis (pictured below). OffVis examines security hacks by digging into Office binary files. The Microsoft Office Visualization Tool (OffVis) was originally created for Microsoft security researchers and anti-malware software makers to help them identify and write detection signatures. Today Microsoft has made it available to the public. It gives them a view of any Microsoft Office binary file format by hovering a curser over it. IT professionals can use OffVis for incident forensics. It can help users determine that multiple hacks actually came from the same file-level flaw, says Andrew Cushman, Security Director for Microsoft Security Response Center.

Threats to operating systems have decreased and hackers have turned to applications to worm their way in, according to the latest Microsoft analysis of its own security performance, the April 2009 Security Intelligence Report. When it came to attacks against Microsoft Office documents, the report found that 91.3 percent of attacks analyzed exploited “a single vulnerability for which a security update had been available for more than two years,” Microsoft says.

I asked Cushman why Microsoft didn’t think OffVis would actually make it easier for the bad guys to find these holes. “OffVis is making it easier for IT professionals to do what the attack community has been doing for a long time. This isn’t providing tools to them they don’t already have and it doesn’t help craft attacks, it only helps explain the file format,” he said.

Ok then. I asked him, if binary files were the new source of hacker delight, why shouldn’t enterprises abandon them and go with an open-source alternative instead, like ODF? “I would point out the Office binary file format is for older versions of Office. Office 12 and Office 14 have an XML format,” he says. When he says Office 12, he is referring to the Office that most everyone is currently using, Office 2007. For users that have upgraded to SP2, released April 2009, the standard file format is Microsoft’s notorious Office Open XML. OOXML is now an ISO standard, but the process that lead it is acceptance was beyond controversial. Office 14 is the code-name for Office 2010, which won’t be released until next year.

But Cushman also said that open source isn’t automatically more secure, “This is the old thought about how many eyes are better. Just go back and read some of Michael Howard’s blogs debunking that many eyes lead to better security.”

OffVis

Project Quant: This is a project that ultimately intends to put a price on patch management to help companies determine how best to allocate their efforts. The project is being run by vendor Securosis with Microsoft as a sponsor. Today Project Quant released a progress report which includes a 10-step model for performing patch management.

The model is about what you would expect: monitor for patches, evaluate, acquire the patch, prioritize rollout, test and approve, create deployment package, deploy, confirm deployment, clean up, document new configuration and start all over again. Those involved in the project also released a summary of a survey on how enterprises cope with security updates. Participants tended to have mature procedures in place for patching desktops and servers but almost half had no formal process for patching desktop applications. The Quant team has identified more areas to study as they march toward their goal of helping you calculate the cost of it all.

Microsoft Security Update Guide: If you’d rather, you can turn to Microsoft for its recommended patch management guide via its Microsoft Security Update Guide. The guide has been newly updated and is available for download for free. The guide helps document all the many ways Microsoft makes security informational available to users. Earlier this month, Microsoft took heat for taking about 18 months to find a fix for a critical ActiveX flaw.

Security vendor collaboration: Microsoft also gave a progress report on the two main initiatives it announced last year: the Microsoft Active Protections Program (MAPP) and the Microsoft Exploitability Index. Both were said to be working great, with MAPP helping Microsoft bring patches to users faster than ever before. This comes on the heels of announcing it would be releasing a critical out of band patch for Internet Explorer on Tuesday.

It is true that security protection requires collaboration on the part of the vendors and so the MAPP program deserves to be acknowledged in at least one area:. As of July 2009, 47 global partners have signed on to participate. Likewise, the Microsoft Exploitability Index gives users a better sense of how much panic should be allotted to news of vulnerabilities. Microsoft proudly points out that of the 140 ratings it assigned to vulnerabilities since it started the index, only one had to be revised. We’ll leave it you to decide if 140 is a reasonable number of vulnerabilities, given the breadth of Microsoft’s software offerings.

Visit the Microsoft Subnet web site for more news, blogs, podcasts. Subscribe to all Microsoft Subnet bloggers. Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.)

  • Microsoft releases Linux Hyper-V drivers but still wants to crush Linux
  • Zero-day protection
  • Microsoft utters the F-word: “free”
  • Roll your own XP-to-Windows 7 upgrade on a USB drive
  • Firefox Stays In The Game With Firefox 3.5
  • Usability Testing SharePoint Sites: A little testing can make a big difference
  • Sometimes Slower Can Be Better
  • Giveaways and goodies from Microsoft Subnet and Cisco Subnet

Follow Microsoft Subnet on Twitter