What we really want Bill to do about Microsoft security

I get dozens of mailings from Microsoft every week, many of which are pure marketing drivel and quickly go to my trash folder. Occasionally, though, there are nuggets – such as the hands-on security labs I mentioned last week – that can prove useful. It happens rarely, though, and this week was no exception. Still, there was one note that deserves a closer look.

In the latest Microsoft Business Insights newsletter (“a monthly newsletter highlighting the latest news and resources on using Microsoft products, technologies, and partners to help solve your line-of-business challenges,” according to the blurb at the Business Solutions Web site, https://www.microsoft.com/BusinessSolutions/) was the headline: “What Bill Gates Is Doing to Protect You from Hackers.” Well. This I had to see.

The link took me to the “Microsoft Progress Report: Security,” from Bill’s Executive E-mail at the end of March (https://www.microsoft.com/mscorp/execmail/2004/03-31security.asp).

After a lot of verbiage about the rise of worms, viruses and Trojans, Bill finally got around to telling me what he was doing to help, much of which centered on Service Pack 2 for Windows XP, due out any day now. One vulnerability, which I’ve harped on about in this newsletter, is the infamous “buffer overflow” (https://www.nwfusion.com/details/746.html). Here’s what Bill says will happen with XP SP2:

“Although no single technique can completely eliminate this type of vulnerability, Microsoft is employing a number of security technologies to mitigate these attacks. First, core Windows components have been recompiled with the most recent version of our compiler technology to protect against stack and heap overruns. Microsoft is also working with microprocessor companies, including Intel and AMD, to help Windows support hardware-enforced data execute protection (also known as NX, or no execute). NX uses the CPU to mark all memory locations in an application as non-executable unless the location explicitly contains executable code. This way, when an attacking worm or virus inserts program code into a portion of memory marked for data only, it cannot be run.”

While that might seem commendable (and it probably does deserve a cheer along the lines of “it’s about time!”), the “NX” technology doesn’t prevent crackers from exploiting buffer overflows; it only makes it more difficult. The cracker will have to be sure that the exploit code overwrites existing executable code. Crackers generally have lots of time to find that information, and willingly share it among themselves.

What we really need are better programmers, Bill. We need programmers who take the time to put in the bounds checking and error handling that’s necessary to catch buffer overflows before they’ve had time to insert malicious code and without crashing the machine, which would simply lead to more denial-of-service attacks. It’s not difficult, it doesn’t require an advanced degree in security services; it just requires dull grunt work on the part of the application coders, designers and managers to see that all avenues for exploits are cut off. Tell us how you’re going to do that, Bill.
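
The bounds checking and error handling asked for above, shown as an added example that is not part of the original column. It assumes a constructed one-byte-length message format; `read_name_unchecked`, `read_name_checked` and `NAME_CAP` are hypothetical names. The checked reader turns a bad message into an error code rather than an overflow or a crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16 /* destination size in bytes, including the NUL */

enum copy_status { COPY_OK = 0, COPY_TRUNCATED = -1, COPY_TOO_LONG = -2 };

/* Constructed wire format (assumption): 1 length byte, then that many name bytes. */

/* Unchecked: trusts the sender's length byte, so a length of 20 writes past
   the 16-byte buffer. Shown for contrast only; nothing here calls it. */
void read_name_unchecked(char *dst, const uint8_t *msg)
{
    memcpy(dst, msg + 1, msg[0]);
    dst[msg[0]] = '\0';
}

/* Checked: both lengths are validated before any byte is written, and a bad
   message becomes an error code for the caller instead of a crash. */
enum copy_status read_name_checked(char dst[NAME_CAP], const uint8_t *msg,
                                   size_t msg_len)
{
    if (msg == NULL || msg_len < 1)
        return COPY_TRUNCATED;
    size_t claimed = msg[0];
    if (claimed > msg_len - 1) /* claims more bytes than were received */
        return COPY_TRUNCATED;
    if (claimed >= NAME_CAP)   /* would not fit together with the NUL */
        return COPY_TOO_LONG;
    memcpy(dst, msg + 1, claimed);
    dst[claimed] = '\0';
    return COPY_OK;
}

/* Constructed samples; each array also holds a trailing NUL, hence "- 1". */
static const uint8_t MSG_GOOD[]  = "\x05" "alice";
static const uint8_t MSG_LONG[]  = "\x14" "AAAAAAAAAAAAAAAAAAAA";
static const uint8_t MSG_SHORT[] = "\x09" "bob";

int main(void)
{
    char name[NAME_CAP] = "";
    printf("good=%d long=%d short=%d\n",
           read_name_checked(name, MSG_GOOD, sizeof MSG_GOOD - 1),
           read_name_checked(name, MSG_LONG, sizeof MSG_LONG - 1),
           read_name_checked(name, MSG_SHORT, sizeof MSG_SHORT - 1));
    return 0;
}
```

The oversized and truncated messages leave the destination buffer untouched, so the caller can log the error and drop the message while the service keeps running.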