On an occasional basis, Microsoft executives answer your questions through SearchWindowsSecurity.com's "Ask Microsoft …" These questions were answered by the software maker's Security Business Unit Team.
If security is such a hot topic with your company, why don't you have a virus scanner built into your operating system? I know other people have asked this, but I have yet to see an answer from Microsoft. -- Jeff Heiden
We are committed to providing software and services that will help better protect our customers and the industry. One of the things that our own internal research shows is that there is still a large minority of PCs where customers aren't running antivirus software with the latest signatures. As a result, we recently released Windows XP Service Pack 2 that includes the Windows Security Center, in which antivirus technologies from third-party antivirus vendors become seamlessly integrated for the customer and customers can quickly monitor the status of their AV software. We continue to work with industry partners on this where appropriate. As for developing our own antivirus software, we did acquire the assets of GeCAD last year and have used this know-how to help develop cleaner tools for some of the major viruses and worms such as Blaster and Sasser. We are not in a position to announce our plans around developing our own antivirus offering. -- Gytis Barzdukas, director of product management, Microsoft Security Business & Technology Unit
Why can't you make a switch that says, "No system updates allowed"? This way, a virus could not make changes to your system. When you want to update something -- like add/remove programs -- you could choose "allow updates" or "turn off updates." -- Tobe Perry
For Microsoft, it is always a balance between security and functionality. What you describe would severely limit the ability for applications to do some of the neat and cool things that PCs can do. Still, in some ways with Windows XP SP2 we have done what you describe, though at a slightly more complex level. We have used multiple layers of isolation and resiliency to insulate a system and limit the impact of malicious software. A good way to understand this is to use an attack such as Blaster as an example. First of all, let's be clear that SP2 protects against Blaster, as the update for the vulnerability is included in the service pack. But in order for Blaster to be successive it needed to exploit multiple vulnerabilities, and SP2 was designed to close off these vulnerabilities for Blaster or other similar attacks. For example, even if the update weren't included, the Windows Firewall is on by default in SP2. This change blocks the ports required to exploit such vulnerability. However, even if the firewall weren't on, the configuration changes to RPC/DCOM that were implemented in SP2 would have protected the PC by denying unauthenticated request DCOM, and this exploit would have been mitigated. But even if we hadn't made this configuration change to DCOM, the GS flag change in SP2 would have prevented Blaster by preventing the unchecked buffer from being exploited. In this way, SP2 provides multiple layers of defense against attacks. -- Gytis Barzdukas, director of product management, Microsoft Security Business & Technology Unit
How can products continue to roll out your doors with buffer overflow vulnerabilities? Setting a sentinel to guard boundaries should have been learned in Programming 101! -- Gene Mountjoy
Security is not a quick-fix solution -- we realize that improving security requires fundamental shifts in the way we develop code and build products internally. Microsoft has invested in internal training and we are mandating ongoing process changes, which have begun to pay off with measurable improvements in the security of newer versions of our software. For example, the GS flag change we instituted in Windows XP SP2 should limit the impact of buffer overruns that still exist. We have also done security reviews of all our software to root out any buffer overruns that still may exist. However, because no software will ever be 100% secure, processes and awareness of new developments and procedures are a key part of an overall security strategy. We are helping customers through prescriptive guidance, education, training and responsiveness to their issues. This is a long-term initiative, but we have every confidence that our efforts will result in helping our customers and the industry be more secure. -- Gytis Barzdukas, director of product management, Microsoft Security Business & Technology Unit