Tuesday, April 24, 2012

What security issues must be resolved now which cannot wait for the next version of Windows® to arrive?

A recent discussion in my Operating Systems class prompted an interesting response on my part about what the main security issues afflicting Microsoft's systems are. Here's my 2 cents:

The most common threats to Microsoft systems on the consumer and business side come through Internet Explorer and Microsoft Office vulnerabilities. This month's Microsoft Security Bulletin contains critical updates that patch various vulnerabilities across all releases of the Windows OS for Internet Explorer versions 6 through 9 and Microsoft Office versions 2003 through 2010 SP1. The less visible critical updates are for the .NET Framework, which supports interactive sessions with users through browser windows. They are related to the Internet Explorer issues, in which an attacker can execute remote code by having a user visit a spoofed website and/or click on a link or banner that contains the malformed code. What I find interesting in this month's report is that the majority of the notices that Microsoft put out have to do with the same vulnerability, namely the ability to allow an attacker to remotely execute code through a browser session. As many of my classmates have mentioned in their posts this week, this is part of the evolution of operating system software in particular. Microsoft spends millions of dollars and thousands of man-hours developing, and hardening, their kernels. With a user base of Microsoft software reported at over 1 billion users worldwide, there are only so many scenarios that can be built into software testing labs, making it impossible to correct every problem before the product is released to manufacturing. Plus, many of these users have advanced knowledge of systems and software and can find vulnerabilities under scenarios impossible to test for under lab conditions. A lot of these users report those vulnerabilities to the development team so a patch can be created and released to the masses; other vulnerabilities are not found until a virus or some malware is put into the wild to exploit them.
Security companies like Symantec and McAfee use intuitive software to track these attacks and inform the developers of the issues while generating their own patch, or cure as it were, for the impending exploit. In the case of major global attacks, Microsoft works with the security companies and government entities to create a cohesive solution that not only cures infected systems but also protects unexposed systems from future exploitation.

Given the great investment it takes to create a major operating system release, patching makes the best sense for providing important updates to a system without disrupting the flow of user adoption and education on best practices. In some instances, such as when a system issue involves deadlocked processes, a workaround could be implemented, such as adding a forced delay in processing time for processes competing for the same resource. This is why some of the Windows Updates sent out are related to changing registry values or adding a batch file to effect a process workaround while the development team evaluates whether this is an isolated or potentially widespread issue. If they determine that the issues can be replicated over a majority of the systems, then they will create a patch to permanently change the process and resolve the condition; otherwise they will leave the workaround in place for the limited cases that do come up under unusual scenarios.

What do you think? Am I on point, or way off base?

~Geek
