Is WMF an intentional MS backdoor?

Security Now! Transcript of Episode #22

In a recent edition of Security Now!, Steve Gibson details why he believes Microsoft intentionally introduced the WMF feature responsible for last week’s zero-day vulnerability. Gibson is now on a quest to discover exactly when this feature made its way into Windows and who is responsible for it. This is particularly troubling when taken in context with Microsoft’s ambition to enter the security services market, something I’ve talked about before. I’ll definitely be keeping my eye on this one.

Update: Despite the stir Gibson’s claims have created, it would seem his argument is without merit. The story has been debunked by at least 2 people in the community. Stephen Toulouse, Communications Manager for security response at Microsoft (i.e., media frontman for MS Sec), posted his answer to various questions about the WMF feature on the MSRC blog. Thomas C. Green also posted a blistering critique of Gibson’s story, completely ripping it to shreds. Green’s not exactly friendly to Microsoft either, for that matter…

MSPR giving Trustworthy Computing a bad name

InformationWeek | Security | Microsoft Dubs New WMF Bugs ‘Performance Issues’ | January 10, 2006

The Trustworthy Computing initiative has been a mostly positive thing for Microsoft’s customers, but every once in a while, you really have to wonder if it’s all a PR game. In reality, the guys on the TC security team are doing a great job. It’s the company’s PR machine that needs to be told to shut up once in a while.

SPAM and the future of e-mail

SPAM or UCE (unsolicited commercial e-mail) is a growing problem that has been plaguing the internet since the U.S. government turned over control to the private sector. I was reading one of my favorite hardware sites, [H]ardOCP, when I came across this thread on their forum. What struck me was how misunderstood this problem is. SMTP, the protocol that defines how mail is sent and received, is entirely open. This is both good and bad. It’s good for a free society to be able to communicate freely and openly without the threat of censorship or other outside controls. However, this freedom can be abused by a small minority, affecting the community as a whole. This is the situation we find ourselves in today.

Various methods have been proposed, but only a few make real sense. The best solution today is to implement a dedicated spam filter. Contrary to popular belief, spam filters are not as cumbersome or inaccurate as they used to be. Products like MailFrontier have drastically reduced the number of false positives while still trapping almost 100% of the junk mail. As good as they are, I still see this type of product as a stop-gap on the way to a better solution.

That better solution will probably involve extensions to SMTP. Digital signatures may be one part of the solution (similar to how commercial websites register with a trusted certificate authority like VeriSign). While setting up a trust framework will help weed out the known good from the known bad, there will always be a small subset that remains unknown. There are also issues like virus-infected computers that are used by spammers as a proxy to send their junk mail. These problems can be solved today, but the largest barriers are complexity and the amount of work required. However, those barriers are getting smaller every day as security products become more tightly integrated and easy to deploy and maintain.