Built on nearly three decades of Microsoft's software development, Windows 8 is the pinnacle of the company's operating systems and benefits from all the security successes and mistakes of previous versions. With Windows 8 right around the corner, here is a look back at some of the high points and low points for security in Microsoft's flagship product.
Prior to Windows 95, things were fairly quiet, but this big release put the company on the map and on the radar of hackers. The company’s huge embrace of the Internet using pre-Web technologies exposed Microsoft programs like Internet Explorer and ActiveX to security risk. In 1998, a product manager for Microsoft Windows NT's security team acknowledged the security pains. "Essentially, Windows 95 and 98 were designed to provide security features tailored to the consumer marketplace," said Microsoft's Karan Khanna. "But at the design point, they were not designed to be resistant to all forms and intensities of attack." Khanna was responding to a program dubbed "Back Orifice" (a pun on Microsoft's BackOffice server-side application suite) that gave an attacker the ability to remotely control a computer. The Cult of the Dead Cow hacker group said it was trying to pressure Microsoft into improving the security of its operating system.
Security problems continued after the 1996 release of Windows NT 4.0, including a vulnerability that allowed an attacker to impersonate a system administrator, which led to a series of Web site defacements. Several major bugs forced Microsoft to stop providing security updates on two occasions, including one instance in which the company said it could not patch the hole without re-architecting a significant amount of the operating system.
Microsoft confirmed a security hole in Windows 98 and Windows 95 that could be exploited to crash machines if Web surfers opened up a page with malicious code or opened an e-mail message on Hotmail or another Web-based e-mail service.
The late '90s and all of the 2000s were a rough time for Microsoft, as Windows and other Microsoft programs were hit with a string of security problems, including high-profile virus attacks such as Melissa, ILoveYou, Blaster, Code Red and Nimda. The Cult of the Dead Cow came back to Defcon armed with Back Orifice 2000 (or BO2k), an updated version of its remote system administration tool that included support for Windows NT, Windows 2000 and Windows XP. Malware cropped up that exploited Internet Information Server (IIS) services, including a nasty buffer overflow technique. Among the various problems were an exploit that allowed attackers to take control of Windows 2000 servers via IIS; a serious flaw in Windows 2000 that could let remote intruders access a PC via its Internet Protocol address; and a Plug-and-Play vulnerability in Windows 2000 that was exploited by a series of worms in what experts said appeared to be a war between rival virus-writing groups. Attackers were also found to be exploiting an unpatched security flaw in the Domain Name System (DNS) service.
While Windows XP had its share of vulnerabilities and exploits -- involving a TCP/IP hole and a flaw in Windows Help and Support Center, among others -- the operating system also brought some interesting security improvements. Service Pack 2, codenamed "Springboard," shipped with a firewall update that was enabled by default, as well as Data Execution Prevention technology designed to prevent buffer overflow attacks.
Windows Server 2003 follows Trustworthy Computing memo
Microsoft’s come-to-God moment with regard to security came in January 2002 with the famous Bill Gates memo. The company promised to make security a priority across its product lines and launched its Trustworthy Computing initiative. The effort has paid off and Microsoft is a role model for others in the industry in building secure code. But the fruits of the labor took time to filter out to all of the company’s products. Less than two months after launching its Windows Server 2003 operating system, the company had to release a security patch to fix a vulnerability that could let malicious sites run damaging code on the server. The flaw affected Internet Explorer 6, which shipped with Windows Server 2003 as well as with other Microsoft OSes. Despite the embarrassment from releasing a security patch so soon after a release, security experts said the default configuration of Windows Server 2003 was more secure than in previous versions of Windows.
Microsoft's efforts to make good on its promise made with the Bill Gates memo were noticeable with the release of Windows Vista in 2006, ostensibly delayed so the company could slip some security improvements into Windows Server 2003. While many security holes were plugged in Vista, hackers wrote new malware that still managed to cause trouble, such as the Storm worm that created the Storm botnet from millions of PCs and the Zeus trojan that steals banking information.
The security enhancements in Windows Vista are too numerous to list, but User Account Control (UAC) was foremost among them. It allowed people to use their PCs with fewer privileges by default, minimizing the damage malware could do by making unauthorized changes. Microsoft also included anti-spyware in Windows, added a phishing filter to Internet Explorer 7 and disabled ActiveX controls by default. Another new security feature, BitLocker full-disk encryption, was found by researchers to be vulnerable to a cold boot attack, however (as was Apple's FileVault).
Microsoft added a scaled-back installation option in Windows Server 2008 called Server Core that pared down the interface and programs to those needed for specific roles. This reduced the operating system's attack surface and, according to Microsoft, would have spared it from about 70 percent of the security vulnerabilities that affected Windows in the prior five years.
The Windows 7 era has been fairly mild with regard to security. There have been holes to patch, such as a zero-day vulnerability in the operating system's Server Message Block (SMB) file-sharing protocol, but not the plague of problems that hit Microsoft in the past. And the security enhancements keep coming. Windows 7 extended BitLocker drive encryption support to removable storage devices. In the wake of the Conficker worm's spread via USB drives, Microsoft said it was changing the way Windows 7 handles USB drives so they could no longer automatically launch a program via the AutoRun function.
Due for public release in October, Windows 8 is the most secure Windows operating system to date, my colleague Seth Rosenblatt says in his review. The operating system tackles the inconvenience that passwords pose to a population addicted to the Web. It lets users log in with their Windows Live IDs across multiple PCs, syncing their login credentials to all of their Windows 8 PCs. As a result, people can set up a complex password for each online account without having to remember it. And Microsoft is beefing up the malware protection in Windows 8 and adding more robust features to its Windows Defender tool.