The following is an excerpt from the book Hacking Exposed: Network Security Secrets & Solutions. In this section...
of Chapter 4: Hacking Windows (.pdf), authors Stuart McClure, Joel Scambray and George Kurtz describe what makes Windows a target for hackers, and what Microsoft is doing to combat Windows hacking.
It's been entertaining to watch Microsoft mature security-wise since the first edition of this book nearly ten years ago. First the bleeding had to be stopped -- trivially exploited configuration vulnerabilities like NetBIOS null sessions and simple IIS buffer overflows gave way to more complex heap exploits and attacks against end users through Internet Explorer. Microsoft has averaged roughly 70 security bulletins per year across all of its products since 1998, and despite decreases in the number of bulletins for some specific products, shows no signs of slowing down.
To be sure, Microsoft has diligently patched most of the problems that have arisen and has slowly fortified the Windows lineage with new security-related features as it has matured. This has mostly had the effect of driving focus to different areas of the Windows ecosystem over time -- from network services to kernel drivers to applications, for example. No silver bullet has arrived to radically reduce the amount of vulnerabilities in the platform, again implicit in the continued flow of security bulletins and advisories from Redmond.
In thinking about and observing Windows security over many years, we've narrowed the areas of highest risk down to two factors: popularity and complexity.
Popularity is a two-sided coin for those running Microsoft technologies. On one hand, you reap the benefits of broad developer support, near-universal user acceptance, and a robust worldwide support ecosystem. On the flip side, the dominant Windows monoculture remains the target of choice for hackers who craft sophisticated exploits and then unleash them on a global scale (Internet worms based on Windows vulnerabilities such as Code Red, Nimda, Slammer, Blaster, Sasser, Netsky, Gimmiv, and so on all testify to the persistence of this problem). It will be interesting to see if or how this dynamic changes as other platforms (such as Apple's increasingly ubiquitous products) continue to gain popularity, and also whether features like Address Space Layout Randomization (ASLR) included in newer versions of Windows have the intended effect on the monoculture issue.
Complexity is probably the other engine of Microsoft's ongoing vulnerability. It is widely published that the source code for the operating system has grown roughly tenfold from NT 3.51 to Vista. Some of this growth is probably expected (and perhaps even provides desirable refinements) given the changing requirements of various user constituencies and technology advances. However, some aspects of Windows' growing complexity seem particularly inimical to security: backward compatibility and burgeoning feature set.
Backward compatibility is a symptom of Windows' long-term success over multiple generations of technology, requiring support for an ever-lengthening tail of functionality that remains available to target by malicious hackers. One of the longest-lasting sources of mirth for hackers was Windows' continued reliance on legacy features left over from its LAN-based heritage that left it open to some simple attacks. Of course, this legacy support is commonly enabled in out-of-the-box configurations to ensure maximum possible legacy compatibility.
Finally, what keeps Windows squarely in the sights of hackers is the continued proliferation of features and functionality enabled by default within the platform. For example, it took three generations of the operating system for Microsoft to realize that installing and enabling Windows' Internet Information Services (IIS) extensions by default leaves its customers exposed to the full fury of public networks (both Code Red and Nimda targeted IIS, for example). Microsoft still seems to need to learn this lesson with Internet Explorer.
Notwithstanding problem areas like IE, there are some signs that the message is beginning to sink in. Windows XP Service Pack 2 and Vista shipped with reduced default network services and a firewall enabled by default. New features like User Account Control (UAC) are starting to train users and developers about the practical benefits and consequences of least privilege. Although, as always, Microsoft tends to follow rather than lead with such improvements (host firewalls and switch user modes were first innovated elsewhere), the scale at which they have rolled these features out is admirable. Certainly, we would be the first to admit that hacking a Windows network comprised of Vista and Windows Server 2008 systems (in their default configurations) is much more challenging than ransacking an environment filled with their predecessors.
Reprinted with permission from The McGraw-Hill Companies Inc. Copyright 2009. "Hacking Exposed, Sixth Edition" by Stuart McClure, Joel Scambray and George Kurtz. Written permission from The McGraw-Hill Companies is required for all other users.