Microsoft's glasnost on interoperability means more bugs, more exploits

But in the long run, say experts, it could bolster security for everyone

Microsoft's decision last week to let everyone snoop through its software secrets means vulnerabilities and exploits will almost certainly climb in the short term, security researchers said today.

But the move to open the communications protocols and APIs for Microsoft Corp.'s newest and highest-profile products, including Windows Vista, Windows Server 2008, Office 2007 and others, should translate into better security for everyone in the long run, said those same researchers.

"The net [result] is that we'll see quite a few vulnerabilities over the short run, but over time, we'll gain security," said Andrew Storms, director of security operations at nCircle Inc. The bump in vulnerabilities and exploits that leverage the flaws, however, could be substantial. "It'll be a giant kind of hump in the curve," he warned.

And the hump could show up sooner rather than later. "In the end, it's going to be a good thing, but it will be a bit of a roller coaster ride. I wouldn't be surprised to see it start in eight weeks or so," Storms added.

On Thursday, Microsoft announced changes in how it deals with open-source developers and software rivals, pegging the new positions and initiatives as "interoperability principles." The first spelled out by CEO Steve Ballmer and other company executives, and the one that drew the most attention, was a promise to open its protocols and APIs to everyone's scrutiny.

To back up its talk, Microsoft immediately began posting more than 30,000 pages that documented the protocols and APIs of the Windows client and server software. Documentation for the other products will follow no later than June, said Bob Muglia, head of the company's server and tools division.

Storms and Tyler Reguly, a security research engineer at nCircle, see the newly revealed documentation as a mother lode for researchers of all stripes.

What they get out of mining the Microsoft protocols and APIs, said Reguly, "depends on the kind of researcher you're looking at." Criminal types, he continued, will be able to take advantage of anything they find almost immediately. But most researchers working for security vendors will have a tougher time. "They may not be able to integrate [what they find] into their products right away," he said.

Some of what's tucked into those 30,000 pages will also be new to all, or at least some, hackers. "Some protocols exist now almost in full form," thanks to countless hours of reverse-engineering, Reguly said. "But other protocols aren't publicly specced out. So this levels the playing field." Those who had previously puzzled out the inner workings of Microsoft Windows on their own will be joined by others who now have a "leg up." Translation: more hackers.

Other security professionals disagree. Alfred Huger, vice president of development in Symantec Corp.'s security response group, figures the documentation won't make much difference. "In the short term, there will be an influx of bugs, yes," said Huger, "but the people who are finding [quality] vulnerabilities and writing exploits, they already have enough of this sorted out."

What the three researchers did agree on, however, is that Microsoft and open source code will be made stronger. "Opening up these protocols is a very positive step," said Huger. "The more eyes on [Microsoft's products], the better."

Storms put it differently: "By opening up, Microsoft has gained thousands of free programmers. They're cutting their bottom line by gaining all these free programmers."

Huger assumes, as do Storms and Reguly, that most researchers will report any vulnerabilities they find while sniffing through the documentation, and give Microsoft a chance to patch the flaws before they're disclosed. But Storms also sees another way the protocol and API docs will boost the security of Microsoft's software, and some open-source projects at the same time.

"Some of the additional security will come out of the open-source space. As Samba implements [the protocols and APIs], for example, they'll start finding bugs in how things are supposed to work, as opposed to how they really work," said Storms. Microsoft's patching those vulnerabilities not only secures its code, but also helps secure the open-source software that uses the protocols and APIs to bake in interoperability.

Open-source advocates have dismissed Microsoft's moves as all hat and no cattle. But Storms, Huger and Reguly see a much bigger upside and some real benefit for users -- especially Windows users.

"I think it will be better for everyone," said Reguly. "In the short term, advantage to the bad guys. But this will result in better open-source software and a lot of security improvements."

Copyright © 2008 IDG Communications, Inc.

  
Shop Tech Products at Amazon