Coffeehouse Thread

12 posts

Security in MS products Chat in 2 hours!

  • androidi

    http://www.microsoft.com/communities/chats/vcs/Security_in_Microsoft_Mar10.ics

    Join Mike Nash, Vice President for the Microsoft Security Business Unit, and his team of security experts each month. Microsoft is working hard to improve security and Mike and his team invite you to join them in a candid Q&A session. Ask us your tough questions; share with us what is going well and what needs improvement. This is your chance to talk up front with the leading security minds at Microsoft.

  • Dr. Shim

    More people! Now!

  • W3bbo

    How do I join? All I can do is download that *.ics file.

  • Dr. Shim

    http://www.microsoft.com/technet/community/chats/chatroom.aspx

    Yarr! The original post only points to Outlook calendar data!

  • Dr. Shim

    I don't have much to say. But I'm in. Do we get free pizza?

    (What's your nickname?)

    For other people joining, go here:
    http://www.microsoft.com/technet/community/chats/chatroom.aspx

    Enter your .NET passport credentials.

    I think the chat client only works in IE.

  • Intrigued

    I did not want to have to login to watch a video.

    *bows out*

  • Maurits

    No video.
    Good chat.
    /me wishes transcripts were instant, though...

  • Maurits

    /me is so happy... :)

  • androidi

    Mike Nash (Expert): Hi there and welcome to the March Microsoft Security Webcast. My name is Mike Nash and I am the Corp VP responsible for security at Microsoft. Please ask any question about Microsoft security or security in general. As always, I am joined by a CRACK group of security experts here at Microsoft, so they will help me answer questions and make sure I don't accidentally say anything inaccurate. We have about an hour, so let's get started.

    Jerry Bryant (Moderator): To ask questions, please be sure to check the "Submit a question" box.

    Mike Nash (Expert):
    Q: What will have to happen before Microsoft will look into removing the PIF format from Windows XP?

    A: This is great input. We are evaluating this as we speak.

    Mike Nash (Expert):
    Q: But there are a lot of virus and spyware programs that are not included in the base

    A: We are planning to offer a desktop AV product for Windows. As you know, we acquired a company called GeCAD anti-virus in 2003. There will be both consumer and enterprise versions of a desktop product available for a fee from MS. At RSA last month, Bill Gates announced that we would have a beta of the consumer AV offering out by the end of the year.

    Also at RSA, Bill announced that Anti-spyware would be available as part of the Windows value proposition to licensed Windows users.

    You are right, both of these technologies require updates/signatures and we will make those available.


    Gatekeeper (Expert):
    Q: As a representative of the company I’m troubled with virus and spyware problem that can damage and monitor our computers

    Mike Nash (Expert):
    Q: I saw Bill Gates present at RSA, he said that MS would have a consumer antivirus product by year-end for the desktop. What are the plans on the desktop side for the enterprise, given Sybari and GeCAD on the Exchange side?

    A: Great question. We will also do an enterprise desktop version based on the same technology as the consumer offering. The consumer offering will come first. As you also know, in February we also announced our plan to acquire a company called Sybari that makes Server and Email anti-virus. One very cool thing about Sybari's technology is that it supports multiple AV engines. Our plan is that soon after the Sybari deal closes (it's currently in the midst of regulatory review) we plan to make the GeCAD engine available for the Sybari platform.

    Mike Nash (Expert):
    Q: Now that Ozzie is a new CTO, are the other two feeling less important? :)

    A: I doubt it. Microsoft covers a lot of technology areas, so we are very lucky to have smart people like Mundie, Vaskevitch and now Ozzie to provide this kind of technical leadership for the company. Ray is certainly a very smart man.

    Gatekeeper (Expert):
    Q: In renegotiating our current antivirus maintenance contract, how should we position future pricing from Microsoft for desktop antivirus? Meaning 10% below McAfee's annual fees. This is a tactic that Gartner suggested.

    A: We really cannot comment or offer any guidance on this question.

    Mike Nash (Expert):
    Q: I am against having all kind of services periodically scan gigabytes of data in HDDs. Scanning signatures from HDD is a slow inefficient method. All methods that allow entering data in the system should be monitored for malicious stuff instead. Use CPU!

    A: Interesting POV android. Our POV is that we need to actually do both. Ideally malicious code or viruses are found BEFORE they hit the hard disk. Sometimes, heuristics or signatures can't move that fast. So we need to scan the hard disk. As we have more protections on the system where the system can take input, the lower the chance/need to scan the disk. We just are not there yet....but it's getting better.

    Mike Nash (Expert):
    Q: Yes but I heard about the antispyware programs that don’t use signature base they block monitoring programs but I’m troubled that they don’t scan and don’t display spyware. They only block them.

    A: As I noted in my other answer, our anti-spyware approach really combines a number of checkpoints (50+ in the current beta) along with signatures to target specific threats. You really need to do block. It's also important to note that frequent scanning is really NOT a substitute for blocking. Some things are very hard to fix once the infection gets on the system. Hope this helps.

    Mike Nash (Expert):
    Q: Which AV vendors do you believe will be out of business after MSAV-2 "The revenge" goes out?

    A: Today, many customers do not have up to date AV software on their PC. Our customers are my top priority. I believe that there is lots of room for companies who build great security products to have a great business even with an offering from Microsoft.

    Mike Nash (Expert):
    Q: I saw your Groove purchase today, how do you think Groove fits into things from a Citrix standpoint? Is Groove secure enough in that are there any security concerns related to not having the applications and data hosted internally via Citrix?

    A: The acquisition is still pending and integration details are not fully worked out. As Groove's products become Microsoft products, they will be reviewed as part of our secure development lifecycle process. We believe that they have high quality code, but will of course review it as part of our normal process.

    Mike Nash (Expert):
    Q: Mike: have you folks announced any plans for MS Antispyware getting Group Policy integration?

    A: Great question. At RSA we did discuss the notion of an enterprise version of Anti-spyware. The key thing here is centralized control and policy visibility. The design isn't final yet, but it is reasonable to expect that we will take advantage of platform capabilities like GP. Thanks,

    Mike Nash (Expert):
    Q: Hi Mike: it seems that the SysInternals RootkitRevealer can be beat by HackerDefender (which didn't take long). Are you folks thinking about rootkit tools for your users to deal with this growing problem?

    A: We are definitely thinking about how we effectively detect rootkits and prevent them from getting on users' systems, along with other forms of malware, as part of our overall security strategy. This will be an ongoing battle with malicious software authors much like viruses and spyware are today. Our research group has been doing great work here over the past year in coming up with the strategies and technologies that we can use in future security products to help customers.

    Mike Nash (Expert):
    Q: Currently to verify a Windows user login within an application you are currently having to use an API. Will that be brought in the .NET world or will it stay only as an API?

    A: You can verify a Windows login by calling the LogonUser() API, this same API can be called from .NET code also, sample code is at http://www.microsoft.com/belux/nl/msdn/community/columns/tisseghem/infopathdeserialization.mspx

    Mike Nash (Expert):
    Q: Can you tell us what some of the major security features will be in the upcoming IE 7? Will you be closing all of the publicly known holes in current IE versions?

    A: IE 7 is a major upgrade which focuses on security. IE 7 will build on and broaden the progress made with SP2, while putting in place even stronger defenses against phishing, malware and spyware. However, at this point it is too early to discuss the specific features that will be included in IE 7. IE 7 will of course also address publicly known vulnerabilities.

    Mike Nash (Expert):
    Q: We had this week the second update of the "MS antivirus" (dixit the media) and it's a good thing. But why do you keep it so secret? You have to search to understand what you're downloading...

    A: Great question. I think you are talking about the malware removal tool. As you noted, this is the third installment we have shipped. We keep it quiet, frankly, because we don't want to annoy users...we just want people to have their PC fixed, but you are right, we need to make it clearer....great feedback.

    Mike Nash (Expert):
    Q: Can we expect all future updates even to older products to be compiled using Microsoft's new compiler with security technology?

    A: Windows XP SP2 and Windows Server 2003 SP1 are all compiled with the latest version of our C++ compiler to take advantage of the new stack-based buffer overrun detection code, and exception handler protection. This compiler will also be shipped in Visual Studio .NET 2005 "Whidbey". We do plan to compile future product SPs with the new compiler.

    Mike Nash (Expert):
    Q: What plans do you have regarding WinPE? It's a bit strange to see that Microsoft offers that really valuable tool only to holders of Select SAM license (or even higher level), while it is also available from http://winpe.sourceforge.net/

    A: WinPE was designed originally for OEMs and their factories so it is limited in functionality and support. It is a value add for select SAM license holders as they have the IT staff and support infrastructure to use the tool effectively. Longer term, we are looking at how we can make WinPE more broadly available and a useful tool for a wider set of customers. Unfortunately, using some of the tools on the site you listed creates an unlicensed version of Windows and should be used at your own risk.

    Mike Nash (Expert):
    Q: Where can I get my y2k to auto login with a user name and password? I know XP has userpasswords2; what has Win2k got?

    A: WinPE was designed originally for OEMs and their factories so it is limited in functionality and support. It is a value add for select SAM license holders as they have the IT staff and support infrastructure to use the tool effectively. Longer term, we are looking at how we can make WinPE more broadly available and a useful tool for a wider set of customers. Unfortunately, using some of the tools on the site you listed creates an unlicensed version of Windows and should be used at your own risk.

    Mike Nash (Expert):
    Q: Thanks Mike, I really think we have to speak a lot more about the tool, it's a huge improvement and a large % of end users don't know what it is.

    A: Great.

    Mike Nash (Expert):
    Q: Is there any more information about whether WinFS will be back-ported to Windows XP? If so, when should security companies begin planning for this?

    A: At this time we have not announced details as to the WinFS file-system technology being back-ported to Windows XP. We value your input to this technology.


    Mike Nash (Expert):
    Q: Does Microsoft have any comment on the Secunia list of unpatched IE vulnerabilities at http://secunia.com/product/11/ ?

    A: Regardless of the source, any reported vulnerabilities are treated with the utmost urgency by the Microsoft Security Response Center. Any issue that we have validated is already in the process with a fix being developed and then tested for quality release on all platforms, in all languages as soon as it meets our quality bar.


    Mike Nash (Expert):
    Q: I have a C++ program that allocates lots of heap. It works on Windows 2000 SP4, but runs out of memory on XP Pro WS SP2. I understand the heap has changed to add security-related cookies to each memory allocation. Significant?

    A: The heap was changed in Windows Server 2003 (added heap integrity checking to mitigate flink/blink hijacking) and in Windows XP SP2 (added heap integrity checking *AND* cookies) and in Windows Server SP1 we added the same XPSP2 defenses. If an error is found by one of these defenses, you won't get an "out of memory" error, instead your application will raise an exception. That's the long version of "no, I doubt it"

    Mike Nash (Expert):
    Q: Will MS Spyware run if Norton's Firewall and Antivirus are running at the same time?

    A: The short answer is yes. The long answer is also yes.

    Jerry Bryant (Moderator): We have about 9 minutes left in today's chat

    Mike Nash (Expert):
    Q: When WindowsUpdate, OfficeUpdate, etc. are combined into MicrosoftUpdate a lot of people will be installing updates they missed before. Will Antivirus definitions and Spyware definitions be rolled out the same way?

    A: Our long term goal is to deliver all of our updates including signatures using one service.

    Mike Nash (Expert):
    Q: When IE 7 is rolled out, will it be regarded similar to SP2 and distributed via Windows Update and therefore distributable via SUS and (b) once IE 7 is out, what sort of support timescale do you give to IE 6 users on XP SP 2?

    A: Great question. The packaging and release vehicle for this has not been finalized at this point. Of course we want to make it easy for people to get it.

    Mike Nash (Expert):
    Q: Would it make sense to have LH come with a new user introduction video, like the one about 'what is spyware' on the MS website? Would such introduction educate new users? It should be localized of course..

    A: That is a really great idea that I will share with the LH planning team.

    Mike Nash (Expert):
    Q: Where might I find out how many overhead bytes have been added to heap blocks for those security cookies?

    A: 8 bits is all that was left in the heap block. The biggest defense is the forward link/backward link validity checking...the extra cookie is simply an extra defense.

    Jerry Bryant (Moderator): We are over time for the chat today. Mike is working hard to get most of the questions answered before he has to run. Thanks for joining us!

    Mike Nash (Expert):
    Q: Sending an email merge from Microsoft Word through Outlook pops up a warning for every email recipient... any way to fix this planned?

    A: The warning blocks the ability of malicious code to send mail automatically (mass mailing). In this case with Outlook XP or Outlook 2003 you should be able to set the timer notification to suppress the warning for subsequent mails up to the limit of 10 mins. There are no plans to remove this important security feature.

    Mike Nash (Expert):
    Q: Just installed MS AntiSpyware, now I can't open links in my emails, page can not be displayed, I tried to open Inet Options from Tools on my browser & get a Restrictions window, operation canceled contact Sys Admin. , maybe a setting problem causing this ?

    A: I am sorry you are having problems here. We have not had reports of this happening, so I'd recommend that you first try to use add/remove programs from the control panel to remove Windows Anti-spyware and see if you continue to have problems. If not, I would reinstall it.

    Mike Nash (Expert):
    Q: Is it possible to implement the "/NoExecute" functionality of XP SP2 without enabling PAE on AMD boxes running in 32-bit mode?

    A: Right now we have no plans for this to work without the appropriate CPU support (AMD, Intel and Transmeta).

    Mike Nash (Expert):
    Q: When could we get a beta of the AV product?

    A: We plan to have a consumer desktop anti-virus product in beta by the end of the year. Today, we provide a malicious software removal tool that is available from Windows Update and Microsoft Download Center that helps detect and remove some very prevalent malware from a user's machine. However, it's not a replacement for a full desktop AV product. We also plan to have a mail and collaboration services AV product based on our planned acquisition of Sybari.

    Mike Nash (Expert):
    Q: What security mechanisms are in place to prevent spoofed Windows Updates?

    A: From a technical POV, all Windows updates are performed over SSL/TLS (to authenticate the server) and are signed (to prevent tampering). This has been the case since we first released Windows update.

    Mike Nash (Expert):
    Q: Do you know how your AntiSpyware behaves in corporate environment (especially financial institutions)?

    A: The current beta of Windows Anti-spyware is intended for consumer users primarily....although we will have support for enterprise deployments as well.

    Mike Nash (Expert):
    Q: Why when there are unpatched vulnerabilities MS doesn't mention the well known workarounds which could be applied awaiting the fix?

    A: This is something that we do when we can and when clear mitigation is available. Some mitigations are more generic across issues.

    Mike Nash (Expert): We are about out of time.

    Mike Nash (Expert): I am sorry we didn't get to all of the questions, but there were some really great questions.

    Mike Nash (Expert): Our next chat will be on Thursday April 14 at 9 AM PST.

  • androidi

    Behold the Pwr of JujuEdit ;)

    CTRL + H = replace
    >(Q:.*?)</P

    ><STRONG>\1</STRONG></P

    And we got nice bold Q:uestions :)

    I tried same in Notepad2 and it did not work! Very odd!

  • Intrigued

    Thank you for posting the exchange.

    "A: We are definitely thinking about how we effectively detect rootkits and prevent them from getting on users' systems, along with other forms of malware, as part of our overall security strategy. This will be an ongoing battle with malicious software authors much like viruses and spyware are today. Our research group has been doing great work here over the past year in coming up with the strategies and technologies that we can use in future security products to help customers."

    Ack!

  • LarryOsterman

    Y'all might not agree with me, but I was pretty impressed.  This wasn't nearly as "corporate" as I'd expected (except for the answers to the really stupid questions (like what's the pricing for MS AS))
