When I compare what the threat landscape looked like at the turn of the century to what it looks like today, it’s clear that things have changed.

At the height of the dot-com boom, less than a third of homes in North America and Europe had Internet access[1], with broadband technologies accounting for less than 10 percent of that overall number[2]. Servicing software using the Internet was in its infancy. The idea that an attacker could compromise a large number of interconnected computer systems on the Internet was considered theoretical by many.

In 1999 the Melissa macro virus that propagated via email by infecting documents proved to many that what was thought to be merely theoretical was indeed possible. This revelation led to the release of other mass mailing worms such as LoveLetter in 2000, and a virus detected as Virus:VBS/VBSWGbased.gen that used a payload disguised as a photograph of tennis star Anna Kournikova in early 2001. As the Internet grew rapidly and newer email clients blocked or disabled macros that weren’t digitally signed by a trusted source, attacks evolved. Attackers sought to take advantage of vulnerabilities in network services and Internet programs. Code Red, Nimda, SQL Slammer, Blaster and others did just this in the years between 2001 and 2004.


In 2004 Microsoft released Service Pack 2 (SP2) for Windows XP. When you take a close look at the security enhancements that SP2 included, you can see they were squarely aimed at preventing the types of threats our customers were facing, such as mass mailing worms and worms that targeted vulnerabilities in software listening on the network. Some of the enhancements in SP2 included:

  • Windows Firewall: enabled for all network interfaces by default, starting early in the boot process and turning off late during shutdown.
  • RPC/DCOM hardening: an effort to prevent Blaster style attacks on these network services.
  • Execution protection (NX) technology: prevents attackers from overrunning a buffer marked as data with code and then executing that code. This makes a worm like Blaster less likely to succeed.
  • Windows Update Automatic Updates client (version 5): made it easier to install security updates and keep systems up to date.
  • Security Center: provided the status of three major security functions, the firewall, automatic updates, and virus protection, in a single central location.
  • Other security enhancements were also included in Outlook Express, Internet Explorer, Windows Media Player, and other programs.
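The three enhancements above that did the most to blunt the worm era (the host firewall, NX/DEP and automatic updating) are still the first things a defender should confirm are switched on. As an added example that is not part of the original post, the script below checks those three settings on a current Windows host. It assumes Windows 8 / Windows Server 2012 or later (for `Get-NetFirewallProfile`) and an elevated PowerShell session; the `Test-LegacyHardening` function name is my own.

```powershell
# Added example (not from the original post): confirm that the protections Windows XP SP2
# introduced are still enabled on a modern Windows host. Assumes Windows 8 / Server 2012+
# and PowerShell 5 or later; run elevated. Function name is hypothetical.

function Test-LegacyHardening {
    $results = [ordered]@{}

    # Windows Firewall: every profile (Domain, Private, Public) should report Enabled = True.
    $profiles = Get-NetFirewallProfile
    $disabledProfiles = @($profiles | Where-Object { $_.Enabled -ne 'True' } |
                          Select-Object -ExpandProperty Name)
    $results['FirewallAllProfilesEnabled'] = ($disabledProfiles.Count -eq 0)
    $results['FirewallDisabledProfiles']   = ($disabledProfiles -join ', ')

    # DEP / NX policy, read from Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    #   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $depPolicy = [int]$os.DataExecutionPrevention_SupportPolicy
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $results['DepPolicy']            = $policyNames[$depPolicy]
    $results['DepEnabled']           = ($depPolicy -ne 0)
    $results['DepHardwareAvailable'] = [bool]$os.DataExecutionPrevention_Available

    # Automatic updates: the Windows Update service (wuauserv) must not be disabled.
    $wu = Get-Service -Name wuauserv
    $results['WindowsUpdateStartType']   = $wu.StartType.ToString()
    $results['WindowsUpdateNotDisabled'] = ($wu.StartType -ne 'Disabled')

    [pscustomobject]$results
}

$report = Test-LegacyHardening
$report | Format-List

# Surface any regression so the script is usable from a compliance or logon job.
if (-not $report.FirewallAllProfilesEnabled) {
    Write-Warning "Firewall disabled on profile(s): $($report.FirewallDisabledProfiles)"
}
if (-not $report.DepEnabled) {
    Write-Warning 'DEP policy is AlwaysOff; NX protection is not in effect.'
}
if (-not $report.WindowsUpdateNotDisabled) {
    Write-Warning 'Windows Update service (wuauserv) is disabled.'
}
```

On a client SKU the expected output is all three firewall profiles enabled, a DEP policy of OptIn or OptOut (OptOut is the stronger setting and what server SKUs default to), and a Windows Update start type of Automatic or Manual. A result of AlwaysOff for DEP or a disabled wuauserv is worth treating as a finding, since it undoes exactly the protection described in the list above.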

Windows XP SP2 was a game changer. Enabling a host based firewall by default to restrict unfettered access to listening network ports helped to protect the network services that attackers were trying to exploit and provided customers more time to deploy security updates in their environments using Windows Update and the fledgling deployment tools of that era. As SP2 was deployed to more and more computers in the ecosystem, the big mass worm attacks subsided as their ability to spread had been significantly blunted. Windows XP SP2 successfully raised the bar for attackers.

As big a step forward as Windows XP SP2 was at that time, we realized that the security enhancements it provided were just the start of the work we’d have to do to help protect our customers for the long term. Windows XP SP2 was released almost eight years ago, and on an operating system that was designed and developed last century. Windows XP SP2 has been out of support since July 13, 2010 and end of support for Windows XP is April 8, 2014.

Figure: Infection rate (CCM) trends for currently and recently supported 32-bit versions of Windows XP, Windows Vista, and Windows 7, first quarter of 2010 – second quarter of 2011, as reported in the Microsoft Security Intelligence Report Volume 11.

Attackers’ motivations have changed since 2004, and financial gain is now a primary motivation for the activity we see in the threat landscape. Attackers have had to broaden the repertoire of tactics they use to attempt to compromise systems; most of the attacks we see today rely on social engineering: trying to get users to bring badness from the Internet through their host based firewalls via web browsers, peer to peer networks, document parsers, email, social networks, etc.

This is why security is a journey not a destination. Protecting systems from compromise will be necessary as long as criminals exist. The 10 year anniversary of Trustworthy Computing marks an important milestone and is a natural point to stop and reflect on the past and what we have learned. It also marks the start of the next decade of challenges during which Microsoft will be as committed to helping protect our customers as we have ever been.

At this year’s RSA Conference in San Francisco, California, February 27 - March 2, Jeff Jones and I will be sharing a detailed look back at the threat landscape in our session called:

Code Red to Zbot: 10 Years of Tech, Researchers and Threat Evolution

Thursday, March 1, 8:00 AM
Room 102
Session code: HT1-301

For a sneak preview of our session, please check out our RSA Podcast.

We hope to see you there.

Tim Rains
Director
Trustworthy Computing


[1] Organisation for Economic Co-operation and Development. Information Technology Outlook 2008. Paris: OECD Publication Service, 2008, p. 196.

[2] “March 2003 Bandwidth Report.” WebSiteOptimization.com. http://www.websiteoptimization.com/bw/0302/