• Why Windows 7 XP Mode makes sense from a security perspective

    I have to admit: When I first learned about Windows 7 XP Mode I was quite surprised. How can we actually ship an XP Virtual Machine with Windows 7? Well, then I started to think (no, it did not hurt too much)… But before I share my findings with you, let me tell you a story:

    A few months back, a friend of mine called me. He was desperate. He owns a car dealership close to where I live (a pretty big one by Swiss standards) and had decided to renew the business’s IT system. So, they moved to Windows Server 2008 Terminal Server and Windows Vista as the client. They hired an IT shop to do it for them and the migration went pretty smoothly – up until they wanted to start the web application of the car manufacturer. It is one of the German car makes you definitely know and which is well known for the quality of its cars. Unfortunately the web application did not run with Internet Explorer 7. So, they went back to the car manufacturer, only to learn that the manufacturer knew about this but had no plans to make the application compatible with either IE 7 or IE 8. An alternative browser was not an option either, as the latest versions broke this application as well. He needed a solution, which I unfortunately could not provide. Finally they decided to let one PC run on XP with IE 6, just to get around the problem for this one task. So, basically they did “Windows 7 XP Mode” – just physically.

    Now, let’s consider such scenarios. I know of companies that have decided to stay with XP and not move to Windows Vista because of concerns over compatibility issues with other applications they run. Their systems no doubt run, but they are depriving themselves of security and privacy enhancements designed to cope with modern threats – bear in mind that XP was designed in 2001 to cope with the threats back then – threats which have changed significantly over the last eight years! The impact of Windows Vista as a secure platform is significant, and Windows 7 will build on that foundation.

    Additionally, we know that the browser is one of the most targeted attack vectors in the ecosystem. We shouldn’t be surprised by this, as the browser is the window to the outside world and has to defend the computer against everything coming from the Internet. The security of the browser increased tremendously from Windows XP to Windows Vista, and will again with Windows 7. I deliberately did not say from IE 6 to 7 to 8 – even though this is true at least as much as with the OS. But the OS provides additional protection, like IE 7 Protected Mode on Windows Vista, which we simply cannot deliver on Windows XP, or Address Space Layout Randomization, or … That these design changes pay off can be seen if you look at our Microsoft Security Intelligence Report (SIR):

    [Figure: SIR chart of browser-based attacks on Windows XP]

    On Windows XP, 42% of the successful attacks came through our software. On Windows Vista, this changed tremendously:

    [Figure: SIR chart of browser-based attacks on Windows Vista]

    This data is in the Security Intelligence Report v5. If we look at the malware infections per operating system in the most recent SIR version 6, there is another reason to migrate to Windows Vista/Windows 7:

    [Figure: SIR v6 chart of malware infections per operating system]

    Looking at all of this, our task basically boils down to “How can we help our customers benefit from the much better protection of today’s operating systems and in parallel ensure compatibility?” It is the classical security vs. compatibility problem. Of course we make a huge investment to ensure the operating system is as compatible with old applications as possible, but we all know that there will be a point where we simply have to draw a line and put security needs above compatibility.

    From this viewpoint, Windows 7 XP Mode all of a sudden makes sense. It allows our customers to migrate to Windows 7 and significantly lowers the risk, for example, of web browsing or running 98% of their application software. The last 2%, which would have been issues that could have prevented migration, have so far been covered by XP Mode. Now, to be completely clear here: XP Mode has to be a temporary solution! The only effective long-term answer is to migrate applications to a version that is compatible with today’s operating systems. It also has to be managed and protected like any other machine – it is a full-blown Windows XP with Internet Explorer 6 connected to the network. So it has to be used wisely and in a very, very limited way, but it allows you to migrate to the more secure environment for everyday tasks.

    And finally, from a user perspective XP Mode can be set up in a way that the user only sees the legacy application running seamlessly in the Windows 7 environment. So, there is not necessarily a Windows XP desktop where the user can do everything they want: you just give them the legacy applications you want. Here is a picture of how this looks:

    [Figure: a legacy application running seamlessly on the Windows 7 desktop through XP Mode]

    If you look at it like that, it is simply a risk management decision: which risk is higher? Leaving our customers on an 8-10 year old operating system for another few years, or helping them migrate to a modern one, accepting the drawback of XP Mode? With XP Mode, we could have helped my friend above without actually forcing him to run a PC just for the sake of this single application!

    For more information on Virtual PC on Windows 7, please look at http://blogs.technet.com/windows_vpc/ (I “borrowed” the last picture from there).

    Roger

  • Internet Explorer 8 best to protect customer

    NSS Labs just recently published a study on browser security with regard to phishing and malware protection, which we commissioned. To take it upfront: the whole methodology is transparent, and therefore rather than challenging the results, let’s learn from them how we can improve.

    As I do not want to spoil the study for you, I just want to show you two pieces of information from the report:

    Let’s look at the phishing study first:

    They looked at how long a user has to wait until a phishing URL is blocked by the browser:

    Browser               Avg. Add Time (hrs)
    Internet Explorer 8   4.96
    Firefox 3             5.24
    Opera 10 Beta         6.19
    Chrome 2              11.08
    Safari 4              54.67
    Mean                  16.44

    What scares me is that Safari single-handedly drags up the mean of the group. Even though Chrome 2 is behind the other three, I guess that Internet Explorer, Firefox and Opera are comparable here (even though we are more than 20% faster).

    So, speed is one thing, accuracy and completeness another. Let me quote from the report: The average phishing URL catch rate for browsers over the entire 14 day test period ranged from 2% for Safari 4 to 83% for Windows Internet Explorer 8. Internet Explorer 8 and Firefox 3 were the most consistent in the high level of protection they offered. Statistically, Internet Explorer 8 and Firefox 3 had a two-way tie for first, given the margin of error of 3.96%. Opera 10 beta came in third due to inconsistent protection during the test. Chrome 2 was consistent, albeit at a much lower rate of protection, and Safari offered minimal overall protection.

    Or in graphical terms:

    [Figure: phishing URL catch rate per browser over the 14-day test period]

    Again, the scary piece is the huge difference between the different browsers. Whereas Internet Explorer and Firefox are similar, the rest are far, far (and Safari even further) spread out.

    Then they did a similar test with regard to protection against socially engineered malware:

    Again, looking at the response time, I guess we can improve when it comes to the comparison with the other browsers:

    Browser               Avg. Add Time (hrs)
    Opera 10 Beta         5.5
    Firefox 3             6.7
    Internet Explorer 8   9.2
    Safari 4              31.5
    Chrome 2              76.8
    Mean                  25.9

    But again, there is a huge gap between the best and the worst (and the worst are very bad). When it comes to the block rate, though, the game changes:

    [Figure: socially engineered malware block rate per browser]

    Again, to quote the report:

    Internet Explorer 8 caught 81% of the live threats, an exceptional score which surpassed the next best browser (Firefox 3) by a 54% margin. Windows Internet Explorer 8 improved 12% between Q1 and Q2 tests, evidence of concerted efforts Microsoft is making in the SmartScreen technology.

    Firefox 3 caught 27% of live threats, far fewer than Internet Explorer 8. It was, however, the best among products utilizing the Google SafeBrowsing API. (Note: Firefox 3.5 was not stable enough to be tested during the course of this test. A patch has subsequently become available to address the stability issue. We were able to manually verify that the protection was identical between versions 3.0.11 and 3.5).

    Safari 4 caught 21% of live threats. Overall protection varied greatly, with two short periods of severe dips. Chrome 2 caught just 7% of live threats, an 8% drop from the previous test.

    Opera 10 Beta caught a mere 1% of live threats, providing virtually no protection against socially engineered malware. In our test bed validation, we verified there was effectively no difference between Opera 9 and Opera 10 Beta.

    So, this is definitely interesting material for your next browser discussion.

    Roger

  • Why it pays to be secure - Introduction

    Henk van Roest, our EMEA Security Program Manager, is running a pretty successful internal blog. Before the summer vacation he started a series called “Why it pays to be secure”, which I think has some great information in it. I then asked him to go public with it, but he told me that he does not do this kind of outside communication and that I should feel free to use the content, which I am going to do – thank you, Henk.

    I will basically copy/paste his series over time, so I do not want to take the credit for the great work he did. Let’s start with his introduction today.


    In the Security Incident Response Team we are often faced with support cases from customers compromised through some malware which is wreaking havoc in their environment.

    Usually the customer says that deploying updates to software (not just MS software) is too time consuming, too expensive and too disruptive to their environment. Of course the resulting issue is usually also quite disruptive, e.g. Conficker.

    Microsoft has done a great deal of research into managing an IT environment as well as numerous studies with some of our customers to discover the “True” cost of a managed environment.

    I thought it was useful to start a series of posts on the subject of Update Management and Infrastructure Optimization that might allow you to have good conversations with your customers on the subject.

    So for the purpose of this introduction I’ll just copy one little piece from a study done in 2006 (so this is not a ‘new’ thing):

    WINDOWS DESKTOP BEST PRACTICES

    In this research, IDC evaluated more than 20 potential best practices and identified three that are consistently used by top-performing IT departments for optimizing Windows desktops.

    • Standard desktop strategy (savings of $110/PC): Deploying a standardized desktop by minimizing hardware and software configurations.
    • Centrally managed PC settings and configuration (savings of $190/PC): Keeping deployed PCs standardized by preventing users from making changes that compromise security, reliability and the application portfolio.
    • Comprehensive PC security (savings of $130/PC): Proactively addressing security with antivirus, antispyware, patching, and quarantine.

    http://download.microsoft.com/download/a/4/4/a4474b0c-57d8-41a2-afe6-32037fa93ea6/IDC_windesktop_IO_whitepaper.pdf


    Henk and Roger

  • The Future of the Internet in 2020

    This is a pretty interesting survey: Future of the Internet III: How the Experts See It

    Here are the key findings:

    • The mobile device will be the primary connection tool to the internet for most people in the world in 2020.
    • The transparency of people and organizations will increase, but that will not necessarily yield more personal integrity, social tolerance, or forgiveness.
    • Voice recognition and touch user-interfaces with the internet will be more prevalent and accepted by 2020.
    • Those working to enforce intellectual property law and copyright protection will remain in a continuing "arms race," with the "crackers" who will find ways to copy and share content without payment.
    • The divisions between personal time and work time and between physical and virtual reality will be further erased for everyone who is connected, and the results will be mixed in their impact on basic social relations.
    • "Next-generation" engineering of the network to improve the current internet architecture is more likely than an effort to rebuild the architecture from scratch.

    This shows me that our End-to-End Trust vision is more important than ever, as we will be relying on a trusted stack and a strong identity.

    Roger

  • Why it pays to be secure – Chapter 1 – Data Breaches

    Our EMEA Security Program Manager, Henk van Roest, started this series internally, and with his consent I am publishing it here in my blog, as I think it contains a lot of great information for you to use.


    Returning to the theme of deploying security updates once more, we need to look at the potential cost of not deploying updates: breaches.

    Studies are available for the years 2007 and 2008 for the US, the UK and Germany, as examples:

    http://www.encryptionreports.com/costofdatabreach.html

    Extract from United States Report:

    Among the study’s key findings:

    • Total costs continue to increase: The total average costs of a data breach grew to $202 per record compromised, an increase of 2.5 percent since 2007 ($197 per record) and 11 percent compared to 2006 ($182 per record). Breaches are costly events for an organization; the average total cost per reporting company was more than $6.6 million per breach (up from $6.3 million in 2007 and $4.7 million in 2006) and ranged from $613,000 to almost $32 million.
    • Cost of lost business continues to carry the highest impact: The cost of lost business continued to be the most costly effect of a breach averaging $4.59 million or $139 per record compromised. Lost business now accounts for 69 percent of data breach costs, up from 65 percent in 2007, compared to 54 percent in the 2006 study.
    • Third-party data breaches increase, and cost more: Breaches by third-party organizations such as outsourcers, contractors, consultants, and business partners were reported by 44 percent of respondents, up from 40 percent in 2007, up from 29 percent in 2006 and 21 percent in 2005. Per-victim cost for third party flubs is $52 higher (e.g., $231 vs. $179) than if the breach is internally caused.
    • “First timers” cost more, repeat breaches continue: Data breaches experienced by “first timers” are more expensive than those experienced by organizations that have had previous data breaches. Per-victim cost for a first time data breach is $243 vs. $192 for experienced companies. More than 84% of all cases in this year’s study involved organizations that had more than one major data breach.
    • Training and awareness programs lead companies’ efforts to prevent future breaches, according to 53% of respondents. Forty-nine percent are creating additional manual procedures and controls. Of the technology options, 44% of companies have expanded their use of encryption technologies, followed by identity and access management solutions to prevent future data breaches.

    Henk and Roger