11 June 2002
Microsoft’s “trustworthy computing” initiative has – not surprisingly – uncovered flaws in some of the code for the company’s Windows operating system.
The four-month-long, ongoing project to locate flaws in Windows that malicious hackers could exploit has uncovered a number of vulnerable features. The vulnerabilities are mostly in code for legacy features that the company has maintained for compatibility with older software.
In an interview with ZDNet, Microsoft’s director of security assurance Steve Lipner said the company would now be phasing out backward-compatibility features far more quickly than it has done previously.
As a result of the audit, the company had planned to turn off support by default for the legacy protocol gopher – once used in a similar way to the web – in the next update to Internet Explorer, even before a Finnish researcher discovered a flaw in the program that could be exploited to gain access to the user’s PC.
“A lot of design changes are to remove this feature or turn that one off by default,” Lipner said. When the security team encounters a flaw and has to choose between removing the feature and keeping it to please some customers, Lipner said, the company is increasingly favouring the more secure approach. But the result will be a quicker turnover of old code. “Do we think that things will be retired more quickly? Sure,” he added. Lipner would not comment on which features of Windows had known security flaws.