Windows Exploits Come from Third-Party Apps

According to Microsoft’s Security Intelligence Report (SIR), malware writers aren’t targeting Vista directly; they’re using holes in third-party apps to attack people’s systems instead. Microsoft’s data agrees with that of independent anti-malware company Kaspersky Lab: while direct attacks on XP account for almost half of its vulnerabilities, nearly all attacks on Vista are done by way of exploiting third-party software.

ZDNet’s article on the report includes these graphs comparing the top 10 browser-based vulnerabilities on Windows XP and Windows Vista:

Graph: Top 10 browser-based vulnerabilities in Windows XP -- half are Microsoft's fault.

Graph: Top ten browser-based vulnerabilities in Windows Vista -- all are third-party apps' fault.

One question that comes to mind: is it because Vista is more secure, or because XP is the more attractive target simply because it represents a larger base of targets? I certainly don’t know the answer.

Another question that naturally arises from this is: How do you solve the problem of vulnerabilities through third-party apps? I’m a firm believer in Bruce Schneier’s maxim, “security is a process, not a product,” and think that the best approach is a multi-pronged one. The prong for which I’m responsible is educating developers about application security, and as I find out more about the Windows platform and security, I’ll write about it here on Global Nerdy as well as in some of Microsoft’s developer-focused sites.

My PDC Interviews: Don Box, Miguel de Icaza, John Lam, Phil Haack and .NET Micro Framework

A number of people have asked me how many sessions I attended at last week’s Microsoft Professional Developers Conference; my answer was “I only attended the keynotes”. Since every session was recorded on video (with a split screen showing both presenter and presentation) and made available online, I decided to focus on what you can’t replicate outside the conference: getting to know people in the Windows developer community.

It’s standard procedure at Microsoft to assign “buddies” to new hires to help them get acclimated. I have the very good fortune of having John Bristowe as one of my buddies; not only is he a warm and friendly guy, but I also already know him (his sister Ashley and I went to Crazy Go Nuts University together). John’s big on podcasting and was very generous in sharing the interviewer’s chair; he let me do a lot of interviews as a way to both get podcasting practice and introduce myself to people in the Windows world. Thanks, John!

You’re going to need Silverlight to view these videos. If you’re rolling your eyes at the prospect of having to download yet another plugin, keep in mind that Silverlight is a pretty cool tool for writing rich internet apps, I’ll be covering it rather extensively soon, and it’s catching on. Besides, you can’t see the videos without it!

Don Box on My Joining the Dark Side, Demos, Oslo and M, Zombies and How to Pronounce “Azure”

Still from Joey deVilla's interview with Don Box
Click the picture to see the video of the interview.

After introducing myself to Distinguished Engineer (yup, that’s really his title) Don Box as “Microsoft’s Newest Employee”, I told him about my coming to Microsoft from the F/OSS world and asked him to please tell me that I hadn’t made a tragic mistake and ruined my life by coming over to the Dark Side. We also talked about his preparation process for his keynote demo, the Oslo platform and the M programming platform, the proper way to pronounce “Azure” and whether or not Microsoft is ready for the zombie apocalypse.

Miguel de Icaza on Mono

Still from Joey deVilla's interview with Miguel de Icaza
Click the picture to see the video of the interview.

I had a great chat with Mono Project lead Miguel de Icaza about Mono, their answer to Silverlight, the number of people in the Mono Project and how you, as a Windows developer, can take Mono out for a spin. We also talked about how to pronounce “Azure”, and Miguel speculated that the name was a clever choice because the disagreement over its pronunciation is a great way to get people talking about it.

John Lam on IronRuby

Still from Joey deVilla's interview with John Lam
Click the picture to see the video of the interview.

It’s always good to catch up with Toronto-area guy turned Redmond guy and IronRuby creator John Lam. We had a quick chat about IronRuby and the current state of the project. In the interview, he reminds us that IronRuby is an open source project, talks about the Ruby standard implementation tests it’s currently passing and what to expect from IronRuby in the near future.

Phil Haack on ASP.NET MVC

Still from Joey deVilla's interview with Phil Haack
Click the picture to see the video of the interview.

Phil Haack not only has the coolest surname for a techie, he’s also got an MVC framework for ASP.NET, just like the ones the Rails, Django and Cake people get to play with. In this interview, we talk about MVC web frameworks for the uninitiated, as well as get his take on how to pronounce “Azure”.

.NET Micro Framework

Still from Joey deVilla's ".NET Micro Framework" interview
Click the picture to see the video of the interview.

Believe it or not, there’s a .NET framework for embedded devices, the .NET Micro Framework. In this interview, I learn about .NET programming for small devices, the “Dare to Dream Different” contest (where you can win great prizes for coming up with new applications for the .NET Micro Framework) and about what donuts have to do with microcontrollers. Mmm…donuts!


Slice of Life from PDC, Part 4: My Crappy Hotel

Night shot of the Cecil Hotel

Over on my personal blog, The Adventures of Accordion Guy in the 21st Century, I’ve got a long (but entertaining) review of the hotel I stayed at while attending the Microsoft Professional Developers Conference titled A Dump with a Future.