SAN FRANCISCO -- The future of Windows security likely will involve a kind of back-to-basics approach to preventing attacks and malware infections through the use of features such as application whitelisting, further integration of TPMs and more extensive use of code signing.
Microsoft Corp. has been working on many of these technologies for several years, and some of them are already used in various forms in Windows XP and Vista. But the company is working on ways to make the operating system and core applications smarter and more efficient at blocking threats as early in the process as possible, according to Microsoft product unit manager David Cross.
During a session Thursday at RSA Conference 2008, he said the company is pleased with how such Vista security features as the User Account Control (UAC) have worked out, but that the company is seeking ways to make them more automated and less invasive for users.
"The reason we put UAC in Vista was to annoy users," Cross joked. "But seriously, we needed to change the ecosystem and we had to use a pretty heavy hammer to do it."
Cross said Microsoft has been analyzing data collected from more than a million Vista systems and found that the majority of user sessions don't have any UAC prompts in them, and that the number of programs that are generating UAC prompts is dropping.
Still, he said, Microsoft is looking to make the security features less obtrusive in Vista and future versions of Windows. Specifically, the company wants to make better use of things such as application whitelisting, which prevents any application from running other than those explicitly allowed by the user. This can not only enable administrators to prevent employees from running unwanted but legitimate applications like Skype or Gnutella, but can also stop malware from executing.
The company has also been working on better ways to isolate running applications and to integrate code signing with UAC. Much of this work is a response to the decreasing effectiveness of classic signature-based defenses such as antivirus, IDS and antispyware software: signatures are of little use against threats that shift tactics and behaviors continuously.
"The threats are more complex. It's a maze now. We're seeing on average about a thousand new threats every day," said Vinny Gullotto, head of Microsoft's Malware Protection Center, who spoke during Cross's session as well. "I'd say back in the days of LoveLetter and Nimda, we would see about 500 a month. Signature-based technology should be a final backstop. Behavior monitoring should be the main defense."
Gullotto said that sophisticated threats such as rootkits and custom Trojans used in highly targeted spear phishing attacks present unique problems that can't be solved with signature-based tools. "Rootkits are still a big concern," he said. "I don't think we've seen the peak of the problem with them yet."
Cross said he expects Microsoft to invest more heavily in a number of other security areas as well, including better integration of trusted platform modules into the computing environment.