In this interview at the 2011 Gartner Security & Risk Management Summit, Neil MacDonald, Gartner vice president and Gartner fellow emeritus, discusses several issues related to endpoint platform security, including the importance of patch management, not only for Microsoft software but also for third-party applications like Adobe and Java. MacDonald also discusses Internet Explorer 9 (IE9) security improvements, but explains why not all enterprises should deploy it right away. Later he discusses his Windows 8 security feature wish list, and why potential Apple security issues shouldn't be overlooked.
Read the full transcript from this video below:
Gartner’s Neil MacDonald on IE9 security, Apple security issues
Interviewer: Neil MacDonald, Gartner vice president and Gartner Fellow
Emeritus. Thank you so much for joining us today.
Neil MacDonald: My pleasure.
Interviewer: We're going to talk a little bit about the state of
Microsoft security and a few other related things. So first off,
Microsoft released 106 security bulletins in 2010, more than in
any other previous year. Some say that suggests that trustworthy
computing in Microsoft is not in a good place; some say it's
doing what it should. What's your take?
Neil MacDonald: First of all, you have to look at other vendors as well. If you look
at the data from Secunia or X-Force or some of the independent
labs, Microsoft is definitely high, but in terms of number of
vulnerabilities so is Apple, so is Adobe, and so is Oracle. I
think we have to take a step back and say, "Is Microsoft worse or
better than the rest of the industry when it comes to
The data shows all of the vendors are having issues. I think
it's more reflective of the bad guys getting very clever in how
they can reverse-engineer the code and find the vulnerabilities.
Microsoft has their secure development life cycle practice. Like
I said, I think it's more of a reflection of the bad guys
getting smarter and finding more clever ways to go after these
vulnerabilities and discover them.
It's affecting all vendors, not just Microsoft, and that's
reflected in the data that we see. I don't think that Microsoft
is worse than other vendors, but can Microsoft improve?
Absolutely. Could Oracle improve? Could Apple improve? Could
Google improve? Absolutely, and that's what the data is saying.
The bad guys have a slight edge; all the vulnerabilities are up
across the board.
Interviewer: Some data from a couple of Verizon's recent Data Breach
Investigations Reports suggest that virtually no breach
incidents are occurring due to what it calls patchable
vulnerabilities. Does that suggest that software security
patching in general, and in Microsoft patches in particular,
aren't as important as these?
Neil MacDonald: I disagree with that. Most security vulnerabilities, when you track
down how the attack is able to do what it does, in many cases the root
cause is either a misconfiguration or some type of vulnerability
that was ultimately addressed. I agree that end users are a much
easier vulnerability to go after. If I can trick somebody into
downloading a Trojan I may not even need a vulnerability on a
machine to get a footprint.
I agree with that, and I think bad guys are going to go where
it's easier. Is it easier to find some zero-day in Adobe or
Microsoft or is it easier to go trick a user? Many times it's
easier to go trick a user with social engineering techniques. But I
would disagree with, "Oh, we no longer need the patch." No,
absolutely continue to patch, continue to have good patch
management process discipline. Maybe we can shield from attacks
on those vulnerabilities with network-based IDS or web app
firewall, but by all means, patching still must be a
foundational element of our information security strategy, as
well as configuration management.
Interviewer: Let's talk about Internet Explorer 9. There have been some
varying reports about how secure it is versus its competitors.
How does IE9 security stack up?
Neil MacDonald: Some good news here. Microsoft continues to improve the security of
their browser. IE6, if you're still on it, please get off as
soon as possible. IE7 improved on IE6, that wasn't too hard.
IE8, though, continued to raise the bar and that's where most
IE8 is the default browser with Windows 7. IE8 also runs on XP.
That's where most people are putting their standardization
efforts around, especially as they make the migration to Windows
7. Now we've got IE9 coming up. One thing Microsoft did, which
will inhibit adoption, is it only runs on Windows 7. I don't
know if you knew that. Now you have an XP population that is
going to have to be on a different browser. That's not optimal.
I would prefer to have one browser standard across my entire
population, whether it's IE8, or it could look at Firefox, or it
could look at Chrome.
The good news is Microsoft continues to raise the bar in terms
of security with each release. IE8 added URL Reputation. In IE9
the most significant feature is called File Reputation Services,
the same type of technology Symantec is talking about with SEP
12 with the Insight technology, McAfee with Artemis, Trend with
the Smart Protection Network, Sophos with Live Protection;
Microsoft is doing the same thing. File reputation service is
based on visibility across their community of users, and that is
baked into IE9. The idea is that when users
encounter malicious sites, maybe it'll catch it with URL
filtering. Again, that was introduced with IE8. Or they might
catch the file itself using file reputation services that were
introduced in IE9. To me, that was the single, biggest security
feature that was added between releases.
There are some other smaller changes, but to me that was the one
that jumped out and said, "That's really cool. That's really
interesting technology." It makes sense because at the end of
the day, the bad guys continue to try to trick users into going
to sites and downloading stuff, and to the extent that Microsoft
could incorporate file reputation services to address that, I
thought that was a great advance forward.
Interviewer: Many of the malware issues on Windows PCs today don't even
have to do with Windows, or very minimally. We're talking about
Flash issues and Adobe issues, they top the list. What can
enterprises do about what seems to be a rampant problem with
third-party software flaws?
Neil MacDonald: Remember the question earlier,
should we patch or not. Absolutely, I
said. What the bad guys are figuring out is that if we're
doing a pretty good job of patching Windows and configuring it
correctly, then I'm just going to move up the stack. What's the
next most common desktop element that people are going to run?
It could be your antivirus agent so I'll go after Symantec,
McAfee, Trend, Sophos, etc.
What else does everybody run? Adobe, Adobe Reader, Adobe Flash,
or it could be WebEx. There are other common controls and
desktop elements that are used widely. Java Virtual Machines are
another great example. There was a significant increase in Java
Virtual Machine attacks last year. But you get up. The bad guys
aren't dumb. They're really smart and they're looking. "Well,
you know what? If you're getting better at patching Windows,
I'll go up the stack because you're maybe not as good at
patching Adobe." That's true for many enterprises. They have
really good patch management discipline around Windows, they've
got a good patch management discipline around Office, but they
haven't applied that same discipline to the common desktop
elements and common browser-based controls.
In terms of vulnerabilities, and I think I mentioned this
earlier, Adobe was towards the top of the list in attacks on
malformed PDF and attacks on Flash. They were rampant. So the
bad guys are smart and they're going to move up to these common
desktop elements. It's the path of least resistance. You're
going to make it harder for me to attack Windows because you're
patching? Okay. Fine, I'll move up and I'll set my sights a
little bit higher.
What that means for enterprise IT departments is if you're only
taking responsibility for patching Windows and Office, you
aren't doing enough. You've got to patch, at a minimum, Adobe
Reader, Adobe Flash; I would say the Java Virtual Machines that
you're running at the clients, and of course, your endpoint
protection agent, again, Symantec, McAfee, Trend, Sophos, keep
up-to-date with their security patches as well. Very likely,
that means expanding your patch management program to address
these common desktop elements. Many organizations haven't done
Interviewer: We're hearing some very interesting rumors about Windows
8, at least from a functionality standpoint. Are you hearing
anything from a security standpoint and any early guidance for enterprises?
Neil MacDonald: I haven't heard anything specific on security in Windows 8. I can
tell you there are some things I would like Microsoft to do.
Microsoft could put mandatory access controls within the
operating system to provide a very firm and secure foundation on
how applications access operating system resources. It would be
the equivalent of what SELinux has done for hardening Linux.
Microsoft could take a similar approach. They've done some of
this with something called mandatory integrity controls. That
was technology introduced in Vista and it's there in Windows 7.
So they've taken a step. It's what enables, for example,
protected mode browsing with IE8 running on top of Vista and
Windows 7. It helps to isolate the browsing process and treat it
as less trusted from the rest of the operating system. I think
there's a lot more Microsoft could do there. The application
whitelisting technology, called AppLocker, is only available
with Windows 7 Enterprise. I think Microsoft could improve the
whitelisting capabilities of Windows to be more directly
competitive with vendors like Bit9, Coretrace, Lumension or
McAfee with the Solidcore technology. There are definitely
improvements there that would be welcomed.
What we believe Windows 8 should be is a composable operating
system that has a common microkernel and the common microkernel
could work across x86 as well as ARM. Microsoft has publicly
stated that Windows 8 would run on ARM. With this common
microkernel, you could have a foundation for technologies like
Windows Phone 8, which is just a variant of this same
architecture, or a tablet, or an enterprise machine.
That's what we think Windows will be. We've written about this
in the past. We call it the ability to composite workspace and
be able to share, to some level, applications across these
different environments. We think that's what Windows 8 will be.
Of course, Microsoft is being very tight-lipped so they don't
ultimately over-promise and under-deliver. They're being very
Interviewer: Finally, let's talk briefly about Apple and the Mac OS,
which for many years has been thought to be largely protected
from malware. That's starting to change at least a little bit.
Should enterprises that have a significant Mac OS investment
start to take more action in that regard?
Neil MacDonald: I think there's a common misconception that Mac users have, that they
won't be attacked, and they will be attacked. Another common
misconception is that Apple writes perfectly impenetrable code.
The reality is that Apple has vulnerabilities just like
Microsoft, just like Google, just like Oracle. All of them write
code that could be improved, including Apple. So yes, there are
There are a couple of things that help to mitigate the risk to
date with Apple. One has been, in the enterprise, the relatively
low market share. The bad guys, we said earlier, go after what's
easy. If there's a lot more Windows and the Windows machines
aren't being patched or they're not fixing Adobe, it's actually
easier to go after Windows users. So one factor is, how big is
the market share?
Another factor is that for years on Apple, users run as what you
could call standard users. They don't have administrator rights.
That's been the model with Apple for a long time. For Windows
users, for better or for worse, the reality is that the majority
still run their users with administrator rights. That means the
code, the malware that gets on the machine, runs in the context
of the user, which means it has administrator rights which gets
it very deeply rooted into the system.
Most Apple users aren't administrators. They'll get prompted,
which is ironic because a lot of the criticism for Windows and
User Account Control was the prompting, yet we have the same
situation on Linux or Mac when things need to elevate. It's the
same type of problem. What you have in the Apple world is just
better written software. I think it's a reflection of history
that Apple had a much better architecture, encouraging the
developers to write code that would run correctly as standard
user so the experience is much better.
Think about your iPhone. Most people aren't admins on their
iPhone and they don't care. They don't feel like they're being
locked down. They can go download any one of millions of apps as
long as they're in the Apple iStore, the Apple app store. They
can download the apps that they want to run. They don't
necessarily feel constrained. Some people, a rare percentage,
will jailbreak. What that means is getting admin access. What
Apple has shown is that running a standard user without
administrator rights can be quite pleasant and people can like
it. That's what the iPad is, that's what the iPhone is and
that's what Microsoft should do with Windows and the application
ecosystem should do with Windows.
Those are the mitigating factors. If an enterprise client asked
me, "Should I run antivirus protection on my Mac?" I would say,
"Well, do you have users that surf the web? Do they click on
attachments? Can they be easily tricked?" You probably have the
same type of users I do and it's not Mac or Windows that's the
problem, it's typically the users. There, I think we can agree,
we have a vulnerability. So do you need antivirus malware
protection on the Mac? Yes, and that's our position.