Microsoft's glasnost on interoperability means more bugs

But in the long run, say experts, it could bolster security for everyone

Microsoft's decision last week to let everyone snoop through its software secrets means vulnerabilities and exploits will almost certainly climb in the short term, security researchers said Monday.

But the move to open the communications protocols and APIs for Microsoft's newest and highest-profile products, including Windows Vista, Windows Server 2008, Office 2007 and others, should translate into better security for everyone in the long run, said those same researchers.

"The net [result] is that we'll see quite a few vulnerabilities over the short run, but over time, we'll gain security," said Andrew Storms, director of security operations at nCircle Inc. The bump in vulnerabilities and exploits that leverage the flaws, however, could be substantial. "It'll be a giant kind of hump in the curve," he warned.

And the hump could show up sooner rather than later. "In the end, it's going to be a good thing, but it will be a bit of a roller coaster ride. I wouldn't be surprised to see it start in eight weeks or so," Storms added.

On Thursday, Microsoft announced changes in how it deals with open-source developers and software rivals, pegging the new positions and initiatives as "interoperability principles." The first spelled out by CEO Steve Ballmer and other company executives, and the one that drew the most attention, was a promise to open its protocols and APIs to everyone's scrutiny.

To back up its talk, Microsoft immediately began posting more than 30,000 pages that documented the protocols and APIs of the Windows client and server software. Documentation for the other products will follow no later than June, said Bob Muglia, head of the company's server and tools division.

Storms and Tyler Reguly, a security research engineer at nCircle, see the newly revealed documentation as a mother lode for researchers of all stripes.

What they get out of mining the Microsoft protocols and APIs, said Reguly, "depends on the kind of researcher you're looking at." Criminal types, he continued, will be able to take advantage of anything they find almost immediately. But most researchers working for security vendors will have a tougher time. "They may not be able to integrate [what they find] into their products right away," he said.

Some of what's tucked into those 30,000 pages will also be new to all, or at least some, hackers. "Some protocols exist now almost in full form," thanks to countless hours of reverse-engineering, Reguly said. "But other protocols aren't publicly specced out. So this levels the playing field." Those who had previously puzzled out the inner workings of Microsoft Windows on their own will be joined by others who now have a "leg up." Translation: more hackers.

Other security professionals disagree. Alfred Huger, vice president of development in Symantec's security response group, figures the documentation won't make much difference. "In the short term, there will be an influx of bugs, yes," said Huger, "but the people who are finding [quality] vulnerabilities and writing exploits, they already have enough of this sorted out."

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?