Symantec is getting a free security lesson from the Redmond company

Jan 7, 2008 14:47 GMT  ·  By

Microsoft claims to have a code-securing process that is superior to Symantec's. There is, of course, something of a contradiction in the Redmond company's perspective. Symantec is, after all, one of the heavyweights of the security industry, and its entire business is focused on developing solutions designed to bulletproof insecure Microsoft products. But in the end, software is software, and Symantec's security solutions are just as prone to security vulnerabilities as any other piece of code. And, by Microsoft's account, even more so than the Redmond company's own software.

According to Michael Howard, a Senior Security Program Manager in the Security Engineering group at Microsoft, the difference comes from the Software Development Lifecycle. In an effort to boost the security of its products, Microsoft has begun applying a comprehensive methodology, dubbed SDL, to its software development process. Products that go through the SDL should, at least in theory, have not only fewer vulnerabilities but also a lower maximum severity rating for the flaws that remain. Case in point: Windows Vista, the first Microsoft operating system to go through the SDL and, according to the company, the most secure Windows platform on the market. Howard illustrated his point with a collection of buffer overflow vulnerabilities in the Autonomy KeyView module used by Symantec's Mail Security products.

"The vulnerabilities are not in Symantec code, yet Symantec customers are still open to attack. The issues lie in a small number of file parsers used in many applications created by a third party vendor. As you probably know, file parsing vulnerabilities are very common, and even though the number of such bugs has dropped significantly in Microsoft products, in the past we had many. Thankfully, the SDL's fuzzing requirements have significantly helped reduce the number of parsing-related vulnerabilities in our products. As I mentioned, the vulnerabilities are not in Symantec code; they are in dependencies, in DLLs provided by another company. The SDL refers to these as 'giblets', a term coined by Steve Lipner, a Senior Director at Microsoft", Howard explained.

Howard expressed a high degree of confidence that the SDL would have caught the majority of the parser vulnerabilities. The .WPD File Parser flaw, for example, would have been easily caught by fuzzing, code inspection or static analysis. The same holds for the .SAM File Parser and .MIF File Parser vulnerabilities, which involve APIs that the SDL has banned from Vista. Of all the bugs in Symantec's product, the .DOC File Parser vulnerability was the only one Howard had doubts about.
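The file-parser bug class Howard describes, and the two SDL counters mentioned above (fuzzing, and replacing banned APIs with size-aware ones), are easy to see in miniature. The C below is an added example written for this article, not code from Symantec, Autonomy or Microsoft; its record format, function names and rejection codes are all constructed for illustration. It places a length-trusting parser beside a bounds-checked one and runs a small deterministic mutation fuzzer over the checked version, with a canary placed after the output buffer to detect any out-of-bounds write.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy record format for this example (not any Autonomy, Symantec or
 * Microsoft format): byte 0 is a declared payload length N, bytes 1..N are the
 * payload. Each parser copies the payload into a NUL-terminated output buffer. */
#define REC_OUT 16

/* "Before": trusts the length byte, the pattern behind classic file-parser
 * overflows. Shown for contrast only; nothing below runs it on mutated input. */
int parse_record_unchecked(const unsigned char *in, size_t in_len, char *out)
{
    if (in_len < 1) return -1;
    size_t n = in[0];
    memcpy(out, in + 1, n);   /* n is bounded neither by in_len nor by REC_OUT */
    out[n] = '\0';
    return (int)n;
}

/* "After": the destination size travels with the pointer (the idea behind the SDL's
 * banned-API replacements), and N is checked against input and output sizes. */
int parse_record_checked(const unsigned char *in, size_t in_len,
                         char *out, size_t out_len)
{
    if (in == NULL || out == NULL || out_len == 0 || in_len < 1) return -1;
    size_t n = in[0];
    if (n > in_len - 1) return -2;   /* truncated input: claims more bytes than given */
    if (n >= out_len) return -3;     /* payload would overflow out (room for the NUL) */
    memcpy(out, in + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Minimal deterministic mutation fuzzer: flip a few random bytes of a valid seed
 * record, feed it to the checked parser, and watch a canary placed right after the
 * output buffer. Returns how many iterations damaged the canary (expected: 0). */
unsigned long fuzz_checked_parser(unsigned long iterations)
{
    static const unsigned char seed[32] = { 5, 'h', 'e', 'l', 'l', 'o' };
    unsigned char buf[sizeof seed];
    unsigned char guarded[REC_OUT + 8];   /* REC_OUT output bytes + 8 canary bytes */
    unsigned long corrupted = 0;
    uint32_t rng = 0x2545F491u;           /* fixed seed keeps runs reproducible */

    for (unsigned long i = 0; i < iterations; i++) {
        memcpy(buf, seed, sizeof seed);
        int flips = 1 + (int)(rng % 3);
        for (int f = 0; f < flips; f++) {
            rng = rng * 1664525u + 1013904223u;   /* LCG step */
            buf[(rng >> 16) % sizeof buf] = (unsigned char)(rng >> 8);
        }
        memset(guarded, 0xA5, sizeof guarded);
        parse_record_checked(buf, sizeof buf, (char *)guarded, REC_OUT);
        for (size_t k = REC_OUT; k < sizeof guarded; k++) {
            if (guarded[k] != 0xA5) { corrupted++; break; }
        }
    }
    return corrupted;
}

/* Hand-made records (constructed input) exercising each path of the checked parser. */
int example_valid_record(void)        /* returns 3: "abc" parsed */
{
    static const unsigned char rec[] = { 3, 'a', 'b', 'c' };
    char out[REC_OUT];
    return parse_record_checked(rec, sizeof rec, out, sizeof out);
}

int example_lying_length(void)        /* returns -2: claims 200 bytes, supplies 3 */
{
    static const unsigned char rec[] = { 200, 'a', 'b', 'c' };
    char out[REC_OUT];
    return parse_record_checked(rec, sizeof rec, out, sizeof out);
}

int example_oversized_payload(void)   /* returns -3: 40 bytes into a 16-byte buffer */
{
    unsigned char rec[1 + 40];
    char out[REC_OUT];
    rec[0] = 40;
    memset(rec + 1, 'x', 40);
    return parse_record_checked(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("valid=%d lying=%d oversized=%d canary hits=%lu\n", example_valid_record(),
           example_lying_length(), example_oversized_payload(), fuzz_checked_parser(20000));
    return 0;
}
```

Compile with a C99 compiler and run; the canary count should be 0 because the checked parser rejects every record whose declared length exceeds either the bytes supplied or the output buffer. The same fuzz loop pointed at the unchecked parser, under a sanitizer or a debugger, would flag the write past the buffer on the first oversized length byte, which is the kind of finding the SDL's fuzzing requirement is meant to surface before release rather than after.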