Bruce Schneier and Adam Schostack

Bruce Schneier and Adam Schostack of Zero Knowledge have penned a wonderful, balanced whitepaper laying out a security map for Microsoft's Trustworthy Computing initiative, spelling out, piece by piece, the root causes of the security problems in MSFT products, and a roadmap for mitigating them in the future.

Originally, e-mail was text only, and e-mail viruses were impossible. Microsoft changed that by having its mail clients automatically execute commands embedded in e-mail. This paved the way for e-mail viruses, like Melissa and LoveBug, that automatically spread to people in the victims' address books. Microsoft must reverse the security damage by removing this functionality from its e-mail clients, and from many other of its products. This rigid separation of data from code needs to be applied to all products.

Microsoft has compounded the problem by blurring the distinction between the desktop and the Internet. This has led to numerous security vulnerabilities, based on different pieces of the operating system using system resources differently. Microsoft should revisit these design decisions…

Office: Macros should not be stored in Office documents. Macros should be stored separately, as templates, which should not be openable as documents. The programs should provide a visual interface that walks the user through what the macros do, and should provide limitations of what macros not signed by a corporate IT department can do.

Internet Explorer: IE should support a complete separation of data and control. Java and JavaScript should be modified so they cannot use external programs in arbitrary ways. ActiveX should eliminate all controls that are marked "safe for scripting."

E-mail: E-mail applications should not support scripting. (At the very least, they should stop supporting it by default.) E-mail scripts should be attached as a separate MIME attachment. There should be limitations of what macros not signed by a corporate IT department can do.



(via /.)