Longhorn Development Raising Virus Concerns

It’s still at least a year from being available to consumers, but already questions are being raised about whether some parts of Microsoft’s Longhorn might actually make the operating system more vulnerable to some relatively primitive kinds of viruses.

A Symantec security researcher first sounded the alarm at the Virus Bulletin International Conference in Chicago about so-called script viruses, which first appeared around 1998 and peaked with the Melissa and Love Letter viruses in 1999 and 2000.

Researcher Eric Chien said Microsoft Shell, also known as Monad, could pose a security risk because it is designed to enable developers to configure systems using text scripts containing multiple commands. Designed to give administrators and application developers more flexibility in working with the Windows platform, the tool could also spawn malicious code.

Chien said malicious code writers will be drawn to Monad’s ability to handle multiple commands in short bursts of code. He noted that it was code written in Visual Basic script that enabled early virus outbreaks.

Other Security Features

Microsoft, however, said the concerns about the script overlook the fact that Monad will not enable circumvention of Longhorn’s other security features and noted that the feature remains under development. The company has said all along that Longhorn will be the first version of its operating system designed with security as a central component.

Gartner analyst Michael Silver said that while Microsoft once was willing to let Longhorn develop on its own schedule, it now recognizes the importance of making the release available sooner rather than later because of competitive threats from Linux and a lack of motivation among its established customer base to upgrade in large numbers.

“They’ve started to fill in some of the gaps in the roadmap to get to Longhorn,” Silver said. “They are going to be very sensitive about any suggestions that it’s not going to be safe and secure.”

Because the final details of Longhorn are not completely known, the company gives itself flexibility to address issues as they arise, Silver noted, and to build in features it believes can best answer the Linux challenge. “This is one of the reasons you release developer copies of software,” he added.

Stripped Down Longhorn

Separately, Microsoft revealed that it is working on a “light” version of Longhorn that contains stripped-down versions of the code, a move that could better secure server versions of the program and reduce the cost of maintaining and patching the software for customers.

The innovation is expected to be available when server versions of Longhorn hit the market in 2007 and is widely seen as an improvement over the existing approach, in which parts of the Windows code not used in servers, such as storage, file or printing functions, are present but simply never activated.

The idea, according to Microsoft, is to include only the parts of the code that are needed for a specific function, such as a server, which would reduce the need to patch systems each time a new vulnerability is found in other parts of the code and make it more difficult to launch attacks on servers.

Priming the Pump

Yankee Group analyst Laura DiDio said Microsoft has wrestled with how closely to tie together the two versions of its operating system and might have learned from the long lag between the upgrade of XP and the Windows Server 2003 release that customers want better integration.

Parsing the code would be one way of providing better integration without exposing servers to every security flaw that might arise on the full code, she told the E-Commerce Times.

“This is a question that Microsoft has clearly focused a lot of energy towards,” DiDio said. Meanwhile, the now steady release of details about the features and approaches Microsoft will offer is important to enterprises that have to make plans for future upgrades.

“Microsoft knows that it needs to start getting people to think about upgrading now so they’ll be ready to do so when the release is out,” she added.

More by Keith Regan