Thanks to xStainDx for his post in BPN.
News source: ZDnet
It must be tough to be the largest software company in the world. Everyone's always trying to exploit every little hole in your applications and every little mistake you make gets played up in the media. On the other hand, your software is in so many homes and offices across the world that you directly or indirectly touch the lives of millions, if not billions, of people.
With that popularity, though, comes a responsibility not only to call attention to any flaws in your products that might adversely affect your customers, but also to build products from the ground up that are as secure as they can be. Microsoft is improving its track record on the former, but after almost two years of Trustworthy Computing, I've yet to see much progress on the latter.
Let's start with the positives. Since the MSBlast worm appeared last month, the software giant has been on the media offensive, doing its best to make sure everyone knows about a new patch that fixes a newly discovered flaw in Windows. The company even set up a dedicated Web site to help people protect their PCs against worms and other attacks.
The site is hardly perfect. It basically tells you how to turn on the Windows XP firewall that's left off by default. If Microsoft really cared about securing the millions of Windows computers in the world, it would have enabled the firewall component in XP by default. It also would have disabled a long list of services and protocols that do little for you and me, yet make us bait for any hacker smart enough to exploit them.
Still, it's great that Microsoft's being proactive, right? Well, sort of. It's great if the folks in Redmond really mean it. Trouble is, Microsoft hasn't been aggressive in locating its own software flaws--it still leaves that job to third-party security experts. And even when it finds out about problems from others, it doesn't always fix them in a timely manner. Internet Explorer, for example, contains 31 flaws that are known yet unpatched. Moreover, I've yet to see new software from Microsoft that is actually more secure than previous versions.
I'M THINKING about this last issue right now because the final shipping code for the next version of the Microsoft Office suite just arrived on my desk today. This is the version that'll run on new computers sold this holiday season. It won't be in stores until Oct. 21, but I've got an advance copy so my colleagues and I can evaluate it before it ships.
Though Microsoft's PR folks are touting the new Office as the latest and greatest, I have reservations about the application suite from a security standpoint. More to the point: Will it be any more secure than earlier versions of Office?
Am I to believe, as the Trustworthy Computing initiative promised, that Microsoft developers have reviewed every line of code to make sure Office 2003 is free of security vulnerabilities? Or that Microsoft has redesigned Word, Outlook, and Excel, employing the latest security techniques? When I expressed these concerns to Microsoft's PR reps, they simply answered: "We'll get back to you."
UNFORTUNATELY, history is not on Microsoft's side. Office 97 required so many service patches (many of which dealt with security issues) that the software giant rushed out Office 98 several months ahead of schedule. I know from my briefings with Microsoft that Office 2003 will contain many new ways for computers to communicate with the Internet, including several ways to authenticate documents and e-mails. That means more of your PC's ports will be open to the Internet, providing more opportunities for hackers to find new flaws to exploit.
I believe it's reasonable to expect Microsoft to secure the new version of Office. After all, it was Bill Gates himself who threw down the gauntlet almost two years ago and asked his employees to ensure the security of all Windows products. I'm just asking the company to follow up on the promise. So far, it's not looking good.

Microsoft certainly has a historical problem of adding features without considering the security implications, but this does now appear to be recognised by MS, and they are trying to deal with it via the Trustworthy Computing Initiative by reviewing all code thoroughly and taking a security-first approach to system configuration - but is this enough?
Given that even SSH (which has "secure" in its name, let alone its code!) has had root exploits, it does seem that even a relatively small and focused security app cannot be made totally secure in a reasonable amount of time (given enough time and people, every vulnerability should be found and closed... but how long?). It's difficult to imagine an OS-sized chunk of code and all its associated applications ever reaching a state of being totally secure... although I'm sure *BSD users will disagree.
One enormous security problem that the article doesn't even touch on is insecure users - even if every line of the latest Microsoft OS and Office suite (is that 100 million lines? More, I would guess) is mathematically verified as being as secure as a secure thing, it only takes the average user blindly running the attachment they just received and all bets are off... I guess in the search for security we'll have to stop unsigned .exes, stop receiving unsigned mail attachments... that really gives big business a justification for the TCPA; now all your PC are belong to us.
Just hope those erroneously issued Microsoft Root keys are invalidated by the time TCPA arrives...
No, as no OS is 100% secure; popularity just makes it easier to exploit.
No matter Unix, no matter MS.
Popularity doesn't magically make holes appear in the security of an OS. Popularity just makes more targets to attack.
Popularity doesn't have anything to do with the nasty OS Microsoft makes, nor does the security have anything to do with popularity.
I think the point he is making is that being popular makes it more worthwhile to exploit, if Unix was as popular, you bet hackers would try hard and find plenty of problems, but why bother when hardly (by comparison) anyone is using it on their desktops?
It might be secure in your context but not globally. Kernel vulnerabilities get exposed on all flavors of Unix, and application/vendor vulnerabilities abound. Unless it's a server serving nothing, it is not fundamentally secure by default -- it has the OS elements covered. There are still the administrative elements, which involve firewalling, patch management, etc.
The same is true of Windows, even with the vulnerabilities. So saying unix is simply secure is a head-in-the-sand exercise.
We've moved all our development over to .NET and have seen instant security patches to all of our new software simply by newer versions of the framework.
Take for instance the 1.1 framework on ASP.NET apps. Did you know that with the 1.1 framework, if you try to type any HTML into a form, the form will return an error, unless you specifically put a flag on the page allowing it?
That was an instant "poof, remove a vulnerability that all our pages had".
The framework will also allow all the apps written with it to take advantage of some of the new hardware security initiatives and OS features such as form/application/memory hiding, and already by default restricts how other applications can touch your app.
They are getting there, but we won't see it till Longhorn. In the mean time, they are giving us developers the tools to move along with them.
IMHO
wow what a mistake.
Yeah, keep talking. Way to make people's decisions for them without any information whatsoever.
I'm afraid you'll have to regret that quote...
Yeah, .NET apps might be more secure as they run managed code, but what about the underlying platform and the code that isn't rewritten to use managed code?
I'm beginning to think you work for SUN with your FUD. But even they would agree that managed code is > unmanaged code...
That's why I'm looking forward to Longhorn, as it's a big push towards rewriting the underlying platform rather than just an add-on to the OS as it is now.
Add this to the fact that this company's products are used the world over by millions and have touched the lives of billions, and then you realise that they do not care to make their products secure. If it was of that much importance to Mr Gates and his company/employees, it would not just be a challenge he issued to them; it would be part of the company's philosophy.
Not enough in-house testing is done, and Microsoft is responsible for this. They should stand up and be counted for what they are, and this is a manufacturer of wholly insecure consumer products.
Until his company's attitude changes, the public's opinion of Microsoft will always be that they are insecure by nature.
Isn't it? What would you call it the way it is now? They completely stopped development on new software for a month so everyone could learn better coding techniques. What else do you want for it to be a company philosophy?
I seem to have hit a nerve here...
I currently use IE, Office, WMP, Windows XP, Visual Studio, Fox Pro, and a few others. Over the past 2 years, I must have had to install well in excess of 200 patches for all these products. This is not acceptable in my opinion.
You say that they stopped development for a month; well, I will have to take your word for it, but so what? The products are still insecure sitting on my desktop. So whoopee for Microsoft and their "Coding Techniques"; a secure product is what I want, not excuses.
Uh, no, not really. I'm asking you a question. What do you want from them?
If that's not acceptable, don't use a computer. Seriously. There's nothing anyone can do about that.
No, you don't. Go read the news and you might hear about this stuff once in a while.
Well, gee, I've only had to install like 3 patches on Windows Server 2003 since it came out. If that's too much for you, like I said, don't use a computer.
The latter would be to build products as secure as possible from the ground up. The only problem is, XP was written BEFORE the Trustworthy Computing initiative, so any real shift in security programming will affect Longhorn, not XP. I've seen little in the way of reports on vulnerabilities in NEW Microsoft software (MSN, VS.NET, etc.), whereas XP was completed BEFORE "trustworthy computing".
Visual Studio .NET: http://www.computerweekly.com/Article110131.htm
MSN: http://www.securityfocus.com/bid/8221
Windows 2003 Server, etc: http://www.usatoday.com/tech/news/computersecurity/2003-07-16-microsoft-hole_x.htm
Windows Server 2003 vulnerabilities since "gold":
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp?productid=176&servicepackid=0&submit1=go&isie=yes
Total of 5 patches, only 2 are critical.
Redhat Linux 9 security advisories since "gold":
https://rhn.redhat.com/errata/rh9-errata-security.html
51 patches.
Edit: I know you can say "but the Redhat errata includes non-Redhat code from other vendors!" That's not fair play. If you can accuse Microsoft of bugs in the included IE and can't separate that from the OS, then let's include all the applications that ship with the commercial product "Redhat Linux 9". Fair is fair...
Last edited by 24542 on 23 Sep 2003 - 18:08
OpenBSD 3.3 'went gold' about the same time as Windows 2003. There have been no patches needed to keep your system secure. In fact, in the entire history of OpenBSD there has been but a single remote exploit in its default setup (it was first shipped around the same time as Windows 95 'a').
What does any of this prove? Not a hell of a lot, really. I suppose we could use the old "it's more popular" defense (after all, how many Win2k3 servers have shown up in the last ~4 months vs. the number of desktop Linux installs, on a distribution that is traditionally regarded as 'newbie-oriented'?), but that's not an excuse for insecurity on either platform.
http://www.openbsd.org/security.html#33 (in reference to your "no vulnerabilities" comment)
And even in looking at that list there are a subjective 2-3 kernel vulnerabilities.
And you're right, it doesn't prove much. The original argument stance I was presenting is that the POST "trustworthy computing" releases from Microsoft have been a leap in security over old code, and that is evident by the number of patches released.
In fact I'd go so far as to compare Win2003 to OpenBSD based upon what you said, and the link.
I doubt they will as long as they keep it a closed source project with a relatively small group of developers. They need to get development assistance from other places than a building in Redmond.
Their operating system and other software has grown too complex to maintain on their own with few exploits and there are too many potential attackers.
Last edited by 21023 on 23 Sep 2003 - 13:42
Although Microsoft Windows vulnerabilities get most of the headlines, researchers this week identified vulnerabilities in two commonly used open-source software products.
The more serious of the vulnerabilities affects Sendmail, an open-source program for managing e-mail. The vulnerability lies in the way the e-mail server software parses e-mail headers, said Dan Ingevaldson, engineering manager for Internet Security Systems in Atlanta.
"It's an extremely serious vulnerability," Ingevaldson said, adding that computer attackers could probably exploit it. It is less clear, he said, whether a separate flaw in OpenSSH, also discovered this week, can be exploited.
Source - News.com
Zero flaws? Few flaws? Lots of flaws?
Windows have lots of security flaws.
I consider many open source operating systems as having few security flaws. This comes as no surprise, since they can get more people to work on improving the code, since it's open.
Btw, a tip: qmail. No one has found a single security hole in it yet, since it was designed with security as top priority. It's sendmail compatible. There's a nice reward for the guy finding a security hole in it.
All you're saying is that security exploits exist in other operating systems than Windows (big surprise there...). You're not comparing the amount of sendmail exploits with MS Exchange Server exploits though. I'm sure we would soon see the familiar pattern with MS software then.
Last edited by 21023 on 23 Sep 2003 - 13:41
somedork
When it does come out and does become exploited in less than 2 weeks, what will you say about the "trustworthy computing initiative"?
What will it take for you to look at Microsoft and decide that this "trustworthy computing initiative" was a joke from the beginning?
What will it take for you to decide that enough is enough?
Or do you somehow expect a company to magically transition from a state where security is not a priority to a state where it is? This was the state in the entire industry, not Microsoft alone.
But of course you wouldn't realize that; everything for you is some stupid "microsoftee" argument.
Really? Gee. I'm glad to see you professing to being an industry expert. You must be a 60 - 70 year old dude to have the infinite wisdom which rests upon your shoulders and experience that has roots in the punchcard days. You are my hero, "jagged flame".
What will it take for you to look at Microsoft and decide that this "trustworthy computing initiative" was a joke from the beginning?
What will it take for you to decide that enough is enough?
MS has already radically improved their operations. I will probably never be affronted by exploits as long as every other server vendor in existence has exploits (including the beloved OpenBSD quoted earlier).
MS at this point in the game has one OS out the door since the TCI ... WS2003. Compare its density of vulnerabilities with any other OS out there. Why are you still pointing fingers at MS?
Every OS has vulnerabilities. You can scream "enough" all you want, but I wonder what OS you run, and why you're such a hypocrite.
I guess you must be calling me a fag because I'm pointing out something you should have known with your massive Java experience. I'm sorry. I didn't realize you were SO INTELLIGENT that you can throw words like "fag" around and expect them to mean something on a public domain like the Internet.
But wait, this is your world. Apparently, you're the winner of this duel because you "quashed" my argument with a stupid one-liner and absolutely no facts to back up your rebuttal, which effectively proves you're more clever than I am. Right, right.
Wow, it looks like you're upset about not knowing something so obvious. Sorry, buddy, it doesn't take a 60-year-old to understand the concept that companies can't instantly transition like that. If you think it does, no f*cking wonder you're so clueless.
Let me break it down for your stupid ass. Companies are made of many people. You can't turn the direction around by snapping your fingers and expecting things to move. It takes time. And I'm sure you realize that you can't instantly unwrite millions of lines of code and make them secure. Hence, the Trustworthy Computing initiative.
Since you're in bed with Sun already, you could just go ask the CEO what his priorities were in the 90's. I can assure you that security was not at the top of his list.
Oh, and while we're on the topic of being an expert, who's the one running around acting like he's the resident Java know-it-all? If you're claiming to be a Java expert, it really shouldn't be so damn surprising that there are other experts on this site.
Oh, it's common knowledge that werejag runs Windows.
Last edited by 820 on 25 Sep 2003 - 05:35
Yea, that makes sense.
You are a fag. Doesn't take a genius to know that.
What duel? You just like throwing potshots and insults around to everyone who doesn't uphold your view. See the part about you being a fag.
See what I mean? You take something and turn it into your own argument. You totally missed the whole point, which was that it should have been a priority in the first place. There, that's it. As far as security not being a priority in the "industry", you are dead wrong, and I have a few IBM veterans here who you can call up and argue with. IBM has been building machines with security as top priority for decades. But I guess that doesn't count in your little world.
Yea, my ass isn't that smart.
Please. I'm vendor neutral. I'm a WebSphere and WebLogic developer developing on all IBM boxes. But, I'm glad you know so much about my sex life. I bet yours is kickin.
When did I say that? Just because it's something I do just about every day of my life? I don't go around professing my "Java guru status", but it is something I can talk intelligently about. For something I like so much, I feel I have to defend Java from all the FUD people like you spread against Java. I don't think there's anything wrong with that.
Hey dumbass, that happens to be exactly what you're doing. So you just called yourself a fag. LOL
You make it way too easy. Focus on the facts, buddy, because the insults aren't your strong suit.
First of all, I would challenge you to find a statement that I am spreading anything about Java. I don't talk about Java. The only time I talked about Java was when you dragged me into some stupid debate about nomenclature.
"I don't think there's anything wrong with that." Of course you think there's something wrong with that, because that's exactly what I'm doing right now.
I like this. You're pissed off that you're wrong, so you get all frustrated and accuse me of pretending to be an industry expert. Then you jump on your horse and act all smart, and somehow that's not supposed to be the same thing. Oh, and you think that calling people fags is somehow supposed to do something. Simply hilarious.
If your IBM veterans know so much, ask them what the difference is between this and Trustworthy Computing.
Security is a "significantly heightened concern" now. That means it was not their number one priority before, because obviously they have to make some changes to escalate it. Either that, or it was their number one priority and they were doing a sh*tty job.
I'm sure you still don't understand. Changes need to be made for EVERYONE. Everyone is doing new security initiatives, not just Microsoft. Yes, even IBM. The fact that you keep bitching about how it should have been that way in the first place is just a bunch of hypocritical whining about Microsoft in particular.
No one's debating against the fact that the security used to suck. No, it shouldn't have sucked before, and that is someone's fault. But why the f*ck are you wasting everyone's time bitching about it? Oh, I know. Because it's supposed to be definitive evidence that Microsoft is evil.
You make it way too easy. Focus on the facts, buddy, because the insults aren't your strong suit.
Um, no. I don't throw potshots at people. Just throwing an opinion out is different. You attack people constantly. I think it's your hobby. You need help.
No you're not. You are trying to personally insult me or "win" a debate or something. This must be your life.
What are you talking about? How am I wrong? It's an opinion. Mine against yours. End of story. The only reason I'm still here is because I'd want to kick your ass if I saw you in person, because you're such a dork.
Yep. I was trying to act all smart and use all big fancy Webster words to build myself up as a super genius. But, still you do proclaim to be the know all genius. I give that title to you. Just because I think results are better than marketing bull****.
How is that different? It's a service and marketing BS. Everyone is looking for the next Y2K, and I'm sure IBM saw this as a way to get some cash in the bank. It doesn't necessarily target IBM-based OSes or software. Guess how many security exploits we get on our AIX, z/OS, and AS/400 boxes? Are you telling me z/OS wasn't built with security in mind? It's the Alcatraz of operating systems. Remember, IBM sells a good deal of Microsoft-based systems too.
I did a quick google on "JaggedFlame" because I was interested and it almost looks like your life revolves around trolling message boards and flaming anybody that has a problem with anything microsoft does. You are so cool, man. I'm not even going to bother replying to whatever flame you whip up cuz it ain't worth my time to waste it on you.
Right, which is why you called me a fag twice.
Take your own medicine. Don't bitch to me about something you do as well.
As opposed to what you're doing? Why are you here? Obviously, you're trying to show me something.
You're insinuating that this is somehow localized to Microsoft. You're wrong. End of story.
You can claim to kick my ass all you want. All I have to say is, bring it on. There's a good chance I know more martial arts than your entire family does combined. You touch me, your ass gets kicked to the next state.
Yeah, results like, there are only three major vulnerabilities in Windows Server 2003 since it came out in April.
Results like, Windows Server 2003 is entirely locked down and almost impenetrable.
Results like that. Yeah, I don't know what you're smoking.
Neither does Trustworthy Computing. Do you even understand what it is?
One PART of Trustworthy Computing is the OSes and software. It is definitely not the end-all.
Wow, you're smart. Looks like it never occurred to you that this is the alias I use on message boards, and I have other ones I use for other stuff. You just have to love that logic. I search for this guy's alias online, and it's all about online stuff (may I add it's only THIRTEEN RESULTS), so therefore his life revolves around online stuff. What a dumbass.
And it works for you too. Searching for Zatko55, it's all some bullsh*t about Java. What do you have to say about that? Do you live and breathe Java every day? Is that the best you can do?
Good riddance. I'm tired of hearing your bitching, dude. This happens every time. I bring up some point, and you turn it into some tenth grade bitch fight where you just call me names and use ad hominem attacks. If all you can do is whine about me on a public domain, I'd encourage you to come find me so I could put you out of your misery.
Thanks for not replying. Last time you did that, you got your arguments dragged over the floor by four different people after you stopped reading. It's good that some people know when to quit.
Last edited by 820 on 25 Sep 2003 - 21:12
On the flip side of the coin, I should point out that Linux still suffers from far more security bugs and other vulnerabilities than Windows does. Researchers at mi2g Intelligence Unit, which has been tracking and verifying computer-based vulnerabilities since 1995, say that in August 67 percent of all successful and verifiable attacks against servers targeted Linux, compared with just 23.2 percent that targeted Windows--and August was the month during which SoBig.F and MSBlaster hit. Furthermore, 12,892 e-business sites running Linux were successfully breached during that month, compared with just 4626 sites running Windows. Windows vulnerabilities get more press because more people run Windows on the desktop, so any Windows-based worms or viruses will generally affect a far larger group of individuals. But anyone who thinks that jumping to Linux is a cure-all should think again. Even if you don't consider the usage numbers, everyone's favorite open-source poster boy is still a huge target for attackers.
http://www.wininformant.com/Articles/Index.cfm?ArticleID=40256
The guy is hardly pro-Windows though; simply read some of his other topics on that page. As for the report itself that he mentions, I tried to look it up at http://mi2g.com but you have to pay for it.
Keep in mind what RauL said, NO one piece of software will ever be 100% secure and unbreakable. Even Microsoft has claimed this. Microsoft says that because computer code is written by humans and that humans cannot produce 100% perfect code, software will never be 100% secure.
However, considering Microsoft's error reporting technology and the fact that they are constantly upgrading their software to protect against new threats, Microsoft has to be among the most secure software available today.
Not everything has to be 3rd party to make Windows secure.
It's people like you who keep virii in the wild.
It's very irresponsible not to have an outgoing/incoming firewall and antivirus that is kept updated.
Good practices prevent viruses, period. I am an exception to the norm and would never condone what I do as practice. However at my work I run AV, mostly because I don't monitor everything on that machine as strictly as I do my home machine.
If you never open anything, you never get viruses. Just like, if you have a firewall blocking all your ports, you can't be attacked (no surface area). It's simple concepts, but probably beyond you...