[ISN] MS Security Plan: OK, Kind Of

From: InfoSec News (isnat_private)
Date: Fri Oct 05 2001 - 00:53:12 PDT


    http://www.wired.com/news/technology/0,1282,47299,00.html
    
    By Michelle Delio 
    2:00 a.m. Oct. 4, 2001 PDT 
    
    Microsoft's newest security initiative is drawing jeers and a few
    cheers from industry experts.
    
    Many experts said Microsoft's Strategic Security Protection Program
    plan announced Wednesday is nothing more than a half-hearted attempt
    to assuage increasing demands from government, industry and consumers
    for better product security, before the government intervenes and
    business falls.
    
    Admitting that it has a "special obligation to help ensure the
    security of the Internet and our customers' data," Microsoft said it
    will offer free security support services, a free CD that contains all
    current system-specific security patches, and automatic bi-monthly
    delivery and installation of new security patches via the Internet.
    
    Brian Valentine, senior vice president of the Windows Division at
    Microsoft, said the rallying cry of the new initiative is, "We will
    not rest until your business is secure. Period."
    
    But some security experts said if Microsoft stands by that promise,
    its employees won't be getting much sleep, and charge that simply
    improving the delivery method of patches for insecure products is not
    enough to provide real security.
    
    Releasing software riddled with security holes is simply unacceptable,
    Air Force CIO John Gilligan told the FBI on Monday, according to an
    agent who attended the briefing.
    
    Gilligan said government agencies and businesses can no longer afford
    to play a constant game of hunt-and-patch, and demanded that software
    companies test their products thoroughly before releasing them.
    
    Gilligan added the government might have to impose security standards
    on software manufacturers if they don't begin to take security
    seriously, particularly in light of the Sept. 11 terrorist attacks.
    
    "Absolutely, Microsoft is going about this totally the wrong way,"
    said Nick Marken, a software and security consultant for New York
    state. "A big part of this SSPP program is focused on delivering
    security patches. But they should be focusing on delivering more
    secure products instead of implementing all kinds of spiffy plans to
    patch those products."
    
    "If they focus on patching holes, instead of ensuring the holes don't
    exist, Microsoft techies are going to be running around like chickens
    with their heads cut off," Marken said. "This new initiative is just a
    gesture, not a real response, to the increasing industry and consumer
    demand for more secure software. And I can see the government stepping
    in to set security standards."
    
    Microsoft's Valentine defended the SSPP program's emphasis on patches.
    
    "Naturally, vulnerabilities will exist, and we need to increase our
    engineering investment and work with government agencies, the
    appropriate consulting agencies, to minimize those vulnerabilities,"
    Valentine said in a press statement.
    
    Joey Maier, a systems administrator and security engineer, thought
    that delivering patches directly to end users was a good idea, but
    warned that systems administrators probably wouldn't sign up for the
    service.
    
    "Most of us have discovered that adding patches to a production system
    without testing them first is a good way to break your existing
    applications," Maier said.
    
    Other security experts said patches only solve known security issues.
    
    "There's that golden rule of security that states that security is an
    ongoing process and patches and updates are an important part of it,"
    Dave Kroll, president of Finjan Software, a security software firm,
    said.
    
    "But security administrators shouldn't rest well at night just because
    all software patches are installed. Patches won't protect you from the
    next unpublished vulnerability. Installation of patches seems to be
    proactive, but actually it is in reaction to a database of known
    vulnerabilities."
    
    Gilligan's briefing focused on Microsoft-specific worms and viruses
    such as Code Red, Nimda and Melissa, as did a report last week from
    Gartner security analyst John Pescatore recommending in no uncertain
    terms that businesses switch to non-Microsoft Web server software in
    the wake of this summer's worm attacks.
    
    The report stated that "viruses and worms will continue to attack IIS
    until Microsoft has released a completely rewritten, thoroughly and
    publicly tested, new release of IIS.... This move should include any
    Microsoft .NET Web services, which requires the use of IIS."
    
    Microsoft's Valentine said in a statement that the next version of its
    hacker-plagued IIS Web server software will not be rewritten, but will
    be "locked down by default," with the pre-defined configurations set
    to the highest security levels.
    
    "The security community has always wanted Microsoft to issue products
    that are locked down by default. So there should be rejoicing that MS
    appears to have finally listened to all the pleading from the experts
    in the security and network field," Marquis Grove, of Security News
    Portal, said.
    
    "If the products then prove to be less than secure, it will be because
    of defects or bugs within the products themselves rather than some
    lapse by an administrator who was not familiar with the entire gamut
    of security settings within Microsoft products."
    
    Grove also pointed out that Code Red and Nimda took advantage of holes
    in IIS' code, not faulty security settings.
    
    Jack Dahany, vice president of server security at Watchguard
    Technologies, also noted that the availability of patches from
    Microsoft didn't stop the spread of Code Red or Nimda, but said that
    Microsoft's program was a step in the right direction.
    
    "Granted, Microsoft is not, as they should be, rewriting their
    products to be more secure, because that is pretty hard and takes
    quite some time," Dahany said. "And the outcome of that effort would
    not necessarily be markedly better security."
    
    "SSPP is good common-sense guidance for a user community that needs
    it. I think that Microsoft has done their users a real service with
    this," Dahany said. "It is a public acknowledgement that their systems
    need more protection than they arrive with out of the box, and it is
    also a signal that Microsoft is now going to play a real part in the
    security education and training of their customers."
    
    Microsoft's Valentine said he has complete faith in the initiative.
    
    "I cannot emphasize enough how very serious we are about this
    program," Valentine said in a statement.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    