http://www.wired.com/news/technology/0,1282,47299,00.html

By Michelle Delio
2:00 a.m. Oct. 4, 2001 PDT

Microsoft's newest security initiative is drawing jeers and a few cheers from industry experts.

Many experts said Microsoft's Strategic Security Protection Program plan announced Wednesday is nothing more than a half-hearted attempt to assuage increasing demands from government, industry and consumers for better product security, before the government intervenes and business falls.

Admitting that it has a "special obligation to help ensure the security of the Internet and our customers' data," Microsoft said it will offer free security support services, a free CD that contains all current system-specific security patches, and automatic bi-monthly delivery and installation of new security patches via the Internet.

Brian Valentine, senior vice president of the Windows Division at Microsoft, said the rallying cry of the new initiative is, "We will not rest until your business is secure. Period."

But some security experts said if Microsoft stands by that promise, its employees won't be getting much sleep, and charge that simply improving the delivery method of patches for insecure products is not enough to provide real security.

Releasing software riddled with security holes is simply unacceptable, Air Force CIO John Gilligan told the FBI on Monday, according to an agent who attended the briefing.

Gilligan said government agencies and businesses can no longer afford to play a constant game of hunt-and-patch, and demanded that software companies test their products thoroughly before releasing them.

Gilligan added the government might have to impose security standards on software manufacturers if they don't begin to take security seriously, particularly in light of the Sept. 11 terrorist attacks.

"Absolutely, Microsoft is going about this totally the wrong way," said Nick Marken, a software and security consultant for New York state.
"A big part of this SSPP program is focused on delivering security patches. But they should be focusing on delivering more secure products instead of implementing all kinds of spiffy plans to patch those products."

"If they focus on patching holes, instead of ensuring the holes don't exist, Microsoft techies are going to be running around like chickens with their heads cut off," Marken said. "This new initiative is just a gesture, not a real response, to the increasing industry and consumer demand for more secure software. And I can see the government stepping in to set security standards."

Microsoft's Valentine defended the SSPP program's emphasis on patches.

"Naturally, vulnerabilities will exist, and we need to increase our engineering investment and work with government agencies, the appropriate consulting agencies, to minimize those vulnerabilities," Valentine said in a press statement.

Joey Maier, a systems administrator and security engineer, thought that delivering patches directly to end users was a good idea, but warned that systems administrators probably wouldn't sign up for the service.

"Most of us have discovered that adding patches to a production system without testing them first is a good way to break your existing applications," Maier said.

Other security experts said patches only solve known security issues.

"There's that golden rule of security that states that security is an ongoing process and patches and updates are an important part of it," Dave Kroll, president of Finjan Software, a security software firm, said. "But security administrators shouldn't rest well at night just because all software patches are installed. Patches won't protect you from the next unpublished vulnerability. Installation of patches seems to be proactive, but actually it is in reaction to a database of known vulnerabilities."
Gilligan's briefing focused on Microsoft-specific worms and viruses such as Code Red, Nimda and Melissa, as did a report last week from Gartner security analyst John Pescatore recommending in no uncertain terms that businesses switch to non-Microsoft Web server software in the wake of this summer's worm attacks.

The report stated that "viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS.... This move should include any Microsoft .NET Web services, which requires the use of IIS."

Microsoft's Valentine said in a statement that the next version of its hacker-plagued IIS Web server software will not be rewritten, but will be "locked down by default," with the pre-defined configurations set to the highest security levels.

"The security community has always wanted Microsoft to issue products that are locked down by default. So there should be rejoicing that MS appears to have finally listened to all the pleading from the experts in the security and network field," Marquis Grove, of Security News Portal, said. "If the products then prove to be less than secure, it will be because of defects or bugs within the products themselves rather than some lapse by an administrator who was not familiar with the entire gamut of security settings within Microsoft products."

Grove also pointed out that Code Red and Nimda took advantage of holes in IIS' code, not faulty security settings.

Jack Dahany, vice president of server security at Watchguard Technologies, also noted that the availability of patches from Microsoft didn't stop the spread of Code Red or Nimda, but said that Microsoft's program was a step in the right direction.

"Granted, Microsoft is not, as they should be, rewriting their products to be more secure, because that is pretty hard and takes quite some time," Dahany said. "And the outcome of that effort would not necessarily be markedly better security."
"SSPP is good common-sense guidance for a user community that needs it. I think that Microsoft has done their users a real service with this," Dahany said. "It is a public acknowledgement that their systems need more protection than they arrive with out of the box, and it is also a signal that Microsoft is now going to play a real part in the security education and training of their customers."

Microsoft's Valentine said he has complete faith in the initiative.

"I cannot emphasize enough how very serious we are about this program," Valentine said in a statement.

- ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Oct 08 2001 - 14:59:33 PDT