[ISN] Microsoft Redux

From: InfoSec News (isnat_private)
Date: Thu Oct 25 2001 - 01:39:21 PDT


    Forwarded from: security curmudgeon <jerichoat_private>
    
    http://www.wkeys.com/articles/CF/MS_Redux.html
    
    
    Microsoft Redux
        by Carole Fennelly
    
    It's deja-vu, all over again. 
    
    Yet another worm attacks Microsoft servers, leading me to add yet another
    article to my continuing saga on Microsoft infestations: 
    
    "Worm Droppings"  (August, 2001)
    http://www.wkeys.com/articles/CF/itworld/worm_droppings.html
    "MS Right" (October, 2000)
    http://www.landfield.com/isn/mail-archive/2000/Oct/0100.html
    "Feeding the Virus Frenzy" (June, 2000)
    http://www.cnn.com/2000/TECH/computing/06/27/security.frenzy.idg/
    
    So why bother writing another one? Well, the difference this time is
    that research and advisory group Gartner - not typically controversial
    - advised (http://www.gartner.com/DisplayDocument?doc_cd=101034)
    companies to consider dropping Microsoft's IIS web server in favour of
    iPlanet or Apache.
    
    I've been saying for years that we should address the root cause of
    viruses and worms: poor development practices. It is much more
    efficient to find and correct problems in products *before* they are
    shipped to thousands of customers than to have those customers
    retroactively apply patches. Obviously, no software is perfect and
    sometimes patches are necessary. But, come on - Microsoft has released
    over 50 security advisories this year alone. It appears that they are
    outsourcing system test to the customer while at the same time
    demanding that discovered vulnerabilities not be disclosed to the
    public: http://www.newsbytes.com/news/01/171173.html
     
    They can't have it both ways.
    
    Critics of the Gartner report claim Gartner's recommendations are a
    knee-jerk reaction that would cause more harm than good. It is
    irresponsible to just rip out an application without justifiable
    cause. This is a valid point - you should use the application that
    best suits your business requirements, and not just follow the herd.
    
    But it wasn't that long ago that many IT shops were forced to switch
    to Microsoft platforms because management bought into Microsoft's
    marketing claims of significantly reduced administration costs. Hey, any
    college kid can run an NT machine. Cut the IT staff and get rid of
    those expensive Unix geeks. Now NT administrators are suffering the
    consequences of the perception that they aren't as technical as the
    Unix guys. News flash: Windows administrators can and should be just
    as technically savvy as their Unix counterparts. Microsoft offers no
    free ride on administration, as has been clearly demonstrated.
    
    Any software product with such a frequently repeated track record of
    security problems deserves the reputation it acquires - and this is
    not limited to Microsoft. For years, the Internet's most popular Mail
    Transfer Agent package, sendmail, earned a deserved reputation for
    poor security. Many sites chose to look at alternatives to sendmail,
    having grown tired of dealing with the bug-of-the-week. Others, who
    wanted the features unique to sendmail, invested time and effort to
    develop the expertise to run sendmail securely.
    
    There clearly is a serious issue with Microsoft's IIS server, and I
    don't buy the argument that it's just because Microsoft is a favourite
    target for hackers. It's been demonstrated on an Attrition survey
    (http://www.attrition.org/mirror/attrition/os-graphs.html) and on the
    Netcraft web server survey (http://www.netcraft.com/survey/) that
    Microsoft web servers do *not* dominate the market in anything but
    vulnerabilities.
    
    [...]
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Oct 25 2001 - 06:17:36 PDT