[ISN] Microsoft Tries to gauge security gremlins

From: InfoSec News (isnat_private)
Date: Wed Nov 07 2001 - 01:24:29 PST

Forwarded from: Justin Lundy <jblat_private>

By Robert Lemos
Special to CNET News.com
November 6, 2001, 4:00 a.m. PT

Microsoft's security response center must be feeling a little
punch-drunk these days.

After the one-two combination of the Code Red and Nimda worms that
targeted the company's server and PC software this past summer, the
titan announced an initiative in early October to promote
security-savvy administration among its partners.

However, almost every week since it announced its Strategic Technology
Protection Program, a new security flaw has cropped up. In the past
few weeks, holes have been found in Excel and PowerPoint and a new
system for protecting music content. A major security patch was issued
for Windows XP, and the company had to shut down part of its Passport
service to fix a set of flaws in the technology that Microsoft hopes
will become the foundation of its .Net initiative.

The company will have to do some fancy footwork to quell concerns of
its .Net partners and current customers, said John Pescatore, an
analyst with research firm Gartner. The .Net initiative is Microsoft's
overarching plan for ubiquitous online services.

"Microsoft realizes that they have to be perceived as a more secure
company if .Net is ever going to be a success," Pescatore said.

In a column following the outbreaks of the Code Red and Nimda worms,
the analyst urged companies hit by both attacks to consider
alternatives to Microsoft's Internet Information Server (IIS).

This week, Microsoft will meet with security experts, privacy
advocates and policy-makers at its Trusted Computing Conference in
Mountain View, Calif.

The meeting of the minds in the security world will give the software
giant a chance to renew its push to rewrite the ground rules for
disclosing information about vulnerabilities. The company wants to see
fewer details in the independent advisories that illuminate the holes
in its products; getting its way could give Microsoft a bit of
breathing room to respond to the flaws before malicious hackers target
its customers.

That could also help the company regain some of the credibility lost
in the recent security compromises.

In a recent essay, Scott Culp, program manager for Microsoft's
security response center, lambasted researchers and hackers who
provide snippets of program code to illustrate how a particular
vulnerability can be taken advantage of. Known as exploit code, the
partial programs usually make it easier to develop hacking tools and
worms that attack computers using a specific vulnerability.

"It's high time the security community stopped providing blueprints
for building these weapons," he wrote in the essay.

Many believe that is what happened in July, when more than 360,000
computers running Microsoft's Web server software fell prey to the
Code Red worm, a program that took advantage of a vulnerability known
as the printing ISAPI flaw. The company that found the flaw, eEye
Digital Security, worked with Microsoft to create a fix, but, in its
advisory, it also publicized details about the exploitation of the

Consensus or concealment?

Microsoft's aim is to curtail hackers' access to such details.

"For its part, Microsoft will be working with other industry leaders
over the course of the coming months to build an industrywide
consensus on this issue," Culp wrote.

Yet others worry that Microsoft's main motive is to dial down its own
public-relations disasters.

"This conference is an ambush to push through Microsoft's beliefs on
limited disclosure to make it seem to be endorsed, when the larger
community hasn't even seen any details," said Russ Cooper, research
director with security firm TruSecure.

In the latest security faux pas, Microsoft released an update for
Windows XP that included, by Cooper's count, five security fixes, but
the company has issued advisories on only two.

"They promised more information to people about how to become secure
and stay secure, but what do we get? They keep ignoring the consumer,"
he said.

Electronic rights activists, worried about what .Net might mean for
privacy, aren't comforted by the knowledge that the giant has yet to
prove it can secure its systems.

Last week, a software engineer demonstrated a way to use several flaws
in the company's Passport authentication system--the key to security
for .Net.

"The security lapses further support our claims that Microsoft's
guarantees of privacy and security are deceptive and unfair to
consumers," Marc Rotenberg, director of the Electronic Privacy
Information Center, wrote in a letter to the Federal Trade Commission.
"Further, Microsoft's failure to disclose the actual risks associated
with the collection and use of personal information in the Passport
service constitutes an unfair and deceptive trade practice."
ISN is currently hosted by Attrition.org

This archive was generated by hypermail 2b30 : Wed Nov 07 2001 - 07:05:33 PST