[ISN] Microsoft failing security test?

From: InfoSec News (isnat_private)
Date: Fri Jan 11 2002 - 10:46:40 PST


    By Robert Lemos
    Special to ZDNet News 
    January 11, 2002 4:38 AM PT
    Microsoft's security initiatives and the release of the company's
    "most secure operating system yet" haven't quashed myriad holes that
    security experts say put customers in harm's way.
    Although the software titan has been touting the need for security
    through its Secure Windows Initiative, the recent revelation of a
    severe flaw in the company's flagship Windows XP operating
    system--combined with the discoveries of several recent Internet
    Explorer browser holes--has left security experts questioning whether
    Microsoft can fully lock down its products.
    "It's not about security mechanisms and initiatives, but in the end
    how secure the code is," said Marc Maiffret, chief hacking officer
    with eEye Digital Security, the Aliso Viejo, Calif., company that
    found the hole in Windows XP. If left unchecked, that hole could let
    hackers take over a computer user's PC remotely. Microsoft itself
    deemed the flaw "critical" for desktop PC users.
    Steve Lipner, director of security assurance for Microsoft, said the
    company is working hard to close the holes, but that security is an
    evolutionary process. "It is so hard to predict what will happen on
    that score," Lipner said. "But our objective is to drive the number of
    (security) bulletins to zero."
    Still, the Redmond, Wash.-based giant has had difficulty keeping code
    hackers from ferreting out flaws in its products.
    In the past two months, for example, more than half a dozen security
    problems have been found with the latest version of Internet Explorer.  
    The most recent: Almost three weeks ago, a 31-year-old Austin,
    Texas-based security researcher revealed a bug in IE 6. The bug could
    let an attacker send an HTML e-mail, which in turn could steal
    cookies, allow access to files, or direct the victim to a false Web
    site that, to the average person, would be almost indistinguishable
    from the real thing.
    The researcher, who asked to be identified by his online handle,
    ThePull, said an attacker who could fool a victim into clicking a
    simple Web link in e-mail could make off with the victim's digital
    keys to, say, any online account that has its log-in information saved
    as a cookie.
    Microsoft has refused to comment on the latest IE issue, and no patch
    had been issued as of Thursday evening. That has many security pros,
    including Maiffret, irked.
    "Right now, there is a known vulnerability and there is no way to turn
    it off," he said. "To leave everyone wide open is like Ford Motor
    knowing that their car's tires are bad and not saying anything."
    Microsoft's Lipner said the company's policy is not to discuss such
    issues while they are under investigation.
    "We always monitor mailing lists and so forth to see if the
    vulnerability is being used to harm customers," Lipner said, "but
    until then we believe it is best to wait."
    The bigger they are...
    Microsoft is a natural target for code hackers because of its dominant
    position in the industry. Such security problems, though, have become
    a black eye for the company because of its multibillion-dollar bet on
    its overarching .Net initiative, a set of software technologies
    designed to deliver services easily and securely over the Internet.  
    Security experts fear that e-business could suffer if .Net becomes
    successful and is not adequately secured.
    "You can say you have a firewall and white papers that show how secure
    the technology is, but that still doesn't matter if you still have
    buffer overflows in your code," Maiffret said.
    Other researchers drew parallels between Microsoft's current silence
    and the nearly two months the company stayed mum on the flaws in
    Windows XP. Those flaws were exposed through Universal Plug and Play, a
    networking protocol integrated into Windows XP that lets devices
    recognize each other automatically.
    "Microsoft treats security bulletins as PR problems," said Bruce
    Schneier, chief technology officer of network protection company
    Counterpane Internet Security. "If Microsoft had its way and there was
    bug secrecy, we wouldn't know that any of this happened."
    Chris Wysopal, director of research and development for security
    company @Stake, argued that an early warning can sometimes actually
    hurt security, tipping off malicious attackers to the vulnerability.
    Still, Wysopal said, with the Plug and Play incident, Microsoft could
    have told customers to just turn off the function if they weren't
    using it.
    "It does make sense to warn people up front that they can take actions
    now," Wysopal said. "I would like to see people not rely on patches so
    much. I was disappointed with the FBI's retraction (after they)
    proposed a solution that did not require a patch."
    The FBI released an advisory Dec. 21 outlining how people could turn
    off Universal Plug and Play, but the agency later partially retracted
    the advisory and recommended that Microsoft's patch be installed.
    "There are all these vendors that are writing products that rely on
    UPnP," said Russ Cooper, editor of NTBugTraq and a security researcher
    with technology company TruSecure. "So would Microsoft want to tell
    their users to turn it off? No."
    Other researchers echoed the concern over the Universal Plug and Play
    standard, saying that security never had been a primary concern for
    the technology.
    "UPnP just has to work; it doesn't have to be good," said
    Counterpane's Schneier.
    However, Microsoft's Lipner said the vulnerability in the Universal
    Plug and Play component of Windows XP is fairly complex and of a type
    that hasn't been recognized by the code-auditing tools the software
    giant uses to detect software bugs.
    "There is nobody who is more disappointed than I am when one of these
    vulnerabilities is found," Lipner said. "But at the same time, I don't
    think two or three months' experience with a new product is a
    statistical sample to say what we have done and have not done."
    Improving security is not a quick process, but it is happening, Lipner
    said. Last June, a new kind of buffer overflow in the company's Index
    server software led to a proliferation of the Code Red worm. Now
    Microsoft's auditing software is designed to detect such a problem.
    "We have to continue doing this," Lipner said, "finding new security
    problems and fixing them before the product ships--and, unfortunately,
    after the product ships."
    Measured by the number of security bulletins the company has released,
    Microsoft's progress in security is mixed. In 1999, the company issued
    60 security advisories, followed by a whopping 100 in 2000. That fell
    back to 60 last year.
    Lipner said the company would continue to analyze every problem to
    help eliminate flaws in future products.
    "In 2004," Lipner said, "if we only have one advisory, you know we
    will be doing analysis on that flaw to make sure we catch it the next
    time around."