[ISN] Old code in Windows is security threat

From: InfoSec News (isnat_private)
Date: Mon Jun 10 2002 - 03:12:31 PDT

    http://news.com.com/2100-1001-934363.html?tag=fd_top
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    June 9, 2002, 11:00 PM PT
    
    Microsoft will more quickly retire old code in its Windows operating
    system and other software as a result of the company's four-month-old
    "trustworthy computing" initiative, the company's lead bug basher said
    in an interview.
    
    The revelation follows last week's warning that a serious
    vulnerability in Microsoft's Internet Explorer occurred in the
    software supporting a decade-old protocol that has rarely been used
    since the World Wide Web became popular.
    
    "A lot of the (coming) design changes are to remove this feature or
    turn that one off by default," said Steve Lipner, director of security
    assurance for Microsoft and the man on the ground for the company's
    trustworthy computing initiative.
    
    He added that when Microsoft is faced with a choice between removing
    old, possibly insecure code and keeping a feature to please a small
    fraction of customers, increasingly security is winning out. "Do we
    think that things will be retired more quickly? Sure," Lipner said.
    
    The acknowledgment that the company is rushing to ax old code comes
    amid criticism that Microsoft's security initiative has been slow to
    show results. More than 30 vulnerabilities have been reported by the
    company since the initiative began, putting it on the same security
    track as last year.
    
    Fifty-million lines of code
    
    Even before Windows XP came out, Microsoft said it would sacrifice
    compatibility in some circumstances to increase performance. However,
    the recent, unexpected security problems are accelerating the process
    and prompting the company to remove more code than anticipated. But
    trying to figure out how to cut potentially problematic code is no
    easy task.
    
    "The problem is that you are dealing with 50 million lines of code and
    everything depends on everything else," said Peter Neumann, principal
    scientist for technology think-tank SRI International.
    
    Microsoft kicked off its trustworthy computing initiative in January,
    after Chairman Bill Gates urged the company's employees to focus more
    on security and less on creating new features. Critics of the company
    have kept watch for signs of any real changes in how the software
    giant deals with security. Changes in Windows, though, could take
    a while, especially in light of how the operating system has grown.
    
    Neumann--who designed the file system for the Multics operating
    system, the precursor to Unix--stresses that software security starts
    with good design, using modular components.
    
    "Part of the problem is everything is too convoluted," Neumann said.  
    "It's difficult to have an assurance that everything is going to
    work." Adding in backward compatibility only increases complexity, he
    added.
    
    Marc Maiffret, 21-year-old security prodigy and chief hacking officer
    for eEye Digital Security, doesn't fault old code for security
    problems. He said that programmers who don't review the code before
    using it are at fault. Old code may have more security holes in it,
    but those holes should be caught, he said.
    
    "With a lot of the more recent code, people are smarter about writing
    secure code," Maiffret said, adding that "there is no problem in
    having backwards compatibility, except when there is a flaw in it."
    
    That's the problem Microsoft is facing. A feature that allowed
    Internet Explorer to communicate with servers running Gopher, a
    pre-Web protocol for hyperlinking information, has a vulnerability
    that could leave PC users open to attack, a Finnish researcher said
    last week.
    
    GopherSpace, the name of the network of servers that supports the
    Gopher protocol, consists of less than 600 computers offering up less
    than 8 million links, according to a Gopher site maintained at Point
    Loma Nazarene University. The Web has more than 2 billion pages,
    according to the Google search engine.
    
    While Microsoft is still analyzing the claims, the company's
    trustworthy computing initiative already had project managers
    questioning the wisdom of having support for the rarely used protocol,
    said Microsoft's Lipner.
    
    "Gopher was one of the functions that was flagged for being turned off
    by default" in the coming Windows XP Service Pack 1, Lipner said.  
    While the disclosure of the apparent flaw beat the company's update,
    Lipner stressed that the design decision showed the initiative was
    paying off. "We were asking the right questions," he said.
    
    Lipner wouldn't name other features that would be retired, or break
    down how much of Windows XP is considered old code and how much is
    new. Instead, he explained that part of the company's security process
    involves imagining the worst types of attacks against its code and
    developing a "threat model." It then searches for any holes in its
    defenses that would let such attacks through.
    
    "The developers and testers were reviewing code and testing code as
    prioritized by the threat model," Lipner said.
    
    Lipner said the work is ongoing, adding, "The security push is a big
    job."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


