[ISN] Experts: Microsoft security gets an 'F'

From: InfoSec News (isnat_private)
Date: Sun Feb 02 2003 - 22:24:31 PST


February 1, 2003

SAN FRANCISCO, California (Reuters) -- Computer security experts say
the recent "SQL Slammer" worm, the worst in more than a year, is
evidence that Microsoft's year-old security push is not working.

"Trustworthy Computing is failing," Russ Cooper of TruSecure Corp.
said of the Microsoft initiative. "I gave it a 'D-minus' at the
beginning of the year, and now I'd give it an 'F.'"

The worm, which exploited a known vulnerability in Microsoft's SQL
Server database software, spread through network connections beginning
January 25, crashing servers and clogging the Internet.

Public reminded of risks

It hit a year and one week after Microsoft Chairman Bill Gates sent a
company-wide e-mail saying Microsoft would make boosting security of
its software a top priority.

Microsoft placed responsibility on computer users who failed to
install a patch that had been available since at least last June.

"The single largest message is: keep your system up to date with
patches," Microsoft Chief Security Officer Scott Charney said.

But the philosophy of patching is fundamentally flawed and leaves
people vulnerable, Cooper said. For example, Microsoft didn't follow
its own advice, as executives confirmed that an internal network was
hit by the worm.

"Microsoft was completely hosed (from Slammer). It took them two days
to get out from under it," said Bruce Schneier, chief technology
officer of Counterpane Internet Security, a network monitoring service
provider. "It's as hypocritical as you can get."

Fix could have nullified problems

"We should have done a better job" in protecting the company's own
network, Mike Nash, corporate vice president of Microsoft's security
business unit, said. "We understood some things customers were facing
and it, in some ways, helped us. It was a learning course."

There was another misstep on Microsoft's part that illustrates the
problems with patches, Cooper said.

In October Microsoft released a fix for a different SQL Server problem
that, if installed in the expected manner, would have made patched
systems vulnerable again, he said. "If I followed their advice I'd
have been vulnerable."

Microsoft spokesman Rick Miller said administrators were given the
option with the fix to install it so the patch was intact. He also
said he knew of no customers who installed the fix and were still hit
by the worm.

Implementing fix proves complex

But most people installing the fix would not necessarily have known
how to install it in a safe way, Cooper countered.

Microsoft released a service pack that would have fixed the problems
the week before Slammer hit. But not only are there too many patches
to keep up with, people are reluctant to install them for fear they
will interfere with their systems.

Microsoft admits making a mistake with the SQL fix and has "egg on our
face" over being hit by the worm, Miller said.

"What this demonstrates and what we readily acknowledge is the patch
management process is too complex," he said. "Microsoft is committed
to reorganizing our patch system and delivering high-quality patches
in a streamlined way."

Demanding better products

Nash defended the Trustworthy Computing initiative, saying the
company's security process and culture have changed. For instance, all
Windows developers have received special security training, he said.

However, the fruits of that may not show up until future versions of
products are released, said Richard M. Smith, a Cambridge,
Massachusetts-based computer security consultant. "I'd rather they
focus on the problems we have today."

"The problem is the whole patch regime has lots and lots of problems,"
he said. "It would be much better if the software shipped from
Microsoft with fewer problems to begin with."

The solution: install patches, along with firewalls and other security
software and services, as well as demand better products from
Microsoft, the experts said.

Thinking of switching

In the meantime, Schneier said he was thinking of switching from
Windows to the Macintosh platform because of all the security issues.
"My wife has a Mac and she doesn't worry about viruses, trojans,
leaks...," he said.

A Consumer Reports survey last year found that virus infection rates
on Macs are half what they are on Windows, noted Smith. "Is that
because Macs are safer? I think the answer is yeah."

    This archive was generated by hypermail 2b30 : Mon Feb 03 2003 - 01:26:04 PST