[ISN] [infowarrior] - Article: Forget California, It's Time to Recall Microsoft

From: InfoSec News (isnat_private)
Date: Thu Aug 14 2003 - 02:09:42 PDT


    Forwarded from: Richard Forno <rfornoat_private>
    
    Forget California, It's Time to Recall Microsoft
    Richard Forno <www.infowarrior.org>
    (c) 2003 Richard Forno.
    Permission granted to reproduce in entirety with credit to author.
    
    A sign on a Trenton, NJ railroad bridge says "Trenton Makes, The World
    Takes."  In light of recent history, a sign at Sea-Tac airport should
    probably read "Microsoft Makes, The World Quakes."
    
    For the second time this year, Microsoft is the source of a major
    internet security event. First was Slammer/Sapphire in January, which
    seriously impacted networks and corporations around the world,
    including shutting down ATM machines at some large banks. And now,
    we've got MSBlaster taking advantage of a years-old vulnerability in
    Microsoft Windows operating systems. But unlike Slammer, which only
    targeted servers, this one goes after desktop computers as well -
    meaning that ninety percent of the world's computers are potential
    targets and victims this week.  Consumer desktops are significantly
    more plentiful than corporate ones but less-protected against viruses,
    worms, and other attacks. As low-hanging fruit goes, they're a perfect
    target of opportunity for cyber-mischief.
    
    According to a Wired
    (http://www.wired.com/news/infostructure/0,1377,59994,00.html) story
    today, Microsoft is confused why these worms continue plaguing users when
    the company's made great effort to improve the patch delivery process.
    Microsoft says it's working with federal law enforcement to find out who's
    behind the dastardly deed that's giving the software monopoly yet another
    embarrassing black eye in the media. This is a typical Microsoft response
    full of proactive sound of fury, but signifying nothing helpful.  And the
    media's full of reporting about the pervasiveness of MSBlaster and what
    people can do to protect themselves against this "latest" cyber-threat.
    
    Yet Microsoft says third-party software accounts for half of all
    Windows crashes
    (http://www.zdnet.com.au/newstech/security/story/0,2000048600,20277185,00.htm).
    Funny, it also blamed the competing DR-DOS for Windows 3.1 crashes in
    an attempt to get people to buy MS-DOS back in the 1980s
    (http://news.com.com/2100-1001-225129.html). (It was later
    discovered that Microsoft had engineered false error messages to trick
    users into buying MS-DOS.) It also said Internet Explorer couldn't be
    removed from Windows 95 without crippling the operating system, and
    was proven wrong by enterprising researchers. So Microsoft's track
    record for veracity isn't exactly stellar when it comes to its
    products and business practices.
    
    But, few if any are mentioning the real issues here:  MSBlaster's
    ability to affect practically all versions of Windows shows that
    despite Microsoft's marketing flacks, there is still significant code
    shared between all versions of Windows. Anyone who thinks DOS is dead,
    or Windows XP's code internals have little in common with Windows NT 4
    should think again. MSBlaster proves it.
    
    Also, MSBlaster takes advantage of known vulnerable network ports in
    Windows, ports that any competent network administrator or internet
    provider should have closed long, long ago. In fact, there's probably
    no good reason why these ports should be enabled on consumer versions
    of Windows or supported by ISP networks, for that matter. In other
    words, it baffles the mind why these well-known ports continue to be a
    major security vulnerability in Windows.
    
    Of course, Microsoft pledges to continue working on its patch
    distribution process as part of its larger "Trustworthy Computing"
    initiative. That's all well and good, but does this mean the security
    of our networked systems has been reduced to the repeated mantra of
    "run the patch" and then sit back to wait for the next pair (exploit
    and fix - a matched set!) to be released? Hopefully not. Security is a
    two-part process requiring the network staff to administer their
    resources appropriately and the software vendors to produce code
    that's much more reliable than it is now.
    
    As it did with the Slammer worm in January, Microsoft proudly says it
    made available a patch for Windows far in advance of the vulnerability
    being exploited on a massive scale.  But many users didn't get the
    message or download the patch - either because home users didn't
    realize that the automatic Windows Update process was designed for
    just that reason (or would "do it later") or, in the case of large
    companies, network administrators likely were too busy installing any
    number of other patches required (at least 30, according to the number
    of security bulletins so far in 2003) to keep their Microsoft systems
    operating in a somewhat more secure manner from week to week. (And we
    wonder why help desk staffs burn out so quickly.)
    
    If Microsoft really wanted to resolve its software problems, it would
    take greater care to ensure such problems were fixed before its
    products went on sale - and thus reverse the way it traditionally
    conducts business. Doing so means fewer resources wasted by its
    customers each year patching and re-patching their systems, hopefully
    meaning more is available for effective network planning, design, and
    management to support a robust defense-in-depth security strategy.
    Customers shouldn't be forced to spend their money cleaning up after
    Microsoft's mistakes, laziness, or general complacency, but on
    improving their information environments to take full advantage of the
    many benefits of the Information Age.
    
    More importantly, why are we - users, administrators, media, and the
    government - praising Microsoft for their response to this critical
    problem? If something's wrong with a product, responsible companies
    are obligated to fix it as a matter of good business practice. A
    responsible adult knows that if you make a mess, you're expected to
    clean it up, regardless of whether anyone compliments you for your efforts.
    Did anyone expect widespread praise to be heaped on Ford Motors after
    its Explorer fiasco a few years back? Hardly - there was a serious
    problem with one of its products, and the company fixed it, albeit
    under the threat of lawsuits from victims or their families.
    
    But that's not the case with software, from Microsoft or anyone else.
    When you acquire software, you don't really "buy" it, but rather
    purchase a license to use it "as is" for a period of time, and the
    vendor is under no obligation to fix anything wrong with its product.
    If you take the time to read the thousands of words in a typical
    software End User License Agreement (EULA) - and many people don't -
    you'll see that by installing and using the software, you indemnify
    the vendor against any claims, losses, or problems resulting from
    using its software, even if the vendor knew about the problem before
    it sold the product. In some cases, as this Register
    (http://www.theregister.co.uk/content/4/26517.html) article notes, you
    agree to let Microsoft remotely modify your software and you can't
    hold it liable if something breaks as a result.
    
    Code Red, Love Bug, Slammer, Nimda, Pretty Park, BubbleBoy, Melissa,
    Code Red II, MSBlaster, and numerous other high-profile
    Microsoft-sponsored incidents...many view them as "the price of doing
    business in the Information Age" and cheerfully spend (or lose)
    increasing amounts of money with each new incident arising from poorly
    designed software. But rather than face reality by conducting a
    dollars-and-sense risk assessment of their IT operation to see how
    much Microsoft's vulnerabilities cost their enterprise annually, these
    sheeple - at all levels of government, industry, and society - prefer
    tolerating mediocrity to efficiency and reliability in their software
    assets, because they're either too lazy to investigate alternatives or
    don't want to propose changes to the comfortable status quo.
    
    What recourse do you have in such cases?  You can't just sue the
    software vendor for problems with their product like you can the maker
    of a vehicle or appliance since you've given up those rights by using
    the product under the terms of its license agreement. The only option
    you have is to continue using the software in question and scrambling to
    update your systems whenever a new problem presents a danger to your
    information assets. In other words, when Microsoft says "patch" you
    salute and say "how soon?"
    
    Or, you can vote with your pocketbook and move to an alternative
    software product that works better, costs less to buy and maintain,
    and won't burn out your network support staff.  Nobody's saying you
    must use any one particular product or operating system, and they all
    tend to perform the same basic functions needed in today's working
    society - although some are better at it than others. It may take a
    little bit of effort to switch and get used to the new product, but
    the long-term payoff will be worth it.
    
    After all, in the real world, if you don't like Ford trucks, you can
    buy a Jeep instead.
    
    -
    ISN is currently hosted by Attrition.org



    This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 05:44:14 PDT