[ISN] Re: [Full-Disclosure] Microsoft prepares security assault on Linux

From: InfoSec News (isn@private)
Date: Thu Nov 13 2003 - 05:54:23 PST

  • Next message: InfoSec News: "[ISN] Secunia Weekly Summary - Issue: 2003-46"

    Forwarded from: Jason Coombs <jasonc@private>
    CC: support@private, "'Helmut Hauser'" <helmut.hauser@private>,
    full-disclosure@private, bugtraq@private,
    
    I wrote an information security book last year under contract with 
    Microsoft Press. The book was never published -- among other things it 
    explains truthfully the poor security condition of Windows and offers 
    detailed instructions and advice for defending against Microsoft's bad 
    business practices and incorrect security decisions. URLs for the free 
    electronic book are:
    
    (PDF)
    http://www.forensics.org/IIS_Security_and_Programming_Countermeasures.pdf
    
    (Raw Text/PNG Graphics --> safer!)
    http://www.forensics.org/jasonc/iisforensics.zip
    
    The security awareness for Windows communicated by my book would have 
    enabled people to avoid intrusions, infections, damage, and down time 
    from MS Blaster, SQL Slammer/Sapphire, and many of this year's other 
    threats. It would also have helped to educate developers of Web 
    applications so that fewer new vulnerabilities would have been created.
    
    A few of the specific warnings provided by my book include:
    
    * FrontPage Server Extensions are badly flawed from a security 
    perspective and should never be used.
    
    * Ports open by default (RPC/DCOM/SMB/Messenger/Workstation Service/etc) 
    will be found to expose remote exploitable buffer overflow 
    vulnerabilities and therefore must be protected and closed at all costs.
    
    * Don't use/rely on Microsoft Baseline Security Analyzer because it 
    intentionally ignores known vulnerabilities in order to more often 
    report a happy "you're all patched" message to the admin.
    
    * Internet Information Services cannot be trusted out of the box but 
    instead must be carefully security hardened beyond anything that 
    Microsoft normally recommends, and many IIS features must be disabled in 
    order to achieve a trustworthy subset of Microsoft software.
    
    * ... more ...
    
    If Microsoft intends to launch a PR/advertising campaign against Linux, 
    perhaps it would take a moment out of its busy schedule to explain why 
    it won't publish a book that tells the truth and provides warnings in 
    advance that the only way to safely operate a Windows computer is to 
    subscribe to infosec mailing lists such as bugtraq and full-disclosure 
    in order to remain constantly aware of the real-world condition and 
    capabilities of attackers?
    
    Microsoft suppresses awareness of vulnerabilities in order to profit.
    
    The only way to achieve security in computing is through awareness.
    
    Therefore, Microsoft's profits cause additional insecurity. Go figure.
    
    Sincerely,
    
    Jason Coombs
    jasonc@private
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Nov 13 2003 - 09:51:58 PST