[ISN] Microsoft's New Security Mojo

From: InfoSec News (isn@private)
Date: Mon Nov 17 2003 - 01:49:01 PST

    Forwarded from: Richard Forno <rforno@private>
    
    Microsoft's New Security Mojo
    Richard Forno
    12 Nov 2003
    Copyright (c) 2003 by author. Permission granted to reproduce in entirety
    with credit to author.
    
    http://www.infowarrior.org/articles/2003-06.html
    
    Recently, Microsoft announced a program to offer rewards in exchange
    for information leading to the arrest and conviction of those who
    exploit its flagship Windows product through viruses, worms, and other
    forms of malicious code.  Yet, despite the software giant's own
    executives saying publicly over a year ago that their products
    "weren't designed for security" the company continues to point fingers
    at third parties, hackers, and crackers as the source of the many
    problems plaguing the Windows-based portions of the Internet.  It also
    demonstrates the ineffective organized chaos that remains Microsoft's
    response to the marketplace demands for better-developed,
    better-tested products.
    
    Security (or lack thereof) in Microsoft's products has adversely
    impacted corporate profits for years, and finally is beginning to
    affect Microsoft's future profit potential as well. As a result,
    Microsoft suddenly is committed to improving security, despite its
    years of sitting idle. Hence the company's mad rush to inject
    "security" into every product, speech, and statement to reassure its
    customers that Windows is still a worthy operating environment to
    spend money on. It's even sponsored an upcoming report critical of
    Linux security to help spread fear, uncertainty, and doubt about
    Microsoft's chief competitor and underscore why Windows is a better
    product. Sadly, rather than address its own problems, the company is
    content to use creative marketing as a substitute for good security
    and software development.
    
    The problem isn't that virus-writers are exploiting Windows, it's that
    Microsoft makes Windows easy to exploit by anyone with a modicum of
    programming know-how -- and instead of accepting responsibility, the
    company is trying to pass the blame for such problems off onto others.
    Creating a rewards program is a clever, low-cost way of diverting
    public attention away from the many problems resulting from its
    history of exploit-friendly programming practices so it doesn't have
    to address the root causes that forced the creation of the rewards
    program in the first place.  It also allows the company to portray
    itself taking the moral high ground (albeit illusory) in its approach
    to proactive product security.
    
    The rewards program builds on the company's recent announcement to
    convert its traditional as-necessary security bulletin and
    patch-release process into a predictable monthly one.  Interestingly,
    Microsoft's October 2003 white paper discussion of the new security
    release process says this will make it easier for customers to stay
    current through a single cumulative monthly patch that fixes reported
    problems in Windows. That sounds perfectly reasonable until one reads
    that "Microsoft will make an exception to the above release schedule
    if we determine that customers are at immediate risk from viruses,
    worms, attacks or other malicious activities. In such a situation
    Microsoft may release security patches as soon as possible to help
    protect customers."
    
    Given that the majority of Microsoft security bulletins deal with
    these very problems, one wonders if this new policy really makes a
    difference by improving security or if it means that to reduce the
    number of security bulletins (and associated negative media coverage)
    Microsoft will be more selective in what it deems an "immediate risk"
    to customers. It's likely that the company will seldom release a
    bulletin-patch outside of its assigned monthly schedule, since it
    would not only undermine its new policy but put it in the unfortunate
    position of having to defend what makes one problem "more critical"
    than another and warrant a special release.
    
    Admittedly, a monthly patch-release schedule may make it easier for
    customers to stay current, but also means that a potential adversary
    knows exactly when to release his next malicious code or exploit
    technique to the world. Network administrators likely will resent
    being kept in the dark between monthly patches, never knowing if their
    networks are endangered or being compromised until the next security
    bulletin is announced.
    
    Patching aside, it's more interesting - and seems very convenient -
    that the company responsible for the majority of digital problems in
    cyberspace in recent years is now offering a remedy for these
    recurring problems in the form of Trustworthy Computing and the next
    version of Windows code-named Longhorn. Of course, to receive this
    much-desired increase in security, users must pay for it via a product
    upgrade.  Unless I'm mistaken, this sounds a bit like the Mafia
    offering "protection" services to local neighborhood businesses to
    protect against security problems it creates (or tolerates) as a form
    of revenue. Pay for your "protection" or be "at-risk" (wink-wink)
    until you do.
    
    Microsoft has an established history of such sneaky practices to get
    what it wants from its customers. Remember that over a decade ago, the
    company intentionally caused early versions of Windows to display
    error messages if installed on anything other than the Microsoft
    version of DOS - once users installed MS-DOS, the error messages
    disappeared. More recently, to fix a series of critical
    vulnerabilities in the Windows Media Player last year, Microsoft
    forced users to accept the imposition of new and controversial digital
    rights management (DRM) software as part of the security "fix."  Of
    course, users were free to not install the fix if they didn't want the
    DRM software on their systems, but would remain at-risk to attack and
    exploitation from any number of criminals on the Internet as a result.
    
    This brings up the question of how the definition of "security" is
    changing to fit marketplace needs.  The MSDN website shows DRM is a
    core 'security' function of Longhorn that runs in what Microsoft calls
    the Secure Execution Environment.  The very fact that an operating
    system - the engine that runs our computers and touches everything we
    do on them - is based on a DRM foundation (with "hooks" for third
    parties including Microsoft to determine what may be done with what
    information on a computer) is frightening. Ask any objective security
    professional -- DRM should not be viewed as a function of security but
    rather an add-on function of revenue protection for those industries
    based on digital content.
    
    Home and business users alike should not be forced into a Mafia-like
    protection agreement to be secure in cyberspace. Nor should the
    fundamental definition of security be extended - or twisted - to
    include invasive mechanisms of profit-protection for industries unable
    to adapt their business models for the Information Age. Until
    Microsoft takes a realistic view of security and defines effective
    real-world ways of improving product security in the present day -
    such as cleaning up the existing Windows code instead of greedily
    forcing mass upgrades - its existing customers will be reluctant to
    adopt a newer version of the Windows product line no matter what the
    speeches and marketing material promise.
    
    Microsoft chairman Steve Ballmer recently said the company's rewards
    program makes it clear that Microsoft is "taking security seriously."  
    What he meant to say was that it's clear that Microsoft is taking its
    security reputation seriously.  That's a big difference.
    
    # # # # #
    
    Brian Valentine Statement on Windows Insecurity
    http://archive.infoworld.com/articles/hn/xml/02/09/05/020905hnmssecure.xml
    
    White Paper: Revamping the Security Bulletin Release Process
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/revsbwp.asp
    
    # # # # #
    
    Security technologist Richard Forno is the former Chief Security
    Officer at Network Solutions and author of "Weapons of Mass Delusion:
    America's Real National Emergency." His home in cyberspace is
    http://www.infowarrior.org/.
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.