[ISN] Analyst claims additional security layers in Windows add to risk

From: InfoSec News (isn@private)
Date: Tue Mar 09 2004 - 00:38:15 PST

  • Next message: InfoSec News: "[ISN] Jury: Man hacked cop radio"

    http://www.computerweekly.com/articles/article.asp?liArticleID=128907
    
    by Cliff Saran 
    9 March 2004 
    
    Microsoft is planning a series of security improvements to Windows, 
    yet each layer of software protection it adds increases the security 
    risk, an analyst firm has warned. 
    
    A report by Burton Group said that although Windows 2003 could be 
    deployed as a flexible and inexpensive application server, its 
    security has a chequered past. According to Dan Blum, senior 
    vice-president and research director at Burton Group, attacks such as 
    Nimda, Code Red and Slammer have slowed Windows server adoption in 
    large enterprise extranet and service provider environments, where 
    Linux/Unix servers are generally preferred.
    
    The problem lies with Win32, the programming interface used by most 
    applications, he said. 
    
    Because there is no code access control in Win32 subsystems, Com, or 
    ActiveX, Blum warned that any software component running on the 
    Windows system could invoke any other component and attempt to do 
    anything it wants. 
    
    Malicious programs have many opportunities to attempt buffer overflow 
    or other attacks to subvert discretionary access controls and other 
    system protections. In other words, a rogue Win32 program would be 
    able to undo any steps Microsoft may take to lock down Windows 
    security. 
    
    The report recommended that users avoid ActiveX and the Win32 
    application programming interfaces and instead develop code in .net, 
    an architecture based on managed code, which reduces the effect of 
    programming errors.
    
    Blum said, "Like Java, managed code based on .net runs in a sandbox." 
    Such a sandbox is designed to prevent the code from crashing the 
    operating system. The code runs on a virtual machine rather than 
    computer hardware. As a result, it is much harder to compromise, he 
    added. 
    
    Security problems are exacerbated by the fact that Windows 2003 is 
    designed to be an integrated platform and as a result is based on 
    complex dependencies between various operating system components. 
    
    To tighten security on a Linux or Unix platform users can remove 
    functionality by configuring the kernel or recompiling it, but this is 
    not as easy on Windows. "All Linux and Unix operating systems are much 
    simpler than Windows," said Blum. 
    
    Bradley Tipp, national system engineer responsible for security at 
    Microsoft, defended Windows 2003's security. "With an integrated 
    approach it is much easier to apply patches, since the user does not 
    have to go to multiple supplies to secure the operating system," he 
    said. 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Mar 09 2004 - 03:26:24 PST