http://www.informationweek.com/story/showArticle.jhtml;jsessionid=NKDW2KTVVSCQ4QSNDBCSKH0CJUMEKJVN?articleID=60400363 By John Foley InformationWeek Feb. 14, 2005 When Bill Gates takes the stage at the RSA conference in San Francisco this week, you can be sure he'll give an upbeat assessment of Windows security. The pending acquisition of security vendor Sybari Software Inc., disclosed last week, adds to a growing portfolio of products that promise to batten down Windows networks. And, as he's done in the past, Microsoft's chairman likely will detail other accomplishments and forward-looking plans that portray a company delivering on his 3-year-old promise to make Windows environments "trustworthy." It's a compelling message, except for one unavoidable fact: The software patches just keep coming. Microsoft last week issued a dozen security bulletins addressing 17 software vulnerabilities, tantamount to a shotgun blast of holes through the company's product line. Nine bulletins, many graded "critical" in importance, affect various versions of Windows. Others address problems with Microsoft's .Net Framework, SharePoint Services, Windows Media Player, MSN Messenger, Internet Explorer, and Office suite. Even Microsoft's most-secure operating system, Windows XP Service Pack 2, wasn't immune: More than half the bulletins involve SP2. To repair all the vulnerabilities in all affected products would require more than 60 patches on English-language computers alone. "It's an almost endless list," says Kyle Ohme, director of IT with Freeze.com, a Web-site operator that uses about four dozen Windows servers, some of which are IBM blade servers, to offer screen savers to millions of users each day. By Microsoft's own account, the vulnerabilities leave its software open to everything from buffer overruns to remote code execution. Just one day after Microsoft posted the patches, someone released exploit code to attack one of the vulnerabilities. "If we don't patch, we definitely have the ability to be exploited relatively soon," Ohme says. So Ohme and many IT professionals like him were busy last week assessing, downloading, testing, and deploying Microsoft's latest round of patches across their IT infrastructures. It's a process that can take days or even weeks. "For us, and the resources we have, it could [have been] a daunting task to get all of those patches to all of our systems quickly enough," says Daniel Hereford, data-security officer with First Bank and Trust Co. In January, the bank began using a service from Qualys Inc. to locate vulnerabilities and ensure that they're fixed, and now it reacts more quickly to Microsoft's monthly security bulletins. "Ninety percent of our software-security issues are centered around Windows," Hereford says. Despite all the work involved, it's an improvement compared with Windows security three years ago. In January 2002, following the Code Red and Nimda virus attacks that hit many Microsoft customers hard, Gates made "trustworthy computing" the company's top priority. Since then, Microsoft has trained its programmers to write more-secure code, established a predictable patch schedule, released more-secure operating systems (Windows Server 2003 and Windows XP), and acquired security products from other companies to fill gaps in its own line. "They've taken the right initiatives," Hereford says. There's still much more to do, as last week's bug blast and Sybari acquisition demonstrate. Key missing pieces are Windows Update Services and Microsoft Update, both of which promise to help companies roll out patches more quickly to Windows and other Microsoft products. Windows Update Services, which has been delayed twice, is in testing now and scheduled for availability by midyear. And, while Microsoft has acquired a variety of security companies and products over the past two years--including GeCAD Software (antivirus), Giant Company Software (spyware detection), and Pelican Software (behavior-based security)--it hasn't shown how or when all the pieces will fit together. Microsoft security VP Mike Nash last week tried to clear up some of the confusion. During a Webcast to discuss the newly issued patches and the Sybari acquisition, Nash said Microsoft is "working hard" on desktop antivirus software that's based on the GeCAD antivirus scanning engine. That software will be tweaked to work with the Sybari products this year. The Sybari acquisition is expected to close by midyear, pending regulatory approval (see story, All For One: Microsoft Ups Its Security Software Tools [1]). Nash acknowledged it's important that customers be able to manage Microsoft's security tools together. "We do think that there needs to be a management capability to allow enterprises to both control and monitor their security technologies like anti-spam and antivirus," he said. "We're currently working through specific requirements." There appears to be a ready market for security products that come directly from Microsoft. Last month, the company released a test version of the Giant Software tool, now called Windows AntiSpyware, and it's already been downloaded more than 5 million times. The product will go through at least one more test before release, Nash says. However, there's a problem: Windows AntiSpyware itself has become the target of virus writers. Malicious code aimed at the product attempts to suppress warning messages it displays and to delete all files within the program's folder. "This is the beginning of a wave of attempts to undermine the effectiveness of this new product," predicts Gregg Mastoras, senior security analyst with security software company Sophos plc. Microsoft officials insist things are moving in the right direction, pointing out that Windows Server 2003 has had half as many security bulletins as Windows 2000 Server over the same period, that the number of annual security bulletins is on a downward trend, and that there's a sharp increase in usage of its software-update services. Last week, the company released a test version of Windows Server 2003 Service Pack 1, which promises improved security. "We have made progress toward our goals," writes a company spokeswoman, "but there is still a lot of work to be done." That includes delivering a more bulletproof version of Windows. "They still haven't shipped a desktop operating system that was designed and coded after they started caring about security," says Gartner analyst John Pescatore via E-mail. The next-generation of Windows, code-named Longhorn, is due next year. Among other other security advances, Longhorn is expected to minimize situations in which PC users have administrative privileges, leaving systems more open to attack. Many customers credit Microsoft with making progress. "Microsoft is absolutely stepping up to the challenge," says Jason Stefanich, client-server engineering manager with Dow Corning Corp., where high-priority patches are usually completed within a day. Even so, Dow Corning is using a product from Ardence Inc. that moves the operating system off desktop PCs and onto servers, in part to provide better security and more manageable updates. And while the manufacturer uses Windows XP to drive those PCs, it hasn't yet upgraded to Service Pack 2, which Microsoft bills as its most-secure desktop environment. "It breaks a lot of [applications]. We can't have 8,000 people calling our help desk with issues," Stefanich says. "Microsoft missed the boat with SP2." So it goes. Microsoft customers are getting better at securing their Windows environments, partly because Microsoft is providing tools to help, but also through increased attention to internal processes, use of third-party products, and new tactics. Freeze has placed Windows' Internet Information Services, a favorite target of hackers, behind a firewall. Instead, its Windows-based Web servers run open-source Apache software. No one is calling Windows security easy. "It's a big pain," says an IT manager with an East Coast manufacturing company who manages about 200 PCs. "It's not something we feel is under our control." The company is contemplating a move to Microsoft's Systems Management Server to automate software updates. How are those done now? Manually, one computer at a time. Microsoft remains focused on making things better, says the spokeswoman. "Ultimately, what matters is not what we say, but what we do," she says. When Bill Gates talks this week, that's something to remember. -- With George V. Hulme and TechWeb's Gregg Keizer [1] http://www.informationweek.com/story/showArticle.jhtml?articleID=60400364 _________________________________________ Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
This archive was generated by hypermail 2.1.3 : Tue Feb 15 2005 - 02:25:36 PST