Slashdot Mirror


Security Flaws May Be Microsoft's Undoing

tarpitt writes: "According to this article in the LA Times, repeated software flaws in Microsoft products has begun to raise concerns that they 'threaten the stability of a major piece of the world economy and to raise questions about Microsoft's future.' Flawed security is seen as a stumbling block to accepting Microsoft sponsored on-line services. It is also driving discussion about making software manufacturers liable for damages caused by flawed products." This piece in eWeek on troubles with XP's automatic updates is an interesting companion; releasing often doesn't seem to be enough. Update: 01/15 15:00 GMT by J : Bruce Schneier's January Crypto-Gram came out this morning, and is also topical: "Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense..."

10 of 505 comments

  1. I've heard this argument before... by tswinzig · · Score: 5, Informative

    ...except instead of 'security' it was 'stability.' Now Win2K/WinXP can stay up and running for weeks and months on end, and you don't hear too much about Windows stability problems for users of the new OS versions.

    Windows has been unstable for years. Did it threaten Microsoft even one iota? Nope.

    Dream on, sorry...

    --

    "And like that ... he's gone."
  2. Interesting to note the official response here by doug363 · · Score: 2, Informative
    I found it interesting that Microsoft's employees have acknowledged problems and said that they're working to fix them:
    Microsoft acknowledges that it needs to do a better job of making the systems it sells more secure. The Redmond, Wash.-based company has begun offering free virus-related support, intensified its checks for holes and convened an industry working group on how to create a world of "trusted computing."

    "We're going to make our systems more resistant and more resilient," said Microsoft's director of security assurance, Steve Lipner. "We want to be unquestionably, unequivocally the best."

    [snip]

    Microsoft's Lipner agreed that there are trade-offs between features customers want and security. He said the company has changed its approach. New versions of Outlook block incoming mail from spreading through the address book, and the Information Server is now turned off within the network server software.

    "If the question is, 'is there tension between feature-rich, usable products and secure products?' the answer is 'absolutely,'" Lipner said. "We're absolutely moving that line more toward security, and if we have to give up some functionality or ease of use, we're paying that price."

    This is markedly different from the previous Microsoft responses on security. Based on the previous responses, I would have expected them to deny that the problem was with their software, and say that the problem was with rogue hackers (running Linux or something... God only knows what those Linux types get up to ;-)). But here this guy says right out that their software needs to be more secure. Is this really a shift in company-wide policy? Has MS really had a change of heart? Could it be that he's trying to talk up Microsoft's commitment to security without doing anything? Or could he want to improve the influence and size of his little corner of the world? Judging by the spate of dodgy XP patches, something went wrong, and possibly in his department. It would be interesting to read a full interview which really got into the nitty gritty on what happened around some of the recent problems. Of course, the odds of Lipner agreeing to such an interview are pretty slim.
  3. Unpatched IE security hole list by tomgilder · · Score: 5, Informative

    Hello! I'm sure everyone will be glad to know that currently IE (even a fully patched IE6) can currently...

    * Run any command or program off the hard disk
    * Monitor the user's clipboard, and steal the contents
    * Read or steal any file off the local disk
    * Check existence of any local file
    * Access the DOM, cookies, or read the content of any other website regardless of domain, protocol or security zones
    * Fake the file name in a download dialog

    ...although most of those only work if active scripting is enabled.

    These security holes are all *proven* to work, and could easily be used to create a devastating worm. Some of them are about a month old, and still not patched by MS. Delightful.

    The two latest exploits are http://tom.vpwsys.co.uk/clipboard/ (mine!) and http://www.osioniusx.com - see http://www.securityfocus.com for more.

    1. Re:Unpatched IE security hole list by diogenes57 · · Score: 2, Informative

      More patched IE 6.0 security holes are available here and a further demonstration of the GetObject() vulnerability is available here.

      When a hole is discovered on a new piece of software and the patch hasn't been released yet, should we abandon the product until it's fixed? What if your corporation runs ASP, MSSQL, and IIS and a flaw is discovered; should you switch to PHP, MySQL, and Apache? Imagine how much time and money that would cost.

  4. Register article by nagora · · Score: 2, Informative
    You all need to have a look at this article at the Reg'.

    TWW

    --
    "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
  5. Re:Windows Update Down Again ? by Anonymous Coward · · Score: 3, Informative

    Many countries have consumer protection laws that forbid any such attempt to remove liability for a product you sell. That is, it doesn't matter if you agree to such a thing, since the law says it is void. This may not necessarily apply to companies (that is, not private persons) buying things, though, since they are not consumers in the sense of that law. So in that case any such license agreement is irrelevant, since the law says so, meaning they ARE liable.

  6. Re:Actually, they're better by jeremyp · · Score: 3, Informative

    Come on, that list is more than 6 months out of date. No objective stats of occurrences of incidents are provided (try the CERT site for that). Many of the references to advisories/bug reports etc are even older than 6 months (a quick scan shows two or three that appear to have been logged in the year 2000, the rest seem to be mainly 1999). The newest CERT advisory on sendmail for instance was raised in 1997 on version 8.8.4. In fact, basically the whole list comes under the categories a) running out-of-date software, b) running software on machines that don't need it. e.g. DNS on a machine that isn't a DNS server.

    In fact there is a more up to date and better structured list here:

    http://www.sans.org/top20.htm

    Even on this page, taking the sendmail example (ref U2) again, the most recent bug report they quote is on 8.8.4, which is ancient (8.8 was released before any of sendmail's current Open Source competitors were even written). Which means that this vulnerability is really an instance of not keeping your software up to date (included in G1).

    Use your common sense: the biggest computer security problem at the moment is viruses and worms, which affect mainly Windows systems, mainly because of the popularity of Windows, particularly amongst non-technical users.

    --
    All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  7. Re:I despise XP by overturf · · Score: 3, Informative
    Misinformation. This account is used by the "Remote Assistance" feature that lets you grant someone access to remotely troubleshoot your machine. It is only available once you've generated a request for remote assistance and can easily be completely disabled in control panel.

    MS Support Link on this

    Needless to say, if you live 5 states away and have ever tried to talk your parents or friends through support over the phone: "No.. don't click that one... click on the ADVANCED button... now what do you see...?" -- this is much better.

  8. Re:Liability. by sparkz · · Score: 2, Informative

    Now that would hit OSS hard - if a sysadmin uses free/open software which trashes the database, his company could sue the sysadmin, not the developer.

    Take the recent /bin/login bug - how many thousands of eyes have passed over that source before it was spotted? If the sysadmin gets hit by a 0-day exploit before he's even heard of the bug, surely nobody could say that either the developer(s) or the sysadmin should take responsibility.

    --
    Author, Shell Scripting : Expert Re
  9. Miss Thistlebottom is shocked! by Edward+W. · · Score: 2, Informative

    Miss Thistlebottom, my seventh grade English teacher, asked me to relay this message: "Did you say 'flaws . . . HAS begun'"?