Security Flaws May Be Microsoft's Undoing

tarpitt writes: "According to this article in the LA Times, repeated software flaws in Microsoft products has begun to raise concerns that they 'threaten the stability of a major piece of the world economy and to raise questions about Microsoft's future.' Flawed security is seen as a stumbling block to accepting Microsoft sponsored on-line services. It is also driving discussion about making software manufacturers liable for damages caused by flawed products." This piece in eWeek on troubles with XP's automatic updates is an interesting companion; releasing often doesn't seem to be enough. Update: 01/15 15:00 GMT by J : Bruce Schneier's January Crypto-Gram came out this morning, and is also topical: "Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense..."

Liability.

[Lemmy+Caution]

The article mentioned a shift in political attitude: lawmakers are considering suspending the protection against liabilty that software makers now enjoy.

Insofar as it's true that software is flakier and more vulnerable than other products, the questions we might ask are the extent to which liabiliy has motivated other product manufacturers to be a lot more careful in their manufacturing processes, and the extent to which software is "inherently" impossible to get right. Is that perception that software should be exempt from the sort of standards that other goods have accurate, or has that perception been constructed by years of poor software and a lack of accountability?

Re:Liability.

[MisterBlister]

Software liability also has has consequences for Open Source that must be explored. If Microsoft is liable for bad software, that would also open up Open Source and Free Software programmers to the same liability -- just because you give something away for free doesn't limit your liability if commercial vendors are also held liable. And what OSS/FS companies/vendors/developers can afford to worry about being hit with a liability suit, especially when they are unlikely to derive anywhere near Microsoft-scale profits on their work in the first place?

Those who yell and scream that Microsoft should be held liable should be careful what they wish for...liability laws would kill off most all of OSS/FS faster than they would kill Microsoft.

Re:Liability.

[Restil]

First of all, its not IMPOSSIBLE to get software right. No more difficult than it is to build a car or a housse correctly, and while on occasion they break down, generally speaking they function as they're supposed to with minimal failures.

You've heard the joke about the first woodpecker destroying civilization if buildings were built the way that software was written. There's a fundamental truth here. Coders, for the most part, are sloppy. Why? Because they CAN be. However, there are examples of cases where software was done correctly the first time. It takes careful planning and controls and peer review, and in most cases the end result is clean code in less time than it would have taken to do it sloppy and spend lots of time cleaning up bugs.

There SHOULD be accountability here. But people don't hold Microsoft accountable. And I don't blame the monopoly factor either. People have just been brainwashed to believe that its NORMAL that computers crash. Its NORMAL that there are viruses. These things are just a part of life, and there can't be anything done about it. And as long as they believe that, they will keep buying into Microsoft.

These things generally don't bother the individual. They bother a large corporation as a whole that has to deal with the cleanup after one of the messier outlook viruses goes around. But, the corporation, run by people, simply look past the problem. The sys admins might be screaming bloody murder about it, but everyone else just considers it to be the status quo and goes on with their lives as best they can while the servers are being reloaded.

In my opinion, Sircam was the first windows virus/worm that had the potential to have a real effect on how people looked at Microsoft. If the virus was somewhat more malicious and made the data that was being sent out easily readable (as well as passing along a virus) and a few big corps had a lot of confidential internal memos sent all over the world.... THEN maybe people would start to reconsider the value of Microsoft
brand products, as soon as it is made clear to them, that its Microsoft and their software that made all this possible.

-Restil

Re:Liability.

[Goonie]

First of all, its not IMPOSSIBLE to get software right. No more difficult than it is to build a car or a housse correctly, and while on occasion they break down, generally speaking they function as they're supposed to with minimal failures.

Hmmm, we've been building permanent dwellings for thousands of years. We've been building software for fifty, and doing so on a large scale for about thirty.

Not to mention that the complexity and novelty of the average piece of software dwarfs that of all but the most unique and large-scale building projects.

You've heard the joke about the first woodpecker destroying civilization if buildings were built the way that software was written. There's a fundamental truth here. Coders, for the most part, are sloppy. Why? Because they CAN be. However, there are examples of cases where software was done correctly the first time. It takes careful planning and controls and peer review, and in most cases the end result is clean code in less time than it would have taken to do it sloppy and spend lots of time cleaning up bugs.

And you think that planning, control, and peer review comes free, and without a lot of pain getting it wrong first?

Software is still relatively new, and the most complex design task humanity undertakes. It's no wonder we haven't perfected the engineering of it.

Re:Liability.

[IronChef]

Your mistake is wanting to fix the problem rather than litigating a solution. Silly rabbit, you must be some kind of Canadian or something!

Re:Liability.

[bockman]

Software should be sold with a label indicating its quality level, as certified by well-defined and verifiable standards:

• level-0 is the software provided as-it-is or whith disclaimers that nullify any liability (that is 99% of today commercial and free software)
• other levels could be defined for software which promises (and therefore is liable for) a well-specified level of accuracy/data integrity/security.

Companies would price their software accordingly with the quality level they warrant, and people and company could make their own cost/quality/risk trade-off analysis and freely use whathever they want.

Note that in theory an open-source redistributor could achieve quality level > 0 by submitting the products it distributes to rigorous qualification tests and patching the software accordingly. A problem could be that they should publish their patches, making easier for the competition to do the same. But this is nothing new, being the same dilemma that open-source distributors already face for the works which goes in packaging/integrating the free software.

Ahem...

[nurightshu]

...begun to raise concerns...

Begun to raise concerns?! That's like saying, "In other news, repeated appearances of the star Sol on an approximate 24 hour basis have begun to raise concerns that it may do so tomorrow."

Microsoft never built operating systems with security in mind. The last time I checked, the security testing group at MS consisted of two Norwegian Black rats, a four-year-old, and a blind, deaf, chimpanzee with a drinking habit. It still hasn't occurred to them that improving their security might, in fact, be a good thing.

There, I feel better.

Re:Ahem...

[servasius_jr]

The last time I checked, the security testing group at MS consisted of two Norwegian Black rats, a four-year-old, and a blind, deaf, chimpanzee with a drinking habit.

This allegation you're making is both hurtful and untrue. That chimpanzee is a friend of mine, and I'll have you know that he only drinks socially, and conducts himself with the utmost professionalism.

Product liability

[stjobe]

A blue-ribbon panel of technology experts assembled by the National Academy of Sciences said lawmakers should consider ending Microsoft's and other software companies' special protection from product liability lawsuits, which have long forced makers of cars, medical devices and just about everything else to pay closer attention to the safety of their wares.

Interesting, but in the case of free software, what would this mean for the developers? We all want Microsoft to be held responsible in some way for their security holes and such, but would we want to be treated the same way ourselves? What would happen when an author of a piece of free software was dragged to court because the software was buggy? And what would happen if it was Microsoft who did the dragging?

Re:Product liability

[sheldon]

Such a move will further entrench software development into the hands of a few large companies.

Is it good? I don't know, I guess it depends on what your priorities are. If what you really want is rock solid quality software, then yes it's good.

If you want rapid innovation, then probably not.

It'd definately kill off free software because you'd need to be trained, licensed and bonded in order to write software. Just like engineers who design bridges, etc.

Perhaps it is the natural progression of the market. If you look at other industries, over time they concentrated their power into the hands of a few large companies. Oil, Automobiles, Televisions, Radio, etc.

That's why it's always important to see both sides of an issue. The title of this article as posted to /. is pretty anti-Microsoft. But ask yourself, out of all the companies developing software which one has the intelligence and the financial resources to react to such a change?

The only one I can think of is Microsoft. This wouldn't be their undoing, it'd only make them stronger.

Microsoft isn't going anywhere, time to get used to that.

I've heard this argument before...

[tswinzig]

...except instead of 'security' it was 'stability.' Now Win2K/WinXP can stay up and running for weeks and months on end, and you don't hear too much about Windows stability problems for users of the new OS versions.

Windows has been unstable for years. Did it threaten Microsoft even one iota? Nope.

Dream on, sorry...

Patches not enough

[smoon]

I recently had to rebuild a web server after a machine crashed, and getting NT4, IIS Option pack, etc. up and running with all patches was a _very_ long task.

It's not enough that Microsoft patches their products -- they are still shipping CDs of NT4 and win2k with the original 'release' of the product, so installing it means the original install plus a dozen or more service packs, hotfixes, etc. This makes it very tempting for internal corporate PC usage to just skip most of the patches to save time, and makes the process of securing Microsoft software that much more difficult.

They should just release new 'point' versions of the OS with every service pack, and stop selling the out of date CDs! Maybe this would cut down on the useless churn of moving from NT4 to 2K to XP to whatever -- and that would have to be good.

The Nightmare

[Convergence]

The nightmare scenario.. Three hours from when a widespread bug (like the recent XP one) and having millions of windows machines trashing everything they touch.

That is the future, and it will happen someday.

• Here's how:

Use the warhol worm spreading technique. Read it and be frightened. He claims 8 MINUTES from first infection to millions of infections.

I'm not quite as confident as he is in that number. But I'll definitely agree that 2 hours is more than enough time. (1 million vulnerable hosts, 5 scans/sec. Start with 1000 hosts, each second, 5000 probes, finding one vulnerable host. Thus, after 15 minutes, 2000 hosts, and doubling every 15 minutes.)

And, the more vulnerable hosts, the faster it spreads.

Now imagine a truly destructive payload. One which does not delete files, but corrupts them, starting with the fileservers. It restores datestamps to make it impossible to identify what files are corrupted.

Three hours from exploit to millions of computers corrupting thousands of files. Antivirus won't keep up, hell, warninsgs won't even reach most people until after its demolished their fileserver. With obfuscation techniques, the worm could survive 3 hours without being reverse-engineered.

It spreads so fast, there's no defense. It spreads so fast, you won't be aware its trashing all files until its already started. The only reason we've survived this long is that nobody really competent has worked on a worm.

Be afraid. Be very afraid. The only question is when it will occur, and whether you will be running Windows when the time comes. I hope you keep good backups.

Losing the press?

[banky]

In the "Great OSS Boom of '99" the press was all awash with Linux this, Linux that. MS stayed true to its course, kept on with the updates, and got XP out the door.

Now it seems things have changed: more and more, I am seeing articles that are negative of MS. "XP isn't stable", "too many updates", "XP isn't secure", "W2k was fine, why did they change it?" is what I see more and more of. Red Hat gets decent nods, and now even Apple of all people is selling a Unix operating system, albeit one that is packaged in a lamp.

Is MS at risk of losing the press?

Articles like this must drive them absolutely BONKERS. Forget the /. bias, we're nothing. An article a week like this, even as a back-page editorial, is enough to cost them how many customers?

How many of the system integrators like the guy in the article will just give up and stop dealing with XP, or worse yet, call Big Blue?

If MS loses the appeal of the popular press - promoting every new release as stable and secure - then they're screwed, even without the class action suits and liability claims. Any more FBI warnings will serve as months of fodder for the rags to hammer on them.

Unpatched IE security hole list

[tomgilder]

Hello! I'm sure everyone will be glad to know that currently IE (even
a fully patched IE6) can currently...

* Run any command or program off the hard disk
* Monitor the users clipboard, and steal the contents
* Read or steal any file off the local disk
* Check existence of any local file
* Access the DOM, cookies, or read the content of any other website
regardless of domain, protocol or security zones
* Fake the file name in a download dialog

..although most of those only work if active scripting is enabled.

These security holes are all *proven* to work, and could easily be
used to create a devastating worm. Some of them are about a month old,
and still not patched by MS. Delightful.

The two latest exploits are http://tom.vpwsys.co.uk/clipboard/ (mine!)
and http://www.osioniusx.com - see http://www.securityfocus.com for
more.

Go ahead and take the lead

[Dr.+Tom]

Next time you release a software product, delete that "NO WARRANTY" clause from the license. State that you will fix any bugs that are found for one full year from when the user downloaded the program. You may even be confident enough of your code to offer a money-back guarantee (if it's shareware, for example). See how adding lines like that to your tarball affects how you code and debug.

Dare Microsoft to even think about this. Their worst fear is a world where people choose software based on quality.

Seriously, we don't need to whine about what some legislators are doing about the big bad wolf's coding practices. What we need to do is start setting the example. Say "I write good code!" and stand behind those words. Somebody who knows how should create a version of the GPL that includes appropriate warrantees for Free Software. The "Quality GPL" (GQL?). You don't have to use it, if you think your code is buggy or is a development version. Right now we just click on "Stable Branch" and that sends a message to those in the know, but how much better if you go visit a software repository and find piles of code that are stamped with a license that guarantees that the product is free from defects in workmanship (modifying the source code voids the original warranty, of course, and people who re-release modified code are under obligation to change the license to reflect that).

We want people to get the idea that software that claims to be stable yet comes with the phrase "NO WARRANTY" is probably a steaming turd. Especially if they paid good money for it.

Naturally, you can't predict how some people will use your product. "No, sir, the VCR does not function under water." Your code might not work on an SGI, either, if you developed it under HPUX. Using the product in a manner not intended will void the warranty. Sometimes it's not a bug, it really is a feature (or the lack of one). But if somebody finds a bug, you WILL fix it, won't you? Why not put that in writing? Even offer a monetary reward to the first finder (how about $2.56?) of every bug.

Note that agreeing to fix bugs, or claiming that your product is bug free, is completely different from assuming liability if the user uses your program to kill himself. That's a completely different story.

Security flaws in XP?

[Rinikusu]

that's the most stupJ00 4r3 0wn3d!id thing I've ever heard! My Windows XP box h45 b33n h4x0rd h4h4h4h4h4! sorry, I don't know what's wrong with my keyboard10wn3dj00 it keeps messing up.. but anyway, Microsoft security is perfectly fine here

Unix, Windows, and the Secure Tao

[_Sprocket_]

Yes, Microsoft products have security faults, whose doesn't? Microsoft's get more notice because of the insane amount of marketshare they have, also Microsoft's software is less mature than the UNIX offerings people often compare it to in terms of tight security.

...

I remember back in the late 80s and early 90s how much of a joke UNIX security in general was.

...

Unix security is better now, but that's in large part due to maturity...Microsoft software will improve as well..Look at how much they've improved stability already when compared to Win95...It will happen...slowly, perhaps.

In a previous comment on another article, I noted that Unix has spent its time "in the trenches". Infosec history is full of Unix and its exploits... and its eventual improvement. But it is too easy to look at this history and learn the wrong lesson.

Unix's history of security flaws is less about Unix and more about infosec awareness. Unix changed as the understanding of infosec and security principles changed. While time has allowed more of these flaws to be discovered and removed from the Unix code base, the process over the years has been more about knowing what to look for (or even to bother looking). And as this understanding of infosec principles, concepts, and procedures has increased entirely new chunks of unix code has materialized - sometimes to fill a void, but often to replace another project's functionality with a new design that has taken security issues in consideration during its inception.

In short, Unix does benefit from its maturity. But the greater lesson is the infosec mind set. The tao of security, if you will. And these are concepts that can be applied to any project / OS.

The claims that Microsoft will "get there" with maturity are misleading. Microsoft may indeed improve. But its not maturity of their code base that's at issue. The issue is whether Microsoft will begin to understand Security and design systems based on that understanding.

Microsoft has shown signs of improvement with a sudden handful of security tool offerings. But unfortunately, these are really superficial afterthoughts to an already flawed environment.

Microsoft's problem is not technical; its cultural. Microsoft is a technology company that excels at marketing. Articles by Microsoft coders talk about the push from Marketing to add additional features at the cost of bug-hunting and resolution.

This kind of environment clashes with two infosec concepts. The first is that vulnerabilities are bugs - something malfunctions in an unexpected way, leaving the system vulnerable to intentional manipulation of this bug. The second is that there is an inverse relationship between functionality and security. Increasing the number of features, and the ease of using these features, often threatens a system's security.

Marketing at Microsoft will first have to care about infosec issues (this may be happening as Microsoft gets more and more negative press). Then Microsoft will have to strive to design secure systems even at the cost of features (and possibly even abandoning or severely restructuring current systems).

It will take a maturity of a different kind.

Quote of the day

[mcrbids]

Ok, Quotes of the day;

First:

"Microsoft treats security problems as public relations problems," said Bruce Schneier of Counterpane Internet Security in Cupertino, Calif.

And then:

"We're going to make our systems more resistant and more resilient," said Microsoft's director of security assurance, Steve Lipner. "We want to be unquestionably, unequivocally the best."

Director of Security Assurance ??!?!

If you can imagine a more Dilbertified position within a company....