Slashdot Mirror


Microsoft's Goal, Security Through Obscurity?

dave cutler writes "Salon has an amusing little wire article claiming that Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks." Update: 05/09 13:59 GMT by M : The benefit to customers of Microsoft integrating internet services into the operating system, as well as Microsoft's commitment to security, are exemplified in this article which notes yet another remote root hole in Microsoft's code.

22 of 374 comments

  1. WTF???? by user32.ExitWindowsEx · · Score: 5, Flamebait
    As a result, even non-active Messenger users, or those who access the service using a third-party product such as Trillian, should upgrade to the new MSN Chat control.

    TRILLIAN CONTAINS NO MICROSOFT CODE. THIS IS A FLAW IN MICROSOFT'S CODE, NOT THE PROTOCOL.

    WTF was the author on?? HTF can he say this? It's blatantly wrong.

    p.s. I'm a Trillian user.

    --
    "Evil will always triumph because good is dumb." -- Dark Helmet
    1. Re:WTF???? by MaxwellStreet · · Score: 4, Insightful

      Makes you wonder if these things aren't being spun out to get people to use the latest version of MS's products - if for no other reason than to make their systems secure.

      Don't use 3d party stuff. Use the latest from MS. It's secure this time. We promise. Really.

      Vaguely reminds me of auto glass purveyors out in a parking lot with a bat.

    2. Re:WTF???? by Merlin42 · · Score: 5, Informative

      This is an overstatement. This bug can be triggered from a web page that references the MSN Chat ActiveX Control, so if at some time in the past you installed the control then you are vulnerable even if you use Trillian. The advisory states that the chat control is not installed by default with any other software so you are probably safe. Of course a better course of action for Trillian users would be to verify that the control is not installed and uninstall it if it is installed.

      This leads to a couple questions I do not personally know the answer to:
      Is there a way to uninstall ActiveX controls?!?
      Can I get a list of the ActiveX controls installed on my machine??!?

    3. Re:WTF???? by Transient0 · · Score: 5, Funny


      ---QUOTE---
      "The attack doesn't happen through the chat client, so as long as you
      have MSN Messenger installed, if I send you a special URL, I can own
      you," said Marc Maiffret, Eeye's "chief hacking officer."
      ---ENDQUOTE---

      This kind of paraphrasing is a disgrace to journalistic integrity. I present to Slashdot an exclusive direct transcription of this statement, before the WashPost mangled it.

      "M4RX M4IFFR3T d03Z n0t R007 j00 7hru 14M3 cl3n7 h4x. M4RX M4IFFR3T iz 31337-h4x0r. H3 wiLL *0WNZ* j00 W/ 1337 j00-R-3ll iF j00 hav m3$$3ng3r 0N j0r 14m3 b0x0r 47 4LL!!!!!!!!!11111111," said M4RX M4IFFR3T, Eeye's K1N6Z0r of 31337.

    4. Re:WTF???? by Software · · Score: 4, Informative
      Is there a way to uninstall ActiveX controls?!? Can I get a list of the ActiveX controls installed on my machine??!?
      I believe that c:\winnt\Downloaded Program Files is a fairly comprehensive list of the ActiveX controls downloaded to your machine. You can delete them from the same folder. However, ActiveX controls can also be installed by Setup programs, etc. You have to run the uninstall program and hope for the best, or do some Registry fiddling.
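
The inventory asked about in this sub-thread, as an added example that is not part of the original comments: a read-only PowerShell script that lists the ActiveX controls Internet Explorer downloaded and whether each has the kill bit set. The registry locations it reads (`Code Store Database\Distribution Units`, `ActiveX Compatibility`, and the `0x400` bit of `Compatibility Flags`) are standard Windows locations that do not appear on this page; controls registered by setup programs are not recorded under `Distribution Units` and will not be listed.

```powershell
# Added example (not from the thread): read-only inventory of ActiveX controls
# that Internet Explorer downloaded, with the kill-bit status of each.
$KillBit = 0x400   # "Compatibility Flags" bit that blocks instantiation in IE

# Native registry view, plus the 32-bit view present on 64-bit Windows.
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

function Get-RegValue([string]$Key, [string]$Name = '') {
    # Returns the named value ('' = the key's default value),
    # or nothing when the key does not exist.
    if (Test-Path -LiteralPath $Key) {
        (Get-Item -LiteralPath $Key).GetValue($Name)
    }
}

function Get-DownloadedActiveX {
    foreach ($root in $roots) {
        $units = "$root\Microsoft\Code Store Database\Distribution Units"
        if (-not (Test-Path -LiteralPath $units)) { continue }

        foreach ($unit in Get-ChildItem -LiteralPath $units) {
            $id    = $unit.PSChildName   # usually a {CLSID}, occasionally a plain name
            $cls   = "$root\Classes\CLSID\$id"
            $compat = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$id"
            $flags = Get-RegValue $compat 'Compatibility Flags'

            [pscustomobject]@{
                RegistryView = $root
                Id           = $id
                Name         = Get-RegValue $cls                     # friendly name
                Binary       = Get-RegValue "$cls\InprocServer32"    # the .ocx/.dll on disk
                KillBitSet   = [bool]($flags -band $KillBit)
            }
        }
    }
}

Get-DownloadedActiveX | Sort-Object Name | Format-Table -AutoSize
```

A control that shows `KillBitSet = False` and a `Binary` path that still exists can still be instantiated from a web page, which is the situation the parent comments describe for machines that installed the chat control at some point in the past.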
  2. MS Security Paradigm by theFlux · · Score: 5, Interesting

    Yes, it's true that the security through obscurity claims of MS seem like blowing smoke, but obscurity is an accepted security paradigm. Any CS course in security oughta mention it, and you can read about it in "Security in Computing" by Pfleeger. It's always been my stance, however, that MS is taking the obscurity stance to propagate their business model and NOT to better security.

    1. Re:MS Security Paradigm by mjh · · Score: 4, Insightful
      Yes, obscurity is an accepted security paradigm. However, when people talk about "security through obscurity" they're typically talking about obscurity as the only security model. And that is a very risky model.

      Of course, since Microsoft's APIs are still hidden, we don't know whether or not they're using obscurity as their only model. However, from the alarming number of remote root exploits available, it seems evident that Microsoft's claims for obscurity of their APIs as a security measure is the only measure that they're taking. Which leaves one of two possibilities:

      1. They are intentionally depending entirely on obscurity as a security practice.
      2. They are conveniently coming up with security as the reason for further obscurity of their APIs. IOW, the real reason for obscurity is to propagate their biz model (as you say) and not for security purposes.

      I tend to believe the latter. But giving them the benefit of the doubt, we can only argue against the former. Which is that trusting your business to Microsoft's security practices is a very risky proposition.

      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  3. They are right though by anthony_dipierro · · Score: 5, Insightful

    Salon has an amusing little wire article claiming that Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks.

    It would. It's not a good excuse, but it is true. In the short term, Microsoft cracks would increase.

    1. Re:They are right though by JordoCrouse · · Score: 5, Insightful

      It would. It's not a good excuse, but it is true. In the short term, Microsoft cracks would increase.

      Mod this one up insightful.

      For the first, say 5 months, it would be anarchy - People would be fixing bugs 24 hours a day all around the world, just to stay a few steps ahead of the crackers. Then as soon as the largest holes are patched, there will be peace in our time. Machines would be fairly secure, and we could go back to actually using our bandwidth and machines for important things instead of 3 MB of klez and sircam worms daily.

      Instead Microsoft would rather keep the bugs obscured, so they will escape slowly over a number of years. And don't get me wrong, they will escape, there is no amount of obscurity that can mask the continuous onslaught of people poring over every inch of the code looking for holes.

      Which method would you prefer?

      --
      Do you have Linux and a DotPal? Click here now!
  4. Problem Is... by 4of12 · · Score: 5, Interesting

    ...that they are partially correct and justified in hiding certain secret keys as ways of preventing unauthorized use of products.

    But that's an oversimplification that I'm afraid the lawyers and the court won't be able to clearly pick apart. Even the Microsoft VP testimony about the issue was sprinkled with constant reminders that this was "a confusing" technology. It is confusing. But it's essential for everyone to understand what its purpose is and how it can be misused, too.

    The part that rubs the wrong way, of course, is that the exact same arguments could be used to prevent a competitive implementation of an interface that Microsoft wants to own for themselves.

    --
    "Provided by the management for your protection."
  5. *thbppt* by TVmisGuided · · Score: 5, Funny

    *pauses to wipe coffee off monitor*

    Three arguments against Microsoft's position:
    Nimda.
    Code Red.
    The fact that a virus framework for .Net was released to the wild before the "official" .Net specification.
    No, I don't believe them, not for a second. I'd sooner trust an armada of politicians and their attendant [strike]lackeys[/strike] lawyers.

    'Nuff said.

    --
    All the world's an analog stage, and digital circuits play only bit parts.
  6. Security from non-obscurity by Reality+Master+101 · · Score: 4, Funny

    Microsoft is clearly ignoring history here. They should learn from the example of one of the oldest open-source programs out there. Clearly if there are lessons to be learned, we should learn from this piece of brilliantly designed software.

    Of course, I am speaking of Sendmail.

    Oops...

    --
    Sometimes it's best to just let stupid people be stupid.
  7. Re:yet another ROOT hole in MS Code? by ryepup · · Score: 4, Insightful

    Yeah they have the concept of root, it is just implemented for every user.

  8. MS can't have it both ways by FearUncertaintyDoubt · · Score: 5, Interesting
    Hasn't MS claimed for years that it doesn't have secret APIs that only MS developers get access to? Haven't they always claimed that there is a level playing field for developers to create, oh, say, office suites for Windows? Now they say they can't turn over their secret APIs which they denied existed for security reasons?

    Bill Gates can't be a borg. Nothing that is part machine could tolerate such inconsistency. Only humans can say that 1=0 and believe it.

  9. Read the article by Mordaximus · · Score: 4, Informative
    IF you spent the time to read the article, instead of looking for sentences that outrage you, you might realise that the vulnerability affects the MSN Chat OCX.

    In an advisory today, Eeye warned that the flaw in the "MSN Chat OCX control" enables an attacker to "supply and execute code on any machine on which MSN Messenger with the ActiveX is installed."

    In other words, if those components are installed, even if you don't use them, you are at risk. You're right, it has nothing to do with Trillian.

    The author is right, completely right. Try reading next time.

  10. Do they read their own APIs? by Darth · · Score: 5, Insightful

    If these security vulnerabilities are so easy and obvious from reading the APIs, then why can't Microsoft's programmers find and close the security holes before someone finds them? Don't they read and adhere to their own APIs?

    If releasing the APIs means someone is going to easily figure out a way to damage the system, that just demonstrates that Microsoft isn't even trying to secure their products.

    --
    Darth --
    Nil Mortifi, Sine Lucre
  11. Re:not so crazy? by Anarchofascist · · Score: 4, Funny

    "....frequent security flaws in Linux and Apache. To continue the analogy, there are so many holes, it looks like a golf course."

    I'd rather have a golf course (18 holes per 40 hectares) than swiss cheese (18 holes per pound).

    --
    Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
  12. Security Focus - Microsoft Anti-Disclosure Plan by Seth+Finkelstein · · Score: 5, Informative
    For some more technical coverage of Microsoft's views, take a look at

    Microsoft Reveals Anti-Disclosure Plan

    (emphasis in original)

    Five computer security firms join Microsoft to set an official standard for limiting disclosure of software security holes

    By Kevin Poulsen, Nov 9 2001 3:04AM

    MOUNTAIN VIEW, Calif.--Microsoft and five major computer security companies rounded up the three-day Trusted Computing Forum on Thursday by formally announcing a coalition against full disclosure of computer vulnerability information, ending a week of intense speculation, and immediately sparking controversy.

    ...

    A chief objective of the group is to discourage 'full disclosure,' the common practice of revealing complete details about security holes, even if publication might aid attackers in exploiting them.
    'If it becomes hard to release vulnerabilities, that's a good way for Microsoft to get rid of some embarrassment.'
    -- Marc Maiffret, eEye Digital Security

    Sig: What Happened To The Censorware Project (censorware.org)

  13. Re:not so crazy? by thelexx · · Score: 5, Informative

    "For one thing, it doesn't explain the frequent security flaws in Linux and Apache. To continue the analogy, there are so many holes, it looks like a golf course."

    From the SecurityFocus vulnerability db:

    IIS since 5.0 - 56 entries
    Apache since 1.3.17 - 7 entries

    Your argument is flawed at best, outright FUD at worst.

    LEXX

    --
    "Gold still represents the ultimate form of payment in the world." - Alan Greenspan, 1999
  14. Re:Why? by ink · · Score: 4, Insightful

    I firmly believe that software should be held accountable to liability laws and consumer rights laws.

    That would kill all free software. People could personally sue Linus for bugs in the Linux kernel that caused them problems: "I'm seeking $10,000 in damages because your stupid bottom handler for my POS Promise IDE controller caused me to lose all my data!". The listings on freshmeat would be a pool of future clients for lawyers, and not software projects. Amateurs wouldn't release code for any use whatsoever.

    In short: that's a really, really, really, really bad idea.

    --
    The wheel is turning, but the hamster is dead.
  15. Re:Amok .. amok .. amok ... by HiredMan · · Score: 5, Insightful

    "I guess it's a matter of how hard you make it," Allchin replied. "We have to work on our reputation for security in the marketplace." from Jim Allchin, who oversees the Windows operating system.

    This perfectly demonstrates the M$ sekurity mindset - they approach security problems as a PR problem NOT an actual usage or safety issue. What he SHOULD be saying is, "As the dominant OS in the consumer space we need to work to make our OS the most secure for our users because they are the biggest target and the least aware of the threat." Instead he's blathering about their "reputation" instead of actual security.

    Bottom line is that M$ doesn't care about security - they only care about their reputation for security. Hence to them obscurity IS security and it becomes policy and is encouraged.

    =tkk

  16. Every crash is probably another exploitable hole by tz · · Score: 5, Informative

    And Microsoft still crashes a lot.

    You are running some program and do something interesting, like accidentally pasting a text document onto a URL and something crashes. Ah. Try it again. OK, if it is over 4800 or so bytes it crashes, bring up the debugger. Ah, at 4894 is the stack where the IP...

    Here is the specific difference between closed and open models.

    If I find it on Microsoft, about the only thing I can do is write a sploit for the skript kiddiez. Of course I can contact Microsoft, but they won't respond for the shorter of 4 months, or when the skript kiddiez get going. Even then it usually takes two weeks for a hotfix that breaks half the software on the server, and then another two weeks for a fix for the fix that I can apply. [Don't worry, I haven't run anything from Microsoft for several months and hope to stay Microsoft Free as much as possible].

    If I find it on GNU/BSD/Linux, I pull up the source, add a test or whatever I deem appropriate and send a patch with a description of the problem and fix to the maintainer along with a little chiding about how embarrassing it should be to have such a hole. And the minor version is incremented the next day, so everyone doing apt-get regularly won't be affected, and in a few days every distribution will have it added to the security update section.

    Even if I had the source to Micros... I probably wouldn't have enough to recompile or fix things. I could find the line of code causing the problem, but anyone who can write a sploit can read disassembly.

    Microsoft's integration makes the problem worse since any problem with what should be middleware runs in the OS. A Netscape flaw on Linux wouldn't get you root (at least not directly - you would have to find a suid flawed program). But any problem with Outlook and/or IE gives you more than enough to cause problems.

    Again, and to summarize, any software defect has a good potential to be exploited, without the source, so simply running something until it crashes (at least on MS) is a much more productive way to mine for exploitable security holes than reading through the source. The integration within MS software (the browser is part of the OS) makes the OS vulnerable because it includes the middleware, making it much larger and more complex (a flaw in IE thus *IS* a flaw in the OS), and as such cannot be sand-boxed easily.