MS Exec: 'Our products just aren't engineered for security'
Various Microsoft news tidbits contributed by numerous readers: Phoebus0 notes that Microsoft's Vice-President in charge of Windows development states flat out that Microsoft products aren't engineered for security, absolutely guaranteeing he'll have tomorrow's Ditherati quote. Many readers submitted this Knowledge Base article stating that Microsoft is mystified by a wave of successful hacks on assorted versions of Windows (there's also a news report on this). Microsoft has another security bulletin out on the digital certificate spoofing bug that has caused them so many problems recently.
The link above just goes to the front of a tech section; here's a direct link to the story:
http://www.cw360.com/bin/bladerunner?REQUNIQ=1031325075&REQSESS=HM5797&REQHOST=site1&REQAUTH=2313828&2131REQEVENT=&CARTI=115571&CCAT=1&CCHAN=13&CFLAV=1
You are completely clueless. Microsoft has lots of things that are completely specific to Windows (like _ltot) that have leading underscores. That is how Microsoft (sometimes) tells you things aren't part of ANSI C. You are right, snprintf isn't part of the standard. Blame ANSI, not Microsoft.
And I doubt they use "%13s" or directives like this in sprintf(), or if their version even supports these constructs.
That works just fine.
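The exchange above is about whether code that relies on a bounded formatter and width/precision directives ports between MSVC's underscore-prefixed _snprintf and a C99 snprintf. The following is an added example, not code from the thread, showing the check a practitioner would want: it assumes that an older MSVC CRT only offers _snprintf and that this variant returns a negative value and does not NUL-terminate when the output is truncated, so the caller terminates the buffer itself. The "%.13s" precision directive caps the user-supplied string at 13 characters independently of the buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Assumption for this example: an older MSVC build exposes only the
 * underscore-prefixed _snprintf, which returns a negative value and does
 * not NUL-terminate the buffer when the output is truncated. A C99
 * snprintf always terminates and returns the length that was needed. */
#ifdef _MSC_VER
#define BOUNDED_SNPRINTF _snprintf
#else
#define BOUNDED_SNPRINTF snprintf
#endif

/* Formats "user=<name> code=<n>" into buf (capacity cap). The precision
 * directive "%.13s" limits the name to 13 characters regardless of cap.
 * Returns 1 if the output did not fit in buf, 0 otherwise. The buffer is
 * NUL-terminated on every libc because we terminate it by hand. */
int format_bounded(char *buf, size_t cap, const char *user, int code) {
    if (cap == 0) return 1;
    int n = BOUNDED_SNPRINTF(buf, cap, "user=%.13s code=%d", user, code);
    buf[cap - 1] = '\0';                 /* required for old _snprintf */
    return (n < 0 || (size_t)n >= cap) ? 1 : 0;
}

/* Helper: formats into a local buffer of the given capacity (at most 64)
 * and reports whether the resulting string equals expect. */
int bounded_matches(size_t cap, const char *user, int code, const char *expect) {
    char buf[64];
    if (cap > sizeof buf) return 0;
    format_bounded(buf, cap, user, code);
    return strcmp(buf, expect) == 0;
}

/* Helper: reports only the truncation flag for the given capacity. */
int bounded_truncated(size_t cap, const char *user, int code) {
    char buf[64];
    if (cap > sizeof buf) return 1;
    return format_bounded(buf, cap, user, code);
}

int main(void) {
    char buf[16];
    int t = format_bounded(buf, sizeof buf, "alice", 7);
    printf("%s (truncated=%d)\n", buf, t);
    t = format_bounded(buf, sizeof buf, "abcdefghijklmnopqrstuvwxyz", 7);
    printf("%s (truncated=%d)\n", buf, t);
    return 0;
}
```

The explicit `buf[cap - 1] = '\0'` is the line that matters on the MSVC side: without it, a truncated _snprintf result is an unterminated byte string, and the next strlen or strcpy over it reads past the buffer.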
Microsoft: "Our products aren't engineered for security"
Friday 6 September 2002
Brian Valentine, senior vice-president in charge of Microsoft's Windows development, has made a grim admission to the Microsoft Windows Server .net developer conference in Seattle, USA.
"I'm not proud," he told delegates yesterday (5 September). "We really haven't done everything we could to protect our customers. Our products just aren't engineered for security," admitted Valentine, who since 1998 has headed Microsoft's Windows division.
In August the company put out eight security bulletins. This month it has released two, so far, with the latest urging users to patch a flaw in its digital certificate technology that could allow attackers to steal a user's credit card details.
Microsoft's regular stream of security bulletins has continued despite Bill Gates' company-wide Trustworthy Computing Initiative, announced earlier this year.
The Initiative was launched with a memo from Bill Gates, Microsoft's chairman and chief software architect, and saw the company halt production on new code in all of its products while employees scanned every line of existing code in search of vulnerabilities.
"We realised that we couldn't continue with the way we were building software and expect to deliver secure products," Valentine said.
But the company is dealing with a problem that is not easily resolved. Valentine told developers at the conference that as the company works to shore up its products the security dilemma will evolve as hackers become more sophisticated.
"It's impossible to solve the problem completely," Valentine said. "As we solve these problems there are hackers who are going to come up with new ones. There's no end to this."
Microsoft has also been employing new tools developed by Microsoft Research that are designed to detect errors in code during the development process, Valentine said.
According to Chandra Mugunda, a software consultant with Dell who attended Valentine's presentation, buggy software is "an industry-wide problem, not just a Microsoft problem. But they're the leaders, and they should take the lead to solve them," he said.
I worked there at one point and can say that this is definitely not the case. Microsoft products are just as well architected as any other product on the market - but for goodness' sake, they are bigger than most applications on the market. Hell, the Word codebase is larger than some application servers! The larger and more complex an application gets - the more interactions you have - the more bugs you're going to have. Any non-trivial piece of software is going to have bugs.
:)
That much should be obvious - even to the legendary trolls of slashdot
95 isn't supported ( ok, I can understand that )
98 isn't supported ( getting a little too close for my comfort )
ME isn't supported ( didn't that just come out 2 years ago? )
2K isn't supported ( What about people running servers? )
Just another tactic to force people to upgrade
As someone who is actually subscribed to receive these bulletins from MSFT, I note that they sent a second revision out today. I quote:
"And like that
Consider the above statement. Then go back to 1994 and set up three corporate LANs: one with Microsoft Lan Manager 2.x, one with Novell 3.11, and one with Vines. Use them intensively in a large, multi-site corporate environment for 6 months. Then tell me again that Microsoft's products are "just as well architected" as others on the market???
The point being that the LAN problem (to take one example) had already been solved by 199x. Microsoft ignored everything that had already been done and created its own "standard", which was decidedly inferior to the competition.
sPh
You mean fixed the same day it was announced by Microsoft. This bug has been discussed on Bugtraq for a month now.
You have drives that contain \Winnt? That's a problem too: install to a different directory.
How many people create a restricted user for IIS, rather than running it as LocalService?
I suspect the problem lies more with the components installed on the system than with Windows & IIS themselves. For example, our Linux server was being exploited for spam recently. They shut down sendmail as a daemon, but the spam still flowed. It turns out that somebody had installed an old and buggy version of Formmail. Grrr.
Probably one of the best resources for tightening ANY Windows machine is the NSA's own guide (nsa2.www.conxion.com).
We have used this for our migrations and it proved indispensable.
Isn't that the point though. Unix learned that it needed to be secure. And it changed and adapted to suit itself to the multi-user environment (where a lot of the users were college kids, just exploring what they could do with a computer).
Linux came along after Unix had learned to be secure, and was designed from the ground up with that model in mind.
OTOH, DOS was a single user operating system, and didn't need to be secure. When viruses started showing up, they were fixed in DOS not by improving intrinsic security, but by adding on a virus-proofing package. Windows descended from that. (And there doesn't seem to have been a fresh rewrite at any point, MS PR to the contrary.)
So Linux was designed from the start with security as a consideration. Not always a major consideration, but at least a present one. It's been through many cycles of change and improvement, and at each step along the way, security has been considered.
Windows, OTOH, has always addressed security via add-on programs. (Well, NT made some attempt at security, e.g., it created users that it could be difficult to get into. And admin privileges. I admit I don't know what they were...)
Still, in Linux security was built in from the beginning, and user interfaces were an add-on. In Windows, user interfaces were built in from the beginning, and security was an add-on. In both cases the add-ons have gotten a lot better than they were.
I feel that the Linux windowing environment is now on a par with Windows, or perhaps better, but that it still falls short of the Mac. I feel, based solely on news reports, that the Windows security, while improved, is still lacking.
And to me, this is largely irrelevant. The MS licenses are so bad, that I wouldn't recommend them even if I thought that they were the best contender in all other aspects. I intend to file for retirement the day my company installs a system with Windows XP, as I don't want to be associated with any company that is either that suicidal or that unethical. (They've got to be either one or the other. Agreeing to a contract without understanding it is suicidal. Agreeing to that contract [I've only seen pieces, but that's enough] is suicidal even if you *do* understand it. The alternative is that they understand it, and intend to ignore it. [I'm not sure this is possible, but they might think that it is.] And that's too unethical for me.)
I think we've pushed this "anyone can grow up to be president" thing too far.
- precedes single-character flags
e.g.: foo -v
-- precedes multi-character flags
e.g.: foo --version
Not all programs (especially X11 stuff) follow this rule, but GNU stuff generally does.
Well.. except some folks have plugged into tux's family friendly lemon tree/sugar cane farm and made some real nice devices for extracting sugar from the cane, a pump for the spring water, and juice from the lemon; in fact in most cases you can get the sugar and the lemon juice in concentrate.. you just add water to the proper amount and stir..... it's just a matter of mixing it up in the glass in the proper amounts... and of course... you have to bring your own glass :)...
Sure, back in the day it was a pretty raw process to go with the tux brand..... but it's gotten pretty simple these days... sure, when mixed by the novice, it's not as easy to drink as Bill's...
Personally.. I started drinking tux simply because I wanted to learn more about making lemonade...
ASP apps running on it that marketing had contracted out without IT knowledge
That's not a valid reason to stick with IIS.
Ha, Windows is not so amazing. Windows, when not infected with M$Office, can be made perfectly stable and well-behaved, even if achieving that does sometimes involve a dead chicken.
But that WORD runs *is* amazing, what with the core bug (writes to a null pointer) that traces back to the DOS4 era and the SHARE fix to prevent DOS4 from leaving files open on disk. Nearly every weird or destructive behaviour in Word or Excel is some manifestation of this bug, from corrupting the document if worked on from a floppy, to refusing to save in native format (insisting your disk is full), to nuking the FAT on that partition. (Yes, the bug *can* do that.) How it manifests is probably dependent on Windows VSHARE, which is borked to varying degrees in all versions of Windows.
So akin to what you wrote, I'd say their biggest problem is that they never ever clean up a codebase, but rather pile fix upon kludge forever.
~REZ~ #43301. Who'd fake being me anyway?
It can via the RENDER extension, with proper hardware acceleration. This was just implemented in 4.x though, I believe.
www.xfree86.org/~keithp/render/protocol.html
Here's some info...
http://www.xfree86.org/~keithp/render/
You don't want to be using it in remote display mode though. It slows it down quite significantly.
Once again, this requires an *accelerator*! This hardware must also support the RENDER extension. All modern cards do this, and it works perfectly in X.
Unfortunately, don't neglect the fact that just up the street are dozens of vendors selling other attractive goodies (let's call them cookies and cake, I guess) that many people depend on, but that don't work unless you have a glass of Bill's lemonade in hand.
In the antitrust case, this was called the "application barrier to entry" and was one of the main reasons that MS was declared a monopolist.
Naaa...he means this FUD for Thought:
Bug Triad Whacks Microsoft Browser
Researchers discover that three "low risk" bugs can combine to send a Windows system up in flames.
By Brian McWilliams, Sep 4 2002 9:25AM
To prove that no security bug is truly harmless, a security group has stitched together two minor flaws in Microsoft's Internet Explorer 6.0 browser with a small glitch in Windows Media Player to create one seriously powerful attack.
By coaxing IE users to view a Web page containing the special code, an attacker can silently force Windows 98, Windows 2000, or Windows XP users to run a malicious program of the attacker's choice.
The security group, Malware.com, has created a harmless demonstration of the flaw which downloads and runs an executable program that fills the victim's computer screen with flames.
A Malware.com member who uses the nickname "Http-equiv" says he named the vulnerability "Stench" to dramatize why it's dangerous for Microsoft to downplay and delay patching security bugs that it considers minor.
"They're patching tiny pinprick holes and not the overall problems, their mitigating factors, their ignoring small demonstrated flaws, all add up into a monster problem, which basically stinks," said Http-equiv in an e-mail interview Tuesday.
Internet Explorer currently contains at least 18 security bugs, many of them low-risk annoyances. Because it allows an attacker to run code on a victim's machine, Stench is the most serious security issue currently facing IE, according to Thor Larholm, a researcher with Pivx Solutions who tracks IE vulnerabilities.
Larholm said the information provided in the Malware.com advisory could easily be used to create a harmful exploit.
"Follow the steps and you're done. I could let my 12-year-old cousin do this," said Larholm, who added that because all three bugs have been known to Microsoft for many months, Malware.com's release of the information was "by the book" and does not constitute what Microsoft calls "irresponsible disclosure."
A Microsoft representative said the company was currently studying the report and would take appropriate action.
Company Patchwork Faulted
According to Http-equiv, the exploit depends in part on a known quirk in how Microsoft's media player handles self-extracting Windows Media Download (WMD) files.
"If we can place our 'goodies' inside the
Using a year-old IE bug known as the "codebase local path" vulnerability -- a bug that was only partially fixed by Microsoft last March -- the Stench exploit is able to unpack and execute the malicious code without triggering IE's security settings, he said.
According to Larholm, a major update to Internet Explorer known as IE6 Service Pack One could include fixes for numerous bugs, including those exploited by Stench. Microsoft quietly released SP1 to its download servers in late August but removed the upgrade shortly afterwards without explanation.
On August 22, Microsoft issued a cumulative patch for IE that addressed several severe bugs but did not include complete fixes for the codebase local path and numerous other vulnerabilities, Larholm said.
Malware.com's Stench advisory, posted to security mailing lists on August 21, concluded with the following statement: "Instead of sitting around trying to think up ways that all these things cannot work, simply fix it the first time round. There is no such thing as 'mitigating factors' and 'hurdles'. This is a lie. Pure fantasy. Fiction. Fix it when you can! For every way you think it cannot be done, there are 10 ways it actually can!"
...I just generated a message to people and potential clients regarding these issues.
The gist of it is that there are security problems that cannot ever be fixed by Microsoft with their products. If they wish to stay with Microsoft, they have to remain vulnerable until such time as they release their new products which address the concern and, in most cases, pay a lot of money to get them.
Meanwhile, free solutions exist to replace the problem products and while they aren't trouble-free themselves, they do tend to get fixed much more quickly and there is no additional cost for those fixes in most cases.
When addressing security concerns of today, NOW is the time -- not waiting for the next generation OS and then waiting for it to be stabilized.
One of my targets for the message was "Resident Data" (http://www.residentdata.com) which is a company that functions by serving up the results of background checks to its subscribers. (It shares sensitive and private information about individuals for money to clients.) They are PROUDLY a "...Microsoft Only..." shop.
Frankly, that attitude scares the $#!+ out of me. It's all well and good to favor one product over another due to familiarity and comfort, etc. But it's utterly irresponsible to attempt to call "secure" their data when it's housed in a "...Microsoft Only..." environment.
If the company I cite as an example is any indication of what is actually going on out there in practice, I'm genuinely frightened at how our public and private records are being managed.
To me this is a major privacy concern and there should be an initiative that demands that SECURE STORAGE and SECURE METHODS be deployed to secure the information. If there are significant threats discovered, it should be their legal responsibility and requirement to either secure the data properly or shut down the operation until such a time that it can be certified as secure. This is not "Anti-Microsoft" sentiment speaking -- this is Privacy/Security sentiment.
The problem is much larger than just the products -- it's how and where they are used.
So they say, "Our products aren't secure... but our NEW stuff will be! For real! Honest!" And then Palladium comes out. And wonder of wonders, it won't be secure. And they'll say, "Oh, well, yeah, this isn't perfectly secure, but our *NEXT* generation will be! For real! Honest!" And then the next generation will come out, and it will have holes, too.
I'm fairly well convinced at this point that Microsoft's history of poor security technologies and practices is, if not entirely deliberate, at least unconsciously encouraged. An evolutionary defense, perhaps. If products are touted as secure, but aren't really secure, and if the next generation is claimed to be the fix to all the current problems... then the average person/company will probably eat it up. Why?
Because eternal vigilance is the price of freedom, and most people don't want to believe that. There is no magic bullet for safety or security. The only way to have anything resembling good security, is to keep working at it. The more you work at it, the better it will be. There's a point of diminishing returns, of course, and if you spend all your time on safety, you'll never get to spend any of your time doing the things that you're protecting... but if you spend no time on security, you have no right to complain when it fails. This goes for computer software, physical security, national security, whatever.
But a lot of people don't understand that. They hear about "new, *really* secure" things, and they think, "Well, once we have that, then we'll be secure, and won't need to think about security any more!" But it doesn't work that way. It never has, and it seems unlikely that it ever will. People need to be made to understand, whether they like it or not, that the only way you can have security, is if you keep working at it. And a lot of people don't want to have to think about failures of security, and what they have to do to prevent them.
The worst part is, no matter what you do, there's always ways around it. Before a year ago, how many people would have thought it absurd that terrorists could simultaneously hijack four airplanes and use them to entirely demolish the World Trade Center towers and severely scar the Pentagon? Surely our security was better than that?
This is not a call to action for our country, or Linux advocacy, or whatever. I'm just trying to analyze why it is that Microsoft can keep getting away with this. I think the main reason is that when Microsoft says things, people believe them, even when what Microsoft says is the same known lies they've been saying for years. Why do they believe? Because human denial is an immensely powerful force. And Microsoft knows it.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
In my article I said the implications of embedding a macro language in data files guaranteed insecurity. Slowfight suggested I was being a credulous conspiracy nut. So I went searching for proof. Here is something virus expert Rob Slade wrote in 1995.
Thank you for taking the time to write to us.

The article also mentions that "While Microsoft has confirmed that the flaw does exist, it's important to note that actually exploiting it would be difficult, for several reasons... etc."

The security of your personal and financial information is of the utmost importance to us. Your access to Internet banking is secured through the use of firewalls, cryptographic techniques and stringent internal access procedures. In addition, we have regular and independent audits on our computer banking systems to ensure that security meets or exceeds banking standards.

As you may already know, we use secure 128-bit encryption - one of the highest forms of encryption technology available today. Encryption scrambles all information between your personal computer and our computers and guarantees one of the highest levels of security, privacy and confidentiality. There are literally thousands of millions of possible "passwords", or combinations of 128 bits. In order to unscramble the information, someone would need to find a digital "key", or a very large password. This requires months, or even years of calculations using sophisticated computers. It took the Swedes the equivalent of 70 years of computer time to decipher 10 increasingly difficult codes set by author Simon Singh in his international bestseller ``The Code Book.'' Since the key changes with every connection (*session* encryption), the calculations would have to be performed all over again when unscrambling additional information.

As you know, the Internet banking service does not provide access to cash withdrawals. In the case of an account discrepancy, however, we would trace the details of the transaction using our complete audit trails. If your Internet Banking password does not work and requires a password reset in order to access the secure site, we must follow a stringent verification process to validate your identity. Once the password is reset, you are required to follow the registration process before gaining entry.

We welcome comments and suggestions about the content of future upgrades to our on-line services. Your remarks have been noted for review with the PC and Internet Banking team.
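For scale, here is an added worked figure (not part of the letter or the thread) on how a 128-bit keyspace stands up to exhaustive key search. The trial rate of $10^{12}$ keys per second is an assumed illustrative number, not a figure from the page.

The number of distinct 128-bit keys is
$$2^{128} \approx 3.40 \times 10^{38}.$$
An exhaustive search that tries keys in any fixed order is expected to succeed after covering half the keyspace:
$$2^{127} \approx 1.70 \times 10^{38} \text{ trials}.$$
At an assumed $10^{12}$ trials per second, with $3.156 \times 10^{7}$ seconds in a year:
$$\frac{2^{127}}{10^{12}\ \text{s}^{-1}} \approx 1.70 \times 10^{26}\ \text{s} \approx \frac{1.70 \times 10^{26}}{3.156 \times 10^{7}}\ \text{years} \approx 5.4 \times 10^{18}\ \text{years}.$$

The per-session key the letter describes changes the target of such a search but not its size; each session key is drawn from the same $2^{128}$ possibilities, so recovering one session's key gives no shortcut to the next one.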