Microsoft Blasted For Lax Security

fducky writes "Once again Microsoft is blasted for lax security. This CNN article cites experts denouncing the recent Microsoft security efforts as rating an 'F'. The recent MS-SQL worm got this most recent round of MS bashing going. Google News has more stories on the subject."

'F' even with a patch...

While it is stupid of MS not to update their own servers, you can't blame them for the SQL worm. They issued a patch months ago...it's no one's fault but the server admins.

Re:'F' even with a patch...

[Znonymous+Coward]

How can you keep up with so many updates most of wich require a reboot.

It's not just microsoft

[amigaluvr]

I hate to break it to you but Microsoft is popular, and hence they will be all the more targets of these worms. Every tiny fault will be implemented, and all operating systems have these.

When another OS is popular, you'll see it happen to it too. I believe nobody is immune, only the popularity decides what is a vector for transmission

Not necessarily bad coding or seciryty. Many other operating systems could be almost said to be 'hiding' in their obscurity

Security by obscurity is no defence.

Look at a recent article on Macintosh virus attacks. They used to be none-existent. Now with OSX they are up to half as common as Microsoft.

And apple still only has a minor market share. That bares thinking about

Re:It's not just microsoft

[JanneM]

This is certainly a relevant point.

Look at webservers, however. Apache is twice as popular as IIS, and yet there are several times more security issues with IIS than with Apache. That can not be explained by relative obscurity.

Re:It's not just microsoft

[Daniel+Dvorkin]

The "popularity defense" has some validity when you're talking about "general-purpose" viruses, particularly those that spread by e-mail, because Windows/Outlook really is far and away the most common OS and e-mail setup. But when you're talking about this kind of thing, it's bullshit. MS SQL Server is not the most popular DBMS, and MS IIS is not the most popular Web server -- and yet both are hit far, far more often than the market leaders (Apache in the second case, not sure about the first -- I think Oracle and DB2 trade off for the top spot.) And really, the number of regular Windows/Outlook viruses is out of proportion even to their popularity: their market share is about 95%, but their share of the virus market is more like 99.99%. (And if you have statistics to the contrary, you'll have to better than "Look at a recent article ...", sorry. That's about as credible as spam that starts out, "This program was featured on a major news show!")

Re:It's not just microsoft

[banzai51]

I disagree. There are plenty of security issues with Apache. The only difference is that people attack IIS far more often. If the Apache group had half the ill will of Microsoft, how many worms would devistate Open Source software?

Re:People are waking up...

[rasafras]

So they forgot to update. The error here, believe it or not, isn't all upon Microsoft. First off, they didn't patch. Microsoft had the patch available since June. It's not like you never have to patch open-souce either... Second, Microsoft explicitly warns users of SQL databases to not put them openly on the internet, for obvious reasons. And yet, they did it anyway. You can blame Microsoft for this if you want, but it isn't car companies' fault that people get killed because they can't drive. Open source has its merits, as does Microsoft.

Re:Perhaps going after those whom cause the issue.

[ryochiji]

>So why not go after those with open computers

Or why not go after the software vendor that wrote and sold vulnerable software? Or go after the software vendor for dumbing down systems so much that incompetent admins are put in charge to maintain them?

Personally, I don't think the whole "blame game" is very effective...but that's just me.

Let's give MS a chance...

[sterno]

Okay, I'll be the first to bash Microsoft and say that their security sucks. I'll be the first to say that their initative to improve security is marketing smoke and mirrors. But let's give them a real chance to prove this to us. The vunerability that caused the Slammer worm is one that they actually found and fixed a long time ago. This is admins not doing a good job of keeping up to date and fixing problem.

Furthermore, the product that was compromised is legacy from before their big embracing of security. Let's see what happens with its next major release. If that still had big gaping problems, then we can hang them from the tallest tree.

Re:Let's give MS a chance...

[EvilTwinSkippy]

So at what point is ragging on them about security going to be appropriate to you then? Last I checked they have an uninterrupted loosing streak going all they way back to winsock for WFW 3.11.

PS, that was 10 year ago.

You don't wake up one morning and decide to be security minded. That's like waking up one morning and deciding to be a ninja. Martial arts are a way of life, and the mindset required comes only after years of study and commitment.

Microsoft's problems are a result of years of neglect and malpractice. You don't get to be that bad overnight. It takes work. Knitting a web browser into an operating system took effort. Knitting an LDAP directory into your domain security model, tied into your DNS and DHCP servers took effort. Creating a sytem by which you can embed executable commands into an office document took work. Making sure that your office document could execute command in your email client took work. Intermingling your email client with the server so that they are passing executable code back and forth took work.

Meditate on this, Grasshopper.

Re:Let's give MS a chance...

[Tom]

They've had a year. Have you seen any noticeable increase in windows security? Neither have I.

Let's see what happens with its next major release.

If the car you're driving is known to spontaneously explode when the wrong song is played on the radio - would you also continue driving it and wait for next years model?

What about the SysAdmins?

[petabyte]

Now while I'm no fan of MS, do we really need to have stories everytime someone accueses Microsoft of having poor security? Might as well dedicate an entire section of Slashdot to their exploits. At least then I could turn it off in my preferences.

And while there are plenty of problems for Microsoft to fix in their code - IE has plenty of unresolved issues - this issue was in large part due to System's Administrators. Let's let is slide that they were "just waiting for the next service pack to come along" so they could update and patch everything. I don't buy that as a good policy for maintaining system - if a patch is out and can be applied, use it. And why leave SQL systems on the internet without some sort of firewall or some sort of protection. If it has to be on the Net, why does it not have every possible security patch applied to it?

I'm sure there are some valid reasons for having your system protected from this bug but in large part Admins dropped the ball.

But thats my $.02

Re:What about the SysAdmins?

[trentfoley]

While I agree that there is rarely a reason to place a database server on the public internet, I take issue with your statement that it was in large part due to System's Administrators.

Patches from Microsoft are not like patches from the OSS community. You don't get to see the code changes and don't know what the Microsoft patch will do and there is no way to know without trying it in a test environment. Ask around and see how many admins have been burned by applying a service pack or hot fix on a production machine even after testing it out in a lab! Microsoft patches are notoriously flawed and impact areas of operation that seemingly have no correlation to the bug being fixed.

So, this particular bug was published six months ago. Is six months long enough to fully test an amorphous piece of software? Maybe if we had the source code, we would know what to test. However, without the source, we have to test everything. Because, you never know what other piece of code Microsoft is going to throw in.

Re:What about the SysAdmins?

[Arethan]

How exactly are you supposed to stay on top of this? Re-test the system for every previous vulnerability after every single patch?

Actually, yes. This is called regression testing, and it's pretty common in the software industry. Not only are security holes quite often the result of a bug, but their behavior is quite similar to a bug. Either it is fixed, or it isn't. The same script kiddie code won't affect a successfully fixed security hole, even if the fix opens up a new hole, the old one is fixed. Because the regression test also checks previous holes, you can be assured that the fix hasn't reopened any of them.

As for the manpower problem, there are regression testing suites available that cut the manpower down to nearly nothing. Your manpower argument could be applied to Linux just as easily. The kernel has too much code and too many contributers, it will never work. But at the end of the day, if Linus runs 'make' and your bug-fix fails, then your code is fucked and gets rolled back, end of story.

On the other hand, I do agree with your last paragraph. MS has dug themselves a pretty deep hole. It will take years of code auditing to really fix the problem. By then, the next version of Windows will be out, and all their efforts wil have been wasted. They are honestly better off just focusing all of their newfound security awareness into their next product lines, and continuing to make the less-then-stellar patches we're used to for their current products. Oh well, guess you can't have your cake and eat it to. *shrug*

Other focus today...

[mseeger]

• Microsoft Blasted For Lax Security: 19 comments
• Science Fiction and Smart Mobs: 28 comments
• A Simple Grid Computing Synchronization Solution: 35 comments
• Science: Space Shuttle Columbia Breaks Up Over Texas: 1161 comments

Even as security issues are top news usually on Slashdot, this shows where our hearts are.

Yours, Martin

Re:will happen on linx as well

[bogie]

Possibly, but considering how Apache soundly outnumbers IIS installs for webserving, where are all the Apache worms? Oh sure there have been some problems with Apache, but compared to "which worm is it this week" IIS, Apache is a solid as a rock. Where does that arguement about installed base stand now? That default answer MS users give about installed base is bunk. Open Source compared to MS software is flat out more secure. I doubt you will ever see the day when Linux email clients like Pine or Evolution start causing billions in damage each year like Outlook does.

Re:People are waking up...

[platypus]

Well, I'm running windows servers and linux (suse) servers. And I certainly see a difference between the feasiblity of being up to date security wise with each system.
First, with a typical windows system, it's IMO damn hard to know what components you are running and how it all works together - i.e. what breaks if you lock something down at installation time.

Later on, it's also sometimes very hard (IMO) to know if I have to patch or not. For instance, is it really a good to not update internet explorer since this is a server anyway? Maybe somewhere down in IIS something might use one of IE's components (pulled-out-of-my-ass example btw.).
Add to that that some patches seem to need an updated IE, for to me unknown reasons...

Sometimes something might break (as reportet on ntbugtraq), and it's not really transparent for me if this can be reverted.

Compare that to (SuSE) linux. Download rpm, install, done (in many cases, when not, it's always explained in the advisories what to do).
If something breaks, uninstall the rpm and reapply the old on. Nearly no downtime, I just have then to find out what didn't work.

Just from the feeling, I'm a lot more scared when I have to install a ms security fix than when I do the same on linux. And the fact that microsoft was caught with their pants down this time seems to suggest I'm in "respectable" society.

Not so fast...

[ryanvm]

I see a lot of people stepping up and complaining that it's not Microsoft's fault as much as it is the sloppy admins. Yes - Microsoft systems that were hit by this worm were poorly managed. However, the problem is that shitty admins are exactly who Microsoft designed this "server" operating system to be managed by.

Who certifies system administrators that can barely format a floppy? Microsoft. Who crafted a Fisher-Price operating system with inadequate "wizards" to help unqualified administrators bungle their way through setting up a server? Microsoft. And who pitches their operating system as having a lower cost TCO because you don't need skilled labor to run them? Microsoft.

So when you want to complain that it's the admins that make these systems insecure, remember these are the admins that Microsoft picked.

Microsoft and Monocropping

[EvilTwinSkippy]

In nature an acre of land can have species of flora ranging from moss to trees. We took down the trees and replaced them with one plant, say wheat. That wasn't good enough. We had to have only the [desirable adjective] wheat, so we only planted one strain of one species of wheat. Now, we are so bent on repeatability that isn't even good enough, so we are planting acres of clones of the same imdividual plant.

Now if that plant had any vulnerabilities to disease, you are hosed. All of the fields of this same plant are going to die in exactly the same manner at exactly the same time.

Meditate on this, Grasshopper.

I don't really want to give them a chance

[PotatoHead]

because they have had enough already.

Anyone with that much money in the bank can damn well afford to produce products that actually are best in class. They are number one right now, but clearly do not deserve to stay there when we know there are better and cheaper ways to do things.

Re:People are waking up...

I don't think that this point scoring does any good. UNIX and Windows both have major security problems.

I remember a security seminar I attented where the lecturer took a neutral stance toward whether Unix or Windows was more secure. His philosophy was "go with what you know". If you live and breathe Windows, you probably keep up to date with the latest Microsoft news, releases and patches just as well as a Sun/Unix geek might stay up to date with Solaris patches and updates. Knowing network security (gosh, let's protect the potentially vulnerable ports on our server from being publically reachable) is essential to both.

So many new administrators are getting Windows or Linux or other products and implementing them without the experience of security lessons learned from the past. It takes a mass event like this one to re-educate the newbies.

As a reminder for everyone designing, "one degree of separation" architecture, remember that Suki is one of your potential customers.

Since when?

[EvilTwinSkippy]

Pop quiz hotshot. You have a perfectly operational database that is processing admissions for your organization. If that puppy is down, tickets aren't sold, and people show up with pitchforks at your door.

Now said system was purchased against your recommendation, is proprietary in nature, and the company that made it was bought out by another company, so you can't even get a straight answer on simple questions anymore. The department responsible for this purchase has never hired the person promised to maintain the system, nor have you been sent out for training on its maintenace.

A week after this system is installed a third party contractor installs a replication system so your ticketing system can be connected to a big web server in another state. You don't really know what ports need to be open, how they are being used, and every time you tweak the littlest thing the entire operation comes to a grinding halt.

And you expect me to apply patches at random. Especially when they require taking the system offline, and each has the risk of incapacitating your operations. Right.

Blame me all you want. But the seeds of ruin were planted further up in the decision making process.

Linux may be next . . .

[Eric+Damron]

Okay, anyone who has read my posts knows that I'm not a Microsoft supporter. I find it hard not to see the humor in Microsoft's own servers getting hit when the vulnerability was not new and patchable especially after they proclaimed that they were now striving to be secure.

However, after laughing myself sick, the seriousness of the situation darkened my mood. Although I believe that Linux is currently a more secure platform, it is not a platform without flaws. Linux could be the next security nightmare if we don't occasionally do a reality check.

Part of Microsoft's strength and ironically part of the reason that Microsoft products tend to be vulnerable to attack is the fact that Microsoft strives to give the customer everything including the kitchen sink.

To do this, products are made with far too much power. VBA is an example of this. Combining data with code is not a good idea. It makes it very convenient for the customer and unfortunately the black hats as well.

Right now Microsoft is pushing their .NET platform. They are hopeful that this will become the development platform of choice across multiple OSes. Parts of the Linux community are scrabbling to enable Linux to benefit from this emerging technology thought the Mono project.

If successful it may become possible to run many applications that will be developed on the Windows OS that are targeted for the .NET platform. If Microsoft introduces a .NET version of their flagship Office package it is likely to incorporate some form of VBA. Running a VBA enable application on Linux will not help the security of the Linux platform.

Firewalls anybody?

[jay_sdk]

What are supposedly serious companies doing without firewalls blocking 1433 and 1434? I run a little home network, of which one machine has SQLServer 2000, but my firewall has been blocking all 1433 and 1434 as "suspicious UDP" data. This is a little less than $150 hardware box. What? Bank of America can't afford a firewall?

Is it Microsoft's fault?

[GuardianKnight]

I don't normally chime in, but I thought that I would for this one. Let me start by saying that I don't like MS...I'm using a mac as we speak (with Safari)...and I'm a Senior UNIX admin at work....anyway...

Can we really blame MS for this? They released a patch in July...MS can't be held accountable for Windows Admins for not updating their software (I'm not saying it's the admins fault either...I know that admin spend 80 - 90% of their time putting out brushfires, and can't find time to do patches). Now, do I think that MS needs to find a better way to notify customers of new patches...b/c I know that I don't have time to sit around and browse and go through what I've installed and what I haven't (are you listening Sun?!?!)

So for example...If I don't stay up to date on all the Solaris/Linux patches does that mean that Solaris/Linux is a security prone OS? Heck, no!

there is a HUGE difference

[b17bmbr]

every two years m$ totally changes their server products. what you knew with nt4 is obsolete with win2k, is useless with .NET/whatever server. you learn to admin unix, your skills improve over time, 'cause your doing the same things you were 5 years ago. with m$ servers, you have to learn all over again, and you are at m$'s mercy to provide patches, etc. so no, don't compare unix to m$. unix had its growing pains sure, but it is a mature product. and linux is becoming one really fast. every freakin ne m$ product is a NEW product. and it experiences the same crap over and over. why does m$ do it? somebody who knows, please do tell.