Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Blasted For Lax Security

Posted by timothy on from the they're-also-the-biggest-target-though dept.

fducky writes "Once again Microsoft is blasted for lax security. This CNN article cites experts denouncing the recent Microsoft security efforts as rating an 'F'. The recent MS-SQL worm got this most recent round of MS bashing going. Google News has more stories on the subject."

8 of 395 comments (clear)

  1. It's not just microsoft by amigaluvr · · Score: 5, Insightful

    I hate to break it to you but Microsoft is popular, and hence they will be all the more targets of these worms. Every tiny fault will be implemented, and all operating systems have these.

    When another OS is popular, you'll see it happen to it too. I believe nobody is immune, only the popularity decides what is a vector for transmission

    Not necessarily bad coding or seciryty. Many other operating systems could be almost said to be 'hiding' in their obscurity

    Security by obscurity is no defence.

    Look at a recent article on Macintosh virus attacks. They used to be none-existent. Now with OSX they are up to half as common as Microsoft.

    And apple still only has a minor market share. That bares thinking about

    1. Re:It's not just microsoft by JanneM · · Score: 5, Insightful

      This is certainly a relevant point.

      Look at webservers, however. Apache is twice as popular as IIS, and yet there are several times more security issues with IIS than with Apache. That can not be explained by relative obscurity.

      --
      Trust the Computer. The Computer is your friend.
    2. Re:It's not just microsoft by Daniel+Dvorkin · · Score: 5, Insightful

      The "popularity defense" has some validity when you're talking about "general-purpose" viruses, particularly those that spread by e-mail, because Windows/Outlook really is far and away the most common OS and e-mail setup. But when you're talking about this kind of thing, it's bullshit. MS SQL Server is not the most popular DBMS, and MS IIS is not the most popular Web server -- and yet both are hit far, far more often than the market leaders (Apache in the second case, not sure about the first -- I think Oracle and DB2 trade off for the top spot.) And really, the number of regular Windows/Outlook viruses is out of proportion even to their popularity: their market share is about 95%, but their share of the virus market is more like 99.99%. (And if you have statistics to the contrary, you'll have to better than "Look at a recent article ...", sorry. That's about as credible as spam that starts out, "This program was featured on a major news show!")

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
  2. Re:People are waking up... by rasafras · · Score: 5, Insightful

    So they forgot to update. The error here, believe it or not, isn't all upon Microsoft. First off, they didn't patch. Microsoft had the patch available since June. It's not like you never have to patch open-souce either... Second, Microsoft explicitly warns users of SQL databases to not put them openly on the internet, for obvious reasons. And yet, they did it anyway. You can blame Microsoft for this if you want, but it isn't car companies' fault that people get killed because they can't drive. Open source has its merits, as does Microsoft.

    --
    webpage
  3. What about the SysAdmins? by petabyte · · Score: 5, Insightful

    Now while I'm no fan of MS, do we really need to have stories everytime someone accueses Microsoft of having poor security? Might as well dedicate an entire section of Slashdot to their exploits. At least then I could turn it off in my preferences.

    And while there are plenty of problems for Microsoft to fix in their code - IE has plenty of unresolved issues - this issue was in large part due to System's Administrators. Let's let is slide that they were "just waiting for the next service pack to come along" so they could update and patch everything. I don't buy that as a good policy for maintaining system - if a patch is out and can be applied, use it. And why leave SQL systems on the internet without some sort of firewall or some sort of protection. If it has to be on the Net, why does it not have every possible security patch applied to it?

    I'm sure there are some valid reasons for having your system protected from this bug but in large part Admins dropped the ball.

    But thats my $.02

    1. Re:What about the SysAdmins? by trentfoley · · Score: 5, Insightful
      While I agree that there is rarely a reason to place a database server on the public internet, I take issue with your statement that it was in large part due to System's Administrators.

      Patches from Microsoft are not like patches from the OSS community. You don't get to see the code changes and don't know what the Microsoft patch will do and there is no way to know without trying it in a test environment. Ask around and see how many admins have been burned by applying a service pack or hot fix on a production machine even after testing it out in a lab! Microsoft patches are notoriously flawed and impact areas of operation that seemingly have no correlation to the bug being fixed.

      So, this particular bug was published six months ago. Is six months long enough to fully test an amorphous piece of software? Maybe if we had the source code, we would know what to test. However, without the source, we have to test everything. Because, you never know what other piece of code Microsoft is going to throw in.

  4. Re:Let's give MS a chance... by EvilTwinSkippy · · Score: 5, Insightful
    So at what point is ragging on them about security going to be appropriate to you then? Last I checked they have an uninterrupted loosing streak going all they way back to winsock for WFW 3.11.

    PS, that was 10 year ago.

    You don't wake up one morning and decide to be security minded. That's like waking up one morning and deciding to be a ninja. Martial arts are a way of life, and the mindset required comes only after years of study and commitment.

    Microsoft's problems are a result of years of neglect and malpractice. You don't get to be that bad overnight. It takes work. Knitting a web browser into an operating system took effort. Knitting an LDAP directory into your domain security model, tied into your DNS and DHCP servers took effort. Creating a sytem by which you can embed executable commands into an office document took work. Making sure that your office document could execute command in your email client took work. Intermingling your email client with the server so that they are passing executable code back and forth took work.

    Meditate on this, Grasshopper.

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  5. Firewalls anybody? by jay_sdk · · Score: 5, Insightful

    What are supposedly serious companies doing without firewalls blocking 1433 and 1434? I run a little home network, of which one machine has SQLServer 2000, but my firewall has been blocking all 1433 and 1434 as "suspicious UDP" data. This is a little less than $150 hardware box. What? Bank of America can't afford a firewall?