Microsoft Blasted For Lax Security
fducky writes "Once again Microsoft is blasted for lax security. This CNN article cites experts denouncing the recent Microsoft security efforts as rating an 'F'. The recent MS-SQL worm got this most recent round of MS bashing going. Google News has more stories on the subject."
There's a very big difference, though. First of all, the open-source nature of Linux means that weaknesses tend to be patched extremely quickly. I think Linus Torvalds said something like "with enough eyes, all bugs are shallow".
Another thing to remember is that the architecture of Linux is inherently much more secure. Remember how much trouble there was in simply making a proof of concept virus for Linux - and even that had to be run as root.
However, security by obscurity is basically shoving your head in the ground and not seeing any problems. Just because Microsoft doesn't tell anyone about a number of problems doesn't mean that word doesn't get out. I mean, how many people outside of the MS development team can easily access/acquire the source code to Windows so they can find the existing problems?
Let's have less security through obscurity and more security through actual security and proper maintenance.
Kierthos
(Yes, it's probably a pipe dream, I know.)
Mr. Hu is not a ninja.
But in a different way. You have Microsoft This, and Microsoft That, all tightly integrated, all sold as if it is the only alternative, and all sharing the same funny idea about how safe doing things in an unsafe way is.
With Linux you have... see... the Linux kernel, and... well, that stops there. Also you have a lot of alternative apps, mostly multiplatform, with a few that are Linux only. If MySQL has a security problem, it should not be counted as a "Linux fault"; same with ssh, apache, sendmail, bind, etc.
But, if you want to count, I don't know, mplayer security problems as it is not available under Windows, well, you must also count all security problems of Windows programs as Windows security problems.
"But the philosophy of patching is fundamentally flawed and leaves people vulnerable, Cooper said."
Can anyone explain to me a better method, since even thy mighty god Linux is subject to the need occasionally, along with every other major OS I can think of?
The paragraph continues with, "For example, Microsoft didn't follow its own advice as executives confirmed that an internal network was hit by the worm." To me, it seems that this statement doesn't support the previous one. It would be better to place blame where it belongs: straight in the lap of the admins whose responsibility it is to keep their systems secure, and upon the heads of those who write exploitive code for the purpose of causing havoc.
I mean, more power to those who bring these issues to light, but doing so without perspective just looks like picking on an easy target.
It would have been nice to see some kind of list, or maybe a timeline of sorts with other MS security flaws.
That would be here.
It just seemed like they based their whole thesis of security shortcomings on one recent incident.
I think it has more to do with the anniversary of the Trustworthy Computing effort within Microsoft. It was a year ago that Bill announced that security was their new focus, that all the software engineers were standing down for a month of no new code, just security bug-finding and bug-fixing. And there have been recent announcements reiterating this sort of "commitment".
Mind you, this worm is a poor example of Microsoft insecurity. Not only was there a patch out, but it was SQL - any admin who didn't have it patched should at least have had it firewalled. But the timing of it points out that Microsoft has had many years of insecure feature-oriented software engineering to go back and fix up, and that their "new direction" has a lot of inertia to overcome.
But:
1) It was difficult to install
2) They released a later patch which re-enabled the exploit
3) Their own admins didn't install the patch and Microsoft itself fell victim to the exploit.
Which leads me to believe that while they can release patches for security, there is not enough ease and consistency to keep your systems "reliable". Many times a patch breaks functionality.
Why do we keep posting these stories? Why don't we post links to stories on how to set up secure firewalls, systems, etc.? Of course, if you're a horrible administrator using a default installation of Red Hat / Microsoft / etc. on a public network, you should be beaten over the head for letting it on the public network in the first place.
I wonder if Microsoft considers this good PR. Why? because when they start heavily pushing .NET and their Palladium plan, they will use examples such as these worms as to why everyone must go on a platform where Microsoft must authorize every piece of software and every piece of hardware to work with it.
Interestingly enough, the Slammer worm also affected the .NET Framework SDK whether or not the full SQL Server was installed on the machine or not. This is because a component of SQL Server is included in the 1.0 release of the SDK. Microsoft issued a critical patch for this issue too.
Even after having spent 100M on their Trustworthy Computing Initiative by July of 2002, we have not seen a great deal of proactive security fixes from Microsoft. Instead, external exploits seem to still be easy (even old ones), and then Microsoft takes action. Microsoft software still has a lot of maturing to do. We shouldn't expect magic anytime soon.
One issue concerning differences in security regimes between UNIX and Windows systems that is rarely discussed is port scanning.
When a Unix exploit emerges, the IT department at my University scripts a portscanner, identifies vulnerable machines and contacts their admins. If the machines are not patched within a certain time, they are disconnected from the network. I, for example, got an email about my Linux server being vulnerable to the OpenSSH exploit even before I read about it on Slashdot. This way the University system is less prone to hacker attacks. My Windows 2000 box has never been patched and is probably as secure as a sieve, yet has never drawn attention from the IT department. I presume this is because a similar scanning procedure is significantly more difficult to launch. This way I suppose the Unix machines should de facto be much more secure than the Windows machines at the University.
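The scan-notify-disconnect routine the post above describes, scripted as an added example (not code from the original thread or the university in question). It assumes the exposure being hunted is the SQL Server listener on 1433/tcp, which a plain TCP connect probe can detect, and a site policy of three days' grace before a still-exposed host is cut off; both the port choice and the grace period are assumptions here.

```python
"""Exposure scan plus grace-period policy, as a defender's inventory tool.

Assumptions (not from the original post): the probed service is SQL Server's
TCP listener on 1433, and admins get GRACE_DAYS to patch or firewall before
the host is disconnected. 1434/udp is not probed: a bare connect() cannot
tell an open UDP port from a filtered one, so that needs a protocol-aware
probe, which this example leaves out.
"""
import socket
import threading

SQL_SERVER_TCP = 1433
GRACE_DAYS = 3


def port_open(host, port, timeout=0.5):
    """TCP connect probe: True if something accepts connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(hosts, port=SQL_SERVER_TCP):
    """Return the hosts that currently expose `port`."""
    return [h for h in hosts if port_open(h, port)]


def triage(exposed, first_seen, today):
    """Apply the notify-then-disconnect policy.

    first_seen maps host -> day number of first detection and is updated in
    place. Newly exposed hosts are notified; hosts still exposed after the
    grace period are disconnected; hosts no longer exposed have their clock
    cleared so a later regression starts a fresh grace period.
    """
    notify, disconnect = [], []
    for host in exposed:
        if host not in first_seen:
            first_seen[host] = today
            notify.append(host)
        elif today - first_seen[host] > GRACE_DAYS:
            disconnect.append(host)
    for host in list(first_seen):
        if host not in exposed:
            del first_seen[host]  # patched or firewalled: clear the clock
    return notify, disconnect


def demo():
    """Offline run: a constructed local listener stands in for an exposed host.

    Returns (exposed_while_listening, exposed_after_close).
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port, so the demo needs no privileges
    srv.listen(1)
    port = srv.getsockname()[1]
    # Accept in the background so the probe's connect() completes cleanly.
    threading.Thread(target=lambda: srv.accept(), daemon=True).start()
    before = scan(["127.0.0.1"], port)
    srv.close()
    after = scan(["127.0.0.1"], port)
    return before, after
```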
Don't get me wrong - the sysadmins certainly have some responsibility. At the end of the day, they're paid to keep the system running. If the system isn't running, they're not doing their job. Ergo.
However, many people smarter than me (e.g. Bruce Schneier) have pointed out that Microsoft's patch policy is completely bankrupt. From the article: Another quote from the article: So here you have a vendor who:
- Can't keep their own systems patched, even 6 months after the fact.
- Issues patches that break previous patches.
How exactly are you supposed to stay on top of this? Re-test the system for every previous vulnerability after every single patch? While in an ideal world you'd say, "Yes - roll the patch out first on a test system and make sure it fixes the current issue and breaks nothing else," you'd have to be smoking crack to think many people have the manpower or time to do this. The core issue here is that Microsoft has built its software with very little attention to security, and you can't make up for that with a month or two of "security consciousness." They've explicitly sacrificed security at the altar of market share, and now it's coming back to bite them (and all their customers) in the ass.
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
There is a missing issue here: MS bent over backward over the last 7-10 years to sell their products to people based on *Ease of Use*. You don't have to be a rocket scientist (or Unix guru) to do 'big things' with computers if you bought MS products. One of the key selling points was you didn't have to have these expensive engineers to maintain the systems.
So between the 'it's easy' part and 'you don't need smart responsible people to manage it', is it any wonder that we have an epidemic of poorly maintained MS systems out there?
The nation's newest security administrations are extremely vulnerable as they are nearly all MS shops now. The irony is MS was chosen for their security strength. This information is very public and very disturbing.
The internet is becoming more and more important to the average "joe." So now, "things internet" are becoming newsworthy.
I have discussed the recent worm attack with my non-tech associates and they actually had an opinion about Microsoft. That some agreed with me and others disagreed isn't as significant as the fact that they had an opinion.
This is a tremendous change. Think on it.
Some people strongly disagreed on Microsoft and how evil they are. Others nodded as if to say what I mentioned made a lot of sense. (I mentioned that "bugs" in software are part of Microsoft's business model -- people have to buy newer software to repair problems with their old software, especially after Microsoft stops supplying fixes for their older stuff... "Bugs == consumer incentive to upgrade.") This, of course, is now changing rapidly. "Bugs == consumer incentive to change."
I think with the high-profile nature of attacks which exploit weaknesses in Microsoft products is really starting to create public opinion that never truly existed before. (Prior to this, people looked on Microsoft the way we look at the air we breathe -- "is there anything else to breathe?")
I think this is a very good thing. It more than levels the playing field in the market for server and other products. I think leveraging Linux, Apache and various SQL servers in the server market is the only way to get Linux onto the Desktop at a later date. There is no way to get Linux onto the desktop until Linux is a household word. Once that is done, Desktop Linux will be chosen not for its performance, but for its reliability and solidity.
I think the days are short for people who prefer to have "unstable and colorful" displays... with the amazing power of today's PC, performance isn't an issue. Stability, reliability and security will be the main concern and even if Microsoft cleans up their act, their reputation will be enough to add doubt into consumers' hearts. The public is a moody beast and once bitten doesn't come back for any reason... usually. Just look at how long it took Nixon to return.
The death of Microsoft is at hand...
This is called regression testing, and it's pretty common in the software industry.
Common in the industry, sure, but I don't think it's common for software companies to expect the customers to do it for them. Are you really suggesting that we are supposed to regression-test every Microsoft-issued patch? Remind me what we pay Microsoft for, again?
Seriously, if a patch re-introduces a previous flaw, that's Microsoft's fault. They have access to regression tests, too, and it's their job to do them, since they are the vendor providing the software.
Do you test all food and water you consume? There are testing suites available. If you get sick from E. coli or Salmonella or Cholera, well, then, that must be your fault for not regression-testing your food for all known pathogens before every bite. Should we all hire private security services in case the police can't do their job? But then what do we do if our private security people don't do their jobs?
Society works because we divide labor and rely on people to do their jobs. Microsoft clearly has not been doing its job, and the fact that it is possible for someone else to do Microsoft's job for them doesn't make it that person's responsibility to do so.
Down that path lies anarchy.
Yes, I remember the Lion worm. CNET thought it was big news when Lion spread to a few thousand systems before dying out.
Meanwhile, the SQL Slammer worm has spread to over 300,000 systems, but CNET assures us that it's just because of lazy SysAdmins.
But is it?
There are more Red Hat systems being used as Internet servers than there are MS SQL installations on the net.
So why is it that almost all of the Linux installations had current security patches, while so many of the MS SQL installations did not?
I'll tell you why.
It's because Linux systems are easier to maintain than MS software.
It's because MS is lazy and careless, and MS patches are buggy to the point that people avoid them.
And it's because people who run MS software for their websites are only semi-competent to begin with -- it doesn't take a brain surgeon to be aware of the fact that MS software violates standards, and has a reputation for lax security.
Personally, from having to manage Microsoft systems for the better part of 12 years, it was almost impossible to patch anything immediately, when a Security Fix was announced.
If you ever have managed Microsoft Products, it basically becomes a crap shoot with the following outcomes with regards to patching your systems:
1) Patch installs, breaks other services.
2) Patch installs, system becomes even more unstable.
(This is the worst because it looks like the system is working, but hits you in the middle of the day, usually during peak times.)
3) Complete failure to reboot after patch is installed, resulting in a very intensive recovery operation. (i.e. Reinstall OS, tape restore, or flash restore with floppy.) All data is usually lost since last backup.
In any case, it is completely laughable, and not applicable I believe if you completely blame Microsoft Admins on not applying these patches.
Especially with some of the messages posted here, such as "Oh, well you have to update your systems, stupid."
How simple and naive you are, and obviously anyone making such a statement has not an ounce of experience managing Microsoft server/desktop products.
I think the people who manage Microsoft Products know more than anyone here why it is preferable to update their systems.
I think it is a serious insult to Microsoft's customers that Microsoft would publish a statement something akin to "Well, they didn't update their systems... IT'S NOT OUR FAULT".
Bullpucky, and with that in mind however, continue reading.
The sheer hell you have to go through to patch a monolithic monster of bloatware that is a Microsoft OS is purely not economically possible, if you can believe it, for some companies with large installations of Microsoft products.
Patching becomes a project something on the scale of an ERP implementation for some sites that are non-trivial in size.
Furthermore, time after time, Microsoft provides NO WAY to reverse patches that they typically publish.. (also known as "HOT UPDATES/FIXES").
As most admins will tell you, HOT FIXES are risky, and can be impossible to reverse because Microsoft publishes these immediately, without thinking properly about the impact on the entire OS.
As I shall note later, this is why Microsoft's OS is not practical to expose to the internet for any reason from a security perspective.
Therefore, many admins wait for the service packs to fix the problem; most of the time the service packs are more well thought out, and are for the most part reversible.
It is incredibly expensive to mirror systems in a test lab to test patches. EVEN THEN, the production systems are in no way representative of the test systems. It is expensive and labor-intensive to construct mirror systems and network services to make it viable to install hot fixes in a responsible way.
With that said, being a Linux convert, here is the problem and Microsoft isn't addressing it:
1) Microsoft's OS includes too many features out of the box, so that admins cannot control what they want installed.
It is REALLY stupid to put a graphical interface on the OS, especially when you are considering a highly secured server, and to make it a requirement to run it. There is absolutely no reason why the OS has to carry around the code for a GUI when it is sitting in the server room, under lock N key.
Microsoft apparently doesn't understand software engineering principles regarding the total possible paths in a program: its reliability can only be increased statistically by eliminating the other execution paths in the software. That means not installing the GUI.
On Linux I can do this, easily, with ANY piece of software. Effectively reducing the function of the server to BARE BONES. Making it much faster to identify and fix problems, and of course much easier to update.
Well, you can't do this with a Microsoft product, and that is the root of the problem. In linux, I can slice and dice the OS down to its bones, if I need to.
Also, I would like to point out, linux isn't as complex to administrate as Windows when you start whacking the X server, games, DNS (directory software) and everything else when all I have running is sendmail. The system becomes a very very simple UNIT to admin in my infrastructure, with a very very easy and predictable means to upgrade and far fewer security risks as a result.
NOTICE TOO sendmail has nothing to do with the operating system.
Microsoft ties everything into the OS making it IMPOSSIBLE to build a secure system because you have to install ALL of the system or NONE AT ALL.
Microsoft uses the OPERATING SYSTEM to aggregate services, which as I pointed to above, is a fundamentally flawed software architecture.
Linux on the other hand uses the FILE SYSTEM to aggregate services, and the file system doesn't require you to even execute the code on start up.
Therefore even if you do a complete install on Linux, the system complexity doesn't increase, only what you include in your RC startup increases system risk to security or bugs that can make your system unstable.
The worst thing that happens is you increase the size of your file system.
As a result the uptime factors and ease of maintenance for Linux based systems easily outpace Microsoft's OS in any large deployment of the OS.
As a result it is impossible, because of these facts, to follow a responsible security policy with medium to large Microsoft IT installations.
I also think Microsoft should stop slapping its customers up in the press as to the importance of updating their systems.
Most people already understand that, but they are being held hostage by the poor implementation of Microsoft software which by its very design, prevents practical and speedy updates of large installations of Microsoft OS's.
-Hack
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
In mission critical applications that run 24/7, there is usually a formal process for requesting downtime that takes a week at a minimum. However, I agree with you; it shouldn't be a big deal to reboot servers running Microsoft products because no one should ever run mission critical applications using Microsoft software.