Microsoft Blasted For Lax Security
fducky writes "Once again Microsoft is blasted for lax security. This CNN article cites experts denouncing the recent Microsoft security efforts as rating an 'F'. The recent MS-SQL worm got this most recent round of MS bashing going. Google News has more stories on the subject."
there was a post like this, well I'd be richer than Bill Gates himself.
While it is stupid of MS not to update their own servers, you can't blame them for the SQL worm. They issued a patch months ago...it's no one's fault but the server admins.
doh! from the CNN article: "The single largest message is: keep your system up to date with patches," Microsoft Chief Security Officer Scott Charney said. But the philosophy of patching is fundamentally flawed and leaves people vulnerable, Cooper said. For example, Microsoft didn't follow its own advice as executives confirmed that an internal network was hit by the worm.
I thought the MS-SQL worm worked in a very secure fashion. The servers offered a service, client worms connected and used it just as the software was designed. What's the problem? All it generated was traffic. From the network's POV, is it really any better if that traffic is /. commentary or pr0n? Or CNN stories?
Also, during the height of worm activity the XP activation servers failed in a secure manner - that is, rather than allowing people to use unlicensed copies of XP willy-nilly, they erred on the side of caution. Note that from Microsoft's POV this is a secure failure mode, and is BY DESIGN.
They're doing exactly what they set out to do, just as they always have. A CNN story won't affect that.
I hate to break it to you but Microsoft is popular, and hence they will be all the more targets of these worms. Every tiny fault will be implemented, and all operating systems have these.
When another OS is popular, you'll see it happen to it too. I believe nobody is immune; only the popularity decides what is a vector for transmission.
Not necessarily bad coding or security. Many other operating systems could almost be said to be 'hiding' in their obscurity.
Security by obscurity is no defence.
Look at a recent article on Macintosh virus attacks. They used to be non-existent. Now with OSX they are up to half as common as Microsoft.
And Apple still only has a minor market share. That bears thinking about.
Besides the one recent example of the SQL worm cited in the article, CNN made no mention of other security problems. This isn't to say that they aren't there, because they obviously are, but it just seemed like they based their whole thesis of security shortcomings on one recent incident. It would have been nice to see some kind of list, or maybe a timeline of sorts with other MS security flaws. The article seemed like some kind of publicity plug for "TruSecure Corp."
So they forgot to update. The error here, believe it or not, isn't all upon Microsoft. First off, they didn't patch. Microsoft had the patch available since June. It's not like you never have to patch open-source either... Second, Microsoft explicitly warns users of SQL databases to not put them openly on the internet, for obvious reasons. And yet, they did it anyway. You can blame Microsoft for this if you want, but it isn't car companies' fault that people get killed because they can't drive. Open source has its merits, as does Microsoft.
Or why not go after the software vendor that wrote and sold vulnerable software? Or go after the software vendor for dumbing down systems so much that incompetent admins are put in charge to maintain them?
Personally, I don't think the whole "blame game" is very effective...but that's just me.
---
Open Source Shirts
Okay, I'll be the first to bash Microsoft and say that their security sucks. I'll be the first to say that their initiative to improve security is marketing smoke and mirrors. But let's give them a real chance to prove this to us. The vulnerability that caused the Slammer worm is one that they actually found and fixed a long time ago. This is admins not doing a good job of keeping up to date and fixing problems.
Furthermore, the product that was compromised is legacy from before their big embracing of security. Let's see what happens with its next major release. If that still had big gaping problems, then we can hang them from the tallest tree.
This sig has been temporarily disconnected or is no longer in service
Now while I'm no fan of MS, do we really need to have stories every time someone accuses Microsoft of having poor security? Might as well dedicate an entire section of Slashdot to their exploits. At least then I could turn it off in my preferences.
And while there are plenty of problems for Microsoft to fix in their code - IE has plenty of unresolved issues - this issue was in large part due to System Administrators. Let's let it slide that they were "just waiting for the next service pack to come along" so they could update and patch everything. I don't buy that as a good policy for maintaining systems - if a patch is out and can be applied, use it. And why leave SQL systems on the internet without some sort of firewall or some sort of protection? If it has to be on the Net, why does it not have every possible security patch applied to it?
I'm sure there are some valid reasons for having your system protected from this bug but in large part Admins dropped the ball.
But that's my $.02
Why does Microsoft's "grade" drop when they released a patch for the worm a long time ago? All OS's have security problems. I think it is more accurate to say that Microsoft SQL Server Admins get an "F", not Microsoft itself. This is not to say that I think MS has good security, but it's an unfair slam when the worm is really the fault of admins who failed to apply a vendor patch.
Oh no you don't! Don't think you can fool us with that all too common last name. We know it's you, RMS!
But in a different way. You have Microsoft This, and Microsoft That, all tightly integrated, all sold as if they were the only alternative, and all sharing the same funny idea about how safe it is to do things in an unsafe way.
With Linux you have... see... the Linux kernel, and... well, that stops there. Also you have a lot of alternative apps, mostly multiplatform, with a few that are Linux only. If MySQL has a security problem, it should not be counted as a "Linux fault"; same with ssh, apache, sendmail, bind, etc.
But, if you want to count, I don't know, mplayer security problems as it is not available under Windows, well, you must also count all security problems of Windows programs as Windows security problems.
I am always running behind on M$ patches for 2 reasons:
#1. MS patches have "blown up" my win boxes before.
#2. There are so many you can't keep up.
And the automatic update that comes with Windows 2000 SP3 has also hosed my PC.
Karma: The shiznight, mostly because I am the Drizzle.
"But the philosophy of patching is fundamentally flawed and leaves people vulnerable, Cooper said."
can anyone explain to me a better method, since even thy mighty god linux is subject to the need occasionally, along with every other major OS i can think of?
the paragraph continues with, "For example, Microsoft didn't follow its own advice as executives confirmed that an internal network was hit by the worm." to me, it seems that this statement doesn't support the previous. it would be better to place blame where it belongs, straight in the lap of the admins whose responsibility it is to keep their systems secure, and upon the heads of those who write exploitive code for the purpose of causing havoc.
i mean, more power to those who bring these issues to light, but doing so without perspective just looks like picking on an easy target.
We've had this discussion before, and we're having it yet again.
Who's to blame in this situation? I clearly feel it's the administrators and their immediate managers, both at Microsoft and at any organization that was hit with the worm. The administrators should keep up with the newest patches and update systems during the maintenance window. Managers should ensure the administrators have applied the patches.
The argument about downtime and untested patches will surely be seen here as well. That argument is not OS specific. Sure, on Windows you generally need to reboot after applying a patch, but what if this happened to Oracle? You would need to take the server down, patch and bring it back up. As for testing, this is again OS independent. At one time or another I'm sure every piece of software has released a patch that has introduced new bugs; it happens.
Either way, there will be Microsoft bashing in the thread, but regardless of which OS you're running situations like this will arise.
Even as security issues are top news usually on Slashdot, this shows where our hearts are.
Yours, Martin
Possibly, but considering how Apache soundly outnumbers IIS installs for webserving, where are all the Apache worms? Oh sure, there have been some problems with Apache, but compared to "which worm is it this week" IIS, Apache is as solid as a rock. Where does that argument about installed base stand now? That default answer MS users give about installed base is bunk. Open Source compared to MS software is flat out more secure. I doubt you will ever see the day when Linux email clients like Pine or Evolution start causing billions in damage each year like Outlook does.
If you wanna get rich, you know that payback is a bitch
Well, I'm running Windows servers and Linux (SuSE) servers. And I certainly see a difference between the feasibility of being up to date security-wise with each system.
First, with a typical windows system, it's IMO damn hard to know what components you are running and how it all works together - i.e. what breaks if you lock something down at installation time.
Later on, it's also sometimes very hard (IMO) to know if I have to patch or not. For instance, is it really a good idea to not update Internet Explorer since this is a server anyway? Maybe somewhere down in IIS something might use one of IE's components (pulled-out-of-my-ass example btw.).
Add to that that some patches seem to need an updated IE, for to me unknown reasons...
Sometimes something might break (as reported on ntbugtraq), and it's not really transparent to me if this can be reverted.
Compare that to (SuSE) linux. Download rpm, install, done (in many cases, when not, it's always explained in the advisories what to do).
If something breaks, uninstall the rpm and reapply the old one. Nearly no downtime; I just have to find out what didn't work.
Just from the feeling, I'm a lot more scared when I have to install a ms security fix than when I do the same on linux. And the fact that microsoft was caught with their pants down this time seems to suggest I'm in "respectable" society.
Funny, my linux box was infected with two worms in the last two years but my windows 2000 box hadn't been hit. Windows Update is easy to use, and I run it every few weeks, but the assorted packages on my linux box are much harder to track and keep patched so I miss patches that I should apply. I may have been hit more, these are only the hits that I noticed, but for me Windows is *already* more secure than linux.
.NET, what do you think Microsoft's programmers use to write code? I suspect that a large percentage of the problems on Microsoft's network were caused by boxes managed by individual users.
Also, note, MSDE was installed as part of Visual Studio
I'm at least as anti-Microsoft as the average Slashdotter, but this is getting a bit ridiculous. Aside from the fact that a patch was available, what the heck is a database server doing with a direct Internet connection? Five years ago, when I started designing web applications it was common practice to put web servers in a DMZ, with a firewall between the web server and any DB/app servers.
This isn't Security 101, it's Remedial Common Sense 050!
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
also, we could go after the people who get mugged too, as they clearly aren't doing everything they can do to protect themselves from muggings, and it encourages muggers to mug you and I then. Or for that matter, people whose cars break down during rush hour. The list goes on and on...
JWall: GUI client for IPTables
I wonder if Microsoft considers this good PR. Why? because when they start heavily pushing .NET and their Palladium plan, they will use examples such as these worms as to why everyone must go on a platform where Microsoft must authorize every piece of software and every piece of hardware to work with it.
Worse than this, let's suppose that you want to be patched at any cost, as soon as it appears. Another patch coming from Microsoft for another MS SQL problem disabled this patch (this is in the CNN article linked in this story), so you must be half responsible, half not, to have one patch applied and not the later one, to be safe.
Interestingly enough, the Slammer worm also affected the .NET Framework SDK whether or not the full SQL Server was installed on the machine or not. This is because a component of SQL Server is included in the 1.0 release of the SDK. Microsoft issued a critical patch for this issue too.
Even after having spent 100M on their Trustworthy Computing Initiative by July of 2002, we have not seen a great deal of proactive security fixes from Microsoft. Instead, external exploits seem to still be easy (even old ones), and then Microsoft takes action. Microsoft software still has a lot of maturing to do. We shouldn't expect magic anytime soon.
Gates says security is job #1 and sends all his programmers to security training.
Well, that's nice - but is that really going to do it?
How do you really get secure software? Doesn't that arise over time, as software matures and the flaws are found in the code base?
Is that something Microsoft can embrace as a model for their business? Isn't Microsoft really about making money by churning its user base through upgrades every two years?
It seems to me that it is going to be very difficult for a company that makes its money by selling 'features' to end users and churning its software base every few years to achieve the level of maturity in its code base that is necessary to arrive at a reasonably secure product.
The fact is that Microsoft's business managers with bottom line responsibility are going to do what is necessary to get new versions out - each version with an ever increasing feature set. No matter how well Microsoft trains its developers, this process is going to lead to security issues.
Weird view. So if you neglect to lock your door, you're just as responsible as the burglar who carries off your stuff, and ought to be prosecuted for willful negligence?
Okay! Yet another federal law enforcement bureaucracy is born: The Patch Enforcement Agency. It can parallel the organization of the Lock Enforcement Agency and the Don't Go Walking In Central Park After Dark Enforcement Agency.
That's what we need. More ways to hold victims responsible for the acts of criminals.
Here's an idea: why not just let nature (or in this case, the free market) take its course? sysadmins who neglect to patch their servers get fired, and those who employ such sysadmins lose business. The problem will take care of itself without introducing any new government meddling to gum up the works and make life harder for everyone.
This is sadly reminiscent of our present foreign policy. We can't catch Osama, we need the Saudis' oil, we're scared of North Korea, so we attack some tinpot dictator we're pretty sure we can beat.
Personally I'm not blaming Microsoft for the 'slammer'. They patched it in July so I'm blaming the morons that
1. Haven't bothered to keep their SQL servers up to date
and
2. Allow anyone from the internet to connect to that port anyway!
Auntie Gayle's Basic Firewalling Guide for fuckwits
1. Drop EVERYTHING!
2. Specifically open the ports you need.
3. If you do this the other way round (i.e. only drop known problem ports/protocols while leaving everything else open) please report for immediate recycling.
The one thing Microsoft is responsible for is making the sysadmin job seem so easy any moron can do it. This encourages companies to employ button pushers and we end up with things like the 'slammer' debacle.
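To make the ordering point in the firewalling guide above concrete, here is an added example (not code from the thread or from any firewall product) that models both policies: drop everything and open only the ports you serve, versus leave everything open and block the ports you already know about. Ports 1433 and 1434 are the SQL Server ports the thread discusses; the service list, the packet sample and the "future worm" port 9999 are constructed. The iptables rendering is text only and assumes the INPUT chain; nothing is executed.

```python
"""Default-deny versus default-allow filtering, as a worked model.

Added example; not code from the original thread or any firewall product.
Policy 1: chain policy DROP, explicit ACCEPT for served ports.
Policy 2 ("the other way round"): chain policy ACCEPT, explicit DROP for
ports known to be trouble today. Ports 1433/1434 come from the thread; the
rest of the data is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, int]  # (protocol, destination port)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port on the server


@dataclass
class Policy:
    default: str                                         # chain policy: "drop" or "accept"
    rules: Dict[Key, str] = field(default_factory=dict)  # explicit per-port verdicts

    def decide(self, pkt: Packet) -> str:
        """An explicit rule for the port wins; otherwise the chain policy applies."""
        return self.rules.get((pkt.proto, pkt.dport), self.default)

    def render_iptables(self) -> List[str]:
        """Render the policy as iptables INPUT-chain commands (text only, nothing is run)."""
        lines = [f"iptables -P INPUT {self.default.upper()}"]
        if self.default == "drop":
            # Keep replies to connections the host itself opened working.
            lines.append("iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT")
        for (proto, port), verdict in sorted(self.rules.items()):
            lines.append(f"iptables -A INPUT -p {proto} --dport {port} -j {verdict.upper()}")
        return lines


# Policy 1 from the post: drop everything, open what the box is meant to serve.
DEFAULT_DENY = Policy("drop", {("tcp", 80): "accept", ("tcp", 443): "accept"})

# Policy 2, "the other way round": leave everything open, block today's known trouble.
DEFAULT_ALLOW = Policy("accept", {("tcp", 1433): "drop", ("udp", 1434): "drop"})

# Constructed traffic: a web hit, a Slammer-style UDP/1434 probe, a direct
# SQL Server connection attempt, and a hypothetical future worm on a port
# that no blocklist has heard of yet.
SAMPLE = [Packet("tcp", 80), Packet("udp", 1434), Packet("tcp", 1433), Packet("udp", 9999)]


def exposed(policy: Policy, packets: List[Packet]) -> List[Key]:
    """(proto, port) pairs the policy lets reach the host, deduplicated and sorted."""
    return sorted({(p.proto, p.dport) for p in packets if policy.decide(p) == "accept"})


def unexpected_exposure(policy: Policy, packets: List[Packet], served: List[Key]) -> List[Key]:
    """Reachable ports that are not on the list of services the host is meant to offer."""
    return [k for k in exposed(policy, packets) if k not in served]


if __name__ == "__main__":
    served = [("tcp", 80), ("tcp", 443)]
    for name, pol in (("default-deny", DEFAULT_DENY), ("default-allow", DEFAULT_ALLOW)):
        print(f"{name}: reachable {exposed(pol, SAMPLE)}, "
              f"unexpected {unexpected_exposure(pol, SAMPLE, served)}")
        for line in pol.render_iptables():
            print("   ", line)
```

Under the default-deny policy the unknown port 9999 never reaches the host; under default-allow it does, and the blocklist has to be edited again for every new worm. That is the whole of the "please report for immediate recycling" point.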
One issue concerning differences in security regimes between UNIX and Windows systems that is rarely discussed is port scanning.
When a Unix exploit emerges, the IT department at my University scripts a portscanner, identifies vulnerable machines and contacts their admins. If the machines are not patched within a certain time, they are disconnected from the network. I for example got an Email about my linux server being vulnerable to the openssh exploit even before I read about it on Slashdot. This way the University system is less prone to hacker attacks. My Windows 2000 box has never been patched and, probably as secure as a sieve, has never drawn attention from the IT department. I presume this is because a similar scanning procedure is significantly more difficult to launch. This way I suppose the Unix machines should de facto be much more secure than the Windows machines at the University.
The bit that gets missed here is that security is not a product, it's a process (something Bruce only seems to remember when writing his books). If we really want to go pointing fingers then how about the folk who designed buffer overflow bugs into the C programming language? Before C every programming language had array bounds checking built in. So who were the turkeys who decided that we should run without elementary safety checking? Oh yes, the same folk who gave us what people would now have us believe is the so-secure UNIX O/S.
It took over ten years for the elementary security boo-boos to get sorted in UNIX. For years the UNIX crew told us that shadow passwords were dangerous security through obscurity, only the world readable password file and the salt gave genuine security. Then along came crack. It still took four years for shadow passwords to become mainstream.
Even today sendmail is installed by default in most UNIX installations, even though it is historically a security nightmare. Some of the bugs have been fixed but as a sendmail inc. employee admitted to me last week, it is still too damn complicated for most people to understand how to configure it.
I don't think that this point scoring does any good. UNIX and Windows both have major security problems. Windows has security problems in implementation, UNIX has them built into the architecture. There are still UNIX boxes shipping with rhosts, even though it has been demonstrated time and again that rhosts is completely insecure. Installing ssh does nothing to improve the security of the box unless you actually uninstall the rhost commands and the daemon.
Folk who go on about how braindamaged Microsoft is should ask themselves how UNIX programmers managed to botch a command as simple as finger!
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
I see a lot of people stepping up and complaining that it's not Microsoft's fault as much as it is the sloppy admins. Yes - Microsoft systems that were hit by this worm were poorly managed. However, the problem is that shitty admins are exactly who Microsoft designed this "server" operating system to be managed by.
Who certifies system administrators that can barely format a floppy? Microsoft. Who crafted a Fisher-Price operating system with inadequate "wizards" to help unqualified administrators bungle their way through setting up a server? Microsoft. And who pitches their operating system as having a lower cost TCO because you don't need skilled labor to run them? Microsoft.
So when you want to complain that it's the admins that make these systems insecure, remember these are the admins that Microsoft picked.
Now if that plant had any vulnerabilities to disease, you are hosed. All of the fields of this same plant are going to die in exactly the same manner at exactly the same time.
Meditate on this, Grasshopper.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
because they have had enough already.
Anyone with that much money in the bank can damn well afford to produce products that actually are best in class. They are number one right now, but clearly do not deserve to stay there when we know there are better and cheaper ways to do things.
Blogging because I can...
Folks remember that when MS first started hiring developers in its beginnings those developers:
-Were not skilled in unix security precautions because Unix vendors had changed their licenses to close code to those in cs at schools.
-Were influenced to push code out the door rather than refactor, retest, and rework to produce security compliant code.
-MS's recent code retraining cannot erase almost 30 years of bad programming practices within MS itself..
The only way for MS to get better is to immediately fire every programmer, which will not happen and thus the conversion to Linux and MacOSX will gain full speed in the next few months..
Don't Tread on OpenSource
I don't think that this point scoring does any good. UNIX and Windows both have major security problems.
I remember a security seminar I attended where the lecturer took a neutral stance toward whether Unix or Windows was more secure. His philosophy was "go with what you know". If you live and breathe Windows, you probably keep up to date with the latest Microsoft news, releases and patches just as well as a Sun/Unix geek might stay up to date with Solaris patches and updates. Knowing network security (gosh, let's protect the potentially vulnerable ports on our server from being publicly reachable) is essential to both.
So many new administrators are getting Windows or Linux or other products and implementing them without the experience of security lessons learned from the past. It takes a mass event like this one to re-educate the newbies.
As a reminder for everyone designing, "one degree of separation" architecture, remember that Suki is one of your potential customers.
there is a missing issue here: ms bent over backward over the last 7-10 years to sell their products to people based on *Ease of Use*. you don't have to be a rocket scientist (or unix guru) to do 'big things' with computers if you bought ms products. one of the key selling points was you didn't have to have these expensive engineers to maintain the systems.
so between the 'it's easy' part and 'you don't need smart responsible people to manage it', is it any wonder that we have an epidemic of poorly maintained ms systems out there?
Now said system was purchased against your recommendation, is proprietary in nature, and the company that made it was bought out by another company, so you can't even get a straight answer on simple questions anymore. The department responsible for this purchase has never hired the person promised to maintain the system, nor have you been sent out for training on its maintenance.
A week after this system is installed a third party contractor installs a replication system so your ticketing system can be connected to a big web server in another state. You don't really know what ports need to be open, how they are being used, and every time you tweak the littlest thing the entire operation comes to a grinding halt.
And you expect me to apply patches at random. Especially when they require taking the system offline, and each has the risk of incapacitating your operations. Right.
Blame me all you want. But the seeds of ruin were planted further up in the decision making process.
According to the CNN article: In October Microsoft released a fix for a different SQL Server problem that if installed in the expected manner would have made patched systems vulnerable again, he said. "If I followed their advice I'd have been vulnerable."
As a server admin, how do you know which patches will cause more harm than good? Is a good server admin one who installs every patch that's released right away and breaks things, or one who doesn't and gets broken into? When we installed SQL Server's SP3 at work, we found that the statement "DBCC SHRINKDB('insertDatabaseNameHere')" was deprecated and disabled in favor of using "DBCC SHRINKDATABASE('insertDatabaseNameHere')". This wasn't a new release... this was a service pack! I don't think you can solely blame admins for not patching. Some blame HAS to fall on the coders who left the hole open in the first place.
Okay, anyone who has read my posts knows that I'm not a Microsoft supporter. I find it hard not to see the humor in Microsoft's own servers getting hit when the vulnerability was not new and patchable especially after they proclaimed that they were now striving to be secure.
However, after laughing myself sick, the seriousness of the situation darkened my mood. Although I believe that Linux is currently a more secure platform, it is not a platform without flaws. Linux could be the next security nightmare if we don't occasionally do a reality check.
Part of Microsoft's strength and ironically part of the reason that Microsoft products tend to be vulnerable to attack is the fact that Microsoft strives to give the customer everything including the kitchen sink.
To do this, products are made with far too much power. VBA is an example of this. Combining data with code is not a good idea. It makes it very convenient for the customer and unfortunately the black hats as well.
Right now Microsoft is pushing their .NET platform. They are hopeful that this will become the development platform of choice across multiple OSes. Parts of the Linux community are scrambling to enable Linux to benefit from this emerging technology through the Mono project.
If successful it may become possible to run many applications that will be developed on the Windows OS that are targeted for the .NET platform. If Microsoft introduces a .NET version of their flagship Office package it is likely to incorporate some form of VBA. Running a VBA-enabled application on Linux will not help the security of the Linux platform.
The race isn't always to the swift... but that's the way to bet!
What are supposedly serious companies doing without firewalls blocking 1433 and 1434? I run a little home network, of which one machine has SQLServer 2000, but my firewall has been blocking all 1433 and 1434 as "suspicious UDP" data. This is a little less than $150 hardware box. What? Bank of America can't afford a firewall?
Ah internet comics[userfriedly.org]
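The post above relies on a perimeter box dropping 1433 and 1434; the other half of that is noticing when something behind the firewall starts spraying those ports. Here is an added example, not from the thread or any product, that reads iptables-style LOG lines (the format is simplified and every line below is constructed) and flags any source that contacts many distinct destinations on udp/1434 within a short window. That pattern is a host hunting for SQL Server instances, which an infected machine does whether the firewall accepted or dropped the packets, so both verdicts count. The threshold of five targets and the 60-second window are assumptions to tune per network.

```python
"""Flag worm-like udp/1434 spraying in iptables-style firewall logs.

Added example; not code from the original thread. Log lines, threshold
and window are constructed/assumed. The detection is "one source, many
distinct destinations on one port in a short time", not any signature of
the Slammer payload itself.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Simplified iptables LOG-target style lines (constructed sample data).
SAMPLE_LOG = """\
Jan 25 05:30:01 fw kernel: DROP IN=eth0 SRC=10.1.2.3 DST=192.0.2.10 PROTO=UDP SPT=1090 DPT=1434 LEN=404
Jan 25 05:30:01 fw kernel: DROP IN=eth0 SRC=10.1.2.3 DST=192.0.2.11 PROTO=UDP SPT=1090 DPT=1434 LEN=404
Jan 25 05:30:02 fw kernel: DROP IN=eth0 SRC=10.1.2.3 DST=192.0.2.12 PROTO=UDP SPT=1090 DPT=1434 LEN=404
Jan 25 05:30:02 fw kernel: ACCEPT IN=eth0 SRC=10.1.2.3 DST=198.51.100.5 PROTO=UDP SPT=1090 DPT=1434 LEN=404
Jan 25 05:30:02 fw kernel: DROP IN=eth0 SRC=10.1.2.3 DST=192.0.2.13 PROTO=UDP SPT=1090 DPT=1434 LEN=404
Jan 25 05:30:03 fw kernel: DROP IN=eth0 SRC=10.1.2.3 DST=192.0.2.14 PROTO=UDP SPT=1090 DPT=1434 LEN=404
Jan 25 05:30:05 fw kernel: ACCEPT IN=eth0 SRC=10.1.7.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=80 LEN=60
Jan 25 05:30:06 fw kernel: ACCEPT IN=eth0 SRC=10.1.5.5 DST=192.0.2.20 PROTO=UDP SPT=5000 DPT=1434 LEN=80
Jan 25 05:35:00 fw kernel: ACCEPT IN=eth0 SRC=10.1.5.5 DST=192.0.2.21 PROTO=UDP SPT=5000 DPT=1434 LEN=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<verdict>\w+) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse(line: str, year: int = 2003) -> Optional[dict]:
    """Parse one log line into a dict, or None if it is not a firewall record.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["dpt"] = int(rec["dpt"])
    return rec


def flag_sprayers(lines: List[str], port: int = 1434, proto: str = "UDP",
                  min_targets: int = 5, window_s: int = 60) -> Dict[str, int]:
    """Sources that reach at least min_targets distinct DSTs on proto/port
    within any window_s-second window. Returns {src: peak distinct targets}.
    Dropped and accepted packets both count: the scanning is the signal."""
    hits = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse(line)
        if rec and rec["proto"] == proto and rec["dpt"] == port:
            hits[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged: Dict[str, int] = {}
    for src, events in hits.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            # Distinct destinations in the window starting at event i.
            targets = {dst for t, dst in events[i:] if (t - t0).total_seconds() <= window_s}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in flag_sprayers(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct udp/1434 targets inside one window; check this host")
```

In the sample, 10.1.2.3 hits six different hosts on udp/1434 in two seconds and is flagged; 10.1.5.5 talks to two SQL servers five minutes apart, which is ordinary client behaviour and stays quiet. The same loop works on outbound rules, where a flagged source is your own infected box rather than someone else's.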
The internet is becoming more and more important to the average "joe." So now, "things internet" are becoming newsworthy.
I have discussed the recent worm attack with my non-tech associates and they actually had an opinion about Microsoft. That some agreed with me and others disagreed isn't as significant as the fact that they had an opinion.
This is a tremendous change. Think on it.
Some people strongly disagreed on Microsoft and how evil they are. Others nodded as if to say what I mentioned made a lot of sense. (I mentioned that "bugs" in software are part of Microsoft's business model -- people have to buy newer software to repair problems with their old software, especially after Microsoft stops supplying fixes for their older stuff... "Bugs == consumer incentive to upgrade.") This, of course, is now changing rapidly. "Bugs == consumer incentive to change."
I think with the high-profile nature of attacks which exploit weaknesses in Microsoft products is really starting to create public opinion that never truly existed before. (Prior to this, people looked on Microsoft the way we look at the air we breathe -- "is there anything else to breathe?")
I think this is a very good thing. It more than levels the playing field in the market for server and other products. I think leveraging Linux, Apache and various SQL servers in the server market is the only way to get Linux onto the Desktop at a later date. There is no way to get Linux onto the desktop until Linux is a household word. Once that is done, Desktop Linux will be chosen not for its performance, but for its reliability and solidity.
I think the days are short for people who prefer to have "unstable and colorful" displays... with the amazing power of today's PC, performance isn't an issue. Stability, reliability and security will be the main concern and even if Microsoft cleans up their act, their reputation will be enough to add doubt into consumers' hearts. The public is a moody beast and once bitten doesn't come back for any reason... usually. Just look at how long it took Nixon to return.
The death of Microsoft is at hand...
I don't normally chime in, but I thought that I would for this one. Let me start by saying that I don't like MS...I'm using a mac as we speak (with Safari)...and I'm a Senior UNIX admin at work....anyway...
Can we really blame MS for this? They released a patch in July...MS can't be held accountable for Windows Admins for not updating their software (I'm not saying it's the admins fault either...I know that admin spend 80 - 90% of their time putting out brushfires, and can't find time to do patches). Now, do I think that MS needs to find a better way to notify customers of new patches...b/c I know that I don't have time to sit around and browse and go through what I've installed and what I haven't (are you listening Sun?!?!)
So for example...If I don't stay up to date on all the Solaris/Linux patches does that mean that Solaris/Linux is a security prone OS? Heck, no!
The Microsoft security strategy is much like the idea of going to a crowded beach and leaving your wallet in your shoe. Just my two cents...
Good question, why did several of the root DNS servers go down? If I remember right, they run BIND.
My guess: Flooding from infected personal boxes caused a DoS on the SQL servers and routers resulting in some service used by Windows Update to be unavailable. It is also possible that the people maintaining those servers didn't do their job, but there are other possible explanations.
Personally, from having to manage Microsoft systems for the better part of 12 years, it was almost impossible to patch anything immediately, when a Security Fix was announced.
If you ever have managed Microsoft Products, it basically becomes a crap shoot with the following outcomes with regards to patching your systems:
1) Patch installs, breaks other services.
2) Patch installs, system becomes even more unstable.
(This is the worse because it looks like the system is working, but hits you in the middle of the day, usually during peak times.)
3) Complete failure to reboot after patch is installed, resulting in a very intensive recovery operation. (i.e. Reinstall OS, tape restore, or flash restore with floppy.) All data is usually lost since last backup.
In any case, it is completely laughable, and not applicable I believe if you completely blame Microsoft Admins on not applying these patches.
Especially with some of the messages posted here, such as "Oh, well you have to update your systems, stupid."
How simple and naive you are, and obviously anyone making such a statement has not an ounce of experience managing Microsoft server/desktop products.
I think the people who manage Microsoft Products know more than anyone here why it is preferable to update their systems.
I think it is a serious insult to Microsoft's customers that Microsoft would publish a statement something akin to "Well, they didn't update their systems...ITS NOT OUR FAULT".
Bullpucky, and with that in mind however, continue reading.
The sheer hell you have to go through to patch a monolithic monster of bloatware that is a Microsoft OS is purely not economically possible, if you can believe it, for some companies with large installations of Microsoft products.
Patching becomes a project something on the scale of an ERP implementation for some sites that are non trivial in size.
Furthermore, time after time, Microsoft provides NO WAY to reverse patches that they typically publish.. (also known as "HOT UPDATES/FIXES").
As most admins will tell you, HOT FIXES are risky, and can be impossible to reverse because Microsoft publishes these immediately, without thinking properly about the impact on the entire OS.
As I shall note later, this is why Microsft's OS is not practical to expose to the internet for any reason from a security perspective.
Therefore, many admins wait for the service packs to fix the problem, most of the time the service paks are more well thought out, and are for the most part reversible.
It is incredibly expensive, to mirror systems in a test lab, to test patches. EVEN THEN, the production systems are in no way representitive of the test systems. It is expensive, labor intensive to construct mirror systems and network services to make it viable to install hot fixes in a responsible way.
With that said, being a Linux convert, here is the problem and Microsoft isn't addressing it:
1) Microsoft's OS includes too many features out of the box, that Admins cannot control what they want installed.
It is REALLY stupid to put a graphical interface on the OS, especially when you are considering a highly secured server, and to make it a requirement to run it. There is absolutely no reason why the OS has to carry around the code for a GUI when it is sitting in the server room, under lock N key.
Microsoft apparently doesn't understand software engineering principles regarding the total possible paths in a program: its reliability can only be increased statistically by eliminating the other execution paths in the software. That means not installing the GUI.
On Linux I can do this, easily, with ANY piece of software, effectively reducing the function of the server to BARE BONES, making it much faster to identify and fix problems, and of course much easier to update.
Well, you can't do this with a Microsoft product, and that is the root of the problem. In Linux, I can slice and dice the OS down to its bones, if I need to.
Also, I would like to point out, Linux isn't as complex to administrate as Windows when you start whacking the X server, games, DNS (directory software) and everything else when all I have running is sendmail. The system becomes a very very simple UNIT to admin in my infrastructure, with a very very easy and predictable means to upgrade and far fewer security risks as a result.
NOTICE TOO sendmail has nothing to do with the operating system.
Microsoft ties everything into the OS making it IMPOSSIBLE to build a secure system because you have to install ALL of the system or NONE AT ALL.
Microsoft uses the OPERATING SYSTEM to aggregate services, which as I pointed to above, is a fundamentally flawed software architecture.
Linux on the other hand uses the FILE SYSTEM to aggregate services, and the file system doesn't require you to even execute the code on start up.
Therefore even if you do a complete install on Linux, the system complexity doesn't increase, only what you include in your RC startup increases system risk to security or bugs that can make your system unstable.
The worst thing that happens is you increase the size of your file system.
As a result the uptime factors and ease of maintenance for Linux based systems easily outpace Microsoft's OS in any large deployment of the OS.
As a result it is impossible, because of these facts, to follow a responsible security policy with medium to large Microsoft IT installations.
I also think Microsoft should stop slapping its customers up in the press as to the importance of updating their systems.
Most people already understand that, but they are being held hostage by the poor implementation of Microsoft software which, by its very design, prevents practical and speedy updates of large installations of Microsoft OS's.
-Hack
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
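The post above argues that what matters for risk is what is actually started, not what is on disk. A practical check of that claim is to audit which sockets a host is listening on from off-box and compare them against what the host is supposed to run. The script below is an added example, not code from the thread or from any Microsoft or Linux tooling; it parses text in the shape of `ss -ltnp` output (iproute2) and uses a constructed sample rather than a real capture.

```python
"""Attack-surface audit: which listening TCP sockets are reachable from
off-box, and which of those belong to processes not on an explicit allowlist.
Added example; input format assumed to match `ss -ltnp` (iproute2)."""
import re
import subprocess

# Constructed sample in the layout of `ss -ltnp` (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=811,fd=3))
LISTEN  0       100     127.0.0.1:25        0.0.0.0:*          users:(("sendmail",pid=902,fd=4))
LISTEN  0       128     0.0.0.0:1433        0.0.0.0:*          users:(("sqlservr",pid=1303,fd=9))
LISTEN  0       4096    [::]:6000           [::]:*             users:(("Xorg",pid=1410,fd=5))
"""

# Pulls the first process name out of the `users:(("name",pid=...))` column.
_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Parse `ss -ltnp` text into (local_address, port, process) tuples."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 literals such as "[::]" intact.
        addr, _, port = cols[3].rpartition(":")
        match = _PROC_RE.search(line)
        proc = match.group(1) if match else "?"
        listeners.append((addr, int(port), proc))
    return listeners


def is_loopback(addr):
    """True for sockets bound only to the local host (127/8 or ::1)."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def exposed_listeners(ss_output, allowlist):
    """Listeners bound to a non-loopback address whose process is not allowed.

    Everything returned here is code that is both started and reachable
    from the network, i.e. exactly the set the post says should be bare bones.
    """
    return [
        (addr, port, proc)
        for addr, port, proc in parse_listeners(ss_output)
        if not is_loopback(addr) and proc not in allowlist
    ]


def live_ss_output():
    """Run the real `ss -ltnp`; fall back to the constructed sample elsewhere."""
    return subprocess.run(["ss", "-ltnp"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Assumed policy for this host: only sshd may listen off-box.
    allowed = {"sshd"}
    try:
        output = live_ss_output()
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_SS_OUTPUT  # no ss available: use the constructed sample
    for addr, port, proc in exposed_listeners(output, allowed):
        print(f"exposed: {proc} on {addr}:{port}")
```

Run against the constructed sample, the loopback-only sendmail socket is ignored and the two off-box listeners not on the allowlist (the database server and the X server) are reported; on a real host the same list is the one to reconcile with the init/RC configuration the post talks about.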
every two years m$ totally changes their server products. what you knew with nt4 is obsolete with win2k, is useless with .NET/whatever server. you learn to admin unix, your skills improve over time, 'cause you're doing the same things you were 5 years ago. with m$ servers, you have to learn all over again, and you are at m$'s mercy to provide patches, etc. so no, don't compare unix to m$. unix had its growing pains sure, but it is a mature product. and linux is becoming one really fast. every freakin new m$ product is a NEW product. and it experiences the same crap over and over. why does m$ do it? somebody who knows, please do tell.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
Actually you are both right. Although Service Packs often roll up hot-fixes, they also can include many more bug fixes that weren't deemed important enough to require releasing as a hot-fix. Thus they are much more likely to include a deliberate incompatible change that breaks an application (i.e. DirectX N+1, or the above-mentioned DBCC behaviour).
However, although hot-fixes are usually small changes targeted to fix a particular problem, they do not undergo the full regression testing that a service pack does. Most MS hot-fixes come with a CYA warning that you shouldn't apply it unless you believe you are in a situation exhibiting the problem and requiring the hot-fix. Since code modularization at Microsoft seems to be dictated at least as much by the marketing and legal departments as by good software engineering practice, a hot-fix has a not-insignificant chance of having an unexpected side effect (witness the problem with the October hot-fix).
So whether it's a hot-fix or a Service Pack, you wind up having to regression test your 3rd-party applications before deployment, and if you think most IT departments can afford to do that with every "hot-fix of the week" you're out to lunch. Most admins would probably have deployed SP3 after performing their own regression tests in another few weeks.
That said, what kind of idiots connect 120,000 unprotected database servers out on the net? I doubt all were in the position of the poor slob a few levels above in this thread who had deployment mandated by upper management.
Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
Sitting at Starbucks wireless, completely insecure connection on my Mac running OS X. Am I worried? No. Is it because there are few viruses written for OS X? No. Is it because there are plenty of viruses/exploits written for UNIX based OSes.... OS X being one of them, a valid reason to be worried, but still I am not.
I'm not worried because I have a firewall that works out of the box to protect me from said viruses and exploits and is easy to turn on and configure.
XP also has a firewall available, but it is hidden in an obscure location and has NO configuration. I tried to turn the firewall on, and every time I did this it would say that yes it was on, but then I would go back to verify this and NO it was not. Ten times I tried this... to no avail. What use is a firewall if it won't even stay on? Furthermore it has one option, ON or OFF; what does that mean? What is it doing? Can I open a port or lock down something it doesn't turn off... ??????
Yes there are shareware and even free firewalls available for XP but that means I have to find them and configure them and pray that they will play nice.
Macs are and always have been more secure than Windows machines.
Why do virus writers and hackers pick Windows? I'd say that it's because it is the easiest OS to exploit. The fact that it is the most prevalent is irrelevant.
A fool throws a stone into a well and a thousand sages can not remove it.
I'm not sure what that 80% refers to, or even if it's accurate. Even if it is, many Linux 'fixes' would never even be considered for patching by MS. Linux fixes range from the benign and theoretical to the very serious. Linux patches are generally released almost immediately after a bug is found that might (in theory) be exploited, or used as part of an exploit. (e.g. someone finds the possibility of a buffer or stack overflow).
Windows patches, on the other hand, often aren't released until somebody proves that a bug is exploitable/exploited. Even when a proof of concept (or even wild) exploit is made available, security experts sometimes have to argue with MS about whether the exploit is serious enough to be worth fixing. I remember one recent case where MS downgraded a pair of bugs as minor and refused to release a fix. When frustrated security experts were able to combine those bugs to enable arbitrary command execution (their sample code: format a hard drive), they were criticized for not giving MS advance warning(!).
Nonetheless, when MS finally released the fix for these same bugs, they classified them as moderate. Some people think that, having just released one critical patch, they didn't want to face the embarrassment of two severe bug fixes in one week.
Because Windows patches are rarely released until the problem is both proven and serious, MS security patches are far more critical to install. Unfortunately, MS security patches are also problem plagued. System admins have no way of knowing exactly what a patch will do. Some patches undo each other; some patches break other (sometimes seemingly unrelated) systems. Because of the nature of closed source, system admins who have problems with a patch can find themselves stuck between a rock and a hard place. They can either install the patch and break their installation, or leave the system unpatched. In either case, they must beg for a compatible fix. The OS solution of engineering their own patch is generally not feasible -- possibly even illegal.
Both the cost and public embarrassment of repeated fixes to a given problem discourage MS from releasing patches against bug fixes. Lack of the ability of a customer to provide -- much less prove -- their own version of a fix exacerbates the problem.
In this environment of fear, uncertainty and doubt, an MS system administrator must decide if, when and how to install their patch. Sometimes they get it wrong.
Linux admins face a similar problem, but with a good deal more information and control. Systems are generally more compartmented, so interactions between parts are better understood. If installation of a patch causes problems, users have the ability to examine the source code of the changes, get an exact understanding of what they're doing and determine whether their best course of action is to patch the patch or fix the problem elsewhere. If the solution turns out to be a further patch, they have the ability to release their own fix in hopes of having it folded back into the 'official' distribution. This is an option which most MS users will probably never have.
OS Software is like love: The best way to make it grow is to give it away.
OK: Let me get this straight:
- MS publishes their hotfixes with a warning that they may break things and you should only install them if you're having problems;
- Sysadmins are at fault for not ignoring MS's warning and blindly installing all hot-fixes immediately;
- If you'd blindly installed all MS hotfixes, you might break earlier hotfixes;
- Service Packs are mostly just rolled-together hotfixes, but they are known to wilfully break things;
- Despite MS warnings to the contrary, Service Packs need regression testing but hot fixes don't.
"A hotfix (...) has never (to my knowledge at least) changed anything."
- The hot fix that would have blocked code red was undone by a later hot fix.
- The hotfix that would have blocked slammer was at risk of being, itself, slammed by a later hotfix installed in the 'normal' way.
- MS's own servers were broken by the slammer virus.
Just how much knowledge do you have, anyways?
OS Software is like love: The best way to make it grow is to give it away.
...that the basic security model in place for software today for mitigating the risk of an attacker modifying service code (0wning y0ur b0xen) is to automate the process of modifying your service code via patching.
DDL