Slashdot Mirror
Microsoft Blasted For Lax Security
fducky writes "Once again Microsoft is blasted for lax security. This CNN article cites experts denouncing the recent Microsoft security efforts as rating an 'F'. The recent MS-SQL worm got this most recent round of MS bashing going. Google News has more stories on the subject."
I thought the MS-SQL worm worked in a very secure fashion. The servers offered a service, client worms connected and used it just as the software was designed. What's the problem? All it generated was traffic. From the network's POV, is it really any better if that traffic is /. commentary or pr0n? Or CNN stories?
Also, during the height of worm activity the XP activation servers failed in a secure manner - that it, rather than allowing people to use unlicenced copies of XP willy-nilly, they erred on the side of caution. Note that from Microsoft's POV this is a secure failure mode, and is BY DESIGN.
They're doing exactly what they set out to do, just as they always have. A CNN story won't affect that.
I hate to break it to you but Microsoft is popular, and hence they will be all the more targets of these worms. Every tiny fault will be implemented, and all operating systems have these.
When another OS is popular, you'll see it happen to it too. I believe nobody is immune, only the popularity decides what is a vector for transmission
Not necessarily bad coding or seciryty. Many other operating systems could be almost said to be 'hiding' in their obscurity
Security by obscurity is no defence.
Look at a recent article on Macintosh virus attacks. They used to be none-existent. Now with OSX they are up to half as common as Microsoft.
And apple still only has a minor market share. That bares thinking about
So they forgot to update. The error here, believe it or not, isn't all upon Microsoft. First off, they didn't patch. Microsoft had the patch available since June. It's not like you never have to patch open-souce either... Second, Microsoft explicitly warns users of SQL databases to not put them openly on the internet, for obvious reasons. And yet, they did it anyway. You can blame Microsoft for this if you want, but it isn't car companies' fault that people get killed because they can't drive. Open source has its merits, as does Microsoft.
webpage
Okay, I'll be the first to bash Microsoft and say that their security sucks. I'll be the first to say that their initative to improve security is marketing smoke and mirrors. But let's give them a real chance to prove this to us. The vunerability that caused the Slammer worm is one that they actually found and fixed a long time ago. This is admins not doing a good job of keeping up to date and fixing problem.
Furthermore, the product that was compromised is legacy from before their big embracing of security. Let's see what happens with its next major release. If that still had big gaping problems, then we can hang them from the tallest tree.
This sig has been temporarily disconnected or is no longer in service
Now while I'm no fan of MS, do we really need to have stories everytime someone accueses Microsoft of having poor security? Might as well dedicate an entire section of Slashdot to their exploits. At least then I could turn it off in my preferences.
And while there are plenty of problems for Microsoft to fix in their code - IE has plenty of unresolved issues - this issue was in large part due to System's Administrators. Let's let is slide that they were "just waiting for the next service pack to come along" so they could update and patch everything. I don't buy that as a good policy for maintaining system - if a patch is out and can be applied, use it. And why leave SQL systems on the internet without some sort of firewall or some sort of protection. If it has to be on the Net, why does it not have every possible security patch applied to it?
I'm sure there are some valid reasons for having your system protected from this bug but in large part Admins dropped the ball.
But thats my $.02
Oh no you don't! Don't think you can fool us with that all too common last name. We know it's you, RMS!
But in a different way. You have Microsoft This, and Microsoft That, all tighly integrated, all sold as there is the only altenative, and all sharing the same funny idea about how safe is doing things in an unsafe way.
With Linux you have... see... the Linux kernel, and... well that stops there. Also you have a lot of alternative apps mostly multiplataform, with a few Linux that are linux only. If MySQL have a security problem, should not be counted as "linux fault", same with ssh, apache, sendmail, bind, etc.
But, if you want to count, don't know, mplayer security problems as it is not available under windows, well, you must also count all security problems of windows programs as windows security problems.
Possibly, but considering how Apache soundly outnumbers IIS installs for webserving, where are all the Apache worms? Oh sure there have been some problems with Apache, but compared to "which worm is it this week" IIS, Apache is a solid as a rock. Where does that arguement about installed base stand now? That default answer MS users give about installed base is bunk. Open Source compared to MS software is flat out more secure. I doubt you will ever see the day when Linux email clients like Pine or Evolution start causing billions in damage each year like Outlook does.
If you wanna get rich, you know that payback is a bitch
Well, I'm running windows servers and linux (suse) servers. And I certainly see a difference between the feasiblity of being up to date security wise with each system.
First, with a typical windows system, it's IMO damn hard to know what components you are running and how it all works together - i.e. what breaks if you lock something down at installation time.
Later on, it's also sometimes very hard (IMO) to know if I have to patch or not. For instance, is it really a good to not update internet explorer since this is a server anyway? Maybe somewhere down in IIS something might use one of IE's components (pulled-out-of-my-ass example btw.).
Add to that that some patches seem to need an updated IE, for to me unknown reasons...
Sometimes something might break (as reportet on ntbugtraq), and it's not really transparent for me if this can be reverted.
Compare that to (SuSE) linux. Download rpm, install, done (in many cases, when not, it's always explained in the advisories what to do).
If something breaks, uninstall the rpm and reapply the old on. Nearly no downtime, I just have then to find out what didn't work.
Just from the feeling, I'm a lot more scared when I have to install a ms security fix than when I do the same on linux. And the fact that microsoft was caught with their pants down this time seems to suggest I'm in "respectable" society.
How can you keep up with so many updates most of wich require a reboot.
Karma: The shiznight, mostly because I am the Drizzle.
But:
1) It was difficult to install
2) They released a later patch which re-enabled the exploit
3) Their own admins didn't install the patch and Microsoft itself fell victim the exploit.
Which leads me to believe that while they can release patches for security - there is not enough ease an consistency to keep your systems "reliable". Many times a patch breaks functionality.
The bit that gets missed here is that security is not a product, its a process (something Bruce only seems to remember when writing his books). If we really want to go pointing fingers than how about the folk who designed buffer overflow bugs into the C programming language? Before C every programming language had array bounds checking built in. So who were the turkeys who decided that we should run without elimentary safety checking? Oh yes the same folk who gave us what people would now have us believe is the so-secure UNIX O/S.
It took over ten years for the elimentary security boo-boos to get sorted in UNIX. For years the UNIX crew told us that shadow passwords were dangerous security through obscurity, only the world readable password file and the salt gave genuine security. Then along came crack. It still took four years for shadow passwords to become mainstream.
Even today sendmail is installed by default in most UNIX installations, even though it is historically a security nightmare. Some of the bugs have been fixed but as a sendmail inc. employee admitted to me last week, it is still too dammn complicated for most people to understand how to configure it.
I don't think that this point scoring does any good. UNIX and Windows both have major security problems. Windows has security problems in implementation, UNIX has them built into the architecture. There are still UNIX boxes shipping with rhosts, even though it has been demoinstrated time and again that rhosts is completely insecure. Instaling ssh does nothing to improve the security of the box unless you actually uninstall the rhost commands and the daemon.
Folk who go on about how braindamaged Microsoft is should ask themselves how UNIX programmers managed to botch a command as simple as finger!
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
I see a lot of people stepping up and complaining that it's not Microsoft's fault as much as it is the sloppy admins. Yes - Microsoft systems that were hit by this worm were poorly managed. However, the problem is that shitty admins are exactly who Microsoft designed this "server" operating system to be managed by.
Who certifies system administrators that can barely format a floppy? Microsoft. Who crafted a Fisher-Price operating system with inadequate "wizards" to help unqualified administrators bungle their way through setting up a server? Microsoft. And who pitches their operating system as having a lower cost TCO because you don't need skilled labor to run them? Microsoft.
So when you want to complain that it's the admins that make these systems insecure, remember these are the admins that Microsoft picked.
Now if that plant had any vulnerabilities to disease, you are hosed. All of the fields of this same plant are going to die in exactly the same manner at exactly the same time.
Meditate on this, Grasshopper.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
I don't think that this point scoring does any good. UNIX and Windows both have major security problems.
I remember a security seminar I attented where the lecturer took a neutral stance toward whether Unix or Windows was more secure. His philosophy was "go with what you know". If you live and breathe Windows, you probably keep up to date with the latest Microsoft news, releases and patches just as well as a Sun/Unix geek might stay up to date with Solaris patches and updates. Knowing network security (gosh, let's protect the potentially vulnerable ports on our server from being publically reachable) is essential to both.
So many new administrators are getting Windows or Linux or other products and implementing them without the experience of security lessons learned from the past. It takes a mass event like this one to re-educate the newbies.
As a reminder for everyone designing, "one degree of separation" architecture, remember that Suki is one of your potential customers.
According to the CNN article: In October Microsoft released a fix for a different SQL Server problem that if installed in the expected manner would have made patched systems vulnerable again, he said. "If I followed their advice I'd have been vulnerable."
As a server admin, how do you know which patches will cause more harm than good? Is a good server admin one who installs every patch that's released right away and breaks things, or one who doesn't and gets broken into? When we installed SQL Server's SP3 at work, we found that the statement "DBCC SHRINKDB('insertDatabaseNameHere')" was depricated and disabled in favor of using "DBCC SHRINKDATABASE('insertDatabaseNameHere')". This wasn't a new release... this was a service pack! I don't think you can solely blame admins for not patching. Some blame HAS to fall on the coders who left the hole open in the first place.
Okay, anyone who has read my posts knows that I'm not a Microsoft supporter. I find it hard not to see the humor in Microsoft's own servers getting hit when the vulnerability was not new and patchable especially after they proclaimed that they were now striving to be secure.
.NET platform. They are hopeful that this will become the development platform of choice across multiple OSes. Parts of the Linux community are scrabbling to enable Linux to benefit from this emerging technology thought the Mono project.
.NET platform. If Microsoft introduces a .NET version of their flagship Office package it is likely to incorporate some form of VBA. Running a VBA enable application on Linux will not help the security of the Linux platform.
However, after laughing myself sick, the seriousness of the situation darkened my mood. Although I believe that Linux is currently a more secure platform, it is not a platform without flaws. Linux could be the next security nightmare if we don't occasionally do a reality check.
Part of Microsoft's strength and ironically part of the reason that Microsoft products tend to be vulnerable to attack is the fact that Microsoft strives to give the customer everything including the kitchen sink.
To do this, products are made with far too much power. VBA is an example of this. Combining data with code is not a good idea. It makes it very convenient for the customer and unfortunately the black hats as well.
Right now Microsoft is pushing their
If successful it may become possible to run many applications that will be developed on the Windows OS that are targeted for the
The race isn't always to the swift... but that's the way to bet!
What are supposedly serious companies doing without firewalls blocking 1433 and 1434? I run a little home network, of which one machine has SQLServer 2000, but my firewall has been blocking all 1433 and 1434 as "suspicious UDP" data. This is a little less than $150 hardware box. What? Bank of America can't afford a firewall?
The internet is becoming more and more important to the average "joe." So now, "things internet" are becoming newsworthy.
I have discussed the recent worm attack with my non-tech associates and they actually had an opinion about Microsoft. That some agreed with me and others disagreed isn't as significant as the fact that they had an opinion.
This is a tremendous change. Think on it.
Some people strongly disagreed on Microsoft and how evil they are. Others nodded as if to say what I mentioned made a lot of sense. (I mentioned that "bugs" in software are part of Microsoft's business model -- people have to buy newer software to repair problems with their old software, especially after Microsoft stops supplying fixes for their older stuff... "Bugs == consumer incentive to upgrade.") This, of course, is now changing rapidly. "Bugs == consumer incentive to change."
I think with the high-profile nature of attacks which exploit weaknesses in Microsoft products is really starting to create public opinion that never truly existed before. (Prior to this, people looked on Microsoft the way we look at the air we breathe -- "is there anything else to breathe?")
I think this is a very good thing. It more than levels the playing field in the market for server and other products. I think leveraging Linux, Apache and various SQL servers in the server market is the only way to get Linux onto the Desktop at a later date. There is no way to get Linux onto the desktop until Linux is a household word. Once that is done, Desktop Linux will be chosen not for its performance, but for it's reliability and solidity.
I think the days are short for people who prefer to have "unstable and colorful" displays... with the amazing power of today's PC, performance isn't an issue. Stability, reliability and security will be the main concern and even if Microsoft cleans up their act, their reputation will be enough to add doubt into consumers' hearts. The public is a moody beast and once bitten doesn't come back for any reason... usually. Just look at how long it took Nixon to return.
The death of Microsoft is at hand...