Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Blasted For Lax Security

Posted by timothy on from the they're-also-the-biggest-target-though dept.

fducky writes "Once again Microsoft is blasted for lax security. This CNN article cites experts denouncing the recent Microsoft security efforts as rating an 'F'. The recent MS-SQL worm got this most recent round of MS bashing going. Google News has more stories on the subject."

13 of 395 comments (clear)

  1. Secure in failure by Anonymous Coward · · Score: 5, Funny

    I thought the MS-SQL worm worked in a very secure fashion. The servers offered a service, client worms connected and used it just as the software was designed. What's the problem? All it generated was traffic. From the network's POV, is it really any better if that traffic is /. commentary or pr0n? Or CNN stories?
    Also, during the height of worm activity the XP activation servers failed in a secure manner - that it, rather than allowing people to use unlicenced copies of XP willy-nilly, they erred on the side of caution. Note that from Microsoft's POV this is a secure failure mode, and is BY DESIGN.
    They're doing exactly what they set out to do, just as they always have. A CNN story won't affect that.

  2. It's not just microsoft by amigaluvr · · Score: 5, Insightful

    I hate to break it to you but Microsoft is popular, and hence they will be all the more targets of these worms. Every tiny fault will be implemented, and all operating systems have these.

    When another OS is popular, you'll see it happen to it too. I believe nobody is immune, only the popularity decides what is a vector for transmission

    Not necessarily bad coding or seciryty. Many other operating systems could be almost said to be 'hiding' in their obscurity

    Security by obscurity is no defence.

    Look at a recent article on Macintosh virus attacks. They used to be none-existent. Now with OSX they are up to half as common as Microsoft.

    And apple still only has a minor market share. That bares thinking about

    1. Re:It's not just microsoft by JanneM · · Score: 5, Insightful

      This is certainly a relevant point.

      Look at webservers, however. Apache is twice as popular as IIS, and yet there are several times more security issues with IIS than with Apache. That can not be explained by relative obscurity.

      --
      Trust the Computer. The Computer is your friend.
    2. Re:It's not just microsoft by Daniel+Dvorkin · · Score: 5, Insightful

      The "popularity defense" has some validity when you're talking about "general-purpose" viruses, particularly those that spread by e-mail, because Windows/Outlook really is far and away the most common OS and e-mail setup. But when you're talking about this kind of thing, it's bullshit. MS SQL Server is not the most popular DBMS, and MS IIS is not the most popular Web server -- and yet both are hit far, far more often than the market leaders (Apache in the second case, not sure about the first -- I think Oracle and DB2 trade off for the top spot.) And really, the number of regular Windows/Outlook viruses is out of proportion even to their popularity: their market share is about 95%, but their share of the virus market is more like 99.99%. (And if you have statistics to the contrary, you'll have to better than "Look at a recent article ...", sorry. That's about as credible as spam that starts out, "This program was featured on a major news show!")

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
  3. Re:People are waking up... by rasafras · · Score: 5, Insightful

    So they forgot to update. The error here, believe it or not, isn't all upon Microsoft. First off, they didn't patch. Microsoft had the patch available since June. It's not like you never have to patch open-souce either... Second, Microsoft explicitly warns users of SQL databases to not put them openly on the internet, for obvious reasons. And yet, they did it anyway. You can blame Microsoft for this if you want, but it isn't car companies' fault that people get killed because they can't drive. Open source has its merits, as does Microsoft.

    --
    webpage
  4. What about the SysAdmins? by petabyte · · Score: 5, Insightful

    Now while I'm no fan of MS, do we really need to have stories everytime someone accueses Microsoft of having poor security? Might as well dedicate an entire section of Slashdot to their exploits. At least then I could turn it off in my preferences.

    And while there are plenty of problems for Microsoft to fix in their code - IE has plenty of unresolved issues - this issue was in large part due to System's Administrators. Let's let is slide that they were "just waiting for the next service pack to come along" so they could update and patch everything. I don't buy that as a good policy for maintaining system - if a patch is out and can be applied, use it. And why leave SQL systems on the internet without some sort of firewall or some sort of protection. If it has to be on the Net, why does it not have every possible security patch applied to it?

    I'm sure there are some valid reasons for having your system protected from this bug but in large part Admins dropped the ball.

    But thats my $.02

    1. Re:What about the SysAdmins? by trentfoley · · Score: 5, Insightful
      While I agree that there is rarely a reason to place a database server on the public internet, I take issue with your statement that it was in large part due to System's Administrators.

      Patches from Microsoft are not like patches from the OSS community. You don't get to see the code changes and don't know what the Microsoft patch will do and there is no way to know without trying it in a test environment. Ask around and see how many admins have been burned by applying a service pack or hot fix on a production machine even after testing it out in a lab! Microsoft patches are notoriously flawed and impact areas of operation that seemingly have no correlation to the bug being fixed.

      So, this particular bug was published six months ago. Is six months long enough to fully test an amorphous piece of software? Maybe if we had the source code, we would know what to test. However, without the source, we have to test everything. Because, you never know what other piece of code Microsoft is going to throw in.

  5. Richard M. Smith by foolip · · Score: 5, Funny
    Richard M. Smith, a Cambridge, Massachusetts-based computer security consultant

    Oh no you don't! Don't think you can fool us with that all too common last name. We know it's you, RMS!

  6. Re:People are waking up... by Zeinfeld · · Score: 5, Informative
    I found the quotes predictable and illogical. First the vulnerability was clearly there before the trustworthy computing initiative, a patch was released in June that almost certainly was as a result of the vulnerability being discovered as part of that initiative. So there is no way the idiot from TruSecure can fairly use the slapper worm to grade trustworthy computing.

    The bit that gets missed here is that security is not a product, its a process (something Bruce only seems to remember when writing his books). If we really want to go pointing fingers than how about the folk who designed buffer overflow bugs into the C programming language? Before C every programming language had array bounds checking built in. So who were the turkeys who decided that we should run without elimentary safety checking? Oh yes the same folk who gave us what people would now have us believe is the so-secure UNIX O/S.

    It took over ten years for the elimentary security boo-boos to get sorted in UNIX. For years the UNIX crew told us that shadow passwords were dangerous security through obscurity, only the world readable password file and the salt gave genuine security. Then along came crack. It still took four years for shadow passwords to become mainstream.

    Even today sendmail is installed by default in most UNIX installations, even though it is historically a security nightmare. Some of the bugs have been fixed but as a sendmail inc. employee admitted to me last week, it is still too dammn complicated for most people to understand how to configure it.

    I don't think that this point scoring does any good. UNIX and Windows both have major security problems. Windows has security problems in implementation, UNIX has them built into the architecture. There are still UNIX boxes shipping with rhosts, even though it has been demoinstrated time and again that rhosts is completely insecure. Instaling ssh does nothing to improve the security of the box unless you actually uninstall the rhost commands and the daemon.

    Folk who go on about how braindamaged Microsoft is should ask themselves how UNIX programmers managed to botch a command as simple as finger!

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  7. Re:'F' even with a patch... - But WHICH patch? by the-matt-mobile · · Score: 5, Informative

    According to the CNN article: In October Microsoft released a fix for a different SQL Server problem that if installed in the expected manner would have made patched systems vulnerable again, he said. "If I followed their advice I'd have been vulnerable."

    As a server admin, how do you know which patches will cause more harm than good? Is a good server admin one who installs every patch that's released right away and breaks things, or one who doesn't and gets broken into? When we installed SQL Server's SP3 at work, we found that the statement "DBCC SHRINKDB('insertDatabaseNameHere')" was depricated and disabled in favor of using "DBCC SHRINKDATABASE('insertDatabaseNameHere')". This wasn't a new release... this was a service pack! I don't think you can solely blame admins for not patching. Some blame HAS to fall on the coders who left the hole open in the first place.

  8. Re:Let's give MS a chance... by EvilTwinSkippy · · Score: 5, Insightful
    So at what point is ragging on them about security going to be appropriate to you then? Last I checked they have an uninterrupted loosing streak going all they way back to winsock for WFW 3.11.

    PS, that was 10 year ago.

    You don't wake up one morning and decide to be security minded. That's like waking up one morning and deciding to be a ninja. Martial arts are a way of life, and the mindset required comes only after years of study and commitment.

    Microsoft's problems are a result of years of neglect and malpractice. You don't get to be that bad overnight. It takes work. Knitting a web browser into an operating system took effort. Knitting an LDAP directory into your domain security model, tied into your DNS and DHCP servers took effort. Creating a sytem by which you can embed executable commands into an office document took work. Making sure that your office document could execute command in your email client took work. Intermingling your email client with the server so that they are passing executable code back and forth took work.

    Meditate on this, Grasshopper.

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  9. Firewalls anybody? by jay_sdk · · Score: 5, Insightful

    What are supposedly serious companies doing without firewalls blocking 1433 and 1434? I run a little home network, of which one machine has SQLServer 2000, but my firewall has been blocking all 1433 and 1434 as "suspicious UDP" data. This is a little less than $150 hardware box. What? Bank of America can't afford a firewall?

  10. How the public responds by erroneus · · Score: 5, Interesting

    The internet is becoming more and more important to the average "joe." So now, "things internet" are becoming newsworthy.

    I have discussed the recent worm attack with my non-tech associates and they actually had an opinion about Microsoft. That some agreed with me and others disagreed isn't as significant as the fact that they had an opinion.

    This is a tremendous change. Think on it.

    Some people strongly disagreed on Microsoft and how evil they are. Others nodded as if to say what I mentioned made a lot of sense. (I mentioned that "bugs" in software are part of Microsoft's business model -- people have to buy newer software to repair problems with their old software, especially after Microsoft stops supplying fixes for their older stuff... "Bugs == consumer incentive to upgrade.") This, of course, is now changing rapidly. "Bugs == consumer incentive to change."

    I think with the high-profile nature of attacks which exploit weaknesses in Microsoft products is really starting to create public opinion that never truly existed before. (Prior to this, people looked on Microsoft the way we look at the air we breathe -- "is there anything else to breathe?")

    I think this is a very good thing. It more than levels the playing field in the market for server and other products. I think leveraging Linux, Apache and various SQL servers in the server market is the only way to get Linux onto the Desktop at a later date. There is no way to get Linux onto the desktop until Linux is a household word. Once that is done, Desktop Linux will be chosen not for its performance, but for it's reliability and solidity.

    I think the days are short for people who prefer to have "unstable and colorful" displays... with the amazing power of today's PC, performance isn't an issue. Stability, reliability and security will be the main concern and even if Microsoft cleans up their act, their reputation will be enough to add doubt into consumers' hearts. The public is a moody beast and once bitten doesn't come back for any reason... usually. Just look at how long it took Nixon to return.

    The death of Microsoft is at hand...