Slashdot Mirror


Looking Back At Windows Security In 2003

thebatlab writes "Help Net Security has an interesting look at security in Windows during 2003, with various blurbs from related parties at Microsoft as well as security 'bigwigs' such as Russ Cooper. It's interesting to read the comments from external parties, as they tend to be very reasoned comments and don't simply attack away over recent 'indiscretions' and 'security lapses' Microsoft has had over the year."

18 of 327 comments

  1. Does anyone know... by biendamon · · Score: 5, Interesting

    ...where to get a definitive list of security holes in Windows (not Office or other add-ons) for the month of December?

  2. Re:Looking Back At Windows Security In 2003 by Anonymous Coward · · Score: 1, Interesting

    I think a balanced analysis would agree that they are certainly getting better: both in terms of acknowledging critical issues and issuing patches in a more timely manner.

    They have a long way to go, but who doesn't have security problems these days? Only OpenBSD, which ships with virtually everything switched off so that it can claim "no hole in over 7 years in the default install" ... ahem.

    AC

  3. Myth: Linux is more secure than Windows NT. by Anonymous Coward · · Score: 1, Interesting
    Reality: The Linux security model is weak

    All systems are vulnerable to security issues; however it's important to note that Linux uses the same security model as the original UNIX implementations--a model that was not designed from the ground up to be secure.

    • Linux only provides access controls for files and directories. In contrast, every object in Windows NT, from files to operating system data structures, has an access control list and its use can be regulated as appropriate. Linux security is all-or-nothing. Administrators cannot delegate administrative privileges: a user who needs any administrative capability must be made a full administrator, which compromises best security practices. In contrast, Windows NT allows an administrator to delegate privileges at an exceptionally fine-grained level.
    • Linux has not supported key security accreditation standards. Every member of the Windows NT family since Windows NT 3.5 has been evaluated at either a C2 level under the U.S. Government's evaluation process or at a C2-equivalent level under the British Government's ITSEC process. In contrast, no Linux products are listed on the U.S. Government's evaluated product list.
    • Linux system administrators must spend huge amounts of time understanding the latest Linux bugs and determining what to do about them. This is made complex due to the fact that there isn't a central location for security issues to be reported and fixed. In contrast, Microsoft provides a single security repository for notification and fixes of security related issues.
    • Configuring Linux security requires an administrator to be an expert in the intricacies of the operating system and how components interact. Misconfigure any part of the operating system and the system could be vulnerable to attack. Windows NT security is easy to set up and administer with tools such as the Security Configuration Editor.
    1. Re:Myth: Linux is more secure than Windows NT. by openmtl · · Score: 3, Interesting
      Re: ACLs - OK, yup, ACLs are fine BUT wow, can you really turn these into a nightmare with a few clicks. Worse still, just pick up a system from the last person and try to see what fancy ACLs they tried to implement.

      ACLs are a powerful feature BUT really need to have very strict documentation defining what's been done in an organisation.

      The Orange Book evaluated standalone systems only. I like my Internet! This C2 stuff is generally discussed as a marketing aid and ignores the fine details of the underlying criteria. What is certified is not "Windows NT" but a very precise combination of hardware and software.

      The exclusion of Linux is because the whole program for evaluation requires a Vendor. There is no vendor for Linux. If anyone wants to get a TTAP Evaluation facility to do such an evaluation then why not the DoD themselves. SELinux would be a good start, plus the 2.6.x kernel capabilities and the ACLs that are now part of Linux.

      Windows admins must also evaluate each report that comes out. With Linux (the kernel) there is just a single Linux repository - with a distribution there is also a single repository (of that distro). Same as Windows.

      Configuring Windows security is also no mean feat either, especially not in an AD environment. Let's face it, both Linux and Windows can be made to be complex. The advantage that Linux has NOW is that Novell have bought SuSE. Novell has the best trust model of all. I imagine (well I hope) that some of the ease-of-use of Novell will be integrated into SuSE and then by default fall into Linux userspace routines. Fact is not much at a kernel level needs to now be changed on Linux. With 2.6 it's fairly well ready to rock.


    2. Re:Myth: Linux is more secure than Windows NT. by shaitand · · Score: 4, Interesting

      "requires an administrator to be an expert in the intricacies of the operating system and how components interact"

      Yes, someone who is NOT an expert is hardly qualified to be an administrator now are they?

      "Linux only provides access controls for files and directories. In contrast, every object in Windows NT, from files to operating system data structures, has an access control list and its use can be regulated as appropriate. Linux security is all-or-nothing. Administrators cannot delegate administrative privileges: a user who needs any administrative capability must be made a full administrator, which compromises best security practices. In contrast, Windows NT allows an administrator to delegate privileges at an exceptionally fine-grained level."

      Are you on crack? EVERYTHING is a file or directory on a Linux system. There ISN'T a registry to hack. The most powerful and popular solutions for all tasks on Linux also have built-in ACLs for fine-tuning access. Not to mention iptables, which is a one-stop kernel-level firewalling and routing solution with flexibility Windows never dreamed of, even with 3rd party tools.

      There is only ONE full administrator on a Linux system, root. Any other service and its configuration files will be owned by a group; members of said group can administrate it. Since EVERYTHING, including hardware devices, is a file on Linux you can fine-grain control access to every piece of software and/or hardware you like on the system. By setting permissions on the correct file you can even deny a user the ability to move an icon on their Linux desktop.

      "Linux has not supported key security accreditation standards. Every member of the Windows NT family since Windows NT 3.5 has been evaluated at either a C2 level under the U.S. Government's evaluation process or at a C2-equivalent level under the British Government's ITSEC process. In contrast, no Linux products are listed on the U.S. Government's evaluated product list."

      Government accreditations are meaningless; Microsoft had to hack minimal POSIX compliance into Windows before they could bribe their way in. The only reason it was allowed at all was that Windows was already being used widely (at least in the US; don't follow the Brits) and it's VERY expensive to go through the process.

      "Linux system administrators must spend huge amounts of time understanding the latest Linux bugs and determining what to do about them. This is made complex due to the fact that there isn't a central location for security issues to be reported and fixed. In contrast, Microsoft provides a single security repository for notification and fixes of security related issues."

      And yet somehow with a single command line I have all the fixes for the bugs that were discovered this morning. And Windows Update only has the bugs that were discovered 3 months ago, with a couple of exceptions.

  4. Should I patch? by SharpFang · · Score: 4, Interesting

    I dual-boot Linux with W98SE. Recently, after quite a while of using it and getting the W98 more and more "dirty" I decided to install the update. System got so unstable that I couldn't open Explorer without crashing. "Time for reinstall", I thought. Format, install, config, everything runs smoothly. Windows Update, system starts crashing really bad. Maybe I did something wrong? Format, reinstall, update. Crash. So now I run "vanilla" W98SE, without ANY updates, just pure CD install. The only protection is my firewall on a Linux box. Sucks, but what should I do? This way it can keep running for several hours, and with screensavers and power management disabled, for several days in a row. With patches, crashes notoriously. Keep it secure? How? By unplugging the net or the power supply??

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  5. Re:Slashdottism by RoLi · · Score: 2, Interesting
    The same happened to a friend of mine, too.

    Isn't it funny that nevertheless Microsoft marketing has brainwashed the masses to the point that they actually believe that WinXP has become more secure than Win9x? (Fact: There never was a worm comparable to W32.Blaster on Windows9x)

  6. Re:Its crap but just as crap as anyone else by 93+Escort+Wagon · · Score: 5, Interesting

    "Microsoft have had their share of vulnerabilities over the last year but not significantly more than linux has..."

    Hello? What alternate universe are you living in? We spent a good chunk of our summer and fall chasing MS-BLAST infected computers. We had to detach computers from the network before upgrading them to XP, because if we didn't they'd get hit before we could patch them.

    Perhaps you are playing semantic games - perhaps in absolute numbers there haven't been "that many" Windows exploits. But in terms of wasted IT time; in terms of network downtime; in terms of severity of attack there is just NO comparison. Our Linux, Solaris, and OS X boxes have required almost none of our time.

    --
    #DeleteChrome
  7. Re:you know by b17bmbr · · Score: 4, Interesting
    if windows really was as bad as you say it is, it wouldn't be in NINETY PERCENT of all desktops.

    okay AC, there is a plethora of reasons that windows is on 90% of all desktops.
    1. apple screwed the pooch by being overly proprietary back in the early 80's. they were just too damn expensive for mass penetration.
    2. compaq cloned the PC, got its bios to boot, etc...
    3. lotus 1-2-3 (any one remember when your spreadsheet program fit on a floppy!!) this program alone accounted for the mass migration to the PC architecture.
    4. ibm being dipshits about ms-dos. they could have had the rights for chump change.
    5. os/2 was the defacto desktop. ibm wanted a shitload of money (something like $200+ in the early 80's) microsoft came in with windows for 1/10 the price.
    6. microsoft did things like give faulty errors with dr-dos when you tried to run windows on top of it. (keep in mind, windows ran on top of dos as late as ME) this has been long since documented.
    7. microsoft played the bundling game, gave away its office suite for next to nothing compared to others. remember when wordperfect and lotus were the standards? (remember, in word97, you can map every keystroke in wordperfect AND lotus123.)
    8. monopolistic practices...covered a time or two
    9. piracy. i, and probably everyone i know got a "free" copy of office. don't think for a second that microsoft really cared that joe and jane homeowner were somehow "pirating" (giggle, giggle) office. well, if business knew you could get it at home "free", they knew they HAD TO pay for it, so, well, if you use office at work, you can bet employees can get it at home, and that eliminates any others from competition
    technological merit does not always, or even often, win out. there are numerous reasons. hell, in 1949, we had a state of the art bomber, the YB-49. it could fly farther, faster, stealthier, etc. and, check this out, it was a flying wing. based on a design from the horten bros. in germany. discovered after the war, and developed by jack northrop. but, stu symington (sec of defense) was buddy buddy with convair guys, and we ended up with B-36. then the B-47, then the B-52. 36 was a piece of shit, 47 almost as bad, and the 52 is a workhorse. long story short, when B-2 rolls out, who is there to receive a LONG overdue praise. jack northrop. oh yeah, the VHS vs. Beta thing too.
    --
    My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
  8. Re:Its crap but just as crap as anyone else by Anonymous Coward · · Score: 1, Interesting

    1. With Microsoft's OS it is the ONLY OS known to fall by the millions by a one line script virus, lets see a Linux based virus or worm that can knock down millions of Linux boxes like can happen with Windows...

    2. As far as comparing apt-get to windows update, with Windows update you HAVE to have Internet Explorer installed to use it, why does Microsoft make an update tool that is not tied to a particular web browser, maybe something that is "stand alone". Same with a lot of software that mysteriously requires Internet Exploiter to be installed in order to run- (kind of fishy to me)
    apt-get does not require any browser installed or even a particular GUI and can be run from the command line...

    As far as security goes I would trust Linux a LOT more for critical mission deployments than I would the kludge from Microsoft...

  9. Re:Its crap but just as crap as anyone else by Cyno · · Score: 2, Interesting

    How many worms did you have to clean off your Linux systems last year?

    Linux may not be much more secure than Windows but at least my Linux boxes don't go spreading malicious code around my office faster than I can patch 'em. In fact, I don't remember ever patching a Linux box in 2003. Hrmmm, I wonder why that is..

    At least with Linux I don't have to worry about security unless I put it in a production environment. Then I only need to worry about keeping up-to-date with patches.

    My Linux desktop doesn't get viruses, send viruses, or take out office routers. I wish I could say the same for my Microsoft products.

  10. Re:Its crap but just as crap as anyone else by forevermore · · Score: 2, Interesting
    Microsoft have had their share of vulnerabilities over the last year but not significantly more than linux has

    Yes, they may have. But unlike Windows, all of the linux software had patched versions out within a matter of hours. You are correct, however, in that it's up to the admins to apply the patches, but in my experience, linux admins are a lot more vigilant about this sort of thing.

    Also, no linux "virus" ever filled my inbox with hundreds of huge attachments claiming that I needed to update Windows or see the latest cool screensaver.

    Oh, and if you're using firewall "software" in linux, you're doing something wrong. All you need is a little knowhow and iptables (or even ipchains), and you'll see that machine FAR outperform any non-kernel-based solutions.

    --
    Do you really need reason for beer? Wingman Brewers
  11. Re:Hail to the new troll, same as the old troll by Liquidrage · · Score: 2, Interesting

    What virus was it?

    In the several years employed at the same place I've never had an email virus at my company's headquarters nor where I'm contracted to. Nor have I heard of anyone there getting one. Both places use Exchange, are NT domains, everyone uses Outlook, etc.
    Both places have admins that know what the hell they are doing.

    I have seen one spread like wild fire at another place I do a few hours of work for here and there. And that place has $8 an hour admins that have no clue what they're doing and aren't qualified to work the help desk.

    Generally, it seems Linux is a more locked down OS and therefore more secure. But to me what makes the biggest difference is to be a *nix admin you have to have a freaking clue. To be a Windows admin you don't and it often shows.

  12. Need to look at Security Holistically by randall_burns · · Score: 4, Interesting
    Organizational Security is typically only as strong as the weakest link. If you have an organization that doesn't do proper background checks on its personnel or uses negative management techniques, the risk imposed by those practices can swamp stuff like the risk associated with a particular version of software.


    In areas like the construction industry, insurance companies take a very hard-nosed attitude towards various types of risky practices-and the difference in risks between those practices are reflected in insurance premiums. It would be straightforward to apply similar techniques to organizational security-but I suspect what we have here is a case of managerial resistance. The management types just don't want their practices closely scrutinized-they like things the way they are now. What I see, is a lot of folks taking enormous risks with other people's money.

  13. Don't know the details by SuperKendall · · Score: 2, Interesting

    As I said, we got a message from corporate HQ telling us to turn off Preview and also not to click on stuff that does not come from people we know (more likely the outbreaks were from people clicking on things they should not). They had to get themselves off a few blacklists it seems as a result...

    This is not a small company either, around 3000 people. Yes, we do have admins that know what the hell they are doing. Sometimes, stupid users click on links or bring in laptops and that is it.

    The thing is, even if a UNIX admin is doing a poor job you aren't as likely to see a "wildfire" spread of infection, more like a slow burn.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  14. Re:My guess. by sfe_software · · Score: 4, Interesting

    I don't doubt it would be possible to create an effective virus for Linux.

    I agree with everything you stated. It's the diversity that makes Linux (and other operating systems) less vulnerable to such massive attacks. But everyone learns from their mistakes, even Microsoft (albeit slowly sometimes).

    Currently, if you purchase a copy of XP and install it with networking capabilities (even dialup), there is a good chance you won't get as far as Windows Update before you're rooted. I went through that a couple of months ago -- got the "Windows is Shutting Down" dialog before the Windows Update page could load. I knew how to abort the shutdown and patch the problem, and I really should have enabled the firewall first -- but joe average doesn't (and shouldn't have to) know this.

    However, I also recall the Honeypot project having similar experiences with RedHat 6.2; because of a remote-root exploit (I think), the machine was hardly online a few minutes before being rooted. If I remember correctly (it was a long time ago), 6.2 was the latest retail RedHat release at the time.

    Jump to now: RedHat now enables fewer services by default (but still has a record number of suid-root binaries...), and really pushes you to enable iptables at install time before any network interface is brought up. Likewise, SP2 for XP will be doing some things right, and I'm sure this will carry over to Longhorn and future versions.

    I say: bravo on both sides. Firewalls enabled by default (like "opt-in" instead of "opt-out"), and taking security into consideration with every decision (as RedHat and Microsoft both are learning to do, though many others *cough*OpenBSD*cough* have known this for a while)...

    --
    NGWave - Fast Sound Editor for Windows
  15. Re:The Last Line of the Article Says... by sfe_software · · Score: 3, Interesting

    That, in a nutshell, destroys the entire article. The end user shouldn't be forced to "hope" that bad things won't happen to their computers.

    You've summed it up quite nicely. Back before Windows 2000, I just didn't understand why anyone put up with Windows at all. The fact that people considered daily reboots "normal" was pathetic.

    Only now the situation is a bit different. 2000/XP are both very stable, and if properly patched are most always relatively secure. I still trust Linux or BSD a lot more, which is why my Windows machines are protected with a Linux/iptables firewall; but you have to admit that Windows has gotten much better. Again, though, if properly patched.

    I believe (correct if wrong) that nearly all of the major exploits in the last few years were patched long before they became a problem; in many cases, months passed between the time a problem was fixed and the time it was exploited (thus giving plenty of time for testing and deployment).

    Microsoft tried to remedy the problem with the "auto update" feature, which most of us didn't like. Fine. Now they're finally getting it right, and making things much better starting with SP2 (firewall enabled by default, etc). Sure, *nix has been doing it right for much longer, but you have to admit that things are getting a lot better in the Windows world...

    --
    NGWave - Fast Sound Editor for Windows
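Three comments above (forevermore on kernel-level iptables, and sfe_software's remarks on enabling iptables before the interface comes up and on fronting Windows boxes with a Linux/iptables firewall) all point at the same thing without showing it. The following is an added example, not code from any of the posters: a default-deny host firewall for the 2.4-era iptables they are talking about. The interface name (eth0) and the single inbound service allowed (ssh on tcp/22) are assumptions; change them for the host in question.

```sh
#!/bin/sh
# Added example, not code from any poster in the thread: a default-deny
# host firewall built with iptables. The interface name (eth0) and the one
# inbound service allowed (ssh on tcp/22) are assumptions.

# fw_rules IFACE PORT
# Prints the iptables commands instead of running them, so the policy can
# be reviewed without root and applied only once it has been checked.
fw_rules() {
    iface="${1:-eth0}"; port="${2:-22}"
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $iface -p tcp --dport $port -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/second -j ACCEPT
iptables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "fw-drop: "
iptables -A INPUT -j DROP
EOF
}

# fw_apply IFACE PORT
# Runs the generated rules. Refuses to do anything unless root, and stops
# at the first failing command so a half-applied ruleset is not left behind.
fw_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "fw_apply: must be run as root" >&2; return 1; }
    fw_rules "$@" | sh -e
}
```

Run `fw_rules eth0 22` to read the policy and `fw_apply eth0 22` (as root) to load it. The order matters: the chain policies are set to DROP right after the flush, so anything not explicitly accepted below is dropped even if a later line fails; the loopback and ESTABLISHED,RELATED rules come before the per-service rule so replies to the host's own connections are never subject to the NEW-only rule; the rate-limited LOG before the final DROP is what lets you see a scan without filling the disk. Caveats: iptables covers IPv4 only (ip6tables is a separate table), the `-m state` match is the 2.4-kernel form (newer kernels also accept `-m conntrack --ctstate`), and a gateway protecting other machines, as in the comment above, needs the same logic on the FORWARD chain with IP forwarding enabled rather than on INPUT.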
  16. Re:2003 was a wormy year. by drsmithy · · Score: 2, Interesting
    You need an account with permission to run said binaries, at least on my machines. This assumes that I modify the "default deny" policy and make an exception for you. Of course, that policy was implemented before it was *ever* on a network.

    If you somehow manage to penetrate *without* an account, you'll still have to deal with system accounts having a home directory of /dev/null, and some creative usage of things like chattr [1], chmod, and tripwire. Oh, and check out "man last[1]".

    Thus your machine is reasonably atypical even for a managed linux box, let alone one being used as a single-user desktop for an ignorant end user like the average Windows machine.

    Not to mention most of that won't help you if a worm somehow convinces you to run it (the way 99% of them are spread). A worm doesn't need root permissions to edit your .bashrc, wipe out your home directory or mail itself to every email address it can find on your machine.

    My conclusion: whoever attacked the Debian and GNU machines had a damn good chance of succeeding.

    We aren't trying to compare against the Debian machines, we're trying to compare against the typical Windows box - directly connected to the internet, unmanaged and under the control of an ignorant end user.

    IMHO the single best way to spread malware in linux would be to compromise a distro or source project. I can't see malware affecting end users in a large way otherwise - there's too many variables.

    As I said, it's very rare to find linux machines without tools like mail and bash - which is really all a worm needs to propagate. If you can edit your .bashrc script, so can a worm to start itself off every time you login. If you can start a program that listens on an unprivileged port, so can a worm. If you can "ping -f", so can a worm. If you can accidentally erase every file in your home directory, so can a worm. If you're running something like ssh-add on login to prompt you for an SSH password, a worm can fake it and capture your password.

    Anything a normal user can do, a worm can do. Everything a worm needs to do, a normal user can do. Every tool (and usually far, far more) a worm needs to do its work, is installed on the average linux box.

    I personally don't think Linux will be in widespread enough use to really get hit hard by a worm for a few years yet, but it *will* happen eventually (same for OS X).
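The exchange above turns on the point that a worm running as the user needs no root to persist: it edits .bashrc, or drops a key or an rc script under .ssh, and the quoted poster's chattr/chmod/tripwire tricks are the defence. As an added example, not code from drsmithy or anyone else in the thread, here is a small tripwire-style check for exactly those per-user startup files: record a baseline of their hashes, then report anything modified, missing or newly appeared. The file list, the baseline location and the sample contents used below are assumptions; it needs sha256sum from GNU coreutils.

```sh
#!/bin/sh
# Added example, not code from the thread: a tripwire-style baseline check
# for the per-user files a worm can rewrite without root. The file list,
# the baseline path and the sample data are assumptions. Needs sha256sum.

# Files a process running as the user can edit to survive a logout.
STARTUP_FILES=".bashrc .bash_profile .profile .ssh/authorized_keys .ssh/rc"

# hash_of HOME_DIR FILE -> sha256 hex digest of HOME_DIR/FILE
hash_of() {
    ( cd "$1" && sha256sum "$2" ) | cut -d' ' -f1
}

# baseline_create HOME_DIR BASELINE
# Records "<sha256>  <relative path>" for every startup file that exists.
# Keep BASELINE outside the user's home and owned by root (chattr +i on it
# where the filesystem allows), or the worm simply rewrites the baseline too.
baseline_create() {
    home="$1"; out="$2"
    : > "$out"
    for f in $STARTUP_FILES; do
        [ -f "$home/$f" ] || continue
        printf '%s  %s\n' "$(hash_of "$home" "$f")" "$f" >> "$out"
    done
}

# baseline_verify HOME_DIR BASELINE
# Prints one line per MODIFIED, MISSING or NEW startup file; returns 1 if
# anything changed and 0 if the home still matches the baseline.
baseline_verify() {
    home="$1"; base="$2"; rc=0
    # Every recorded file must still exist with the recorded hash.
    while read -r sum f; do
        if [ ! -f "$home/$f" ]; then
            echo "MISSING  $f"; rc=1
        elif [ "$(hash_of "$home" "$f")" != "$sum" ]; then
            echo "MODIFIED $f"; rc=1
        fi
    done < "$base"
    # A startup file that did not exist at baseline time is as suspicious
    # as a changed one: a new ~/.ssh/rc runs at every ssh login.
    for f in $STARTUP_FILES; do
        [ -f "$home/$f" ] || continue
        grep -q " $f\$" "$base" || { echo "NEW      $f"; rc=1; }
    done
    return $rc
}
```

Typical use is `baseline_create /home/alice /var/lib/baselines/alice` once from a root cron job, then `baseline_verify /home/alice /var/lib/baselines/alice` on a schedule, alerting on a non-zero exit. The check is only as trustworthy as the baseline's storage and the sha256sum binary it calls, which is why both belong in root-owned, ideally immutable, locations; a worm with the user's rights can change everything in the home directory, but not a root-owned file it cannot write.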