Slashdot Mirror
Looking Back At Windows Security In 2003
thebatlab writes "Help Net Security has an interesting look at security in Windows during 2003, with various blurbs from related parties at Microsoft as well as security 'bigwigs' such as Russ Cooper. It's interesting to read the comments from external parties, as they tend to be very reasoned comments and don't simply attack away over recent 'indiscretions' and 'security lapses' Microsoft has had over the year."
...where to get a definitive list of security holes in Windows (not Office or other add-ons) for the month of December?
Of course the same holds true for businesses, but there the problem was more of a problem with the "Default Installation". We have long known that default installations are inherently insecure.
Windows "out of the box" is as wide open as the goatse.cx guy.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
There's a new worm out there that exploits a security hole still in Windows 2k/XP from when it was released.
It has the capability to shut down applications, goes right through anti-virus software (even the latest patches!!!), and gives total control of the victim computer to the creator of the worm.
An attempt by the powers that be to shut down it's source of updates was thwarted by various government agencies and the worm itself.
Unfortunately there is no patch to get rid of the W32.MS.AutoUpdateRequired worm.
It sucked!
<bows>
It is pitch black. You are likely to be eaten by a grue.
As opposed to what exactly?
Firebased computer walls? (In soviet russia?)
A hole in Windows was announced today. Thats great, as soon as Windows Update tells me there is a fix available, I'll click and reboot to apply it.
/me, goes to website, they list some long inexplicable explanation of the hole. Link to some .tar.zip.gz.bz2 file (this saves bandwidth). Just run it through tar -xvzjf and it will automagically extract. Run make clean; make superclean; make reallyfuckingsureyourclean; make install; (whoops, su; make install) and boom! its installed.
A hole in Linux was announced today. Developers released a patch in 34.36 minutes flat after hearing the news. Download and update today!
I dual-boot Linux with W98SE. Recently, after quite a while of using it and getting the W98 more and more "dirty" I decided to install the update. System got so unstable that I couldn't open Explorer without crashing. "Time for reinstall", I thought. Format, install, config, everything runs smoothly. Windows Update, system starts crashing really bad. Maybe I did something wrong? Format, reinstall, update. Crash. So now I run "vanilla" W98SE, without ANY updates, just pure CD install. The only protection is my firewall on a Linux box. Sucks, but what should I do? This way it can keep running for several hours, and with screensavers and power management disabled, for several days in a row. With patches, crashes notoriously. Keep it secure? How? By unplugging the net or the power supply??
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
And how do you propose this virus would spread?
Linux isn't quite the easy target that Windows is. Almost every Linux box is completely different when compared to another. Not everyone is using the same mail client, there are several different browsers that may or may not be used, and several different daemons that may or may not be available or exploitable.
You just can't easily write a virus that will infect a massive number of Linux machines.
Note that I'm not saying Linux machines are impervious to viruses; just that I'd be shocked if there was any Linux virus that infects more than a handful of machines.
Or how about just applying the patch that's been freely available for six months?
*glares at manager*
It basically says it all when an exploit that had been patched for months succeeds in bringing the internet to a crawl.
An In-Depth look Into Windows Security in 2003
by Mirko Zorz - Monday, 22 December 2003.
When it comes to security predictions for next year, basically everyone says it's going to be worst than this year despite the increased spending on security and some progress made when it comes to security awareness. Let's take a look at some interesting happenings that made the news during 2003 when it comes to Microsoft security and perhaps you'll be able to judge for yourself what 2004 will bring.
The experts that voice their opinion for this article are Russ Cooper (Surgeon General of TruSecure Corporation/NTBugtraq Editor), Ed Skoudis (a security geek who is focused on computer attacks and defenses, author of "Counter Hack" and "Malware: Fighting Malicious Code") and Arne Vidstrom (a security researcher and author of many security tools for Windows).
It's January and things don't look good
Just as we were getting used to writing 2003 instead of 2002 in our letters, here comes the Slammer worm and all hell brakes loose as thousands of computers are infected worldwide.
This, however, was not Microsoft's fault since a patch was available several months ago before the worm was unleashed. This has put the issue of irresponsible users into the spotlight while others said the reason why some servers weren't patched is because administrators are worried about the side-effects that come with a patch.
Russ Cooper said: "Firstly, SQL patches have been notoriously difficult to install, so I would argue that despite the availability of a patch, its lack of installation was not entirely the user's fault. Further, MSDE (Microsoft SQL Desktop Engine) inclusion in 3rd party software had never been tracked by Microsoft. This resulted in many people being vulnerable to Slammer who never knew they needed a patch. The method the SQL group has used to handle the SQL vs. MSDE issue have been very poor, with KB articles typically only being found by searching for SQL rather than MSDE. Finally the SQL Server Resolution Service, the service targeted by Slammer, isn't even mentioned in the SQL 7.0 documentation either as being present, installed, or enabled by default."
Lessons learned according to Cooper: "What Slammer showed us more than anything was the need to embrace more basic controls, such as "Default Deny". There's little reason to expose the SSRS to the Internet without any restrictions. Some hosting providers have argued that their customers required access to the service and, therefore, they exposed it directly to the Internet. While this might seem reasonable, the additional cost of locking down such connection points to, at least, an identifiable IP address range surely couldn't put them out of business compared to the risks they put the entire Internet at. Of course the same holds true for businesses, but there the problem was more of a problem with the "Default Installation". We have long known that default installations are inherently insecure. Knowing what you're installing, and installing only what you know, are crucial to achieving baseline security. The habit of simply accepting the defaults and no additional steps is yet another reason problems like this occur."
"Another aspect of "Default Deny" is the enforcement of *Outbound* rules as well as inbound. Habit says that inbound is what we fear, yet outbound is left entirely untouched. Slammer demonstrated just how harshly such a policy can affect the Internet. There was no reason for those systems to initiate connections outbound on UDP 1434, even if we accept there was a need to allow the inbound connections from other infected hosts. Ergo, had such rules been in place, machine
Slashdot: The antidote to well reasoned comments.
Hello, new sig.
Windows Security. That's like... Military Intelligence? Jumbo Shrimp? Microsoft Works?
Free your ecomony and enact the FairTax
"Microsoft have had their share of vunerabilities over the last year but not significantly more than linux has..."
Hello? What alternate universe are you living in? We spent a good chunk of our summer and fall chasing MS-BLAST infected computers. We had to detach computers from the network before upgrading them to XP, because if we didn't they'd get hit before we could patch them.
Perhaps you are playing semantic games - perhaps in absolute numbers there haven't been "that many" Windows exploits. But in terms of wasted IT time; in terms of network downtime; in terms of severity of attack there is just NO comparison. Our Linux, Solaris, and OS X boxes have required almost none of our time.
#DeleteChrome
okay AC, there is a plethora of reasons that windows is on 90% of all desktops.
- apple screwed the pooch by being overly proprietary back in the early 80's. they were just too damn expensive for mass penetration.
- compaq cloned the PC, got its bios to boot, etc...
- lotus 1-2-3 (any one remember when your spreadsheet program fit on a floppy!!) this program alone accounted for the mass igration to the PC architecture.
- ibm being dipshits about ms-dos. they could have had the rights for chump change.
- os/2 was the defacto desktop. ibm wanted a shitload of money (something like $200+ in the early 80's) microsoft came in with windows for 1/10 the price.
- microsoft did thing like give faulty errors with dr-dos when you tried to run windows on top of it. (keep in mind, windows ran on top of dos as late as ME) this has been long since documented.
- microsoft played the bundling game, gave away its office suite for next to nothing compared to others. remember when wordperfect and lotus were the standards? (remember, in word97, you can map every keystroke in wordperfect AND lotus123.)
- monoplistic practices...covered a time or two
- piracy. i, and probably everyone i kow got a "free" copy of office. don't think for a second that microsoft really cared that joe and jane homeowner were somehow "pirating" (giggle, giggle) office. well, if business knew you could get it at home "free", they knew they HAD TO pay for it, so, well, if you use office at work, you can bet employees can get it at home, and that eliminates any others from competition
technological merit does not always, or even often, win out. there are numerous reasons. hell, in 1949, we had a state fo the art bomber, the YB-49. it could fly farther, faster, stealthier, etc. and, check this out, it was a flying wing. based on a design from the horten bros. in germany. discovered after the war, and developed by jack northrup. but, stu symington (sec of defense) was buddy buddy with convair guys, and we ended up with B-36. then the B-47, then the B-52. 36 was a piece of shit, 47 almost as bad, and the 52 is a workhorse. long story short, when B-2 rolls out, who is there to receive a LONG overdue praise. jack northrup. oh yeah, the VHS vs. Beta thing too.My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
On your specific points:
Many (if not most) Windows programs get it wrong. Heck even Microsoft has been released games that can only be played if logged in as administrator.
Linux does let you do delegation, but that is mostly left as a user space implementation issue. That is the purpose of setuid/setgid, group memberships, sudo etc.
In areas like the construction industry, insurance companies take a very hard-nosed attitude towards various types of risky practices-and the difference in risks between those practices are reflected in insurance premiums. It would be straightforward to apply similar techniques to organizational security-but I suspect what we have here is a case of managerial resistance. The management types just don't want their practices closely scrutinized-they like things the way they are now. What I see, is a lot of folks taking enormous risks with other people's money.
"requires an administrator to be an expert in the intricacies of the operating system and how components interact"
Yes, someone who is NOT an expert is hardly qualified to be an administrator now are they?
"Linux only provides access controls for files and directories. In contrast, every object in Windows NT, from files to operating system data structures, has an access control list and its use can be regulated as appropriate. Linux security is all-or-nothing. Administrators cannot delegate administrative privileges: a user who needs any administrative capability must be made a full administrator, which compromises best security practices. In contrast, Windows NT allows an administrator to delegate privileges at an exceptionally fine-grained level."
Are you on crack? EVERYTHING is a file or directory on a linux system. There ISN'T a registry to hack. The most powerful and popular solutions for all tasks on linux also have built in ACL's for fine tuning access. Not to mention iptables which is a one stop kernel level firewalling and routing solution with flexibility windows never dreamed of with even 3rd party tools.
There is only ONE full administrator on a linux system, root. Any other service and it's configuration files will be owned by a group, members of said group can administrate it. Since EVERYTHING including hardware devices is a file on linux you can fine grain control access to every piece of software and/or hardware you like on the system. By setting permissions on the correct file you can even deny a user the ability to move an icon on their linux desktop.
"Linux has not supported key security accreditation standards. Every member of the Windows NT family since Windows NT 3.5 has been evaluated at either a C2 level under the U.S. Government's evaluation process or at a C2-equivalent level under the British Government's ITSEC process. In contrast, no Linux products are listed on the U.S. Government's evaluated product list."
Government accredits are meaningless, microsoft had to hack minimal posix compliance into windows before they could bribe their way in. The only reason it was allowed at all was that windows was already being used widely (at least in the US, don't follow the brits) and it's VERY expensive to go through the process.
"Linux system administrators must spend huge amounts of time understanding the latest Linux bugs and determining what to do about them. This is made complex due to the fact that there isn't a central location for security issues to be reported and fixed. In contrast, Microsoft provides a single security repository for notification and fixes of security related issues."
And yet somehow with a single command line I have all the fixes for the bugs that were discovered this morning. And windows update only has the bugs that were discovered 3 months ago with a couple exceptions.
I just hope that in the next few weeks we won't see a disaster like the Slammer worm.
That, in a nutshell, destroys the entire article. The end user shouldn't be forced to "hope" that bad things won't happen to their computers. Any vendor that instills so much lack of confidence in their products doesn't deserve the benefit of the doubt.
I don't doubt it would be possible to create an effective virus for Linux.
I agree with everything you stated. It's the diversity that makes Linux (and other operating systems) less vulnerable to such massive attacks. But everyone learns from their mistakes, even Microsoft (albeit slowly sometimes).
Currently, if you purchase a copy of XP and install it with neworking capabilities (even dialup), there is a good chance you won't get as far as Windows Update before you're rooted. I went through that a couple of months ago -- got the "Windows is Shutting Down" dialog before the Windows Update page could load. I knew how to abort the shutdown and patch the problem, and I really should have enabled the firewall first -- but joe average doesn't (and shouldn't have to) know this.
However, I also recall the Honeypot project having similar experiences with RedHat 6.2; because of a remote-root exploit (I think), the machine was hardly online a few minutes before being rooted. If I remember correctly (it was a long time ago), 6.2 was the latest retail RedHat release at the time.
Jump to now: RedHat now enables less services by default (but still has a record number of suid-root binaries...), and really pushes you to enable iptables at install time before any network interface is brought up. Likewise, SP2 for XP will be doing some things right, and I'm sure this will carry over to Longhorn and future versions.
I say: bravo on both sides. Firewalls enabled by default (like "opt-in" instead of "opt-out"), and taking security into consideration with every decision (as RedHat and Microsoft both are learning to do, though many others *cough*OpenBSD*cough* have known this for a while)...
NGWave - Fast Sound Editor for Windows
Maybe so, but you haven't mentioned any.
The quality of your admins has way more to do with ultimate security.
Can't argue with that.
Agreed that NT has access controls on every object. However they are not visible and not used very much by end users and administrators.
Much like *properly* setup sudoers, groups and file ownerships/permissions.
The UNIX ones are simple and very easy to understand.
That's because they're so primitive. Not to mention some of them aren't really logical - like needing read *and* execute permissions to list the contents of a directory.
Here you have the choice between complicated (you do know the difference between discretionary and inherited rights filters?) and pervasive (every object) versus simple and pretty much only on files (which almost every OS object is anyway).
Properly setting up a combination of sudo, groups and file permissions and ownerships is a monumental task and an administrative nightmare. Not saying ACLs are a walk in the park, but when you're finished with sudo & co you've got an ugly hack around a fundamentally broken design, when you're finished with ACLs you've got an elegant and maintainable solution.
The Windows acceditation is a crock. It is in a non-networked environment with no floppy disk or CD drive.
That's because, IIRC, being without a network and floppy drive were *requirements* of the accreditation - IOW, *no accredited OS* could have had them.
(And we won't even go into the ability of any process in a desktop session being able to send messages to any other process which is probably the flaw Microsoft alludes to).
This was fairly well rebutted at the time - applications can be written so that this can't occur.
In Linux you have to understand chmod.
This is ridiculously (and irresponsibly) oversimplified. You have to understand group participations, file ownerships, permissions, SUID, GID, sticky permissions and the subtly different ways some file permissions can act on different platforms. This is before worrying about things like limitations on how many groups a user can be in and other weird things that only happen on some platforms. Not to mention the inescapable fact that on most unixes, practically all important services and administrative tasks have to spend some time with the unlimited priviliges of UID 0.