Slashdot Mirror
Microsoft's Security Report Card
Decaffeinated Jedi writes "In January 2002, Microsoft launched an initiative called 'Trustworthy Computing' aimed at building better security into its products. It's now two years later, and News.com serves up a report card evaluating Microsoft's efforts. Kevin Kean, a group manager at Microsoft's Security Response Center, points out that customers are better off now than they were before the company made the move to refocus on security issues. An analyst quoted in the article, Stephen O'Grady, agrees that he would give Microsoft 'improved marks,' but also notes that the company is not yet where it needs to be in terms of security. He goes on to suggest, however, that 'the numbers indicate that they are at least taking it seriously.' It sounds like Microsoft might have earned itself an Incomplete on this report card."
Is any software really at the point where we can install it and forget about it?
Security is a job for all of us, not just Microsoft.
As long as hackers out there have the tuits to break into systems, security is everyone's business.
I have been pwned because my
Funny, it seems to imply in the news.com article that less advisories are better than more... hell, I think my ol' comp running win98 went for many months last year without a single advisory notice when I clicking into the Windows update site. Pfft. So therefore win98 is safer than Server 2003... :P
0- Eamonman Proud member of DNRC
I thought an Incomplete actually counted as an F.
I think the appropriate grade for this would be an IP (in progress).
That MS is actually improving security is good for all of us.
It's about time, and they still have a long way to go, but increasing security gives less room for E-mail viruses, worms and other network-hogging exploits.
Hmm... Any chance of a class-action suit from people who do NOT use Microsoft, addressing the way their lack of security has wrecked important services for non-MS users?
After all, those of us who don't use MS have never accepted their EULAs, but they've still wreaked havoc for our systems.
Could at least lead to an even further increased MS focus on security, which would help everyone...
I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
And so we have a report card that wouldn't get you accepted to a state university, by the largest, most economically endowed entity in the world.
I'm sorry, Microsoft, but you have to be held to higher standards, not lower. Open source is able to do better with infinitely less.
If a bunch of hobbiests were able to colonize the moon, would we hold back any criticism of NASA?
Or maybe we've just figured out a better way of doing things. In which case, maybe the soft spot for the dinosaurs is somewhat warranted.
Just trying to figure out what needs to be updated is a pain in itself, unless you figure out that you need the MBSE. Then you need to wade through the security bulletins, which sometimes contain the patch (in varying locations of the document and with no fewer than two pages to go through to get to the patch) and sometimes tell you to go to Windows Update. Not an option when you're trying to cut a disc for a client, or are dealing with an environment that doesn't allow Windows Update for security reasons.
Grabbing MBSE and every available patch from the website and applying said patches to a fresh Windows XP installation took about two and a half hours, and was incomplete (MBSE reported four patches that weren't applied). Windows Update isn't appropriate for a fresh install because of things like Blaster that will automatically infect the system upon connection to the Internet.
Then, there's all the defaults they've got to have their system phone home, such as sa.windows.com for searches, IE automated updates, WMP automated updates (including DRM), ntp.windows.com, Automated Windows Update. Locking down a Windows XP system is an exercise in frustration.
Trustworthy computing? Methinks not. Linux/BSD/OSX may have their myriad security and design flaws (except OpenBSD, which has yet to have a remote root compromise), but Windows XP holds a special place in my heart. Microsoft has admitted they've got an issue with security, which is a good thing, but now they should really address it -- they should be doing everything possible for the user to take control of his/her system, instead of heading the other way.
It's about as big an oxymoron as Microsoft Works.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
I am not quite sure if this is off-topic, but I'm going to take a gamble here :)
:) but I'm really bothered that this "report card" doesn't include anything from the myrad of unpatched internet explorer holes and the way microsoft relicenses PATCHES... I mean, really EULA's for PATCHES? what if I DON'T agree???
:)
:)
""There is an order of magnitude--more people using Automatic Update and downloading patches," Microsoft's Kean said."
This would be the system that gave the world the "DRM or be unpatched" situation, right? how trustworthy.... changing functionality along with a "security" patch
I know that bashing microsoft is a favorite past-time here
really HOW is this "trustworthy" ??
I am REALLY impressed by the stupidity of these "reviewers" and how easily people forget these sorts of things... cudos to microsoft PR... AGAIN
I REALLY needed to get this of off my chest
Fighting for peace is like fucking for virginity
Microsoft Security. What's it all about?
Well that's an easy answer. It's all about educating 'users'.
1. Don't open emails unless you are certain it is from a trusted source.
2. Keep your system patched
3. Ensure you have Anti Virus software installed, and up-to-date.
4. Use the firewall built into XP, or install one of the many free (for personal use) 3rd party firewalls, or even better look for an ISP that firewalls sensitive ports for you.
This is all basic stuff, but many home users don't really give a stuff if their machine is taking part in a DDoS attack, as long as they can still get to their email, view web pages, send instant messages and download pr0n (actually - forget the last one, that's us geeks)
It is a responsibility of the end-user to keep a computer secure. If you are in control of your PC, it is your responsibility.
If the end user was to grant full control over his computer to Microsoft, then it wouldn't be his responsibility to keep it up to date.
'Secure' technlologies like the DRM used in iTunes' M4P and WMP's WMA files are exactly that - granting some of your control over your computer to those companies in exchange for being able to get music files.
In this case, by granting some of your control over your PC to Microsoft (allowing them to automatically update your PC with new fixes) you can gain more security.
But do you really want to leave your security and privacy in the hands of a corporation? Or would you rather spend the time to do it yourself? You can't have it both ways. Either you keep your PC secure (either by updating Windows often and using a firewall and not visiting random sites and opening random attachments, etc., or by switching to a more secure operating system), or you let someone else do it for you.
using namespace slashdot;
troll::post();
Oh - I thought you said "at that point where we can throw it away and forget about it."
What a well worded articulation - almost Greenspan-ish like in a sense that it looks like he is saying something, but you can never hold him upto for "whatever he is saying." And I think this quote summarises the whole article well.
It is 80:20 rule or in Microsoft's case 40:60 rule. In the first year you move 40 % of the distance towards the the Security Goal-Post. So, "Customers are better off today than they were a year ago, . In the next year you move another 40 % towards the goal. So, "Customers are better off two years from today than they will be a year from today. . An so on and on ...
Now if the security Goal Post moves and you find yourself heading in the wrong direction, as it always does in Real life, you can frame your message as follows. You are now 60 % away from the old place. So, "Customers are better off today than they were a year ago, . In the next year you move another 60 % away from the old place. So, "Customers are better off two years from today than they will be a year from today. . An so on and on ...
So,
And how can you be wrong when you say it the way it is said. What a well worded articulation.
To see a world in a grain of sand, and then to step back and see the beach where the sand lies
- Tell the Air Force to secure a building, and they'll lock the doors and windows.
- tell the Army to secure the same building, and they'll post and roam guards.
- Tell the Marines to secure it, and they'll run in shooting and kill all the AF and USA guys.
Where does MS fall on that scale?Put identity in the browser.
SEMESTER 2, 2003
PRODUCTIVITY 101 3 HRS 80% C
ECONOMICS 307 3 HRS 100% A
CREATIVITY 92 3 HRS 67% D
GOV'T STUDIES 203 3 HRS 100% A
COSC 507 ADVANCED 3 HRS 78% C
MONO 302 3 HRS 100% A
BORE 405 3 HRS 100% A
THFT 305 3 HRS 100% A
LIES 205 3 HRS 100% A
SCUR 101 3 HRS 20% F
MONO 400 3 HRS 100% A
CONV 101 3 HRS 10% F
HID 205 3 HRS 70% C
OVERALL AVG. 78% C
This explains why mediocre rules the market.
Re-writing Windows from the ground up seems to me to be the best remedy. Forcibly breaking backwards compatibility should be a design goal.
1. Don't open emails unless you are certain it is from a trusted source.
That's the big problem here. When your email client, by default, displays HTML and executes macros and scripts, you're extra vulnerable. Even if it's from your pal Bob that you've known for 40 years, his computer may have been owned by a worm and just emailed all his friends seeking to propagate. You say 'hey it's from Bob, I trust him' and open it. Boom, you're owned too, and may never know it.
Bad design is bad design, there's no two ways about it.
that they've discovered their security problem is much bigger than they thought it was.
Sure they've progressed in terms of there's more known security holes fixed now than there was 1-2 years back, but there's also far more security holes that have been identified and at (seemingly) a much faster rate than 1-2 years ago.
In other words, 2 years ago, they rated a 4/10 in terms of security. Today, I'd say they probably rate 20/50. Overall, my impression is that they've essentially stayed in place in terms of removing security holes from their products.
If you think that I'm being unfair, consider how long it's taking new security holes to get fixed now versus 2 years ago - it seems to be generally longer.
Also, consider that MS has now taken the step of bundling security updates into big bunches, to ease the pain of applying them - that they've had to resort to this is a reasonable indication (IMHO) that the quantity of security holes being *fixed* has gone up significantly.
Finally, consider the rate at which security holes are being uncovered - it would have to start dropping off dramatically if MS was being successful in fixing their problems. That certainly doesn't seem to have happened.
Microsoft BS7799 certified?
I don't know about the 7799 part, but Microsoft is certainly BS certified.
"Your effort to remain what you are is what limits you."
For an indication of just how seriously Microsoft is taking security, rather than quickly fixing the bug, Microsoft is advising users to manually type URLs rather than click on hyperlinks. Well, of course, only malicious hyperlinks... but because of this bug, a scammer's link appears to be to the genuine website. Of course, they offer other gems, such as a chuck of javascript you can run to tell you the URL of the website you're actually viewing, since their software can't be bothered with giving you a correct indication. Or you can launch notepad and copy a shortcut. Yeah, everyone should have to go to the trouble of doing these steps, because they couldn't manage to get a fix out quickly (within the 1 week between the disclosure and scam artists starting to use it to trick end users to disclose sensitive indo). Microsoft also suggest viewing email at text-only... effectively reading all the html source, and changing to the high security profile )turning off all the dangerous technologies they have "innovated" over the years: ActiveX, scripting, etc...) not because they will help you avoid being tricked, but because it will limit the damage.
All because they couldn't fix this simple problem quickly.
Yeah, that's taking security seriously!
PJRC: Electronic Projects, 8051 Microcontroller Tools
I am reading a lot of MS-bashing here. But let's take a look at some facts here:
/. crowds--me included--can be an arrogant and blinded bunch. Sure, we can sit around bashing MS and fool ourselves on how insecure Windows is, but that doesn't accomplish anything. MS is catching up /fast/; that's fact. If we remain complacent, we can fall behind sooner than you think.
Consider a pretty standard setup--the OS, plus ftpd and httpd--here's the count of errata advisory between M$ Win2k Server and RedHat 9:
Microsoft: 1, for the botched FrontPage Extension patch released in November.
RedHat: 4, for the following:
1. Dec 2nd: Updated 2.4 kernel fixes privilege escalation security vulnerability RHSA-2003:392-05
2. Dec 16th: Updated lftp packages fix security vulnerability RHSA-2003:403-07
3. Dec 17th: Updated httpd packages fix Apache security vulnerabilities RHSA-2003:320-09
4. Dec 24th: Updated 2.4 kernel fixes various bugs RHBA-2003:394-08
Not to mention I will need to think about what to do when RH9 becomes EOL in April.
Interesting.
I am by no means by pro-MS here. If I have my way it'd be all qmail and publicfile. In fact, I don't have the balls to put my company's Exchange server directly on the 'net; I put it behind a RedHat box running perdition, and have qmail as the MX, behind an IOS IDS/FW.
Trust needs to be earned, and MS is slowly earning mine in the security front. I don't trust MS software enough to stick them directly on the Internet yet, but they did earn my trust to let Windows Update automatically sort things out: Not a glitch in the last 18 months.
The fact of a matter is, with a little clue as a admin, Windows can be made pretty secure. Being clueless, Linux can be made to be a big wad of swiss cheese.
We Linux and
Now that you have the facts... Go ahead, mod me down.
umm how about switching to a more secure OS so you don't have to put up with all that BS.
.net crap
Your choice of OS doesn't make your system secure. What makes a system secure is a user that has a clue.
In the past 3 years I have only used linux at home. Never had to worry about viruses, nor spam (yeah, that's right, I averaged 2-3 peices a year), nor spyware (spam maker), nor adware (spam maker), nor web browsing issues (IE security flaws). Now I spend more time cleaning up all this crap then anything cause I have to have a winblows box at home so i can do
Like you, I've not had a Virus in countless years. I don't get spam, My system has no spyware, or adware or web browsing issues (Firebird rules!), and I run a Windows box (Prerequisite of being a Windows Sysadmin). Had I have been an uneducated user, I'm sure I would have fallen fowl of most (if not all) of the issues you have listed.
But at least I never had to reinstall my entire OS because a windows update failed (which just happened to my brother yesterday, and I have seen it several other times, too!)
There are aproximately 3000 Windows PC's on the university network that I admin, and I don't see Windows Update issues that you see. Occasionaly a patch will fail, but if you know what you doing it is quite simple to fix, without having to resort to a complete re-install. Reinstalls are for failed disks and compromised machines.
So, no, it is not just about educating users, it is about makeing a more secure system!
But who makes the system secure? Why _educated_ users do. - If a user is clueless, the odds are that they will be compromised, regardless of what OS they choose.
Windows is crap,when will the world realize this?
I'm beginning to think you are a troll.
All of that being said, no technology area is devoid of security flaws. Look at the recent attention given to H.323 standard vulnerabilities due to default ASN.1 parsing. That affects many vendors and product lines. Today I read an ISC diary entry detailing a couple of exploits that affect non-Windows environments. Apache, OpenSSH, QMail, Sendmail, etc. have all had their share of recently announced flaws.
Of course Open Source Software *should* be more secure since many eyes can review the code as it is maintained and updated. But the fact that nevertheless there are significant flaws and exploits in this area further proves my point. Microsoft is the largest software company on the planet so of course they have a target on their back. There are no doubt many third party organizations dedicated to doing nothing but trying to break Windows in order to submit security reports. Of course there are anonymous black hats doing the same but for other obvious reasons.
If the same manpower and effort was dedicated to breaking Linux and OSS applications (which currently have much less exposure and market share) I am sure that even more holes would be poked into what most folks on this board defend as being the silver bullet against corporate greed, monopolistic tyranny, and gaping security holes.