Slashdot Mirror


Microsoft's Security Report Card

Decaffeinated Jedi writes "In January 2002, Microsoft launched an initiative called 'Trustworthy Computing' aimed at building better security into its products. It's now two years later, and News.com serves up a report card evaluating Microsoft's efforts. Kevin Kean, a group manager at Microsoft's Security Response Center, points out that customers are better off now than they were before the company made the move to refocus on security issues. An analyst quoted in the article, Stephen O'Grady, agrees that he would give Microsoft 'improved marks,' but also notes that the company is not yet where it needs to be in terms of security. He goes on to suggest, however, that 'the numbers indicate that they are at least taking it seriously.' It sounds like Microsoft might have earned itself an Incomplete on this report card."

14 of 354 comments

  1. Let's be honest by ObviousGuy · · Score: 5, Insightful

    Is any software really at the point where we can install it and forget about it?

    Security is a job for all of us, not just Microsoft.

    As long as hackers out there have the tuits to break into systems, security is everyone's business.

    --
    I have been pwned because my /. password was too easy to guess.
    1. Re:Let's be honest by bryhhh · · Score: 5, Insightful

      I think that it is great that less critical problems are being found now than with Windows 2000, and I hope the trend continues.

      The quantity seems to have dropped, but the severity seems to keep increasing.

      Just look at the havoc caused by the recent RPC worms.

      - I'm also in disbelief that Microsoft still haven't released a patch for the %00 bug in IE that allows spammers and malicious web admins to obscure the real URL the user is being directed to. Perhaps Microsoft don't see a bug which could be used to trick people out of their hard-earned cash as a Critical problem?

    2. Re:Let's be honest by bryhhh · · Score: 5, Funny

      Microsoft don't see a bug which could be used to trick people out of their hard earned cash as a Critical problem?

      They wouldn't see it as a bug, heck that's exactly what Microsoft have been doing to their customers for years!

    3. Re:Let's be honest by j3110 · · Score: 5, Interesting

      I have to give MS two thumbs up. They now have automatic updates pushed to clients. They also have the Server tools to cache the updates locally for networks, and push them from there so you can hold updates back if they break some internal software.

      MS is also working on more secure technologies like .Net. In the future, code written for windows will be written in .Net by default, and buffer overflows will pretty much go away.

      MS is working on code signing at every level of the system. This means no more boot viruses, no more trojans.

      MS is still lacking on speed to update. The RPC bug was on the streets long enough for exploits to be written BEFORE they got even the smallest patch out. The big worms came after they did get the patch out, but people weren't updating.

      Where does Linux stand in all of this?

      Updates are usually still handled manually with apt-get update/upgrade. RedHat has live notification, but it's still done manually for the most part, which slows down the process. There are ways of caching apt packages for internal use by making your own apt-source, but they can be difficult to implement. You can do similar things with RedHat, but there isn't a lot of work being done in this area.

      Open Source developers still hug C and hate most anything running in any other safer languages because of performance. Despite it actually costing more man hours to manually go out and install new versions of SSH, bind, sendmail, etc. every 3 months, for some odd reason open source developers value cpu clock cycles on a machine that sits idle 99% of the time more than an actual person that can hardly find 5 minutes, and usually admins so many computers it turns into an all-nighter.

      Open Source people see code signing as a way to enact DRM and are fighting it.

      Open Source releases updates within minutes of being aware of possible security problems; sometimes it can take an hour or a day on less critical projects, but for the most part updates are very quick.

      I see progress in MS land, but Open Source people are fighting the future, and are living in status quo. There's no reason why 99% of the daemons out there couldn't be written in Python or Java (with Kaffe even). There's no real reason to fight TCP yet.

      --
      Karma Clown
  2. OK, I'm VERY sorry but... by TheMMaster · · Score: 5, Insightful

    I am not quite sure if this is off-topic, but I'm going to take a gamble here :)

    "'There is an order of magnitude more people using Automatic Update and downloading patches,' Microsoft's Kean said."

    This would be the system that gave the world the "DRM or be unpatched" situation, right? How trustworthy... changing functionality along with a "security" patch.

    I know that bashing Microsoft is a favorite pastime here :) but I'm really bothered that this "report card" doesn't include anything from the myriad of unpatched Internet Explorer holes and the way Microsoft relicenses PATCHES... I mean, really, EULAs for PATCHES? What if I DON'T agree???

    Really, HOW is this "trustworthy"??

    I am REALLY impressed by the stupidity of these "reviewers" and how easily people forget these sorts of things... kudos to Microsoft PR... AGAIN :)

    I REALLY needed to get this off my chest :)

    --
    Fighting for peace is like fucking for virginity
  3. Re:Microsoft Security by bryhhh · · Score: 5, Insightful

    Microsoft Security. What's it all about?

    Well that's an easy answer. It's all about educating 'users'.

    1. Don't open emails unless you are certain they are from a trusted source.

    2. Keep your system patched.

    3. Ensure you have Anti Virus software installed, and up-to-date.

    4. Use the firewall built into XP, or install one of the many free (for personal use) third-party firewalls, or even better, look for an ISP that firewalls sensitive ports for you.

    This is all basic stuff, but many home users don't really give a stuff if their machine is taking part in a DDoS attack, as long as they can still get to their email, view web pages, send instant messages and download pr0n (actually - forget the last one, that's us geeks)

  4. 80:20 rule applied to Microsoft Security by leoaugust · · Score: 5, Insightful

    "Customers are better off today than they were a year ago, and they will be even better off in the future," said Kevin Kean, a group manager at Microsoft's Security Response Center.

    What a well-worded articulation - almost Greenspan-ish, in the sense that it looks like he is saying something, but you can never hold him to "whatever he is saying." And I think this quote summarises the whole article well.

    It is the 80:20 rule, or in Microsoft's case the 40:60 rule. In the first year you move 40% of the distance towards the Security Goal-Post. So, "Customers are better off today than they were a year ago." In the next year you move another 40% towards the goal. So, "Customers are better off two years from today than they will be a year from today." And so on and on ...

    Now if the security Goal-Post moves and you find yourself heading in the wrong direction, as it always does in real life, you can frame your message as follows. You are now 60% away from the old place. So, "Customers are better off today than they were a year ago." In the next year you move another 60% away from the old place. So, "Customers are better off two years from today than they will be a year from today." And so on and on ...

    So,

    • "Customers are better off today than they were a year ago,"
    • and
    • "they will be even better off in the future,"

    And how can you be wrong when you say it the way it is said? What a well-worded articulation.

    --
    To see a world in a grain of sand, and then to step back and see the beach where the sand lies ...
  5. Re:Secure Means by Daengbo · · Score: 5, Funny
    There's this old military joke about the word secure, and I'll try to remember it correctly:
    • Tell the Air Force to secure a building, and they'll lock the doors and windows.
    • Tell the Army to secure the same building, and they'll post and roam guards.
    • Tell the Marines to secure it, and they'll run in shooting and kill all the AF and USA guys.
    Where does MS fall on that scale?
  6. Give them an "F" on the report card by QuantGuy · · Score: 5, Insightful
    Three observations.
    • First, Microsoft gets no points for "taking security more seriously," because that's a DUH! instinct. Consider that large parts of the public sectors in Israel, the UK, India, China and Germany have decided to go the open source route -- in part because of security fears. Consider also that Microsoft's deferred revenues (new contracts!) were off by ~$600M last quarter; Connors specifically pointed out that this was because "salespeople were helping customers deal with security." Ballmer must be crapping himself. So what we're seeing is a survival instinct, not shrewdness, on Microsoft's part. So, no points for that.
    • Second, the scourge that is the Windows security problem has reached the level of pandemic in 80-90% of all companies. The patch-and-pray vicious cycle is overwhelming everything else. For IT staffs, it's Love in the Time of Cholera out there. As we speak, the spreadsheet monks at Gartner and IDC are probably flailing wildly as they attempt to update their TCO models.
    • Third, I resent the fact that Microsoft has commingled the need to fix a serious quality and customer satisfaction issue (shoddy code) with the implementation of market-preserving technologies (e.g., Palladium^H^H^H^H^H^H^H^H^H er, the "Next Generation Trusted Computing Base"). Business model enforcement through cryptography should not be confused with security.

    Re-writing Windows from the ground up seems to me to be the best remedy. Forcibly breaking backwards compatibility should be a design goal.

  7. Re:Can't get into Yale with this... by Malor · · Score: 5, Interesting
    I don't know what planet you're from, but on EARTH, we Linux admins have been scrambling just as desperately as Microsoft admins for the last year or so.

    I've had a hypothesis for some time that the security flaw rate in Linux would decline over time and eventually approach zero, where Microsoft's would stay essentially constant. I believed this would happen because the Linux source was open and all the security holes would gradually be found and squashed, where the Microsoft source, being closed, wouldn't be as closely examined and would remain a fertile field for new exploits forever.

    Well, in 2003, my pretty little hypothesis sure wasn't looking too good. I haven't actually compared numbers, but I felt like there were just as many bad critical bugs on Linux as there were on Microsoft. From my perception, the Linux rate rose, while the Microsoft rate dropped, which is exactly opposite what I was expecting.

    I still believe that closed source is "fake" security, and that the only way to get REAL security is for everything to be open, but in terms of actual number of published exploits, both systems appear to be about equal at the moment.

    And the standards to which Microsoft needs to be held are pretty much immaterial; only Microsoft can fix that code, where anyone can, in theory, fix bugs in OSS. Personally, I think we can use them as a yardstick, but we shouldn't be flinging mud.... very many more years like 2003, and they'll be flinging lots more of it back at us.

    In 2003, OSS security sucked. I hope 2004 is better.

  8. Re:They've still got a ways to go. by Clovert+Agent · · Score: 5, Insightful
    If you don't use Windows Update to handle your security patching, it's quite a bit of work to patch a system.

    Uh-huh. And you use what to update your Linux systems? Do you manually visit every relevant website and download updates, compile and reinstall everything, resolving dependencies by hand?

    Or do you use apt, up2date, emerge...? I'm not clear on how this differs from Windows Update, with the obvious exception of altered EULAs and similar nastiness. There's no excusing that.

    My point is that updating any OS without some sort of frontend to do the legwork is horrible. Bash MS, sure, but bash fairly. They've got a decent-and-improving frontend to their patching, a variety of tools to check your network for patch levels, and so on. Good enough? Depends on your environment, but it's a LOT better than nothing.

  9. Yeah, right... by pjrc · · Score: 5, Insightful
    If Microsoft were really taking security seriously, why would they not yet fix the IE phishing (URL obfuscation) bug? This is such a simple thing to fix, and it has been public knowledge since at least December 9.

    For an indication of just how seriously Microsoft is taking security, rather than quickly fixing the bug, Microsoft is advising users to manually type URLs rather than click on hyperlinks. Well, of course, only malicious hyperlinks... but because of this bug, a scammer's link appears to be to the genuine website. Of course, they offer other gems, such as a chunk of JavaScript you can run to tell you the URL of the website you're actually viewing, since their software can't be bothered with giving you a correct indication. Or you can launch Notepad and copy a shortcut. Yeah, everyone should have to go to the trouble of doing these steps, because they couldn't manage to get a fix out quickly (within the 1 week between the disclosure and scam artists starting to use it to trick end users into disclosing sensitive info). Microsoft also suggest viewing email as text-only... effectively reading all the HTML source, and changing to the high security profile (turning off all the dangerous technologies they have "innovated" over the years: ActiveX, scripting, etc...) not because they will help you avoid being tricked, but because it will limit the damage.

    All because they couldn't fix this simple problem quickly.

    Yeah, that's taking security seriously!
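
The URL obfuscation bug raised in the "Let's be honest" thread (the %00 case) and in the post above is the kind of thing a mail gateway or link-scanning script can flag before a user ever sees the link. The following check is an added example, not code from Slashdot, News.com or Microsoft; it assumes the classic shape of such links, in which a familiar-looking name sits in the userinfo part before an '@' and the host that is really contacted follows the '@'. The sample links and host names are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample links, in the form they might appear as hrefs in an
# HTML e-mail. The first two put a familiar-looking name in the userinfo
# part, followed by a percent-encoded control character and '@'; the host
# the browser actually connects to is whatever follows the '@'.
SAMPLE_LINKS = [
    "http://www.example.com%00@203.0.113.5/login",      # constructed
    "http://www.example.com%01@phish.example.net/",     # constructed
    "http://www.example.com/account",                   # benign
    "http://user:pass@ftp.example.org/pub/",            # plain userinfo
]

# Percent-encoded C0 control characters (%00-%1F) and DEL (%7F).
CONTROL_CHAR = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff])")


def analyse_link(url):
    """Return (apparent_host, real_host, reasons) for one http(s) link.

    apparent_host is the name a reader skimming the link sees first;
    real_host is what the browser resolves; reasons lists why the link
    deserves review (empty for an ordinary link).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "", "", ["non-http scheme %r" % parts.scheme]
    real_host = (parts.hostname or "").lower()
    apparent_host = real_host
    reasons = []
    if "@" in parts.netloc:
        userinfo = parts.netloc.rsplit("@", 1)[0]
        # Text up to the first ':' or '%' is what looks like the site name.
        apparent_host = re.split(r"[:%]", userinfo, maxsplit=1)[0].lower()
        reasons.append("userinfo before '@'; browser connects to %r" % real_host)
        if CONTROL_CHAR.search(userinfo):
            reasons.append("percent-encoded control character in userinfo")
        if "\x00" in unquote(userinfo):
            reasons.append("userinfo decodes to a NUL byte")
    return apparent_host, real_host, reasons


def suspicious(url):
    """True when the link should be held for review rather than delivered."""
    return bool(analyse_link(url)[2])


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        apparent, real, reasons = analyse_link(link)
        print(link, "->", "HOLD" if reasons else "ok", apparent, real, reasons)
```

Any userinfo in an http link is treated as worth a look, since legitimate mail almost never carries credentials in a URL; the control-character and NUL checks only add detail to the reason list.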

  10. Seeing it in another perspective by euggie · · Score: 5, Insightful

    I am reading a lot of MS-bashing here. But let's take a look at some facts here:

    Consider a pretty standard setup--the OS, plus ftpd and httpd--here's the count of errata advisories between M$ Win2k Server and RedHat 9:

    Microsoft: 1, for the botched FrontPage Extension patch released in November.
    RedHat: 4, for the following:
    1. Dec 2nd: Updated 2.4 kernel fixes privilege escalation security vulnerability RHSA-2003:392-05
    2. Dec 16th: Updated lftp packages fix security vulnerability RHSA-2003:403-07
    3. Dec 17th: Updated httpd packages fix Apache security vulnerabilities RHSA-2003:320-09
    4. Dec 24th: Updated 2.4 kernel fixes various bugs RHBA-2003:394-08

    Not to mention I will need to think about what to do when RH9 becomes EOL in April.

    Interesting.

    I am by no means pro-MS here. If I had my way it'd be all qmail and publicfile. In fact, I don't have the balls to put my company's Exchange server directly on the 'net; I put it behind a RedHat box running perdition, and have qmail as the MX, behind an IOS IDS/FW.

    Trust needs to be earned, and MS is slowly earning mine in the security front. I don't trust MS software enough to stick them directly on the Internet yet, but they did earn my trust to let Windows Update automatically sort things out: Not a glitch in the last 18 months.

    The fact of the matter is, with a little clue as an admin, Windows can be made pretty secure. Being clueless, Linux can be made into a big wad of swiss cheese.

    We Linux and /. crowds--me included--can be an arrogant and blinded bunch. Sure, we can sit around bashing MS and fool ourselves on how insecure Windows is, but that doesn't accomplish anything. MS is catching up /fast/; that's fact. If we remain complacent, we can fall behind sooner than you think.

    Now that you have the facts... Go ahead, mod me down.

  11. Glass Houses? by gregarican · · Score: 5, Insightful
    This honestly isn't intended to be a troll, but I'm sure it will probably be modded as such. Microsoft has had a slew of issues trying to patch apparently flawed reused code (since all Windows versions are built on top of each other's code, with reportedly Longhorn being the first "from scratch" Windows version). The fact that the same buffer overflows are so pervasive in their product line is inexcusable. Input validation and boundary checks are basics most folks learn in CS101 - Introduction to Programming. You wouldn't expect such flaws in each and every version of Windows software.

    All of that being said, no technology area is devoid of security flaws. Look at the recent attention given to H.323 standard vulnerabilities due to default ASN.1 parsing. That affects many vendors and product lines. Today I read an ISC diary entry detailing a couple of exploits that affect non-Windows environments. Apache, OpenSSH, QMail, Sendmail, etc. have all had their share of recently announced flaws.

    Of course Open Source Software *should* be more secure since many eyes can review the code as it is maintained and updated. But the fact that nevertheless there are significant flaws and exploits in this area further proves my point. Microsoft is the largest software company on the planet so of course they have a target on their back. There are no doubt many third party organizations dedicated to doing nothing but trying to break Windows in order to submit security reports. Of course there are anonymous black hats doing the same but for other obvious reasons.

    If the same manpower and effort was dedicated to breaking Linux and OSS applications (which currently have much less exposure and market share) I am sure that even more holes would be poked into what most folks on this board defend as being the silver bullet against corporate greed, monopolistic tyranny, and gaping security holes.