Slashdot Mirror
Microsoft vs. Computer Security
ArieKremen writes "The Slate has a piece written for the average user attempting to explain why Windows is `still` grappling with security issues. Although Gates made security and privacy top priority four years ago, not much progress has been made." From the article: "Microsoft customers haven't stopped worrying. A year later, Windows was hit with several nasty worms, including Slammer, Sobig, and Blaster. The viruses caused major traffic bottlenecks throughout the world, which cost tens of billions of dollars to clean up. Vulnerabilities deemed 'critical' have forced the company to release an almost unending stream of patches and fixes to the Windows operating system, Microsoft Office, and Internet Explorer." An interesting look at the whole issue.
Some kind of anti-microsoft site?
Computer security will get worse before it gets better. It's the second hardest problem in computing, coming second only to DRM; which is provely impossible to do properly.
The problem comes from many quaters: some theortical, some practical, some managerial. For example:
I could go on for quite sometime.. the point to appreciate here is that it isn't all Microsoft's fault but they could do a whole lot more. If we could just get rid of the overflows that would be a good start!
Simon
Gates urged that new design approaches must "dramatically reduce" the number of security-related issues as well as make fixes easier to administer. "Eventually," he added, "our software should be so fundamentally secure that customers never even worry about it."
Fair enough, but regardless of what is happening in the way of "new design approaches", the current installed base is the problem. The best ways to show dedication to the reduction of security issues would be a) rigorous code review + pre-emptive bugfixes and b) more rapid response to issues that are found elsewhere. There have been improvements, but the sum of the successes will not outweigh the sum of the failures.
I want to drag this out as long as possible. Bring me my protractor.
"That's the big problem with many of the Microsoft glitches. They're not limited to the vulnerable Microsoft application. The vulnerable app provides a gateway for compromising the whole PC."
I would like to know where everyone heard this crap, and why they keep repeating it vebatim., because it's a bunch of bullshit. Flaws in Microsoft products have no greater danger than equivalent flaws in any other Windows application.
A remote code execution flaw in IE executes code with the users rights, and therefore gets access to what the user has access too.
A remote code execution flaw in Firefox executes code with the users rights, and therefore gets access to what the user has access too
There is no special conduit that Microsoft apps have to the windows kernel or any other windows system object.
If you browse the web using firefox while running as administrator and you get hit with an exploit that exploit will have full access to your system.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Considering where they started, just getting to BAD is a tenfold increase! And to be honest, they have come a long way. They just have a VERY long way to go.
Perhaps more accurately, users of windows have made no progress. Quite a few of the worms that have made big headlines over the last few years are ones that make use of exploits for which patches were already available. It's long been said that people are the greatest security problem. And I believe that applies to Microsoft's security problems as well. As long as the education of Microsoft's user base is neglected (or actively refused by some), MS's efforts (feeble as they may seem at times) will have limited success.
Yeah, I started to make a similar post, but then I decided it wasn't so absurd. Probably on the high side, but it's not as much as it sounds like. 10M IT workers, even if they only averaged a salary of $100/day would be $1B. And that doesn't even factor in possible data loss which would result in users redoing their work.
https://www.eff.org/https-everywhere
Microsoft has a long history of secret APIs used only by their applications. I remember some sort of hubbub about this around '94 when they were taking over the office suite market.
More recently the DOJ at least accused Microsoft of using secret APIs in support of IE, Messenger, Media Player, and Outlook Express.
I don't necessarily think that you are wrong, but the situation is certainly not as cut-and-dried as you seem to think it is.
-Peter
One thing to help would be a default account type in the Users group, and if currently an admin, switch your group to Users. Third parties need to fix their programs that requires more privileges (not necessarily admin) after the program is installed because of write access to system folders and HKEY_LOCAL_MACHINE. Vista fixes this, but if you ask me I think MS is only encouraging the bad behavior of alot of third party programs by providing this method of keeping non-compliant applications compatible with least privilege. (Keep in mind, there are a$$holes like Even Balance who purposely wrote their anti-cheat to require true admin privileges)
Sure they have a firewall... you're screwed as admin because the code that launched can also create an exception for itself via netsh command or damn it all to hell and disable the firewall via "net stop". Malware does do this today, and sad how easy it was stopped.
Don't want to run as non-admin? XP can run specified apps automatically with User privileges even if you are admin (and I am not talking about Run As with a lower privileged account). And for fuck's sake, don't take the default of "SYSTEM" for your apache or whatever server software services.
Blame the user, not the software.
I was wondering why the fact that they keep releasing a "constant stream" of patches is a bad thing, since the OSS community does the same thing (Now, I'm not trying to compare the quality or the type of patch).
I work at Microsoft.
The other day, we had to have a little talk with one of our developers; he didn't understand why it was bad that his application generates an error message that writes the administrator password to the Event Viewer logs. What was that I heard about every developer being thoroughly trained in secure coding practices?
Even though security is supposedly top priority, we find ourselves unable to force our developers to adhere to policy and write code that can run under a non-admin or non-system account. The higher ups steam roll over us when we fight the fight.
The problem is that there are two groups at MS; the business side, and the technical side. The business side calls the shots, and they don't listen to the technical side.
Sure, there's plenty of talk about security, but no real action. PR is cheap.
"The whole article is a troll....Its filled with 'feelings' and 'impressions' by people cited as experts, without examination of their claims - nor an inquiry to factual matters."
The article is correct. The reason it is not filled with objective evidence is because there currently no objective, agreed upon method of measuring code or system security. In the absence of objective data, the opinions of experts are the best thing we have.