Slashdot Mirror


Microsoft No Longer a 'Laughingstock' of Security?

Toreo asesino writes "In a Q&A with Scott Charney, the vice president of Trustworthy Computing at Microsoft, Charney suggests that security in Microsoft products has moved on from being the 'laughing stock' of the IT industry to something more respectable. He largely attributes this to the new Security Development Lifecycle implemented in development practices nearly six years ago. 'The challenge is really quite often in dealing with unrealistic expectations. We still have vulnerabilities in our code, and we'll never reduce them to zero. So sometimes we will have a vulnerability and people say to me, "So the [Security Development Lifecycle (SDL)] is a failure right?" No it isn't. It was our aspirational goal that the SDL will get rid of every bug.'"

13 of 282 comments

  1. the bar is set so high. by yagu · · Score: 4, Interesting

    I sometimes have to wonder, when security is considered so important, how Microsoft has been allowed to take so long. It's also a bit funny to consider how high the bar is set that they get credit for achieving "no longer the laughingstock..." status.

    It kind of reminds me of the cell phone industry and their "high" standard where they get away with advertising braggadocio like "the provider with the fewest dropped calls". It's funny, I grew up with a phone infrastructure where I never experienced a dropped call -- granted, a less complex (wired) achievement, but had "wired" phone service been invented today, I suspect the standard would have been "less dropped calls", too... because maximized profit dominates the industries' collective motivations, not quality products.

    (Case in point... if you'd ever owned the amazing Harmony remote controls before they were bought by Logitech, they were wonderful devices -- rock solid, great feel to them... now, they're sexied up with cheap buttons, lousy feel, and questionable reliability. And get ready, Logitech just bought Slim Devices. Thought the Squeezebox was a great gadget? Better get the remaining quality ones before profit-think forges it into a cheap crappy imitation of its former self.)

    And, to save you all a little time.... mod(self, -1, offtopic);

    1. Re:the bar is set so high. by encoderer · · Score: 2, Interesting

      I LOVE how many people misunderstand what UAC is and what it will accomplish.

      I recently opined on this subject and I'd rather not retype it, so here's the copy/paste from a few weeks ago. Please excuse the parts that are obvious retorts and don't really apply here....

      1. I wasn't bashing Linux or OS X or anything else for being insecure. Well, I suppose you could say I was, but if you do, you'd have to acknowledge that I was bashing them all equally. And I certainly gave them credit for being more secure than Windows (the fence analogy, 9 feet vs 6 feet). As desperately as you want me to be, I'm not a Windows fanboy or a Microsoft apologist. If I were, you could dismiss me. I'm a realist. Just that simple.

      2. If you think that UAC is "security by annoyance" then you are not seeing the big picture! As more and more people buy new computers with Vista (which is a predetermined reality; a truly bad OS could hurt MSFT, but not in one product cycle), anyway, as people buy these computers and load up their software, you're going to see--I believe--Darwin-like natural selection occur. You're going to see Vista-friendly apps "selected" in the wild, making them more popular, which makes them more selected, and a positive feedback loop occurs.

      In a roundabout way--in a way much less destructive than your "break compatibility" suggestion--the "annoyance" of UAC has driven users to more secure software. It's actually an inspired piece of psychology meeting software. They tried to make users care about security. They've promoted things like running only at the Power User level or below, running with aggressive IE security settings, etc. But users just don't care. A computer to them is a tool and nothing more and that's that. They want to just do what they want to do. So by creating UAC prompts for bad actors and non-secure apps, it aligns the users' interest with the interest of us security-minded folks. Not brilliant, but, perhaps, inspired.

      3. Only in the beatnik granola-eating Linux world (sorry for the stereotype) can anyone take seriously your suggestion for just breaking compatibility with every app that today throws a UAC. It's just not REALISTIC. It's not even utopian. It's an under-thought solution that suggests that there's no other way to solve the problem than to throw away BILLIONS AND BILLIONS of dollars worth of labor.

      Windows is a powerful brand. But again, most users see a PC as a tool and Windows is maybe like the toolbox. A good toolbox can make your life easier. Your suggestion is to make a toolbox that none of the users' existing tools will fit into. But that would cause them to just throw out that toolbox. And they'd keep using the insecure software. What Microsoft is trying to do is point out in an in-your-face way that "the tool you just picked up is not safe to use." Over time, I find it likely that they'll replace their unsafe tools. People deep down WANT to conform, they WANT to meet expectations, they WANT to be responsible. But VERY few would just be cool with throwing out all their tools and never using them and replacing them all at once because their new toolbox said the tools were unsafe and wouldn't let them use them anymore.

      4. My point, for reiteration, is REALISM. We have a real problem. It's not just Microsoft's problem. It's the entire software industry. Very few companies are concerned with making secure software. In all fairness, this wasn't an issue until the advent of the ubiquitous high speed internet connection, which hit critical mass no more than 7 years ago.

      We have to accept that this problem exists. And we have to accept reality:

      - Microsoft is not going away. Windows is not going away. Even if Microsoft never sold another copy of Windows it would STILL be on hundreds of millions of computers for YEARS and YEARS to come.

      - Tens--even hundreds--of billions of dollars of software exists (both in-house and commercial) that relies on Administrator privs or otherwise insecure techniques. All of this software, every last byt

  2. rear-view mirror by Anonymous Coward · · Score: 5, Interesting

    Inasmuch as this constitutes any sort of admission that Microsoft products were not always exemplars of good security, it should not be forgotten that Microsoft has always insisted that they were.

    So really, they are not saying anything different than they have always said. "Back then" when their products were insecure, they insisted that their products were secure. Now, they are admitting that "back then" their products were not secure, and are continuing to insist that their products are secure.

    Why should we believe them? Once bitten, twice shy, and with good reason.

  3. not there yet by Reader+X · · Score: 2, Interesting

    I concede that MS is not the laughingstock that it once was, but they are a ways from the respect that some of their competitors of similar scale (cough*IBM*cough) have long since earned. Eliminating the repeat vulnerabilities such as the recent ANI vuln might be a good place to start.

  4. I say, set a standard by downix · · Score: 5, Interesting

    I'm thinking (in part to stroke Theo's ego a bit) set OpenBSD as the security standard out there. Every OS, compare it security-wise to OpenBSD. Put a "percentage" for how secure, then we can see hard numbers for how secure an OS is out of the box.

    --
    Karma Whoring for Fun and Profit.

  5. Re:Says who? by mpapet · · Score: 3, Interesting

    You've never noticed the Microsoft public relations juggernaut then.

    I admin a combination of 2000/2003/2003r2 boxes and there are still things that make a security-minded sysadmin's head spin.

    - The boxes *still* advertise and have a great number of open ports.
    - Root is *still* allowed remote access by default. System root, under a domain controller, still advertises itself as ready and waiting for you to log in.
    - Did I mention root remote control is still enabled by default?
    - I doubt most Win32 sysadmins have any idea of the number of undocumented systems logging in and doing who-knows-what to the system. If they configured and read their logs the way I do, at least a few of them would wonder what the heck is going on.
    - Don't get me started with their Rube Goldberg security objects system. Complex and extremely difficult to use, yet exceptions abound when trying to simultaneously harden a system and keep the undocumented features from throwing errors.

    Their security reputation has been purchased and PHBs everywhere are lulled into another false sense of security. The good news is I'll never run out of work because they require so much babysitting compared to a Linux server.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html

  6. Re:A good example - IIS by asuffield · · Score: 5, Interesting

    There are only two "Important" bulletins for IIS 6, while IIS 5 has almost 30 bulletins over the same initial time period. It is amazing how far IIS has come since that nightmare that was IIS 4.

    You do realise that you are measuring the "quality" of IIS by counting the number of security flaws that Microsoft will admit to having fixed?

    You're not counting the number of known flaws. You're not counting the number of flaws that Microsoft knows about. You're not even counting the number of flaws that they've actually fixed. You're interpreting this change in the numbers as indicating an improvement, when it might just as easily indicate that they fix fewer flaws than they used to.

    And don't forget that Microsoft has a long history of not bothering to fix security flaws until significant numbers of exploits have been noticed in the wild. We can only guess at how many unfixed flaws there are in IIS today.

  7. Re:Microsoft guy says MS's security is ok? by TheRaven64 · · Score: 5, Interesting

    SunOS was famously insecure, as was Irix. Why pick on just two vendors? It wasn't until the '90s that anyone could say 'UNIX security' without laughing. Take a look at the CVS logs from the first year of the OpenBSD project, when they first did a full audit on code, much of which dated back to the original BSD UNIX (used as a base by a lot of commercial UNIX vendors), and found hundreds of vulnerabilities. Now, OpenBSD enjoys a good reputation for security, but it's taken over a decade of continuous code auditing to get there.
    --
    I am TheRaven on Soylent News

  8. Re:Microsoft guy says MS's security is ok? by homer_ca · · Score: 2, Interesting

    Oracle is much worse. Look at archives of the Bugtraq list around the time of their "Unbreakable" marketing campaign.

  9. Re:Of COURSE they're not the laughing stock... by badboy_tw2002 · · Score: 2, Interesting

    I think the Singularity OS (interestingly enough, it's being developed at Microsoft Research) has a pretty cool model of forcing components in the system to only interact over a well-established contract. They also have the concept of installing built into the OS, such that only verified code can be built into the system. If you can't run a malicious program and it can't get out of its box, what can it do? I just wish they would release more to the public for outside analysis of their ideas.

  10. Re:Says who? by morgan_greywolf · · Score: 2, Interesting

    I just did a net view on three different DCs and the only two shares advertised by default are NETLOGON and SYSVOL. That's correct, but I'm not sure where the grandparent was talking about shares.

    Remote Desktop is not enabled by default on a Win2K3 box. You need to explicitly turn it on. In fact, even after you turn it on in the default configuration, the Domain Admins group isn't even given rights to log on and needs to be explicitly granted those rights. Uh, no, I'm also pretty sure it's enabled by default.

  11. Re:May we be... by jnf · · Score: 1, Interesting

    Putting aside that you put OS X into that list (which is at least 5 years behind the security curve), Vista is honestly on par with a hardened Linux (i.e. grsec/PaX/etc.) and OpenBSD. Over the past few years MS has actually made huge leaps towards better security, and the security of Vista shows it. You state that whether the security of Windows is yet to be seen, but you neglect that Vista has been out for about a year now, without a single critical flaw found to date, nor a single reliably exploitable heap overflow, and so on. Really, anyone who refuses to see the about-face that MS has taken is guilty of just being blindly zealous.

  12. Re:May we be... by mrseth · · Score: 2, Interesting

    Maybe I am confused, but how do you explain this?