Probably the biggest problem MS face is that they are the biggest target for hackers! Of course, when they release a patch, it not only provides the fix but also advertises the bug to potential hackers (a bit of a catch 22).
Naturally, if this fix is not easy to implement they are probably making matters worse!
>Probably the biggest problem MS face
Secure software is not retro engineered to be secure - it is built from the ground up. The biggest challenge Microsoft faces is learning how to build it secure in the foundry and not after the software has been on the web for a couple of years.
Microsoft's legacy of adaptation instead of innovation will haunt them for decades.
My understanding is that MS stay at the forefront of technology by releasing software as soon as possible - perhaps not the most dependable strategy with regard to quality!
Great post Brett...
I exploited a security hole for Mac's Microsoft Office X. Funny part, the hole had to be intentionally put there. Microsoft Mac Development (MACBU) tried to blow it off as nothing. I pushed further to exploit the hole through another forum... where I knew a MACBU programmer hung out... I got their attention and a personal call. :) After I sold out to some free goodies... I closed my mouth.
The next major update after the first release... the hole was patched. I believe they were banking on the new users of Mac OS X not knowing much about the unix based OS, and used that to do their snooping around. Who knows? I still keep my eye on them.
Microsoft has a history of legal issues surrounding their security and their ability to nose around. Even if they say they do it to learn how to provide better tech support or product development (bah!)
A history like theirs... who would trust them?
Being known for holes, and many exploits in their NT software that they won't fix (or can't) they will always be open to hackers.
How to fix 95% of all problems:
Dear Software Engineering Staff,
It is the policy of Micro-Software Company, Inc. that from this day forward, any software which uses any buffer that can be populated by a variable-length data string shall perform bounds checking upon that buffer, and shall discard any data which overflows or underflows the bounds of that buffer.
This software feature shall be explicitly verified at all software critical design reviews, and again before any software is released to any publicly-accessible distribution channel.
Failure of software engineering personnel to conform to this policy will result in immediate termination - and revocation of all outstanding stock options.
|Probably the biggest problem MS face is that they are the biggest target for hackers! |
As a security consultant, I'd have to disagree. MS's code is significantly less secure than its competitors.
MS's development strategy is always to "let the computer do the work". In other words, they consistently move in a direction in which code gets bloated etc, but features can be added easily. This is a much different approach than the traditional UNIX squeeze-it-to-the-last-bit mentality. MS's approach is not inherently bad: they have produced, in many areas, but especially the most external ones (UI for instance) very rich features. It's just their focus is on the externals, not the internals.
What's more, they are very focused on integrating the Internet with the Windows desktop. Thus, IE and Outlook are very integrated with each other and with the Windows system, much more than let's say Opera and Eudora. So there is a lot of interaction between these components, and thus greater potential for vulnerability. IE is designed to easily run mobile code on the system through a variety of ways (like ActiveX) - it's hard to get Opera to do the same.
I don't directly fault MS on these decisions. It's a question of which is more valuable to the user (consumer): rich featureset and UI, or internal robustness. Integration or privilege separation. People vote with their pocket books, and so far, people have voted for MS (although that is beginning to change...).
What I must blame MS for, and quite adamantly at that, is their arrogant, and even downright deceptive, attitude towards security. Whereas most other companies attempt to publicize security issues (Netscape, for instance, will give you a reward if you find a bug), MS does everything it can to downplay them. Every advisory they release has a big section called "Mitigating Factors", where MS tries to convince you not to be scared. Some of the "factors" are outright ridiculous if you read them! Why do they do this? Shouldn't they be trying to convince people of the need to patch, not the other way around!
They also refuse to give credit to the discoverer if they don't like them. I know of no other company that does this! The recent critical update to all Windows (discussed on WebmasterWorld), for instance, was discovered independently and released via iDEFENSE (a security company, not related to my company [qDefense]), and reported to MS, yet MS refused to credit them.
And, with MS being by far the least secure platform, they have the audacity to advertise the security of windows as a feature over other platforms. It's the ol' if-you-lie-enough-they'll-believe-it plan. (But at least here, it doesn't seem to be working - Windows is getting a well discovered reputation for lacking security)
Correct that MS won't give credit where credit is due. I spent many hours talking with them, and explaining how I was able to shut down the exploit I discovered. I am by no means a professional programmer or security consultant - but the time I invested would have been better enjoyed with some credit. The free stuff handed to me (anything I wanted) was nice... but... credit for the find would have done me good professionally.
Anyway... that is M$
Like most large companies these days, MSFT is more about marketing than making good products but at least they don't outsource all their development overseas, or do they?
I don't trust this windows machine to operate for more than 3 days at a time without a major crash, course that's better than WinME where the max was about 3 hours.
It's the same old stability vs. user interface issue. The real problem M$ will face will be when the open source community catches up with them in the interfaces but M$ has been smart in this by pushing forward their own "Proprietary" technologies (by using their market position). The only amazing part for me in this article is that 1/4th of security experts think M$ products are secure?
>I don't trust this windows machine to operate for more than 3 days
I reboot at least once every 5-6 hours. More if I am running very many Microsoft apps like IE, media player, or office.
If I'm just running Opera, Open Office, and some non-MS email apps, I reboot about twice a day.
You actually got ME to work?
After tinkering for 2 days with ME on one PC, we gave up and then had a running battle to get a refund (from the retailer)... It kinda put me off buying MS products for life.
But I just love it when someone comes into the office with a "web site built using Publisher!" :0
I wish I could find the (now who was it Ford or GM or are they, oh well...) reply to MS.
I'm not too big of a blog reader, but this one is fascinating:
I don't want this to go in the direction of Mac vs. PC (so let's not go there - smile)
Directing this at Security and Stability - Why don't more IT professionals look to Mac OS X? The Unix based OS has a lot to offer. Unix is a more secure solution. Even our military and government are making the change. So how does OS X measure up with IT professionals?
|If you have configured your system correctly and are compulsive about applying your vendor's security patches promptly, a typical Unix system will be more secure than a typical NT system. However, you also have to factor in the experience of the people running the server host and software. A Unix system administered by a novice system administrator will be far less secure than an NT system set up by a seasoned Windows NT system administrator. |
Servers and OS. I like the directions OS X is moving in contrast to Windows... especially when it comes to security. I personally try to keep my Mac M$ free to reduce security problems. I keep my PC a PC and keep anything personal off my PC.
A programmer friend of mine once remarked that Microsoft Windows in particular was never really built on good foundations to start with. 3.1 had more bugs than features and what is often called an 'update' is really a nice way of saying "Er.....we messed up". However, one can compare software development to engine building really. You HOPE you got the crankshaft specification right, and then months later when you add the supercharger, you discover the crank can't handle it.
To be fair, they do the best they can based on what they know and perhaps a few hunches thrown in. The biggest problem is that Windows now occupies a whole gigabyte and with such a complex system, things inevitably go wrong. Finding the cause is often a nightmare. Mind you, one could always go back to Dos, or better still 'format c:' - no clutter and a very stable system. Maybe that's why I still drive my VW Beetle....
|I reboot at least once every 5-6 hours. |
I am not going to defend MS security (or lack), but I just don't see rebooting happening around me or with any of my machines. I constantly run 40 to 45 services - Homesite, Dreamweaver, Outlook, Access, 3 or more instances of IE and often Enterprise Manager at the same time. I am running with 640 MB of RAM and Windows 2000.
In my old office the only people rebooting were using ME or 98. It just did not happen.
I shut my computer down on Fridays... just to be safe.
There was a side issue in the report too:
|administrators lacked...the confidence that a patch won't bring down a production system |
This is so true! Not only is it difficult to have the confidence in the original product's security, with any MS patch there is also a significant concern about what else the patch could break/alter/remove.
Patching MS systems always feels like a leap of faith.
I don't trust the company...
Forget the anti-trust issue...
Forget the general sliminess...
They eat their own...
I'm a self taught NT 4 MCSE. Admittedly, I was a paper MCSE, but I did it when working tech support. I didn't take a class, the study guides didn't exist at the time, I read the Resource Guides. Read the Win95 guide 2-3 times, the NT 4 guide once (all 6 books), busted ass to get my cert.
However, they didn't vary the questions, and courses were able to teach to the exam.
They didn't bother fixing the exams, instead they announced that they would kill our certifications about 2 years before we expected them to. It was understood that NT 3.51 would go away when NT 5 was released, and NT 4 would go away when the next one came. Well, they killed NT 3.51 when Win2K came out, and announced that NT 4 would die in one year.
Now, if I had invested $15k getting certified, I'd have been even more livid than I was as a college freshman that invested about $900 (did 5 tests in high school/senior summer, 1 in college).
The thing was amazingly bloody. The ease of certification was a BIG part of how quickly MS ate Novell's market. The MCSEs were their troops in the field busy replacing Netware servers with NT Servers. When we stopped being convenient, they threw us on an upgrade treadmill. Might as well get all those raises and bring them straight into Microsoft's pockets, huh?
At the time, an MCSE was worth approx. $10k/year. With certification costs costing most people $15k, a three year cycle doesn't really work out.
The process was amazingly bloody, and Microsoft backed down. They decided that something like NT 4.0 MCSE forever.
In the mean time, I wonder how many betrayed MCSEs decided to invest the money learning Linux and start replacing NT Servers with Linux servers?
Microsoft MCSE NT 4.0, Citrix Certified Administrator - MetaFrame 1.8
typed on a Powerbook G4 while making some tweaks on my OS X Server and a Linux Server... the other Linux servers and the OpenBSD servers are doing great... We're about two ways from finishing our conversion of a newly acquired company's software from MS SQL + IIS + ASP to PostgreSQL + Apache + PHP. That's about 3-4 SQL licenses + Win2K Server licenses that they won't sell for their clients in the next few months.
Every little bit helps, but I've been busy removing NT Servers instead of upgrading them for a while, and I hope that other burned MCSEs are doing the same.
Hey guys, I'm not sure what OS you are running or what level of hardware you have but machines crashing and needing a reboot twice a day?
What type of work are you guys and gals doing, have you thought about upgrading your hardware? a little more ram might help or perhaps better quality?
I know MS aren't great and I agree with the posts about ME (waste of time) but I've run 2000 and XP without having to reboot twice a day!
It could also be that I do very little DB work, when I do I have to stop everything but then the db has over 500000 records. The rest DMMX, Flash, photoshop.
Hey, I agree on the rebooting thing. I run [gasp!] Win98 [don't say anything ;)] and my PC can easily run for several days without a reboot. IMO Internet Explorer is the biggest source of crashes - if I use other browsers I'm fine.
>Secure software is not retro engineered to be secure - it is built from the ground up.
That is true, but Moore's law makes it impossible to design large systems this way.
Even on 12 month projects, by the time you are ready to test, there is usually a better/more secure way of designing it.
.NET is engineered to be secure from the ground up. Each program that is run has certain rights that are separate from the rights of the person running the program. These rights can be controlled on a procedure by procedure basis.
I would bet money that Microsoft is busy re-writing most of their programs using .NET.
Xoc, don't remember where I saw it, but there was a news item (maybe on cnet?) about how a Microsoft site built using .NET revealed its source, including passwords to the database, due to a "debugging feature" in .NET.
This was on a production Microsoft website!
More bad news for security..
Windows crashes costing £1.1 Billion p/a
Vulnerabilities found increase by 81.5% on 2001
Lack of testing & lack of early planning blamed.
Oh, I don't doubt that there are security holes in .NET. Just that the infrastructure is built with security in mind. That means that there will be far fewer of them, especially after the initial shakeout, and they will be easier to patch.
Just due to the fact that .NET string data type doesn't allow buffer overflows will kill more than half the security holes.
|Microsoft Windows in particular was never really built on good foundations to start with. 3.1 had more bugs ... |
Of course! It was based on MS-DOS which IBM had to rewrite after finding a couple of hundred bugs in a couple of thousand lines of assembler.
And good old Bill didn't write the DOS code, he licensed it from another Seattle guy, then sold it for what it was worth -- cheap, under $50 a copy -- when CP/M went for a few hundred.
Um, I had friends at Microsoft who worked on DOS and OS/2. They uniformly complained about the crappy quality of the code coming from IBM.
Xoc, sure, on later versions after Micro-soft hired some folks who knew what they were doing. Remember the nick of the first version? Q-DOS, "quick and dirty operating system."
As much as I don't like MS products, to be honest I wouldn't want to be in their shoes. They have a gigantic universe of users working with systems that are based -- however indirectly -- on legacy systems in turn based on assumptions that were made more than 30 years ago. If they couldn't envision more than 640K of RAM (remember HIMEM.sys), how could they foresee the advances that have led to so many people being interconnected for so many hours of each day and the security problems that would run rampant?
To me it's almost a miracle that the whole house of cards hasn't come tumbling down much sooner.
If 90% of the cars on the road were made by Toyota, you would see the headline: "Study Finds Most Fatal Crashes Involve Toyotas."
It's statistics, folks.
And everything I've read here so far is devoid of hard facts.
Plus, if MS's security is so bad, where are the big disasters?
Outside of the denial-of-service attacks that got a lot of press a couple of years ago what's happened?
Most IT crimes are inside jobs. Somebody's paid to leave a system vulnerable or sells a password.
The myth of the mad hacker diverting funds to a Swiss bank account is crap.