
Microsoft No Longer a 'Laughingstock' of Security?

Toreo asesino writes "In a Q&A with Scott Charney, the vice president of Trustworthy Computing at Microsoft, Charney suggests that security in Microsoft products has moved on from being the 'laughing stock' of the IT industry to something more respectable. He largely attributes this to the new Security Development Lifecycle implemented in development practices nearly six years ago. 'The challenge is really quite often in dealing with unrealistic expectations. We still have vulnerabilities in our code, and we'll never reduce them to zero. So sometimes we will have a vulnerability and people say to me, "So the [Security Development Lifecycle (SDL)] is a failure right?" No it isn't. It was our aspirational goal that the SDL will get rid of every bug.'"
  • by Bill Wong ( 583178 ) <bcw&well,com> on Friday September 21, 2007 @11:05AM (#20696539) Homepage

    And you still can't run IE under a separate user account.
    Uh, sure you can?
    Shift-Right-Click -> Run-As -> The-Following-User?
    I do it all the time...
  • by Futurepower(R) ( 558542 ) on Friday September 21, 2007 @11:15AM (#20696689) Homepage
    Poor security [secunia.com] makes money for Microsoft because Corrupted PCs Find New Home in the Dumpster [nytimes.com].
  • The biggest problem is, of course, the HTML control.

    Until Microsoft abandons the entire "security zone" model and makes the HTML control default to a secure or "closed" state completely under the management of the calling application, Windows security will never be anything but a joke. The recent hole in Yahoo Instant Messenger, for example, is primarily Microsoft's fault... because the "security zones" should not be able to "fail open". Blaming Yahoo for not 'sanitizing' the input is nuts.

    No other HTML rendering library works this way. The two leading alternatives... Mozilla's Gecko and KDE's KHTML (and thus Apple's Webcore)... both implement a closed sandbox. If an application wants the page to have more capability, it must explicitly install hooks to grant it that capability. This way when an application renders a page using Gecko or KHTML there's no possibility of there being prepared holes to attack. In addition, when they DO install a controlled hole in the sandbox, they know that they're the only agency doing so... there's no concerns about some insecure ActiveX control in the system becoming an avenue of attack.

    Until Microsoft completely changes the API for the HTML control they won't solve their image problem, and they shouldn't expect to... because until they do this, they have a problem and the image only reflects that.

    ActiveX use in the HTML control, of course, is completely insane. Given all the layers of bandaids and patches and dialogs and settings and security levels wrapped around them, it's actually less effort to explicitly install a plugin than to open IE up to the point where you can use a "trusted" ActiveX control. They need to deprecate and eventually eliminate this.

    There are other problems, too. Applications have to parse command lines completely, using their own code to break them up into arguments and perform wildcard expansion. Both OS X and Linux use the UNIX "exec" call, which doesn't require the application to add this additional evaluation step. Many of the "URI" related holes found in applications on Windows... including several recent ones involving IE, Firefox, and Second Life... are due to this flaw in Microsoft's APIs.

    There's a second flaw in their URI handlers, and that is the inability to separate internal handlers that may expose more powerful capabilities than a sandboxed object should have access to with the ones that are designed for use by untrusted documents. The 'patch' to fix this is to try and sanitise the list of URI handlers that each application will use. This, like any other "sanitization-based" approach, is inherently flawed. They need to create a second registry that only supposedly secure applications will use... and then they won't need to worry about web pages containing links to ".CHM" files.

    (Apple, by the way, has copied this flaw from Microsoft. But at least they don't share the rest of the burden)

    The lack of a standard mechanism to bind network services to specific interfaces is a third problem. In UNIX most network services have traditionally been run from inetd, so if you replace inetd with something like xinetd or tcp wrappers you can prevent services from listening to anything but the local interface "localhost". This means that a firewall on UNIX is an extra defense, where on Windows it's the only way to keep insecure protocols from accepting connections from external sources.

    For Microsoft to get the same reputation for security that UNIX based systems have earned, it will have to correct these flaws. The easiest way, perhaps, would be for it to BECOME a UNIX-based system. It wouldn't take much; so much of the API is already inherited from Microsoft's one-time infatuation with UNIX, and they ship a subset of the UNIX API with Windows in the POSIX subsystem.

    Or, though it would be less desirable from the point of view of people who have to write portable code, they could implement their own secure APIs and make the existing ones a deprecated and eventually optional add-in.

    But so long as they keep the current API unchanged in all details, they cannot solve these problems they're faced with.
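The argument-splitting problem raised above (Windows passes a child one command-line string that the child must re-parse, while a POSIX exec passes argv as a vector) is easier to see in code. The following is an added example, not part of the original comment or of any Microsoft or browser code: a Python model of the classic CommandLineToArgvW quoting rules, applied to a hypothetical URI-handler registration. The `browser.exe` path, the `-url` flag, the `%1` template and the `evil://` URI are all invented for illustration; the template shape (a single string with `%1` substituted) is the only thing taken from how Windows registers handlers.

```python
"""
Windows hands a child process one command-line string and leaves the split
into argv to the child (CommandLineToArgvW / the C runtime), whereas POSIX
execv passes argv as a vector.  This added example models both paths for a
hypothetical URI-handler registration so the difference is visible.
"""


def parse_windows_cmdline(cmdline: str) -> list[str]:
    """Split a command line with the classic CommandLineToArgvW rules.

    - whitespace outside quotes separates arguments
    - a double quote toggles quoted mode (and is dropped)
    - 2n backslashes before a quote -> n backslashes, quote toggles mode
    - 2n+1 backslashes before a quote -> n backslashes plus a literal quote
    - backslashes not followed by a quote are literal
    """
    args: list[str] = []
    cur: list[str] = []
    in_quotes = False
    have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (nbs // 2))
                if nbs % 2:
                    cur.append('"')          # escaped literal quote
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * nbs)       # plain backslashes (paths)
                i = j
            have_arg = True
        elif c == '"':
            in_quotes = not in_quotes
            have_arg = True                  # "" yields an empty argument
            i += 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args


# Hypothetical handler registration of the shape Windows keeps in the registry:
# one string in which %1 is replaced by the URI before the child is spawned.
HANDLER_TEMPLATE = r'"C:\Program Files\Browser\browser.exe" -url "%1"'

# The same handler expressed as an argv vector, as a POSIX-style exec would use.
HANDLER_ARGV = [r"C:\Program Files\Browser\browser.exe", "-url", "%1"]

# Constructed hostile URI: the embedded quote closes the "%1" quoting early.
HOSTILE_URI = 'evil://x" -extra-flag "C:\\payload'


def argv_via_windows_string(uri: str) -> list[str]:
    """What the handler sees after Windows string substitution and re-parsing."""
    return parse_windows_cmdline(HANDLER_TEMPLATE.replace("%1", uri))


def argv_via_exec_vector(uri: str) -> list[str]:
    """What the handler sees when %1 is substituted into one argv element."""
    return [uri if a == "%1" else a for a in HANDLER_ARGV]


if __name__ == "__main__":
    print("string path :", argv_via_windows_string(HOSTILE_URI))
    print("vector path :", argv_via_exec_vector(HOSTILE_URI))
```

Run stand-alone, the string path yields five arguments (the attacker's `-extra-flag` and its value arrive as separate argv entries the handler never registered), while the vector path yields three, with the whole URI, quotes included, as a single argument. The parser is a simplified model: real CommandLineToArgvW treats the program-name token specially and later C runtimes added a `""`-inside-quotes rule, so exact results differ by version, which is itself part of the problem the comment describes.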
  • by Toreo asesino ( 951231 ) on Friday September 21, 2007 @11:20AM (#20696771) Journal
    See for yourself:

    SQL Server 2005 - http://secunia.com/product/6782/?task=advisories [secunia.com]

    IIS6 - http://secunia.com/product/1438/?task=advisories [secunia.com]

    Vista too is looking good so far too, but it's very new, and only time will tell - http://secunia.com/product/13223/?task=advisories [secunia.com].
  • Re:Says who? (Score:1, Informative)

    by Anonymous Coward on Friday September 21, 2007 @11:27AM (#20696849)
    -Root is *still* allowed remote access by default. System root, under a domain controller, still advertises itself as ready and waiting for you to login.

    What exactly do you mean by remote access? Are you talking about Remote Desktop being enabled by default? AFAIK it is disabled by default in Windows Server 2003. If you aren't talking about RDP, can you please elaborate what you mean by "remote access"?

    And what about a domain controller advertising itself? First of all, Windows Servers are not domain controllers by default. You either have to create a domain or promote a server to be a domain controller. Second of all, I don't know what you mean by advertising itself, other than some type of NetBIOS broadcasts on the network? As far as the server "waiting for you to login", that's the point of a domain controller. And it's not like anyone can just randomly log into the domain controller without proper authentication. Workstations/servers are required to join the domain using an account with proper credentials (at least "server operator" group I believe). If a computer is trying to access domain resources without being on the domain, they are still required to be authenticated.
  • Moron hat for me... (Score:2, Informative)

    by tjstork ( 137384 ) <todd DOT bandrowsky AT gmail DOT com> on Friday September 21, 2007 @12:32PM (#20698027) Homepage Journal
    Here's what it is. Right-clicking the desktop icon for IE brings up IE's properties, not the IE process's properties. But if I do it on the icon for IE's shortcut on the taskbar, then yeah, I can run as another user. Not too shabby, MS.
  • Phone Quality (Score:5, Informative)

    by PackMan97 ( 244419 ) on Friday September 21, 2007 @12:54PM (#20698409)

    It's funny, I grew up with a phone infrastructure where I never experienced a dropped call -- granted, a less complex (wired) achievement, but had "wired" phone service been invented today, I suspect the standard would have been "fewer dropped calls", too... because maximized profit dominates the industries' collective motivations, not quality products.


    What's really funny is that 20 years ago, wired long distance carriers were waging advertising battles over who had the clearest call. Sprint's "Pin Drop" ads probably set the bar in this respect.

    So, while you take the wired phone service for granted, it hasn't been that long since call quality was a very important part of a consumer's purchasing decision.

    Go back another 20 years to the '60s and you still had a significant portion of the phone network that was manually switched by human operators.
  • Re:Says who? (Score:2, Informative)

    by dave562 ( 969951 ) on Friday September 21, 2007 @03:03PM (#20700587) Journal
    Uh, no, I'm also pretty sure it's enabled by default.

    It's a good thing that you're not totally sure, because then you'd be TOTALLY wrong instead of just PRETTY wrong.

    http://www.windowsdevcenter.com/pub/a/windows/2004/05/04/serverhacks_remote.html

    From reading the above article it's clear that remote desktop isn't enabled by default and if you ship out a server to a remote location without enabling remote desktop, you have to do some registry tweaking to enable it.

  • Re:rear-view mirror (Score:3, Informative)

    by Jerry ( 6400 ) on Friday September 21, 2007 @03:51PM (#20701385)
    Especially in view of these results, where Microsoft's "OneCare" detected only 90% of new malware thrown at it:
    http://www.av-comparatives.org/seiten/ergebnisse_2007_08.php [av-comparatives.org]

    Those results are an improvement. The March results had them finding only 82%. Meanwhile, much more viable commercial products are around 99+%. Still, even for them, letting 50 out of every thousand bugs in doesn't say much about their security, even if OneCare is so much worse.
