Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Microsoft

Microsoft Blasted For Lax Security 402

fducky writes "Once again Microsoft is blasted for lax security. This CNN article cites experts denouncing the recent Microsoft security efforts as rating an 'F'. The recent MS-SQL worm got this most recent round of MS bashing going. Google News has more stories on the subject."
This discussion has been archived. No new comments can be posted.

Microsoft Blasted For Lax Security

Comments Filter:
  • there was a post like this, well I'd be richer than Bill Gates himself.
  • by Anonymous Coward on Saturday February 01, 2003 @01:19PM (#5204707)
    While it is stupid of MS not to update their own servers, you can't blame them for the SQL worm. They issued a patch months ago...it's no one's fault but the server admins.
    • by Znonymous Coward ( 615009 ) on Saturday February 01, 2003 @01:40PM (#5204879) Journal
      How can you keep up with so many updates [microsoft.com] most of wich require a reboot.

    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Saturday February 01, 2003 @03:01PM (#5205316)
      Comment removed based on user account deletion
      • But a service pack is _WAY_ different then a hotfix/patch. Services packs do need to be tested a lot because many times there are changes in functionality. A hotfix (released in Jul for this particular problem) has never (to my knowledge at lest) changed anything. So sure, you have to reboot, but that's the only excuse for not installing a patch right away... but months later?
        • But a service pack is _WAY_ different then a hotfix/patch. .... So sure, you have to reboot, but that's the only excuse for not installing a patch right away... but months later?

          OK: Let's me get this straight:

          • MS publishes their hotfixes with a warning that they may break things and you should only install them if you're having problems;
          • Sysadmins are at fault for not ignoring MSs warning and blindly installing all hot-fixes immediately
          • If you'd blindly installed all MS hotfixes, you might break earlier hotfixes
          • Service Packs are mostly just rolled-together hotfixes, but they are known to wilfully break things;
          • Despite MS warnings to the contrary, Service Packs need regression testing but hot fixes don't.
          A hotfix (...) has never (to my knowledge at lest) changed anything.
          • The hot fix that would have blocked code red was undone by a later hot fix.
          • The hotfix that would have blocked slammer was at risk of being, itself, slammed by a later hotfix installed in the 'normal' way.
          • MS's own servers were broken by the slammer virus.
          Just how much knowledge do you have, anyways?
    • by realdpk ( 116490 ) on Saturday February 01, 2003 @03:24PM (#5205464) Homepage Journal
      Heh, did you read the article? No, you didn't.

      A recent patch sent out in October actually made the servers vulnerable again. So if you patched with the old patch, and then the one in October, you were screwed.
  • by kumar303 ( 646540 ) on Saturday February 01, 2003 @01:21PM (#5204720) Homepage
    doh! from the CNN article: "The single largest message is: keep your system up to date with patches," Microsoft Chief Security Officer Scott Charney said. But the philosophy of patching is fundamentally flawed and leaves people vulnerable, Cooper said. For example, Microsoft didn't follow its own advice as executives confirmed that an internal network was hit by the worm.
  • by Anonymous Coward on Saturday February 01, 2003 @01:24PM (#5204741)
    I thought the MS-SQL worm worked in a very secure fashion. The servers offered a service, client worms connected and used it just as the software was designed. What's the problem? All it generated was traffic. From the network's POV, is it really any better if that traffic is /. commentary or pr0n? Or CNN stories?
    Also, during the height of worm activity the XP activation servers failed in a secure manner - that it, rather than allowing people to use unlicenced copies of XP willy-nilly, they erred on the side of caution. Note that from Microsoft's POV this is a secure failure mode, and is BY DESIGN.
    They're doing exactly what they set out to do, just as they always have. A CNN story won't affect that.
  • by amigaluvr ( 644269 ) on Saturday February 01, 2003 @01:25PM (#5204745) Journal
    I hate to break it to you but Microsoft is popular, and hence they will be all the more targets of these worms. Every tiny fault will be implemented, and all operating systems have these.

    When another OS is popular, you'll see it happen to it too. I believe nobody is immune, only the popularity decides what is a vector for transmission

    Not necessarily bad coding or seciryty. Many other operating systems could be almost said to be 'hiding' in their obscurity

    Security by obscurity is no defence.

    Look at a recent article on Macintosh virus attacks. They used to be none-existent. Now with OSX they are up to half as common as Microsoft.

    And apple still only has a minor market share. That bares thinking about
    • However, security by obscurity is basically shoving your head in the ground and not seeing any problems. Just because Microsoft doesn't tell anyone about a number of problems doesn't mean that word doesn't get out. I mean, how many people outside of the MS development team can easily access/acquire the source code to Windows so they can find the existing problems?

      Let's have less security through obscurity and more security through actual security and proper maintainence.

      Kierthos
      (Yes, it's probably a pipe dream, I know.)
    • by JanneM ( 7445 ) on Saturday February 01, 2003 @01:42PM (#5204895) Homepage
      This is certainly a relevant point.

      Look at webservers, however. Apache is twice as popular as IIS, and yet there are several times more security issues with IIS than with Apache. That can not be explained by relative obscurity.
    • by Daniel Dvorkin ( 106857 ) on Saturday February 01, 2003 @01:44PM (#5204908) Homepage Journal
      The "popularity defense" has some validity when you're talking about "general-purpose" viruses, particularly those that spread by e-mail, because Windows/Outlook really is far and away the most common OS and e-mail setup. But when you're talking about this kind of thing, it's bullshit. MS SQL Server is not the most popular DBMS, and MS IIS is not the most popular Web server -- and yet both are hit far, far more often than the market leaders (Apache in the second case, not sure about the first -- I think Oracle and DB2 trade off for the top spot.) And really, the number of regular Windows/Outlook viruses is out of proportion even to their popularity: their market share is about 95%, but their share of the virus market is more like 99.99%. (And if you have statistics to the contrary, you'll have to better than "Look at a recent article ...", sorry. That's about as credible as spam that starts out, "This program was featured on a major news show!")
      • Well if I have to do your research for you I will, take a look at this then

        http://news.zdnet.co.uk/story/0,,t269-s2129682,0 0. html?rtag=zdnetukhompage
        • Well if I have to do your research for you I will, take a look at this then

          http://news.zdnet.co.uk/story/0,,t269-s2129682,0 0. html?rtag=zdnetukhompage


          If you were posting this to say that SQL Server is more popular than one thinks because some small vendors bundle SQL Server stuff in thier product means "diddly squat". Oracle and DB2 have a much bigger market in other vendor's software. That is not research.
      • Looks like we have the "Microsoft" moderators here again. Within a couple of minutes, every pro-Microsoft comment, no matter how off topic or mundane was modded up and sensible anti-Microsoft comments modded down.

        The parent comment makes a valid point, it should be modded up to match the +3 score of its parent.

        • "Looks like we have the "Microsoft" moderators here again."

          See told you, my comment gets previous modded down, even though pointing out an interesting post is clearly on-topic.
    • by EvilTwinSkippy ( 112490 ) <yoda@NosPAM.etoyoc.com> on Saturday February 01, 2003 @02:18PM (#5205076) Homepage Journal
      In nature an acre of land can have species of flora ranging from moss to trees. We took down the trees and replaced them with one plant, say wheat. That wasn't good enough. We had to have only the [desirable adjective] wheat, so we only planted one strain of one species of wheat. Now, we are so bent on repeatability that isn't even good enough, so we are planting acres of clones of the same imdividual plant.

      Now if that plant had any vulnerabilities to disease, you are hosed. All of the fields of this same plant are going to die in exactly the same manner at exactly the same time.

      Meditate on this, Grasshopper.

    • Look at a recent article on Macintosh virus attacks. They used to be none-existent. Now with OSX they are up to half as common as Microsoft.

      and 3/4 of all numbers supporting an argument are made up on the spot.

      Microsoft's problem is that they have blurred the distinction between the OS and applications. They received a boost to performance and ease of use, but are paying a cost in massive internal complexity.

    • You're right. People are the problem.

      I don't do Windows but I would assume that they've got a procedure that's as easy as "apt-get update ; apt-get upgrade" in their more recent offerings. I don't know if they ship their systems with sensible defaults on their services (IE: Disabled by default or listening on the localhost interface only if the OS really needs them.) One thing they're still doing wrong is allowing people to run with full administrative privilidges. They need to force people to run under a limited user level account, force (at the very least) the administrative side to have a password and if the user side has a password, prevent the user and administrative password from being the same.

  • Besides the one recent example of the SQL worm cited in the article, CNN made no mention of other security problems. This isn't to say that they aren't there because they obviously are, but it just seemed like they based their whole thesis of security shortcommings on one recent incident. It would have been nice to see some kind of list, or maybe a timeline of sorts with other MS security flaws. The article seemed like some kind of publicity plug for "TruSecure Corp."
    • by bourne ( 539955 )

      It would have been nice to see some kind of list, or maybe a timeline of sorts with other MS security flaws.

      That would be here [microsoft.com].

      it just seemed like they based their whole thesis of security shortcommings on one recent incident.

      I think it has more to do with the anniversary of the Trustworthy Computing [wired.com] effort within Microsoft. It was a year ago that the Bill announced that security was their new focus, that all the software engineers were standing down for a month of no new code, just security bug-finding and bug-fixing. And there have been recent announcements reiterating this sort of "commitment".

      Mind you, this worm is a poor example of Microsoft insecurity. Not only was there a patch out, but it was SQL - any admin who didn't have it patched should at least have had it firewalled. But the timing of it points out that Microsoft has had many years of insecure feature-oriented software engineering to go back and fix up, and that their "new direction" has a lot of inertia to overcome.

  • by sterno ( 16320 ) on Saturday February 01, 2003 @01:33PM (#5204807) Homepage
    Okay, I'll be the first to bash Microsoft and say that their security sucks. I'll be the first to say that their initative to improve security is marketing smoke and mirrors. But let's give them a real chance to prove this to us. The vunerability that caused the Slammer worm is one that they actually found and fixed a long time ago. This is admins not doing a good job of keeping up to date and fixing problem.

    Furthermore, the product that was compromised is legacy from before their big embracing of security. Let's see what happens with its next major release. If that still had big gaping problems, then we can hang them from the tallest tree.
    • by PotatoHead ( 12771 ) <doug@NoSpAM.opengeek.org> on Saturday February 01, 2003 @02:39PM (#5205183) Homepage Journal
      because they have had enough already.

      Anyone with that much money in the bank can damn well afford to produce products that actually are best in class. They are number one right now, but clearly do not deserve to stay there when we know there are better and cheaper ways to do things.

    • by EvilTwinSkippy ( 112490 ) <yoda@NosPAM.etoyoc.com> on Saturday February 01, 2003 @03:04PM (#5205330) Homepage Journal
      So at what point is ragging on them about security going to be appropriate to you then? Last I checked they have an uninterrupted loosing streak going all they way back to winsock for WFW 3.11.

      PS, that was 10 year ago.

      You don't wake up one morning and decide to be security minded. That's like waking up one morning and deciding to be a ninja. Martial arts are a way of life, and the mindset required comes only after years of study and commitment.

      Microsoft's problems are a result of years of neglect and malpractice. You don't get to be that bad overnight. It takes work. Knitting a web browser into an operating system took effort. Knitting an LDAP directory into your domain security model, tied into your DNS and DHCP servers took effort. Creating a sytem by which you can embed executable commands into an office document took work. Making sure that your office document could execute command in your email client took work. Intermingling your email client with the server so that they are passing executable code back and forth took work.

      Meditate on this, Grasshopper.

      • It is all very well blaming the MS programmers for these holes - and some of that is justified - but several of those points you make were policy decisions made right at the very top by His Billiousness for non-technical reasons.
        Embedding the web-browser was done to screw Netscape by inserting a replacement which could not be removed (even though early versions could be).
        Other decisions here will have had similar backgrounds.

        Under these circumstanced, 'Trustworthy Computing' is nothing but a PR exercise. Correcting design errors like that is an impossible job. I believe that the original NT security model was fundamentally sound, but the add-ons have killed it. MS show no signs of learning this, XP is more bloated than ever.

        The *nix model of discrete components which can be installed separately when required, or replaced by other components which do the same job (sendmail/postfix ) is simply safer. An additional advantage is that there is no 'standard configuration' which Virus/Trojan writers can assume present, not that that would have helped with a one-component worm like this one.

    • by Tom ( 822 ) on Saturday February 01, 2003 @03:33PM (#5205521) Homepage Journal
      They've had a year. Have you seen any noticeable increase in windows security? Neither have I.

      Let's see what happens with its next major release.

      If the car you're driving is known to spontaneously explode when the wrong song is played on the radio - would you also continue driving it and wait for next years model?
  • by petabyte ( 238821 ) on Saturday February 01, 2003 @01:33PM (#5204811)
    Now while I'm no fan of MS, do we really need to have stories everytime someone accueses Microsoft of having poor security? Might as well dedicate an entire section of Slashdot to their exploits. At least then I could turn it off in my preferences.

    And while there are plenty of problems for Microsoft to fix in their code - IE has plenty of unresolved issues - this issue was in large part due to System's Administrators. Let's let is slide that they were "just waiting for the next service pack to come along" so they could update and patch everything. I don't buy that as a good policy for maintaining system - if a patch is out and can be applied, use it. And why leave SQL systems on the internet without some sort of firewall or some sort of protection. If it has to be on the Net, why does it not have every possible security patch applied to it?

    I'm sure there are some valid reasons for having your system protected from this bug but in large part Admins dropped the ball.

    But thats my $.02
    • but ... what if this patch breaks your important system???? what is common for ms patchs....
      then you get f*** for taking down a working system and you can never prove you had done something necessary
      if you can't trust the patches you have to wait 'till you have feedback from other users
      that means to have to check for every patch in combination to every applications you use
      at many points it is even easier to "drop the ball" and reinstall after something happened
    • by trentfoley ( 226635 ) on Saturday February 01, 2003 @02:08PM (#5205036) Homepage Journal
      While I agree that there is rarely a reason to place a database server on the public internet, I take issue with your statement that it was in large part due to System's Administrators.

      Patches from Microsoft are not like patches from the OSS community. You don't get to see the code changes and don't know what the Microsoft patch will do and there is no way to know without trying it in a test environment. Ask around and see how many admins have been burned by applying a service pack or hot fix on a production machine even after testing it out in a lab! Microsoft patches are notoriously flawed and impact areas of operation that seemingly have no correlation to the bug being fixed.

      So, this particular bug was published six months ago. Is six months long enough to fully test an amorphous piece of software? Maybe if we had the source code, we would know what to test. However, without the source, we have to test everything. Because, you never know what other piece of code Microsoft is going to throw in.

      • And all OSS sysadmins have both the time and the experience to look over all the patches for their servers. Riiiiiiiight

        Sorry, but I know plenty of Linux sysadmins. All of them take the same basic method for patching I do: Try it on a test system, if it works, apply it to all the systems. None of them, even the ones that are programmers too, have the knowledge to dig through the code to figure out precisely what it does. What's more even if they did have the knowledge, it would help at all. It's not like there is going to be something glaringly obviously wrong in the patch. If it causes problem it will be because of an unforseen interaction between something they happen to be running and the patch. This isn't something you can see just by looking at the code to the patch.

        IT seems that OSS people get a real warm, fuzzy feeling from being able to get the code. Fine, but you need to realise that 99.% of the time it doesn't matter because you lack the skill, time or both to evaluate it. Are you honestly telling me that you looked at ALL the code on your system? I mean all of it, every program, every module, every driver. Then can you further say that you understand it all, it all makes sense and how it works together? Of course not. I am sure by and large you just use it and don't give it a second though.

        Really the only way to test a new patch is to try it on a test server. Even if you have all the code to the whole system the amount of time and skill necessary to fully analize all of it just isn't worth it compared to quick, emperical testing espically when it's possable that you can miss something (after all if the patch just came out it's obvious that everyone else missed this before now).

        But what REALLY pissess me off about this whole thing is that you should NEVER have your SQL ports open ot the Internet. Ever. Period. There is no reason. YOu need to access it remotly? Fine, VPN. Ideally, database servers should run on a private, firewalled internal network. If this isn't workable, then on seperate firewalled servers. If they have to run on teh same server as the web server because of money (and I can understand that) then the server needs to have a firewall on it. I don't care what SQL server you use, this holds true. It is not something for public access.
    • by legLess ( 127550 ) on Saturday February 01, 2003 @02:10PM (#5205048) Journal
      Actually, no - perhaps you should have read the article before trotting out the tired, old "Blame the sysadmins" line.

      Don't get me wrong - the sysadmins certainly have some responsibility. At the end of the day, they're paid to keep the system running. If the system isn't running, they're not doing their job. Ergo.

      However, many people smarter than me (e.g. Bruce Schneier) have pointed out that Microsoft's patch policy is completely bankrupt. From the article:
      "Microsoft was completely hosed (from Slammer). It took them two days to get out from under it," said Bruce Schneier, chief technology officer of Counterpane Internet Security, a network monitoring service provider. "It's as hypocritical as you can get."
      Another quote from the article:
      In October Microsoft released a fix for a different SQL Server problem that if installed in the expected manner would have made patched systems vulnerable again
      So here you have a vendor who:
      1. Can't keep their own systems patched, even 6 months after the fact.
      2. Issues patches that break previous patches.
      How exactly are you supposed to stay on top of this? Re-test the system for every previous vulnerability after every single patch? While in an ideal world you'd say, "Yes - roll the patch out first on a test system and make sure it fixes the current issue and breaks nothing else." you'd have to be smoking crack to think many people have the manpower or time to do this.

      The core issue here is that Microsoft has built its software with very little attention to security, and you can't make up for that with a month or two of "security consciousness." They've explicitly sacrificed security at the altar of market share, and now it's coming back to bite them (and all their customers) in the ass.
      • by Arethan ( 223197 ) on Saturday February 01, 2003 @03:01PM (#5205315) Journal
        How exactly are you supposed to stay on top of this? Re-test the system for every previous vulnerability after every single patch?


        Actually, yes. This is called regression testing, and it's pretty common in the software industry. Not only are security holes quite often the result of a bug, but their behavior is quite similar to a bug. Either it is fixed, or it isn't. The same script kiddie code won't affect a successfully fixed security hole, even if the fix opens up a new hole, the old one is fixed. Because the regression test also checks previous holes, you can be assured that the fix hasn't reopened any of them.

        As for the manpower problem, there are regression testing suites available that cut the manpower down to nearly nothing. Your manpower argument could be applied to Linux just as easily. The kernel has too much code and too many contributers, it will never work. But at the end of the day, if Linus runs 'make' and your bug-fix fails, then your code is fucked and gets rolled back, end of story.

        On the other hand, I do agree with your last paragraph. MS has dug themselves a pretty deep hole. It will take years of code auditing to really fix the problem. By then, the next version of Windows will be out, and all their efforts wil have been wasted. They are honestly better off just focusing all of their newfound security awareness into their next product lines, and continuing to make the less-then-stellar patches we're used to for their current products. Oh well, guess you can't have your cake and eat it to. *shrug*
    • I totally agree. Microsoft's recent security efforts far exceed anything done by any other vendor aside from the OpenBSD team. Sysadmins had six months to patch, and any responsible firewall manager should have had those ports blocked. This is a case of shitty network management, and should be treated and touted as such.
    • Since when? (Score:3, Insightful)

      Pop quiz hotshot. You have a perfectly operational database that is processing admissions for your organization. If that puppy is down, tickets aren't sold, and people show up with pitchforks at your door.

      Now said system was purchased against your recommendation, is proprietary in nature, and the company that made it was bought out by another company, so you can't even get a straight answer on simple questions anymore. The department responsible for this purchase has never hired the person promised to maintain the system, nor have you been sent out for training on its maintenace.

      A week after this system is installed a third party contractor installs a replication system so your ticketing system can be connected to a big web server in another state. You don't really know what ports need to be open, how they are being used, and every time you tweak the littlest thing the entire operation comes to a grinding halt.

      And you expect me to apply patches at random. Especially when they require taking the system offline, and each has the risk of incapacitating your operations. Right.

      Blame me all you want. But the seeds of ruin were planted further up in the decision making process.

  • Why does Microsoft's "grade" drop when they released a patch for the worm a long time ago? All OS's have security problems. It think it is more accurate to say that Microsoft SQL Server Admins get an "F", not Microsoft itself. This is not to say that I think MS has good security, but it's an unfair slam when the worm is really the fault of admins who failed to apply a vendor patch.
    • by funkman ( 13736 ) on Saturday February 01, 2003 @01:41PM (#5204883)
      But:
      1) It was difficult to install
      2) They released a later patch which re-enabled the exploit
      3) Their own admins didn't install the patch and Microsoft itself fell victim the exploit.

      Which leads me to believe that while they can release patches for security - there is not enough ease an consistency to keep your systems "reliable". Many times a patch breaks functionality.
      • And its not really just any one single incidence of a bug exploit or code vulnerability that is the problem.. It's an immense PATTERN of errors.. many of which amount to wide and gaping holes in the security of a system, and many of which simply cause software to perform poorly.

        I'm no programmer.. in fact, I'm just a hardware geek trying to break into the IT field and not succeeding very well at it, but I can think of half a dozen times in the last couple years where some major M$ security flaw has been caused by an unchecked buffer....

        Now, I MAY be in error here... but they loosely covered buffers in my Intro to Comp Sci. course in college... and they repeatedly went off on making sure to close them up and the like... (I majored in Religion, so my coding vernacular is likely not up to snuff, please forgive.)

        Considering the thousands of such vulnerabilities that have been reported over the years (I mean, this is a fairly common screwup..), would it not be safe to assume that a company with ANY sense that its products might need to be secure, and that actually tests its products properly and does adequate QC, would at the very least go through and check the code for such an obvious source of problems? It's not like M$ lacks the manpower, or money.

        I've not yet gotten edjumacated properly and switched to Linux, BSD, or some other Open Source OS.. but what this weakness on my part has allowed is an extensive history of playing with M$... and it's my opinion that they just don't test their software properly before releasing it. They've released buggy pieces of crap for YEARS that are unstable as heck, and its often not until the second or third service pack release that the software actually becomes somewhat reliable (if at all)..

        That's M$'s shell game.. Release buggy and insecure software, blame everyone else, and at the same time keep users scrambling to buy the newest releases in a vain hope that M$ might actually have a working solution for them. All the while M$ rakes in the dough. They can do it because they are a virtual monopoly with all that comes with it.
  • by foolip ( 588195 ) on Saturday February 01, 2003 @01:34PM (#5204824) Homepage
    Richard M. Smith, a Cambridge, Massachusetts-based computer security consultant

    Oh no you don't! Don't think you can fool us with that all too common last name. We know it's you, RMS!

  • by vena ( 318873 ) on Saturday February 01, 2003 @01:35PM (#5204831)
    "But the philosophy of patching is fundamentally flawed and leaves people vulnerable, Cooper said."

    can anyone explain to me a better method, since even thy mighty god linux is subject to the need occassionally along with every other major OS i can think of?

    the paragraph continues with, "For example, Microsoft didn't follow its own advice as executives confirmed that an internal network was hit by the worm." to me, it seems that this statement doesn't support the previous. it would be better to place blame where it belongs, straight in the lap of the admins whose responsibility it is to keep their systems secure, and upon the heads of those who write exploitive code for the purpose of causing havoc.

    i mean, more power to those who bring these issues to light, but doing so without perspective just looks like picking on an easy target.
    • If a vehicle has a design flaw, we call that a recall. The manufacturer is still on the hook, even if a fix is available. Why do you think they bother to mail you recall notices?

      A software "patch" is a "recall" by another name.

      Besides, can you name the last patch you installed that didn't require upgrading some other component of the operting system?

    • can anyone explain to me a better method, since even thy mighty god linux is subject to the need occassionally along with every other major OS i can think of?

      I can't. But Bruce Schneier can [counterpane.com]

  • by n3rd ( 111397 ) on Saturday February 01, 2003 @01:35PM (#5204833)
    We've had this discussion before, and we're having it yet again.

    Who's to blame in this situation? I clearly feel it's the administrative and their immediate managers both at Microsoft and any organization that was hit with the worm. The administrators should keep up with the newest patches and update systems during the maintanance window. Managers should ensure the administrators have applied the patches.

    The argument about downtime and untested patches will surely be seen here as well. That argument is not OS specific. Sure, on Windows you generally need to reboot after applying a patch, but what if this happened to Oracle? You would need to take the server down, patch and bring it back up. As for testing, this is again an OS independent. At one time or another I'm sure every piece of software has released a patch that has introduced new bugs, it happens.

    Either way, there will be Microsoft bashing in the thread, but regardless of which OS you're running situations like this will arise.
    • The administrators should keep up with the newest patches and update systems during the maintanance window.

      Any organization that applies patches willy-nilly without preforming application tests is going to have problems. A company that just applies patches with testing is going to have problems that are going to be as big, if not bigger than the security issues that arise from not patching.

    • There is an expression 'Fool me once, shame on you, fool me twice, shame on me'. MS has its share of people hacking it and attacking it. But the problem is that with this amount of attention something should have changed!

      Ok blame the admin's. But that is like saying a if somebody cuts off their leg with a chainsaw it is the owners fault for not being careful. Yes the chainsaw user is at fault. But the chainsaw manufacturers were also at fault because the saws kept running when the human let go. That intensified the problem. These days all of these "dangerous" tools have safety checks, etc so catastrophic things do not occur anymore. And it has made a huge difference. This is the same situation with MS and its security problems. At some point in time MS has to start changing its habits and thinking about how to address the issue. Because thus far it has not worked worth a DAMM!

  • by mseeger ( 40923 ) on Saturday February 01, 2003 @01:35PM (#5204836)
    • Microsoft Blasted For Lax Security: 19 comments
    • Science Fiction and Smart Mobs: 28 comments
    • A Simple Grid Computing Synchronization Solution: 35 comments
    • Science: Space Shuttle Columbia Breaks Up Over Texas: 1161 comments

    Even as security issues are top news usually on Slashdot, this shows where our hearts are.

    Yours, Martin

  • According to the article, the patch was released about a week before the attacks started.


    Some people blame the admins for not applying the patches, but should you?

    Some things to consider about patches:

    • How often should patches be applied? And will you need to take down the system when you apply the patches
    • When you install some patches, some companies include new terms that allow they to have complete control of your machine, if you install the patch.
    • A patch may introduce a new problem

    • Personally I'm not blaming Microsoft for the 'slammer'. They patched it in July so I'm blaming the morons that

      1. Haven't bothered to keep their SQL servers up to date

      and

      2. Allow anyone from the internet to connect to that port anyway!

      Auntie Gayle's Basic Firewalling Guide for fuckwits

      1. Drop EVERYTHING!

      2. Specifically open the ports you need.

      3. If you do this the other way round (i.e. only drop known problem ports/protocols while leaving everything else open) please report for immediate recycling.

      The one thing Microsoft are responsible is for making the sysadmin job seem so easy any moron can do it. This encourages companies to employ button pushers and we end up with things like the 'slammer' debacle.
  • by cptgrudge ( 177113 ) on Saturday February 01, 2003 @01:39PM (#5204866) Journal
    ...it's done.

    How much longer is this going to continue? My family is not that tech savvy, and they crack jokes about Microsoft's security, or lack thereof. It always seems to me that all these industry groups talk about Microsoft's horrible security record, and Microsoft responds in turn with, "We're doing our best to improve security in our products, for the betterment of the consumer, business, and mankind, forever. Amen." But Microsoft never seems to be called on it.

    Are previously Microsoft customers starting to move their business elsewhere? Or does Microsoft's monopoly status simply enable them to say certain things on the surface, and then snicker behind closed doors later? I have to think that eventually, the onus would be on them to fix these things, or their business will fall to those companies that make better, more secure products.

    It reminds me of the Oakland Raiders in the latest Superbowl. They simply looked like they weren't in it to win. Microsoft gives me the feeling that they really don't feel like focusing on making secure products is really that important of a goal to them.

    Perhaps other companies feel differently.

  • Has anyone else noticed how uniformly negative CNN's (supposedly unbiased) coverage of Microsoft has been lately? Now why could that be happening?

    I'm at least as anti-Microsoft as the average Slashdotter, but this is getting a bit ridiculous. Aside from the fact that a patch was available, what the heck is a database server doing with a direct Internet connection? Five years ago, when I started designing web applications it was common practice to put web servers in a DMZ, with a firewall between the web server and any DB/app servers.

    This isn't Security 101, it's Remedial Common Sense 050!

  • Sorry, I've known this (and my clients are becoming {finally!} increasingly aware) for ages.

    Yes, Windows (and related products) blow in regards to security, it just means that we have to go an extra (or more) step to make sure they don't blow up in our faces.

    Yes, I run WinNT at work, it's stable, and not been disrupted by exploits/worms/virus/holes/whathaveyou, simply because I take the time to *make sure* it doesn't.

    We all know that even *nix can have problems, so this is hardly surprising.

    Still, it's /., so it must be News for Nerds.
  • by Kewjoe ( 307612 )
    I wonder if Microsoft considers this good PR. Why? because when they start heavily pushing .NET and their Palladium plan, they will use examples such as these worms as to why everyone must go on a platform where Microsoft must authorize every piece of software and every piece of hardware to work with it.
  • by jdkane ( 588293 ) on Saturday February 01, 2003 @01:54PM (#5204974)
    Interestingly enough, the Slammer worm also affected the .NET Framework SDK whether or not the full SQL Server was installed on the machine or not. This is because a component of SQL Server is included in the 1.0 release of the SDK. Microsoft issued a critical patch for this issue too. [microsoft.com] Even after having spent spent 100M [internetnews.com] on their Trustworthy Computing Initiative by July of 2002, we have not seen a great deal of proactive security fixes from Microsoft. Instead, external exploits seem to still be easy (even old ones), and then Microsoft takes action. Microsoft software still has a lot of maturing to do. We shouldn't expect magic anytime soon.
  • Cultural Issue (Score:3, Insightful)

    by the eric conspiracy ( 20178 ) on Saturday February 01, 2003 @01:55PM (#5204982)
    Gates says security is job #1 and sends all his programmers to security training.

    Well, that's nice - but is that really going to do it?

    How do you really get secure software? Doesn't that arise over time, as software matures and the flaws are found in the code base?

    Is that something Microsoft can embrace as a model for their business? Isn't Microsoft really about making money by churning it's user base through upgrades every two years?

    It seems to me that it is going to be very difficult for a company that makes it's money by selling 'features' to end users and churning its software base every few years to achieve the level of maturity in is code base that is necessary to to arrive at a reasonable secure product.

    The fact is that Microsoft's business managers with bottom line responsibility are going to do waht is necessary to get new versions out - each version with an ever increasing feature set. No matter how well Microsoft trains its developers, this process is going to leadt to security issues.

  • Ports ports ports... (Score:2, Interesting)

    by sedna ( 601993 )

    One issue concerning differences in security regimes between UNIX and Windows system that rarely are discussed, is port scanning

    When a Unix exploit emerges, the IT department at my University scripts a portscanner, identifies vulnerable machines and contacts their admins. If the machines are not patched within a certain time, they are disconnected from the network. I for example got an Email about my linux server being vulnerable for the openssh exploit even before I read about it on Slashdot. This way the University system is less prone to hacker attacks. My Windows 2000 box have never been patched and probably as secure as a sieve have never drawn attention from the IT department. I presume this is because a similar scanning procedure is significantly more difficult to launch. This way I suppose the Unix machines should de facto be much more secure than the Windows machines at the University.
  • "News for Nerds".

    Hmmm... this isn't exactly news to us, is it?

  • Think about this: If you require the populace to get the patch from you then you can monitor key propagation and identify copies.

    Now imagine a further twist, prepare the code so that it has "flaws"

    Now imagine an even more cynical view: Fund a security watchdog group who have some "amazing" guys that find these problems and publish them.

    Hedley
  • Not so fast... (Score:5, Insightful)

    by ryanvm ( 247662 ) on Saturday February 01, 2003 @02:18PM (#5205074)
    I see a lot of people stepping up and complaining that it's not Microsoft's fault as much as it is the sloppy admins. Yes - Microsoft systems that were hit by this worm were poorly managed. However, the problem is that shitty admins are exactly who Microsoft designed this "server" operating system to be managed by.

    Who certifies system administrators that can barely format a floppy? Microsoft. Who crafted a Fisher-Price operating system with inadequate "wizards" to help unqualified administrators bungle their way through setting up a server? Microsoft. And who pitches their operating system as having a lower cost TCO because you don't need skilled labor to run them? Microsoft.

    So when you want to complain that it's the admins that make these systems insecure, remember these are the admins that Microsoft picked.
  • Microsoft's security problems are going to destroy the company. The security problems are more important on the server end, because they customers will demand it, if not yet, soon.

    Microsoft has been drudging uphill on the server market since the mid 90's with windows NT, since then they have only achieved a strong foothold in the mid-low end server market, which is now becoming seriously challenged by Linux.

    While Linux may not be fundamentally more secure then NT it defiantly has the perception of being so because windows is a vastly larger target with there desktop dominance; every time one hears about a windows exploit that effects the perceived security of all windows, whether it was a client side IE exploit, or a server side only exploit.

    I think Microsoft needs to put the fix on the security problem very quickly or suffer a serious erosion of people using Microsoft for critical applications, to do this I think that at a minimal they need to do the following:

    Perception:

    Put a hard line between the server and desktop market. i.e. drop the Windows name for the server end, call it something like TrustIx Enterprise, anything but windows, that was when there are security exploits for the desktop it doesn't go against the server end.

    Make security the number feature requirement in all server products.

    Hire a bunch of top security guys, make a big splash about being "unbreakable" like oracle did.

    Technology:

    Implement the latest security technology, like the new stack protection ideas in OpenBSD.

    Be much more aggressive with auto updating, so that unpatched machines get automatically patched, all of the big headline worms on NT exploited holes that had been patched for over 6 months. Any server on the internet should by default auto-update patches.

    Patches must be 99.99 correct, meaning that when auto-patching happens it does not break anything. Microsoft should offer a guaranty that if a patch does break something they will fix it; i.e. send people out and fix it for the company. And pay for any lost revenue to the patch.

    Lax security costs Microsoft more then they can imagine, with a total saturation of the desktop market there is no-where to go but down. Their only hope for continued growth is expanding in other markets, with so much already invested on the server side it is crucial that security is given a number one priority, otherwise they will lose all that they have done and pull the whole company down with it.

    -Jon

  • Folks remember that wehn MS first started hiring devloeprs in its beginnings that those devlopers :

    -Were not skilled in unix security precautions because UNix vendors had changed their lcienses to close code to those in cs at schools.

    -Were influenced to push code out the door rather than refactor, retest, and rewrok to produce security compliant code.

    -MS's recent code retraining cannot rease almost 30 years of bad programmign prqactices within MS itself..

    The only way for MS to get better is to immediately fire every programmer, which wil not happen and thus the conversion to Linux and MacOSX will gain full speed in the next few months..

  • there is a missing issue here: ms bent over backward over the last 7-10 years to sell their products to poeple based on *Ease of Use*. you don't have to be a rocket scientist (or unix guru) to do 'big things' with computers if you bought ms products. one of the key selling points was you didn't have to have these expense engineers to maintain the systems.

    so between the 'it's easy' part and 'you don't need smart responsible people to manage it', is it any wonder that we have an epidemic of poorly maintained ms systems out there?

  • by Eric Damron ( 553630 ) on Saturday February 01, 2003 @03:03PM (#5205327)
    Okay, anyone who has read my posts knows that I'm not a Microsoft supporter. I find it hard not to see the humor in Microsoft's own servers getting hit when the vulnerability was not new and patchable especially after they proclaimed that they were now striving to be secure.

    However, after laughing myself sick, the seriousness of the situation darkened my mood. Although I believe that Linux is currently a more secure platform, it is not a platform without flaws. Linux could be the next security nightmare if we don't occasionally do a reality check.

    Part of Microsoft's strength and ironically part of the reason that Microsoft products tend to be vulnerable to attack is the fact that Microsoft strives to give the customer everything including the kitchen sink.

    To do this, products are made with far too much power. VBA is an example of this. Combining data with code is not a good idea. It makes it very convenient for the customer and unfortunately the black hats as well.

    Right now Microsoft is pushing their .NET platform. They are hopeful that this will become the development platform of choice across multiple OSes. Parts of the Linux community are scrabbling to enable Linux to benefit from this emerging technology thought the Mono project.

    If successful it may become possible to run many applications that will be developed on the Windows OS that are targeted for the .NET platform. If Microsoft introduces a .NET version of their flagship Office package it is likely to incorporate some form of VBA. Running a VBA enable application on Linux will not help the security of the Linux platform.

  • Admins are the problem, and microsoft is the problem as well. In fact, the main issue is that microsoft is breeding lazy and dumb administrators.

    That's not going to say all windows admins are dumb. And there definitely are lazy and dumb Unix admins, too. However, from what I've seen in several companies, the ratios are that most windows admins don't know what the hell they're talking about, and if you take away their wizards and their mouse, they're lost like newborns. Most Unix admins do know what's going on and can bring a system back from states way beyond where the only microsoft solution would've been a reinstall.

    Why is that? Because windows is marketed and sold as if every dumbass could run a server. It really isn't a surprise. There's a truth to all the sayings that start with "if planes/houses/whatever were built the way microsoft makes software..."
    The most important part is that nobody has ever gone around and tried to sell people on the idea that being a doctor, or flying a plane or building a house is an easy task.
    Guess what, neither is running the corporate serverfarm.

    I call that a scam, plain and simple. A scam that has - according to the various overblown estimates on virus and worm damage - done several trillions in damage.

    Is it the fault of the lazy sysadmin who didn't do his job? Yes, it is. But he was very much tricked into a very wrong picture about what exactly his job is in the first place.

    And so far, we've all been lucky. None of the viruses that I've seen were even close to the level of sophistication that, say, some very early (C64 and amiga age) real viruses had.
    • > I call that a scam, plain and simple. A scam that has - according to the various overblown estimates on virus and worm damage - done several trillions in damage.

      Usual MS bashing aside, I've sometimes seriously considered the idea that Windows is an inside joke that's blown out of proportions. This would go in line with their EULAs that deny all responsibility. It's hilarious but sad that so many people and organizations entrust anything valuable to MS software, because there is no basis for trust in the license.

  • Firewalls anybody? (Score:5, Insightful)

    by jay_sdk ( 646566 ) on Saturday February 01, 2003 @03:32PM (#5205507)
    What are supposedly serious companies doing without firewalls blocking 1433 and 1434? I run a little home network, of which one machine has SQLServer 2000, but my firewall has been blocking all 1433 and 1434 as "suspicious UDP" data. This is a little less than $150 hardware box. What? Bank of America can't afford a firewall?
  • by erroneus ( 253617 ) on Saturday February 01, 2003 @04:00PM (#5205683) Homepage
    The internet is becoming more and more important to the average "joe." So now, "things internet" are becoming newsworthy.

    I have discussed the recent worm attack with my non-tech associates and they actually had an opinion about Microsoft. That some agreed with me and others disagreed isn't as significant as the fact that they had an opinion.

    This is a tremendous change. Think on it.

    Some people strongly disagreed on Microsoft and how evil they are. Others nodded as if to say what I mentioned made a lot of sense. (I mentioned that "bugs" in software are part of Microsoft's business model -- people have to buy newer software to repair problems with their old software, especially after Microsoft stops supplying fixes for their older stuff... "Bugs == consumer incentive to upgrade.") This, of course, is now changing rapidly. "Bugs == consumer incentive to change."

    I think with the high-profile nature of attacks which exploit weaknesses in Microsoft products is really starting to create public opinion that never truly existed before. (Prior to this, people looked on Microsoft the way we look at the air we breathe -- "is there anything else to breathe?")

    I think this is a very good thing. It more than levels the playing field in the market for server and other products. I think leveraging Linux, Apache and various SQL servers in the server market is the only way to get Linux onto the Desktop at a later date. There is no way to get Linux onto the desktop until Linux is a household word. Once that is done, Desktop Linux will be chosen not for its performance, but for it's reliability and solidity.

    I think the days are short for people who prefer to have "unstable and colorful" displays... with the amazing power of today's PC, performance isn't an issue. Stability, reliability and security will be the main concern and even if Microsoft cleans up their act, their reputation will be enough to add doubt into consumers' hearts. The public is a moody beast and once bitten doesn't come back for any reason... usually. Just look at how long it took Nixon to return.

    The death of Microsoft is at hand...
  • In another post I mention that patching is dangerous and hard to do for an average developer. Why risk your dev time by executing complex patches? I bet more than anything most companies were bit by small and unknown installation of DBs inside of their intranets.

    So while some will harp on Admins for not patching, I claim that Admins can only track so much. If I need to develope something on a MS SQL Server where I need to tinker with the entire DB(ie. I need admin rights) I am going to install one on a throw away machine. I am not going to case patches since the installation will not be used in production and its hard to do right. I will not ask the Admins to maintain it since its not for them.

    Why is patching software on MS platforms somewhat like open heart surgery? It looks so complex I wonder how do Admins work with 10+ machine clusters. If it wasn't so complex I may just patch my small test DB instead of ignoring warnings. Until the patching process becomes much less risky and painful then this will happen over and over again.
  • by GuardianKnight ( 80165 ) on Saturday February 01, 2003 @04:22PM (#5205814) Homepage
    I don't normally chime in, but I thought that I would for this one. Let me start by saying that I don't like MS...I'm using a mac as we speak (with Safari)...and I'm a Senior UNIX admin at work....anyway...

    Can we really blame MS for this? They released a patch in July...MS can't be held accountable for Windows Admins for not updating their software (I'm not saying it's the admins fault either...I know that admin spend 80 - 90% of their time putting out brushfires, and can't find time to do patches). Now, do I think that MS needs to find a better way to notify customers of new patches...b/c I know that I don't have time to sit around and browse and go through what I've installed and what I haven't (are you listening Sun?!?!)

    So for example...If I don't stay up to date on all the Solaris/Linux patches does that mean that Solaris/Linux is a security prone OS? Heck, no!
  • by hackus ( 159037 ) on Saturday February 01, 2003 @05:14PM (#5206244) Homepage
    Personally, from having to manage Microsoft systems for the better part of 12 years, it was almost impossible to patch anything immediately, when a Security Fix was announced.

    If you ever have managed Microsoft Products, it basically becomes a crap shoot with the following outcomes with regards to patching your systems:

    1) Patch installs, breaks other services.

    2) Patch installs, system becomes even more unstable.
    (This is the worse because it looks like the system is working, but hits you in the middle of the day, usually during peak times.)

    3) Complete failure to reboot after patch is installed, resulting in a very intensive recovery operation. (i.e. Reinstall OS, tape restore, or flash restore with floppy.) All data is usually lost since last backup.

    In any case, it is completely laughable, and not applicable I believe if you completely blame Microsoft Admins on not applying these patches.

    Especially with some of the messages posted here, such as "Oh, well you have to update your systems, stupid."

    How simple and naive you are, and obviously anyone making such a statement has not an ounce of experience managing Microsoft server/desktop products.

    I think the people who manage Microsoft Products, know more than anyone here, why it is preferable to update thier systems.

    I think it is a serious insult to Microsoft' customers that Microsoft would publish a statement something of the akin "Well, they didn't update thier systems...ITS NOT OUR FAULT".

    Bullpucky, and with that in mind however, continue reading.

    The shear hell, you have to go through, to patch a monolithic, monster of bloatware that is a Microsoft OS, is purely not economically possible, if you can believe it, for some companies with large installations of Microsoft products.

    Patching becomes a project something on the scale of a ERP implementation for some sites that are non trivial in size.

    Furthermore, time after time, Microsoft provides NO WAY to reverse patches that they typically publish.. (also known as "HOT UPDATES/FIXES").

    As most admins will tell you, HOT FIXES are risky, and can be impossible to reverse because Microsoft publishes these immediately, without thinking properly about the impact on the entire OS.

    As I shall note later, this is why Microsft's OS is not practical to expose to the internet for any reason from a security perspective.

    Therefore, many admins wait for the service packs to fix the problem, most of the time the service paks are more well thought out, and are for the most part reversible.

    It is incredibly expensive, to mirror systems in a test lab, to test patches. EVEN THEN, the production systems are in no way representitive of the test systems. It is expensive, labor intensive to construct mirror systems and network services to make it viable to install hot fixes in a responsible way.

    With that said, being a Linux convert, here is the problem and Microsoft isn't addressing it:

    1) Microsoft's OS includes too many features out of the box, that Admins cannot control what they want installed.

    It it REALLY stupid to put a graphical interface on the OS, espepcially when you are considering a highly secured server and making it a requirement to run it. There is absolutely no reason, why the OS has to carry around the code for a GUI when it is sitting in the server room, under lock N key.

    Microsoft appearently doesn't understand software engineering principles regarding the total possible paths in a program and its reliability can only be increased statistically by eliminating the other execution paths in the software. That means not installing the GUI.

    On Linux I can do this, easily, with ANY piece of software. Effectively reducing the function of the server to BARE BONES. Making it much faster to identify and fix problems, and of course much easier to update.

    Well, you can't do this with a Microsoft product, and that is the root of the problem. In linux, I can slice and dice the OS down to its bones, if I need to.

    Also, I would like to point out, linux isn't as complex to administrate as Windows when you start whacking the X server, games, DNS (directory software) and everything else when all I have running is sendmail. The system becomes a very very simple UNIT to admin in my infrastructure, with a very very easy and predictable means to upgrade and far fewer security risks as a result.

    NOTICE TOO sendmail has nothing to do with the operating system.

    Microsoft ties everything into the OS making it IMPOSSIBLE to build a secure system because you have to install ALL of the system or NONE AT ALL.

    Microsoft uses the OPERATING SYSTEM to aggregate services, which as I pointed to above, is a fundamentally flawed software architecture.

    Linux on the other hand uses the FILE SYSTEM to agregate services and the file system doesn't require you to even execute the code on start up.

    Therefore even if you do a complete install on Linux, the system complexity doesn't increase, only what you include in your RC startup increases system risk to security or bugs that can make your system unstable.

    The worse thing that happens is you increase the size of your file system.

    As a result the uptime factors, and ease of maintance for Linux based systems easily out paces Microsoft's OS in any large deployment of the OS.

    As a result it is impossible, because of these facts, to follow a responsible security policy with medium to large Microsoft IT installations.

    I also think Microsoft should stop slapping its customers up in the press as to the importance of updating thier systems.

    Most people already understand that, but they are being held hostage by the poor implementation of Microsoft software which by its very design, prevents practical and speedy updates of large installations of Microsoft OS's.

    -Hack

You are in a maze of little twisting passages, all different.

Working...