Microsoft Security

Looking Back At Windows Security In 2003

thebatlab writes "Help Net Security has an interesting look at security in Windows during 2003, with various blurbs from related parties at Microsoft as well as security 'bigwigs' such as Russ Cooper. It's interesting to read the comments from external parties, as they tend to be very reasoned comments and don't simply attack away over recent 'indiscretions' and 'security lapses' Microsoft has had over the year."


  • Does anyone know... (Score:5, Interesting)

    by biendamon ( 723952 ) on Monday December 22, 2003 @06:34PM (#7790475)
    ...where to get a definitive list of security holes in Windows (not Office or other add-ons) for the month of December?
  • Hey, Sherlock.... (Score:3, Insightful)

    by tarquin_fim_bim ( 649994 ) on Monday December 22, 2003 @06:35PM (#7790480)
    "What Slammer showed us more than anything was the need to embrace more basic controls, such as "Default Deny"."

    Do you think that that giving your user name and password to strangers might be a bit suspect too?
  • by SharpFang ( 651121 ) on Monday December 22, 2003 @06:37PM (#7790498) Homepage Journal
    Of course the same holds true for businesses, but there the problem was more of a problem with the "Default Installation". We have long known that default installations are inherently insecure.

    Windows "out of the box" is as wide open as the goatse.cx guy.
    • by JoeBaldwin ( 727345 ) on Monday December 22, 2003 @06:47PM (#7790588) Homepage Journal
      No shit, I installed XP and I already had Blaster. I hadn't installed anything, downloaded email, downloaded anything, but it was there.

      This, if you don't know, is called Microsoft Security :)
      • Re:Slashdottism (Score:3, Interesting)

        by RoLi ( 141856 )
        The same happened to a friend of mine, too.

        Isn't it funny that nevertheless Microsoft marketing has brainwashed the masses to the point that they actually believe that WinXP has become more secure than Win9x? (Fact: There never was a worm comparable to W32.Blaster on Windows9x)

      • A freshly installed system on the internet is called a honey pot.

        If you've read any of the honey pot related articles around here, it's not surprising at all that you got infected that fast.

    • "Windows "out of the box" is as wide open as the goatse.cx guy."

      Yes, a new .sig!
    • Windows "out of the box" is as wide open as the goatse.cx guy.

      So does that make the Blaster worm and others like them a virtual suppository?

    • For any random IP, you'll see an average of one worm hit every 30 seconds. It varies depending on time of day, phase of moon, etc, but that's about what it averages out to.

      So the average Windows user doing a nice fresh install of XP, or switching on their newly purchased WinXP machine with marginally patched OEM install is almost certain to get infected by something, even if the _very first thing_ they do is start downloading the latest security patches.

      Windows firewall would help, but it's switched off b
  • It's interesting to read the comments from external parties, as they tend to be very reasoned

    -SNIP-

    Yeah, and if I poke you in the eye with a sharp stick every morning, you'll get used to it. It might even appear "reasoned".

  • by key nell ( 55408 ) on Monday December 22, 2003 @06:39PM (#7790517)
    There's a new worm out there that exploits a security hole still in Windows 2k/XP from when it was released.

    It has the capability to shut down applications, goes right through anti-virus software (even the latest patches!!!), and gives total control of the victim computer to the creator of the worm.

    An attempt by the powers that be to shut down its source of updates was thwarted by various government agencies and the worm itself.

    Unfortunately there is no patch to get rid of the W32.MS.AutoUpdateRequired worm.
  • by TheDarkener ( 198348 ) on Monday December 22, 2003 @06:42PM (#7790546) Homepage
    It sucked!

    <bows>
  • at Windows security, one thought comes to mind - eeeek.
  • j00 w3r3 h4xx0r3d!!!!!!
  • Rophel. (Score:2, Funny)

    by i_am_syco ( 694486 )
    Windows Security is an oxymoron. Just like the French fish who cleaned everything from Finding Nemo.
  • by Anonymous Coward on Monday December 22, 2003 @06:49PM (#7790605)
    A hole in Windows was announced today. That's great; as soon as Windows Update tells me there is a fix available, I'll click and reboot to apply it.

    A hole in Linux was announced today. Developers released a patch in 34.36 minutes flat after hearing the news. Download and update today! /me goes to website; they list some long inexplicable explanation of the hole. Link to some .tar.zip.gz.bz2 file (this saves bandwidth). Just run it through tar -xvzjf and it will automagically extract. Run make clean; make superclean; make reallyfuckingsureyourclean; make install; (whoops, su; make install) and boom! It's installed.
  • Should I patch? (Score:5, Interesting)

    by SharpFang ( 651121 ) on Monday December 22, 2003 @06:50PM (#7790615) Homepage Journal
    I dual-boot Linux with W98SE. Recently, after quite a while of using it and getting the W98 more and more "dirty" I decided to install the update. System got so unstable that I couldn't open Explorer without crashing. "Time for reinstall", I thought. Format, install, config, everything runs smoothly. Windows Update, system starts crashing really bad. Maybe I did something wrong? Format, reinstall, update. Crash. So now I run "vanilla" W98SE, without ANY updates, just pure CD install. The only protection is my firewall on a Linux box. Sucks, but what should I do? This way it can keep running for several hours, and with screensavers and power management disabled, for several days in a row. With patches, crashes notoriously. Keep it secure? How? By unplugging the net or the power supply??
    • Re:Should I patch? (Score:4, Insightful)

      by abh ( 22332 ) <ahockley@gmail.com> on Monday December 22, 2003 @06:54PM (#7790658) Homepage
      Windows 9x was never intended to be secure... it's a wide-open home user OS... don't feel like logging on? Just hit the cancel button at the logon screen.

      If you're going to discuss Windows security, for god's sake at least do it with a version of Windows designed to be at least somewhat secure (2003, XP, 2000, or even NT).
      • Re:Should I patch? (Score:3, Insightful)

        by Tony-A ( 29931 )
        If you're going to discuss Windows security, for god's sake at least do it with a version of Windows designed to be at least somewhat secure

        You're missing the point.
        The more secure Microsoft Windows is the old unpatched "insecure" Windows.
        That says something about how effective Microsoft has (NOT) been with its security endeavors.
    • by Dark Lord Seth ( 584963 ) on Monday December 22, 2003 @07:23PM (#7790862) Journal
      How? By unplugging the net or the power supply??

      Don't worry, MS is working hard on coding a new exploit that works even when your PC is offline and disconnected from the net! Due Real Soon Now(tm)!

    • Planned obsolescence.
  • by daddy norcal ( 734037 ) on Monday December 22, 2003 @06:55PM (#7790665) Homepage
    One word: Slammer.

    It basically says it all when an exploit that had been patched for months succeeds in bringing the internet to a crawl.

    • by Lxy ( 80823 ) on Monday December 22, 2003 @10:11PM (#7791878) Journal
      Microsoft puts itself in a catch-22 with this one.

      Microsoft released a patch, yes. There are two people who wouldn't install it: those who don't have a clue about being a sysadmin (MCSE) and those who know MS's history of distributing broken patches.

      The first group (mostly made of MCSE-only admins) are either too ignorant to install patches timely or are too stupid to know that your SQL server has no need to be internet-accessible. IIRC the only way to get slammer was to have your unpatched SQL server live to the world, something that anyone even slightly security conscious wouldn't have done. Unfortunately, MS markets themselves as the easy deployment/any idiot can admin. So, they market themselves to idiots, then blame the idiots for not taking care of their servers. Umm... sure.

      Secondly is the smart group who knows better than to deploy ANY MS patch without testing it. Having a patch 2 months before the worm hits is fine and good, but often times testing a patch takes that long. In the case of slammer these are the guys who know to keep their SQL servers behind the firewall. Slammer was mostly due to group #1. In the case of IIS and other internet services, however, a patch may not be deployed in a timely manner.

      Combine MS's past of releasing broken patches with their careful marketing to idiots and you see how easily this crap happens.
  • by Anonymous Coward on Monday December 22, 2003 @06:55PM (#7790669)
    The site took forever for me to load. Looks like it is slashdotted. Here's the full text:

    An In-Depth look Into Windows Security in 2003
    by Mirko Zorz [mailto] - Monday, 22 December 2003.

    When it comes to security predictions for next year, basically everyone says it's going to be worse than this year despite the increased spending on security and some progress made when it comes to security awareness. Let's take a look at some interesting happenings that made the news during 2003 when it comes to Microsoft security and perhaps you'll be able to judge for yourself what 2004 will bring.

    The experts that voice their opinion for this article are Russ Cooper (Surgeon General of TruSecure Corporation/NTBugtraq Editor), Ed Skoudis (a security geek who is focused on computer attacks and defenses, author of "Counter Hack" and "Malware: Fighting Malicious Code") and Arne Vidstrom (a security researcher and author of many security tools for Windows).

    It's January and things don't look good

    Just as we were getting used to writing 2003 instead of 2002 in our letters, here comes the Slammer worm [net-security.org] and all hell breaks loose as thousands of computers are infected worldwide.

    This, however, was not Microsoft's fault since a patch was available several months before the worm was unleashed. This has put the issue of irresponsible users into the spotlight while others said the reason why some servers weren't patched is because administrators are worried about the side-effects that come with a patch.

    Russ Cooper said: "Firstly, SQL patches have been notoriously difficult to install, so I would argue that despite the availability of a patch, its lack of installation was not entirely the user's fault. Further, MSDE (Microsoft SQL Desktop Engine) inclusion in 3rd party software had never been tracked by Microsoft. This resulted in many people being vulnerable to Slammer who never knew they needed a patch. The method the SQL group has used to handle the SQL vs. MSDE issue has been very poor, with KB articles typically only being found by searching for SQL rather than MSDE. Finally the SQL Server Resolution Service, the service targeted by Slammer, isn't even mentioned in the SQL 7.0 documentation either as being present, installed, or enabled by default."

    Lessons learned according to Cooper: "What Slammer showed us more than anything was the need to embrace more basic controls, such as "Default Deny". There's little reason to expose the SSRS to the Internet without any restrictions. Some hosting providers have argued that their customers required access to the service and, therefore, they exposed it directly to the Internet. While this might seem reasonable, the additional cost of locking down such connection points to, at least, an identifiable IP address range surely couldn't put them out of business compared to the risks they put the entire Internet at. Of course the same holds true for businesses, but there the problem was more of a problem with the "Default Installation". We have long known that default installations are inherently insecure. Knowing what you're installing, and installing only what you know, are crucial to achieving baseline security. The habit of simply accepting the defaults and no additional steps is yet another reason problems like this occur."

    "Another aspect of "Default Deny" is the enforcement of *Outbound* rules as well as inbound. Habit says that inbound is what we fear, yet outbound is left entirely untouched. Slammer demonstrated just how harshly such a policy can affect the Internet. There was no reason for those systems to initiate connections outbound on UDP 1434, even if we accept there was a need to allow the inbound connections from other infected hosts. Ergo, had such rules been in place, machine
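The "Default Deny" point Cooper makes in the reposted article (no unrestricted exposure of the SQL Server Resolution Service, inbound access locked down to an identifiable IP range at most, and outbound UDP 1434 blocked so an infected host cannot propagate) can be modelled and checked before it is ever typed into a firewall. The following is an added example, not code from the article, from Help Net Security, or from any Slashdot poster: a small Python model of a default-deny policy for both directions, evaluated against constructed sample packets, plus a rendering of the same policy as iptables commands (the kind of Linux/iptables front-end firewall several posters mention). The address ranges, port list, and the `DefaultDenyPolicy`, `Rule` and `Packet` names are all assumptions made up for the example.

```python
"""Default-deny firewall policy model with outbound enforcement (added example).

Models the control the article argues for: everything is dropped unless a rule
explicitly allows it, in BOTH directions, so a host that is compromised anyway
cannot spray UDP 1434 at the rest of the Internet.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving at the host) or "out" (leaving the host)
    proto: str       # "tcp" or "udp"
    remote: str      # peer address: source for inbound, destination for outbound
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    """An explicit ALLOW; there are no deny rules because deny is the default."""
    direction: str
    proto: str
    dport: int
    peers: tuple = ()   # CIDR strings the peer must fall in; empty means any peer

    def matches(self, pkt: Packet) -> bool:
        if (self.direction, self.proto, self.dport) != (pkt.direction, pkt.proto, pkt.dport):
            return False
        if not self.peers:
            return True
        addr = ipaddress.ip_address(pkt.remote)
        return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in self.peers)


class DefaultDenyPolicy:
    def __init__(self, rules):
        self.rules = list(rules)

    def verdict(self, pkt: Packet) -> str:
        # First matching allow wins; nothing matching means DROP.
        return "ACCEPT" if any(r.matches(pkt) for r in self.rules) else "DROP"

    def to_iptables(self) -> str:
        """Render the policy as iptables commands (default DROP on both chains)."""
        lines = [
            "iptables -P INPUT DROP",
            "iptables -P OUTPUT DROP",
            "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
            "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        ]
        for r in self.rules:
            chain, peer_flag = ("INPUT", "-s") if r.direction == "in" else ("OUTPUT", "-d")
            for peer in (r.peers or (None,)):
                peer_opt = f" {peer_flag} {peer}" if peer else ""
                lines.append(f"iptables -A {chain} -p {r.proto}{peer_opt} --dport {r.dport} -j ACCEPT")
        return "\n".join(lines)


# Constructed policy for the hosting-provider scenario in the article: the
# customer range (a documentation prefix, not a real network) may reach the
# SQL resolution service; nobody else may, and the host never talks to it outbound.
CUSTOMER_RANGE = "203.0.113.0/24"   # assumption: constructed customer address range
POLICY = DefaultDenyPolicy([
    Rule("in", "tcp", 80),                          # public web service
    Rule("in", "udp", 1434, (CUSTOMER_RANGE,)),     # SSRS, locked to one range
    Rule("out", "udp", 53),                         # DNS lookups
    Rule("out", "tcp", 443),                        # outbound HTTPS, e.g. fetching patches
])

# Constructed sample traffic; 198.51.100.7 stands in for an arbitrary Internet host.
SAMPLE_PACKETS = {
    "ssrs_from_customer":  Packet("in",  "udp", "203.0.113.5",  1434),
    "ssrs_from_internet":  Packet("in",  "udp", "198.51.100.7", 1434),
    "worm_spray_outbound": Packet("out", "udp", "198.51.100.7", 1434),  # Slammer-style propagation
    "https_outbound":      Packet("out", "tcp", "198.51.100.7", 443),
    "web_inbound":         Packet("in",  "tcp", "198.51.100.7", 80),
}


def evaluate(policy: DefaultDenyPolicy = POLICY, packets=SAMPLE_PACKETS) -> dict:
    """Return {sample name: verdict} for every sample packet."""
    return {name: policy.verdict(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:22s} {verdict}")
    print()
    print(POLICY.to_iptables())
```

The point the model makes visible is the asymmetry Cooper describes: even with the inbound exception for the customer range, the outbound UDP 1434 packet is dropped because no rule ever allowed it, so an infected host stays noisy only on its own LAN. The iptables rendering is illustrative; a real front-end firewall also needs loopback, logging and anti-spoofing rules, and the `conntrack` lines let replies to permitted connections flow without per-port return rules.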

  • HA! (Score:4, Funny)

    by thepuma ( 721283 ) * on Monday December 22, 2003 @06:58PM (#7790689) Homepage
    Windows Security. That's like... Military Intelligence? Jumbo Shrimp? Microsoft Works?
  • by randall_burns ( 108052 ) <randall_burns@@@hotmail...com> on Monday December 22, 2003 @07:23PM (#7790867)
    Organizational Security is typically only as strong as the weakest link. If you have an organization that doesn't do proper background checks on its personnel or uses negative management techniques, the risk imposed by those practices can swamp stuff like the risk associated with a particular version of software.


    In areas like the construction industry, insurance companies take a very hard-nosed attitude towards various types of risky practices-and the difference in risks between those practices are reflected in insurance premiums. It would be straightforward to apply similar techniques to organizational security-but I suspect what we have here is a case of managerial resistance. The management types just don't want their practices closely scrutinized-they like things the way they are now. What I see, is a lot of folks taking enormous risks with other people's money.

  • by cacepi ( 100373 ) on Monday December 22, 2003 @08:06PM (#7791217)
    I just hope that in the next few weeks we won't see a disaster like the Slammer worm.

    That, in a nutshell, destroys the entire article. The end user shouldn't be forced to "hope" that bad things won't happen to their computers. Any vendor that instills so much lack of confidence in their products doesn't deserve the benefit of the doubt.
    • by sfe_software ( 220870 ) on Monday December 22, 2003 @08:51PM (#7791500) Homepage
      That, in a nutshell, destroys the entire article. The end user shouldn't be forced to "hope" that bad things won't happen to their computers.

      You've summed it up quite nicely. Back before Windows 2000, I just didn't understand why anyone put up with Windows at all. The fact that people considered daily reboots "normal" was pathetic.

      Only now the situation is a bit different. 2000/XP are both very stable, and if properly patched are most always relatively secure. I still trust Linux or BSD a lot more, which is why my Windows machines are protected with a Linux/iptables firewall; but you have to admit that Windows has gotten much better. Again, though, if properly patched.

      I believe (correct if wrong) that nearly all of the major exploits in the last few years were patched long before they became a problem; in many cases, months passed between the time a problem was fixed and the time it was exploited (thus giving plenty of time for testing and deployment).

      Microsoft tried to remedy the problem with the "auto update" feature, which most of us didn't like. Fine. Now they're finally getting it right, and making things much better starting with SP2 (firewall enabled by default, etc). Sure, *nix has been doing it right for much longer, but you have to admit that things are getting a lot better in the Windows world...
  • by ratfynk ( 456467 ) on Monday December 22, 2003 @10:01PM (#7791835) Journal
    I do not see any security. As Gates/Ballmer have said, "it would be far too expensive to fix Windows." Besides, by fixing Windows, the forced $upgrade$ incentive would go away. The problem with the MS software model is that if you make it too good no one will upgrade. Like banks and OS2, IBM focused on getting the security right, look what happened!
  • Patching only stops attackers who exploit vulnerabilities found by others. A serious attacker (one with a specific target and some form of gain in mind) may have the ability to find new vulnerabilities. They won't talk about it, so the patchmakers won't know to close the hole.

    Finding new vulnerabilities isn't hard. Remember ntcrash? [attrition.org] Variations on that theme should discover new holes automatically over time.
