i-Technology Opinion: Security Not a Microsoft Priority
"It's Time for Microsoft to Devote More Attention to Providing Timely Fixes for Its Software and Less Time Telling Us How Good I

Folks out of Redmond have been talking more than usual about the advantages of Microsoft's security and its track record. Witness the statements from Microsoft's chief of security in this article, and Bill Gates himself speaking about security in an interview with the BBC.
With these statements in mind, a reader might assume that Microsoft is responding to vulnerabilities quickly in order to ensure that its customers are protected. One might assume that Microsoft is performing adequate testing and due diligence to ensure that old bugs don't pop up again in new versions of its software. However, a cursory glance at the Microsoft-related security disclosures of February reveals that, for all of the rhetoric, Microsoft is very slow to respond to critical vulnerabilities. It appears that Microsoft is merely controlling the information rather than controlling the security vulnerabilities and protecting its customers. In addition, old bugs are showing up in new versions of its products.

As released onto the Bugtraq mailing list, both Windows XP Professional with SP2 and Windows Server 2003 are vulnerable to an old, old, old and, incredibly enough, previously patched flaw in their TCP stack. The attack, called a LAND attack, sends the target a TCP SYN packet whose source address and port have been spoofed to match the destination address and port, so the stack is in effect handed a connection request from itself; the result is a DoS condition against the operating system.

Of course, the attack only works if XP SP2 isn't running the Windows Firewall, but that is the case within many (most?) corporate networks today. Windows Server 2003, likewise, is typically not running its own firewall; it is more likely hidden behind an external one. However, if that server happens to be running a public web server or any other TCP-based service exposed to the Internet, that listening port is exactly what the attack needs, and the server is vulnerable unless the external firewall drops inbound packets that claim one of its own addresses as their source (the anti-spoofing check that defeats LAND at the perimeter).
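The attack described above, as an added example that is not part of the original article: a short Python script that assembles a minimal IPv4/TCP SYN packet with valid header checksums and then applies the LAND signature check that a packet filter or IDS would apply (source address and port identical to destination address and port, SYN flag set). The addresses, ports and the sample capture are constructed for illustration, and the packets are only built in memory; nothing is sent on the wire.

```python
"""Added example (not part of the original article): build a minimal
IPv4/TCP SYN packet and check it for the LAND signature, i.e. a SYN whose
spoofed source address and port equal its destination address and port.
All addresses, ports and packets below are constructed for illustration;
nothing is sent on the wire."""
import socket
import struct

SYN = 0x02  # TCP flag bit


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by IP and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_syn(src_ip: str, sport: int, dst_ip: str, dport: int) -> bytes:
    """Return a 40-byte IPv4 + TCP SYN packet with valid checksums.

    A LAND packet is simply this with src_ip == dst_ip and sport == dport."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header: sport, dport, seq, ack, data offset (5 words) << 4, flags,
    # window, checksum (filled in below), urgent pointer
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, SYN, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ip_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version/IHL, TOS, total length, ID, flags/fragment offset,
    # TTL, protocol, checksum (filled in below), source, destination
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + tcp


def parse(pkt: bytes) -> dict:
    """Pull the fields a LAND check needs out of a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    fields = {
        "proto": pkt[9],
        "src_ip": socket.inet_ntoa(pkt[12:16]),
        "dst_ip": socket.inet_ntoa(pkt[16:20]),
    }
    if fields["proto"] == socket.IPPROTO_TCP and len(pkt) >= ihl + 20:
        fields["sport"], fields["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
        fields["flags"] = pkt[ihl + 13]
    return fields


def is_land(pkt: bytes) -> bool:
    """LAND signature: a TCP SYN whose source and destination address:port match."""
    f = parse(pkt)
    return ("flags" in f
            and f["src_ip"] == f["dst_ip"]
            and f["sport"] == f["dport"]
            and bool(f["flags"] & SYN))


def find_land(packets) -> list:
    """Indices of LAND packets in a capture (a list of raw IPv4 packets)."""
    return [i for i, p in enumerate(packets) if is_land(p)]


if __name__ == "__main__":
    victim = "192.0.2.10"  # constructed documentation address (RFC 5737)
    capture = [
        build_tcp_syn("198.51.100.7", 40000, victim, 80),  # ordinary SYN to a web server
        build_tcp_syn(victim, 80, victim, 80),             # LAND: src == dst, 80 == 80
        build_tcp_syn(victim, 1234, victim, 80),           # same address, different port
    ]
    print("LAND packets at indices:", find_land(capture))  # -> [1]
```

The same comparison is what a perimeter device should do on its external interface: a packet arriving from the Internet whose source address belongs to the protected network is spoofed by definition, and dropping it (the ingress filtering of RFC 2827) stops LAND before the host's TCP stack ever sees it, whatever that stack does with the packet.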

Microsoft was notified 10 days ago about this vulnerability and has done nothing about it: no fix, not even an announcement. Meanwhile, the computers are vulnerable to the first person who can write a shell script to exploit this DoS.

Another critical vulnerability, patched last month, allows an attacker to craft a URL that, when viewed with Internet Explorer, is rendered at the security level of the "Local" zone, which carries far fewer restrictions than the other zones in Internet Explorer's protection scheme. More details on this vulnerability are in this post to the Bugtraq mailing list. While the vulnerability itself isn't the issue here, the length of time until the fix was released is certainly cause for concern. According to the post, Microsoft was informed of the vulnerability on February 16, 2004, over one year ago. It took until September for an initial fix to be released for testing, and that fix didn't even solve the problem. Only last month was the patch released to the public.

Microsoft classified this vulnerability as critical yet sat on the information for nearly a year. The only people who have known about it for the last 12 months are Microsoft, the person who disclosed it, and any malicious user anywhere in the world who found it independently. Microsoft merely controlled the information while leaving the general public at risk of having this critical vulnerability exploited on unwitting users' computers.

The "MSN Messenger PNG Image Parsing Vulnerability" disclosed last month by Core Security is another example of an unacceptable delay in disclosing the vulnerability and providing a fix. Microsoft was originally informed of this critical vulnerability on August 23, 2004 yet a fix wasn't released until February 8, 2005.

As with the others, Microsoft classified the MSN Messenger vulnerability as critical, yet took nearly six months to release a fix. While this vulnerability doesn't affect as many users as the Internet Explorer vulnerability, it's still important to fix such a flaw in a timely manner. Again, the only people who knew about the vulnerability were Microsoft, the discoverer, and anyone else in the world who also discovered it but didn't report it.

Contrast Microsoft's policy of information control rather than vulnerability control with any given Linux vendor's policy of open information and rapid release of fixes. Many vulnerabilities for Linux systems are fixed the same day that they are disclosed. In addition, Linux vendors frequently fix third-party software packages that can be installed on their systems. That would be akin to Microsoft releasing fixes for software like Winamp or Real Player.

Some might point out that Microsoft's delay in producing patches for these and other vulnerabilities is caused by the sheer complexity of producing patches for its software: Microsoft cannot simply patch the vulnerability and release the patch to the public; much testing needs to be done to ensure that the patch doesn't create unforeseen problems with other software.

Testing is a reason for delay in releasing a patch, but it's certainly not Microsoft's reason. How quickly we forget the re-release of patches because of "unexpected consequences." I would also hope that testing a patch doesn't take a year, which was the length of time between the latest Internet Explorer vulnerability report and the patch's public release.

If complexity is the reason for the delay in releasing a patch, then Microsoft has indeed learned nothing from its repeated attempts to improve security and it only furthers my point that Microsoft truly does not understand computer security. Complexity is the enemy of security. If the software is sufficiently complex as to cause a months-long delay in fixing a critical vulnerability then it's time to solve the root problem rather than merely and continually treating the symptoms.

It's time for Microsoft to devote more attention to providing timely fixes for its software and less time telling us how good it is at security.

About Steve Suehring
Steve Suehring is a technology architect and engineer with a solid background in many areas of computing, encompassing both open and closed source systems. He has worked with a variety of companies, from small to large and from new economy to old, to help them integrate systems and make the best use of available technologies. He takes a hands-on approach with many projects, frequently leads teams of engineers and developers, and has written magazine articles as well as a book on the MySQL database server. He has also performed technical editing on a number of other titles.


Reader Feedback

nouser wrote:

> dtl commented on 9 March 2005:
>
> "Many vulnerabilities for Linux systems are fixed the same day that they are disclosed."
>
> I'm sure that patch was thoroughly tested, it compiled, ship it, yehaaa let em buck...

Heh. As opposed to Microsoft's stance: "I'm sure our software isn't vulnerable, and anyway we have to test, test, and re-test, and even then the patch will have unintended consequences; better wait to release it, yehaaa let those customers get their systems hacked..."

dtl wrote:

"Many vulnerabilities for Linux systems are fixed the same day that they are disclosed."

I'm sure that patch was thoroughly tested, it compiled, ship it, yehaaa let em buck...

John_P_Scott wrote:

You can quickly disable the firewall from the command line via a netsh command.
Disable:
netsh firewall set opmode disable

Enable:
netsh firewall set opmode enable

AaronW wrote:

Didn't SP2 make it impossible in Windows for an application to fill in an invalid source IP address? If this is the case, I wonder if this problem cropped up because Microsoft cannot generate the LAND attack with an up-to-date version of their OS.

Also, I wonder what sort of vulnerabilities exist in Windows for IPv6?

-Aaron

David Mohring wrote:

Even Gartner analyst Neil MacDonald has finally realized: "Microsoft's overriding goal should be to eliminate the need for (antivirus) and (anti-spyware) products, not simply to enter the market with look-alike products at lower prices,..." http://news.com.com/Gartner+takes+Microsoft+to+task/2100-7355_3-5582742.html

Microsoft's desktop security issues stem from its continued reliance on the antivirus industry's "Infect-Scan-Remove" approach. In comparison, right from the outset, open source desktop platforms and applications have relied almost wholly on closing the infectable vectors, the exploited vulnerabilities used by malware, as quickly as possible. The result is that both the KDE and GNOME desktop environments are a lot more secure and even more secureABLE. http://slashdot.org/comments.pl?sid=137937&cid=11539203

Follow this Usenet thread from September 2000: http://www.google.com/groups?threadm=slrn8sj1ac.6m4.heretic@heretic.ihug.co.nz

The thread covers the argument over securing applications vs. scan and repair in detail. David Harley and Robert Moir are two antivirus industry leaders. It also includes the prediction that Microsoft would eventually get into the antivirus/antimalware industry. With XP SP2, Microsoft have only just begun to adopt some of the "new" defence strategies outlined by myself in the above thread. However, in my opinion, Microsoft still has yet to secure the actual applications exploited, and five years after the release of Windows 2000, has yet to provide a safe desktop environment for business.

To quote Dr. Blaine Burnham, the former director of the Georgia Tech Information Security Center (GTISC) and previously with the National Security Agency (NSA), "Security is a system wide property". That requires applications, middleware, libraries and the operating system itself to be secured before the whole system can be declared secure. (If you have a spare hour, listen to Dr. Blaine's USENIX 2000 keynote: http://technetcast.ddj.com/tnc_play_stream.html?stream_id=411)

The Linux, Mozilla, KDE and GNOME based projects provide a more secure desktop environment because the developers and distributions secure the applications themselves, where the application's vulnerabilities can be exploited. In most cases an updated package is available within days of the discovery. After years of double digit vulnerabilities discovered in Microsoft's Internet Explorer, Microsoft has reluctantly changed its mind again and offered yet another upgrade to IE7, but only for users of XP and the mythical Longhorn. Meanwhile 21 out of 87 Secunia advisories are marked as "Unpatched" in XP Professional. http://secunia.com/product/22/

For a company with the financial resources of Microsoft, that is not even close to being a good enough passing grade. It is the result of long-term neglect of the security issues, and the result will not be secured by any magic bullet based scan or behaviour constraint system. http://woct-blog.blogspot.com/2005/01/smoke-and-mirrors-awareness-day.html

Shop around and compare other vendors' current (number of serious issues unpatched) security status. http://secunia.com/product/

In late 1998 a number of security experts wrote to Microsoft in an open letter; a number of anti-virus companies signed it saying "hey, here are the things you can actually do to Microsoft Word to dramatically reduce the chances of virus infection". http://news.bbc.co.uk/hi/english/static/audio_video/programmes/panorama/transcripts/transcript_03_07_00.txt

It took over four years of the worst publicity and intense pressure from the security community before Microsoft finally began to react. http://www.theregister.co.uk/2002/01/17/ms_highest_priority_must/

It's time to raise the level of expected security in application and desktop design. http://groups.google.com/groups?selm=slrnaghlie.1h4.heretic@heretic.ihug.co.nz
http://groups

Patch-free March wrote:

And in other news... Microsoft's Security Response Center has given advance notice to customers not to expect any security patches for this month!!

jschottm wrote:

Every company that does computer work has to be a security company now. Many companies are completely dependent on computers and most of their crown jewels are stored on them. Many home users have sensitive banking information stored on their computers. Building broken software that allows system disruption or data to be stolen will lose customers. Part of my job is to migrate systems from Windows to Linux, specifically because of security and stability issues.

Tassach wrote:

There is NO legitimate reason whatsoever for a modern, patched operating system to be vulnerable to a simple, 8-year-old DoS attack. What's next, reintroduction of the Ping of Death vulnerability? This is sloppy quality control, pure and simple.

This incident is just another example which demonstrates the importance (or more accurately, the lack thereof) that Microsoft's corporate culture places on security. Hasn't anyone at Microsoft ever heard about regression testing?

Microsoft has consistently demonstrated that, regardless of what their press releases say, security is NOT one of their priorities. People need to start waking up and realizing this before they entrust their critical infrastructure to Microsoft products.
