Information Security News mailing list archives

Microsoft Tries to gage security gremlins


From: InfoSec News <isn () c4i org>
Date: Wed, 7 Nov 2001 03:24:29 -0600 (CST)

Forwarded from: Justin Lundy <jbl () wasabi snetcorp com>

http://news.cnet.com/news/0-1003-200-7789528.html

By Robert Lemos
Special to CNET News.com
November 6, 2001, 4:00 a.m. PT
   
Microsoft's security response center must be feeling a little
punch-drunk these days.
  
After the one-two combination of the Code Red and Nimda worms that
targeted the company's server and PC software this past summer, the
titan announced an initiative in early October to promote
security-savvy administration among its partners.
   
However, almost every week since it announced its Strategic Technology
Protection Program, a new security flaw has cropped up. In the past
few weeks, holes have been found in Excel and PowerPoint and a new
system for protecting music content. A major security patch was issued
for Windows XP, and the company had to shut down part of its Passport
service to fix a set of flaws in the technology that Microsoft hopes
will become the foundation of its .Net initiative.
   
The company will have to do some fancy footwork to quell concerns of
its .Net partners and current customers, said John Pescatore, an
analyst with research firm Gartner. The .Net initiative is Microsoft's
overarching plan for ubiquitous online services.
   
"Microsoft realizes that they have to be perceived as a more secure
company if .Net is ever going to be a success," Pescatore said.
   
In a column following the outbreaks of the Code Red and Nimda worms,
the analyst urged companies hit by both attacks to consider
alternatives to Microsoft's Internet Information Server (IIS)
software.
   
This week, Microsoft will meet with security experts, privacy
advocates and policy-makers at its Trusted Computing Conference in
Mountain View, Calif.
  
The meeting of the minds in the security world will give the software
giant a chance to renew its push to rewrite the ground rules for
disclosing information about vulnerabilities. The company wants to see
fewer details in the independent advisories that illuminate the holes
in its products; getting its way could give Microsoft a bit of
breathing room to respond to the flaws before malicious hackers target
its customers.
  
That could also help the company regain some of the credibility lost
in the recent security compromises.
   
In a recent essay, Scott Culp, program manager for Microsoft's
security response center, lambasted researchers and hackers who
provide snippets of program code to illustrate how a particular
vulnerability can be taken advantage of. Known as exploit code, the
partial programs usually make it easier to develop hacking tools and
worms that attack computers using a specific vulnerability.
   
"It's high time the security community stopped providing blueprints
for building these weapons," he wrote in the essay.
   
Many believe that is what happened in July, when more than 360,000
computers running Microsoft's Web server software fell prey to the
Code Red worm, a program that took advantage of a vulnerability known
as the printing ISAPI flaw. The company that found the flaw, eEye
Digital Security, worked with Microsoft to create a fix, but, in its
advisory, it also publicized details about the exploitation of the
vulnerability.
   
Consensus or concealment?

Microsoft's aim is to curtail hackers' access to such details.
   
"For its part, Microsoft will be working with other industry leaders
over the course of the coming months to build an industrywide
consensus on this issue," Culp wrote.
   
Yet others worry that Microsoft's main motive is to dial down its own
public-relations disasters.
   
"This conference is an ambush to push through Microsoft's beliefs on
limited disclosure to make it seem to be endorsed, when the larger
community hasn't even seen any details," said Russ Cooper, research
director with security firm TruSecure.
   
In the latest security faux pas, Microsoft released an update for
Windows XP that included, by Cooper's count, five security fixes, but
the company has issued advisories on only two.
   
"They promised more information to people about how to become secure
and stay secure, but what do we get? They keep ignoring the consumer,"
he said.
   
Electronic rights activists, worried about what .Net might mean for
privacy, aren't comforted by the knowledge that the giant has yet to
prove it can secure its systems.
   
Last week, a software engineer demonstrated a way to use several flaws
in the company's Passport authentication system--the key to security
for .Net.
  
"The security lapses further support our claims that Microsoft's
guarantees of privacy and security are deceptive and unfair to
consumers," Marc Rotenberg, director of the Electronic Privacy
Information Center, wrote in a letter to the Federal Trade Commission.
   
"Further, Microsoft's failure to disclose the actual risks associated
with the collection and use of personal information in the Passport
service constitutes an unfair and deceptive trade practice."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.