Full Disclosure mailing list archives

Re: Gates: 'You don't need perfect code' for good security


From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Sun, 2 Nov 2003 10:43:21 -0600

"William Warren" <hescominsoon () adelphia net> wrote:
> Beaty, Bryan wrote:

>> Correct me if I am wrong but...
>>
>> I believe every worm listed below could have been prevented had everyone
>> patched their systems.
> The Blaster worm preceded the patch, so this argument is DOA.

Actually, you're dead wrong on that point.  MS03-026 was released about a
month and a half before Blaster began spreading.  Although it left other
vulnerabilities that were (at the time) unknown, the flaw exploited by
Blaster was patched.

>> I would like the security community to take more responsibility for
>> their own (in)actions. If you were hit by Blaster then you failed to
>> enforce a good patch management policy. Whose fault is that? Patch
>> management is boring and so we often ignore it. Hackers and worms simply
>> take advantage of our laziness. I guess Blaster could be a form of
>> social engineering. "I know admins don't patch so I can write a worm and
>> kill the world."
> Note above.

The above has been noted, though only for its inaccuracies.  He makes a very
good point.  No code is bug-free; this is a fact.  So, the only way anyone in
the security community can *hope* to stay up to date is with a good patching /
FW policy.  Any good network admin should be using firewalling to block port
135 in both directions, inside the LAN and out.  If users have a problem with
that, tough.  Also, you should regularly install patches to protect systems
inside the firewall.

>> There is no such thing as perfect code. If you want a completely secure
>> system you can buy them but they are unbelievably expensive. If you have
>> a business justification for something that secure then buy it.
>> Otherwise you have to live with what you can get from Linux, UNIX, or
>> even Microsoft.
>>
>> Microsoft has at least come out with some very good patch management
>> systems lately (SUS) and they are free. Red Hat charges me a yearly fee
>> for their RHN.
> You do not have to pay for RHN to get Red Hat patches.  I ran rh9 for a bit
> on this notebook (had vid issues with all distros here) and was able to
> get all updates without subbing to RHN.

Right, but of course you'd rather stick to Windows Update and HFNetChk when
you could have a tool like SUS which is far better for no fee.  Like it or
not, Microsoft has the best security response process of any vendor, in
terms of getting patches out once they are available.

> MS has no choice but to come out with free patching tools because of the
> huge number of patches for all MS products.

Even though MS, by the time you factor in the large number of components
they ship, has had many times fewer patch releases than competing Linux
distributions?

1. OpenSSH v. Remote Desktop / Terminal Services
OpenSSH: Two vulnerabilities in recent weeks
RD/Terminal Services: Zero vulnerabilities this year

2. Sendmail v. Exchange
As buggy as many people claim Exchange is, it has had two patches this
year -- if you include OWA.  Even though it provides substantially larger
amounts of functionality for some uses, it has still had fewer
vulnerabilities than its main competitor, Sendmail.

3. Apache v. IIS
Apache 2.0, especially, has never established itself as a server worthy of
production use, due to the fact that it is riddled with security
vulnerabilities.  Apache 1.3 has also had some vulnerabilities -- the recent
sub-request issue, chunked encoding, etc.  IIS has steadily improved in
security, particularly with IIS 6.0.  For a relatively new product, IIS has
always been an innovator in security.  Especially on Windows platforms, IIS
offers many times better security and performance.  That said, I do realize
that Apache 1.3 was not initially written for Win32.  However, its Unix
releases also lack much of the account separation found in IIS 6.  It is
currently not possible to serve requests from different sites as different
users in 1.3.

> I run Astaro Security Linux here at the house.  Blaster
> and its ilk got killed at my then cable modem and never made it in.  I
> have NetBIOS blocked incoming and outgoing, and all e-mail is scanned at
> the firewall, with all executable attachments being blocked.

That would be the policy that all networks should use -- firewalling.  Funny
that the same practices, even on an unpatched Windows XP system, would have
been sufficient at blocking the worm.  As long as port 135 and the related
NetBIOS services (137, 139, 445, 593, etc.) were blocked, this worm would
not make it in.  And, truthfully, one should automatically block ports not
in use by a system behind the firewall.

> However, it is funny MS wants to make automated patch downloading mandatory
> when, on every machine here, Automatic Windows Update did not catch wind of
> new patches available on WU until sometimes 7 days after the release on
> WU.  MS has a long way to go on their patching, both in terms of quality
> of software and patches, and delivery.

I am ignoring your "quality of software" argument, because it is simply
moot.  There is little difference in quality of software, and your previous
point outlines Gates' original statement quite well -- you don't need
perfect code.  And, your complaint about WU has been noted by Microsoft.  WU
is an on-access utility -- you only learn about patches when you check it.
This is perfectly sufficient for the millions of occasional users of home
PCs out there.  But a problem begins when you need to patch an
entire network ASAP.  Microsoft has created tools like SUS for this purpose.
For free, we might add.

>> I believe the #1 security threat today is poor patch management. Is that
>> Microsoft's fault?

> The number one security threat today is exploits that target a weak
> security model to such a degree that exploits can be so easily 0-day released
> without anyone knowing.  Also, even with all patches right now, IE (and
> therefore Windows) is still subject to remote download and installation
> of programs without user notification (this is widely known; just Google
> for it).

Oh my god, IE's caching model is buggy (and I do mean buggy).  Yes, after
the recently released security bugs in the "caching" functionality of IE,
said functionality has obviously been implemented without concern for
security.  Unfortunately, IE's many additional features do make it prone to
areas of poor code impacting a large amount of functionality.  In my
opinion, one should be able to disable MS' proprietary extensions to the
JavaScript standard in IE, to reduce the attack surface of the browser back
to normal levels.  That is one place where MS has really done a poor job of
product quality assurance.

A more general problem is that MS has never allowed security to drive a
software decision (unless it was specifically a security tool, such as
URLScan).  This is why you see worthless, buggy features like DOM caching
in Internet Explorer.  However, even an IE vulnerability is not the end of
the world.  Disable Active Desktop, and Web Folder View, and the shell's
exploit vector is closed.  This limits the exploitation of these
vulnerabilities to those users who continue to browse malicious sites, or
*STILL* haven't secured Outlook (Express) to process messages in Restricted
Sites.  An even better option is the "Read messages as plain text" option in
OE 6.0 SP1 and Outlook XP.  Fact is, you don't get exploited if you have
responsible browsing and e-mail reading practices.  I ran IE 5.5 Gold
without one patch installed for a year and a half, and never was exploited.
Looking back at it, it probably wasn't the smartest thing I've ever done,
but knowing that there were bugs required me to be a smarter browser.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
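A defender's counterpart to the firewalling advice in this message, added here as an example and not part of the original post: it parses constructed firewall log lines (the line format and all addresses are made up for the example) and flags a source sweeping many hosts on 135/tcp, the pattern a Blaster-style worm produces, plus any inbound connection on the ports the post says to block that the firewall nevertheless accepted.

```python
import re
from collections import defaultdict

# Constructed perimeter-firewall log (one line per inbound TCP attempt).
# Addresses are documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
2003-08-11 14:02:01 DROP TCP 192.0.2.10:3456 -> 198.51.100.7:135
2003-08-11 14:02:01 DROP TCP 192.0.2.10:3457 -> 198.51.100.8:135
2003-08-11 14:02:02 DROP TCP 192.0.2.10:3458 -> 198.51.100.9:135
2003-08-11 14:02:02 DROP TCP 192.0.2.10:3459 -> 198.51.100.10:135
2003-08-11 14:02:03 DROP TCP 192.0.2.10:3460 -> 198.51.100.11:135
2003-08-11 14:02:05 DROP TCP 203.0.113.5:40000 -> 198.51.100.7:445
2003-08-11 14:02:09 DROP TCP 203.0.113.5:40001 -> 198.51.100.7:139
2003-08-11 14:02:15 DROP TCP 198.51.100.20:1025 -> 198.51.100.21:135
2003-08-11 14:02:20 ACCEPT TCP 203.0.113.9:51000 -> 198.51.100.7:135
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (DROP|ACCEPT) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")

# Ports the post says to block at the perimeter: RPC endpoint mapper (135),
# NetBIOS name/session (137, 139), SMB (445) and RPC over HTTP (593).
WATCHED_PORTS = {135, 137, 139, 445, 593}


def parse(log_text):
    """Turn log lines into dicts; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"action": m.group(2), "src": m.group(4),
                           "dst": m.group(6), "dport": int(m.group(7))})
    return events


def find_scanners(events, min_targets=3):
    """Map src -> (port, sorted targets) for sources that probed at least
    min_targets distinct hosts on one watched port (a worm sweep)."""
    targets = defaultdict(set)
    for e in events:
        if e["dport"] in WATCHED_PORTS:
            targets[(e["src"], e["dport"])].add(e["dst"])
    return {src: (port, sorted(dsts))
            for (src, port), dsts in targets.items() if len(dsts) >= min_targets}


def accepted_watched(events):
    """Inbound hits on watched ports the firewall let through: policy gaps."""
    return [(e["src"], e["dst"], e["dport"]) for e in events
            if e["action"] == "ACCEPT" and e["dport"] in WATCHED_PORTS]
```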