Microsoft criticized for lack of software security

[William Knowles <wk () C4I ORG>]

http://news.cnet.com/news/0-1003-200-1823167.html

By Paul Festa and Joe Wilcox
Staff Writers, CNET News.com
May 5, 2000, 4:15 p.m. PT

Look at it this way: The "Love" bug isn't a bug after all. It's a
feature.

That's the wry analysis of security experts in the wake of the
destructive global spread of the "I Love You" virus and its variants.
They say the worm's lightning-fast spread is a perfect demonstration
of Microsoft's powerful technologies working exactly as they were
designed to operate.

The fundamental problem, these experts say, is a market-driven impulse
to include as much functionality as possible in applications at the
expense of security. While all companies face the same pressures from
customers, none is as famous as Microsoft for yielding to it.

"At Microsoft, they always go for more functionality over security,"
said Gary McGraw, vice president of corporate technology at Reliable
Software Technologies. "That's what the marketplace wants, because the
marketplace isn't very educated about security. It's easy to sell
products that aren't perfect to people who are ignorant. The
customers' No. 1 job isn't security, it's getting their job done."

For its part, Microsoft insists it provides adequate security features
but lets customers choose how much they need. "There's always a trade
off between ease of use and security," said Scott Culp, a program
manager with the software maker's security response center. "As a
general rule, if you want to have higher security, you're going to
take a bit of a cost in not being quite as easy to use. We provide
features in all our products to let you decide where that balance is
for you."

The origin of the current security quagmire lies in the development of
computing applications that predate the Internet.

In designing desktop applications such as Word and Excel, Microsoft
created individual scripts, or macros, for automating tasks within
them. The software maker decided to create a common scripting language
that all the disparate applications could understand, and it took the
form of the Visual Basic programming language and its scripting
language, VBScript.

These languages were a boon for Windows developers. They also wound up
being the languages of choice for the author of the I Love You virus.

"What we've seen here is the result of adding a powerful language to
applications that interface with the Internet, which is the source of
dangerous data. It's a very dangerous combination," said Security
Focus analyst Elias Levy, moderator of the Bugtraq security mailing
list. "The scripting language makes a lot of sense with a lot of tasks
on the desktop, but you have to be very careful when you interface
them with something as dangerous as the Internet.

But Culp said blaming programming languages is an oversimplification
of the real problem. "The issue here isn't scripting," he said. "It's
the social phenomenon of virus writing.

"That virus could have been written as an executable or on any
platform or in a nonscripting language. Just because this virus was
written in a scripting language, and we happen to support scripting in
our operating system, doesn't make it a security issue."

The problem also goes back to Microsoft's corporate philosophy and how
it designs products. The software maker's success stems partly from
its ability to tightly tie applications to each other and to its
flagship Windows operating system. Word and Excel, for example, use
not only common scripting languages but also common components that
make them easier to use and customize.

But as Microsoft has increased the ties between applications and the
operating system, particularly bundling Outlook with Office and
hooking it to Internet Explorer, the company has created new security
vulnerabilities, analysts say.

"Microsoft has built in the ideal virus transmission mechanism into
the operating system," said Gartner Group analyst John Pescatore.

One problem is Outlook's extensive dependence on Visual Basic and the
ways hackers can exploit it. Another is the ease with which scripts
can manipulate Outlook's address book and also affect the operating
system regardless of other security measures, such as password
protection.

Viruses are a long-standing problem. In the past, system
administrators contended with small windows of time during which
infected files could get into their networks ahead of antivirus
updates and be distributed by a few people, either inside or outside
the organization.

"Now, with mechanisms built into Windows and Office, Microsoft is
doing it for (virus writers)," Pescatore said. "Here is your address
book, so send out the virus to everybody there at the speed of your
CPU instead of relying on the person dumb enough to send infected
email."

"If that were off by default, it would be a whole lot more secure,"
said Reliable's McGraw. "Having it on by default is typical of
Microsoft's approach...In the case of the Love bug, it isn't even a
bug. It's just insecurely designed. It's not badly designed; Microsoft
intended for it to be that way."

Analysts say these recent outbreaks are similar to the Morris worm
that a dozen years ago crippled Unix systems and brought down the
young Internet. That virus exploited ties between Unix sendmail and
the operating system to redistribute itself via people's address
books, similar to what is happening with Outlook and Windows today.

Microsoft's critics frequently point to the Java programming language,
developed by Sun Microsystems, as a security paragon--at least
compared with Microsoft security methods.

"The Java approach is completely different," said McGraw, who is also
co-author of a book on Java security. "It was designed to protect
ignorant people from their own ignorance. And that may be a better
model for the future economy, with everything computerized and
software truly ubiquitous."

Java's security model works by establishing a so-called sandbox that
limits the areas of the computer the code can manipulate. Microsoft's
technologies, including Visual Basic and ActiveX--another frequent
target of analysts' security gripes--rely on the "trust" model,
leaving PC users to decide whether to grant incoming scripts and
ActiveX components power over their computers.

"The people who designed Java wrote it so that you can run whatever
you get as long as the model is perfect," said McGraw. "That leaves
room for error. But Microsoft lets you decide whether to give over
complete control. The I Love You thing is a perfect example of what
happens when you give that control with two clicks of the mouse. It's
incredible. That's all it takes to give away the keys to your
computer."

Other analysts agreed that Microsoft has a lot to learn from Java.

"Visual Basic...and Active X are nowhere near the security posture of
Java," Gartner's Pescatore said. "Java was designed with security in
mind. Visual Basic was designed to allow novice users to build
anything. C++ is not much better. (In) all programming languages until
Java came along, most of the common ones were pretty insecure from a
security perspective."

McGraw warned that as more things become computerized, the "trust"
model will increasingly fail to protect people.

Although market forces will continue to pressure Microsoft and others
to give security short shrift in favor of functionality, McGraw said
he has some hope that the new exigencies of online commerce will exert
pressures in the opposite direction.

"If you look at particular verticals, like the financial guys, they're
getting much more particular about security," he said. "That's a
harbinger for the future. As e-business really starts to happen,
people are going to be paying much more attention and actually
designing their stuff to be secure."


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".