Information Security News mailing list archives

MS Security Plan: OK, Kind Of


From: InfoSec News <isn () c4i org>
Date: Fri, 5 Oct 2001 02:53:12 -0500 (CDT)

http://www.wired.com/news/technology/0,1282,47299,00.html

By Michelle Delio 
2:00 a.m. Oct. 4, 2001 PDT 

Microsoft's newest security initiative is drawing jeers and a few
cheers from industry experts.

Many experts said Microsoft's Strategic Security Protection Program
plan announced Wednesday is nothing more than a half-hearted attempt
to assuage increasing demands from government, industry and consumers
for better product security, before the government intervenes and
business falls.

Admitting that it has a "special obligation to help ensure the
security of the Internet and our customers' data," Microsoft said it
will offer free security support services, a free CD that contains all
current system-specific security patches, and automatic bi-monthly
delivery and installation of new security patches via the Internet.

Brian Valentine, senior vice president of the Windows Division at
Microsoft, said the rallying cry of the new initiative is, "We will
not rest until your business is secure. Period."

But some security experts said that if Microsoft stands by that promise,
its employees won't be getting much sleep, and charged that simply
improving the delivery method of patches for insecure products is not
enough to provide real security.

Releasing software riddled with security holes is simply unacceptable,
Air Force CIO John Gilligan told the FBI on Monday, according to an
agent who attended the briefing.

Gilligan said government agencies and businesses can no longer afford
to play a constant game of hunt-and-patch, and demanded that software
companies test their products thoroughly before releasing them.

Gilligan added the government might have to impose security standards
on software manufacturers if they don't begin to take security
seriously, particularly in light of the Sept. 11 terrorist attacks.

"Absolutely, Microsoft is going about this totally the wrong way,"
said Nick Marken, a software and security consultant for New York
state. "A big part of this SSPP program is focused on delivering
security patches. But they should be focusing on delivering more
secure products instead of implementing all kinds of spiffy plans to
patch those products."

"If they focus on patching holes, instead of ensuring the holes don't
exist, Microsoft techies are going to be running around like chickens
with their heads cut off," Marken said. "This new initiative is just a
gesture, not a real response, to the increasing industry and consumer
demand for more secure software. And I can see the government stepping
in to set security standards."

Microsoft's Valentine defended the SSPP program's emphasis on patches.

"Naturally, vulnerabilities will exist, and we need to increase our
engineering investment and work with government agencies, the
appropriate consulting agencies, to minimize those vulnerabilities,"
Valentine said in a press statement.

Joey Maier, a systems administrator and security engineer, thought
that delivering patches directly to end users was a good idea, but
warned that systems administrators probably wouldn't sign up for the
service.

"Most of us have discovered that adding patches to a production system
without testing them first is a good way to break your existing
applications," Maier said.

Other security experts said patches only solve known security issues.

"There's that golden rule of security that states that security is an
ongoing process and patches and updates are an important part of it,"
Dave Kroll, president of Finjan Software, a security software firm,
said.

"But security administrators shouldn't rest well at night just because
all software patches are installed. Patches won't protect you from the
next unpublished vulnerability. Installation of patches seems to be
proactive, but actually it is in reaction to a database of known
vulnerabilities."

Gilligan's briefing focused on Microsoft-specific worms and viruses
such as Code Red, Nimda and Melissa, as did a report last week from
Gartner security analyst John Pescatore recommending in no uncertain
terms that businesses switch to non-Microsoft Web server software in
the wake of this summer's worm attacks.

The report stated that "viruses and worms will continue to attack IIS
until Microsoft has released a completely rewritten, thoroughly and
publicly tested, new release of IIS.... This move should include any
Microsoft .NET Web services, which requires the use of IIS."

Microsoft's Valentine said in a statement that the next version of its
hacker-plagued IIS Web server software will not be rewritten, but will
be "locked down by default," with the pre-defined configurations set
to the highest security levels.

"The security community has always wanted Microsoft to issue products
that are locked down by default. So there should be rejoicing that MS
appears to have finally listened to all the pleading from the experts
in the security and network field," Marquis Grove, of Security News
Portal, said.

"If the products then prove to be less than secure, it will be because
of defects or bugs within the products themselves rather than some
lapse by an administrator who was not familiar with the entire gamut
of security settings within Microsoft products."

Grove also pointed out that Code Red and Nimda took advantage of holes
in IIS' code, not faulty security settings.
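Grove's point (the worms exploited code, not settings) and Kroll's caveat (patches and signatures only cover what is already known) can both be seen in an IIS access log. The following is an added example, not part of the Wired article or anything Microsoft shipped: a small Python detector that reads lines in the IIS W3C extended format (date, time, client IP, method, URI stem, URI query, status) and flags the two publicly documented probe patterns, Code Red's oversized /default.ida query carrying %u-encoded shellcode and Nimda's requests for cmd.exe or root.exe, often through a double-encoded "..%255c.." traversal. The log lines are constructed for the example and are not captured traffic; the field order and rule thresholds are assumptions for illustration.

```python
"""Flag Code Red and Nimda probes in IIS W3C-format log lines (added example)."""
import re

# Constructed sample log in the IIS W3C extended format:
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
# The probe lines imitate the publicly documented worm requests; none of this
# is real captured traffic.
CODE_RED_QUERY = (
    "N" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090"
    + "%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)

SAMPLE_LOG = f"""\
2001-09-18 10:01:02 192.0.2.10 GET /index.htm - 200
2001-09-18 10:01:05 192.0.2.11 GET /default.ida {CODE_RED_QUERY} 200
2001-09-18 10:01:09 192.0.2.12 GET /scripts/root.exe /c+dir 404
2001-09-18 10:01:09 192.0.2.12 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:01:12 192.0.2.13 GET /products/list.asp id=42 200
"""

# Code Red: a request for the Index Server ISAPI extension (.ida) whose query
# is a long filler run ('N' in the first variant, 'X' in Code Red II) followed
# by %u-encoded shellcode. The 100-character minimum is an assumed threshold.
CODE_RED_RE = re.compile(r"^[NX]{100,}.*%u[0-9a-f]{4}", re.IGNORECASE)

# Nimda: a request that ends in cmd.exe, or the root.exe copy left behind by
# Code Red II, reached directly or through a double-encoded / Unicode traversal,
# usually with a "/c+dir" query to test whether the shell is reachable.
SHELL_RE = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(%255c|%c0%af|%c1%1c|%c1%9c)", re.IGNORECASE)


def parse(line):
    """Split one W3C log line into the fields the rules need; None if malformed."""
    parts = line.split()
    if len(parts) < 7:
        return None
    _date, _time, ip, method, stem, query, status = parts[:7]
    return {"ip": ip, "method": method, "stem": stem, "query": query, "status": status}


def classify(line):
    """Return 'code-red', 'nimda', or None for a single log line."""
    rec = parse(line)
    if rec is None:
        return None
    stem, query = rec["stem"], rec["query"]
    if stem.lower().endswith(".ida") and CODE_RED_RE.search(query):
        return "code-red"
    if SHELL_RE.search(stem) and (query.lower().startswith("/c+") or TRAVERSAL_RE.search(stem)):
        return "nimda"
    return None


def scan(log_text):
    """Return (client_ip, label) for every line that matches a known probe."""
    hits = []
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            hits.append((parse(line)["ip"], label))
    return hits


if __name__ == "__main__":
    for ip, label in scan(SAMPLE_LOG):
        print(f"{ip}\t{label}")
```

Two things worth noticing when running this over a real log. The status code tells you whether the probe found the hole: a 404 on /scripts/root.exe means that particular path was not there, while a 200 on the traversal to cmd.exe means the server executed it, which no permissions setting on the administrator's side would have prevented. And the detector only knows these two patterns because they were published after the fact; it is exactly the "database of known vulnerabilities" Kroll describes, and it would say nothing about the next unpublished IIS flaw.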

Jack Dahany, vice president of server security at Watchguard
Technologies, also noted that the availability of patches from
Microsoft didn't stop the spread of Code Red or Nimda, but said that
Microsoft's program was a step in the right direction.

"Granted, Microsoft is not, as they should be, rewriting their
products to be more secure, because that is pretty hard and takes
quite some time," Dahany said. "And the outcome of that effort would
not necessarily be markedly better security."

"SSPP is good common-sense guidance for a user community that needs
it. I think that Microsoft has done their users a real service with
this," Dahany said. "It is a public acknowledgement that their systems
need more protection than they arrive with out of the box, and it is
also a signal that Microsoft is now going to play a real part in the
security education and training of their customers."

Microsoft's Valentine said he has complete faith in the initiative.

"I cannot emphasize enough how very serious we are about this
program," Valentine said in a statement.



-
ISN is currently hosted by Attrition.org