Information Security News mailing list archives

Microsoft failing security test?


From: InfoSec News <isn () c4i org>
Date: Fri, 11 Jan 2002 12:46:40 -0600 (CST)

http://www.zdnet.com/zdnn/stories/news/0,4586,5101593,00.html?chkpt=zdhpnews01

By Robert Lemos
Special to ZDNet News 
January 11, 2002 4:38 AM PT
 
Microsoft's security initiatives and the release of the company's
"most secure operating system yet" haven't quashed myriad holes that
security experts say put customers in harm's way.

Although the software titan has been touting the need for security
through its Secure Windows Initiative, the recent revelation of a
severe flaw in the company's flagship Windows XP operating
system--combined with the discoveries of several recent Internet
Explorer browser holes--has left security experts questioning whether
Microsoft can fully lock down its products.

"It's not about security mechanisms and initiatives, but in the end
how secure the code is," said Marc Maiffret, chief hacking officer
with eEye Digital Security, the Aliso Viejo, Calif., company that
found the hole in Windows XP. If left unchecked, that hole could let
hackers take over a computer user's PC remotely. Microsoft itself
deemed the flaw "critical" for desktop PC users.

Steve Lipner, director of security assurance for Microsoft, said the
company is working hard to close the holes, but that security is an
evolutionary process. "It is so hard to predict what will happen on
that score," Lipner said. "But our objective is to drive the number of
(security) bulletins to zero."

Still, the Redmond, Wash.-based giant has had difficulty keeping code
hackers from ferreting out flaws in its products.

In the past two months, for example, more than half a dozen security
problems have been found with the latest version of Internet Explorer.
The most recent: Almost three weeks ago, a 31-year-old Austin,
Texas-based security researcher revealed a bug in IE 6. The bug could
let an attacker send an HTML e-mail, which in turn could steal
cookies, allow access to files, or direct the victim to a false Web
site that, to the average person, would be almost indistinguishable
from the real thing.

The researcher, who asked to be identified by his online handle,
ThePull, said an attacker who could fool a victim into clicking a
simple Web link in e-mail could make off with the victim's digital
keys to, say, any online account that has its log-in information saved
as a cookie.

Microsoft has refused to comment on the latest IE issue, and no patch
had been issued as of Thursday evening. That has many security pros,
including Maiffret, irked.

"Right now, there is a known vulnerability and there is no way to turn
it off," he said. "To leave everyone wide open is like Ford Motor
knowing that their car's tires are bad and not saying anything."

Microsoft's Lipner said the company's policy is not to discuss such
issues while they are under investigation.

"We always monitor mailing lists and so forth to see if the
vulnerability is being used to harm customers," Lipner said, "but
until then we believe it is best to wait."

The bigger they are...

Microsoft is a natural target for code hackers because of its dominant
position in the industry. Such security problems, though, have become
a black eye for the company because of its multibillion-dollar bet on
its overarching .Net initiative, a set of software technologies
designed to deliver services easily and securely over the Internet.
Security experts fear that e-business could suffer if .Net becomes
successful and is not adequately secured.

"You can say you have a firewall and white papers that show how secure
the technology is, but that still doesn't matter if you still have
buffer overflows in your code," Maiffret said.

Other researchers drew parallels between Microsoft's current silence
and the nearly two months the company stayed mum on the flaws in
Windows XP. Those flaws were triggered through Universal Plug and
Play, a networking protocol integrated into Windows XP that lets
devices recognize each other automatically.

"Microsoft treats security bulletins as PR problems," said Bruce
Schneier, chief technology officer of network protection company
Counterpane Internet Security. "If Microsoft had its way and there was
bug secrecy, we wouldn't know that any of this happened."

Chris Wysopal, director of research and development for security
company @Stake, argued that an early warning can sometimes actually
hurt security, tipping off malicious attackers to the vulnerability.

Still, Wysopal said, with the Plug and Play incident, Microsoft could
have told customers to just turn off the function if they weren't
using it.

"It does make sense to warn people up front that they can take actions
now," Wysopal said. "I would like to see people not rely on patches so
much. I was disappointed with the FBI's retraction (after they)
proposed a solution that did not require a patch."

The FBI released an advisory Dec. 21 outlining how people could turn
off Universal Plug and Play, but the agency later partially retracted
the advisory and recommended that Microsoft's patch be installed
instead.

"There are all these vendors that are writing products that rely on
UPnP," said Russ Cooper, editor of NTBugTraq and a security researcher
with technology company TruSecure. "So would Microsoft want to tell
their users to turn it off? No."

Other researchers echoed the concern over the Universal Plug and Play
standard, saying that security never had been a primary concern for
the technology.

"UPnP just has to work; it doesn't have to be good," said
Counterpane's Schneier.

However, Microsoft's Lipner said the vulnerability in the Universal
Plug and Play component of Windows XP is fairly complex and of a type
that hasn't been recognized by the code-auditing tools the software
giant uses to detect software bugs.

"There is nobody who is more disappointed than I am when one of these
vulnerabilities is found," Lipner said. "But at the same time, I don't
think two or three months' experience with a new product is a
statistical sample to say what we have done and have not done."

Improving security is not a quick process, but it is happening, Lipner
said. Last June, a new kind of buffer overflow in the company's Index
server software led to a proliferation of the Code Red worm. Now
Microsoft's auditing software is designed to detect such a problem.

"We have to continue doing this," Lipner said, "finding new security
problems and fixing them before the product ships--and, unfortunately,
after the product ships."

Measured by the number of security bulletins the company has released,
Microsoft's progress in security is mixed. In 1999, the company issued
60 security advisories, followed by a whopping 100 in 2000. That fell
back to 60 last year.

Lipner said the company would continue to analyze every problem to
help eliminate flaws in future products.

"In 2004," Lipner said, "if we only have one advisory, you know we
will be doing analysis on that flaw to make sure we catch it the next
time around."

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.