Information Security News mailing list archives
Re: Experts: Microsoft security gets an 'F'
From: InfoSec News <isn () c4i org>
Date: Tue, 4 Feb 2003 04:49:18 -0600 (CST)
Forwarded from: Mark Bernard <mbernard () nbnet nb ca>

Dear Associates,

Actually, this statement may not be far from the truth; however, it needs to be quantified. Typically, within the information security program framework, we measure the success of any program by the reduction in the number of incidents of a specific targeted group. The question should be: has the number of occurrences of this particular type of incident been reduced overall? If the group making the statement has measured the success of Microsoft's initiative against how many systems were actually infected, they may be using the wrong set of quantifiable criteria, and thus their statement would be unjustified. A typical program takes three years to mature and will need to be tweaked a couple of times before it hits 100% of the target.

I should also qualify my statement: I am in no way a Microsoft supporter. I truly believe that when a group dominates a marketplace as Microsoft has, the market in question becomes unhealthy. However, that's good for information security professionals. More balance is necessary.

Happy hunting!

Mark.

----- Original Message -----
From: "InfoSec News" <isn () c4i org>
To: <isn () attrition org>
Sent: Monday, February 03, 2003 2:24 AM
Subject: [ISN] Experts: Microsoft security gets an 'F'
http://www.cnn.com/2003/TECH/biztech/02/01/microsoft.security.reut/

February 1, 2003

SAN FRANCISCO, California (Reuters) -- Computer security experts say the recent "SQL Slammer" worm, the worst in more than a year, is evidence that Microsoft's year-old security push is not working.

"Trustworthy Computing is failing," Russ Cooper of TruSecure Corp. said of the Microsoft initiative. "I gave it a 'D-minus' at the beginning of the year, and now I'd give it an 'F.'"

The worm, which exploited a known vulnerability in Microsoft's SQL Server database software, spread through network connections beginning January 25, crashing servers and clogging the Internet.

Public reminded of risks

It hit a year and one week after Microsoft Chairman Bill Gates sent a company-wide e-mail saying Microsoft would make boosting security of its software a top priority.

Microsoft placed responsibility on computer users who failed to install a patch that had been available since at least last June.

"The single largest message is: keep your system up to date with patches," Microsoft Chief Security Officer Scott Charney said.

But the philosophy of patching is fundamentally flawed and leaves people vulnerable, Cooper said. For example, Microsoft didn't follow its own advice, as executives confirmed that an internal network was hit by the worm.

"Microsoft was completely hosed (from Slammer). It took them two days to get out from under it," said Bruce Schneier, chief technology officer of Counterpane Internet Security, a network monitoring service provider. "It's as hypocritical as you can get."
[...]

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.