Information Security News mailing list archives

Analyst claims additional security layers in Windows add to risk


From: InfoSec News <isn () c4i org>
Date: Tue, 9 Mar 2004 02:38:15 -0600 (CST)

http://www.computerweekly.com/articles/article.asp?liArticleID=128907

by Cliff Saran 
9 March 2004 

Microsoft is planning a series of security improvements to Windows, 
yet each layer of software protection it adds increases the security 
risk, an analyst firm has warned. 

A report by Burton Group said that although Windows 2003 could be 
deployed as a flexible and inexpensive application server, its 
security has a chequered past. According to Dan Blum, senior 
vice-president and research director at Burton Group, attacks such as 
Nimda, Code Red and Slammer have slowed Windows server adoption in 
large enterprise extranet and service provider environments, where 
Linux/Unix servers are generally preferred.

The problem lies with Win32, the programming interface used by most 
applications, he said. 

Because there is no code access control in Win32 subsystems, COM, or 
ActiveX, Blum warned that any software component running on the 
Windows system could invoke any other component and attempt to do 
anything it wants. 

Malicious programs have many opportunities to attempt buffer overflow 
or other attacks to subvert discretionary access controls and other 
system protections. In other words, a rogue Win32 program would be 
able to undo any steps Microsoft may take to lock down Windows 
security. 

The report recommended that users avoid ActiveX and the Win32 
application programming interfaces and instead develop code in .NET, 
an architecture based on managed code, which reduces the effect of 
programming errors.

Blum said, "Like Java, managed code based on .NET runs in a sandbox." 
Such a sandbox is designed to prevent the code from crashing the 
operating system. The code runs on a virtual machine rather than 
computer hardware. As a result, it is much harder to compromise, he 
added. 

Security problems are exacerbated by the fact that Windows 2003 is 
designed to be an integrated platform and as a result is based on 
complex dependencies between various operating system components. 

To tighten security on a Linux or Unix platform, users can remove 
functionality by configuring the kernel or recompiling it, but this is 
not as easy on Windows. "All Linux and Unix operating systems are much 
simpler than Windows," said Blum. 

Bradley Tipp, national system engineer responsible for security at 
Microsoft, defended Windows 2003's security. "With an integrated 
approach it is much easier to apply patches, since the user does not 
have to go to multiple suppliers to secure the operating system," he 
said. 


