Experts: Microsoft security gets an 'F'


gekko
02-02-2003, 09:42 PM
Experts: Microsoft security gets an 'F'

SAN FRANCISCO, California (Reuters) -- Computer security experts say the recent "SQL Slammer" worm, the worst in more than a year, is evidence that Microsoft's year-old security push is not working.

"Trustworthy Computing is failing," Russ Cooper of TruSecure Corp. said of the Microsoft initiative. "I gave it a 'D-minus' at the beginning of the year, and now I'd give it an 'F.'"

The worm, which exploited a known vulnerability in Microsoft's SQL Server database software, spread through network connections beginning January 25, crashing servers and clogging the Internet.

Public reminded of risks

It hit a year and one week after Microsoft Chairman Bill Gates sent a company-wide e-mail saying Microsoft would make boosting security of its software a top priority.

Microsoft placed responsibility on computer users who failed to install a patch that had been available since at least last June.

"The single largest message is: keep your system up to date with patches," Microsoft Chief Security Officer Scott Charney said.

But the philosophy of patching is fundamentally flawed and leaves people vulnerable, Cooper said. For example, Microsoft didn't follow its own advice as executives confirmed that an internal network was hit by the worm.

"Microsoft was completely hosed (from Slammer). It took them two days to get out from under it," said Bruce Schneier, chief technology officer of Counterpane Internet Security, a network monitoring service provider. "It's as hypocritical as you can get."

Fix could have nullified problems

"We should have done a better job" in protecting the company's own network, Mike Nash, corporate vice president of Microsoft's security business unit, said. "We understood some things customers were facing and it, in some ways, helped us. It was a learning course."

There was another misstep on Microsoft's part that illustrates the problems with patches, Cooper said.

In October Microsoft released a fix for a different SQL Server problem that if installed in the expected manner would have made patched systems vulnerable again, he said. "If I followed their advice I'd have been vulnerable."

Microsoft spokesman Rick Miller said administrators were given the option with the fix to install it so the patch was intact. He also said he knew of no customers who installed the fix and were still hit by the worm.

Implementing fix proves complex

But, most people installing the fix would not necessarily have known how to install it in a safe way, Cooper countered.

Microsoft released a service pack that would have fixed the problems the week before Slammer hit. But not only are there too many patches to keep up with, people are reluctant to install them for fear they will interfere with their systems.

Microsoft admits making a mistake with the SQL fix and has "egg on our face" over being hit by the worm, Miller said.

"What this demonstrates and what we readily acknowledge is the patch management process is too complex," he said. "Microsoft is committed to reorganizing our patch system and delivering high-quality patches in a streamlined way."

Demanding better products

Nash defended the Trustworthy Computing initiative, saying the company's security process and culture have changed. For instance, all Windows developers have received special security training, he said.

However, the fruits of that may not show up until future versions of products are released, said Richard M. Smith, a Cambridge, Massachusetts-based computer security consultant. "I'd rather they focus on the problems we have today."

"The problem is the whole patch regime has lots and lots of problems," he said. "It would be much better if the software shipped from Microsoft with fewer problems to begin with."

The solution: install patches, along with firewalls and other security software and services, as well as demand better products from Microsoft, the experts said.

Thinking of switching

In the meantime, Schneier said he was thinking of switching from Windows to the Macintosh platform because of all the security issues. "My wife has a Mac and she doesn't worry about viruses, trojans, leaks...," he said.

A Consumer Reports survey last year found that virus infection rates on Macs are half what they are on Windows, noted Smith. "Is that because Macs are safer? I think the answer is yeah."

GameMaster
02-02-2003, 10:32 PM
Good find gekko :D

Microsoft Users: Keep updated on your software so you aren't vulnerable.

Jonbo298
02-03-2003, 09:38 AM
Microsoft admits to ****ing up! lol, I haven't seen them say that for a while. And when someone said, "The problem is the whole patch regime has lots and lots of problems. It would be much better if the software shipped from Microsoft with fewer problems to begin with." :lol: That is so true :D But I wonder how MS's sales of new software, etc. this year will do after what has happened already. Maybe some companies will think twice about staying with MS.

Cyrax9
02-03-2003, 11:25 PM
Originally posted by GameMaster
Good find gekko :D

Microsoft Users: Keep updated on your software so you aren't vulnerable.

Yes Gekko, this is an EXCELLENT Find, perhaps Bill Gates should TEST his own damn software before he unleashes it on us!

If Moronsoft can't even make their dung-heaps work why should we? I hate Winblows XP and Product Activation, which is why Linux is next up for me. I'd like to see some class-action suits come out of this, if only to allow M$ to take the heat for being stupid.

Also keep in mind most Experts don't even BOTHER to PATCH Windows because they don't know how!

Case in point: use a Mac or Linux PC.

Null
02-03-2003, 11:55 PM
if an expert can't update windows, he's not really an expert is he?


also with so many people searching and trying so damn hard to exploit any hole they can find in windows....... obviously there's going to be a ton of holes found....... search for something long enough, you're going to find it.



odd. i just love to talk about the other side of things. cuz if it was other people kinda being on MS's side, I'd be tearing em up. i do hate MS. i just like playin the other side. =)

Yoda9864
02-03-2003, 11:55 PM
Originally posted by gekko
A Consumer Reports survey last year found that virus infection rates on Macs are half what they are on Windows, noted Smith. "Is that because Macs are safer? I think the answer is yeah."
I'm gonna go out on a limb here and say that people don't give a **** about infecting macs. Everyone makes viruses, worms, etc for Windows because most people use Windows systems.

But I do have to agree that the number of patches that Microsoft puts out is ridiculous. If they think for one second that everyone has the ability to download all the patches as soon as they come out, they are extremely dumb. I'd say that most internet users are on 56k, and when those patches reach 30mb, 56k users can't really just go download them. I'm lucky, and happen to LAN with a buddy every weekend that happens to have cable, so I can keep up with them.

But seriously Microsoft, get with it. Make your product right the first time. You don't have to release a new freaking version of windows every year. Take your time on the next Windows and make it right.

Seven7
02-04-2003, 03:07 AM
56K...meh try that with my 33.6K mind you...heh

Gee I wonder how vulnerable Bill Gates' computers are, as if he even bothers to have them patched up.

sdtPikachu
02-04-2003, 10:19 PM
I'm gonna go out on a limb here and say that people don't give a **** about infecting macs. Everyone makes viruses, worms, etc for Windows because most people use Windows systems.

Almost, but not quite. True, a great many virus/worm writers code for windows because it's a monoculture, and as any farmer will tell you, entire crops will be lost by a single infection when there is a monoculture. So lesson 1: viruses for MS products have a very wide range.

There's a little more to it than that though.

Microsoft still rely heavily on their "security through obscurity" model (especially since they don't want to open up their source code), in that they think if they don't tell anyone about the gaping errors in their code, they're safe. So many hackers like to try and show them that a security through obscurity model is stupid and doesn't work. A great many of these people are White Hats (read: hackers who crack systems in order to tell the manufacturer just how it's broken to encourage them to make a fix). Lesson 2: security through obscurity doesn't work.

Microsoft write inherently insecure code rather an awful lot (some of you may have heard of Outlook/Lookout/Outbreak's latest vulnerability, if not check it out, it's so hilariously stupid), so it is often simple to write code that will do tremendous damage. The constant buffer overflows and elevation of privileges are made worse by the fact that most of MS's products are integrated with one another inextricably (namely that Internet Exploder + Windows Media Player = your desktop, Internet Exploder = your email renderer in Outbreak, on and on and on...), so that a vuln in one part of a program can cause a fault in another apparently unrelated program which may have access to more critical data. UNIX (and remember, Windows is now the only major operating system not to be based on UNIX) is inherently more secure in this respect in that everything is separated out much more (very loose way of putting it, but suffice to say no core program integrates with another core program anything like Windows does). Lesson 3: don't write such retarded code and "feature"-ridden programs in future, arseholes.

Finally, everyone hates MS. Well, mostly. Almost no hacker writes worms for UNIX systems because most of them have too much respect for it. The argument that Windows gets more viruses because it has a 90% market share may be true for the desktops, but what about the server market where the real big juicy stuff lies? There's a lot more kudos in bringing down the Bank of America's ATM servers than there is in making Mrs. Postlethwaite's computer reboot every 15 minutes. But 75% of servers run some flavour of UNIX (especially Apache webservers), so why aren't there more cases of Apache servers crashing than there are of IIS exploits? Apache is also full of holes, but they get patched within hours rather than weeks, and Apache still works afterwards.

But I do have to agree that the number of patches that Microsoft puts out is rediculous.

You should start using Linux then, and be shocked. I typically install about two patches a day over 3 computers. Bug fixes in the OSS community happen fast and furious. They tend to be about 30 KB or so as well.

if an expert can't update windows, he's not really an expert is he?

I'm going to give you the benefit of the doubt Null and assume you've never had any contact with windows servers (eeeuch). I had to do an emergency patch on an Exchange server, and no it is not a simple matter of double clicking on an exe like you're used to. This patch involved putting about fifteen different files in different places manually (mostly .dll's) and then hand-editing some .dat and .ini files. Afterwards Kerberos broke.

MS's server patches are notorious for being impossible to install, and often break mission critical apps when applied. Hence even if the staff ARE trained enough to install the patches, they typically wait a few weeks so they can hear feedback from other victi^H^H^H^H^H users, to see what the patch does and doesn't break. In some cases, there is NO workaround, and if you do install the patch, you have to rewrite your custom app in order to have a working system. So do you spend thousands more on "unnecessary" R&D, or just not bother with that irritating little patch? I know what I'd say if I were in management.

Microsoft Users: Keep updated on your software so you aren't vulnerable.

Keeping patched up helps, but it's best off if you start from a secure base, no? Would you build a granite fortress on top of a frozen lake?

Also lkeep in mind most Experts don't even BOTHER to PATCH Windows because they don't know how!

Unfortunately, Cyrax is right. MS server software requires people of a lesser degree of ability than UNIX sysadmins (disclaimer - I am a Linux sysadmin) since they're easier to use, so companies can get away with cheaper personnel. Unfortunately, this has led to the assumption in many smaller outfits that the office "IT whizz" who configures everyone's email accounts and changes the colour of his desktop *without even looking for the buttons* is able to handle a full blown server. One of our clients who we've since upgraded to Linux got company-wide multiple virus infections due to the fact that the Exchange AV software they paid a fortune for had never been updated in the three years the system was running. We caught one computer with no less than 18 separate installations of the Sub7 trojan. All they ever did to the server was put it in a cupboard, reboot it every few days and chuck a DAT in it every week. Nobody administered it at all.

The fact that these SQL servers were even visible from the internet is shocking enough. Every database server should be sat behind a firewall that only allows connection from local machines. Period. Other than not being able to afford more than one computer, this is incompetence to the point of stupidity. This simple little step would have stopped Slammer in its tracks. As it was, people left their servers right open and boomph, in came the worm.

The solution: install patches, along with firewalls and other security software and services, as well as demand better products from Microsoft, the experts said.

What the experts don't say is that you still need someone with an IQ above room temperature to keep something like a database server operating. No firewall is inexcusable in the case of large companies.

sdtPikachu walks away shaking his head in disbelief
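A host firewall of the kind sdtPikachu describes, as an added example that is not part of the thread: inbound traffic is dropped by default and SQL Server traffic (TCP 1433, plus UDP 1434, the SQL Server Resolution Service port that Slammer hit) is admitted only from an internal subnet. The 10.0.0.0/24 range is a constructed assumption, and nftables syntax is used here rather than any product the posts mention.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): host firewall for a database server
# that only accepts SQL Server traffic from the internal application subnet.
# Constructed assumptions: the internal network is 10.0.0.0/24 and the
# server listens on TCP 1433 (SQL Server) and UDP 1434 (SQL Server
# Resolution Service, the port Slammer targeted).
flush ruleset

table inet dbhost {
    chain input {
        # Default-deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Keep replies to established sessions and loopback traffic working.
        ct state established,related accept
        iifname "lo" accept
        ct state invalid drop

        # Administrative access only from the internal subnet.
        ip saddr 10.0.0.0/24 tcp dport 22 accept

        # Database ports: internal subnet only. An Internet-sourced probe to
        # UDP 1434 matches nothing here and falls through to the drop policy,
        # so the service is never reachable from outside.
        ip saddr 10.0.0.0/24 tcp dport 1433 accept
        ip saddr 10.0.0.0/24 udp dport 1434 accept

        # Log a rate-limited sample of what gets dropped so exposure
        # attempts show up in the system log.
        limit rate 5/minute log prefix "db-drop: "
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; from a host outside 10.0.0.0/24 a connection attempt to 1433 should time out rather than be refused, and the kernel log should show the `db-drop:` entries.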

Yoda9864
02-05-2003, 03:47 PM
I'm impressed by your vast knowledge Sdt. Pikachu. I am in awe.

sdtPikachu
02-05-2003, 07:43 PM
Unfortunately, it kinda goes with my job now. Sigh. I should be getting drunk and dancing with nekkid girls. Boo for computers!

Joeiss
02-05-2003, 07:50 PM
Pika!!!!!! WTF... you only have 338 posts? That seems very weird....

And... I have never gotten a patch on my stuff that MS made... and haven't gotten a virus yet.

*KNOCKS ON WOOD*

Cyrax9
02-17-2003, 11:58 PM
Ok, guys, more on "Bill Gates: Grade - F-F-F-FAILING" for those of you who don't have a problem with SOUTH Korea, even if they have a problem with US.

All right, I was talking to a friend who's a Sun Microsystems nut, just like I am (Although I'm a Linux nut, not a Sun-only nut, I give other UNIX based systems a chance as well, even if they aren't 100% from Sun) and this is what she told me:

Because of a "Bug" in South Korea's Version of Microsoft Windoze, ALL VERSIONS, including suXP, had a MAJOR Security hole that brought down MORE THAN THREE QUARTERS, now think about that for a Minute, MORE THAN THREE QUARTERS, of SOUTH Korea's Internet Services!!!

SOUTH Korea was offline for over a month after this!

I have an idea that'll save the ARMY (That's the Ain't Ready for the Marines Yet, CamFu meaning I want to see you and Gekko do an ARMY Vs. Marines post again) a crapload of money, as well as making sure we NEVER have to land a troop in NORTH Korea.

Let's "Modify" SOUTH Korea's Version of Windoze and send it to NORTH Korea as a "Gift", this copy of windows will be designated "Windows Blows UP" (Until Paid for), which they can use to run their missiles, it'll also have an "Integrated Crash-Starter" more commonly known as an M$ Virus so North Korea can blow THEMSELVES up.

Now think about that, had the SOUTH Korean version of Windows been released in the USA would Bill HELLS Gates (Hey his middle initial is H) have ANYONE'S money right now?

Yes Gekko, Microshaft's security gets an "F", but right now I think we need to go down a few letters to "R" and call the grade "Ruined".

If you could "grade" M$ with a letter grade using any letter in the Alphabet, I might have to give them a "Y" as in "Y are they STILL in Business?!?!"

Please share more Anti-M$ Stories, about crappy security holes and the chimps who try to run a M$ server. If some yahoo can bring down the internet for most of SOUTH Korea, using nothing more than Windows, I think we should exile its infamous creator to Iraq, Afghanistan or some other terrorist country like NORTH Korea, and let him develop his own WMD (Weapon of Mass Destruction), it's called Microsoft Windows and it has the potential to make all the traffic lights in the world turn Red at the same time.

Practice your traffic signals boys, maybe Bill Gates will kill us all with Windows PCs.

No wait, he's already doing that, if they don't CAUSE an accident, they're going to overflow in landfills when everybody throws these POS's away, way to go Bill, you're slowly killing all of the planet's good humans, the few of us who haven't bought into your plan for World Domination.

Saddam has Iraq, Bill Gates has the USA and the "Civilized" world that we live in.

So, who else has a story about Microsoft nearly causing the end of the world? Please share if you do, and no, don't put up any Y2K stories, they're ancient history now.