Quote:
I'm gonna go out on a limb here and say that people don't give a **** about infecting macs. Everyone makes viruses, worms, etc for Windows because most people use Windows systems.
|
Almost, but not quite. True, a great many virus/worm writers code for Windows because it's a monoculture, and as any farmer will tell you, entire crops will be lost by a single infection when there is a monoculture. So lesson 1: viruses for MS products have a very wide range.
There's a little more to it than that though.
Microsoft still rely heavily on their "security through obscurity" model (especially since they don't want to open up their source code), in that they think if they don't tell anyone about the gaping errors in their code, they're safe. So many hackers like to try and show them that a security through obscurity model is stupid and doesn't work. A great many of these people are White Hats (read: hackers who crack systems in order to tell the manufacturer just how it's broken to encourage them to make a fix). Lesson 2: security through obscurity doesn't work.
Microsoft write inherently insecure code rather an awful lot (some of you may have heard of Outlook/Lookout/Outbreak's latest vulnerability, if not check it out, it's so hilariously stupid), so it is often simple to write code that will do tremendous damage. The constant buffer overflows and elevation of privileges are made worse by the fact that most of MS's products are integrated with one another inextricably (namely that Internet Exploder + Windows Media Player = your desktop, Internet Exploder = your email renderer in Outbreak, on and on and on...), so that a vuln in one part of a program can cause a fault in another apparently unrelated program which may have access to more critical data. UNIX (and remember, Windows is now the only major operating system not to be based on UNIX) is inherently more secure in this respect in that everything is separated out much more (very loose way of putting it, but suffice to say no core program integrates with another core program anything like Windows does). Lesson 3: don't write such retarded code and "feature"-ridden programs in future, arseholes.
Finally, everyone hates MS. Well, mostly. Almost no hacker writes worms for UNIX systems because most of them have too much respect for it. The argument that Windows gets more viruses because it has a 90% market share may be true for the desktops, but what about the server market where the real big juicy stuff lies? There's a lot more kudos in bringing down the Bank of America's ATM servers than there is in making Mrs. Postlethwaite's computer reboot every 15 minutes. But 75% of servers run some flavour of UNIX (especially Apache webservers), so why aren't there more cases of Apache servers crashing than there are of IIS exploits? Apache is also full of holes, but they get patched within hours rather than weeks, and Apache still works afterwards.
Quote:
But I do have to agree that the number of patches that Microsoft puts out is ridiculous.
|
You should start using Linux then, and be shocked. I typically install about two patches a day over 3 computers. Bug fixes in the OSS community happen fast and furious. They tend to be about 30 KB or so as well.
Quote:
If an expert can't update Windows, he's not really an expert, is he?
|
I'm going to give you the benefit of the doubt, Null, and assume you've never had any contact with Windows servers (eeeuch). I had to do an emergency patch on an Exchange server, and no, it is not a simple matter of double clicking on an exe like you're used to. This patch involved putting about fifteen different files in different places manually (mostly .dll's) and then hand-editing some .dat and .ini files. Afterwards Kerberos broke.
MS's server patches are notorious for being impossible to install, and often break mission critical apps when applied. Hence even if the staff ARE trained enough to install the patches, they typically wait a few weeks so they can hear feedback from other victi^H^H^H^H^H users, to see what the patch does and doesn't break. In some cases, there is NO workaround, and if you do install the patch, you have to rewrite your custom app in order to have a working system. So do you spend thousands more on "unnecessary" R&D, or just not bother with that irritating little patch? I know what I'd say if I were in management.
Quote:
Microsoft Users: Keep updated on your software so you aren't vulnerable.
|
Keeping patched up helps, but it's best off if you start from a secure base, no? Would you build a granite fortress on top of a frozen lake?
Quote:
Also keep in mind most Experts don't even BOTHER to PATCH Windows because they don't know how!
|
Unfortunately, Cyrax is right. MS server software requires people of a lesser degree of ability than UNIX sysadmins (disclaimer - I am a Linux sysadmin) since they're easier to use, so companies can get away with cheaper personnel. Unfortunately, this has led to the assumption in many smaller outfits that the office "IT whizz" who configures everyone's email accounts and changes the colour of his desktop *without even looking for the buttons* is able to handle a full blown server. One of our clients who we've since upgraded to Linux got company-wide multiple virus infections due to the fact that the Exchange AV software they paid a fortune for had never been updated in the three years the system was running. We caught one computer with no less than 18 separate installations of the Sub7 trojan. All they ever did to the server was put it in a cupboard, reboot it every few days and chuck a DAT in it every week. Nobody administered it at all.
The fact that these SQL servers were even visible from the internet is shocking enough. Every database server should be sat behind a firewall that only allows connection from local machines. Period. Other than not being able to afford more than one computer, this is incompetence to the point of stupidity. This simple little step would have stopped Slammer in its tracks. As it was, people left their servers right open and boomph, in came the worm.
Quote:
The solution: install patches, along with firewalls and other security software and services, as well as demand better products from Microsoft, the experts said.
|
What the experts don't say is that you still need someone with an IQ above room temperature to keep something like a database server operating. No firewall is inexcusable in the case of large companies.
sdtPikachu walks away shaking his head in disbelief
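
An added example, not part of the original post: one way to check the point above about database servers being visible from the internet. It scans a constructed iptables-save style ruleset for ACCEPT rules that open a database port to non-local sources; the port list, the definition of "local" (loopback plus RFC 1918 ranges) and the sample rules are assumptions of this example.

```python
import ipaddress
import shlex

# Assumed port list: MS SQL Server (1433/tcp, and 1434/udp, the port Slammer
# used), MySQL and PostgreSQL.
DB_PORTS = {("tcp", 1433), ("udp", 1434), ("tcp", 3306), ("tcp", 5432)}

# Assumed definition of "local machines": loopback plus RFC 1918 space.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in iptables-save syntax; not taken from any real host.
SAMPLE_RULES = """\
-A INPUT -s 10.0.5.0/24 -p tcp -m tcp --dport 1433 -j ACCEPT
-A INPUT -p udp -m udp --dport 1434 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 5432 -j DROP
"""

def parse_rule(line):
    """Return {flag: value} for a simple '-A INPUT ...' rule, else None.
    Handles only flag/value pairs (no '!' negation, no multiport)."""
    tokens = shlex.split(line)
    if tokens[:2] != ["-A", "INPUT"]:
        return None
    rest = tokens[2:]
    return dict(zip(rest[::2], rest[1::2]))

def is_local(source):
    """True if the source network lies entirely inside a local range."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.subnet_of(local) for local in LOCAL_NETS)

def exposed_db_rules(ruleset):
    """List (proto, port, source) for ACCEPT rules that open a database
    port to a source that is not purely local."""
    findings = []
    for line in ruleset.splitlines():
        opts = parse_rule(line)
        if not opts or opts.get("-j") != "ACCEPT":
            continue
        if not opts.get("--dport", "").isdigit():  # skip port ranges
            continue
        key = (opts.get("-p"), int(opts["--dport"]))
        source = opts.get("-s", "0.0.0.0/0")  # no -s means any source
        if key in DB_PORTS and not is_local(source):
            findings.append((key[0], key[1], source))
    return findings

if __name__ == "__main__":
    for proto, port, source in exposed_db_rules(SAMPLE_RULES):
        print(f"EXPOSED {port}/{proto} reachable from {source}")
```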