Microsoft's Trick or Treat
Limping towards security
In the gothic novel of public opinion, Microsoft is a veritable "Dr. Jekyll and Mr. Hyde." The general business community regards Microsoft as a prominent and respected corporation with a substantial product line which has literally changed the face of modern-day computing. Its stock is on the rise (presumably in reaction to the highly publicized launch of XP), and quarterly earnings over the past year have met or exceeded industry projections.
In the last quarter, roughly 85 per cent of analysts have classified MSFT as a "buy" with more than half of those putting the stock in the "strong buy" category. With several technology companies posting losses in the billions alongside employee lay-offs into the thousands, some think Microsoft is looking pretty good. Many consider it a family of Shiny Happy People who want to buy the world a Coke and keep it company.
Saying that some in the information security community have a different view would be an understatement reminiscent of DNA's structure being described as "biologically interesting."
There are substantial numbers of people out there that openly despise Microsoft with an almost religious furor, describing it as a purveyor of garbage, devoid of any security knowledge, absorbed in a horrifying monopolistic quest for world domination. To them, Microsoft is a group of Evil Troglodytes on coke who want to make the world their company.
The vast majority of us are somewhere in the middle. To embrace Microsoft technologies is to engage in a bittersweet relationship between function and form, cost and capability, and simplicity and security. The latter is what tends to bite most of us in the back pocket. In between good and evil, we find ourselves with a job to do and a limited amount of time to do it in.
So when security issues arise that threaten our networks, they divert us from our goals, potentially expose resources, and rob us of our profits. However, we have to realize that security problems are part of the deal; they are the Yin intermingled with our Local Area Yang and will exist across the board.
In an amazing coincidence of almost serendipitous timing, my last "everything has security issues" article was immediately followed by multiple security advisories for varied distros of Linux, including issues with Apache. Sun also issued multiple advisories against different versions of Solaris and SunOS.
You see, security issues are here to stay. I'm not surrendering to the machine; I'm just accepting that it will always have to be oiled.
But there is hope on the horizon for MS shops. Microsoft has taken a look at the process through Code Red colored glasses, and has seen the light. In an unprecedented initiative, the company has been rolling out security provisions one after another in an effort to illustrate its commitment to security, and quell the fears of its customers.
Beauty in the Beast
Within a very short period of time, we saw the release of HFNetChk, IISLockdown, and URLScan. Shortly thereafter, details of the new Strategic Technology Protection Program (STPP) and its "Get Secure, Stay Secure" offerings were released. While there are some to whom this news will be as exciting as a conversation with Ben Stein after a bong hit, I think it is an important step for the company, if not the entire industry.
Some say it's "too little too late" or they're "closing the barn doors after the horses have left," but I don't think there is such a thing when dealing with evolving technologies. While there may be plenty of historical evidence to dispute Microsoft's concern or capacity to secure its past products, I am optimistic about the "from here, forward" directive.
While the Microsoft security team has been beating against products for some time in an effort to increase their security, I have been of the mindset that true security in the product line can only be gained from a change in the development model -- and that change must be in the form of an Executive Decree.
This is now all taking place. Brian Valentine, Senior VP of the Windows division has made some very clear promises about what is to come: The company is committing resources, unifying divisions, and creating consortiums that will even include competitors, if that is what it takes.
SP3 for Win2k, due in February, promises to yield fixes based on a complete code-level review of all sensitive processes. And Bill Gates himself has been quoted as saying that there is "no higher priority for us than closing security holes." Some might simply consider this to be lip service or corporate rhetoric, but I don't think so. Special support services are being carved out, and enterprise tools created and distributed -- all for free.
Besides, I think they know that this is something that has to be done. The success of .Net depends upon it, and Microsoft knows it.
Given the vast range of public opinion about Microsoft, Robert Louis Stevenson himself would have difficulty fully describing the persona that is The Microsoft Monster. Only time will tell whether it will be man or beast.
© 2001 SecurityFocus.com, all rights reserved.
Tim Mullen is CIO of AnchorIS, a developer of secure, enterprise-based accounting software.