Feeds

Forget California, it's time to recall Microsoft

Enough already with the patching...

  • alert
  • submit to reddit

SANS - Survey on application security programs

Opinion A sign on a Trenton, NJ railroad bridge says "Trenton Makes, The World Takes."  In light of recent history, a sign at Sea-Tac airport should probably read "Microsoft Makes, The World Quakes."

For the second time this year, Microsoft is the source of a major internet security event. First was Slammer/Sapphire in January that seriously impacted networks and corporations around the world, including shutting down ATM machines at some large banks. And now, we've got MSBlaster taking advantage of a years-old vulnerability in Microsoft Windows operating systems. But unlike Slammer that only targeted servers, this one goes after desktop computers as well - meaning that ninety percent of the world's computers are potential targets and victims this week.  Consumer desktops are significantly more plentiful than corporate ones but less-protected against viruses, worms, and other attacks. As low-hanging fruit goes, they're a perfect target of opportunity for cyber-mischief.

According to a Wired story today, Microsoft is confused why these worms continue plaguing users when the company's made great effort to improve the patch delivery process. Microsoft says it's working with federal law enforcement to find out who's behind the dastardly deed that's giving the software monopoly yet another embarrassing black eye in the media. This is a typical Microsoft response full of proactive sound of fury, but signifying nothing helpful.  And the media's full of reporting about the pervasiveness of MSBlaster and what people can do to protect themselves against this "latest" cyber-threat.

Yet Microsoft says third-party software accounts for half of all Windows crashes. Funny, it also blamed the competing DR-DOS for Windows 3.1 crashes in an  attempt to get people to buy MS-DOS back in the 1980s. (It was later discovered that Microsoft had engineered false error messages to trick users into buying MS-DOS.) It also said Internet Explorer couldn't be removed from Windows 95 without crippling the operating system, and was proven wrong by enterprising researchers. So Microsoft's track record for veracity isn't exactly stellar when it comes to its products and business practices.

But, few if any are mentioning the real issues here:  MSBlaster's ability to affect practically all versions of Windows shows that despite Microsoft's marketing flacks, there is still significant code shared between all versions of Windows. Anyone who thinks DOS is dead, or Windows XP's code internals have little in-common with Windows NT 4 should think again. MSBlaster proves it.

Also, MSBlaster takes advantage of known vulnerable network ports in Windows, ports that any competent network administrator or internet provider should have closed long, long ago. In fact, there's probably no good reason why these ports should be enabled on consumer versions of Windows or supported by ISP networks, for that matter. In other words, it baffles the mind why these well-known ports continue to be a major security vulnerability in Windows.

Of course, Microsoft pledges to continue working on its patch distribution process as part of its larger "Trustworthy Computing" initiative. That's all well and good, but does this mean the security of our networked systems has been reduced to the repeated mantra of "run the patch" and then sit back to wait for the next pair (exploit and fix - a matched set!) to be released? Hopefully not. Security is a two-part process requiring the network staff to administer their resources appropriately and the software vendors to produce code that's much more reliable than it is now.

As it did with the Slammer worm in January, Microsoft proudly says it made available a patch for Windows far in advance of the vulnerability being exploited on a massive scale.  But many users didn't get the message or download the patch - either because home users didn't realize that the automatic Windows Update process was designed for just that reason (or would "do it later") or, in the case of large companies, network administrators likely were too busy installing any number of other patches required (at least 30, according to the number of security bulletins so far in 2003) to keep their Microsoft systems operating in a somewhat more secure manner from week to week. (And we wonder why help desk staffs burn out so quickly.)

If Microsoft really wanted to resolve its software problems, it would take greater care to ensure such problems were fixed before its products went on sale - and thus reverse the way it traditionally conducts business. Doing so means less resources wasted by its customers each year patching and re-patching their systems, hopefully meaning more is available for effective network planning, design, and management to support a robust defense-in-depth security strategy. Customers shouldn't be forced to spend their money cleaning up after Microsoft's mistakes, laziness, or general complacency, but on improving their information environments to take full advantage of the many benefits of the Information Age.

More importantly, why are we - users, administrators, media, and the government - praising Microsoft for their response to this critical problem? If something's wrong with a product, responsible companies are obligated to fix it as a matter of good business practice. A responsible adult knows that if you make a mess, you're expected to clean it up, regardless if anyone compliments you for your efforts. Did anyone expect widespread praise to be heaped on Ford Motors after its Explorer fiasco a few years back? Hardly - there was a serious problem with one of its products, and the company fixed it, albeit under the threat of lawsuits from victims or their families.

But that's not the case with software, from Microsoft or anyone else. When you acquire software, you don't really "buy" it, but rather purchase a license to use it "as is" for a period of time, and the vendor is under no obligation to fix anything wrong with its product. If you take the time to read the thousands of words in a typical software End User License Agreement (EULA) - and many people don't - you'll see that by installing and using the software, you indemnify the vendor against any claims, losses, or problems resulting from using its software, even if the vendor knew about the problem before it sold the product. In some cases, as this Register article notes, you agree to let Microsoft remotely modify your software and you can't hold it liable if something breaks as a result.

Code Red, Love Bug, Slammer, Nimda, Pretty Park, BubbleBoy, Melissa, Code Red II, MSBlaster, and numerous other high-profile Microsoft-sponsored incidents... many view them as "the price of doing business in the Information Age" and cheerfully spend (or lose) increasing amounts of money with each new incident arising from poorly designed software. But rather than face reality by conducting a dollars-and-sense risk assessment of their IT operation to see how much Microsoft's vulnerabilities cost their enterprise annually, these sheeple - at all levels of government, industry, and society - prefer tolerating mediocrity to efficiency and reliability in their software assets, because they're either too lazy to investigate alternatives or don't want to propose changes to the comfortable status quo.

What recourse do you have in such cases?  You can't just sue the software vendor for problems with their product like you can the maker of a vehicle or appliance since you've given up those rights by using the product under the terms of its license agreement. The only option you have is continue using the software in question and scrambling to update your systems whenever a new problem presents a danger to your information assets. In other words, when Microsoft says "patch" you salute and say "how soon?"

Or, you can vote with your pocketbook and move to an alternative software product that works better, costs less to buy and maintain, and won't burn out your network support staff.  Nobody's saying you must use any one particular product or operating system, and they all tend to perform the same basic functions needed in today's working society - although some are better at it than others. It may take a little bit of effort to switch and get used to the new product, but the long-term payoff will be worth it.

After all, in the real world, if you don't like Ford trucks, you can buy a Jeep instead. ®

Copyright © 2003, Richard Forno. All rights reserved.

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.