Windows 2000: Microsoft's most successful failure
Battle-hardened hymn to the public
Comment Someone once asked Pable Picasso which one of his many paintings was his favorite. His reply: the next one. Ask Steve Ballmer which version of Windows is the most secure and guess what his answer will be?
I noticed that Microsoft is ready to release Security Rollup 5 for Windows 2000. It's not a service pack, it's more of a convenience pack - all the hotfixes since SP4 rolled up into one big install. This precedes the end of mainstream support for Windows 2000, which runs out the end of this month.
Five years. Has it really been that long already? It doesn't seem that long ago that I was so eager to abandon NT4 and install the flashy new 2000. But a lot happened in those five years. The Internet changed, security has changed, and the world has changed.
I think that Windows 2000 has probably been one of Microsoft's greatest sources of bad press in the entire history of the company. But it also defined the company into what it is today. Windows 2000 was meant to be their most secure operating system ever but it turned out to be an absolute security disaster. Somehow Microsoft managed to not only recover from that disaster but also to turn security into one of their greater assets. It turns out, then, that Windows 2000 was their most successful failure so far.
Things were different in the year 2000. Programmers felt vindicated that the Y2K bug didn't turn out to be that big of a deal. We made it past January 1st, and then it was time to move on. Windows 2000 came out that first quarter, just as security was becoming more interesting to more people -- and Windows was a good place to start. It was also seemed to be the start of a new breed of Windows hackers.
That year went on with a flood of vulnerabilities found in Windows 2000, many of them affecting IIS. It got to the point where any pen-tester (or hacker) knew they were pretty much guaranteed to find a way in once they saw they were attacking an IIS-based website. In other words, you could go to nearly any company, no matter how big they were, and break in to their IIS server within minutes. It went that way well into 2001.
How bad was it? It was really bad. Unfortunately, many break-ins went unnoticed, and those that were noticed were kept very quiet. Banks, government and military sites, ecommerce sites - rest assured, they all got hacked.
But could you really blame Microsoft? Most of the hacks weren't anything fancy, just the same old exploits that Microsoft had already fixed. People just weren't installing the patches. And no matter how hard we tried, no one seemed to get it. It was nearly impossible to sell preventative security at that time. I remember once asking another consultant, "What do we have to do, hack everyone to get them to understand?"
Things changed that summer.
It all started in May of 2001. I began getting calls from companies I had tried selling security services to in the past but were never interested. Now they needed my help because something happened. It seemed like dozens of people had their websites defaced with the words: "fu*k USA Government, fu*k PoizonBOx." It was the first time many companies had ever experienced a worm. And it would certainly not be the last.
The sadmind/IIS worm was amusing and it generated a bit of work for the security industry, but it was nothing compared to what happened that July.
I still remember that day quite well - the internet was slow, my IDS was going crazy, and I saw a lot of emails from Marc Maiffret appear on the various security mailing lists. Code Red he called it. And it seemed like everyone had it.
I remember later that night thinking that my job would never be the same - for many of us, it was the 9/11 of Internet security. However, it still wasn't over and it only got worse from there. By the end of that year you could plug a Windows system into the Internet and be infected with a dozen worms before you even had a chance to download the latest updates. Nowadays, it takes less than five minutes.
There was a lot of blaming going on around, that time. Some people blamed security researchers for making the vulnerabilities public. You could trace nearly every major worm back to a flaw found by some security researcher. If they would just keep things quiet, some argued, then we wouldn't have all those problems. But that argument was weak, as some hackers already knew about these flaws and quietly exploited them, publicity or not.
People blamed Microsoft, but let's try a reality check: did administrators really need more than six months to install an update? Yeah, it was Microsoft programmers who wrote the buggy code, but were they any different than most programmers at that time? Were they not just a reflection of society's attitude about security? Besides, a large part of this code was written half a decade before, when security was an enhancement, not a user requirement. Administrators at the time were just lazy. Or lame.
The problem was that back then you couldn't just go to WindowsUpdate and see what hotfixes you needed to install. You had to go through the entire list of fixes one-by-one and make sense of it all. To make things worse, Microsoft had distributed enough buggy hotfixes by then to make administrators wary of installing anything too quickly. We have to admit that Microsoft's patching strategy was truly a mess at that time. Nothing was consistent and there seemed to be little communication anywhere.
Then something strange happened, something you rarely see in the corporate world. Microsoft stepped up to not only take responsibility, but to embrace their failure as their highest priority bug fix. They stopped trying so hard to look good and just admitted they had security problems that needed fixing. As Bill Gates put it in his famous trustworthy computing memo, "The challenge here is one that Microsoft is uniquely suited to solve."
Most people scoffed at this announcement. It sounded great on the memo, but you can't turn a big ship around that quickly. We really doubted they suddenly got it and that now they would change.
But Gates was right, Microsoft was uniquely suited to solve that problem. They threw a lot of resources at it and things started to slowly change. Microsoft developers started talking about security issues like they knew what they were saying. They had a much bigger presence at security conferences. IIS servers weren't so easy to break in to anymore. Most amazing was that when Windows XP SP2 came out last year, we saw that security had become a priority over all other features.
Still, they had a lot of work ahead of them. It took a couple more major worms, Blaster and Slammer to work out their emergency response plans. By the time Sasser came out, they'd brought their recovery time down to five days, compared to 38 days with Blaster. The battle-hardened MSRC was showing signs of triumph. It was by no means a victory, but they weren't getting their butts kicked anymore either.
Microsoft's problems didn't only benefit Microsoft; we're all a bit smarter nowadays. My mother-in-law talks about firewalls. My neighbor can now use the word phishing in a sentence. And the other day I overheard my son explaining to his younger brother the evils of spyware.
It may take another decade and a few more product versions before Microsoft can finally claim victory over security issues, but they now have the infrastructure, the experience, and the momentum to make those changes.
Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle. Mark speaks at various security conferences and has published articles in Windows IT Pro Magazine (formerly Windows & .NET Magazine), Redmond Magazine, Information Security, Windows Web Solutions, Security Administrator and various other print and online publications. Mark is a Microsoft Windows Server Most Valued Professional for Internet Information Services.
Study: Flaw disclosure hurts software makers' stock
Hack can upgrade XP Home to XP Pro Lite
Sly Intel CEO warns that Apple is the safer computer buy
Deleting spyware: a criminal act?
Witty worm traced to 'Patient Zero'
Sponsored: Global DDoS threat landscape report