Windows 2000: Microsoft's most successful failure

Battle-hardened hymn to the public

  • alert
  • submit to reddit

Reducing security risks from open source software

Comment Someone once asked Pable Picasso which one of his many paintings was his favorite. His reply: the next one. Ask Steve Ballmer which version of Windows is the most secure and guess what his answer will be?

I noticed that Microsoft is ready to release Security Rollup 5 for Windows 2000. It's not a service pack, it's more of a convenience pack - all the hotfixes since SP4 rolled up into one big install. This precedes the end of mainstream support for Windows 2000, which runs out the end of this month.

Five years. Has it really been that long already? It doesn't seem that long ago that I was so eager to abandon NT4 and install the flashy new 2000. But a lot happened in those five years. The Internet changed, security has changed, and the world has changed.

I think that Windows 2000 has probably been one of Microsoft's greatest sources of bad press in the entire history of the company. But it also defined the company into what it is today. Windows 2000 was meant to be their most secure operating system ever but it turned out to be an absolute security disaster. Somehow Microsoft managed to not only recover from that disaster but also to turn security into one of their greater assets. It turns out, then, that Windows 2000 was their most successful failure so far.

Things were different in the year 2000. Programmers felt vindicated that the Y2K bug didn't turn out to be that big of a deal. We made it past January 1st, and then it was time to move on. Windows 2000 came out that first quarter, just as security was becoming more interesting to more people -- and Windows was a good place to start. It was also seemed to be the start of a new breed of Windows hackers.

That year went on with a flood of vulnerabilities found in Windows 2000, many of them affecting IIS. It got to the point where any pen-tester (or hacker) knew they were pretty much guaranteed to find a way in once they saw they were attacking an IIS-based website. In other words, you could go to nearly any company, no matter how big they were, and break in to their IIS server within minutes. It went that way well into 2001.

How bad was it? It was really bad. Unfortunately, many break-ins went unnoticed, and those that were noticed were kept very quiet. Banks, government and military sites, ecommerce sites - rest assured, they all got hacked.

But could you really blame Microsoft? Most of the hacks weren't anything fancy, just the same old exploits that Microsoft had already fixed. People just weren't installing the patches. And no matter how hard we tried, no one seemed to get it. It was nearly impossible to sell preventative security at that time. I remember once asking another consultant, "What do we have to do, hack everyone to get them to understand?"

Things changed that summer.

It all started in May of 2001. I began getting calls from companies I had tried selling security services to in the past but were never interested. Now they needed my help because something happened. It seemed like dozens of people had their websites defaced with the words: "fu*k USA Government, fu*k PoizonBOx." It was the first time many companies had ever experienced a worm. And it would certainly not be the last.

The sadmind/IIS worm was amusing and it generated a bit of work for the security industry, but it was nothing compared to what happened that July.

I still remember that day quite well - the internet was slow, my IDS was going crazy, and I saw a lot of emails from Marc Maiffret appear on the various security mailing lists. Code Red he called it. And it seemed like everyone had it.

I remember later that night thinking that my job would never be the same - for many of us, it was the 9/11 of Internet security. However, it still wasn't over and it only got worse from there. By the end of that year you could plug a Windows system into the Internet and be infected with a dozen worms before you even had a chance to download the latest updates. Nowadays, it takes less than five minutes.

There was a lot of blaming going on around, that time. Some people blamed security researchers for making the vulnerabilities public. You could trace nearly every major worm back to a flaw found by some security researcher. If they would just keep things quiet, some argued, then we wouldn't have all those problems. But that argument was weak, as some hackers already knew about these flaws and quietly exploited them, publicity or not.

People blamed Microsoft, but let's try a reality check: did administrators really need more than six months to install an update? Yeah, it was Microsoft programmers who wrote the buggy code, but were they any different than most programmers at that time? Were they not just a reflection of society's attitude about security? Besides, a large part of this code was written half a decade before, when security was an enhancement, not a user requirement. Administrators at the time were just lazy. Or lame.

The problem was that back then you couldn't just go to WindowsUpdate and see what hotfixes you needed to install. You had to go through the entire list of fixes one-by-one and make sense of it all. To make things worse, Microsoft had distributed enough buggy hotfixes by then to make administrators wary of installing anything too quickly. We have to admit that Microsoft's patching strategy was truly a mess at that time. Nothing was consistent and there seemed to be little communication anywhere.

Then something strange happened, something you rarely see in the corporate world. Microsoft stepped up to not only take responsibility, but to embrace their failure as their highest priority bug fix. They stopped trying so hard to look good and just admitted they had security problems that needed fixing. As Bill Gates put it in his famous trustworthy computing memo, "The challenge here is one that Microsoft is uniquely suited to solve."

Most people scoffed at this announcement. It sounded great on the memo, but you can't turn a big ship around that quickly. We really doubted they suddenly got it and that now they would change.

But Gates was right, Microsoft was uniquely suited to solve that problem. They threw a lot of resources at it and things started to slowly change. Microsoft developers started talking about security issues like they knew what they were saying. They had a much bigger presence at security conferences. IIS servers weren't so easy to break in to anymore. Most amazing was that when Windows XP SP2 came out last year, we saw that security had become a priority over all other features.

Still, they had a lot of work ahead of them. It took a couple more major worms, Blaster and Slammer to work out their emergency response plans. By the time Sasser came out, they'd brought their recovery time down to five days, compared to 38 days with Blaster. The battle-hardened MSRC was showing signs of triumph. It was by no means a victory, but they weren't getting their butts kicked anymore either.

Microsoft's problems didn't only benefit Microsoft; we're all a bit smarter nowadays. My mother-in-law talks about firewalls. My neighbor can now use the word phishing in a sentence. And the other day I overheard my son explaining to his younger brother the evils of spyware.

It may take another decade and a few more product versions before Microsoft can finally claim victory over security issues, but they now have the infrastructure, the experience, and the momentum to make those changes.

Copyright © 2005, SecurityFocus logo

Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle. Mark speaks at various security conferences and has published articles in Windows IT Pro Magazine (formerly Windows & .NET Magazine), Redmond Magazine, Information Security, Windows Web Solutions, Security Administrator and various other print and online publications. Mark is a Microsoft Windows Server Most Valued Professional for Internet Information Services.

Related stories

Study: Flaw disclosure hurts software makers' stock
Hack can upgrade XP Home to XP Pro Lite
Sly Intel CEO warns that Apple is the safer computer buy
Deleting spyware: a criminal act?
Witty worm traced to 'Patient Zero'

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story


Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.