Gartner slams MS security after latest flaw

No improvement till 2004

Wed 2 Oct 2002 // 20:02 UTC

The latest flaw with a major Microsoft product shows Redmond is unlikely to have anything that approximates to secure software until 2004 at the earliest.

That's the damning assessment of analysts Gartner in response to a serious, but little publicised, vulnerability with FrontPage Server Extensions that emerged last week.

The vulnerability could be used in denial-of-service attack or possibly manipulated to run arbitrary code on vulnerable servers. MS has released a patch to fix the problem, which arises in a buffer overrun flaw with the SmartHTML Interpreter component of FrontPage Server Extensions.

That's nothing particularly out of the ordinary, Gartner sagely notes, but it does provide evidence that "Microsoft has a long way to go before it can deliver on its much-publicised promise of Trustworthy Computing".

Gartner Research Director Rich Fogull forecasts that, "due to legacy code and resistance to cultural change, Microsoft will not deliver necessary security improvements before 2004".

The assessment is noteworthy because it was Gartner's assessment that it was time to consider an alternative to IIS in the wake of worms like Nimda and Code Red, that caused Microsoft to formulate its Trustworthy Computing push in the first place.

In fairness security is an issue for the whole industry, and Microsoft is always prime target for miscreants. That's the territory that goes with being the world's biggest software company.

That said treating security as an afterthought is a failure of developers most readily observed among denizens of Redmond. Until a major cultural shift takes hold (and we think Gartner is been a tad optimistic in its assessment here) world+dog will have to deal with the usual, irksome blow of buffer overflows and arbitrary code exploits for the foreseeable future.

As an example of this we need look no further than recent reports on BugTraq of a buffer overflow vulnerability involving Microsoft's PPTP (Point to Point Tunnelling Protocol) implementation. This flaw might make it possible to inject malicious code over VPN connections.

Nasty - but difficult to exploit, it appears.

There's no patch from Microsoft as yet. The suggested workaround, to prevent exploitation at the PPTP client, is to restrict access to the client by blocking TCP port 1973 at a firewall. ®

Topics

Special Features

Vendor Voice

Resources

Software

Gartner slams MS security after latest flaw

No improvement till 2004

External Links

More about

TIP US OFF

Other stories you might like

UK unions publish AI bill to protect workers from 'risks and harms' of tech

Huawei's latest flagship smartphone contains no world-shaking silicon surprises

Oracle scores big win with Fujitsu Japan for its Alloy partner cloud

Reducing the cloud security overhead

Meta lets Llama 3 LLM out to graze, claims it can give Google and Anthropic a kicking

US Air Force says AI-controlled F-16 fighter jet has been dogfighting with humans

Ransomware feared as IT 'issues' force Octapharma Plasma to close 150+ centers

Crooks exploit OpenMetadata holes to mine crypto – and leave a sob story for victims

Stability AI decimates staff just weeks after CEO's exit

IBM accused of cheating its own executive assistants out of overtime pay

Google fires 28 staff after sit-in protest against Israeli cloud deal ends in arrests

Feds hit coding boot camp with big fine for allegedly conning students

About Us

Our Websites

Your Privacy