Gartner slams MS security after latest flaw
No improvement till 2004
The latest flaw with a major Microsoft product shows Redmond is unlikely to have anything that approximates to secure software until 2004 at the earliest.
That's the damning assessment of analysts Gartner in response to a serious, but little publicised, vulnerability with FrontPage Server Extensions that emerged last week.
The vulnerability could be used in denial-of-service attack or possibly manipulated to run arbitrary code on vulnerable servers. MS has released a patch to fix the problem, which arises in a buffer overrun flaw with the SmartHTML Interpreter component of FrontPage Server Extensions.
That's nothing particularly out of the ordinary, Gartner sagely notes, but it does provide evidence that "Microsoft has a long way to go before it can deliver on its much-publicised promise of Trustworthy Computing".
Gartner Research Director Rich Fogull forecasts that, "due to legacy code and resistance to cultural change, Microsoft will not deliver necessary security improvements before 2004".
The assessment is noteworthy because it was Gartner's assessment that it was time to consider an alternative to IIS in the wake of worms like Nimda and Code Red, that caused Microsoft to formulate its Trustworthy Computing push in the first place.
In fairness security is an issue for the whole industry, and Microsoft is always prime target for miscreants. That's the territory that goes with being the world's biggest software company.
That said treating security as an afterthought is a failure of developers most readily observed among denizens of Redmond. Until a major cultural shift takes hold (and we think Gartner is been a tad optimistic in its assessment here) world+dog will have to deal with the usual, irksome blow of buffer overflows and arbitrary code exploits for the foreseeable future.
As an example of this we need look no further than recent reports on BugTraq of a buffer overflow vulnerability involving Microsoft's PPTP (Point to Point Tunnelling Protocol) implementation. This flaw might make it possible to inject malicious code over VPN connections.
Nasty - but difficult to exploit, it appears.
There's no patch from Microsoft as yet. The suggested workaround, to prevent exploitation at the PPTP client, is to restrict access to the client by blocking TCP port 1973 at a firewall. ®