Posted on 09/15/2003 1:30:06 PM PDT by HAL9000
With the Blaster worm seeming to be under control, alleged virus-author Jeffrey Parson under house arrest in Minnesota, and hacker Adrian Lamo under the watchful eye of the feds, business-technology managers may have enjoyed a few hours of peace and quiet last week. But it was short-lived. On Sept. 10, Microsoft issued a security bulletin warning of three new critical vulnerabilities in the Windows operating system, sending systems administrators rushing to patch their computers. It's become an all-too-common scenario--and one that's causing some businesses to re-evaluate their heavy reliance on Microsoft products.A year-and-a-half after Bill Gates declared that trustworthy computing had become Microsoft's No. 1 priority, the software bugs keep coming. The latest vulnerabilities involve the Remote Procedure Call service in Windows, making it possible for a malicious hacker to take control of a target system, introduce an infectious worm, or launch a denial-of-service attack. A week earlier, Microsoft issued five other warnings, four involving the omnipresent Office applications suite. For the year, the tally stands at 39.
And those are just the holes that have been uncovered by others and reported to Microsoft. In addition, the software vendor is combing through its code, finding holes, and issuing patches without publicizing the flaws. No one knows how many more are yet to be uncovered. "There's no way to wrap your hands around that," says Dan Ingevaldson, engineering manager with security vendor Internet Security Systems Inc.
Some business and technology professionals are running out of patience. "The issues around these vulnerabilities are escalating to the point where it's not just CIOs or CTOs, it's corporate officers, it's boards of directors asking: 'What are we going to do?'" says Ruth Harenchar, CIO of Bowne & Co., which last week scrambled to patch 4,500 Windows PCs and 500 servers in the United States and more overseas. "The situation appears to be getting worse, not better."
The patching work has thrown Bowne & Co.'s technology projects off schedule. Now, the specialty-printing-services company is assessing its options. Among them: redesigning its network around a thin-client model to reduce the number of PCs running Windows and, on other machines, migrating to Linux. "It's getting to be enough of a burden that you have to seriously start thinking about alternatives," Harenchar says.
Raymond James & Associates has assembled a team of IT staffers to manage the constant patching. "Organizations have to mobilize and realize this is going to be a way of life for the foreseeable future," says VP of IS Gene Fredriksen.
The financial-services firm, with offices around the world, last week began the arduous task of patching 10,000 PCs and 1,000 servers. "The pressure is on," Fredriksen says. "Anybody that isn't patched by the weekend is going to have trouble." The fear is that the latest vulnerability leaves Windows computers open to a Blaster-like worm. "There's a very good chance that a worm is going to be developed" to take advantage of the latest security holes, says ISS's Ingevaldson.
"People are getting fed up," says Lloyd Hession, chief information security officer at financial-network provider Radianz, adding that the number of Windows patches is reaching "epic proportions." The situation is causing more than just a few disgruntled customers to re-evaluate how much they use Microsoft products. Says Gartner security analyst John Pescatore, "There's definitely a very large trend towards that."
The problem of buggy code isn't limited to Microsoft software. And, at a congressional subcommittee hearing on the vulnerability of the country's computing infrastructure to worms and viruses--a hearing that was held, coincidentally, on the same day last week that Microsoft issued its security bulletin--Symantec Corp. president John Schwarz testified that software vulnerabilities "are being exploited faster and more aggressively than ever."
But Microsoft is at the center of the storm because its software is so widely used and a favorite target of the malcontents who write viruses and hack systems. At the same hearing, Microsoft senior security strategist Philip Reitinger described Microsoft's security-response program as "state of the art." He admitted, though, that "much remains to be done."
Just what is Microsoft doing to fix things? Last year, the company interrupted product development to train its Windows programmers in techniques for writing more-secure code. It has made some products harder to hack by turning off settings that raise risks, and it's screening old code for problems. And the automatic-update technology introduced in Windows XP is now available in Windows Server 2003 and Windows 2000.
Other steps are in the works. They include a hardware approach to creating secure systems called the Next-Generation Secure Computing Base, extending automatic updates to more Microsoft products, new "protective" software that guards systems even when patches aren't applied, and antivirus products and services.
Jeff Jones, senior director of trustworthy computing security, says Microsoft is making progress and points to the fact that Windows Server 2003 had half as many patches as Windows 2000 after 90 days of availability. "That's a clear improvement," Jones says.
Some customers are satisfied Microsoft is doing everything it can. "Their intentions are good," says Robert Egan, VP of IT at Boise Cascade Corp., which recently created a task force to respond to Microsoft's security bulletins. Egan says the work involved is "tolerable" but adds that the real issue is that "we'd rather be spending time enhancing our systems" than fixing them.
That's the rub. Another business-technology executive estimates his company's IT department has wasted more than 1,000 hours patching Windows systems. He's looking at thin clients and Linux as alternatives to Windows and, late last week, he was drafting a letter to Microsoft. The message: He'd like Microsoft to reimburse his company for all those hours of lost productivity.
Yet, business better get used to it. CIOs need to "literally put a line item" in IT budgets to cover the ongoing cost of patches, advises Kerry Gerontianos, president of systems integrator Incremax Technologies Corp. On the old goal of administration-free Windows, Gerontianos says, "that was a dream."
Good luck.
Also I use a great web mail server. All my email is double filtered automatically to eliminate virses. I never accept email directly. There is no need to "accidentally" download viruses from malicious people who spam the web seeking more victims. I have excellent anti-virus software and a great firewall installed.
I use an older version of the Mozilla Browser about 30% of the time. It is a really excellent browser, but I am cautious about the latest Mozilla builds.
Oh, I'm quite sure you're wrong. These hackers only do it because they dislike Bill Gates. Why, if the whole world ran Linux on MacIntosh machines, there would be no virus problem. /sarcasm
"Ya pays yer money, and ya takes yer chance."
Microsoft has not encouraged a healty, competitive marketplace in software, but ultimately, this guy made the choice to buy and use Microsoft's software. He should consider it a lesson learned, and move along.
If MS 'went away,' Lotus Notes users would have reason to worry. (Yes, all 3 of us.)
That is based on somewhat of a false premise. Not all operating systems are equally vulnerable to hacking and exploits no matter how common it is. Linux makes up a large percentage of the servers on the Internet, yet they do not get hacked in proportion to their ubiquitousness. And FreeBSD (and its other *BSD relatives in general), which also makes up a very important portion of the Internet server market (many of the biggest sites use it on their server front-ends) is legendary for being extremely difficult to crack.
If, for example, FreeBSD became the predominant operating system on the Internet, I would expect virus and worm exploits to drop to nearly zero because it simply does not offer the kinds of vulnerabilities that Windows does on a daily basis. It isn't that nobody has looked or tried, but that the code is very clean and the operating system is carefully engineered and well-designed with bulletproof-ness as a very high priority. Linux isn't as clean as FreeBSD, but it also tends to have far fewer vulnerabilities of this type in practice.
A small part of this can be attributed to the relative ubiquity of Windows, but the larger part can be attributed to the fact that Windows has consistently been more exploitable in practice and the internal architecture of the operating system gives many opportunities to hackers.
Wanna be Penguified? Just holla!
Got root?
Good luck.
Right on. He obviously didn't read the gobbledygook in the EULA.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.