Free Republic


Patch-Fatigued Users Contemplate Ditching Microsoft
InternetWeek ^ | September 15, 2003 | John Foley, George V. Hulme

Posted on 09/15/2003 1:30:06 PM PDT by HAL9000

With the Blaster worm seeming to be under control, alleged virus-author Jeffrey Parson under house arrest in Minnesota, and hacker Adrian Lamo under the watchful eye of the feds, business-technology managers may have enjoyed a few hours of peace and quiet last week. But it was short-lived. On Sept. 10, Microsoft issued a security bulletin warning of three new critical vulnerabilities in the Windows operating system, sending systems administrators rushing to patch their computers. It's become an all-too-common scenario--and one that's causing some businesses to re-evaluate their heavy reliance on Microsoft products.

A year-and-a-half after Bill Gates declared that trustworthy computing had become Microsoft's No. 1 priority, the software bugs keep coming. The latest vulnerabilities involve the Remote Procedure Call service in Windows, making it possible for a malicious hacker to take control of a target system, introduce an infectious worm, or launch a denial-of-service attack. A week earlier, Microsoft issued five other warnings, four involving the omnipresent Office applications suite. For the year, the tally stands at 39.

And those are just the holes that have been uncovered by others and reported to Microsoft. In addition, the software vendor is combing through its code, finding holes, and issuing patches without publicizing the flaws. No one knows how many more are yet to be uncovered. "There's no way to wrap your hands around that," says Dan Ingevaldson, engineering manager with security vendor Internet Security Systems Inc.

Some business and technology professionals are running out of patience. "The issues around these vulnerabilities are escalating to the point where it's not just CIOs or CTOs, it's corporate officers, it's boards of directors asking: 'What are we going to do?'" says Ruth Harenchar, CIO of Bowne & Co., which last week scrambled to patch 4,500 Windows PCs and 500 servers in the United States and more overseas. "The situation appears to be getting worse, not better."

The patching work has thrown Bowne & Co.'s technology projects off schedule. Now, the specialty-printing-services company is assessing its options. Among them: redesigning its network around a thin-client model to reduce the number of PCs running Windows and, on other machines, migrating to Linux. "It's getting to be enough of a burden that you have to seriously start thinking about alternatives," Harenchar says.

Raymond James & Associates has assembled a team of IT staffers to manage the constant patching. "Organizations have to mobilize and realize this is going to be a way of life for the foreseeable future," says VP of IS Gene Fredriksen.

The financial-services firm, with offices around the world, last week began the arduous task of patching 10,000 PCs and 1,000 servers. "The pressure is on," Fredriksen says. "Anybody that isn't patched by the weekend is going to have trouble." The fear is that the latest vulnerability leaves Windows computers open to a Blaster-like worm. "There's a very good chance that a worm is going to be developed" to take advantage of the latest security holes, says ISS's Ingevaldson.

"People are getting fed up," says Lloyd Hession, chief information security officer at financial-network provider Radianz, adding that the number of Windows patches is reaching "epic proportions." The situation is causing more than just a few disgruntled customers to re-evaluate how much they use Microsoft products. Says Gartner security analyst John Pescatore, "There's definitely a very large trend towards that."

The problem of buggy code isn't limited to Microsoft software. And, at a congressional subcommittee hearing on the vulnerability of the country's computing infrastructure to worms and viruses--a hearing that was held, coincidentally, on the same day last week that Microsoft issued its security bulletin--Symantec Corp. president John Schwarz testified that software vulnerabilities "are being exploited faster and more aggressively than ever."

But Microsoft is at the center of the storm because its software is so widely used and a favorite target of the malcontents who write viruses and hack systems. At the same hearing, Microsoft senior security strategist Philip Reitinger described Microsoft's security-response program as "state of the art." He admitted, though, that "much remains to be done."

Just what is Microsoft doing to fix things? Last year, the company interrupted product development to train its Windows programmers in techniques for writing more-secure code. It has made some products harder to hack by turning off settings that raise risks, and it's screening old code for problems. And the automatic-update technology introduced in Windows XP is now available in Windows Server 2003 and Windows 2000.

Other steps are in the works. They include a hardware approach to creating secure systems called the Next-Generation Secure Computing Base, extending automatic updates to more Microsoft products, new "protective" software that guards systems even when patches aren't applied, and antivirus products and services.

Jeff Jones, senior director of trustworthy computing security, says Microsoft is making progress and points to the fact that Windows Server 2003 had half as many patches as Windows 2000 after 90 days of availability. "That's a clear improvement," Jones says.

Some customers are satisfied Microsoft is doing everything it can. "Their intentions are good," says Robert Egan, VP of IT at Boise Cascade Corp., which recently created a task force to respond to Microsoft's security bulletins. Egan says the work involved is "tolerable" but adds that the real issue is that "we'd rather be spending time enhancing our systems" than fixing them.

That's the rub. Another business-technology executive estimates his company's IT department has wasted more than 1,000 hours patching Windows systems. He's looking at thin clients and Linux as alternatives to Windows and, late last week, he was drafting a letter to Microsoft. The message: He'd like Microsoft to reimburse his company for all those hours of lost productivity.

Yet, business better get used to it. CIOs need to "literally put a line item" in IT budgets to cover the ongoing cost of patches, advises Kerry Gerontianos, president of systems integrator Incremax Technologies Corp. On the old goal of administration-free Windows, Gerontianos says, "that was a dream."
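The patching burden the article describes (thousands of PCs and servers, an RPC flaw reachable over the network, and fixes that must be tested before they reach production) comes down to two questions an administrator has to answer quickly: which hosts are still missing a required bulletin, and in what order should they be patched. The Python below is an added example written for this page, not code from InternetWeek, Microsoft or any of the companies quoted. The inventory, the bulletin IDs (MSXX-001 through MSXX-003) and the ring names are constructed and hypothetical; the one real detail assumed is that the Windows RPC endpoint mapper listens on TCP port 135, which is why exposure of that port is used to rank hosts.

```python
import csv
import io
from dataclasses import dataclass

# Bulletins each OS build must have installed. IDs are hypothetical,
# constructed for this example; a real table is built from vendor bulletins.
REQUIRED = {
    "Windows 2000":        {"MSXX-001", "MSXX-002", "MSXX-003"},
    "Windows XP":          {"MSXX-001", "MSXX-003"},
    "Windows Server 2003": {"MSXX-003"},
}

# Constructed inventory export. "installed" is a space-separated list of
# bulletins found on the host; "rpc_exposed" records whether TCP 135 (the RPC
# endpoint mapper) is reachable from an untrusted network.
INVENTORY_CSV = """\
host,os,ring,installed,rpc_exposed
dc01,Windows 2000,prod,MSXX-001 MSXX-002,no
web01,Windows Server 2003,prod,,yes
ws-lab-1,Windows XP,test,MSXX-001,no
ws-0042,Windows XP,prod,MSXX-001 MSXX-003,no
ws-0043,Windows XP,prod,,yes
print01,Windows 2000,prod,MSXX-001 MSXX-002 MSXX-003,yes
"""


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    ring: str            # "test" or "prod"
    installed: frozenset
    rpc_exposed: bool


def parse_inventory(text):
    """Parse the CSV export into Host records, rejecting OS names with no baseline."""
    hosts = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["os"] not in REQUIRED:
            raise ValueError(f"{row['host']}: no baseline for OS {row['os']!r}")
        hosts.append(Host(
            name=row["host"],
            os=row["os"],
            ring=row["ring"].strip().lower(),
            installed=frozenset(row["installed"].split()),
            rpc_exposed=row["rpc_exposed"].strip().lower() == "yes",
        ))
    return hosts


def missing_patches(host):
    """Bulletins required for the host's OS that are not installed, sorted."""
    return sorted(REQUIRED[host.os] - host.installed)


def gap_report(hosts):
    """Noncompliant hosts as (name, ring, rpc_exposed, missing) tuples.

    Exposed hosts sort first, then hosts missing the most bulletins, then by name.
    """
    rows = [(h.name, h.ring, h.rpc_exposed, missing_patches(h)) for h in hosts]
    rows = [r for r in rows if r[3]]
    rows.sort(key=lambda r: (not r[2], -len(r[3]), r[0]))
    return rows


def rollout_waves(hosts):
    """Group noncompliant hosts into patch waves: the test ring goes first so the
    fix is exercised before production, then exposed production hosts, then the
    rest. Order within each wave follows gap_report."""
    waves = {"1-test": [], "2-prod-exposed": [], "3-prod-internal": []}
    for name, ring, exposed, _gaps in gap_report(hosts):
        if ring == "test":
            waves["1-test"].append(name)
        elif exposed:
            waves["2-prod-exposed"].append(name)
        else:
            waves["3-prod-internal"].append(name)
    return waves


if __name__ == "__main__":
    fleet = parse_inventory(INVENTORY_CSV)
    for name, ring, exposed, gaps in gap_report(fleet):
        flag = "EXPOSED" if exposed else "internal"
        print(f"{name:10} {ring:5} {flag:8} missing: {', '.join(gaps)}")
    for wave, names in rollout_waves(fleet).items():
        print(f"{wave}: {', '.join(names) or '-'}")
```

Run as a script it prints the gap list and the three waves. In practice the inventory would come from an asset database or a logon script rather than an inline string, and the REQUIRED table would be regenerated from each new bulletin; the point of the structure is that a host missing a fix for a service that is reachable from outside is patched before one that is not, and that nothing reaches production until the test ring has taken the same patch.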



TOPICS: News/Current Events; Technical
KEYWORDS: blaster; lowqualitycrap; microsoft; spaghetticode; usesgoto; virus; whinersgalore; windows; worm
To: HAL9000
Another business-technology executive estimates his company's IT department has wasted more than 1,000 hours patching Windows systems....

Yet, business better get used to it. CIOs need to "literally put a line item" in IT budgets to cover the ongoing cost of patches, advises Kerry Gerontianos, president of systems integrator Incremax Technologies Corp. On the old goal of administration-free Windows, Gerontianos says, "that was a dream."

Microsoft is going to need that $50B to finance a slush fund to discount their products in order to keep customers from defecting. They're already trying this with government customers.

Even so, these businesses are going to have to raise their prices to offset their costs of maintaining their legacy Windows computing infrastructure. So their customers (i.e. "us") get to pay yet another Microsoft Tax.

Thanks again, Microsoft.

41 posted on 09/15/2003 4:54:14 PM PDT by TechJunkYard

To: r9etb
Sarcasm aside, you are correct. There would be no virus problem under Linux and Mac, since these are both *NIX based and do not launch executables embedded in email as does Microsoft.

Hint, viruses are transmitted by email... they have a different name when they break in directly over a TCP/IP port, and this is the only kind *NIX boxes are really susceptible to...

42 posted on 09/15/2003 5:01:16 PM PDT by chilepepper (The map is not the territory -- Alfred Korzybski)

To: r9etb
Sarcasm aside, you are correct. There would be no virus problem under Linux and Mac, since these are both *NIX based and do not launch executables embedded in email as does Microsoft.

Hint, viruses are transmitted by email... they have a different name when they break in directly over a TCP/IP port, and this is the only kind *NIX boxes are really susceptible to...

43 posted on 09/15/2003 5:01:18 PM PDT by chilepepper (The map is not the territory -- Alfred Korzybski)

To: Bush2000
Do you just make this cr*p up as you go?!? Seriously, you're a one-man FUD generation machine. Nearly everything you type is false.

Heh. You still haven't responded to my assertion about Windows clustering -- show me evidence that basic features like process migration and memory ushering are supported. I see you decided to declare victory and run away.

44 posted on 09/15/2003 6:04:00 PM PDT by tortoise (All these moments lost in time, like tears in the rain.)

To: chilepepper
There would be no virus problem under Linux and Mac, since these are both *NIX based and do not launch executables embedded in email as does Microsoft.

Gee, then I must have hallucinated those countless executables I launched from email in the years I worked on Unix systems...

Hint, viruses are transmitted by email...

Bigger hint: Email is only *one* of many methods by which viruses spread.

they have a different name when they break in directly over a TCP/IP port, and this is the only kind *NIX boxes are really susceptible to...

You are grossly misinformed.

45 posted on 09/15/2003 6:10:12 PM PDT by Ichneumon

To: rdb3
That picture kind of makes me think that Linux is part Windows. :p
46 posted on 09/15/2003 6:15:06 PM PDT by Paul C. Jesup

To: Bush2000
Do you just make this cr*p up as you go?!? Seriously, you're a one-man FUD generation machine. Nearly everything you type is false.

I see that your legendary poor reading comprehension is biting you in the ass once again. You apparently missed that Linux systems are typically rooted because of poor system administration, not underlying software vulnerabilities. Linux security can be fixed with good administration, but all the administration in the world on a Windows server won't help you if there is an exploit due to a software defect. Poor administration is not an intrinsic "vulnerability" of the OS, it is a person defect. A properly managed server without a defective OS should be safe on the Internet without a firewall. In terms of intrinsic OS vulnerabilities to hacking (i.e. software and design defects), Windows is far more vulnerable than Linux.

Which is why FreeBSD, which serves a remarkable percentage of pages on the Internet despite it being a relatively small percentage of servers, also had only a small number of exploits (in this particular study). The OS itself is as secure as any in common use, but all it takes is a stupid admin or lack thereof to be exploited.

Incidentally, the statistics in that particular study are dubious, primarily because the population was selected oddly out of all the exploited systems out there. There are a couple of specific documented incidents of rooted Windows servers alone that in sum total generated a larger number of incidents than the total they report. Unless they count a single hacker rooting over 2,000 Windows servers through one exploit as a single "attack" (to give a real-world example out of many). But that would be liberal math.

47 posted on 09/15/2003 6:25:09 PM PDT by tortoise (All these moments lost in time, like tears in the rain.)

To: Paul C. Jesup
I hate to rain on everyone's parade but the numbers speak for themselves. For the last full year 2002:

Linux had 75 security patches
ALL Microsoft had 72 security patches

Source:

Linux - https://rhn.redhat.com/errata/rh72-errata-security.html

Microsoft - http://www.microsoft.com/security/security_bulletins/

Go count them for yourself. Keep in mind that the 72 for Microsoft was for ALL Microsoft products not just Windows. If you just count those for Windows itself Linux looks even worse.
48 posted on 09/15/2003 6:28:12 PM PDT by AgentOfTruth (- Sometimes the truth is insensitive)

To: ex-Texan
I use an older version of the Mozilla Browser about 30% of the time. It is a really excellent browser, but I am cautious about the latest Mozilla builds.

I've just started using the latest Mozilla Firebird build - I've seen so many Freepers extolling Mozilla that I decided I ought to check it out. So far I really like what I see - it runs much more crisply than IE 6.

49 posted on 09/15/2003 6:34:00 PM PDT by CFC__VRWC (AIDS, abortion, euthanasia - don't liberals just kill ya?)

To: AgentOfTruth
LOL!! I know someone who uses both Red Hat and Windows and he'll back you up on that comparison.
50 posted on 09/15/2003 6:38:49 PM PDT by Paul C. Jesup

To: AgentOfTruth
If you just count those for Windows itself Linux looks even worse.

Ummm... Perhaps you should compare apples to apples. Many (most?) of those "security patches" under Linux are to fix behaviors that aren't really server exploits. In fact, some of them are to secure behaviors that aren't secured at all under Windows, due mostly to architectural differences; I think it is a bit much to assert equivalence. (Also, your count is wrong -- many of those security patches are actually bundles of multiple patches.)

51 posted on 09/15/2003 6:39:13 PM PDT by tortoise (All these moments lost in time, like tears in the rain.)

To: lelio
It's not that easy. When your environment starts to get over 50 servers (hardware), serving perhaps more than one hundred applications (DB and NIS on the same box), you have an environment with many dependencies, and a regular maintenance window can be a pain.

Beyond this there is a need to test these patches before they are moved into production.

52 posted on 09/15/2003 7:00:25 PM PDT by N3WBI3

To: HairOfTheDog
Anyone who says that has never worked with an enterprise production system..
53 posted on 09/15/2003 7:04:46 PM PDT by N3WBI3

To: AgentOfTruth
Go count them for yourself. Keep in mind that the 72 for Microsoft was for ALL Microsoft products not just Windows. If you just count those for Windows itself Linux looks even worse.

You need to count your list of patches more closely.

I could only find 11 of your "Linux patches" that were actually for the Linux kernel. The rest of them were for open source software applications that are only bundled in Linux distributions. They also run on a variety of other Unix platforms (both proprietary and open source versions).

There's also a problem with comparing them directly. Microsoft is free to release security fixes along with other patches or service packs, without anyone but them knowing they are fixing security problems. They are only identifying patches as security problems when the exploit becomes publicly known.

On the other hand, an open source software vendor can't bundle a security fix into a larger patch and sneak it into the system, because everyone can see the code changes.

54 posted on 09/15/2003 7:08:04 PM PDT by justlurking

To: HAL9000
This article is much ado about nothing. Technology is always evolving; nothing is ironclad or guaranteed to work. No matter what comes out there will always be idiots out there trying to exploit their flaws. Perhaps the whiners in the article would like to go back to vacuum-tube computers and switchboard operators from the 1950s.
55 posted on 09/15/2003 7:08:59 PM PDT by ServesURight (FReecerely Yours,)

To: scott7278
I have 12 updates (one is critical) in the past week that have gone to test. They average far more than four a month..
56 posted on 09/15/2003 7:10:37 PM PDT by N3WBI3

To: tortoise
Since we are talking about real operating systems, lets leave Apple out of the discussion. :-)

A security patch is a security patch. I didn't classify them, Red Hat and Microsoft did.

Since you mentioned the patch bundling, the numbers for those in 2003 (the only year I have them for) are:

Microsoft: 54 vulns fixed in 39 bulletins. Avg of 1.384 fixes / bulletin

Linux: 129 vulns fixed in 93 bulletins. Avg of 1.387 fixes/bulletin.

All the penguins better get patching!
57 posted on 09/15/2003 7:11:56 PM PDT by AgentOfTruth (- Sometimes the truth is insensitive)

To: Bush2000
Takes far less time and planning than patching a Windows server..
58 posted on 09/15/2003 7:12:06 PM PDT by N3WBI3

To: Windcatcher
I had the exact same thought: 2k is the best they are going to do. It's a stable and, more importantly, predictable NT kernel. If they had focused on cleaning that up and not bloating it with desktop features they could have had one heck of an OS..

We are working toward getting the last of our NT servers out of the mix (domain controllers), and the next move from 2000 will be to *nix whenever possible..

59 posted on 09/15/2003 7:17:20 PM PDT by N3WBI3

To: HAL9000
I'm all patched and not gonna change until I find an OS that is as good!

Amiga, anyone?

PDP-8
60 posted on 09/15/2003 7:21:35 PM PDT by lawdude
