Posted on 09/15/2003 1:30:06 PM PDT by HAL9000
With the Blaster worm seeming to be under control, alleged virus-author Jeffrey Parson under house arrest in Minnesota, and hacker Adrian Lamo under the watchful eye of the feds, business-technology managers may have enjoyed a few hours of peace and quiet last week. But it was short-lived. On Sept. 10, Microsoft issued a security bulletin warning of three new critical vulnerabilities in the Windows operating system, sending systems administrators rushing to patch their computers. It's become an all-too-common scenario--and one that's causing some businesses to re-evaluate their heavy reliance on Microsoft products.
A year-and-a-half after Bill Gates declared that trustworthy computing had become Microsoft's No. 1 priority, the software bugs keep coming. The latest vulnerabilities involve the Remote Procedure Call service in Windows, making it possible for a malicious hacker to take control of a target system, introduce an infectious worm, or launch a denial-of-service attack. A week earlier, Microsoft issued five other warnings, four involving the omnipresent Office applications suite. For the year, the tally stands at 39.
And those are just the holes that have been uncovered by others and reported to Microsoft. In addition, the software vendor is combing through its code, finding holes, and issuing patches without publicizing the flaws. No one knows how many more are yet to be uncovered. "There's no way to wrap your hands around that," says Dan Ingevaldson, engineering manager with security vendor Internet Security Systems Inc.
Some business and technology professionals are running out of patience. "The issues around these vulnerabilities are escalating to the point where it's not just CIOs or CTOs, it's corporate officers, it's boards of directors asking: 'What are we going to do?'" says Ruth Harenchar, CIO of Bowne & Co., which last week scrambled to patch 4,500 Windows PCs and 500 servers in the United States and more overseas. "The situation appears to be getting worse, not better."
The patching work has thrown Bowne & Co.'s technology projects off schedule. Now, the specialty-printing-services company is assessing its options. Among them: redesigning its network around a thin-client model to reduce the number of PCs running Windows and, on other machines, migrating to Linux. "It's getting to be enough of a burden that you have to seriously start thinking about alternatives," Harenchar says.
Raymond James & Associates has assembled a team of IT staffers to manage the constant patching. "Organizations have to mobilize and realize this is going to be a way of life for the foreseeable future," says VP of IS Gene Fredriksen.
The financial-services firm, with offices around the world, last week began the arduous task of patching 10,000 PCs and 1,000 servers. "The pressure is on," Fredriksen says. "Anybody that isn't patched by the weekend is going to have trouble." The fear is that the latest vulnerability leaves Windows computers open to a Blaster-like worm. "There's a very good chance that a worm is going to be developed" to take advantage of the latest security holes, says ISS's Ingevaldson.
"People are getting fed up," says Lloyd Hession, chief information security officer at financial-network provider Radianz, adding that the number of Windows patches is reaching "epic proportions." The situation is causing more than just a few disgruntled customers to re-evaluate how much they use Microsoft products. Says Gartner security analyst John Pescatore, "There's definitely a very large trend towards that."
The problem of buggy code isn't limited to Microsoft software. And, at a congressional subcommittee hearing on the vulnerability of the country's computing infrastructure to worms and viruses--a hearing that was held, coincidentally, on the same day last week that Microsoft issued its security bulletin--Symantec Corp. president John Schwarz testified that software vulnerabilities "are being exploited faster and more aggressively than ever."
But Microsoft is at the center of the storm because its software is so widely used and a favorite target of the malcontents who write viruses and hack systems. At the same hearing, Microsoft senior security strategist Philip Reitinger described Microsoft's security-response program as "state of the art." He admitted, though, that "much remains to be done."
Just what is Microsoft doing to fix things? Last year, the company interrupted product development to train its Windows programmers in techniques for writing more-secure code. It has made some products harder to hack by turning off settings that raise risks, and it's screening old code for problems. And the automatic-update technology introduced in Windows XP is now available in Windows Server 2003 and Windows 2000.
Other steps are in the works. They include a hardware approach to creating secure systems called the Next-Generation Secure Computing Base, extending automatic updates to more Microsoft products, new "protective" software that guards systems even when patches aren't applied, and antivirus products and services.
Jeff Jones, senior director of trustworthy computing security, says Microsoft is making progress and points to the fact that Windows Server 2003 had half as many patches as Windows 2000 after 90 days of availability. "That's a clear improvement," Jones says.
Some customers are satisfied Microsoft is doing everything it can. "Their intentions are good," says Robert Egan, VP of IT at Boise Cascade Corp., which recently created a task force to respond to Microsoft's security bulletins. Egan says the work involved is "tolerable" but adds that the real issue is that "we'd rather be spending time enhancing our systems" than fixing them.
That's the rub. Another business-technology executive estimates his company's IT department has wasted more than 1,000 hours patching Windows systems. He's looking at thin clients and Linux as alternatives to Windows and, late last week, he was drafting a letter to Microsoft. The message: He'd like Microsoft to reimburse his company for all those hours of lost productivity.
Yet, business better get used to it. CIOs need to "literally put a line item" in IT budgets to cover the ongoing cost of patches, advises Kerry Gerontianos, president of systems integrator Incremax Technologies Corp. On the old goal of administration-free Windows, Gerontianos says, "that was a dream."
I was just going by what the article said. It doesn't seem like I'm downloading more than that a month, but I could be. I've never had twelve at a time, though. Let me check...
For all available updates, I'm showing seven installed updates for September, five from August, seven from July, two from June, three from May, ten from April, three from March, eight from February, and four from January = 5.4 per month.
For Critical, Security, and Recommended Updates, I'm showing two for September, four for August, six for July, two for June, three for May, seven for April, three for March, eight for February, and one for January = 4 per month.
Red Hat itself comes with hundreds of third-party applications; one of the errors was for "Hangul Terminal is a terminal emulator for the X Window System, based on Xterm." Unlike the Windows updates, which by inspection look to be about 75% OS related, Linux updates to the kernel or core servers (Apache/MySQL/Sendmail) are far less frequent.
Is Linux perfect? No, but a server which does not have literally hundreds of apps installed requires far less patching than Windows, and most of those do not require a reboot.
They are included in most Linux distributions. They aren't Linux, or even part of Linux, at least in terms of who is "responsible". They are maintained by separate teams of developers, and blaming "Linux" would be like blaming Microsoft for a bug in Photoshop.
One could contend that some of them are necessary for Linux to be "useful" and equivalent to Windows. Therefore, it might be fair to include them in an overall comparison to Microsoft.
However, there are also a number of applications that have no direct equivalent on a Windows desktop, and typically don't exist except in enterprise server configurations. Unless your Microsoft patch count includes those types of applications or server software, it wouldn't be a fair comparison.
Start adding on the security patches numbers for applications for the Linux Kernel like PHP and the security swiss cheese Apache and the numbers for Linux get VERY ugly.
Check your list again. They were already included.
Yes, but how many of these are actual server security patches the normal server admins actually need to use? We use exposed Linux servers all over the Internet running fiber backbones in a number of capacities (over my objections, actually) and I believe they have had exactly one security bulletin over the last year and a half that actually required them to patch something (one of the daemons, in that case). Our admins are pretty sharp and our security is tight, but the only box ever rooted on our network was a Win2k box that we let someone host there for free. We run a ton of completely exposed Linux servers, and we see every vulnerability that pops up and aggressively watch that stuff, but we've needed to patch something exactly once in 18 months. And I know why that list doesn't compute; most of the "security patches" on that list are things that concern desktop users, not any of the server applications we are likely to use. I certainly know that the couple Windows servers we have (which are not exposed) have been patched multiple times in the same period, and these boxes are not even routable from the Internet.
As for Apple, they are running a FreeBSD kernel (very secure), but who knows what vulnerabilities they've added on top of it. I'll say that the jury is out on the security merits of MacOS X, though it should be pretty good in theory.
Microsoft themselves claimed (in court) that IE was an integral and inseparable part of Windows.
Personally, I wouldn't claim that IIS is part of Windows, even though it was on the Windows distribution disk(s). It took a separate, overt action on the part of the user to install it.
However, the problem with comparing a Windows-only application from Microsoft to an open source application that happens to run on Linux is that Linux is usually only one of the supported platforms.
In only a quick scan, I can identify several of them that also run on Windows: Mozilla, Ethereal, PHP, Apache, VNC, Lynx, Netscape, MySQL, and Ghostscript all have Windows source and binary distributions, although I don't know if they were exploitable. If you want to attribute them as Linux security problems, then they are potential Windows security problems as well -- even though they are not Microsoft products.
Cry me a river! No pity from me PE!
It's not that big a deal when you've only got a few computers that you have to deal with... But I've got clients with lots of users, scattered all over the country, many of which don't have direct Internet access, though they still have access to email, and it's damned near impossible to patch a Windows system that doesn't have Internet access. In other cases, we've got some schools who are clients, and they simply don't have the manpower to run around to over 2000 systems to apply patches, or run Windows Update (can't apply patches without having local administrator access, and there's no way that the students are getting that sort of local access). Even if you can get all of their patches in downloadable form, then you have to take the time to be sure that they're rolled out, something that can take over an hour to do properly.
If you're dealing with a large system, it gets very time consuming and very expensive, very quickly!
Mark
Actually, on a client system where I installed an OEM copy of WindowsXP, complete with SP1, when I went out to WindowsUpdate two weeks ago, I was informed that there were 28 critical updates... How long has WinXP SP1 been out? BTW, I suspect that the number is now greater.
Mark
No, genius. The point is that you turn off what you don't need and configure it so that it is as secure as possible. We probably have around ten different network daemons running on them at any given moment on average. Nonetheless, the OS has not needed to be patched and only one of the myriad of daemons that we run had to be patched. These boxes do most everything that a normal Unix server does plus some extra things most Unix servers do not. They have simply been trouble free for the most part and no security vulnerabilities have been published for the various applications we use (excepting the one).
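The hardening principle in that comment (expose only the daemons you actually need, and keep everything else off or bound to loopback) is something you can check mechanically rather than by eye. The script below is an added example, not code from the thread or from any of the posters: it parses constructed lines in the shape of `ss -Hltnp` output (an assumption about the format; the sample data is made up), compares each listener with a hypothetical allowlist of expected daemons and ports, and reports anything that is unexpected or more widely exposed than the allowlist permits.

```python
"""Audit listening TCP sockets against an allowlist of expected daemons.

Added illustration of the "turn off what you don't need" principle; not code
from the original page. SAMPLE_SS_OUTPUT is constructed in the shape of
`ss -Hltnp` output (assumption about the format) so the script runs offline.
On a real host, feed it the actual command output instead.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of `ss -Hltnp` output (not real host data).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*  users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*  users:(("httpd",pid=1201,fd=4))
LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*  users:(("mysqld",pid=1320,fd=20))
LISTEN 0      128    0.0.0.0:5900      0.0.0.0:*  users:(("Xvnc",pid=2210,fd=6))
LISTEN 0      128    0.0.0.0:25        0.0.0.0:*  users:(("sendmail",pid=900,fd=5))
"""

# Hypothetical allowlist for this server: process -> permitted ports and whether
# it may bind to all interfaces. mysqld is permitted on loopback only.
ALLOWED = {
    "sshd": {"ports": {22}, "public": True},
    "httpd": {"ports": {80, 443}, "public": True},
    "mysqld": {"ports": {3306}, "public": False},
}

# One `ss` line: state, recv-q, send-q, local addr:port, peer addr:port, users:(("proc",pid=N,...))
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


@dataclass(frozen=True)
class Listener:
    proc: str
    pid: int
    addr: str
    port: int

    @property
    def is_public(self) -> bool:
        # Bound to every interface (IPv4 or IPv6 wildcard) rather than loopback.
        return self.addr in ("0.0.0.0", "*", "[::]", "::")


def parse_ss_output(text: str) -> list[Listener]:
    """Parse `ss -Hltnp`-style lines; lines that do not match the shape are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Listener(m["proc"], int(m["pid"]), m["addr"], int(m["port"])))
    return found


def audit_listeners(listeners, allowed=ALLOWED) -> list[str]:
    """Return one finding per listener that is not on the allowlist, is on an
    unexpected port, or is exposed more widely than the allowlist permits."""
    findings = []
    for lst in listeners:
        rule = allowed.get(lst.proc)
        if rule is None:
            findings.append(
                f"unexpected daemon {lst.proc} (pid {lst.pid}) listening on {lst.addr}:{lst.port}"
            )
        elif lst.port not in rule["ports"]:
            findings.append(f"{lst.proc} listening on unexpected port {lst.port}")
        elif lst.is_public and not rule["public"]:
            findings.append(
                f"{lst.proc} bound to all interfaces on port {lst.port}; expected loopback only"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(parse_ss_output(SAMPLE_SS_OUTPUT)):
        print("FINDING:", finding)
```

Run against the constructed sample, it flags the VNC and sendmail listeners as daemons nobody put on the allowlist, while the loopback-only MySQL socket passes. Running the same check from cron against real `ss` output gives an early warning when a package upgrade or a well-meaning colleague quietly enables a new network service.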