Free Republic

Interesting Take On Windows UPnP Vulnerability
Crypto-Gram Newsletter | 01/15/2002 | Bruce Schneier

Posted on 01/15/2002 11:20:43 AM PST by general_re

Windows UPnP Vulnerability

The big news of late December was a security flaw in Microsoft's Universal Plug and Play system, a feature in a variety of Windows flavors. On the one hand, this is a big deal: the vulnerability can allow anyone to take over a target computer. On the other hand, this is just one of many similar vulnerabilities in all sorts of software -- Microsoft and non-Microsoft -- and one for which there is no rapidly spreading exploit.

There are several lessons from all of this.

One, the amount of press coverage is not indicative of the level of severity, and the press is the only way to get the news out to the public. This thing got Nimda-like press, but there was no exploit. While it is a critical patch to install, it's not severe enough to trigger the "wake up, drive to work, and install this patch now!" reflex. Unfortunately, the public will have patience for only so many of these stories before their eyes glaze over. The rate of patch installation is decreasing, as people simply stop paying attention.

Two, Microsoft still sacrifices accuracy for public relations value. Here's a quote from Scott Culp, manager of Microsoft's security response center: "This is the first network-based, remote compromise that I'm aware of for Windows desktop systems." I was all set to write a longish rant, calling the statement a lie and listing other network-based remote Windows compromises -- Back Orifice, Nimda, etc., etc., etc. -- but Richard Forno beat me to it. Read his excellent commentary on Microsoft and security.

To combat this, open and public discussion is important. In the first days of the vulnerability, there was a lot of debate in the press: which systems were vulnerable by default, how best to fix the problem, etc. Even the FBI got into the act, albeit with wrong information they later adjusted. The importance here is a multitude of voices and a multitude of views, something that secrecy won't provide. As Greg Guerin commented, when there's a fire in a theater, you want as many audience members as possible to shout "Fire!" rather than sitting around waiting for the theater manager to say it. The theater manager is going to put his own spin on the news, and it's not likely to be an unbiased one.

Three, bug secrecy hurts us all. According to reports, eEye Digital Security told Microsoft about this vulnerability nearly two months before Microsoft released its patch. What's with the two-month delay? It's a simple buffer overflow, and should be patched within days. Delays just increase the likelihood that someone will exploit the vulnerability. (To think, some time ago I criticized eEye for not waiting long enough before releasing a vulnerability. Shows how hard it is to get the balance right.)

Four, Microsoft still pays lip service to security. This vulnerability is a buffer overflow, the easy-to-use low-hanging-fruit automatic-tools-to-fix kind of security vulnerability. It's not new or subtle; buffer overflows have been causing serious security problems for decades. It's an obvious, stupid-ass programming mistake that ANY reasonably implemented security program should have caught. Remember Microsoft's big PR fuss about their Secure Windows Initiative? If it can't catch this simple stuff, how can it secure software against the complex attacks and vulnerabilities? This is a software quality problem, pure and simple. And the real solution is better software design, implementation, and quality procedures, not more patches and alerts and press releases.

And five, complexity equals insecurity. UPnP is a complex set of protocols to support ad hoc peer-to-peer networking. Even though no one uses it, it's installed in a bunch of Microsoft OSs. Even though no one needs it turned on, sometimes it's turned on by default. This kind of "feature feature feature" mentality, without regard to security, means this kind of thing is going to happen again and again. Until software companies are held liable for the code they produce, they will continue to pack their software with needless features and neglect to consider their associated security ramifications.

This vulnerability also illustrates why Microsoft is so keen on bug secrecy. The industry analysts at Gartner issued a warning, urging companies to delay upgrading to Windows XP for "three to six months," lest more of these kinds of vulnerabilities surface. If Microsoft had learned of this vulnerability in secret, and fixed it in secret, Gartner would not make any such statements. No one would be the wiser. (But, of course, if Microsoft learned of this vulnerability in secret, what impetus would they have to fix it quickly? Wouldn't it be easier on everyone if they just rolled it into the next product update?)

Honestly, security experts don't pick on Microsoft because we have some fundamental dislike for the company. Indeed, Microsoft's poor products are one of the reasons we're in business. We pick on them because they've done more to harm Internet security than anyone else, because they repeatedly lie to the public about their products' security, and because they do everything they can to convince people that the problems lie anywhere but inside Microsoft. Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense from Microsoft and its products. (Note to Gartner: The vulnerabilities will come, a couple of them a week, for years and years...until people stop looking for them. Waiting six months isn't going to make this OS safer.)

News
http://www.zdnet.com/zdnn/stories/news/0,4586,5100941,00.html
http://theregister.co.uk/content/55/23480.html
http://www.wired.com/news/business/0,1367,49301,00.html
http://www.msnbc.com/news/675850.asp?0dm=B13QT

News article with the Culp quote:
http://www.washingtonpost.com/wp-dyn/articles/A7050-2001Dec20.html

Advisories:
http://www.eeye.com/html/Research/Advisories/AD20011220.html
http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm
http://www.cert.org/advisories/CA-2001-37.html
http://www.microsoft.com/technet/security/bulletin/MS01-059.asp

FBI's statement:
http://www.computerworld.com/storyba/0,4125,NAV47_STO66939,00.html
FBI's retraction:
http://www.nandotimes.com/technology/story/210127p-2028258c.html
http://www.computerworld.com/storyba/0,4125,NAV47_STO67069,00.html

Gartner commentary:
http://news.cnet.com/news/0-1003-201-8254545-0.html?tag=prntfr

Forno's commentary:
http://www.infowarrior.org/articles/2001-15.html

Gibson's commentary:
http://grc.com/UnPnP/UnPnP.htm

Other analysis:
http://www.securityfocus.com/columnists/50
http://www.internetnews.com/dev-news/article/0,,10_945371,00.html


TOPICS: Business/Economy; Editorial
KEYWORDS: computersecurityin; techindex
For those not already familiar with it, Bruce Schneier's Crypto-Gram newsletter is a nice, concise look at the world of computer security and cryptography. Bruce is a bona fide expert in the area, and his (free) newsletter is well worth the time it takes to sign up, if you're interested in such things.

Anyway, Bruce is hard on MS, but mostly justifiably, it seems to me. I suppose this'll just trigger another flame war, but there's some meat in here worth discussing.

1 posted on 01/15/2002 11:20:44 AM PST by general_re
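Point four of the essay calls the UPnP flaw a plain buffer overflow, the kind of mistake basic quality checks should catch. As an added example (not code from Crypto-Gram, from the eEye advisory, or from Microsoft), here is that bug class in C: a fixed-size copy of a header value with no length check, beside the bounded version that refuses input that does not fit, run over a constructed header line. The header name "Location", the buffer size and the sample lines are assumptions made up for illustration, not details taken from the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FIELD_MAX 32   /* fixed-size destination buffer (constructed size) */

/* The mistake: the destination is fixed-size, but the copy is bounded only
 * by the source, which arrives over the network. Kept here for contrast and
 * never called on untrusted input. */
void copy_field_unbounded(char dst[FIELD_MAX], const char *src)
{
    strcpy(dst, src);   /* writes past dst when strlen(src) >= FIELD_MAX */
}

/* The fix: measure first, refuse what does not fit, then copy exactly that
 * many bytes. Returns 0 on success, -1 when the value is too long. */
int copy_field_bounded(char dst[FIELD_MAX], const char *src)
{
    size_t n = strlen(src);
    if (n >= FIELD_MAX) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n + 1 <= FIELD_MAX, includes the terminator */
    return 0;
}

/* Extract the value of a "Name: value" line of a text protocol (a constructed
 * stand-in for the kind of network message the essay refers to) into a fixed
 * buffer. Returns the value length on success, -1 if the line does not carry
 * that header or the value does not fit. */
int get_header_value(const char *line, const char *name, char out[FIELD_MAX])
{
    size_t nlen = strlen(name);
    if (strncmp(line, name, nlen) != 0 || line[nlen] != ':')
        return -1;
    const char *v = line + nlen + 1;
    while (*v == ' ' || *v == '\t')
        v++;
    if (copy_field_bounded(out, v) != 0)
        return -1;
    return (int)strlen(out);
}

/* Wrapper for the assumed "Location" header used in the demo below. */
int location_length(const char *line)
{
    char buf[FIELD_MAX];
    return get_header_value(line, "Location", buf);
}

int main(void)
{
    /* Constructed sample lines: one that fits, one sized to overflow. */
    const char *ok = "Location: http://10.0.0.5/desc.xml";
    char big[80];
    memcpy(big, "Location: ", 10);
    memset(big + 10, 'A', 60);
    big[70] = '\0';

    printf("short value: length %d\n", location_length(ok));    /* 24 */
    printf("long value:  result %d (rejected)\n", location_length(big)); /* -1 */
    return 0;
}
```

The bounded version rejects rather than truncates: silently cutting a value to fit hides the same malformed input that the rejection exposes, and a rejected message is something a server can log and an operator can alert on.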

To: general_re
Honestly, security experts don't pick on Microsoft because we have some fundamental dislike for the company. Indeed, Microsoft's poor products are one of the reasons we're in business.

Boy he has that right. Solving Microsoft problems and security issues has always generated a great income for me -- that allowed me to buy a Mac.

2 posted on 01/15/2002 12:29:42 PM PST by toupsie

Comment #3 Removed by Moderator

To: general_re;boston liberty
This vulnerability also illustrates why Microsoft is so keen on bug secrecy. The industry analysts at Gartner issued a warning, urging companies to delay upgrading to Windows XP for "three to six months,"

I would issue a warning to all companies not to upgrade to XP at all. If you are moving from NT (which you hopefully are) then the only answer is Windows 2000.

4 posted on 01/15/2002 3:39:55 PM PST by Mixer

To: Mixer
This security flaw is as serious as it gets!!

First, Microsoft says XP only...then owns up to capability that exists in Win Millennium, but "almost no manufacturers installed it"

Well, E Machines did!!

Now, someone using a "DNS Spoof" attack has succeeded in installing a SECOND Master Boot Record on the operating system...on a single hard disk with no logical partitions other than C.

"Fortunately" [?] the way I have the Internet set up on my e-Monster actually prevents me from connecting to the 'Net, thus preventing a dialout.

Incidentally, since XP came out, the vast majority of scans detected by Black Ice have shifted to HTTP server scans to exploit the hole.

I'm typing this on a Win 98 machine and am looking for the patch on the Web. But, I gotta tell ya, this "takeover" of the machine is REAL!!

5 posted on 01/15/2002 7:37:16 PM PST by Lael

To: general_re;tech_index
To find all articles tagged or indexed using tech_index

Click here: tech_index

6 posted on 01/15/2002 7:41:28 PM PST by Ernest_at_the_Beach
