Microsoft: Bad security, or bad press?
(IDG) -- Microsoft has been getting a lot of bad press lately over security vulnerabilities in Internet Explorer, Office and Hotmail, among other software. Security concerns with Windows NT even prompted the U.S. Army to move its hacked Web site from NT servers to WebStar servers running the MacOS.
But does this mean Microsoft software is less secure than other software?
A variety of experts think so, claiming the software giant is offering more functionality at the expense of security. Microsoft defends its strategy, saying users want ease-of-use and more features.
And several users said they approve of that strategy. In the end, it's up to users to let the company know whether they are happy with the trade-off or if they want defaults to be set for greater security and more hand-holding.
Another option users have is to switch software like the Army did. The Army cited the fact that the MacOS doesn't have support for remote logons or a command shell to provide remote access via a DOS prompt.
Scott Culp, security product manager for NT Server, says NT provides tools to disable remote logons and that nearly all Unix systems have a command shell. "Whether or not an operating system has a remote command shell says nothing about its ability to withstand other attacks such as denial of service attacks."
Microsoft software experiences the same types of security woes other platforms do but its troubles are more prominent because more people are using Microsoft products than products from other software vendors, Culp says.
Without question, Microsoft's dominance in the operating system market plays a big part in the headlines - the sheer number of users of the software makes it an easy and huge target for hackers, increases the chances that security flaws will be discovered and heightens the impact from spreading viruses.
Hegemony not the only issue
But numerous experts, analysts and hackers say Microsoft's hegemony isn't the only problem.
"They certainly don't have a very secure environment. There are so many holes in the Microsoft environment that any [worthy] hacker ... is going to figure out how to break in," says Anne Thomas, a senior analyst at the Patricia Seybold Group in Boston.
"It's the dominant operating system out there, so it's going to attract the attention. On the other hand, Windows has extremely sloppy security," says Bruce Schneier, author of Applied Cryptography and a founder and chief technology officer of Counterpane Internet Security, a provider of managed security services in Minneapolis, Minn.
What often upsets people is that Microsoft hasn't learned from the mistakes made in older operating systems, notes Jon McCown, technical director of network security at the International Computer Security Association in Reston, Va. Categories of attack that are well understood are cropping up in Windows.
"They're doing a forthright job of addressing them, but there's a concern about what we don't know about yet; what's still in the operting system or in the servers that will become an issue."
Evolution of Windows
It has been suggested that Microsoft's security weakness have to do with the evolution of Windows from a single-user desktop operating system to a multiuser operating system.
Windows is desktop software that "was never really intended as network architecture," says Jeff Tarter, editor and publisher of Softletter, based in Watertown, Mass. However, Microsoft is rewriting a lot of the code for Windows 2000, as it did for NT, which should help make it more secure, he adds.
Culp acknowledges that the NT security architecture is more "robust" than its predecessors.
"NT is an entirely different animal altogether," he says. "It was built from the ground up with a brand new architecture ... to be used as an enterprise class operating system with security as a primary requirement." But Culp also defended the strength of all Windows in general, saying security was "woven" into the operating rather than "bolted on" afterward.
Others are skeptical
"Microsoft's operating system was never designed with security in mind," Schneier says. "For Microsoft, security is always an afterthought."
One example is Microsoft's implementation of file-sharing networking services in Windows 95 and 98, says Tweety Fish, a member of the hacker group Cult of the Dead Cow. Where previous versions of Windows weren't designed for networked computers, Microsoft made TCP/IP file sharing the default on Windows 95 and 98 without explaining the consequences of sharing files over the Internet to users who weren't savvy about network security, he wrote in an e-mail response to questions. Microsoft could have also used a more secure method for file sharing.
Trade-off: Security vs. functionality
Factors listed by experts interviewed over the past few weeks that lead to security problems for Microsoft include:
-- The company's reliance on the Component Object Model specification for running application components on multiple platforms, specifically ActiveX controls, which are reusable component program objects similar to Java applets and which can be attached to an e-mail or downloaded from a Web site. The most dangerous are pre-installed ActiveX controls which contain functions that can be executed on a computer but run without digital signatures used by other ActiveX controls.
-- NT's "insecure" default installation, which assumes the user or network administrator will be knowledgeable enough to change the settings to a higher security level.
-- The company's use of executable code in data files in Microsoft Office products, primarily macros, which are saved commands that can be recalled with a single command or keystroke.
-- The company's tight integration of its applications with its operating system, and lack of tight administration control in the operating system over privileges and access controls, which allow applications and macros to execute other programs.
-- The company's use of hidden and/or undocumented APIs or features that can give hackers back doors into Microsoft applications and which don't get the scrutiny of code made public to developers.
-- The company's faulty implementation of the Point-to-Point Tunneling Protocol, which enables the extension of corporate networks through private "tunnels" over the Internet. It is still vulnerable to "offline password-guessing attacks from hacker tools such as L0phtcrack," according to Schneier's report at http://www.counterpane.com/pptp.html.
In general, the experts agreed that these technologies provide greater ease of use and functionality to users but say they also open the system up to security vulnerabilities. Microsoft counters that many of the features can be either disabled, like macros and ActiveX controls, or made more secure with the use of third-party specialized software.
COM opens the door
Thomas of the Patricia Seybold Group says Microsoft's main problem has to do with COM, which "opens the system up to all kinds of nasty, dangerous situations." COM's integration with Microsoft Word allowed the prolific Melissa virus to spread so quickly in March, she says.
"It's a hard trade-off," Thomas says. "You can do without this incredibly powerful technology that makes your system so much more automatic, or you can shut off that automatic capability and not have that tight integration, but have protection against viruses."
Java applets are designed to minimize security violations by being executed in a "sandbox" - a secure area of the computer that isolates Java applets and keeps them from damaging files - whereas ActiveX controls rely on the applet being signed by the creator, whom the user will, ideally, know and trust.
Dangers of ActiveX
Allowing remote systems to run arbitrary code on a local system is a "massive security risk," hacker Tweety Fish wrote. "It's been proven time and time again that Microsoft's implementation of ActiveX can be broken pretty easily ..."
ActiveX controls can be automatically launched when a user goes to an HTML page or clicks on an e-mail attachment. They can be used to do malicious things like run programs on a user's computer, read system files and create files, among other things, according to Richard M. Smith, a security expert and president of Phar Lap Software, a Cambridge, Mass. company that makes real-time operating systems for embedded systems.
"I don't think anybody right now, frankly, has a handle on the scope of the [ActiveX] problem," Smith says. " ActiveX really opens up a can of worms."
Microsoft has released an average of about two to three security patches a month over the past year, Smith says, adding that he suspects that most Microsoft users have not downloaded them. Within the past year, while Microsoft has had about 10 separate bugs in IE that enable code in messages to read files, Netscape has had one, according to Smith.
Default "open" or "closed"
Microsoft's Culp argued that COM does not pose a security risk, and countered that Microsoft allows users to configure their software to give them the balance of functionality and security.
For instance, users can disable macros and ActiveX controls, and a new security patch for Office lets users decide whether to allow Office documents to launch automatically when they're hosted on Web sites, he says. In addition, a new security configuration tool kit that ships with Windows 2000 will allow users to customize their software to the security level they desire, Culp says.
"We don't force anybody into a particular stance," he says. "We provide tools to allow you to make that decision."
But several experts say Microsoft should ship its software in the highest security mode rather than a more risky "open" default.
"The operating system should be fail safe enough [especially on a server operating system like NT] that a nonadministrator user has to work pretty hard to allow the machine to be compromised," hacker Tweety Fish wrote. "The fact that macros in Microsoft Word can run any DOS executable and access any system function is a massive security hole, and for Microsoft to claim anything else is specious marketing spin."
Users can't make knowledgeable choices of what features to disable if they don't fully understand the dangers involved, Tweety Fish says. Instead, they should feel confident that their software is secure and as they start to understand the risks they can modify the security themselves.
Eric Schultz, director of Microsoft Content for Security-Focus, which operates a portal site at http://www.securityfocus.com, specifically complained that Windows NT's default installation can allow hackers to get a lot of information, including access to "blank administrator passwords, disabled security policies, and weak permissions over critical system files."
But Microsoft can't be expected to make the security decisions for its users, particularly when opting for greater security for some users at the expense of less functionality for others, Culp argues.
"There's always a trade-off between convenience and security," he says. "Everybody has a proper point where they balance security against usability. Any two people are going to have a different point that's right for them."
Virtually all general-purpose operating systems default to usability over security rather than in a "locked down" mode.
Russ Cooper, editor of the NT Bugtraq mailing list (www.securityadvice.com), defended macros. "Although relatively insecure, [macros are] still very much in demand. ... Internet technologies are not designed to be secure. They're designed to be interactive."
Cooper says users should be more responsible. "Microsoft is providing us with tools that will help us, but at the same time we as consumers are not taking the responsibility ... to learn basics about using this stuff," he says.
But other experts argue that Microsoft has a responsibility to provide greater user safety than it is now, even if it might take more time and money to develop products that are more secure.
"In the car industry they have to build with safety in mind. Car makers couldn't get away with this," said Avi Rubin, a principal member of the technical staff at AT&T Labs in Florham Park, N.J., and author of The Web Security Sourcebook. "They're more concerned with the bottom line and profits, and that's upsetting."
"Setting the default to dangerous doesn't work in any other industry," Schneier says of Counterpane.
Offering zero-administration capabilities and features that, in their default mode, reduce the level of security in the software, is a strategic decision on Microsoft's part, the experts say.
Phar Lap's Smith questioned the need for some of the features Microsoft provides at the expense of security, saying he'd like to turn them off but doesn't always get that option.
To simplify things for the administrator, Microsoft is promoting ease-of-use over "robustness of control," hacker Tweety Fish says. However, if the operating system doesn't adequately handle the behind-the-scenes work, security holes can be opened up without the administrator's awareness.
"Unix variants have a long way to go to match the ease of use of NT, but on the other hand, with a little bit of knowledge [in Unix], you can know EXACTLY what your machine is doing, which is the most important aspect of server administration," Tweety Fish wrote.
Meanwhile, Schultze of Security-Focus predicted that security problems with NT and its predecessors will pale in comparison to security issues that will arise with Windows 2000, which will offer more complexity to secure. "There will be more opportunities for things to go wrong," he says.
For instance, Schultze says Windows 2000 defaults to enabling a host of encryption authentication schemes, including LanMan, which he says is easy to decrypt, and users have to go in and disable any schemes they don't want to use. However, the chances that an administrator won't tighten the system down are great.
Culp disputes this, noting that in Windows 2000 Microsoft is using security standards like the Kerberos protocol, putting the software to heavy testing including specific attempts to break into it, and has been beta testing it for two years.
Tight integration, loose administration, hidden APIs
Microsoft prides itself on the tight integration of its applications with its operating system - a matter that sparked an antitrust lawsuit by the U.S. government. But while this integration lets users easily work between the programs, it also makes it easy for flaws in one application to affect the entire system, according to Rubin at AT&T.
"There are no security perimeters around any of the applications," he says. "The fact that Word macros can access an Excel database and Excel files can launch other programs with a 'call function'" in Outlook, for example, creates a hacker-friendly environment.
Part of the problem is Microsoft's use of so-called hidden APIs, which are kept secret from third-party developers, Rubin says. These allow Microsoft developers to take shortcuts but can also lead to security problems because they aren't scrutinized as public ones are.
Hacker Tweety Fish accuses Microsoft of historically implementing "horribly insecure" APIs.
"Both Back Orifice and BO2K were built using standard Microsoft APIs; every piece of scary, worrisome functionality is BUILT IN to Microsoft Windows," he wrote. "If these APIs were open to public scrutiny, I doubt such terrible ideas as WNetEnumCachedPasswords [which cheerfully reveals all cached passwords on the system] would exist."
Microsoft's Culp couldn't categorically deny that the company uses hidden APIs, but in general he argued that integration is necessary to give advanced products to users.
"Microsoft doesn't believe that the way to provide security is to make our applications incompatible with each other," he says. "That's not what our customers want. They want seamless integration."
Tightly integrated applications provide productivity improvements and can still be secured, Culp says. For example, Office 2000 macros can be disabled or allowed to run: automatically, only when digitally signed, or only when signed from trusted sources.
Technical debates aside, most of the critics complained that Microsoft often treats security issues like PR problems that need to be averted and not resolved.
The main security problem is "marketing driven product design at Microsoft, and the fact that they will not consider any given security risk a problem until it becomes a problem in the press," hacker Tweety Fish says.
He and others complained that Microsoft often denies security problems before being forced to address them with a fix after they are made public, and that the company tries to minimize their scope and put a spin on them.
For instance, the company downplayed the Jet/ODBC [open database connectivity] exploit in a Microsoft Security Bulletin over a year ago so that "almost nobody" bothered to install the patch and users were caught off-guard when it made headlines recently, the hacker says.
The company downplays the extent of a problem by not mentioning all the situations in which it could arise, saying it is limited to only specific situations and claiming that no customers have been affected, the experts say. For instance, when issuing alerts about browser bugs Microsoft usually doesn't point out that they can occur in e-mail, Smith says.
But Smith and some of the others conceded that Microsoft's response time has improved in the past few years. For example, Microsoft released a workaround immediately and a patch four days later for a recent security exploit in Internet Information Server, and "that's probably as responsive as any company would be," McCown says.
"A quick fix may break something else," Schultze of Security-Focus says. "They're being thorough. It may not be as quick as some people might like."
Culp denied the allegations that the company is reluctant to admit exploits or their scope. The company's security response team is quick to address and fix problems, monitors security mailing lists for reports and works closely with security groups, he said.
When a vulnerability is confirmed, the company sends e-mail alerts to customers who have asked to be put on a list at firstname.lastname@example.org and others, and posts information on its security Web site at www.microsoft.com/support and www.microsoft.com/security/services/bulletin.asp, Culp said. Microsoft has more than 200 full-time employees working on nothing but security, he added.
"We look into every issue that's reported," he said. "Out of those 10,000 queries and reports (received in the past year) and all the things posted to the mailing lists, etc. there have been about 30 issues that we have needed to provide a patch for this year," and 40 or 45 over the last 12 months, Culp said.
Only about 5 percent of the reports Microsoft gets turn out to be bonafide security vulnerabilities, according to Culp. Many end up being problems due to unclear documentation, incorrect implementations of the software or code, or users not following best practices, he said.
In recent swift work, Microsoft released a security bulletin just hours after an IE vulnerability was announced September 10, telling users how to protect against it while a patch is developed, Culp noted.
Meanwhile, Microsoft has taken a new approach and put a Windows 2000 test server online for users to try to hack. The system has held up although it got off to a rocky start and was down for several days after lightning hit a router right after it was put online.
Cooper of NTBugtraq predicted that the security situation will improve for Microsoft as consumers become more savvy and demand more security in products.
"Certainly there's been a change in Microsoft in the last two years to do things with far more security in mind," he said. "The reality is they're doing it to an extent that consumers will tolerate and to an extent that consumers will demand."
Users are content
Several users said they have no complaints with Microsoft's products or attitude.
"From my perspective, what Microsoft is doing is right on target," said Greg Scott, IS manager at Oregon State University's College of Business in Corvalis.
"I want the interoperability the tools provide me so I can move things cleanly, simply and easily between systems. And I'm willing to suffer the minor inconvenience of having to pay more attention to security and patches," he said. "As long as they provide patches and fixes in an appropriate timeframe, then I'll use their products."
Another user said he likes Microsoft software specifically because of its integration. Ty Simone, IS manager at Onsite Sycom Energy Corp., an energy service company based in Carlsbad, California, said he's not bothered by Microsoft's usability versus security tradeoff.
"I would much rather have the control here than have Microsoft saying 'You can't do anything until you change something,'" he said. "For example, the default for IE is medium. If they set it to high, until I get to that user and set it to medium that user couldn't access the corporate intranet, much less the Internet."
Simone also praised Microsoft for reacting swiftly and forthrightly when issues arise, noting that Unix users don't get security bulletins e-mailed to them like Windows users do.
Unix gets more hacks but less press than NT does, Simone says, adding that "It's not popular to bash the little guy."
Unix, Linux, MacOS
So how do the Windows alternatives fare?
The MacOSX "add-on programs look to be just as vulnerable (as Windows) -- there are permissions problems and plenty of coding issues," Dr. Mudge of Boston-based hacker group L0pht Heavy Industries wrote in an e-mail. "However, a quick look would imply that the core OS might be much more secure than NT's core components. This is most likely due to the fact that the new MacOS's are really BSD 4.4 (Unix) and mach memory systems. Both have been around for decades to have the kinks worked out of."
Meanwhile, open source operating systems tend to be more easily secured than closed source ones like NT, "because there are more people doing more work to find the holes, and it's easier for researchers to develop patches for exploits they find," hacker Tweety Fish said.
The most secure platform "out-of-the-box" is OpenBSD because security is a focus on the project, he said. "It is not perfect; no OS is, but with OpenBSD you can guarantee that security is their first priority."
The favored underdog, Linux, is considered experimental at this point, but it may end up giving NT a good run for its money, according to Winn Schwartau, founder of Security Experts consultancy in St. Petersburg, Florida, and author of "Information Warfare" and other books. Most of his clients, who include governments, NATO and other multinational organizations, use Unix now, he added.
Despite the complaints about the security in Microsoft software, Culp said customers-including government agencies and organizations in the healthcare, insurance and banking industries-feel comfortable using the company's products.
And Cooper of NT Bugtraq noted that Windows is "hugely accepted, widely deployed and largely liked" by users.
"I don't think Windows is more or less secure than some other operating system," Cooper said. "I think that there are technologies from Microsoft that are good; there are others that are not good; and there are others that still need to be refined and improved, but that are still very much in demand."
But hacker Space Rogue, a member of the L0pht Heavy Industries, summed up what he and others see as Microsoft's security challenges.
"Windows has three strikes against it, as I see it. Popular OS, weak security, easy-to-use, oh, and it is made by MS, the company everyone loves to hate."
Tack this on to Web e-mail security -- attachments
RELATED IDG.net STORIES:
Microsoft releases updated IE security patch
Microsoft's main security Web page
|Back to the top||
© 2001 Cable News Network. All Rights Reserved.|
Terms under which this service is provided to you.
Read our privacy guidelines.