Microsoft stumbles on road to security
Recent bugs derail faith in software maker's ongoing initiatives.
MOUNTAIN VIEW, CALIF. - Despite what appear to be its best intentions, Microsoft is again stumbling as it tries to convince network executives it is serious about security.
Last week, at its Trusted Computing Conference, the company made itself a lightning rod in an old debate over the responsible disclosure of code used to exploit holes in software. At the conference, Microsoft and a group including @stake, Guardent and Internet Security Systems drafted a proposal for an industrywide code of conduct to ensure that security vulnerabilities, the flaws that worms and viruses exploit, are reported responsibly and that end users are safeguarded promptly.
But critics lashed out, writing a competing proposal and saying Microsoft was hijacking the disclosure issue to divert attention from its own security problems.
Security has been a touchy subject lately for Microsoft. Two weeks ago, a cornerstone of its .Net strategy, the Passport authentication service, was found to have a flaw that could expose credit card numbers. A week before, Microsoft issued a "critical" patch for Windows XP on the day the software was released. Microsoft also recently has suffered through the Code Red and Nimda attacks on its Web server software, Internet Information Server (IIS), and on its Outlook e-mail client. And to add insult to injury, some security patches Microsoft has issued recently have caused systems to crash or have reconfigured them in ways that expose other security vulnerabilities.
Ironically, the scramble to patch and repatch is coming in the wake of last month's launch of Microsoft's Strategic Technology Protection Program, the latest in its line of highly hyped security programs to showcase Microsoft's commitment to secure software.
"Right now Microsoft is in a big hole and is trying to find its way out," says Edward Livengood, information security analyst for a midsized bank in the Midwest.
Try as it might, progress seems to be elusive, as exemplified at last week's conference. There, Microsoft led the charge to develop a standard for evaluating, fixing and disclosing security vulnerabilities, but it quickly found critics. The discussion hinged on a white paper by Scott Culp, manager of the Microsoft Security Response Center, which called on the security community to stop full disclosure of exploit code, the working attack code from which worms and viruses are built. Culp criticized the practice, saying security vulnerabilities should be discussed but in a "smart, prudent and responsible" way. Culp said so-called "script kiddies" use the code to attack servers and e-mail systems.
But critics say that Microsoft was trying to divert attention from its most recent problems and that full disclosure of exploit code can help IT executives and others fully understand vulnerabilities.
"This discussion was an ambush. No one was given time to devise a response," says Russ Cooper, editor of the NT BugTraq Web site and the surgeon general for TruSecure. "The talk is not about responsible disclosure, we are talking about public risk." Cooper responded by proposing the creation of the Responsible Disclosure Forum to govern disclosure practices.
"The industry has been talking about [full disclosure] for 10 years. Now it's time to come up with a solution for the industry," Culp said.
Security flaws that are tearing at the company's strategic plans fuel cynicism toward Microsoft's motives.
The recently discovered hole in Passport was a major blow to Microsoft's .Net initiative, which lays out an interconnected computing environment that runs over the Internet. Microsoft must convince IT executives it has a secure platform before .Net can take off, and Microsoft is touting Passport as .Net's universal authentication mechanism.
"Passport scares me to no end," says Robert Dennis, network administrator for an apparel manufacturer. "The recent vulnerability has retarded our development of .Net until there are security initiatives in place with Microsoft that show our intellectual property will not be at risk."
Microsoft is working on those initiatives. Last month, in response to the Code Red and Nimda worms, it launched its Strategic Technology Protection Program. The program is designed so IT executives can ensure that their servers are secure.
But again, the process ran into snags. The Security Tool Kit CD distributed as part of the program changed configurations of some users' IIS systems and reopened vulnerabilities.
"It runs perfectly on a default install of IIS, but who has a default install?" TruSecure's Cooper asks.
Microsoft has a major chance next year to convince IT executives security is of paramount concern when the company ships Windows .Net Server. The server will include patch and security management features. Also, IIS will not install by default and will only install after an administrator has walked through a series of questions about setup and intended use.
But most important, the server is the first product developed under Microsoft's Secure Windows Initiative. The initiative was launched early last year and is designed to make security a focal point for all its internal product development.
"We have seen Microsoft spend a lot of money on educating its developers on preventing bugs in code," says John Pescatore, an analyst with Gartner. "Our projection is that if Microsoft sticks to its Secure Windows Initiative that by 2005 the server [operating system] will be more secure and have fewer bugs than the industry average as defined by Solaris, AIX and HP-UX." However, Pescatore says, the two major stumbling blocks will be if Microsoft softens its tough security stance or if it fails to change the development culture within its ranks.
Culp says Microsoft will not waver on security. "Security is key for .Net and key for the industry in general," he says.