
Microsoft stumbles on road to security

Recent bugs derail faith in software maker's ongoing initiatives.



MOUNTAIN VIEW, CALIF. - Despite what appear to be its best intentions, Microsoft is again stumbling as it tries to convince network executives it is serious about security.

Last week, at its Trusted Computing Conference, the company made itself a lightning rod in an old debate over the responsible disclosure of code used to exploit holes in software. There, Microsoft and a group including @stake, Guardent and Internet Security Systems drafted a proposal for an industrywide code of conduct intended to ensure that security vulnerabilities, and the worms and viruses that exploit them, are reported responsibly and that end users are protected promptly.

But critics lashed out, writing a competing proposal and saying Microsoft was hijacking the disclosure issue to divert attention from its own security problems.

Security has been a touchy subject lately for Microsoft. Two weeks ago, a cornerstone of its .Net strategy, the Passport authentication service, was found to have a flaw that could expose credit card numbers. A week before, Microsoft issued a "critical" patch for Windows XP on the day the software was released. Microsoft also recently has suffered through the Code Red and Nimda attacks on its Web server software, Internet Information Server (IIS) and its Outlook e-mail client. And to add insult to injury, some security patches Microsoft has issued recently have caused systems to crash or be reconfigured in such a way as to expose other security vulnerabilities (read columnist Mark Gibbs' take on Microsoft's latest security proposal, as well as Scott Bradner's take on Passport).

Ironically, the scramble to patch and repatch is coming in the wake of last month's launch of Microsoft's Strategic Technology Protection Program, the latest in its line of highly hyped security programs to showcase Microsoft's commitment to secure software.

"Right now Microsoft is in a big hole and is trying to find its way out," says Edward Livengood, information security analyst for a midsized bank in the Midwest.

Try as it might, progress seems to be elusive, as exemplified at last week's conference. There, Microsoft led the charge to develop a standard for evaluating, fixing and disclosing security vulnerabilities, but it quickly found critics. The discussion hinged on a white paper by Scott Culp, manager of the Microsoft Security Response Center, which called on the security community to stop full disclosure of exploit code, the recipe for developing worms and viruses. Culp criticized the practice, saying security vulnerabilities should be discussed but in a "smart, prudent and responsible" way. Culp said so-called "script kiddies" use the code to attack servers and e-mail systems.

But critics say that Microsoft was trying to divert attention from its most recent problems and that full disclosure of exploit code can help IT executives and others fully understand vulnerabilities.

"This discussion was an ambush. No one was given time to devise a response," says Russ Cooper, editor of the NT BugTraq Web site and the surgeon general for TruSecure. "The talk is not about responsible disclosure, we are talking about public risk." Cooper responded by proposing the creation of the Responsible Disclosure Forum to govern disclosure practices.

"The industry has been talking about [full disclosure] for 10 years. Now it's time to come up with a solution for the industry," Culp said.

The security flaws now tearing at the company's strategic plans only fuel cynicism about Microsoft's motives.

The hole recently discovered in Passport was a major blow to Microsoft's .Net initiative, which envisions an interconnected computing environment running over the Internet. Microsoft must convince IT executives it has a secure platform before .Net can take off, and it is touting Passport as .Net's universal authentication mechanism.

"Passport scares me to no end," says Robert Dennis, network administrator for an apparel manufacturer. "The recent vulnerability has retarded our development of .Net until there are security initiatives in place with Microsoft that show our intellectual property will not be at risk."

Microsoft is working on those initiatives. Last month, in response to the Code Red and Nimda worms, it launched its Strategic Technology Protection Program. The program is designed so IT executives can ensure that their servers are secure.

But again, the process ran into snags. The Security Tool Kit CD distributed as part of the program changed configurations of some users' IIS systems and reopened vulnerabilities.

"It runs perfectly on a default install of IIS, but who has a default install?" TruSecure's Cooper asks.
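
The failure mode described above, a patch or tool that silently reverts hardening on a non-default install, is exactly what a before-and-after comparison catches. The following is an added example, not code from the article or from Microsoft's Security Tool Kit: it compares two configuration snapshots against a hardening baseline and reports every setting that met the baseline before the patch and does not afterwards. The setting names, the baseline and both snapshots are constructed for illustration and are not the real IIS metabase schema.

```python
"""Detect hardening regressions introduced by a patch or tool run.

Compare a configuration snapshot taken before a patch with one taken
after it, against a hardening baseline, and report each setting that was
compliant before and is not compliant afterwards.  The setting names and
snapshots are constructed for illustration; they are not the real IIS
metabase schema.
"""
from dataclasses import dataclass

# Hypothetical hardening baseline: setting -> value the hardened host must have.
HARDENING_BASELINE = {
    "iis.sample_apps_installed": "false",
    "iis.script_map.ida": "removed",      # Index Server ISAPI mapping (Code Red vector)
    "iis.script_map.printer": "removed",
    "iis.anonymous_user_can_execute": "false",
    "iis.parent_paths_enabled": "false",
    "iis.directory_browsing": "false",
}


def parse_snapshot(text):
    """Parse 'key = value' lines into a dict. '#' starts a comment; blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed snapshot line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


@dataclass(frozen=True)
class Regression:
    setting: str
    required: str
    before: str
    after: str


def find_regressions(baseline, before, after):
    """Settings that met the baseline before the patch and do not afterwards.

    A setting missing from the post-patch snapshot is reported as '<absent>':
    the tool may have reset it to a product default we can no longer see.
    """
    regressions = []
    for setting, required in baseline.items():
        was_ok = before.get(setting) == required
        now = after.get(setting, "<absent>")
        if was_ok and now != required:
            regressions.append(Regression(setting, required, before[setting], now))
    return regressions


def still_noncompliant(baseline, after):
    """Every setting that fails the baseline after the patch, regardless of prior state."""
    return sorted(s for s, v in baseline.items() if after.get(s) != v)


# Constructed snapshots of a hardened (non-default) host.
PRE_PATCH = """
iis.sample_apps_installed = false
iis.script_map.ida = removed
iis.script_map.printer = removed
iis.anonymous_user_can_execute = false
iis.parent_paths_enabled = false
iis.directory_browsing = true   # already out of policy before the patch
"""

# Constructed post-patch snapshot: the tool re-enabled samples and the
# .ida mapping and dropped the parent-paths setting entirely.
POST_PATCH = """
iis.sample_apps_installed = true
iis.script_map.ida = enabled
iis.script_map.printer = removed
iis.anonymous_user_can_execute = false
iis.directory_browsing = true
"""


def demo():
    before = parse_snapshot(PRE_PATCH)
    after = parse_snapshot(POST_PATCH)
    regressions = find_regressions(HARDENING_BASELINE, before, after)
    for r in regressions:
        print(f"REGRESSED {r.setting}: {r.before} -> {r.after} (required {r.required})")
    for s in still_noncompliant(HARDENING_BASELINE, after):
        print(f"NONCOMPLIANT {s}")
    return regressions


if __name__ == "__main__":
    demo()
```

Take the first snapshot before the patch or tool runs and the second immediately after; anything in the regression list is a hardening step the patch undid and must be reapplied before the host goes back into service. The `still_noncompliant` list is the broader audit, and is what catches the settings that were never right to begin with.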

Microsoft has a major chance next year to convince IT executives security is of paramount concern when the company ships Windows .Net Server. The server will include patch and security management features. Also, IIS will not install by default and will only install after an administrator has walked through a series of questions about setup and intended use.

But most important, the server is the first product developed under Microsoft's Secure Windows Initiative. The initiative was launched early last year and is designed to make security a focal point for all its internal product development.

"We have seen Microsoft spend a lot of money on educating its developers on preventing bugs in code," says John Pescatore, an analyst with Gartner. "Our projection is that if Microsoft sticks to its Secure Windows Initiative that by 2005 the server [operating system] will be more secure and have fewer bugs than the industry average as defined by Solaris, AIX and HP-UX." However, Pescatore says, the two major stumbling blocks will be if Microsoft softens its tough security stance or if it fails to change the development culture within its ranks.

Culp says Microsoft will not waver on security. "Security is key for .Net and key for the industry in general," he says.

Related Links

Contact Senior Editor John Fontana

Other recent articles by Fontana

"It's Time to End Information Anarchy" (Scott Culp's paper)
