Search /
Advanced search  |  Help  |  Site map
Click for Layer 8! No, really, click NOW!
Networking for Small Business
Heartbleed bug is irritating McAfee, Symantec, Kaspersky Lab
Server makers rushing out Heartbleed patches
6 Social Media Mistakes That Will Kill Your Career
4 Qualities to Look for in a Data Scientist
Big bucks going to universities to solve pressing cybersecurity issues
Mozilla appoints former marketing head to interim CEO
Box patches Heartbleed flaw in its cloud storage systems
Obama administration backs disclosing software vulnerabilities in most cases
6 Amazing Advances in Cloud Technology
Collaboration 2.0: Old meets new
Data breaches nail more US Internet users, regulation support rises
With a Wi-Fi cloud service, Ruckus aims to help hotspot owners make money
How to get Windows Phone 8.1 today
Secure browsers offer alternatives to Chrome, IE and Firefox
10 Big Data startups to watch
Big data drives 47% growth for top 50 public cloud companies
Here are the options with Heartbleed-flawed networking gear (Hint: there aren't many)
Akamai admits its OpenSSL patch was faulty, reissues keys
Second Google Glass user attacked in San Francisco in two months
Microsoft puts the squeeze on Windows to shoehorn it into 16GB devices
An unnecessary path to tech: A Bachelor's degree
Heartbleed Bug hits at heart of many Cisco, Juniper products
iPhone 6 rumor rollup for the week ending April 11

Microsoft stumbles on road to security

Recent bugs derail faith in software maker's ongoing initiatives.

Related linksToday's breaking news
Send to a friendFeedback

MOUNTAIN VIEW, CALIF. - Despite what appear to be its best intentions, Microsoft is again stumbling as it tries to convince network executives it is serious about security.

Last week, at its Trusted Computing Conference, the company made itself a lightning rod in an old debate over the responsible disclosure of code used to exploit holes in software. At the conference, Microsoft and a group including @stake, Guardent and Internet Security Systems drafted a proposal for an industrywide code of conduct to ensure security vulnerabilities, such as worms and viruses, are reported responsibly and end users are safeguarded promptly.

But critics lashed out, writing a competing proposal and saying Microsoft was hijacking the disclosure issue to divert attention from its own security problems.

Security has been a touchy subject lately for Microsoft. Two weeks ago, a cornerstone of its .Net strategy, the Passport authentication service, was found to have a flaw that could expose credit card numbers. A week before, Microsoft issued a "critical" patch for Windows XP on the day the software was released. Microsoft also recently has suffered through the Code Red and Nimda attacks on its Web server software, Internet Information Server (IIS) and its Outlook e-mail client. And to add insult to injury, some security patches Microsoft has issued recently have caused systems to crash or be reconfigured in such a way as to expose other security vulnerabilities (read columnist Mark Gibbs' take on Microsoft's latest security proposal, as well as Scott Bradner's take on Passport).

Ironically, the scramble to patch and repatch is coming in the wake of last month's launch of Microsoft's Strategic Technology Protection Program, the latest in its line of highly hyped security programs to showcase Microsoft's commitment to secure software.

"Right now Microsoft is in a big hole and is trying to find its way out," says Edward Livengood, information security analyst for a midsized bank in the Midwest.

Try as it might, progress seems to be elusive, as exemplified at last week's conference. There, Microsoft led the charge to develop a standard for evaluating, fixing and disclosing security vulnerabilities, but it quickly found critics. The discussion hinged on a white paper by Scott Culp, manager of the Microsoft Security Response Center, which called on the security community to stop full disclosure of exploit code, the recipe for developing worms and viruses. Culp criticized the practice, saying security vulnerabilities should be discussed but in a "smart, prudent and responsible" way. Culp said so-called "script kiddies" use the code to attack servers and e-mail systems.

But critics say that Microsoft was trying to divert attention from its most recent problems and that full disclosure of exploit code can help IT executives and others fully understand vulnerabilities.

"This discussion was an ambush. No one was given time to devise a response," says Russ Cooper, editor of the NT BugTraq Web site and the surgeon general for TruSecure. "The talk is not about responsible disclosure, we are talking about public risk." Cooper responded by proposing the creation of the Responsible Disclosure Forum to govern disclosure practices.

"The industry has been talking about [full disclosure] for 10 years. Now it's time to come up with a solution for the industry," Culp said.

Security flaws that are tearing at the company's strategic plans fuel cynicism toward Microsoft's motives.

The hole discovered in Passport last week was a major blow to Microsoft's .Net initiative, which lays out an interconnected computing environment that runs over the Internet. Microsoft must convince IT executives it has a secure platform before .Net can take off, and Microsoft is touting Passport as .Net's universal authentication mechanism.

"Passport scares me to no end," says Robert Dennis, network administrator for an apparel manufacturer. "The recent vulnerability has retarded our development of .Net until there are security initiatives in place with Microsoft that show our intellectual property will not be at risk."

Microsoft is working on those initiatives. Last month, in response to the Code Red and Nimda worms, it launched its Strategic Technology Protection Program. The program is designed so IT executives can ensure that their servers are secure.

But again, the process ran into snags. The Security Tool Kit CD distributed as part of the program changed configurations of some users' IIS systems and reopened vulnerabilities.

"It runs perfectly on a default install of IIS, but who has a default install?" TruSecure's Cooper asks.

Microsoft has a major chance next year to convince IT executives security is of paramount concern when the company ships Windows.Net Server. The server will include patch and security management features. Also, IIS will not install by default and will only install after an administrator has walked through a series of questions about setup and intended use.

But most important, the server is the first product developed under Microsoft's Secure Windows Initiative. The initiative was launched early last year and is designed to make security a focal point for all its internal product development.

"We have seen Microsoft spend a lot of money on educating its developers on preventing bugs in code," says John Pescatore, an analyst with Gartner. "Our projection is that if Microsoft sticks to its Secure Windows Initiative that by 2005 the server [operating system] will be more secure and have less bugs than the industry average as defined by Solaris, AIX and HP-UX." However, Pescatore says, the two major stumbling blocks will be if Microsoft switches its tough security stance or if it fails to change the development culture within its ranks.

Culp says Microsoft will not waver on security."Security is key for .Net and key for the industry in general," he says.

Related Links

Contact Senior Editor John Fontana

Other recent articles by Fontana

It's Time to End Information Anarchy
Culp's paper.

Error 404--Not Found

Error 404--Not Found

From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:

10.4.5 404 Not Found

The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.

If the server does not wish to make this information available to the client, the status code 403 (Forbidden) can be used instead. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address.

NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.