[thelist] FYI - Plug this MS Application Hole

Ken Schaefer ken at adOpenStatic.com
Wed Sep 3 23:58:32 CDT 2003


Bruce,

Over the next couple of years you will start to see major changes in the way
that Microsoft ships products. A lot of products will be a lot more secure,
there will be a lot more published at release time showing how to secure a
product, and the default options will be such that hardly anything will work
unless you explicitly turn it on.

Additionally, the actual underlying language used to program a lot of MS
products will change from what's currently being used, to managed .Net
languages, avoiding a lot of the problems that we have at the moment.

None of this is going to happen instantaneously - there's a lot of legacy
code, and a lot of legacy apps built on top of that legacy code. But things
will happen. Having recently attended TechEd, it has been pleasantly
surprising to see the amount of work that has been done. If you use SQL
Server, and have a look at the post-SP3 Books Online, you will see that a
vast number of changes have been made - all the code samples have been
reviewed, all the permissions on sprocs have been changed. If you look
at Windows 2003, the number of remote exploits in the past 4.5 months has
been 2 (well, 1 until yesterday).

If you look at the number of whitepapers, and prescriptive architecture
solutions that MS is now putting out (both for its own internal developers,
and for external users) you will see a vast improvement in what's available.
Not only in the quality, but also the timeliness of release. For example,
ASP.Net developers can access Building Secure ASP.Net applications, for
free:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

Check out the rest of the Patterns and Practices site here:
http://www.microsoft.com/resources/practices/

I honestly believe that Microsoft now thinks that it's important that its
products be more secure. Not necessarily because security is good. But
because customers are starting to demand it.

Cheers
Ken


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "bruce" <bedouglas at earthlink.net>
Subject: RE: [thelist] FYI - Plug this MS Application Hole


: Actually...
:
: I tend to believe it will end if/when a serious class action suit hits msoft
: for their lousy attempts at security. I've had to spend God only knows how
: many hours over the past 3-4 years dealing with my systems and
: patching/protecting/etc.... Not because I had very many issues, but because
: others didn't bother to secure their systems, and why would they!
:
: I'd be willing to bet that there has probably been more the $4-5 Billion
: spent dealing with msoft security issues, by people like me who spend 5-10
: hours here/there trying to deal with the security issues caused by msoft.
: the hours add up when you're talking rates of ~$50.00/hr... which is
: considerably less than i would normally get from my regular 8-5...
:
: If msoft had bothered to write a little/lot better code, as well as ship
: the IIS/FTP/etc. servers in a seriously tied down/closed state as the
: default... a good deal of pain could have been avoided. And while the msoft
: license might say I have no recourse to them regarding my own box, I'm
: willing to bet a serious class action directed towards them for actions from
: other boxes, would have a serious impact!!
:
: I'm also willing to bet that it would get past the first initial court
: hearings...
:
: peace...
:
: -Bruce
:
:
: -----Original Message-----
: From: thelist-bounces at lists.evolt.org
: [mailto:thelist-bounces at lists.evolt.org]On Behalf Of Ken Schaefer
: Sent: Wednesday, September 03, 2003 7:36 PM
: To: thelist at lists.evolt.org
: Subject: Re: [thelist] FYI - Plug this MS Application Hole
:
:
: It will never end: http://www.securityfocus.com/archive/1
: It doesn't matter what you run - it'll have bugs in it.
:
: Cheers
: Ken
