[thelist] FYI - Plug this MS Application Hole

Ken Schaefer ken at adOpenStatic.com
Thu Sep 4 09:17:36 CDT 2003


Here's my opinion:

a) Lots of older Microsoft products were conceived in an era where we didn't
have the ubiqutious connectivity that we now do. The corporate network was
not connected to the rest of the big, nasty, internet. So the concept of
defensive programming was not really high on anyone's agenda

b) 5 years ago, and 10 years ago, there was much more competition in the OS,
Office application (Word Perfact, Quatto Pro, Lotus 123) and collaboration
markets (Notes, Groupwise etc). Functionality was king (because that enabled
you to sell new versions), and security wasn't a concern. This was something
that afflicted all PC vendors, not just Microsoft. It's just that most of
the others died along the way.

c) Microsoft platforms are more widespread than others. Additionally,
Microsoft isn't viewed nicely in many communities. So, if you were going to
write a virus/trojan, would you target an obscure operating system like OS/2
Warp? or a widespread system like Windows NT/2000/XP? Especially if the
latter is made by one of the most unpopular software companies out there?

Certainly, there were lots of Solaris machines hit by the Sadmind worm that
went around last year. It's not as if a self-propogating trojan can't be
written for any other OS that has a non-trivial installation.

d) Personally, I don't think Linux, or MacOS is any more secure than Windows
because the "developers" need to go a step further. Plenty of *Nix software
has had plenty of security holes. <humour>Look at Sendmail</humour>.
Seriously, if you look at Bugtraq (link posted earlier), it's obvious that
there are huge numbers of exploits in huge numbers of products.

e) It is certainly possible to build secure apps using any major platform.
This year's eWeek (www.eWeek.com) openHack challenge pitted a Microsoft
solution (.net app, with Windows 2000 Server and SQL Server 2000) against an
Oracle/Red Hat solution. Both of which exhibited no non-trivial
vulnerabilities (which, IIRC, is a first). eWeek's site is throwing up a
bunch of 404s at the moment. How MS implemented their web app is detailed
here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/openhack.asp

f) In 5 years time, I don't think we're going to be having this discussion
(well, not in the same light). Microsoft's going to have a raft of products
that are going to be a lot more robust than what's available now. So will
every other major vendor. Even now you can, just, start to see the trend. If
you look at Windows 2003 Server, in the (approximately) 5 months that it's
been available, there's only been a single patch for a remote exploit (well,
two as of yesterday). Compare that to Windows 2000 Server, and Windows NT
Server before that, and the trend is looking good (for systems
administrators everywhere). However, not only are the products becoming more
robust, there are far better tools coming out to scan networks, and patch
networks automatically.

Now these are just my opinions :-) and worth exactly what you paid for them.
My background is in systems administration though (Windows, *Nix, and a bit
of Novell). I work in a large .edu (a Uni) environment, where we have *no*
organisational firewall whatsoever, so pretty much all our machines are
exposed to everything under the sun (unless you implement something for your
Unit or Faculty).

Cheers
Ken

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Sarah" <poohbear at designshift.com>
Subject: RE: [thelist] FYI - Plug this MS Application Hole


: Here's a question for those of you with a better understanding of security
: issues than I have. Do you think that Microsoft products have so many
: security problems because they develop sub-par products, or because the
: various flavours of Windows are the most commonly used OS, and therefore
: come under more attack by "crackers"? Or, is it possible that other
: software "distributors" (for lack of a better word), such as Apple or
: Linux, *need* to put in the extra effort to make their products more
: secure, simply in order to gain any kind of significant market share vs.
: Microsoft?
:
: (I hope this doesn't start a flame war, I am just looking for some
informed
: opinions on this subject.)



More information about the thelist mailing list