[ISN] You Call This Trustworthy Computing?

InfoSec News isn at c4i.org
Tue Feb 15 03:08:12 EST 2005


By John Foley 
Feb. 14, 2005 

When Bill Gates takes the stage at the RSA conference in San Francisco
this week, you can be sure he'll give an upbeat assessment of Windows
security. The pending acquisition of security vendor Sybari Software
Inc., disclosed last week, adds to a growing portfolio of products
that promise to batten down Windows networks. And, as he's done in the
past, Microsoft's chairman likely will detail other accomplishments
and forward-looking plans that portray a company delivering on his
3-year-old promise to make Windows environments "trustworthy."

It's a compelling message, except for one unavoidable fact: The
software patches just keep coming.

Microsoft last week issued a dozen security bulletins addressing 17
software vulnerabilities, tantamount to a shotgun blast of holes
through the company's product line. Nine bulletins, many graded
"critical" in importance, affect various versions of Windows. Others
address problems with Microsoft's .Net Framework, SharePoint Services,
Windows Media Player, MSN Messenger, Internet Explorer, and Office

Even Microsoft's most-secure operating system, Windows XP Service Pack
2, wasn't immune: More than half the bulletins involve SP2. To repair
all the vulnerabilities in all affected products would require more
than 60 patches on English-language computers alone. "It's an almost
endless list," says Kyle Ohme, director of IT with Freeze.com, a
Web-site operator that uses about four dozen Windows servers, some of
which are IBM blade servers, to offer screen savers to millions of
users each day.

By Microsoft's own account, the vulnerabilities leave its software
open to everything from buffer overruns to remote code execution. Just
one day after Microsoft posted the patches, someone released exploit
code to attack one of the vulnerabilities. "If we don't patch, we
definitely have the ability to be exploited relatively soon," Ohme

So Ohme and many IT professionals like him were busy last week
assessing, downloading, testing, and deploying Microsoft's latest
round of patches across their IT infrastructures. It's a process that
can take days or even weeks.

"For us, and the resources we have, it could [have been] a daunting
task to get all of those patches to all of our systems quickly
enough," says Daniel Hereford, data-security officer with First Bank
and Trust Co. In January, the bank began using a service from Qualys
Inc. to locate vulnerabilities and ensure that they're fixed, and now
it reacts more quickly to Microsoft's monthly security bulletins.  
"Ninety percent of our software-security issues are centered around
Windows," Hereford says.

Despite all the work involved, it's an improvement compared with
Windows security three years ago. In January 2002, following the Code
Red and Nimda virus attacks that hit many Microsoft customers hard,
Gates made "trustworthy computing" the company's top priority. Since
then, Microsoft has trained its programmers to write more-secure code,
established a predictable patch schedule, released more-secure
operating systems (Windows Server 2003 and Windows XP), and acquired
security products from other companies to fill gaps in its own line.  
"They've taken the right initiatives," Hereford says.

There's still much more to do, as last week's bug blast and Sybari
acquisition demonstrate. Key missing pieces are Windows Update
Services and Microsoft Update, both of which promise to help companies
roll out patches more quickly to Windows and other Microsoft products.  
Windows Update Services, which has been delayed twice, is in testing
now and scheduled for availability by midyear.

And, while Microsoft has acquired a variety of security companies and
products over the past two years--including GeCAD Software
(antivirus), Giant Company Software (spyware detection), and Pelican
Software (behavior-based security)--it hasn't shown how or when all
the pieces will fit together.

Microsoft security VP Mike Nash last week tried to clear up some of
the confusion. During a Webcast to discuss the newly issued patches
and the Sybari acquisition, Nash said Microsoft is "working hard" on
desktop antivirus software that's based on the GeCAD antivirus
scanning engine. That software will be tweaked to work with the Sybari
products this year. The Sybari acquisition is expected to close by
midyear, pending regulatory approval (see story, All For One:  
Microsoft Ups Its Security Software Tools [1]).

Nash acknowledged it's important that customers be able to manage
Microsoft's security tools together. "We do think that there needs to
be a management capability to allow enterprises to both control and
monitor their security technologies like anti-spam and antivirus," he
said. "We're currently working through specific requirements."

There appears to be a ready market for security products that come
directly from Microsoft. Last month, the company released a test
version of the Giant Software tool, now called Windows AntiSpyware,
and it's already been downloaded more than 5 million times. The
product will go through at least one more test before release, Nash
says. However, there's a problem: Windows AntiSpyware itself has
become the target of virus writers. Malicious code aimed at the
product attempts to suppress warning messages it displays and to
delete all files within the program's folder. "This is the beginning
of a wave of attempts to undermine the effectiveness of this new
product," predicts Gregg Mastoras, senior security analyst with
security software company Sophos plc.

Microsoft officials insist things are moving in the right direction,
pointing out that Windows Server 2003 has had half as many security
bulletins as Windows 2000 Server over the same period, that the number
of annual security bulletins is on a downward trend, and that there's
a sharp increase in usage of its software-update services. Last week,
the company released a test version of Windows Server 2003 Service
Pack 1, which promises improved security. "We have made progress
toward our goals," writes a company spokeswoman, "but there is still a
lot of work to be done."

That includes delivering a more bulletproof version of Windows. "They
still haven't shipped a desktop operating system that was designed and
coded after they started caring about security," says Gartner analyst
John Pescatore via E-mail. The next-generation of Windows, code-named
Longhorn, is due next year. Among other other security advances,
Longhorn is expected to minimize situations in which PC users have
administrative privileges, leaving systems more open to attack.

Many customers credit Microsoft with making progress. "Microsoft is
absolutely stepping up to the challenge," says Jason Stefanich,
client-server engineering manager with Dow Corning Corp., where
high-priority patches are usually completed within a day.

Even so, Dow Corning is using a product from Ardence Inc. that moves
the operating system off desktop PCs and onto servers, in part to
provide better security and more manageable updates. And while the
manufacturer uses Windows XP to drive those PCs, it hasn't yet
upgraded to Service Pack 2, which Microsoft bills as its most-secure
desktop environment. "It breaks a lot of [applications]. We can't have
8,000 people calling our help desk with issues," Stefanich says.  
"Microsoft missed the boat with SP2."

So it goes. Microsoft customers are getting better at securing their
Windows environments, partly because Microsoft is providing tools to
help, but also through increased attention to internal processes, use
of third-party products, and new tactics. Freeze has placed Windows'
Internet Information Services, a favorite target of hackers, behind a
firewall. Instead, its Windows-based Web servers run open-source
Apache software.

No one is calling Windows security easy. "It's a big pain," says an IT
manager with an East Coast manufacturing company who manages about 200
PCs. "It's not something we feel is under our control." The company is
contemplating a move to Microsoft's Systems Management Server to
automate software updates. How are those done now? Manually, one
computer at a time.

Microsoft remains focused on making things better, says the
spokeswoman. "Ultimately, what matters is not what we say, but what we
do," she says. When Bill Gates talks this week, that's something to

-- With George V. Hulme and TechWeb's Gregg Keizer

[1] http://www.informationweek.com/story/showArticle.jhtml?articleID=60400364

More information about the ISN mailing list