Microsoft vs. Computer Security
Why the software giant still can't get it right.
By Adam L. Penenberg
Posted Monday, Jan. 9, 2006, at 1:10 PM ET
http://www.slate.com/id/2133993/
Four years ago, Bill Gates dispatched a companywide e-mail promising that
security and privacy would be Microsoft's top priorities. Gates urged that
new design approaches must "dramatically reduce" the number of
security-related issues as well as make fixes easier to administer.
"Eventually," he added, "our software should be so fundamentally secure that
customers never even worry about it."
Microsoft customers haven't stopped worrying. A year later, Windows was hit
with several nasty worms, including Slammer, Sobig, and Blaster. The viruses
caused major traffic bottlenecks throughout the world, which cost tens of
billions of dollars to clean up. Vulnerabilities deemed "critical" have
forced the company to release an almost unending stream of patches and fixes
to the Windows operating system, Microsoft Office, and Internet Explorer.
Just last week, another problem reared its heada security hole that could
allow Windows users to become infected with adware, spyware, or viruses by
simply viewing an e-mail, instant message, or Web page. When Microsoft
dragged its heels on issuing a patch, the SANS Institute, an organization
that tracks security threats, took the extraordinary step of recommending
that users download an unofficial patch developed by a Russian programmer.
(Microsoft had planned to release its fix on Jan. 10, but ultimately bowed
to pressure and issued it five days earlier.)
With the company's security problems still monopolizing the news, you might
have expected that Bill Gates would address the vulnerability at the
Consumer Electronics Show in Las Vegas. Instead, he boasted how Microsoft's
new operating system, Vista, would extend the company's tendrils into your
living room. Sure, it might be nice to connect your computer and your
television set. But is it worth it to give hackers access to your
television?
SANS' list of the Top 20 most threatening security vulnerabilities includes
products from Oracle, Apple, Cisco, Mozilla, and even anti-virus software
vendors. But Microsoft is still the dominatrix of the desktop and runs about
90 percent of the world's computers, making it the biggest target for
hackers, crackers, pirates, and thieves. Microsoft's security problems run
much deeper than just being the most popular, though, and that is why many
computer security pros despise Microsoft.
While the company claims that Vista will be more secure against hack
attacks, the computer security professionals I talked to are skeptical. "We
hear this each and every time Microsoft comes out with a new operating
system," says Brian Martin, an independent computer security consultant. "It
is still built on the same legacy code, it is still written without adhering
to secure coding practices, it is still thrown to the masses without
adequate security testing."
Richard Forno, a principal consultant for KRvW Associates and a former
senior security analyst for the House of Representatives, believes that
Microsoft is a threat to national security. The White House, Congress, and
Department of Defense all run Windows and send and receive e-mail on MS
Exchange Serverexploitable Microsoft products that offer a "target-rich
environment for malicious code."
Case in point: buffer overflow attacks, a popular technique for exploiting
Microsoft products. By flooding a program with too much data, a hacker can
track and manipulate the overflow and trick the system into following his
instructions as if he were the system administrator. The technique has been
known for decades, yet Microsoft still hasn't come up with a way to defend
against it. Although Oracle, Linux, UNIX, and even Apple iTunes have fallen
prey to buffer overflow attacks, the number that have afflicted Microsoft
products far outstrips them.
Buffer-overflow vulnerabilities are simply programming errors; they occur
when coders fail to deploy proper memory-management techniques. When
Microsoft shipped XP and its 50 million lines of code in 2001, it claimed it
was the most secure operating system it had ever developed and that the
company had paid special attention to buffer overflows. Within two months,
researchers at eEye Digital Security found a hole in the code that left it
vulnerable to buffer overflowsand the operating system has been plagued
with these holes ever since.
Security consultant A.J. Reznor points out that every major worm other than
the original Morris Worm from 1988 has leveraged a hole in Microsoft
products. Reznor refuses to work with Microsoft products but still actively
loathes the company because his network becomes "saturated with crap flying
out of [Windows] machines." Spammers route their junk through MS machines
infected with a trojana harmful computer program disguised as an innocuous
onethat turns these machines into "zombies." "Even if we don't use them, we
suffer from them," he says. "Kind of like secondhand smoke."
Microsoft's security problems are only going to get worse. The company
designs its products to work together, creating a Microsoft monoculture.
Because there are so many shared paths from Internet Explorer, Outlook, and
Windows Media Player into the operating system, if you exploit one, you
exploit them all. Vista promises to continue this consolidation by making
the operating system the glue that connects users to their PCs, televisions,
PDAs, and portable music and video players.
What can you do to protect yourself? Besides avoiding Microsoft products,
one way would be to use substitutes whenever possible. If you run Windows or
the upcoming Vista, use a different e-mail program, browser, and/or media
player than the ones that come in the box. Stay up to date on patches and
anti-virus software. And the next time Bill G. promises to make software
that is so fundamentally secure that customers never have to worry about it,
ask him what decade he plans to release it.
Adam L. Penenberg is an assistant professor at New York University and
assistant director of the business and economic reporting program in the
school's department of journalism. You can e-mail him at
[EMAIL PROTECTED]
You are a subscribed member of the infowarrior list. Visit
www.infowarrior.org for list information or to unsubscribe. This message
may be redistributed freely in its entirety. Any and all copyrights
appearing in list messages are maintained by their respective owners.
