
Commentary: Microsoft's security woes

The "donut" virus has been called the first .Net virus, and it has revealed that the company faces continued security problems, even with its relatively new .Net technology.

By David Smith, Gartner Analyst

The "donut" virus has been called the first .Net virus. Written by a 19-year-old Czech hacker, it has revealed that Microsoft faces continued security problems, even with its relatively new .Net technology.

This latest security problem is actually the repackaging of an already known Windows vulnerability. An enterprising hacker was able to augment a native Windows assembler code virus with the Microsoft Intermediate Language (MSIL)--the intermediate code used by the .Net Framework. The virus is able to execute under versions of Windows previous to Windows XP due to backward-compatibility features. On Windows XP, MSIL implementation details correctly prevent execution of the virus.

It is not a Web services virus because it doesn't propagate through any Web service interface vulnerabilities. The reporting by the press that it is a .Net virus or a Web services virus likely results from the .Net moniker being closely associated with Web services and general confusion regarding the term .Net.

Like Java, the .Net Framework has been engineered to deal with security issues like buffer overruns through its managed code concepts, such as type safety enforcement. However, as with all first-generation software and with the continued requirements for backward compatibility, this virus will likely not be the last vulnerability associated with .Net. Because the term .Net is quite vague, confusion over what constitutes a .Net vulnerability will continue. Customers, however, will not care which piece of software is vulnerable--just that a vulnerability exists.

As Microsoft and other software vendors have learned, plenty of savvy attackers can find weak spots in computer software and break into the more than 50 million computers exposed to the Internet today.

Gartner repeats its advice that companies should elevate security as an evaluation criterion when deciding about major platform procurements or upgrades. Without market pressure on software vendors to provide more-secure products, companies and consumers alike will remain in a vicious cycle of hacks, patches and more hacks.

Microsoft has made some progress with managed code under .Net, but security once again has proven only as strong as its weakest link.

(For a related commentary on a recent security problem with Windows XP, see gartner.com.)

Entire contents, Copyright © 2002 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.