Microsoft tries to cage security gremlins

The software giant meets with security experts in the midst of widespread criticism over serious software flaws and the company's attempts to rein in hackers.

Robert Lemos, Staff Writer, CNET News.com, covers viruses, worms and other security threats.
Microsoft's security response center must be feeling a little punch-drunk these days.

After the one-two combination of the Code Red and Nimda worms that targeted the company's server and PC software this past summer, the titan announced an initiative in early October to promote security-savvy administration among its partners.

However, almost every week since it announced its Strategic Technology Protection Program, a new security flaw has cropped up. In the past few weeks, holes have been found in Excel and PowerPoint and a new system for protecting music content. A major security patch was issued for Windows XP, and the company had to shut down part of its Passport service to fix a set of flaws in the technology that Microsoft hopes will become the foundation of its .Net initiative.

The company will have to do some fancy footwork to quell concerns of its .Net partners and current customers, said John Pescatore, an analyst with research firm Gartner. The .Net initiative is Microsoft's overarching plan for ubiquitous online services.

"Microsoft realizes that they have to be perceived as a more secure company if .Net is ever going to be a success," Pescatore said.

In a column following the outbreaks of the Code Red and Nimda worms, the analyst urged companies hit by both attacks to consider alternatives to Microsoft's Internet Information Server (IIS) software.

This week, Microsoft will meet with security experts, privacy advocates and policy-makers at its Trusted Computing Conference in Mountain View, Calif.

The meeting of the minds in the security world will give the software giant a chance to renew its push to rewrite the ground rules for disclosing information about vulnerabilities. The company wants to see fewer details in the independent advisories that illuminate the holes in its products; getting its way could give Microsoft a bit of breathing room to respond to the flaws before malicious hackers target its customers.

That could also help the company regain some of the credibility lost in the recent security compromises.

In a recent essay, Scott Culp, program manager for Microsoft's security response center, lambasted researchers and hackers who provide snippets of program code to illustrate how a particular vulnerability can be taken advantage of. Known as exploit code, the partial programs usually make it easier to develop hacking tools and worms that attack computers using a specific vulnerability.

"It's high time the security community stopped providing blueprints for building these weapons," he wrote in the essay.

Many believe that is what happened in July, when more than 360,000 computers running Microsoft's Web server software fell prey to the Code Red worm, a program that took advantage of a vulnerability known as the printing ISAPI flaw. The company that found the flaw, eEye Digital Security, worked with Microsoft to create a fix, but, in its advisory, it also publicized details about the exploitation of the vulnerability.

Consensus or concealment?
Microsoft's aim is to curtail hackers' access to such details.

"For its part, Microsoft will be working with other industry leaders over the course of the coming months to build an industrywide consensus on this issue," Culp wrote.

Yet others worry that Microsoft's main motive is to dial down its own public-relations disasters.

"This conference is an ambush to push through Microsoft's beliefs on limited disclosure to make it seem to be endorsed, when the larger community hasn't even seen any details," said Russ Cooper, research director with security firm TruSecure.

In the latest security faux pas, Microsoft released an update for Windows XP that included, by Cooper's count, five security fixes, but the company has issued advisories on only two.

"They promised more information to people about how to become secure and stay secure, but what do we get? They keep ignoring the consumer," he said.

Electronic rights activists, worried about what .Net might mean for privacy, aren't comforted by the knowledge that the giant has yet to prove it can secure its systems.

Last week, a software engineer demonstrated a way to use several flaws in the company's Passport authentication system--the key to security for .Net.

"The security lapses further support our claims that Microsoft's guarantees of privacy and security are deceptive and unfair to consumers," Marc Rotenberg, director of the Electronic Privacy Information Center, wrote in a letter to the Federal Trade Commission.

"Further, Microsoft's failure to disclose the actual risks associated with the collection and use of personal information in the Passport service constitutes an unfair and deceptive trade practice."