Microsoft's security push lacks oomph

The company's initiatives haven't prevented major flaws in Windows XP or Internet Explorer. Though Microsoft says it's working hard to close the holes, security experts are irked.

Robert Lemos, Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.
Microsoft's security initiatives and the release of the company's "most secure operating system yet" haven't quashed myriad holes that security experts say put customers in harm's way.

Although the software titan has been touting the need for security through its Secure Windows Initiative, the recent revelation of a severe flaw in the company's flagship Windows XP operating system--combined with the discoveries of several recent Internet Explorer browser holes--has left security experts questioning whether Microsoft can fully lock down its products.

"It's not about security mechanisms and initiatives, but in the end how secure the code is," said Marc Maiffret, chief hacking officer with eEye Digital Security, the Aliso Viejo, Calif., company that found the hole in Windows XP. If left unchecked, that hole could let hackers take over a computer user's PC remotely. Microsoft itself deemed the flaw "critical" for desktop PC users.

Steve Lipner, director of security assurance for Microsoft, said the company is working hard to close the holes, but that security is an evolutionary process. "It is so hard to predict what will happen on that score," Lipner said. "But our objective is to drive the number of (security) bulletins to zero."

Still, the Redmond, Wash.-based giant has had difficulty keeping code hackers from ferreting out flaws in its products.

In the past two months, for example, more than half a dozen security problems have been found with the latest version of Internet Explorer. The most recent: Almost three weeks ago, a 31-year-old Austin, Texas-based security researcher revealed a bug in IE 6. The bug could let an attacker send an HTML e-mail, which in turn could steal cookies, allow access to files, or direct the victim to a false Web site that, to the average person, would be almost indistinguishable from the real thing.

The researcher, who asked to be identified by his online handle, ThePull, said an attacker who could fool a victim into clicking a simple Web link in e-mail could make off with the victim's digital keys to, say, any online account that has its log-in information saved as a cookie.

Microsoft has refused to comment on the latest IE issue, and no patch had been issued as of Thursday evening. That has many security pros, including Maiffret, irked.

"Right now, there is a known vulnerability and there is no way to turn it off," he said. "To leave everyone wide open is like Ford Motor knowing that their car's tires are bad and not saying anything."

Microsoft's Lipner said the company's policy is not to discuss such issues while they are under investigation.

"We always monitor mailing lists and so forth to see if the vulnerability is being used to harm customers," Lipner said, "but until then we believe it is best to wait."

The bigger they are...
Microsoft is a natural target for code hackers because of its dominant position in the industry. Such security problems, though, have become a black eye for the company because of its multibillion-dollar bet on its overarching .Net initiative, a set of software technologies designed to deliver services easily and securely over the Internet.

Security experts fear that e-business could suffer if .Net becomes successful and is not adequately secured. In fact, antivirus companies just this week received a copy of the first virus capable of infecting files based on Microsoft's .Net Intermediate Language, or MSIL.

Gartner analyst David Smith says because the term .Net is quite vague, confusion over what constitutes a .Net vulnerability will continue.

"You can say you have a firewall and white papers that show how secure the technology is, but that still doesn't matter if you still have buffer overflows in your code," Maiffret said.

Other researchers drew parallels between Microsoft's current silence and the nearly two months the company stayed mum on the flaws in Windows XP. Those flaws could be triggered through Universal Plug and Play, a networking protocol integrated into Windows XP that lets devices recognize each other automatically.

"Microsoft treats security bulletins as PR problems," said Bruce Schneier, chief technology officer of network protection company Counterpane Internet Security. "If Microsoft had its way and there was bug secrecy, we wouldn't know that any of this happened."

Chris Wysopal, director of research and development for security company @Stake, argued that an early warning can sometimes actually hurt security, tipping off malicious attackers to the vulnerability.

Still, Wysopal said, with the Plug and Play incident, Microsoft could have told customers to just turn off the function if they weren't using it.

"It does make sense to warn people up front that they can take actions now," Wysopal said. "I would like to see people not rely on patches so much. I was disappointed with the FBI's retraction (after they) proposed a solution that did not require a patch."

The FBI released an advisory Dec. 21 outlining how people could turn off Universal Plug and Play, but the agency later partially retracted the advisory and recommended that Microsoft's patch be installed instead.

"There are all these vendors that are writing products that rely on UPnP," said Russ Cooper, editor of NTBugTraq and a security researcher with technology company TruSecure. "So would Microsoft want to tell their users to turn it off? No."

Other researchers echoed the concern over the Universal Plug and Play standard, saying that security never had been a primary concern for the technology.

"UPnP just has to work; it doesn't have to be good," said Counterpane's Schneier.

However, Microsoft's Lipner said the vulnerability in the Universal Plug and Play component of Windows XP is fairly complex and of a type that hasn't been recognized by the code-auditing tools the software giant uses to detect software bugs.

"There is nobody who is more disappointed than I am when one of these vulnerabilities is found," Lipner said. "But at the same time, I don't think two or three months' experience with a new product is a statistical sample to say what we have done and have not done."

Improving security is not a quick process, but it is happening, Lipner said. Last June, a new kind of buffer overflow in the company's Index server software led to a proliferation of the Code Red worm. Now Microsoft's auditing software is designed to detect such a problem.

"We have to continue doing this," Lipner said, "finding new security problems and fixing them before the product ships--and, unfortunately, after the product ships."

Measured by the number of security bulletins the company has released, Microsoft's progress in security is mixed. In 1999, the company issued 60 security advisories, followed by a whopping 100 in 2000. That fell back to 60 last year.

Lipner said the company would continue to analyze every problem to help eliminate flaws in future products.

"In 2004," Lipner said, "if we only have one advisory, you know we will be doing analysis on that flaw to make sure we catch it the next time around."