Information Security News mailing list archives

RE: Microsoft developers feel Windows pain


From: InfoSec News <isn () c4i org>
Date: Mon, 11 Feb 2002 01:49:03 -0600 (CST)

Forwarded from: Marc Maiffret <marc () eeye com>

| -----Original Message-----
| From: owner-isn () attrition org 
| [mailto:owner-isn () attrition org] On Behalf Of InfoSec News
| Sent: Thursday, February 07, 2002 10:50 PM
| To: isn () attrition org
| Subject: [ISN] Microsoft developers feel Windows pain 
| 
| http://news.com.com/2100-1001-832048.html
<snip>
| Microsoft's security-assurance group has become the software 
| giant's taskmaster for the next month.
<snip>
| The goal is to make an everyday user's computer secure by 
| default, he said. "Not everyone needs IIS (Microsoft's Web 
| server) by default," he said. "Not everyone uses Index Server 
| by default. So today, those features are turned off by default."

This same speech was given for XP before it was released. However,
Windows XP home/pro were actually running more SYSTEM level services
by default than any other MS OS ever. But... Maybe this next time
around they will really stick to their word.

| Code modified by the new security initiative will be 
| incorporated into Windows .Net Server when it ships, and into 
| Windows XP via Service Pack 1, Howard said.

So widely deployed Windows 2000 is not going to get any security
loving? Only if the IT world drops win2k and goes to XP will they
actually (hopefully) have an MS OS that has actually been made with
security in mind?
 
| Microsoft hopes the consistent mantra of "security, security, 
| security" will push developers--both inside and outside the 
| company--to build security into their products, eliminating 
| the need to repeat the monthlong review.

What is this idea of a month long review? Are executives within MS
seriously being misled to believe they can truly perform a _GOOD_
security audit of XP and .NET within a month? This sounds great for
the press (the idea that Microsoft is dropping everything), about as
great as Oracle's off-the-wall unbreakable campaign. Maybe if MS said
they were going to drop everything for 6 months... Then they'd
actually show they were putting the needed time into it. A month will
amount to nothing. Half of that month will be just getting the
corporate political BS out of the way. So maybe you'll have two weeks
in the end of real technical work being done beyond policies that
amount to little or nothing.

<snip>

| "It's going to be difficult," said Mary Ann Davidson, chief 
| security officer for database maker Oracle. "It is a good 
| thing they are doing this, and it will be good for the 
| industry. But directing corporate culture of any nature is 
| like turning a battleship."

Why would anyone interview Oracle to counterpoint Microsoft security?
Oracle obviously has been shown to understand security a lot less than
most software vendors.

I will repeat myself again... The day that Microsoft, or any major
software vendor, starts releasing security bulletins on flaws, that
they researched, within their own software... That is the day these
software vendors will show they are being proactive about security.
Until then this is all still talk and large PR departments at work.
No, service packs every 8 months with hidden fixes are not being
proactive.

Security is not a social problem, it's a technical one and it requires
technical solutions. OpenBSD is a good example of a development team
that does actively research vulnerabilities within their software and
releases patches for those vulnerabilities. If only these billion
dollar companies could take the time to learn something from the
little guys they'd see security is not a hard thing to achieve.

Signed,

Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner 
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities 

ISN is currently hosted by Attrition.org