Microsoft gets serious about security

by Preston Gralla

Microsoft just announced its security bulletins for March, and there was a critical Outlook vulnerability, a problem with MSN Messenger, and trouble with Microsoft Windows Media Services in Windows 2000. Nothing truly earth-shaking.




The very ordinariness of the announcement shows that Microsoft has gotten its once-chaotic responses to security issues under control. In fact, despite criticisms lobbed at the company by many, it really has gotten religion when it comes to security. Is it perfect? No. At times, it releases ill-tested patches and updates. I, for one, have gotten into the habit of waiting a week after it releases any patch or security update, to see whether widespread problems with it are reported.



But the regularity of its monthly security announcements like this one, and its quick response to security dangers, show that Microsoft means business when it comes to security.



It's easy to criticize Microsoft in this; after all, almost all of the worms and viruses set loose affect Microsoft products. But that's not because Windows is inherently more insecure than other operating systems. Willie Sutton, the well-known bank robber, was said to have once been asked why he robbed banks. His alleged answer: "Because that's where the money is." The same thing holds true for why worm-writers and malware authors target Windows - that's where the users are. When it comes to security, Microsoft has been the victim of its own success.



So I'll be downloading the latest security patches in about a week. It'll be a mundane act, but one that reflects that despite complaints to the contrary, Microsoft has gotten serious about security.



Do you think Microsoft has gotten serious about security? Let me know either way.


12 Comments

spaceman
2004-03-10 13:15:37
What's your IP address?
Just kidding.
jinjelsnaps
2004-03-10 13:43:53
Thank God!
"But that's not because Windows is inherently more insecure than other operating systems."


Thank God someone else said that! I've always thought the same thing, but according to any Linux / Mac zealot that's not the case...but maybe that's just them being weird.

tlaurenzo
2004-03-10 15:45:09
Really?
Actually I would take issue with Windows being less secure than some other solutions. There are a number of reasons for this, some of which reflect poorly on Microsoft's past decisions, and others which are just a matter of having to support security-hole-ridden legacy clients and protocols until the end of time (I mean, if modern Unixes were required to support all of the r* commands for compatibility reasons, what would we be saying about security?). Other problems are due to the silly way that Windows users typically run their systems as admins.


Perhaps what bothers me the most is not that the default installation is inherently insecure (I mean, other OSes install with pretty loose policies for legacy reasons... ever installed a vanilla copy of Solaris?). The real problem is how tough it is for a "smart" user (or even an expert) to secure a Windows system without the aid of third party tools (i.e. firewalls, a/v software, etc). I mean, if I go to another OS (i.e. Linux or OS X), even if it starts out with insecure defaults, I can quickly configure very restrictive firewall policies and utilize non-privileged logins to cover myself. On Windows this is not so easy or configurable, and until very recently was not even possible (without 3rd party software).


Then even with IP firewalls, many users have to run NetBIOS in one form or another. This means that ports 137 and 139 must be opened. Unfortunately, since NetBIOS is a foreign network protocol tunneled over IP, virtually all services on the system are accessed through these ports. There is no effective means to say "I want to allow file sharing but disallow mmc management access" at the network level.


I know that if another OS were the primary contender for users' desktops it would be the main target, but I have to think it wouldn't be as bad for most of the alternatives. Despite how good it feels to have Microsoft addressing some of these issues, it is just going to take them a long time to undo the damage done from twenty years of lousy and capricious design decisions. A lot of other systems were designed in an environment that had to be mindful of security concerns, whereas MS technology for many years just tried to bulldoze through the problems after the fact.


Windows is less secure than most other systems. They're working to change that, but it is true.
kollivier
2004-03-10 15:47:11
Thank God!
"Thank God someone else said that! I've always thought the same thing, but according to any Linux / Mac zealot that's not the case...but maybe that's just them being weird."


Can we have some facts to back this point up? When people actually compare design decisions made by Microsoft and by Linux/Mac OS X developers, they've found that up until very recently Windows has always taken the 'least secure, easiest to use' route. (i.e. Let's enable potentially dangerous feature X for customers so that it will 'just work'.) Doing things like leaving IIS on by default on Win 2K and leaving the RPC port open (even on XP IIRC) were not prudent moves from a security perspective. Their IIS security model also gives too much permission to certain extensions, unlike Linux/Apache. Once you involve other MS products like Office and particularly Outlook, we could go on and on about poor security decisions. In fact, IMHO, they're red flags that the company has in the past not taken security as seriously as it should have.


I do applaud Microsoft for their increased attention to security, but realistically, most of this attention is very recent and due directly to massive exploits of various security holes. Linux and Mac OS X were designed from the ground up to avoid leaving obvious holes open for people to exploit, taking a "closed unless you open it" approach to security. Any platform can be exploited, but some have historically done a better job of "locking the doors" and keeping people out than others.


People who are inexperienced with computers and use an older version of a Microsoft OS (like Win 98, ME or in some respects 2000) very much need to deal with a bunch of security issues that they don't even understand just to keep their machine from being hijacked by a virus or worm. If MS had taken some reasonable security measures from the start, measures that Unix has been using for decades, then these people wouldn't have to constantly be updating their OS and firewall protection just to keep using their computer.


While it is very true that some portion of this problem is due to Microsoft's dominance in the desktop OS market, they really could have made some prudent decisions that would have avoided possibly a large majority of these exploits from ever taking off. If you dismiss the 'zealots' without even trying to figure out whether or not they actually have a point, then are they really the zealots here?

tlaurenzo
2004-03-10 15:48:55
Really?
Sorry, first sentence should read:


I would take issue with the statement that Windows is not less secure than other systems
spaceman
2004-03-10 16:23:37
Oops.
http://news.com.com/2100-1002_3-5172179.html
peter_g_22
2004-03-11 08:48:14
Yes, but..
As a broadband user I have no problem applying the numerous patches and service packs to our XP machines at home, but this wasn't the case when I went around to see a friend whose PC was "doing odd things" (he had 800 infected files, 2 viruses and a worm). As a dial-up user he was keen to apply the 49 missing updates, but this would have kept his phone tied up for most of the day and his wife did actually need to use it as well.


Problem is, the updates keep getting bigger and bigger, and when the typical dial-up user sees the remaining download time bar at some 4 hours are they seriously going to wait and finish the download? XP is especially bad for this and I don't honestly know what the answer is..

tlaurenzo
2004-03-11 11:39:50
Yes, but..
I recently ran into this with my father-in-law. He has three computers which formerly connected to the internet via dial-up (and three teenagers who are always downloading and installing wonderful jewels from the internet). He got DSL, so I purchased a broadband router and installed a network covering all of the computers. One of the first tasks I was going to accomplish was to download all patches/service packs and clean the computers from the nasties. However, just plugging any of these PCs into an Ethernet network caused them to flood the broadband router with packets. It overloaded the NAT tables and nothing could get out to the internet... so much for downloading patches. If these were Linux or Unix machines, I would log in to single user mode, kill all unnecessary processes and be assured that I could do system maintenance without combating all this crap. But it's Windows... and I'm going to spend the better part of my Saturday fixing the stupid stuff Microsoft peddles on the unsuspecting populace.


At least once I clean it up, there will be an external firewall in place to add some barbed wire to their systems. Now if I can just get them to agree to only give the kids non-privileged accounts...
aristotle
2004-03-15 16:59:17
Absolutely.
See Outlook vulnerability bulletin and CERT advisory.


It only took MS 10 months to reissue the bulletin in order to bump the severity from "important" to "critical" after they were initially informed of the matter. A phenomenally quick response.


The reason for this change was the fact that it occurred to them that people with other than non-default settings were affected. Basing the severity rating of a vulnerability on the number of users potentially affected is incredibly brilliant.


It was also an amazing tactical move to invent "patch day", so patches don't get issued willy nilly (like, say, in the soonest possible timeframe) and make it hard for people to stay up to date.


Completely awe inspiring also how there is a patch freeze period when a new service pack is imminent, during which new fixes that will not make it into the service pack are held back, so that the poor stressed customers won't be confused.


Yes, Microsoft is dead serious about security. Crackers and script kiddies beware, Big Daddy Bill is coming for you.

musnat
2004-03-16 15:36:02
A sane article
I don't think anybody technically serious would claim that Windows is less secure. On the contrary it is secure and most probably more secure than any other OS, however providing patches to home users is a big problem Microsoft has to solve. That's where I think Microsoft is lagging, of course not behind Linux, but behind the perfect desired solution.
musnat
2004-03-16 15:42:15
Thank God!
"Linux and Mac OS X were designed from the ground up to avoid leaving obvious holes open for people to exploit, taking a "closed unless you open it" approach to security."


Please don't insult us. I am a programmer, I have programmed for Unix/Linux mostly, I know almost everything about Operating Systems, the history of Linux etc... What the hell makes you believe that Linus was thinking security first when he first implemented it? What makes you think that MacOS X is designed with security in mind? Please be reasonable, you are talking to technical guys here. Only political people would claim that. However I understand you if you repeat what you read. Nothing in Unix or Linux has anything to do with special security. The only good thing about Unix was this super user separation, and for that Windows XP had the same. If you would consider Windows 95 or 98 I could understand, but XP vs Unix? Most of the security problems come from services with ports open by default. Almost all Linux services have security patches, you probably don't hear about it or that you just don't read about them.


The only problem Microsoft had is opening these ports by default even though many home users didn't need them. That's where Microsoft made a serious mistake, that's the only place you can really criticize Microsoft fairly.

aristotle
2004-03-16 16:04:17
Is it?
Linux vs. Windows Viruses