Microsoft has been getting a lot of bad press lately. Security concerns with Windows NT even prompted the US Army to move its hacked Web site from NT servers to WebStar servers running the MacOS. But does this mean Microsoft software is less secure than other software? A variety of experts think so, claiming the software giant is offering more functionality at the expense of security. Microsoft defends its strategy, saying users want ease of use and more features. And several users said they approve of that strategy. In the end, it's up to users to let the company know whether they are happy with the trade-off or if they want defaults to be set for greater security and more hand-holding.
Or they can switch to other software, like the US Army did, citing the fact that the MacOS doesn't have support for remote log-ins or a command shell to provide remote access via a DOS prompt.
Scott Culp, security product manager for Windows NT Server, said NT provides tools to disable remote log-ins and that nearly all Unix systems have a command shell. `Whether or not an operating system has a remote command shell says nothing about its ability to withstand other attacks such as denial of service attacks,' he added.
Microsoft software experiences the same types of security woes other platforms do but its troubles are more prominent because more people are using Microsoft products than products from other software vendors, Culp says.
Without question, Microsoft's dominance in the OS market plays a big part in the headlines - the sheer numbers of users of the software make it an easy and huge target for hackers, increase the chances that security flaws will be discovered and heighten the impact from spreading viruses.
Hegemony not the only issue
But numerous experts, analysts and hackers say Microsoft's hegemony isn't the only problem. `They certainly don't have a very secure environment. There are so many holes in the Microsoft environment that any [worthy] hacker is going to figure out how to break in,' said Anne Thomas, a senior analyst at the Patricia Seybold Group.
`It's the dominant OS out there, so it's going to attract the attention. On the other hand, Windows has extremely sloppy security,' said Bruce Schneier, author of Applied Cryptography and a founder and chief technology officer of Counterpane Internet Security, a Minneapolis-based provider of managed security services.
What often upsets people is that Microsoft hasn't learned from the mistakes made in older operating systems, noted Jon McCown, technical director of network security at the US company International Computer Security Association (ICSA). `Categories of attack that are well understood are cropping up in Windows,' he said. `They're doing a forthright job of addressing them, but there's a concern about what we don't know about yet; what's still in the OS or in the servers that will become an issue.'
It has been suggested that Microsoft's security weakness has to do with the evolution of Windows from a single-user, desktop OS to an OS for multi-user, networked computers.
Windows is desktop software that `was never really intended as network architecture', said Jeff Tarter, editor and publisher of Massachusetts-based Softletter. However, Microsoft is rewriting a lot of the code for Windows 2000, as it did for Windows NT, which should help make it more secure, he added.
Culp acknowledges that the Windows NT security architecture is more `robust' than its predecessors.
`NT is an entirely different animal altogether,' he said. `It was built from the ground up with a brand new architecture . . . to be used as an enterprise-class OS with security as a primary requirement.' But Culp also defended the strength of all Windows in general, saying security was `woven' into the OS rather than `bolted on' afterward. Others are sceptical.
`Microsoft's OS was never designed with security in mind,' said Schneier. `For Microsoft, security is always an afterthought.'
Trade-off: Security versus functionality
Factors listed by experts interviewed over the past few weeks that lead to security problems for Microsoft include:
Its reliance on the COM (Component Object Model) specification for running application components on multiple platforms, specifically ActiveX controls, which are reusable component program objects similar to Java applets and which can be attached to an e-mail or downloaded from a Web site. The most dangerous are pre-installed ActiveX controls which contain functions that can be executed on a computer but run without digital signatures used by other ActiveX controls;
Windows NT's `insecure' default installation, which assumes the user or network administrator will be knowledgeable enough to change the settings to a higher security level;
Use of executable code in data files in Microsoft Office products, primarily macros, which are saved commands that can be recalled with a single command or keystroke;
Tight integration of its applications with its OS, and lack of tight administration control in the OS over privileges and access controls, which allow applications and macros to execute other programs;
Use of hidden and/or undocumented APIs (application programming interfaces) or features that can give hackers back doors into Microsoft applications and which don't get the scrutiny of code made public to developers;
Faulty implementation of the Point-to-Point Tunneling Protocol (PPTP), which enables the extension of corporate networks through private `tunnels' over the Internet. It is still vulnerable to `offline password-guessing attacks from hacker tools such as L0phtcrack', according to Schneier's report at http://www.counterpane.com/pptp.html.
In general, the experts agreed that these technologies provide greater ease of use and functionality to users but said they also open the system up to security vulnerabilities. Microsoft counters that many of the features can be either disabled, like macros and ActiveX controls, or made more secure with the use of third-party specialised software.
Thomas of the Patricia Seybold Group said Microsoft's main problem has to do with COM, which `opens the system up to all kinds of nasty, dangerous situations'.
COM's integration with Microsoft Word allowed the prolific Melissa virus to spread so quickly in March, she said.
`It's a hard trade-off,' Thomas said. `You can do without this incredibly powerful technology that makes your system so much more automatic, or you can shut off that automatic capability and not have that tight integration, but have protection against viruses.'
Java applets are designed to minimise security violations by being executed in a `sandbox' - a secure area of the computer that isolates Java applets and keeps them from damaging files - whereas ActiveX controls rely on the applet being signed by the creator, whom the user will, ideally, know and trust.
Dangers of ActiveX
ActiveX controls were particularly assailed. Allowing remote systems to run arbitrary code on a local system is a `massive security risk', hacker Tweety Fish wrote. `It's been proven time and time again that Microsoft's implementation of ActiveX can be broken pretty easily . . .'
ActiveX controls can be automatically launched when a user goes to an HTML page or clicks on an e-mail attachment. They can be used to do malicious things like run programs on a user's computer, read system files and create files, among other things, according to Richard Smith, a security expert and president of Phar Lap Software, a Massachusetts company that makes real-time OSes for embedded systems.
`I don't think anybody right now, frankly, has a handle on the scope of the [ActiveX] problem,' said Smith. `ActiveX really opens up a can of worms.'
Microsoft has released an average of about two to three security patches a month over the past year, Smith said, adding that he suspects that most Microsoft users have not downloaded them.
Within the past year, while Microsoft has had about 10 separate bugs in IE that enable code in messages to read files, Netscape Communications has had one, according to Smith.
Microsoft's Culp argued that COM does not pose a security risk, and countered that Microsoft allows users to configure their software to give them the balance of functionality and security.
For instance, users can disable macros and ActiveX controls, and a new security patch for Office allows users to decide whether to allow Office documents to launch automatically when they're hosted on Web sites, he said. In addition, a new security configuration toolkit that ships with Windows 2000 will allow users to customise their software to the security level they desire, Culp said.
`We don't force anybody into a particular stance,' he said. `We provide tools to allow you to make that decision.'
But several experts said Microsoft should ship its software in the highest security mode rather than a more risky `open' default.
`The operating system should be fail-safe enough [especially on a server OS like NT] that a non-administrator user has to work pretty hard to allow the machine to be compromised,' said Tweety Fish. `The fact that macros in Microsoft Word can run any DOS executable and access any system function is a massive security hole, and for Microsoft to claim anything else is specious marketing spin.'
Users can't make knowledgeable choices of what features to disable if they don't fully understand the dangers involved, said Tweety Fish. Instead, they should feel confident that their software is secure and as they start to understand the risks they can modify the security themselves, he said.
Eric Schultz, director of Microsoft Content for Security-Focus, which operates a portal site at http://www.securityfocus.com, specifically complained that Windows NT's default installation can allow hackers to get a lot of information, including access to `blank administrator passwords, disabled security policies, and weak permissions over critical system files'.
But Microsoft can't be expected to make the security decisions for its users, particularly when opting for greater security for some users at the expense of less functionality for others, Culp argued.
`There's always a trade-off between convenience and security,' he said. `Everybody has a proper point where they balance security against usability. Any two people are going to have a different point that's right for them.'
Virtually all general-purpose operating systems default to usability over security rather than in a `locked down' mode, Culp added.
Russ Cooper, editor of the NT Bugtraq mailing list (http://www.securityadvice.com), defended macros. `Although relatively insecure, [macros are] still very much in demand.
`Internet technologies are not designed to be secure. They're designed to be interactive.'
Cooper said users should be more responsible. `Microsoft is providing us with tools that will help us, but at the same time we as consumers are not taking the responsibility to learn basics about using this stuff,' he said.
But other experts argued that Microsoft has a responsibility to provide greater user safety than they do now, even if it might take more time and money to develop products that are more secure.
Technical debates aside, most of the critics complained that Microsoft often treats security issues like PR problems that need to be averted and not resolved.
The main security problem is `marketing-driven product design at Microsoft, and the fact that they will not consider any given security risk a problem until it becomes a problem in the press', said Tweety Fish.
He and others complained that Microsoft often denies security problems before being forced to address them with a fix after they are made public, and that the company tries to minimise their scope and put a spin on them.
For instance, the company downplayed the Jet/ODBC (open database connectivity) exploit in a Microsoft Security Bulletin over a year ago so that `almost nobody' bothered to install the patch and users were caught off-guard when it made headlines recently, the hacker said.
The company downplays the extent of a problem by not mentioning all the situations in which it could arise, saying it is limited to only specific situations and claiming that no customers have been affected, the experts said. For instance, when issuing alerts about browser bugs Microsoft usually doesn't point out that they can occur in e-mail, said Smith of Phar Lap.
But Smith and some of the others conceded that Microsoft's response time has improved in the past few years. For example, Microsoft released a workaround immediately and a patch four days later for a recent security exploit in Internet Information Server (IIS), and `that's probably as responsive as any company would be', said McCown of ICSA.
`A quick fix may break something else,' said Schultz of Security-Focus. `They're being thorough. It may not be as quick as some people might like.'
Culp denied the allegations that the company is reluctant to admit exploits or their scope. The company's security response team is quick to address and fix problems, monitors security mailing lists for reports and works closely with security groups, he said.
When a vulnerability is confirmed, the company sends e-mail alerts to customers who have asked to be put on a list at firstname.lastname@example.org and others, and posts information on its security Web site at www.microsoft.com/support and www.microsoft.com/security/services/bulletin.asp, Culp said. Microsoft has more than 200 full-time employees working on nothing but security, he added.
`We look into every issue that's reported,' he said. `Out of those 10,000 queries and reports [received in the past year] and all the things posted to the mailing lists, there have been about 30 issues that we have needed to provide a patch for this year,' and 40 or 45 over the last 12 months, Culp said.
Only about 5 per cent of the reports Microsoft gets turn out to be bona fide security vulnerabilities, according to Culp. Many end up being problems due to unclear documentation, incorrect implementations of the software or code, or users not following best practices, he said.
In recent swift work, Microsoft released a security bulletin just hours after an IE vulnerability was announced on September 10, telling users how to protect against it while a patch is developed, Culp noted.
Meanwhile, Microsoft has taken a new approach and put a Windows 2000 test server online for users to try to hack. The system has held up although it got off to a rocky start and was down for several days after lightning hit a router right after it was put online.
Cooper of NTBugtraq predicted that the security situation will improve for Microsoft as consumers become more savvy and demand more security in products.
`Certainly there's been a change in Microsoft in the last two years to do things with far more security in mind,' he said. `The reality is they're doing it to an extent that consumers will tolerate and to an extent that consumers will demand.'
Users are content
Several users said they have no complaints with Microsoft's products or attitude.
`From my perspective, what Microsoft is doing is right on target,' said Greg Scott, IS manager at Oregon State University's College of Business in Corvallis.
`I want the interoperability the tools provide me so I can move things cleanly, simply and easily between systems. And I'm willing to suffer the minor inconvenience of having to pay more attention to security and patches,' he said. `As long as they provide patches and fixes in an appropriate timeframe, then I'll use their products.'
Another user said he likes Microsoft software specifically because of its integration. Ty Simone, IS manager at Onsite Sycom Energy, an energy service company based in California, said he's not bothered by Microsoft's usability versus security trade-off.
`I would much rather have the control here than have Microsoft saying 'You can't do anything until you change something',' he said. `For example, the default for IE is medium. If they set it to high, until I get to that user and set it to medium that user couldn't access the corporate intranet, much less the Internet.'
Simone also praised Microsoft for reacting swiftly and forthrightly when issues arise, noting that Unix users don't get security bulletins e-mailed to them like Windows users do.
Unix gets more hacks but less press than NT does, Simone said, adding that `it's not popular to bash the little guy'.
Unix, Linux, MacOS
So how do the Windows alternatives fare? The MacOSX `add-on programs look to be just as vulnerable [as Windows] - there are permissions problems and plenty of coding issues', Dr. Mudge of Boston-based hacker group L0pht Heavy Industries wrote in an e-mail. `However, a quick look would imply that the core OS might be much more secure than NT's core components. This is most likely due to the fact that the new MacOSs are really BSD 4.4 [Unix] and mach memory systems. Both have been around for decades to have the kinks worked out of.'
Meanwhile, open-source operating systems tend to be more easily secured than closed-source ones like NT, `because there are more people doing more work to find the holes, and it's easier for researchers to develop patches for exploits they find', hacker Tweety Fish said.
The most secure platform `out-of-the-box' is OpenBSD because security is a focus of the project, he said. `It is not perfect; no OS is, but with OpenBSD you can guarantee that security is their first priority.'
The favoured underdog, Linux, is considered experimental at this point, but it may end up giving NT a good run for its money, according to Winn Schwartau, founder of Security Experts consultancy in Florida. Most of his clients, which include governments, NATO and other multinational organisations, use Unix now, he added.
Despite the complaints about the security in Microsoft software, Culp said customers - including government agencies and organisations in the healthcare, insurance and banking industries - feel comfortable using the company's products.
And Cooper of NT Bugtraq noted that Windows is `hugely accepted, widely deployed and largely liked' by users. `I don't think Windows is more or less secure than some other operating system,' Cooper said. `There are technologies from Microsoft that are good; there are others that are not good; and there are others that still need to be refined and improved, but that are still very much in demand.'
But hacker Space Rogue, a member of L0pht Heavy Industries, summed up what he and others see as Microsoft's security challenges. `Windows has three strikes against it, as I see it. Popular OS, weak security, easy to use, oh, and it is made by MS, the company everyone loves to hate.'
Microsoft releases updated IE security patch
Microsoft has released a patch for Internet Explorer that it promises completely eliminates the security problems which existed with the browser software. An initial patch announcement was made on September 10, but the patch available as of late last week is more far-reaching, Microsoft said in a statement posted last week on its security Web site. The security holes in Internet Explorer were discovered in late August.
The patch eliminates the `ImportExportFavorites' vulnerability, which affected computers connected to the Internet, Microsoft said. The security hole made it possible for a Web site operator to carry out any functions that visitors to a Web site could do on their own computers, such as deleting or modifying files or reformatting the hard drive. It derived from a feature in IE 5 which let users export a list of their favourite Web sites to a file, or import a file with a list of favourite Web sites.
The new patch also plugs security holes which resulted from several ActiveX controls, Microsoft said. These existed in both versions 4.01 and 5 of Internet Explorer. The ActiveX weakness allowed hackers to manipulate programs on a user's computer when they visited a Web page or received e-mail via Microsoft's Outlook program. An ActiveX control is software which is shipped with Internet Explorer that enables a program to add user interface functions.
Microsoft's security Web site can be found at http://www.microsoft.com/security/default.asp
By Mary Lisbeth D'Amico