News

Nearly One Year Later, Trustworthy Computing a Work in Progress

• By Stephen Swoyer
• 01/15/2003

Microsoft Corp. closed the book on a tumultuous 2002 in which it sent most of its developers back to school for a month-long crash course in “Secure by Design” programming. The effort was part of Microsoft’s “Trustworthy Computing” initiative, which amounted to a public relations mea culpa in which the software giant pledged to start taking the security of its products more seriously.

As a result of the Secure by Design refresher course, during which time development on the software giant’s forthcoming Windows Server 2003 all but ground to a halt, Microsoft says that Windows developers received security and trust training, and new code testing processes were put in place.

The jury is still out on whether or not Windows Server 2003 will be the most secure Windows ever – after all, Microsoft announced only last week that it will ship its next-generation server operating system on April 24th.

According to Russ Cooper, long-time Microsoft-watcher and editor of Tru-Secure Corp.’s Windows NT Bugtraq Mailing List, 2002 was “an incredibly quiet year” for Microsoft, at least with respect to security vulnerabilities and its existing Windows operating systems.

First of all, there weren’t any blockbuster worms or exploits on the order of 2001’s trifecta of Code Red (in at least two variants), Code Blue and Nimda. Nor were there any embarrassing mistakes related to Microsoft security patches, such as, for example, an update that the software giant released in June 2001 which caused patched Exchange messaging servers to fail.

Altogether, Microsoft released 72 security bulletins last year, well off the record pace that it set in 2000, when it issued 100, but more than 2001, when it released 60. NTBugtraq’s Cooper cautions that the security bulletins that Microsoft chooses to release tell only part of the story, however. “[That number] really doesn’t account for all of the vulnerabilities that they acknowledged. Certainly, there were [undocumented fixes for] vulnerabilities included in IE service packs or OS service packs, so I don’t like to use that number as an indicator.”

But Cooper isn’t convinced that IT managers are doing a better job of patching vulnerable servers, or of removing non-essential services and components, or of locking down their systems. He cites the example of the SQL Spida worm, which caused problems in 2002 by exploiting an Internet-facing port on vulnerable SQL Server systems. “I don’t think that computers are any more secure in 2002 than they were in 2001. I think that there are as many vulnerable IIS servers out there as there were in the past. The best indicator of that … in 2002 was SQL Spida. What are people doing with [port] 1433 open to the Internet? What idiot configured that box?”

For the record, Cooper says that he’s convinced that Microsoft Chairman and Chief Software Architect Bill Gates, along with Craig Mundie, its senior vice president and chief technology officer for advanced strategies and policy, are serious about Trustworthy Computing and Secure by Design development. The problem, Cooper says, is the marketing-driven culture that is still dominant at Microsoft: “They have to figure out how to re-teach the people who’ve been thinking in a very marketing-oriented fashion to not think that way, and still appease their shareholders.

As an example, Cooper singles out Microsoft’s System Update Server, a standalone product designed to make Microsoft software updates and security patches available to LAN-based clients on enterprise networks. Says Cooper: “When [Microsoft] finally made it available, they released a version that is deficient. It can’t even be used in a normal environment. It provides no auditing capabilities. Then they say that their next version will come out when Longhorn [the next version of the Windows client OS] is released. Why did they have to wait for Longhorn? Sounds like [they’re] putting features over security to me!”

At the same time, Cooper acknowledges that Microsoft is dealing with problems of scale that no other vendor – not even IBM – must negotiate. “If you look at the number of people who use Microsoft products and appreciate what the scope is that MS has to consider for any given security issue, nobody else in the world has that to deal with this.”

Nevertheless, he believes that Microsoft must do still more to improve the security of its products. He cites the example of a common scenario whereby an Exchange administrator can view e-mail formatted in HTML – even if she has disabled this feature. For security purposes, many IT organizations specifically prevent e-mail from being displayed in HTML.

Cooper says that Microsoft can do other things, as well, to reassure its customers that it is serious about Trustworthy Computing. “I would like to see them say: ‘We are going to keep current products based on market usage secure. We’re not going to give you an elaborate document about product support and when we’re going to cut off support. We are not going to use security as an upgrade mechanism.’”