i-Technology Opinion: Security Not a Microsoft Priority
'A cursory glance at two Microsoft-related security disclosures in February reveals that, for all of the rhetoric, Microsoft is very slow to respond to critical vulnerabilities' contends LinuxWorld advocacy editor Steve Suehring. 'It appears that Microsoft is merely controlling the information,' he continues, 'rather than controlling the security vulnerabilities and protecting their customers. In addition, old bugs are showing up in new versions of their products.' As Suehring notes: 'Complexity is the enemy of security.'
Reader Feedback: Page 1 of 1
#8
nouser commented on the 9 Mar 2005
> dtl commented on 9 March 2005:
> > "Many vulnerabilities for Linux systems are fixed the same day that they are disclosed."
> I'm sure that patch was thoroughly tested, it compiled, ship it, yehaaa let em buck...
Heh. As opposed to Microsoft's stance: "I'm sure our software isn't vulnerable, and anyway we have to test, test, and re-test and even then the patch will have unintended consequences, better wait to release it, yehaaa let those customers get their systems hacked..."
#7
dtl commented on the 9 Mar 2005
"Many vulnerabilities for Linux systems are fixed the same day that they are disclosed." I'm sure that patch was thoroughly tested, it compiled, ship it, yehaaa let em buck...
#6
You can quickly disable the firewall from the command line via a netsh command.
Disable: netsh firewall set opmode disable
Enable: netsh firewall set opmode enable
#5
AaronW commented on the 8 Mar 2005
Didn't SP2 make it impossible in Windows for an application to fill in an invalid source IP address? If this is the case, I wonder if this problem cropped up because Microsoft cannot generate the LAND attack with an up-to-date version of their OS. Also, I wonder what sort of vulnerabilities exist in Windows for IPv6? -Aaron
#4
Even Gartner analyst Neil MacDonald has finally realized: "Microsoft's overriding goal should be to eliminate the need for (antivirus) and (anti-spyware) products, not simply to enter the market with look-alike products at lower prices,..."
Microsoft's desktop security issues stem from its continued reliance on the antivirus industry's "Infect-Scan-Remove" approach. In comparison, right from the outset, open source desktop platforms and applications have relied almost wholly on closing the infectable vectors, the exploited vulnerabilities used by malware, as quickly as possible.
The result is that both the KDE and GNOME desktop environments are a lot more secure and even more secureABLE.
Follow this Usenet thread from September 2000.
The thread covers the argument over securing applications vs. scan and repair in detail. David Harley and Robert Moir are two antivirus industry leaders. It also includes the prediction that Microsoft would eventually get into the antivirus/antimalware industry. With XP SP2, Microsoft have only just begun to adopt some of the "new" defence strategies outlined by myself in the above thread. However, in my opinion, Microsoft still has yet to secure the actual applications exploited, and five years after the release of Windows 2000, has yet to provide a safe desktop environment for business.
To quote Dr. Blaine Burnham, the former director of the Georgia Tech Information Security Center (GTISC) and previously with the National Security Agency (NSA), "Security is a system wide property". That requires applications, middleware, libraries and the operating system itself to be secured before the whole system can be declared secure. (If you have a spare hour, listen to Dr. Burnham's USENIX 2000 keynote.)
The Linux, Mozilla, KDE and GNOME based projects provide a more secure desktop environment because the developers and distributions secure the applications themselves where the application's vulnerabilities can be exploited. In most cases an updated package is available within days of the discovery. After years of double digit vulnerabilities discovered in Microsoft's Internet Explorer, Microsoft has reluctantly changed its mind again and offered yet another upgrade to IE7, but only for users of XP and the mythical Longhorn. Meanwhile 21 out of 87 Secunia advisories are marked as "Unpatched" in XP Professional. For a company with the financial resources of Microsoft, that is not even close to being a good enough passing grade. It is the result of long-term neglect of the security issues, and the result will not be secured by any magic bullet based scan or behaviour constraint system.
Shop around and compare other vendors' current security status (number of serious issues unpatched).
In late 1998 a number of security experts wrote to Microsoft in an open letter; a number of anti-virus companies signed it saying "hey, here are the things you can actually do to Microsoft Word to dramatically reduce the chances of virus infection".
It took over four years of the worst publicity and intense pressure from the security community before Microsoft finally began to react.
It's time to raise the level of expected security in application and desktop design.
#3
Patch-free March commented on the 8 Mar 2005
And in other news... Microsoft's Security Response Center has given advance notice to customers not to expect any security patches for this month!!
#2
jschottm commented on the 8 Mar 2005
Every company that does computer work has to be a security company now. Many companies are completely dependent on computers and most of their crown jewels are stored on them. Many home users have sensitive banking information stored on their computers. Building broken software that allows system disruption or data to be stolen will lose customers. Part of my job is to migrate systems from Windows to Linux, specifically because of security and stability issues.
#1
Tassach commented on the 8 Mar 2005
There is NO legitimate reason whatsoever for a modern, patched operating system to be vulnerable to a simple, 8-year-old DoS attack. What's next, reintroduction of the Ping of Death vulnerability? This is sloppy quality control, pure and simple. This incident is just another example which demonstrates the importance (or more accurately, the lack thereof) that Microsoft's corporate culture places on security. Hasn't anyone at Microsoft ever heard about regression testing? Microsoft has consistently demonstrated that, regardless of what their press releases say, security is NOT one of their priorities. People need to start waking up and realizing this before they entrust their critical infrastructure to Microsoft products.