Experts Say Microsoft Security Effort Failing
Submitted by Jay Sabol, 2003-01-31, Privacy, Security

Computer security experts said on Thursday the recent “SQL Slammer” worm, the worst in more than a year, is evidence that Microsoft Corp.’s year-old security push is not working.

41 Comments

2003-01-31 5:54 pm
The real question is, why wasn’t the SQL port blocked out on everyone’s firewalls? That would have stopped this cold.

2003-01-31 6:10 pm
I saw this posted on Reuters too. Was this put out by Apple? (“I’m going to buy a Mac..” he says) Who does this guy think he is? It’s not Microsoft’s fault if people don’t patch their systems. And then he blames the patch process itself? What OS out there doesn’t release patches? His argument doesn’t even make sense…unless he’s in the business of selling “self-correcting” software. Maybe he should stick to chasing after Bigfoot or his psychic hotline or whatever he used to do before becoming a “consultant”…

2003-01-31 6:18 pm
Look, I’m an avowed Micro$oft basher, and I don’t blame Microsoft on this one. I blame the lazy, stupid DBAs for not patching their installations of SQL Server, and I blame the lazy, stupid System Administrators for allowing that port to be open to the internet in the first place! Come on, folks! We can’t blame every problem on Micro$oft; we need to realistically put the blame where it really belongs (see the first paragraph).

2003-01-31 6:21 pm
The massive amount of problems with security in Microsoft’s software and the poor updating ability of its products are the real issues. My co-worker recently spent an entire day trying to bring our Windows-based servers up to date. Numerous hours and reboots later he finally finished.
This is time consuming and labor intensive, which costs an enormous amount of money. On the other hand, our Linux firewall hasn’t needed a patch or reboot since about July. Actually, the patch in July did not require a reboot. The basic problem with Microsoft’s products from an admin point of view is that the admin becomes a “Patch Monkey”, but that fits right in with the current CEO, “Monkey Boy”, so I guess that’s alright.

2003-01-31 6:26 pm
Why would anyone on a Windows machine put his database server directly on the internet anyway? Never heard of n-tier? Use ActiveX (DCOM) or even XML on your webserver to read your database values that are stored on an internal network server only. This way your data is secure with or without the so-called patch. Or am I wrong?

2003-01-31 6:28 pm
Ooh, and if you don’t have money for a second server, think about buying VMware or Virtual PC.

2003-01-31 6:30 pm
“The real question is, why wasn’t the SQL port blocked out on everyone’s firewalls? That would have stopped this cold.”

My previous employer got hit with the worm despite appropriate firewall precautions. The reason? Infected laptops got plugged into the network behind the firewall after having their MSDE SQL Server instance infected from their home networks. Nothing beats good pre-emptive system administration and patching. Firewalls should be considered the first line of defense, not the final.

2003-01-31 6:30 pm
I submitted this story because I myself use XP Pro and I know other users would want to have as much information about this as possible. I think it is the patch system that is the big problem. So many, many people don’t do that. Some don’t know to do it and others are leery of the patches themselves. Microsoft admits it got hit by Slammer too because some of its computers were not patched. I think all of us who use XP or other versions of Windows are sick of security problems. Aren’t you? I think Macs are less vulnerable simply because it isn’t the dominant platform.
I think XP Pro is a great OS, but it has been over a year now since Gates brought everything to a halt in order to work on security and they simply have not been able to solve it. I think the patch system is good for people like us, but most people, I think, suffer from what I said above – even Microsoft suffers from it. They have to find a different way. The idea of Microsoft’s Trusted Computing is becoming a joke – and I take no joy in saying that. Last week, and I’m sorry, I don’t have the reference for it, a Microsoft executive, in talking about the Trustworthy Computing project, said the craziest thing. He said it is pretty much a ten year project! ROFL! Now, I know that can be interpreted in different ways, I just get the feeling Microsoft doesn’t have a handle on this at all.

2003-01-31 6:37 pm
This is ridiculous.
1) There was a patch released some time ago about this, and this is also fixed in SP-3 BEFORE this worm started to spread, so people have no right to complain.
2) If you have properly configured your firewalls you’d be protected automatically.
You can’t blame Microsoft for the tardiness of System/Database administrators. All software has bugs – if you don’t patch your systems – whatever OS/Server software they are running THEY WILL BE VULNERABLE TO ATTACKS.

2003-01-31 6:46 pm
You’re right, it isn’t Microsoft’s fault – it is the sickos that create the viruses, it’s their fault. But, I believe Microsoft must find a way to deal with this other than patches people may or may not know about. As said before, even Microsoft itself got hit. Even if it isn’t fair to Microsoft, how can they possibly talk about Trusted Computing and have people take them seriously? I think Gates should do what he did last year – stop the whole show and find a way to improve this situation. .Net, Longhorn and Palladium and all that stuff can wait.

2003-01-31 6:47 pm
Sorry, I wouldn’t put all the blame on M$…but they still get some of the blame by default.
Their products are all inherently insecure. PERIOD. Which is why it will take them the better part of 10 years to revamp all their code bases. The thing ppl need to understand about the M$ security initiative is that until they release new products under it…..we will continue to be patch monkeys. Although I much prefer Linux and Netware, I do think it’s unfair to claim the M$ security initiative is failing before they have even had a chance to release new products under their new effort. If the next Windows server is just as bad, and it very well could be, then let the flaming begin. Until then…..we will all have to be patchaholics.

2003-01-31 6:56 pm
“If you have properly configured your firewalls you’d be protected automatically”

That’s simply not true. A properly configured firewall solving all woes is a MYTH. What happens if someone finds and exploits an Apache worm through an HTTP request? No one is going to have port 80 shut off. As I said in a previous post, a firewall is only a first line of defense.

“You can’t blame Microsoft for the tardiness of System/Database administrators. All software has bugs – if you don’t patch your systems”

Not to split hairs, but *all* software has bugs regardless of how patched a system is. Whether an exploit has been discovered yet or not, many if not all programs have some sloppy code somewhere leaving a hole ripe for the picking. I’m not out to bash Microsoft on this one, but some of the blame has to fall on them for having written the code in the first place. As of right now, no one is patched for the unknown exploits that will be fixed in the next service pack. The problem Microsoft is being criticized for is not their patches, but their coding process that left a hole open in the first place.

2003-01-31 7:03 pm
Uh.. SP3… — there ain’t no SP3 for XP, so you are obviously talking about W2K — and as you can tell from the stats, the majority of systems run XP by now.
In related news, however, it has been said that, though widely unknown, SQL patches are NOT AT ALL part of any auto-update — all has to be done manually, which drives you insane if it’s for a bunch of machines — YES, this is _solely_ MS’s fault, because people weren’t even aware that this isn’t covered by auto-update. Call people st00pid for not patching..? Righties… so the #1 respected company, serving all the big business, is run by a bunch of god-damn morons.. eh?! – Check out all the press HP got over at theinquirer.net and you know what I mean… then again – maybe not…

2003-01-31 7:14 pm
Excuse me, but what is the solution if not patching? OpenBSD is often lauded as being the most secure OS by default, and their solution to security issues is… patches. The solutions put forth by other companies such as Sun, SGI, and HP? Patches. In all honesty, Microsoft has released one of the best patch tools ever made (Windows Update). In many regards I’d place the OS X patch tool above Windows Update, but there are certainly many others which horribly fail in comparison to Windows Update. Sun recently released a patch tool called “PatchPro” which was designed to bring a Windows Update level of ease-of-use to patching Solaris. Before, the solution (at least as I implemented it) was to drop every system to single user mode and apply the latest patch cluster available for a particular revision of Solaris, then reboot the system and hope everything came back up okay. PatchPro is designed to download signed patches from Sun, and furthermore lets you configure a policy so that it can be run incrementally. Patches which require a reboot or for the system to be in single user mode are “sequestered”, as are patches which depend on those patches. You can set up a script to check for sequestered patches, and it will notify you if manual intervention is required. Unfortunately, PatchPro is a horrible piece of shit. It’s the poster boy for why system tools should not be written in Java.
PatchPro doesn’t even check if there is adequate disk space to download patches before downloading them. So, that brings me back to my old reliable patch clusters. I’d say Microsoft has it figured out… but they suffer from an increasingly common affliction as well: lazy admin-itis.

2003-01-31 7:21 pm
“It’s not Microsoft’s fault if people don’t patch their systems.”

Perhaps, but it IS Microsoft’s fault that they didn’t patch their OWN systems. The problem is twofold. One is the flaw itself, and it can easily be something that is in older software. But the other is that MS is, demonstrably, “Talking the talk” but not “Walking the walk”. They’re not reading and complying with their own security dispatches. Why not? Why haven’t they patched all of their systems? Perhaps for the same reasons everyone else hadn’t patched their systems. Perhaps it is quite a difficult patch to apply. Perhaps it takes too long, or is overly invasive. You’d like to think that MS’s internal IT department is running around to EVERY MACHINE, every workstation, laptop, server and iPaq and updating it as soon as the Service Packs are released to production. “Hi, this is corporate IT. Today is a paid holiday as the entire company comes to a screeching halt while we patch and upgrade 8 zillion computers..” Yes, it’s extreme, but it’s clear that it’s what must be done. As everyone has said, “If everyone had patched their SQL Server, then this worm would have died before it got out”. But they didn’t, and the worm did get out. So, now, more so than ever perhaps, MS knows what a real pain in the neck it is to have holes in software. What a huge hit it can be to a company. It’s hard. It’s a lot of work. It’s not fun work, but it’s a corporate attitude that has to be ingrained down to every worker. They should All Hail and rejoice when a new SP comes out. More progress, more holes filled, less chance of something like this happening again. But, of course, no one does that. Ah crap, another SP.
Upgrade AGAIN. The system is at risk AGAIN. More downtime in the middle of my day AGAIN. Microsoft is simply a big fat juicy target, both their company and their customer base. But this is a technical problem and a political problem. If someone finds a hole in a piece of OSS, we go “oh”, someone fixes it, and Those Who Care get the new release. However, if, say, OpenBSD has an exploit discovered, then there’s a big brouhaha. Why? Because part of OpenBSD’s reputation is its security. Any discovery of insecurity brings their claims into question. “Gee, if this slipped through, what else slipped through? Can we really trust these guys?” Microsoft said the same thing a year ago. Security is a high priority. We’re On It. Count On Us. And they got hammered because they didn’t do what they said they were going to do. This just hurts what credibility they have even more.

2003-01-31 7:22 pm
//That’s simply not true//

It simply *IS TRUE* in this instance. We’re talking about closing port 1433 (or whatever it is). Had that been done, SQL Slammer wouldn’t have affected those systems. Apparently, you have trouble sticking to the subject at hand.

2003-01-31 7:26 pm
System admins should be forced BY LAW to patch their servers. I think this is the best (and maybe the only) solution. The law forces you to protect your building against fire, because a fire is likely to spread. It’s the same thing with computer security.

2003-01-31 7:30 pm
It is definitely Microsoft to blame for this kind of thing! They go and sell you an operating system and software which does not need you to know anything about computers (yeahh.. this is what they keep telling all the time). And at the end… what is happening? Ppl buy the software and are happy that with 3 mouse clicks they can configure a DNS server, an FTP server, an HTTP server and whatever…. and they think they understand the system.
And Microsoft keeps telling them that their Windows Update system will keep them away from problems if they go and update their system regularly. But even after an update you are not on the secure side! And when you install Windows 2K or XP you get that nice introduction screen, which tells you all the nice stuff about Windows and the features it offers. And on Windows XP you even get some statements like: Windows XP is the most secure Windows system ever built by Microsoft… it even includes a firewall to keep hackers out of your system (bla, bla, bla….). At the end: everyone is cooking with water. Every software has problems. But the difference is how you treat them! If you start to prohibit everyone from publishing security problems on the web and if you want to keep everyone quiet about any problem your product has… then you have to deal with that kind of big problem. Because when they hit the internet… they get around the world really fast. And this is especially a problem with Microsoft products! Security issues in the Microsoft world are only waiting to get exploited. If I were a hacker/cracker/whatever… then I would definitely try to code something to hit security issues in Microsoft operating systems. Because the chance that a security bug is still not fixed (even if the patch has existed for a long time) is much higher on a Windows system than on any other system.

2003-01-31 7:33 pm
Yeah. Sure they are. You see, you can’t call everyone who writes a virus a sicko. Many people write viruses as a hobby and don’t release them into the wild. I remember reading articles about this one fellow that wrote a virus and accidentally let it out in the wild; next thing he knows he’s the net’s biggest enemy. So are crackers to blame? No. It’s MS’s fault for not coming up with a decent way of updating.

2003-01-31 7:51 pm
“It simply *IS TRUE* in this instance. We’re talking about closing port 1433 (or whatever it is).
Had that been done, SQL Slammer wouldn’t have affected those systems.”

It simply is not true. Had port 1433 been blocked (I’m talking internally – of course it needs to be blocked to external internet users), legitimate users couldn’t access SQL Server through Enterprise Manager. The port has to be open to SOMEONE, otherwise SQL Server doesn’t do anything. But, like I mentioned in my first post, employees with legitimate access can easily wreak havoc within a network if they plug in a laptop from an insecure home network. You have to be careful to not assume your network is secure just because you have a firewall properly configured. God, I hope you aren’t a sysadmin.

2003-01-31 7:59 pm
Microsoft issues a security patch for a programming error. Tells users to apply patch. Months later, programming error is exploited. Microsoft tells users it’s their own fault for not patching. Microsoft forgot to patch their own systems. Microsoft blames evil virus writers. Users blame evil virus writers. Evil virus writers laugh their asses off and look for the next Microsoft programming error. Rinse, repeat ad nauseam.

2003-01-31 8:44 pm
Aside from the initial programming error exploited by the SQL Slammer worm, there are two parts that are more Microsoft’s fault than the sysadmin’s:
1) Microsoft introduced a patch that reversed the effect of the MS SQL patch that fixed the vulnerability. Oops.
2) Microsoft patches and service packs have a history of causing things to break, thus sysadmins are reluctant to apply them.

2003-01-31 9:13 pm
“In all honesty, Microsoft has released one of the best patch tools ever made (Windows Update)”

It is actually the WORST update system ever; it usually breaks more than it is fixing. Last (as in never again) time I used Windows Update it broke the sound (locked up the computer for 2-3 seconds before starting to play a sound) and the network (full duplex stopped working).

2003-01-31 9:26 pm
I don’t necessarily agree with the author on this one.
I think it sucks that the vulnerability existed in the first place, but there was a patch for it (not to mention the other arguments regarding firewall strategies, etc.). This brings up another issue though. I do agree with the author in that the patching process for Windows sucks since it usually requires a reboot for the patch to take effect. Most Windows admins that I know do not patch things right away because they can’t afford to take the system down in the middle of the day to apply a patch, and they don’t want to do it around midnight either. They want a life too, I suppose. I recently upgraded some services installed on my BSD machine at work. I was able to stop each service, run the upgrades, and then restart the service with no downtime on my server. I ran these updates during the middle of the day with little or no impact to those relying on my server. Windows needs to be able to do that for all of its patches. I realize that Microsoft is really trying to make things more secure, but when your foundation is flawed to begin with, I don’t think you can make much headway without a complete rewrite. I could be wrong though. It has happened before.

2003-01-31 9:39 pm
“This brings up another issue though. I do agree with the author in that the patching process for Windows sucks since it usually requires a reboot for the patch to take effect. … I recently upgraded some services installed on my BSD machine at work. I was able to stop each service, run the upgrades, and then restart the service with no downtime on my server.”

This is the blessing and the curse of MS software. One of the ways that MS gets better performance out of their complex systems is the fact that these services have deep roots directly into the kernel of the OS, whereas a majority of Unix services float on top in reasonable safety. If you were to run a monster Solaris patch, odds are pretty high you’d need to restart as well, as there may be kernel or driver patches in the patch kit.
However, for most applications, including databases, this is not an issue. MS’s systems are very tightly integrated, which is great for performance but lousy for stability and (in this case) patching applications.

2003-01-31 10:16 pm
“It is actually the WORST update system ever…”

I don’t know if it’s the _worst_ ever, but it seems to have problems. I recently installed Win 2K on a fairly new P4 at an office I support. I did a normal install, installed the drivers that came with the motherboard, then installed SP3. It finished installing SP3, asked me to reboot, which I did, only it couldn’t ever boot up again – safe mode or not. I had to completely reinstall. That is just one example of the many problems I have had with Windows Update, and now I am pretty leery of installing patches. I won’t install them right away, until I get an idea of whether other people have had problems with them or not. With some patches, I never use them. Which is better, a secure system that doesn’t work, or an insecure one that is usable?

2003-01-31 11:05 pm
My main computer uses a nice patching system:
1) Patches are downloadable from the Net or on CD.
2) Patches can be applied temporarily for testing to see if anything breaks.
3) Patches know which other patches are required before they can be installed.
4) Patches can obsolete older patches.
5) Patches that require a reboot can be scheduled to be automatically enabled on the next reboot.
6) Patches can be installed/removed on a live system.
7) Once a patch is installed and tested, it can be made final, which saves disk space (they keep a backup of all the files they replace).
8) On boot, you can tell the system to not use the temporary patches.
9) You can schedule the system to periodically check for new updates.
10) You can sign up for a fax every time a critical patch is released.
11) Patches come with a cover letter to let you know what they are trying to fix.
Long live OS/400…

2003-01-31 11:22 pm
>>>Look, I’m an avowed Micro$oft basher, and I don’t blame Microsoft on this one. I blame the lazy, stupid DBAs for not patching their installations of SQL Server, and I blame the lazy, stupid System Administrators for allowing that port to be open to the internet in the first place!

True. But Microsoft software promotes the “monkeys punching buttons” atmosphere. There ARE good techs/admins that know MS…they are a minority though. I expect MS techs/admins that read this site NOT to have been hit.

2003-02-01 12:47 am
My system had no problems… why? It was patched. It takes all of 10 seconds for me to open the control panel, hit Windows Update, wait a few secs, install the updates, then carry on with my day. I do this 2 times a week, although even once a week would be often enough. NO piece of software is perfect, especially nothing so complex as an OS. I know, anti-Microsoft this, anti-Microsoft that, yada yada yada. Windows XP is the FIRST MS OS I have paid for, and it was well worth the money. It is solid, fast, and does what I need. It is easy enough for people I know to hop on and get things done without a computer degree, yet still strong enough to do the heavy computing I do. They released the updates months ago; no one has any excuse for not having them installed. If this was a failing brake part, and a car company had issued a “recall” (update) to fix the problem a year ago, and you ignored the letter, and then your car’s brakes failed, causing you to lose control and hit a tree, you would not have a leg to stand on in court or anywhere else, because they had offered to fix the problem and you did not do it. What makes Microsoft any different, that not only do they have to offer the fix, but come to your house, hold your hand, and do it for you?

2003-02-01 1:46 am
My personal system didn’t get hit either, but that’s not the problem. The problem is that, like you, I feel compelled to check for security updates all the time.
To do that with such frequency suggests we are anticipating problems – constantly. I have not tried to find fault in this thing. Of course Microsoft is bombarded because they’re so dominant and widespread. I’m trying to find a better way. Updating my own system every single day, for that matter, is not the same as a sysadmin having to decide when to update what.

2003-02-01 2:51 am
> It takes all of 10 seconds for me to open the control panel,
> hit windows update, wait a few secs, install the updates,
> then carry on with my day

This is true. But MS Office, SQL Server, and MS Money are some examples of Microsoft programs that need to be kept patched, but have no “automatic” update mechanism like Windows Update. If you had the latest and greatest *Windows* patches, your SQL box would still have gotten this worm, because SQL Server SP3 is a manual download, as are all the mini-patches that continually accumulate to eventually form a new service pack. In order to be on top of the updates for these programs, you’d have to subscribe to bugtraq, or check the website for every program you’re running all the time, or hope you hear about a patch through the grapevine.

2003-02-01 4:33 am
http://www.geeknewscentral.com/archives/000654.html then talk. M$ r REALLY freaking funny ppl

2003-02-01 10:08 am
With firewalling, the problem is Windows doesn’t bundle one. With Win2000 Server alone, your only options are allow all to 1433 or allow none (per NIC). Windows firewalls are expensive (and hard for IT to explain their value to Management). But so many groups need SQL replication, which isn’t easy without following MSFT’s use of port 1433. Regardless of the SQL issue, the problem was mostly basic TCP/IP flooding. The same outages could have easily occurred with an HTTP hole in IIS.

2003-02-01 12:25 pm
Well, Microsoft themselves didn’t patch their systems. The virus spread too fast, too quick, so that a lot of servers were affected. Nobody keeps in touch with the latest patches 24/7.
Besides, I found this article rather stupid. We all know from tradition that Microsoft never gets it right with the first try. Take their push for the Internet, for example – it failed horribly. By the time they got it right (Windows 98 with IE 4), 3-4 years had passed. Yes, they would get it done. But 1 year to change a big company’s corporate culture is a bit too much if you ask me.

2003-02-01 12:31 pm
Are you aware that there is the Office updates site: http://office.microsoft.com/ProductUpdates/default.aspx which is reached through the Help->Office on the Web menu option? It has an identical “analyse and update” approach to Windows Update.

2003-02-01 5:08 pm
Having announced the big security initiative over a year ago and their long-range Trusted Computing project, one would think that Microsoft would add an entire section to their site that deals with security only. A place where all updates and patches, not just for Windows, but for everything, could be downloaded. Not only that, but it could be an area to talk about security issues, tips for sysadmins on the best way to apply patches, forums where people could point out possible weak areas that need attention. As far as I know, Microsoft (like many software companies) operates (regarding this type of thing) only from their own perspective. I think something like this could help people *and* Microsoft a lot.

2003-02-01 5:50 pm
“Are you aware that there is the office updates site”

No, I was not aware of that. I quit using Office when OpenOffice.org went 1.0. Does that only work with Office XP?

2003-02-01 6:49 pm
There is already a patch for the software, so how does this prove that Microsoft’s security effort failed? It just proves that the author of the news and the guys in it are plain idiots. The MS SQL worm is shown as the proof, but how many desktop users run MS SQL? The news has no worth at all. If you want security, don’t use computers. I also loved the comment at the end that he will switch to Apple. Hehehehe.
Hey, Microsoft has security problems, so let’s switch to Apple, spend thousands of dollars, receive less, and perhaps as more people switch you will also become the target of hacker attacks, which will harm more, since Apple has no serious security policy at all. They don’t have to, since no matter what Apple does to their users, there are few users who will still use Apple.

2003-02-01 7:35 pm
You have added absolutely nothing to this discussion. If you want security, don’t use computers – what a probing and deep insight 🙂

2003-02-01 9:14 pm
I believe that it was introduced round about the time of the release of Office XP, but I note that the site includes advisories and patches for a number of different Office versions. I do think that ‘self-healing’ software is the way to go, and that MS needs to extend this to SQL Server and other products. The problem is not the number of security holes in any given piece of software – there will always be a smart individual who can find a way in to any piece of interesting code, and then package and distribute that exploit such that hundreds of others can make use of it without that skill. We are also living in a world where most computer systems do not have a full-time sysadmin at the other end of them. Thousands of small businesses depend on server-side software, the internet and communications tools for their day-to-day activities. So, to support the unskilled mass of users out there, we need to find ways of auto-patching issues as they arise. But I see other comments on sites like this that *detest* auto-update as an invasion of privacy. You weighs your risk, and you takes your choice (but if you’re leaving your machine open to the world, it’s not just yourself that you are potentially harming!)

2003-02-01 9:31 pm
I don’t know of ANY OS using a patch system as good as the Windows Update one. Heck, my XP keeps getting updated automatically and I BARELY notice the download/installation process. Can someone do better than that?