Windows Not Expected Secure Until 2011
Posted by: duke on: 08/31/2004 02:18 PM (22 comments)
Slashdot has linked to an interview in Wired Magazine with Microsoft's Security Program Manager, Stephen Toulouse.
WIRED: It's been more than a month since the first news of Download.Ject, and you still haven't issued a real fix for Internet Explorer. How long is it going to take?
TOULOUSE: The first step was to block this specific attack. The malicious software was being delivered from a server in Russia. We worked with law enforcement to get that shut down. And our product teams released an update that blocked the downloads that Ject had hacked. It was not specifically a security update for Internet Explorer. We're still working on that.
Read the remainder of the interview for yourself.
Related Stories
08/19/2004 03:24 PM: Windows XP/Windows Server 2003 64-Bit Updated by Jim_
OSNews let me know that updated builds of Windows XP/Windows Server 2003 64-Bit are now available for download. Windows XP Professional x64 Edition Customer Preview; Windows Server 2003 for 64-Bit Exten...
08/10/2004 02:20 PM: Windows XP SP2 Network Installation Package by Jim_
Hooz let me know that Microsoft has posted a link to their Network Installation Package for Windows XP Service Pack 2. They've released this to make it easier on us IT professionals who'll be installi...
08/02/2004 01:52 PM: Windows Server 2003 gets free X86-64 upgrade options by Forge
Cnet notes this morning that purchasers of Windows 2003 Server are going to get their 64bit OS for free: customers that buy a 64-bit Opteron or Xeon server and pay for a license to Windows Server 2003 ...
07/28/2004 02:09 PM: Microsoft Delays Windows XP64 by Jim_
C|Net is reporting that Microsoft will be delaying an update to Windows Server 2003 (SP1) and its first version of Windows for 64-bit processors. The software maker said Windows Server 2003 Service P...
07/13/2004 02:24 PM: Microsoft Delays Windows XP Service Pack 2 by Jim_
Microsoft's eagerly anticipated Service Pack 2 for Windows XP has been delayed again! Slashdot has the information. Microsoft has once again delayed its release of Service Pack 2 for Windows XP, thoug...
07/07/2004 09:19 PM: MS Windows XP 64-bit Edition Does not Run on Intel by Jim_
X-Bit is running a report from InfoWorld stating that Microsoft's upcoming 64-bit version of Windows XP does not run on Intel's recently released 64-bit processors. ...current beta version of Microsof...
07/07/2004 06:39 PM: Windows XP 64 Security Update by Jim_
AMDZone is reporting that Microsoft has released a security patch for Windows XP 64. Adodb.stream provides a method for reading and writing files on a hard drive. This by-design functionality is some...
06/30/2004 02:08 PM: Windows XP64 will be OEM-only! by Jim_
The Inquirer is reporting that Microsoft Windows XP64 will only be available in OEM form. No retail version of the operating system is expected. Microsoft is working on a scheme to allow people to tra...
06/16/2004 05:09 PM: Windows XP SP2 RC2 is finally out by Jim_
Lots of us have been waiting for Windows XP Service Pack 2 with bated breath for awhile now, and apparently it's at least made it to RC2! If you're brave enough to try it, you can grab it over here. ...
05/25/2004 08:22 PM: Microsoft creating Windows for supercomputers by Jim_
Hooz let me know about this story over at C|Net. Microsoft has launched an effort to produce a version of Windows for supercomputers. Trying to gain share in a market currently dominated by open-sourc...
Comment
Methos Registered User Posts: 89 Joined: 2002-12-28
I don't think that he really means that 'Windows Will Be Secure in 2011', though it does make for a good headline. Computer Security is going to be an important part of every OS's future, not just windows, and everyone had better have a long term plan for it, or they are going to find themselves sad pandas. I'd rather read that they are in year 3 of their 10 year plan than read 'Oh yeah, we fixed that shit, we is goods to go'. I'm curious to know if any of the major linux distributors have any such long term plans.
Comment
DPMitchell Retired Researcher Posts: 149 Joined: 2004-08-21
So Microsoft thinks security is a hard problem and will take years. Why is that supposed to be perceived as negative? Let's take a quick look at the CERT advisories on security vulnerabilities:
Windows - 1076 reports
Linux - 1136 reports
IIS - 171 reports
APACHE - 260 reports
This doesn't tell me that open source software is better or more safe. Windows is under heavy attack all the time, but I see no evidence that switching to Linux really solves that problem.
PS. BSD - 177 reports (grin)
Comment
rmn oh my, it's huge! Posts: 5894 Joined: 2002-01-26
How does the number of reports tell you anything about how serious they are? It's like comparing a guy with "one injury" (lost a leg) with another that has "30 injuries" (scratches and skin cuts). I agree Windows isn't particularly less secure than other operating systems, though; it usually boils down to the administrator. A known vulnerability can usually be avoided. But vulnerabilities in Windows are harder to find and understand correctly, due to its closed source nature, and therefore harder to work around.
RMN ~~~
Comment
Occupant Registered User Posts: 2405 Joined: 2002-03-04
Also keep in mind the time lag between reports and fixes. I think most Linux fixes are available in hours to days, whereas with Windows it's weeks to months... (sometimes many, many months)
Comment
AssKoala Anti-Zealot @ GATech Posts: 3302 Joined: 2002-01-02
And in many cases, they don't (completely) work the first time and take a couple weeks or months to get truly fixed. As rmn said, security is all under the care of the administrator. If you're running a system that hasn't been rebooted in two weeks, chances are it's open for attack. Security is active, not passive, no matter what operating system you're using. Note that there are security oriented projects (Gentoo Hardened, SELinux) and, of course, the BSDs (OpenBSD being the security focused OS). These have their own exploits that are occasionally found (except OpenBSD, which hasn't had a remote exploit in how long?) and as such require updating on a regular basis.
Me Webpage | If you always think like an expert, you'll always be a beginner. | "A handful of knowledgeable people is more effective than an army of fools" -Writing Secure Code, 2nd Ed.
Comment
Vuke69 Bitpimp Posts: 341 Joined: 2001-03-16
That is not an apples to apples comparison. Windows is one small, clearly defined OS, and a handful of apps and services from a single vendor. Linux is an altogether different beast. There are dozens upon dozens of different distros, and tens of thousands of apps and services included in each. Even if you just compare kernel to kernel, it's impossible. With Windows there is one kernel (per release) plus the Microsoft supplied patches to that kernel. With Linux there are literally thousands of different kernel revisions, from major revisions down to daily builds, plus many thousand more kernel patches made by whoever picks up a keyboard and fixes or enhances something.
The only somewhat fair and unbiased comparison I can think of is to take the whole of the code that would be considered part of either Windows or Linux in the eyes of CERT, and come up with either advisories per line of code, or per MB of code, or something similar, for each platform. Possibly weighted values based on severity, and remove all the duplicates (there are many dupes on the Linux side). If nothing else, it would be a generic metric for the security quality of the code. In such a comparison, I am quite confident that Windows would come out looking like a silly, insecure toy, just waiting to break.
But I must also add that just because a particular vuln is in an OS does not by any means mean that it is exploitable on any given box. A good Windows admin can lock down a Windows box just as well as a good Linux admin could a Linux box. On the other side of the coin, a lazy or incompetent admin could easily take the most secure platform possible and make it wide open in only a couple of keystrokes or mouse clicks.
The moral of the story is: it's the man that makes the security, and it's the man that can break the security. The other moral of the story is: don't take for granted that something is secure, only to have a 12 year old prove you wrong.
Turn off all unneeded services, block all unneeded ports, and guard the hell out of any services and ports you must have up/open.
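rmn's objection that a raw report count says nothing about severity, Occupant's point about the lag between a report and its fix, and Vuke69's proposal to de-duplicate, weight by severity and normalise per line of code can all be made concrete in a few lines. The Python below is an added example written for this page; it is not code from any poster, from CERT or from Microsoft. The product names "os-a" and "os-b", their line counts, the severity weights, the cut-off date and every advisory record are constructed for illustration and are not real CERT figures.

```python
"""Severity-weighted, de-duplicated advisory metric with fix lag (added example).

All names and numbers here (products "os-a" and "os-b", their line counts, the
severity weights, AS_OF and the advisory records) are constructed for
illustration and are not real CERT data.
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Assumed severity weights: a critical counts ten times a low.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}

# Assumed code-base sizes in lines, used to normalise the score.
LOC = {"os-a": 8_000_000, "os-b": 20_000_000}

# Assumed cut-off date for advisories that are still unfixed.
AS_OF = date(2004, 8, 31)

# Constructed records: (advisory id, product, severity, disclosed, fixed or None).
# ADV-0003 is listed twice on purpose, mimicking the duplicate reports the thread mentions.
SAMPLE = [
    ("ADV-0001", "os-a", "low",      date(2004, 6, 1),  date(2004, 6, 2)),
    ("ADV-0002", "os-a", "low",      date(2004, 6, 2),  date(2004, 6, 2)),
    ("ADV-0003", "os-a", "medium",   date(2004, 6, 5),  date(2004, 6, 9)),
    ("ADV-0003", "os-a", "medium",   date(2004, 6, 5),  date(2004, 6, 9)),  # duplicate
    ("ADV-0004", "os-a", "low",      date(2004, 6, 7),  None),
    ("ADV-0101", "os-b", "critical", date(2004, 6, 1),  date(2004, 7, 20)),
    ("ADV-0102", "os-b", "high",     date(2004, 6, 10), None),
]


def dedupe(records):
    """Keep the first record per (advisory id, product); repeats inflate raw counts."""
    seen, unique = set(), []
    for rec in records:
        key = (rec[0], rec[1])
        if key not in seen:
            seen.add(key)
            unique.append(rec)
    return unique


def raw_counts(records):
    """The naive 'number of reports' figure, duplicates included."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec[1]] += 1
    return dict(counts)


def weighted_per_mloc(records, loc_by_product, weights=SEVERITY_WEIGHT):
    """Severity-weighted advisories per million lines of code, after de-duplication."""
    score = defaultdict(float)
    for _adv_id, product, severity, _disclosed, _fixed in dedupe(records):
        score[product] += weights[severity]
    return {p: round(score[p] / loc * 1_000_000, 3) for p, loc in loc_by_product.items()}


def fix_lag_days(records, as_of):
    """Median days from disclosure to fix; an unfixed advisory is still open at `as_of`."""
    lags = defaultdict(list)
    for _adv_id, product, _severity, disclosed, fixed in dedupe(records):
        lags[product].append(((fixed or as_of) - disclosed).days)
    return {p: median(v) for p, v in lags.items()}


def rank_worst_first(metric):
    """Products ordered from worst to best on a 'higher is worse' metric."""
    return sorted(metric, key=lambda p: metric[p], reverse=True)


if __name__ == "__main__":
    raw = raw_counts(SAMPLE)
    scored = weighted_per_mloc(SAMPLE, LOC)
    print("raw counts:     ", raw, rank_worst_first(raw))
    print("weighted / MLOC:", scored, rank_worst_first(scored))
    print("median fix lag: ", fix_lag_days(SAMPLE, AS_OF))
```

On these constructed records the raw count ranks os-a as the worse product (five reports to two), while the de-duplicated, severity-weighted figure per million lines ranks os-b worse, because one critical and one high outweigh a handful of lows; the median fix lag is where the "hours to days versus weeks to months" argument stops being anecdote and becomes a number you can compare.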
Comment
DPMitchell Retired Researcher Posts: 149 Joined: 2004-08-21
It's a given that just looking at numbers of CERT reports doesn't tell you everything, although it's a big sample size, so it does say that on the average there is no obvious evidence that one system is intrinsically more secure than the other. I'm trying to be skeptical, not dogmatic. Microsoft says it will take years to make Windows secure, which doesn't surprise me. I don't think this means Microsoft programmers are incompetent, or that Linux programmers will achieve security any sooner. It's interesting because security is a big part of the marketing campaign for open source products. Convert, and you will not be a target of hackers. The argument never really appealed to me. It's like telling a company they won't be bombed if their employees convert to another religion.
Comment
XWRed1 Registered User Posts: 185 Joined: 2001-08-27
Or maybe a high number of reports is good? A higher number might mean more people are finding more vulnerabilities and fixing them before they are used in the wild.
Comment
stmok23 Registered User Posts: 797 Joined: 2002-02-02
Generally, more bad reports are interpreted as bad. The fewer problems the better. But this "number of reports" BS doesn't include factors discussed in this thread or previous threads relating to OSs and security. Please stop posting the numbers of CERT advisories, because they simply mean jacksh*t to folks who know what's going on. They're often used by third parties paid by MS to spread FUD to potential users wishing to use open-source solutions.
Sempron (Socket 754): 2x Abit NF8-V (nForce3 250Gb) and ASRock K8SLI-eSATA2 (ULi M1697) Dual CPU love: Supermicro P6DBE (i440BX), PIIIDRE (i840), 2x PIIIDR3 (i840), 4x ASUS P3C-D (i820), and ACorp 6A815EPD1 (i815EP) OSs?: Linux, Solaris and BSDs.
Comment
rmn oh my, it's huge! Posts: 5894 Joined: 2002-01-26
Is it? Windows NT, 98, ME, 2000, XP, some of which come in flavours of Home, Workstation, Professional, Server, Advanced Server and Datacenter, and can include different versions of IIS, MSIE and OE (which I mention because they're the main "swiss cheese" elements). True, it doesn't have as many personalities as Linux (from those 1136 reports, probably no distro suffers from more than half), but it's still quite far from a "clearly defined OS". I'm pretty sure Microsoft could make Windows "secure" (in terms of bugs, at least - some features will always be a tradeoff between functionality and security) in 4 or 5 years... if they stopped changing it. But they won't, so new bugs and new "feature-based" vulnerabilities will keep popping up.
RMN ~~~
Comment
DPMitchell Retired Researcher Posts: 149 Joined: 2004-08-21
Thanks, I was waiting for someone to suggest I was being paid by Microsoft, and to use the term "FUD".
Comment
incognito9 Registered User Posts: 314 Joined: 2002-09-17
Windows is actually expected to be secure someday? That's Great!!
Comment
Vuke69 Bitpimp Posts: 341 Joined: 2001-03-16
To some extent yes, but many of the flavours have very little difference between them. For example, the difference between XP Home and Professional is only 3-4 .DLLs; everything else is identical. The difference between the four 2k versions is somewhat larger, but not by a great margin. 2003 Server I'm not so sure about; there have got to be at least a dozen different versions, and all I have ever used is Standard. So you do have a valid point, but it would still be possible to come up with a list (yes, a very large list) of every discrete version of every file ever distributed with Windows of any version. But if that list were made, I would highly doubt that the total size would be greater than 4-5 GB. Is that an absurd amount of code? Yes, by all means. Is it more than a comparable list of Linux? No way in hell. Just to pull numbers out of my ass (I like to do that, I guess) I would guesstimate that the Linux list would be closer to the 100-150GB range, if not larger. If my head is up my ass, please, someone tell me. But I think I have a valid argument.
Also, I am in no way bashing Windows. I have been using Linux since approx 1997, and Windows not much earlier than that. DOS was my first true love. I have approx equal experience on each, and each has its strong points and its weak points. I use both at home, and I use both at work; hell, my job is getting them to play nice together. And they really do complement each other quite nicely. I do however have a couple of problems with Microsoft as a company, and some of their business tactics. But that can be the subject of a different oral bowel movement.
Comment
AssKoala Anti-Zealot @ GATech Posts: 3302 Joined: 2002-01-02
It's pretty far up there. The argument is valid only if you make things up. 100-150GB? Are you throwing in every package you can think of? Those numbers aren't for Linux + every package in a distro. Mozilla has vulnerability advisories; they don't get applied to the Linux total. Go to Secunia, OSVDB, SecurityFocus, whatever, and watch the vulnerabilities out for everything every day. You'd be surprised how many Linux kernel vulnerabilities are out regularly compared to the number of Windows kernel vulnerabilities. Windows gets attacked with separate parts; the Linux kernel alone can pull off an amazing number of holes. Checking out the source code can tip you off for that in some areas. In other words, Linux is no more secure than Windows. If you haven't installed/patched and rebuilt a new kernel in two or three weeks, chances are you've got a nice hole that needs exploiting. Security is active.
Me Webpage | If you always think like an expert, you'll always be a beginner. | "A handful of knowledgeable people is more effective than an army of fools" -Writing Secure Code, 2nd Ed.
Comment
Vuke69 Bitpimp Posts: 341 Joined: 2001-03-16
Every package in every release of every major distro, with no duplicates. That's what they count as Linux. To me, Linux is a kernel. But that wouldn't be a fair comparison either. What would you propose as a fair basis of comparison? I do however wonder where they came up with those CERT advisory numbers. For example, searching through the CERT database, I can only find 65 that even mention Apache; that's a few shy of 260. And most of them are not really for Apache; they are for third party app servers and misc modules. The more I think about it though, this is a really stupid argument. Why did I ever open my mouth (er... keyboard?) So I'm going to shut my mouth now, and stay out of the OS holy war.
Comment
Vuke69 Bitpimp Posts: 341 Joined: 2001-03-16
I second that.
Comment
sAvAgE69 Unregistered
Price of Windows license: depends on what you buy.
Price of BSD license: FREE.
Price of Linux: FREE.
Every operating system has its bugs and the fixes are out; in Linux the development and fixes do come out faster than Windows.
Comment
AssKoala Anti-Zealot @ GATech Posts: 3302 Joined: 2002-01-02
Price of time spent per hour on IRC channels and googling bug fixes, hardware support intricacies, reading manuals for Linux and BSD..... TCO isn't initial cost alone; not that the TCO of BSD or Linux is greater than Windows, only that there are far more factors involved.
Me Webpage | If you always think like an expert, you'll always be a beginner. | "A handful of knowledgeable people is more effective than an army of fools" -Writing Secure Code, 2nd Ed.
Comment
rmn oh my, it's huge! Posts: 5894 Joined: 2002-01-26
Most "TCO" studies about Windows assume that everyone knows how to use Windows, and that no-one knows how to use the alternatives. As they all become more and more similar, that argument is kind of hard to hold up. Easy issues are usually easy to solve in any OS. With more complex issues, you'll always need to spend some time investigating and learning (or pay someone to solve them for you). There's probably more information available about Windows, but most of it is more superficial, and it's much harder to contact the developers directly. I use mainly Windows because it gets the job done and runs most of the software I need or like. But if I was developing software for a specific task, or setting up a "mission critical" server, I'd probably go for Linux / BSD / QNX instead.
RMN ~~~
Comment
Big B Psychic or Psycho? Posts: 3631 Joined: 2001-07-03
No OS is 100% foolproof. No OS will ever be 100% secure. Why? Humans screw stuff up, and there will always be a security bug somewhere at some time on some OS, regardless of where it came from. It does not matter if it's Windows, Linux, *BSD, Mac OS, QNX, etc... none are perfectly secure. I don't care what anyone says, there has to be some kind of administration to keep things in check.
MSI Z97S SLI Plus. Pentium G3258 @ 4.3GHz. 8GB GSkill DDR3-2133. Seagate 320GB. WD 1TB+160GB+160GB. LG DVDRW. XFX Radeon 7850. XFX 650W PSU. CoolerMaster 212 EVO. Win 7
Comment
Kimpsu Registered User Posts: 515 Joined: 2003-01-09
But if you actually want some support for that... how much does a Red Hat Enterprise Linux AS server operating system, for example, cost? I'll tell you:
For Intel x86, Intel Itanium2, Intel EM64T, AMD64 and IBM POWER series it costs $1499 for the standard edition, and $2499 for the premium.
For IBM zSeries & s/390* standard costs $15000 and premium $18000.
*IBM zSeries & s/390 subscriptions include the ability to run and support up to 25 Enterprise Linux AS instances/images per subscription, per engine.
http://www.redhat.com/software/rhel/purchase/index.html
Comment
scythe Quad nutty Posts: 538 Joined: 2002-09-25
windows isn't secure... neither is linux... in my experience any server box with an os on it that is serving anything and is connected to the internet isn't secure and is a risk. how much of a risk is up to the systems administrator. you put up a firewall... you have a real dmz for the web stuff and you block the hell out of the stuff on the internal network. pay attention to what is going on in your network and pay especially close attention to the "how much", "where" and "when" of your network traffic. if you give a damn about or continue to argue about whose system is less/more secure you're just spending more time not paying attention to what you are being paid to pay attention to... that's just my take on it.
- Q6600 @ 3.0ghz (333x9) - 4x1gb DDR2 800 - HD4890 - Asus Maximus Formula X38 - 150GB RaptorX - Antec P180v2 w/ 550w Real Power Pro -
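scythe's "how much", "where" and "when" is, in practice, a per-host baseline: learn each source's normal hourly volume, its usual destinations and the hours it is active, then flag buckets that break any of the three. The Python below is an added example written for this page, not scythe's code or any product's. The flow log lines, the host addresses, the one-hour bucket and the mean-plus-three-standard-deviations volume ceiling are all constructed assumptions.

```python
"""'How much, where, when' traffic baseline over constructed flow records (added example).

The log lines, addresses, hourly bucketing and the k=3 ceiling are assumptions
made for illustration; nothing here is real traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed "normal" days: host 10.0.0.5 talks to 10.0.1.10 in the 09h and 10h buckets.
BASELINE_LINES = """\
2004-08-23T09:05:00 10.0.0.5 10.0.1.10 120000
2004-08-23T10:12:00 10.0.0.5 10.0.1.10 110000
2004-08-24T09:30:00 10.0.0.5 10.0.1.10 130000
2004-08-24T10:40:00 10.0.0.5 10.0.1.10 100000
2004-08-25T09:15:00 10.0.0.5 10.0.1.10 125000
2004-08-25T10:20:00 10.0.0.5 10.0.1.10 115000
"""

# Constructed day under review: a normal 09h, a huge 10h, and a 03h flow to a new address.
CANDIDATE_LINES = """\
2004-08-26T09:10:00 10.0.0.5 10.0.1.10 118000
2004-08-26T10:30:00 10.0.0.5 10.0.1.10 9500000
2004-08-26T03:00:00 10.0.0.5 203.0.113.9 40000
"""


def parse_flows(text):
    """Parse '<ISO timestamp> <src> <dst> <bytes>' lines into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def bucket(flows):
    """Aggregate per (src, day, hour): total bytes and the set of destinations seen."""
    totals = defaultdict(int)
    dsts = defaultdict(set)
    for ts, src, dst, nbytes in flows:
        key = (src, ts.date(), ts.hour)
        totals[key] += nbytes
        dsts[key].add(dst)
    return totals, dsts


def build_profile(flows, k=3.0):
    """Per source: known destinations ('where'), active hours ('when'), volume ceiling ('how much')."""
    totals, dsts = bucket(flows)
    per_src = defaultdict(lambda: {"dsts": set(), "hours": set(), "volumes": []})
    for (src, day, hour), nbytes in totals.items():
        p = per_src[src]
        p["hours"].add(hour)
        p["dsts"] |= dsts[(src, day, hour)]
        p["volumes"].append(nbytes)
    return {
        src: {
            "dsts": p["dsts"],
            "hours": p["hours"],
            "ceiling": mean(p["volumes"]) + k * pstdev(p["volumes"]),  # assumed k-sigma rule
        }
        for src, p in per_src.items()
    }


def find_anomalies(profile, flows):
    """Return (bucket label, reasons) for every hourly bucket that breaks its source's baseline."""
    totals, dsts = bucket(flows)
    findings = []
    for key in sorted(totals):
        src, day, hour = key
        reasons = []
        p = profile.get(src)
        if p is None:
            reasons.append("unknown_source")
        else:
            if totals[key] > p["ceiling"]:
                reasons.append("volume")
            if dsts[key] - p["dsts"]:
                reasons.append("new_destination")
            if hour not in p["hours"]:
                reasons.append("unusual_hour")
        if reasons:
            findings.append((f"{src} {day} {hour:02d}h", reasons))
    return findings


if __name__ == "__main__":
    profile = build_profile(parse_flows(BASELINE_LINES))
    for label, reasons in find_anomalies(profile, parse_flows(CANDIDATE_LINES)):
        print(label, ", ".join(reasons))
```

The 09h bucket passes because 118000 bytes sits under the learned ceiling (roughly 146000 on these numbers), the 10h bucket trips on volume alone, and the 03h flow trips on both a never-seen destination and an hour the host is never active; that third case is the one a volume-only threshold would miss, which is why scythe's three questions are asked together.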