
August 25, 2003

More on Trust, the Internet, and Microsoft

I've had a number of discussions since I wrote about how poor software development, Microsoft's predominantly, is the most serious threat to widespread Internet adoption (and connectivity).

A week later now, the world has a heightened appreciation for how vulnerable Microsoft's software is, and how unrealistic it is to put the burden on the end-user to patch, patch, patch, and patch again.

Patching and anti-virus can only be effective when there is enough time between the discovery of a vulnerability (or its exploit) and the moment the exploit arrives to develop the patch or virus signature file, make it available, distribute it, and make sure it gets installed (without breaking anything else). In the old days, that cycle could take months, even years, before the exploit would show up (and the exploit would still succeed, because people didn't bother to patch). In the last month, that has changed completely.

First, we had the announcement by Microsoft of the most widespread, most serious vulnerability in recent history, followed up only a month later by an exploit. A month would seem like enough time, but a process developed around a 3-, 6-, or even 9-month notice-to-patched cycle doesn't compress to a month easily. Many organizations were just mobilizing wide-scale Windows updates, after completing testing and pilot deployments of the patch, when MSBlaster hit, shortly followed by Nachi-A. They may have been able to temporarily block the ports used by these worms, but Microsoft uses those same ports for the majority of its network applications (Exchange, Windows file and print services). These organizations were reduced to complete network shutdowns and manual machine-by-machine patching.

The processes and tools (when there are tools) just aren't built to move so quickly. And the evening news doesn't report on the "potential" for a worm, they only report when the sky is falling, so most end-users didn't get the message (repeated often enough to notice) until they were already hit.

Of course, users of Linux, Unix, and Macintosh systems were only indirectly affected (by the Windows machines that were slowing down the network).

Then, in the middle of the Blaster/Nachi worm fiasco, SoBig.F was released. This was a zero-day virus, based on the previous SoBig but changed enough that existing anti-virus signatures did not detect it. The anti-virus signatures were made available only hours before SoBig.F was showing up in tens of thousands of email boxes, and the attachment was being opened by end-users confident that their anti-virus program was protecting them. And it appears that this is only the first of many iterations of SoBig that will be tested on the world's Microsoft email systems in the near future.

Of course, users of all non-Microsoft email systems were not affected, except indirectly by the dozens of emails from their Microsoft-using friends and associates.

What's the solution? It almost seems an impasse now.

If anything, it's becoming more obvious that Microsoft software has a much higher TCO in the security category than almost any other mainstream software. Maybe that's because it's a bigger target, maybe it's just worse software, but regardless, it clearly costs more to secure a Microsoft network than a network based on Novell, Linux, Macintosh, or Unix. I wonder if that is factored into Microsoft's TCO analyses.

The solutions that people are starting to implement do not look favorable for Microsoft. After a lot of networks blocked the ports (135, etc.) used by MSBlaster and Nachi-A, Exchange suddenly became one of the most cumbersome email programs to use (i.e. VPNs are being implemented at record pace). I've been involved with several organizations that are discussing further security restrictions for Microsoft-based networks, including building "walled garden" networks that put Microsoft clients on the Internet only with very strict (and less accommodating) security policies, and with more restrictive access to servers. A lot of companies and individuals running Windows for Web and email servers, as well as desktops, are seriously looking at Linux, Unix and Macintosh as more trusted alternatives, if they haven't already moved.
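The trade-off in the two paragraphs above is that a blanket block on port 135 stops the worm but also stops Exchange and file/print traffic. One defender-side alternative is to keep the port open internally and instead watch the firewall log for the worm's signature behaviour: one source fanning out to many distinct destinations on that port in a short time, which ordinary Exchange clients (many connections to one server) do not do. The script below is an added example, not code from the post; the log format, the hosts, the 60-second window and the threshold of ten distinct destinations are all constructed assumptions, and only the port number comes from the post.

```python
"""Flag sources that fan out to many distinct hosts on TCP/135 in a short window.

Added example for this post. The log line format, IP addresses, window size and
threshold below are constructed assumptions; port 135 is the one the post names.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed firewall log format (constructed): "<iso-timestamp> <ACTION> src=.. dst=.. proto=.. dport=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_fanout_sources(log_text, port=135, window_seconds=60, threshold=10):
    """Return {src: max distinct destinations seen in any window} for sources at or above threshold.

    Both ACCEPT and DROP records are counted: dropped probes still reveal a scanning host.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == port:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # sliding window over time-ordered events
        best, left = 0, 0
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:
                left += 1
            distinct = len({dst for _, dst in evs[left:right + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[src] = best
    return flagged


def _constructed_log():
    """Build a small constructed log: one scanner-like host, one ordinary Exchange client."""
    lines = []
    # Scanner-like host: one connection to each of twelve different hosts within twelve seconds
    for i in range(12):
        lines.append(f"2003-08-12T09:00:{i:02d} DROP src=10.1.1.50 dst=10.1.2.{i + 1} proto=tcp dport=135")
    # Ordinary workstation: repeated connections to the single mail server on the same port
    for i in range(6):
        lines.append(f"2003-08-12T09:00:{i * 5:02d} ACCEPT src=10.1.1.20 dst=10.1.3.5 proto=tcp dport=135")
    # Unrelated web traffic that the port filter must ignore
    lines.append("2003-08-12T09:00:03 ACCEPT src=10.1.1.20 dst=10.1.3.6 proto=tcp dport=80")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for src, count in find_fanout_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct hosts on tcp/135 within one window")
```

The check keys on the number of distinct destinations rather than raw connection volume, so the workstation talking to its one Exchange server six times is not flagged while the host sweeping twelve neighbours is. That is the property a port-level block cannot express, which is why the blocks described in the post broke Exchange.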

It's fortunate that we have so many choices and alternatives, even in a world that's almost entirely dominated by Microsoft's insecure software.

Posted by pete at August 25, 2003 12:53 PM

Comments

Your comments about sobig.f/exchange remind me of the oracle marketing fiasco when they decided to market their product to replace exchange server. Sobig.f does not exploit a vulnerability in exchange server, it exploits the client system. People who use email servers other than exchange are just as vulnerable to sobig.f if their client systems are running windows/outlook, and a VPN isn't going to help you in this regard *AT ALL*. Moving to Linux, Unix, and Macintosh isn't going to help you one bit either if you don't understand where your vulnerabilities lie and how to use that knowledge to secure your systems/networks; you'd still be a target to any script kiddie out there with half a clue, because you'd be without a clue at all.

Posted by: subsoniq at August 31, 2003 12:34 PM