From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Tue, 30 Oct 2001 06:08:33 -0800 (PST)
Subject: [iwar] [fc:Microsoft.Says."Worms".Had.Help]
Message-Id: <200110301408.f9UE8Xu05550@red.all.net>
Reply-To: iwar@yahoogroups.com

Microsoft Says "Worms" Had Help
Horvitz Newspapers Inc., 10/29/2001
http://www.antionline.com/showthread.php?threadid=121505

On the eve of launching its Windows XP operating system this Thursday, Microsoft Corp. is on the offensive about security flaws in its software. The fact that security holes or "vulnerabilities" have led to computer viruses or Internet "worms" like Code Red or Nimda, the Redmond software maker says, doesn't mean it's at fault.

Last Tuesday, Scott Culp, the manager of Microsoft's Security Response Center, posted an essay to this effect at TechNet, the company's security Web site. In it, Culp pointed a long finger of shame at certain computer security experts, claiming they are to blame for helping spread worms.

It's true: Truth is stranger than fiction. What's also true is that half the time Microsoft sets out to improve its image, it ends up making it worse. Culp's essay, titled "It's Time to End Information Anarchy," is a case in point.

For one thing, Code Red and Nimda couldn't have come into being if there hadn't been a hole in Microsoft's Internet Information Server software -- a general point that Culp openly admits. But it's not so much what he says as how he says it -- in what is a larger Microsoft security campaign aimed at combating viruses. The essay is part of a "Strategic Technology Protection Program" launched Oct. 3.

The security community, which includes both professionals at companies and hackers in white hats, exists in part to root out flaws in software, then report them to the software's maker. What Culp is up in arms about is that some security folk post step-by-step details on the Web for exploiting the flaw they've found -- before Microsoft can issue a security patch to take care of it.

"The relationship (to) the recent spate of worms is undeniable," Culp wrote. "Clearly, the publication of exploit details about the vulnerabilities" -- including ready-to-use worm code -- "contributed to their use as weapons."

The 30-odd security firms or professionals who post "exploit code" call it putting pressure on Microsoft or other software makers to act quickly to issue a patch. Culp calls it "information anarchy." To some, those words might translate as "freedom of speech."

Steve Lipner, who got promoted on Oct. 3 from security manager to the equally Orwellian "director of security assurance," said by phone yesterday that it has no more to do with freedom of speech than yelling "fire" in a crowded theater -- something that he and Culp (who was not available) point to as questionable, if not illegal, when there is no fire.

"I don't know what the First Amendment applies to," Lipner said. "But I think it's fair to call on the community of people who do computer security work to say, hey, these exploit details don't do anything but put customers at risk."

As far as issuing patches, Lipner acknowledged that Microsoft can take weeks or even months to issue a patch for a particular problem. But that, he noted, is due to the need for research and testing.

"We're not sitting on our hands drinking latte up here between the time a security vulnerability is reported to us and the time we issue a (patch)," Lipner said. "We'll check it. We'll build the patch. We'll test the patch," Lipner said, along with addressing whether other versions of Windows or Microsoft software might have the same problem. "The patches go out to thousands of customers. We can't just throw it up on the Web," Lipner said. "We have to make sure the patch solves the problem."

Microsoft isn't alone in this. Culp and Lipner point out that the operating systems of other companies have flaws just like Windows, including the open-source Linux operating system and the Solaris system made by Microsoft's arch rival, Sun Microsystems Inc.

Right about now, I can hear proponents of Linux or Solaris howling that Windows, by far, has the most holes. Lipner counters this by pointing out a recent column at a Web site called TechRepublic. In it, the author -- 30-year security consultant John McCormick -- tabulated all the security flaws reported to an online service called BugTraq. Though Windows NT 4, the older network version of Windows, topped the list with 71 vulnerabilities in 2000, McCormick notes that a RedHat version of Linux (6.2) was a close second at 65. So far in 2001, the study shows Windows 2000 much farther down the list at No. 6 -- below various versions of Linux and Solaris.

Oddly enough, the very column Microsoft is handing out urges the company to do more to protect computer systems. "All this doesn't mean that I don't like Linux or that I'm a champion of Bill Gates and his Microsoft cronies," McCormick wrote. "I believe that simply because of its vast market share, Microsoft should be feeling a tremendous responsibility to make certain that its software isn't just profitable. It should also be as secure as it can be made because any problems will have such a huge impact.

"Unfortunately," McCormick added, "the Redmond giant doesn't appear to feel that responsibility."

Not so, says Lipner. He points to a new Security Tool Kit that Microsoft will make available in the next few weeks that covers all the patches issued for Windows 2000 to date -- a sort of all-in-one that will be available for free online at www.microsoft.com/security/kitinfo.asp. It's all part of a continuing commitment to security, Lipner said, that began long before Code Red and the company's current security initiative. And "we're absolutely not trying to point fingers," Lipner added of Culp's essay. "If we're passionate about it, it just means we're passionate about protecting customers."

© 2001 Horvitz Newspapers Inc.

------------------
http://all.net/
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:58 PST