Re: Microsoft finally acknowledges the security drumbeats

From: Alun Jones (alun@texis.com)
Date: 01/28/02 

From: alun@texis.com (Alun Jones)
Date: Mon, 28 Jan 2002 19:52:51 GMT

In article <hch58.14066$TI3.138576@typhoon.sonic.net>, Roger Marquis
<not-for-mail@roble.com> wrote:
>In comp.security.unix Alun Jones <alun@texis.com> wrote:
>>Can I ask you again to outline the "fundamental architectural" faults in
>>Windows NT/XP? Don't give me that marketing crap about "Internet Explorer is
>>part of the operating system". I could say that my car is part of my house,
>
>Perhaps it would be easier to do a google search on xp and security:
>
> FBI agency's Web site urges users to disable source of security
> flaw despite Microsoft's patch.
> http://www.pcworld.com/news/article/0,aid,77424,tk,dn122601X,00.asp

Security issue in driver; not OS or OS architecture.

> Office XP, Windows XP may send sensitive documents to Microsoft
> http://catless.ncl.ac.uk/Risks/21.82.html#subj4

Sending a core dump to the manufacturer of software, so that they can find and
fix the bug that caused the dump, must, by its very nature, include the entire
contents of memory. The same is true under Unix, and any other operating
system. Simple example - let's say the program crashes only when you type the
phrase "Fred sucks". Now, whether "Fred sucks" is a corporate secret or not,
you _have_ to provide that information to the vendor in order for them to find
the bug.

Choosing to avoid this is simple enough - you click the "Don't send" button.

> P3P, IE6 and Legal Liability
> http://catless.ncl.ac.uk/Risks/21.82.html#subj6

IE6 is an app, not part of the operating system. It does not run at elevated
privilege levels, and is not a part of the architecture of the OS.

> Latest Windows versions vulnerable to unusually serious hacker
> attacks http://abcnews.go.com/wire/SciTech/ap20011221_410.html

Again, the UPnP driver bug. Not an OS or architecture flaw. Drivers operate
at elevated privilege levels to access hardware; flaws in drivers _are_
serious, but not indicative of flaws in the OS or its architecture.

> Latest Version Of Microsoft Operating System Has Serious Flaws
> http://www.cbsnews.com/now/story/0,1597,322005-412,00.shtml

Again, the UPnP driver bug. Why are you posting several cites of the same
flaw as if it were some indication that there are several flaws?

> FBI urges further steps to safeguard Windows XP
>
> http://www.cnn.com/2001/TECH/internet/12/23/microsoft.hackers.ap/index.html

404 compliant - but I presume this is yet another reference to UPnP.

>Or, to quote Schneier:
>
> UPnP is a complex set of protocols to support ad hoc
> peer-to-peer networking. Even though no one uses it, it's
> installed in a bunch of Microsoft OSs. Even though no one
> needs it turned on, sometimes it's turned on by default. This
> kind of "feature feature feature" mentality, without regard to
> security, means this kind of thing is going to happen again and
> again. Until software companies are held liable for the code
> they produce, they will continue to pack their software with
> needless features and neglect to consider their associated
> security ramifications.

Again, the UPnP flaw is a driver problem, not an OS problem.

>and:
>
> Honestly, security experts don't pick on Microsoft because we
> have some fundamental dislike for the company. Indeed,
> Microsoft's poor products are one of the reasons we're in
> business. We pick on them because they've done more to harm
> Internet security than anyone else, because they repeatedly lie
> to the public about their products' security, and because they
> do everything they can to convince people that the problems lie
> anywhere but inside Microsoft. Microsoft treats security
> vulnerabilities as public relations problems. Until that
> changes, expect more of this kind of nonsense from Microsoft
> and its products. (Note to Gartner: The vulnerabilities will
> come, a couple of them a week, for years and years...until
> people stop looking for them. Waiting six months isn't going
> to make this OS safer.)

Again, this doesn't say that the flaw is in the architecture of the operating
system. Be careful to distinguish that from blanket descriptions of "Windows
XP" or "the OS", which are often used to describe the operating system, all
drivers that come with it, all applications that come with it, and often
anything even remotely related. I respect Bruce Schneier enough to think that
he is using the term "OS" to describe anything that comes on the Windows XP
disk, simply because that's easier than using a full description of OS, apps,
drivers, optional components, etc.

> Advisories:
> <http://www.eeye.com/html/Research/Advisories/AD20011220.html>

UPnP again.

> <http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm>

UPnP again.

> <http://www.cert.org/advisories/CA-2001-37.html>

UPnP again - you're wasting my time.

> <http://www.microsoft.com/technet/security/bulletin/MS01-059.asp>

UPnP once more. What is this, shout the same thing over and over, and
eventually it'll become something it isn't? The UPnP flaw is a driver flaw,
not an OS design flaw.

> Gartner commentary:
> <http://news.cnet.com/news/0-1003-201-8254545-0.html?tag=prntfr>

What a surprise! Another link to description of the UPnP flaw.

> Forno's commentary:
> <http://www.infowarrior.org/articles/2001-15.html>

Do I even need to check this one? No, it's about UPnP again.

I asked, quite specifically, for backing to your assertion that the OPERATING
SYSTEM and its design were fundamentally flawed and required redesign and
rebuilding. As an answer, you've told me that a device driver and an app are
flawed; device drivers and apps are not the operating system. You've also
told me that it's a potential release of information to release information.
Duh. What you have not told me is whether or not you have any supporting
information as to your assertion that the Windows NT design is fundamentally
unsecure. It may very well be, and if it is, then I'm one of many people who
needs to know about it. But I'm far from comfortable with you playing
"Chicken Little". All you've pointed to so far is that there is rain.

Alun.
~~~~

[Note that answers to questions in newsgroups are not generally
invitations to contact me personally for help in the future.] 

-- 
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.