Re: Microsoft finally acknowledges the security drumbeats
From: Philip J. Koenig (See_email_@ddress_below.This_one_is.invalid)Date: 01/29/02
- Next message: John R Pierce: "Re: Microsoft finally acknowledges the security drumbeats"
- Previous message: phn@icke-reklam.ipsec.nu: "Re: Source Code Malicious Code Analysis"
- In reply to: Roger Marquis: "Re: Microsoft finally acknowledges the security drumbeats"
- Next in thread: John R Pierce: "Re: Microsoft finally acknowledges the security drumbeats"
- Reply: John R Pierce: "Re: Microsoft finally acknowledges the security drumbeats"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Philip J. Koenig <See_email_@ddress_below.This_one_is.invalid> Date: Tue, 29 Jan 2002 11:37:13 -0800
In article <kfC58.14480$TI3.144252@typhoon.sonic.net>, not-for-mail@roble.com
(Roger Marquis) writes...
> In comp.security.unix Alun Jones <alun@texis.com> wrote:
> >> http://catless.ncl.ac.uk/Risks/21.82.html#subj6
> >IE6 is an app, not part of the operating system. It does not run at elevated
> >privilege levels, and is not a part of the architecture of the OS.
>
> Again, your definition of what constitutes the operating is
> non-standard. Even Microsoft has said that IE is part of the OS. Have
> you tried removing it? Can you use any recent version of Windows
> without it?
Microsoft tried that tact during the anti-trust trial and it was
debunked. Go see www.98lite.net sometime for details. (I don't
know about W2k/XP.. but Microsoft's attempt to further embed IE
into the OS has as much to do with marketing objectives vis-a-vis
the antitrust trial as anything else)
> >Be careful to distinguish that from blanket descriptions of "Windows
> >XP" or "the OS", which are often used to describe the operating system, all
> >drivers that come with it, all applications that come with it, and often
> >anything even remotely related.
>
> The term OS is inclusive because that's the way Windows is designed.
> Even accepting your rhetorical and inaccurate description of OS the
> problem is clear: the OS fails to enforce adequate protection between
> system and user space (memory, disk, devices).
I think Alun makes a good point. If the security problems go
away when removing IE, or by fixing bugs in a certain driver,
then it may not be the doom scenario you paint that the OS is
un-fixable. Win2K/XP is probably a decent foundation if they
lock down all the scripting/uPnP/IE/etc stuff and start doing
more scrutiny on security, buffer overflow issues, public
disclosure, etc.
> Microsoft made a design decision to run UPnP with full administrator
> privileges in order to limit context switching and increase
> performance. It's the same fundamental architectural flaw that gives
> IIS full administrator privileges. It's one of several fundamental
> architectural flaws that Microsoft has not indicated they have any
> intention of changing. That's why the recently security directive /
> press release has not been taken seriously by the information security
> community.
If processes like IIS running with admin priveleges is the
issue, then I don't see what's so difficult about changing this,
or by giving admins an option how they want to run it. I doubt
it takes an OS rewrite to accomplish such a thing.
Furthermore, to imply that "everyone in the security community
agrees" about their announcement is facetious.
I have no doubt the letter from Gates to employees was "leaked
on purpose" as a PR ploy, but that doesn't mean they aren't
going to do anything, or that they can't do anything with
what they have. I think a lot can be improved with an attitude
change, and the recent Nimda/CodeRed/Sircam/bla bla bla stuff
has now started to turn the PR tide against them. If there is
one thing MS is sensitive to, it's public perception. Pity it
takes people getting to the end of their rope this way for them
to take the problem seriously (and pity the MS lemmings take so
long to wakeup and smell the coffee), but I do suspect there
is going to be some somewhat new priorities over there now
that they're starting to see it hit them in the bottom line.
There have been many very very simple no-brainer things that
MS could have done in the past to improve the situation, and
which they have now belatedly done. The "IIS lockdown tool"
comes to mind. Under the category of "duh", it sets the IIS
default settings to something without everything turned on.
They should have shipped IIS that way by default 5 years ago.
Another are the "security rollup" patches. This nonsense of
having to wade through piles of poorly-organized junk in
order to figure out what to patch, and do every one of them
separately (rebooting the #*(%&#*$#$ machine after every one)
is ridiculous. Like various other vendors, MS apparently
figures if they make it hard to ascertain out how many patches
they've released, dummies will be fooled into thinking the OS
is more bug-free than it really is. If they are really "getting"
it, they will dump this nonsense, and stop doing things like
constantly screwing around with file versions and dates to
keep people confused, etc.
-- Philip J. Koenig The Electric Kahuna Organization [anti-spammed] ----------------Computers & Communications for the New Millennium------------- * To send email, remove numbers and spaces: pjkunet64 @ ekahuna27 . com * * Email Blacklists: stop using innocent users as pawns. * * Simple answers are for simple minds. Try a new way of looking at things. *
- Next message: John R Pierce: "Re: Microsoft finally acknowledges the security drumbeats"
- Previous message: phn@icke-reklam.ipsec.nu: "Re: Source Code Malicious Code Analysis"
- In reply to: Roger Marquis: "Re: Microsoft finally acknowledges the security drumbeats"
- Next in thread: John R Pierce: "Re: Microsoft finally acknowledges the security drumbeats"
- Reply: John R Pierce: "Re: Microsoft finally acknowledges the security drumbeats"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
