Home page logo

isn logo Information Security News mailing list archives

Microsoft Redux
From: InfoSec News <isn () c4i org>
Date: Thu, 25 Oct 2001 03:39:21 -0500 (CDT)

Forwarded from: security curmudgeon <jericho () attrition org>


Microsoft Redux
        by Carole Fennelly

It's deja-vu, all over again. 

Yet another worm attacks Microsoft servers, leading me to add yet another
article to my continuing saga on Microsoft infestations: 

"Worm Droppings"  (August, 2001)
"MS Right" (October, 2000)
"Feeding the Virus Frenzy" (June, 2000)

So why bother writing another one? Well, the difference this time is
that research and advisory group Gartner - not typically controversial
- advised (http://www.gartner.com/DisplayDocument?doc_cd=101034)
companies to consider dropping Microsoft's IIS web server in favour of
iPlanet or Apache.

I've been saying for years that we should address the root cause of
viruses and worms: poor development practices. It is much more
efficient to find and correct problems in products *before* they are
shipped to thousands of customers than to have those customers
retroactively apply patches. Obviously, no software is perfect and
sometimes patches are necessary. But, come on - Microsoft has released
over 50 security advisories this year alone. It appears that they are
outsourcing system test to the customer while at the same time
demanding that discovered vulnerabilities not be disclosed to the
public: http://www.newsbytes.com/news/01/171173.html
They can't have it both ways.

Critics of the Gartner report claim Gartner's recommendations are a
knee-jerk reaction that would cause more harm than good. It is
irresponsible to just rip out an application without justifiable
cause. This is a valid point - you should use the application that
best suits your business requirements, and not just follow the herd.

But it wasn't that long ago that many IT shops were forced to switch
to Microsoft platforms because management bought into Microsoft's
marketing claims significantly reduced administration costs.  Hey, any
college kid can run an NT machine. Cut the IT staff and get rid of
those expensive Unix geeks. Now NT administrators are suffering the
consequences of the perception that they aren't as technical as the
Unix guys. News flash: Windows administrators can and should be just
as technically savvy as their Unix counterparts. Microsoft offers no
free ride on administration, as has been clearly demonstrated.

Any software product with such a frequently repeated track record of
security problems deserves the reputation it acquires - and this is
not limited to Microsoft. For years, the Internet's most popular Mail
Transfer Agent package, sendmail, earned a deserved reputation for
poor security. Many sites chose to look at alternatives to sendmail,
having grown tired of dealing with the bug-of-the-week. Others, who
wanted the features unique to sendmail, invested time and effort to
develop the expertise to run sendmail securely.

There clearly is a serious issue with Microsoft's IIS server, and I
don't buy the argument that it's just because Microsoft is a favourite
target for hackers. It's been demonstrated on a Attrition survey
(http://www.attrition.org/mirror/attrition/os-graphs.html) and on the
Netcraft web server survey (http://www.netcraft.com/survey/)  that
Microsoft web servers do *not* dominate the market in anything but


ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

  By Date           By Thread  

Current thread:
  • Microsoft Redux InfoSec News (Oct 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]