Information Security News mailing list archives

Commentary: Microsoft lacks motivation to change security


From: William Knowles <wk () C4I ORG>
Date: Wed, 16 Aug 2000 04:38:59 -0500

http://news.cnet.com/news/0-1005-200-2528362.html?tag=st.ne.1430735..ni

By CNET News.com Staff
August 15, 2000, 1:00 p.m. PT
By Neil MacDonald, Gartner Analyst

Every week, some headline seems to call attention to a security
vulnerability in a Microsoft product. Because Microsoft's products are
so widely used, they will be the targets of more attacks, so more
vulnerabilities will come to light.

Nevertheless, Gartner believes this analysis is superficial. The
situation is far more complex, and other factors come into play,
including

* Microsoft's business model

* Bundling and "feature creep"

* Microsoft's development process

* ActiveX

* Tight integration of Microsoft's operating system (OS) and
  applications


Microsoft's business model requires perpetual change. This approach
creates an environment in which each new version of its OS and
application software has little public exposure before it gets
released into the mainstream.

The constant inclusion of new features in Microsoft's software, and
the bundling of new technologies into Microsoft's OS and application
products, have created large, monolithic applications that are
impossible to debug for all security vulnerabilities. For example, by
various estimates, Windows 2000 contains 30 million to 40 million
lines of code, and the development team involved thousands of people.

The addition of many new security technologies, however, does not mean
that Windows 2000 is fundamentally a more secure product.

Microsoft's development process has not fundamentally changed with
respect to security. Microsoft still does not make security training
mandatory for its developers. Microsoft has found that being reactive
to security works well; it quickly fixes newly identified bugs. This
approach is easier than preventing the vulnerabilities from occurring
in the first place.

For Microsoft, the top priority is getting products out the door, and
the marketing department can diffuse any security problems once a
product has shipped.

Microsoft's ActiveX programming model provides no mechanism for
"sandboxing" code, and its digital signature mechanism provides
insufficient protection for the use of ActiveX controls on the
Internet.

The tight integration of Microsoft's OS and applications has created
an environment conducive to malicious code. The highly publicized "I
Love You" worm showed how malicious code can take advantage of this
integration.

The same applies to the more recent exploits involving ActiveX. In
most cases, Windows loads ActiveX controls without user intervention.
These pieces of code can do whatever the computer user has rights to
do on the machine.

Worse, Microsoft Office documents are treated as ActiveX controls and
can load without intervention. A recent exploit documented by the SANS
Institute illustrates just how serious exploits can be that involve a
combination of Windows, Internet Explorer, ActiveX and Office.

Despite the headlines that these security exploits bring, consumers
and enterprises have not changed their purchasing patterns in favor of
more secure products. They have not voted for better security with
their pocketbooks. Accordingly, Microsoft's approach to security is
pragmatic.

Security is important to Microsoft but only to the extent that it does
not inhibit the adoption of its products. Thus, Gartner expects that
such headlines will continue to appear.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

