
Regulation of Security Professionals and Nondisclosure...





http://slashdot.org/comments.pl?sid=22710&cid=2444955

Don't you dare hack .net (Score:5, Interesting) 
by wedogs (jonhart_99@yahoo.com) on 3:51 18th October, 2001
(#2444955) 
(User #96591 Info | http://slashdot.org/) 

 Culp says? 
"First, let's state the obvious. All of these worms made 
use of security flaws in the systems they attacked, and 
if there hadn't been security vulnerabilities in Windows®,
Linux, and Solaris®, none of them could have been written. 
This is a true statement, but it doesn't bring us any 
closer to a solution. While the industry can and should 
deliver more secure products, it's unrealistic to expect 
that we will ever achieve perfection. All non-trivial 
software contains bugs, and modern software systems are 
anything but trivial. Indeed, they are among the most 
complex things humanity has ever developed. Security 
vulnerabilities are here to stay." 

In the above argument, Culp uses truth to validate 
fallacy. It's true that no code is perfect. It's 
false that security will improve by mandating gag orders. 

More to the point, Microsoft is especially frustrated 
with flaws being exposed in their code. Frankly, I 
believe the hacks associated with Microsoft products 
differ fundamentally from the flaws discovered in 
Solaris and Linux. When a Linux exploit is discovered, 
hackers and maintainers consider it a design flaw. 
Therefore, exploits are generally fixed pretty fast 
on Linux -- usually within a few days. The same is 
true for Solaris. 

Apparently, however, Microsoft does not consider 
certain exploits to be design flaws. Sometimes, 
hackers simply leverage "features" (e.g. undocumented 
APIs) that Microsoft deliberately designed into their 
applications and/or systems. 

Microsoft applications tend to execute arbitrary code. 
In other words, Microsoft deliberately empowers IIS, 
Exchange, Internet Explorer, Outlook and certain 
Office applications to execute unchecked commands 
fed over the Internet. Once hackers discover these 
(badly!) hidden APIs, it is only a matter of time 
before someone sends you an email which does 
something nasty to your computer. 

Interestingly, despite these obvious security 
issues, Microsoft wants their programs to execute 
arbitrary code. Remember the Microsoft Word viruses?
Remember the Excel viruses? Heck, email viruses were 
fiction until Exchange and Outlook... 

Microsoft has had years of experience and feedback since 
the first MS-Word virus. Obviously, they understand the 
risks of allowing applications to execute arbitrary 
code. Nevertheless, they continue to build this ability 
into all their major products. 

In fact, arbitrary code execution appears to be one of 
the core technologies behind Microsoft's .NET initiative. 
I suspect this is why Microsoft was so reluctant to 
repair the security flaws within IIS. Code Red and 
Nimda exploit APIs that Microsoft intends for their 
.NET initiative. Disabling these APIs would cripple 
.NET. Therefore, Microsoft did not fix IIS until they 
could re-think the design of .NET. 

Culp states that vulnerabilities are here to stay. Most 
likely, .NET will reinforce his point. Given their 
track record, I expect .NET to be Microsoft's magnum 
opus of security deficiency. 

At this late stage, re-designing .NET is out of the 
question. I guess Culp feels controlling what the
world is allowed to communicate about .NET is easier. 
-- 
Kristian Köhntopp, NetUSE AG, Dr.-Hell-Straße, D-24107 Kiel
Tel: +49 431 386 435 00, Fax: +49 431 386 435 99