In response to Microsoft’s latest vulnerability announcement, a group of security analysts at Gartner has released a research note that advises enterprises against using Windows Server 2003 in mission-critical applications exposed to the Internet before the second quarter of 2004.
“We may have to revise this cautious position if Microsoft fails to commit publicly to extraordinary efforts to eliminate glaring holes in its operating system,” the research note said.
The note also recommends that enterprises install the latest Microsoft patch on all PCs and servers, block vulnerable ports as they are identified, correctly configure enterprise firewalls, and install personal firewalls on all PCs and intrusion prevention software on all business-critical Windows servers. The goal: “to avoid the mass attacks that will almost inevitably attempt to exploit this vulnerability within the next few weeks.”
Richard Stiennon, vice president of research for Internet security at Gartner and one of the authors of the research note, said clients are increasingly upset when he and his fellow Gartner analysts tell them to patch and block, as they have for past Microsoft vulnerabilities.
“It is advice that is so obvious yet so difficult to do. And it often has to be done at horrendous cost,” Stiennon told the E-Commerce Times.
“One major financial institution had to go to its board of directors to approve an additional $10 million to finish this patch,” he added. “After MS Blast and the cost of patching that, it’s, ‘Here we go again,’ as new vulnerabilities are found deeply ingrained in Microsoft systems.”
Stiennon also mentioned the plight of another financial institution that was forced to take down its IT system for three weeks to patch its Windows desktop machines.
Not Just for Servers Anymore
Stiennon said that in the past, enterprises deployed firewalls mostly for servers and mobile computers, believing that desktop PCs were protected by the servers to which they were connected. Now, enterprises are deploying firewalls for desktop machines as well.
Noting that personal firewalls did a good job of thwarting worms like MS Blast, Stiennon said Gartner is recommending firewalls for all computers, including desktops.
“It is another expense, though enterprises understand that the cost is lower than repairing computers after an attack,” he said.
Additionally, Gartner’s research note stated, “Enterprises should continue to heavily weigh the cost of continually patching Microsoft products when deciding which operating system to purchase.”
Indeed, Stiennon said the latest vulnerability, along with news that a portion of Microsoft’s source code was leaked onto the Internet, has sparked debate about whether enterprises should have a diverse computing environment or rely on a monolithic solution.
“My prediction is that enterprises will think twice before installing Windows ATMs, Windows telephone systems, Windows security [systems],” he said. “Given these vulnerabilities, businesses [adding Windows machines will] have to deal with one more machine to track down and patch every month.”
The Facts of Life
However, Jim Hurley, vice president for security and privacy at Aberdeen Group, told the E-Commerce Times that the difficulty of updating Windows systems to guard against vulnerabilities depends on the degree to which an organization has automated its update process.
Hurley said the usual approach for enterprises running Windows is a central staging system that uses Microsoft’s SMS (Systems Management Server) to push patches out to client computers. According to him, the most common method works in two ways. For employees who turn on their PCs each morning, a macro built into the boot sequence patches Windows automatically. Those who leave their computers running are notified that a patch is available. Once activated, the patching process takes about two or three seconds to complete, he said.
Hurley intimated that concerns about Windows might be overstated. “Patches and vulnerabilities are a fact of life,” he said.
Seeking a Model
Indeed, Guardent CTO Jerry Brady pointed out that the computer industry, for all intents and purposes, is still maturing and has taken a while to grasp risk models.
“No one has figured out yet what the dominant model will be for managing software vulnerabilities,” Brady told the E-Commerce Times. “Something has got to break soon, because [the present commercial software models] do not fit the risk preferences that companies prefer.”
Until recently, he said, the commercial vendor model had an advantage because its source code was not accessible to hackers. Usually, vendors like Microsoft had a grace period of knowing a vulnerability existed before it could be exploited.
Now, as software becomes larger and more complex, vendors like Microsoft will have to find a different method of conducting defect management, most likely some combination of longer release cycles and more expensive software.
“No one has figured out a [product] life cycle that has made sense,” Brady said.
Meanwhile, the recent news about Windows source-code leaks demonstrates the worst elements of closed-source software, Brady said. Because using Microsoft’s proprietary code would violate the law under the Digital Millennium Copyright Act (DMCA), “the bad guys get to find out about it before the good guys.”
In contrast to Windows, Stiennon said, Linux enables computers to communicate using standard protocols that are tested in an open forum.
“The irony here is that, if Microsoft announces more vulnerabilities more quickly, they are leaking out the notion that open source is actually a better process” in defending against vulnerabilities, Stiennon said.
Gartner is fickle. They will ride the waves. If MS is popular they will tout them as the inventors of democracy and the American way. When a new worm comes out they will shun them and say they invented tornados. It’s good business for them. Almost every analyst out there today is full of crap anyway. What they want is the most print time. They say whatever is going to get them printed, because that’s more money for them. The people who you should listen to the opinions of are programmers and hackers (and crackers 😉). They sit in front of this code day in and day out. Without them there would be no computers. They are the most insightful people in the entire freakin industry, yet these idiot analysts get the print time.
Not to say I don’t think MS isn’t incompetent. They are in the 3rd year of their "secured computing initiative." These last years have been the worst in their history. And they don’t care! It’s cheaper for them to spin the story than it is to audit their code. If they _really_ cared about security, they could have secured Windows. Something as simple as a non-executable stack and randomized memory address space would significantly slow down or even stop 99% of the buffer overflow-related worms. Instead, we see worms infecting tens of millions of computers in under five minutes.
I think what was found in one of the comments of the leaked source sums up their entire attitude towards security. "may be off by -1".
On the subject of how much of the total source code was leaked, it’s 13 million lines. I don’t care if that’s 1% or 100%, 13 million lines of code is an obscene amount. Consider this: there is a generally accepted rule that there’s about one mistake per thousand lines of code. Some idiot pundits are going around saying most of the win2k holes have been closed. This is simply not true. Some of these exploits are in code that dates back to the late ’80s. Microsoft doesn’t release new products, they slap new code on top of old products. So the current versions of Windows share 90% of their code with each other. Much of this is VERY old code. If they think most of win2k’s buffer overflows have been found, I can’t wait to see the look of surprise when winsock2 is pwnd and every application that uses it is pwnd along with it.
p.s. quit it with the flash ads. I practice what I preach and use linux on the desktop; and flash for linux is awful and uses a lot of cpu time. Especially for 5 flash ads in one page. gif animations aren’t that bad. I can deal with those. What I don’t want to deal with is cpu usage jumping to 30% every time I visit your site.
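The comment above points at the bug class behind the worms the article discusses (stack buffer overflows) and the mitigations that blunt them (non-executable stacks, address randomization). As an added illustration that is not part of the article or of the comment, here is the minimal shape of that bug in C beside a length-checked version. The function names, the `account` record and the sample inputs are constructed for this example; they do not come from any Windows code.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Added illustration (not the article's or the commenter's code).
 * Names and sample inputs are constructed for this example. */

#define FIELD_SZ 16

/* Vulnerable pattern: strcpy() trusts the source length. If src is longer
 * than the destination, the copy keeps writing past it, over whatever sits
 * next to it on the stack (other locals, saved frame pointer, return
 * address). A non-executable stack and ASLR make that harder to turn into
 * code execution, but they do not remove the bug itself. */
int field_copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);   /* writes strlen(src) + 1 bytes, unconditionally */
    return 0;           /* cannot report failure: that is the defect */
}

/* Hardened form: refuse anything that does not fit, including the NUL.
 * The '>=' is the off-by-one the comment alludes to: a buffer of 16 bytes
 * holds at most 15 characters plus the terminator. */
int field_copy_checked(char *dst, size_t dst_sz, const char *src)
{
    size_t n = strlen(src);
    if (dst_sz == 0 || n >= dst_sz)
        return -1;      /* too long: fail instead of overflowing */
    memcpy(dst, src, n + 1);
    return 0;
}

/* A record with a privilege flag placed right after the name buffer, so an
 * overflow of 'name' would land on 'is_admin'. */
struct account {
    char name[FIELD_SZ];
    int  is_admin;
};

/* Returns 1 if the checked copier accepted the input, 0 if it refused;
 * 'is_admin' is untouched either way. */
int set_name_checked(struct account *a, const char *src)
{
    return field_copy_checked(a->name, sizeof a->name, src) == 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that does not. */
    const char *ok        = "alice";
    const char *long_name = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 'A's */
    struct account a = { "", 0 };
    char buf[FIELD_SZ];

    field_copy_unchecked(buf, ok);   /* benign input: works, which hides the bug */
    printf("unchecked \"%s\": copied \"%s\"\n", ok, buf);

    printf("checked   \"%s\": %s\n", ok,
           set_name_checked(&a, ok) ? "accepted" : "refused");
    printf("checked   %zu bytes: %s (is_admin still %d)\n", strlen(long_name),
           set_name_checked(&a, long_name) ? "accepted" : "refused", a.is_admin);

    /* field_copy_unchecked(a.name, long_name) with the oversized input is
     * undefined behaviour; on a typical build it overwrites is_admin and
     * then the rest of the frame. It is deliberately not executed here. */
    return 0;
}
```

The point of the checked version is that the caller learns about a rejected input; the unchecked one has no way to say no, so the only outcome for oversized data is memory corruption. Mitigations like a non-executable stack change what an attacker can do with that corruption, not whether it happens.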