Microsoft chief software architect Bill Gates claimed this week that his company has made great security strides, responding quickly enough to the increasing threat of attackers who are now using automated techniques to strike more quickly at exposed Windows systems.
Gates pointed to improvements in the time it has taken Microsoft to respond to significant security issues, as well as improvements to defense measures that will be rolled out in the upcoming months — primarily default enablement of the Windows XP firewall and automatic update features.
However, security analysts agreed that as far as Microsoft has come, the company has just as far to go before Windows systems are secure. During a speech in Australia, Gates sang the praises of Microsoft’s efforts to screen out spam and urged the use of firewalls, saying that the Internet must be made as reliable and secure as other “utilities.”
In response to this comment, Gartner research vice president Richard Stiennon said that the Internet is far from being a utility. “It has still got an aspect of the wild west to it, with thousands of providers and no standards body to come together on how to approach things,” Stiennon told TechNewsWorld.
“It’s also reactive, as organizations and groups do take the appropriate action when necessary, but it’s a growing, living organism and it’s still going to catch colds and have rotting parts that fall off and die.”
Matter of Time
Pointing to the average 100 days to fix a security hole in other operating systems, Gates claimed that Microsoft had dramatically reduced its turnaround time on Windows vulnerabilities to fewer than 48 hours.
Gates blamed lack of firewalls and strong passwords for security breaches, and said Microsoft must reduce the number of security updates for Windows to one or two per year.
However, Stiennon warned of the testing required and the potential side effects of the security-focused Windows XP Service Pack 2, and said that the short time attackers now need to leverage exploits is worrisome.
“The concern is that the exploit will be available before Microsoft knows about it,” Stiennon said. “Right now, they’re relying on third parties.”
“So far, the perception out there is that they’re actually slow,” Stiennon added, referring to Microsoft’s talk of SP2 since last winter, but no announced release date.
While Gates can claim some success with Microsoft’s quickened security response and new, monthly security-update schedule — praised for reducing the burden of a constant and confusing stream of patches — Microsoft’s Internet Explorer continues to be an avenue of attack against Internet users.
Last week, Microsoft Internet Information Services (IIS) servers were compromised to deliver malicious code to visitors of those infected sites. The Russian group’s site that was spreading the code was taken down before the attack could spread significantly, but security experts expressed concern over the new tactic.
“They’ve developed a new trick to hit fully patched IIS boxes, and if you go to a malicious Web site, it can infect at will and it’s silent,” iDefense director of malicious code intelligence Ken Dunham told TechNewsWorld. “What’s interesting about the IIS incident is that somehow they were able to hack into boxes of some very big companies. Nobody knows how they got into those boxes.”
Dunham said that two things — the availability of malicious source code that allows attackers to “cut and paste” dangerous code, and the rapid escalation of vulnerabilities, particularly with Explorer — have combined to put users and the Internet at large at greater risk.
Dunham said that last week’s IIS attacks bordered on chaos. Security experts had a difficult time figuring out the attack, determining whether customers were hit and what vulnerabilities were being exploited. The security expert added that Microsoft has made efforts to improve its software, pursue attackers and strengthen defense, but more effort is needed.
“They’ve taken many steps in the right direction, but they have many more to take,” Dunham said. “It’s a huge undertaking.”