Windows 2003 Gets Its First Major Security Vulnerability

Last week, I got a curious phone call from one of Microsoft's public relations firms asking whether I was available for a call later that day to discuss a recently discovered critical security vulnerability. Intrigued by the nature of the call, I agreed.

You might already be familiar with the topic of the call, which ended up being a big story late last week. Microsoft wanted to discuss Security Bulletin MS03-026 (Buffer Overrun In RPC Interface Could Allow Code Execution). The vulnerability is notable for several reasons. First, it's the first Windows Server 2003 security vulnerability that Microsoft has labeled "critical." Second, it affects virtually every Windows NT-based OS in mainstream use, including Windows 2003, Windows XP (32- and 64-bit versions), Windows 2000, NT 4.0, and NT Server 4.0, Terminal Server Edition. (On a curious side note, the bulletin notes that Windows Me isn't affected, but neither are any of the Windows 9x OSs, from what I can tell.)

So why did Microsoft want to discuss the vulnerability and resultant patch ahead of its public announcement? Well, MS03-026 is a bit embarrassing to the company, and I think it wanted to address the public relations problems the vulnerability might cause. At first glance, the vulnerability is nothing out of the ordinary: A security vulnerability in a Windows Distributed COM (DCOM) remote procedure call (RPC) interface could let an intruder gain remote access to a Windows-based system, over a network or the Internet, and run code with Local System privileges. Although no systems have yet been compromised, a well-written hack could install software; view, change, or delete data; or perform most any other action imaginable on the affected system. More information about the vulnerability and a download for the patch are available at the link below.

Aside from the serious security concerns surrounding this vulnerability, I'm more concerned with Microsoft's desire to discuss this problem and the bizarre reactions to this problem I've seen in the press and from readers. I feel that by highlighting this problem, Microsoft has needlessly drawn attention to the fact that Windows 2003 has been compromised, making that event sound more important than it is. Let me explain.

I don't think anyone honestly believed that Windows 2003 would remain unhacked forever. And I don't think Microsoft's claim of "most secure Windows ever" is unfounded, even given this vulnerability. But I don't know what the company gains from saying more than "lesson learned." One of the comments I heard during the call was that many people at Microsoft felt that the company should have found this vulnerability during the infamous 2002 Trustworthy Computing code review--when the company halted development of Windows 2003 and other products to reorganize its development methodology and look for security holes. Today, I'm told, the company has upgraded the process to look for this kind of mistake. I don't think we could expect anything less.

From a customer standpoint, any critical security vulnerability, especially one whose patch requires a system reboot, is a problem for several reasons. First, I don't think many customers yet trust Microsoft to release high-quality patches or trust that installing a patch won't cause other problems. Second, a system reboot is often expensive and disruptive. And finally, no one cares that no systems have yet been compromised; as a Windows customer, you can't help feeling like you're playing a security version of Russian roulette. No one wants to be first.

From my viewpoint, freaking out over this vulnerability, beyond any valid concerns you have about the expense and effort of rolling out the fix, isn't time well spent. Improving Windows security is an ongoing activity in Redmond, and I don't mean to be cavalier about the topic. However, if we'd all been clamoring for security during the OS wars, the office suite wars, or the browser wars, we would have gotten it. Ultimately, Microsoft is a customer-driven company that depends on its users upgrading regularly. If we don't feel that the company's latest products answer our concerns--which are now prioritized to include high security--then maybe it's time to look elsewhere. But honestly, I don't think you've any reason to believe that the security in Linux or Mac OS X is any better, unless of course you're a real gambler. Spin that wheel.

More About Windows and Antivirus

Last week's column about Microsoft and antivirus technology bundling garnered a large reader response. Unlike some articles I've written, however, the reaction was expected; the topic seems to ignite strong feelings. I don't have the exact figures, but most readers who wrote strongly agreed that Microsoft needs to offer antivirus technology and regular antivirus definition updates for free. However, a strong contingent of readers feel that Microsoft shouldn't do so for various reasons, including the fact that the company already faced serious legal problems for bundling Microsoft Internet Explorer (IE) and other products in Windows. Some suggested that antivirus technology is simply an excuse for the company's shoddy software: If Windows were well written, they argued, we wouldn't need this protection. I'm not sure I agree with that last point--I believe attackers target Windows only because it's the most popular platform. Surely Linux and the Mac OS would have similar problems if the market share picture were reversed.

I still feel strongly that antivirus protection should be a key feature of Windows Longhorn and a benefit that customers receive simply by choosing Windows. Plenty of technological precedents for adding such technology to Windows exist, and if Microsoft is serious about "trustworthy computing," few decisions could show that concern more clearly than bundling antivirus technology--for free--in Windows.

Microsoft Security Bulletin MS03-026: Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
