
Microsoft Needs a Different Approach to Security Risks

What is Microsoft doing to close security holes as people discover and report them? If Windows NT is Microsoft's flagship product, the company ought to be guarding NT with all the resources it has, scouring all associated code to look for ways of breaking in and crashing the system. The result would be Microsoft's beating the hackers to the punch.

Unfortunately, I don't see Microsoft taking this approach. Even when handed an exploit, complete with source code, on a silver platter, Microsoft still doesn't find all the ways hackers could use the code. This lack of attention indicates that Microsoft isn't seriously trying to find new holes. GetAdmin is just one of several cases in point. Microsoft released two hotfixes for the GetAdmin exploit over the course of 10 business days and still didn't fix all the associated problems! After the second fix was released, users quickly revealed that yet another related problem could quite easily crash an NT system entirely. The egg on Microsoft's face could have been avoided with a shield of diligence.

Microsoft is merely putting out the fires as legitimate researchers and would-be intruders discover them. Microsoft's security team could be much more proactive, like fire spotters looking for smoldering problems before they get out of control.

Furthermore, contrary to popular belief, Microsoft does not always reveal all the necessary information about a particular security exploit. In fact, Microsoft sometimes understates the potential dangers. The GetAdmin attack is an example. Microsoft claims this exploit is only a local attack problem, when a hacker can easily run GetAdmin remotely if an NT system is running on a Web or Telnet server. A hacker can launch the GetAdmin attack from a remote browser by placing the GetAdmin.exe program in the IIS /scripts directory. Similarly, giving people Telnet access to an NT system means that a hacker could launch the attack using a Telnet client.

Microsoft's practice of downplaying the severity and potential of a given exploit simply must stop. This practice is placing all NT users in more jeopardy than necessary. Not completely revealing the full scope of a security exploit makes no sense. The correct information always turns up quickly on the Internet anyway, so why try to downplay security risks?
