Security UPDATE, Web exclusive, May 21, 2003
Microsoft recently launched the Windows Server 2003 OS. It's probably the company's best effort to date at rolling out a secure product. So far, no one has reported security problems with the new OS, but it's still early. Attackers haven't yet hammered on Windows 2003 enough to determine whether its armor has chinks.
However, Microsoft's effort to establish itself as a maker of trustworthy computing products has encountered some other difficulties. As you'll learn from the news story "Hotmail and .NET Passport Open to Account Theft?" in this week's Security UPDATE, Microsoft Passport has an exploitable vulnerability. The Passport problem's simplicity shows that developers didn't think broadly enough about how attackers might try to subvert Passport security. Microsoft has corrected the problem, which is good--but I'm sure Passport account holders wonder whether the service contains other problems.
The NTBugtraq mailing list recently brought to light a second trustworthiness problem--with the Windows Update service. Countless users rely on the service to obtain patches for their Microsoft products. On May 12, Bob Terry posted a message to the list stating that while he was patching systems, Windows Update began reporting back to his systems that no updates were available. He wondered whether the service was down.
NTBugtraq Editor Russ Cooper posted a reply stating that many other users were reporting similar problems. After comparing notes with other users and checking further, Cooper posted another message to the list that summarizes his findings. He discovered that many users had to tweak various aspects of their systems and perform secondary or tertiary checks to determine whether their systems were up-to-date. Below you'll find what Cooper had to say, excerpted for brevity (or you can read Cooper's entire post \[http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0305&L=ntbugtraq&F=P&S=&P=4505\]). "For at least the past several days, Windows Update has been providing consumers with false information. Windows Update users would connect \[and\] initiate the scan. \[The scan\] would complete and inform \[users that\] their system needed no patches. Wonderful, a clean bill of health, or so the consumer thought.
"In reality, some flaw in the Windows Update process has led it to conclude that a system in need of critical security patches is instead clean and good to go on the Internet. In other words, if the security check fails, tell consumers they're just fine and don't need anything ...
"You wouldn't believe the number of individual \[reports about problems with Windows Update\] I've received. No doubt Microsoft receives far more than I do. I can't believe that huge corporations are having the problems they are, nor can I believe they haven't received a reasonable answer from Microsoft as to why the problems exist ...
"If \[those at Microsoft were\] serious about beginning to tackle the trustworthiness of Microsoft, they'd have done something a year ago when I first called Windows Update a dog. See for yourself, look at my previous musings \[http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0204&L=ntbugtraq&F=P&S=&P=6886; http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0204&L=ntbugtraq&F=P&S=&P=6990\], then tell me what's been fixed or improved. If, like me, you see nothing ... then the Trustworthy Computing Initiative once again gets an 'F'."
Cooper makes some reasonable observations and valid points. If Windows Update doesn't behave properly, Microsoft should return a message stating that the service is experiencing a problem instead of returning the ambiguous message "no updates available."
The Passport vulnerability and the Windows Update errors seem to reveal a lack of perspective on Microsoft's part. Granted, software will continue to have flaws. However, if we're to trust Microsoft's secure computing initiative as the company undoubtedly wants us to, then Microsoft's software and services must become more secure--and that security includes being more informative.
What do you think? Is Trustworthy Computing trustworthy yet? Send me an email with your thoughts and experiences.