Microsoft’s serious commitment to security

In many recent interviews Microsoft has vowed its firm commitment to security, all the while demonstrating the exact opposite.

Case in point: On December 28th US-CERT issued security advisory VU#181038 pertaining to all versions of Microsoft operating systems. This is a 0-day vulnerability.

We all know that US-CERT generally issues advisories (at least) a few days after the initial discovery. In this case the vulnerability and the corresponding incidents were first discovered on December 27th, according to McAfee.

Upon examining the Microsoft security bulletin 912840 associated with this vulnerability you will notice that it was published December 28th, the same day as the US-CERT announcement and one day after the initial discovery. A serious vulnerability that affects ALL versions of the most widely used operating system in the world, and they wait a day to even post an advisory on their web site?

Even this isn’t what bothers me the most. What really got me was when I visited their web site trying to find more information. At present they have a giant Flash animation (it takes up about 75% of the page) containing a sunflower wearing sunglasses, set against the recognizable Windows “blue sky, green grass” backdrop, under the heading “start having fun”. So this vulnerability isn’t being displayed prominently. Let’s look closer at the front page and see if we can find a link to information on this vulnerability. Look all you want, it’s not there. No mention on the home page at all.

So let’s click on Security. It’s sure to be listed there. Once again, look all you like. You won’t find it.

No patch exists, it results in remote code execution on fully patched Windows XP, Windows Server 2003, etc., and Microsoft makes no mention of it on either their home page or their security page.

I think it’s time Microsoft stopped jawing about its commitment to security and started demonstrating it.

Common Criteria and Windows

It was just announced that MS Windows XP SP2 and Windows Server 2003 have been certified at Common Criteria Evaluation Assurance Level 4+ (EAL4+).

For those of you who don’t know, the Common Criteria is an ISO standard that was created to provide a common way of evaluating and rating security. It combines the US’s old Orange Book evaluation, the DoD’s Red Book, the Canadian CTCPEC and the EU’s ITSEC. It has seven Evaluation Assurance Levels (EALs), 1 being the lowest and 7 the highest.

Now here is where things start to get shaky. Windows has achieved 4+. Novell has had 4+ for Open Enterprise Server for some time, and it appears that SUSE and Red Hat are both going for evaluations and will likely achieve 4+.

The reason everyone converges on 4+ is that it is the highest level of certification a commercial product can realistically hope to achieve. It is this fact that makes me believe the Common Criteria is doing a disservice to the security community.

I find it hard to believe that additional security cannot be added to Windows, that it can’t be more secure than it is now. And yet we have hit a wall with the CC. What motivation does Microsoft, or anyone else, have to improve their security if they are already certified at the highest level they can possibly reach?

Windows security is a joke

All of this was gleaned from the most recent Crypto-Gram.

One person’s experience trying to secure Windows. One interesting point: after he does a clean install, he doesn’t have time to download all the security patches before his computer is infected by malware. Worth reading.

The security of your computer and your network depends on two things: what you do to secure your computer and network, and what everyone else does to secure their computers and networks. It’s not enough for you to maintain a secure network. If everybody else doesn’t maintain their security, we’re all more vulnerable to attack.

In early May, stories were written saying that Microsoft would make this upgrade available to all XP users, both licensed and unlicensed. To me, this was a very smart move on Microsoft’s part. Think about all the ways it benefits Microsoft. One, its licensed users are more secure. Two, its licensed users are happier. Three, worms that attack Microsoft products are less virulent, which means Microsoft doesn’t look as bad in the press. Microsoft wins, Microsoft’s customers win, the Internet wins. It’s the kind of marketing move that businessmen write best-selling books about.

Sadly, the press was wrong. Soon after, Microsoft said the initial comments were wrong, and that SP2 would not run on pirated copies of XP. Those copies would not be upgradeable, and would remain insecure. Only legal copies of the software could be secured.

This is the wrong decision, for all the same reasons that the opposite decision was the correct one.

This decision, more than anything else Microsoft has said or done in the last few years, proves to me that security is not the first priority of the company. Here was a chance to do the right thing: to put security ahead of profits. Here was a chance to look good in the press, and improve security for all their users worldwide. Microsoft claims that improving security is the most important thing, but their actions prove otherwise.

Microsoft admits to themselves that they suck

Quotes from an internal memo sent to Microsoft Chairman Bill Gates on February 21, 1997 by C++ general manager Aaron Contorer, a software expert:

“There is a huge switching cost to using a different operating system,” he wrote Gates.

“It is this switching cost that has given customers the patience to stick with Windows through all our mistakes, our buggy drivers, our high TCO, our lack of a sexy version at times…

“It would be so much work to move over that they hope we just improve Windows rather than force them to move,” he said.