Security Hole Striptease
Security Focus ^ | May 27, 2002 | Tim Mullen

Posted on 05/29/2002 8:21:28 AM PDT by Dominic Harr

By letting the public catch a tantalizing peek at unannounced security holes, one prolific bug-finder turns up the heat on vendors to close them.

The success of "SQLSpida," the worm that targets MS-SQL servers set upon the Net with a blank "SA" password, is testament to how badly basic security education is still needed.
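As an added example, not from the column or from NGSSoftware, here is the kind of detection a defender could run over firewall logs to spot an internal host sweeping TCP/1433 the way SQLSpida did. The log format and the addresses are constructed for this example; only the 1433 port and the sweep pattern come from the worm's behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (hypothetical format:
# "<timestamp> <action> TCP <src>:<sport> -> <dst>:<dport>"); the addresses are made up.
SAMPLE_LOG = """\
2002-05-21T03:14:05 ACCEPT TCP 10.0.0.17:3201 -> 10.0.1.5:1433
2002-05-21T03:14:05 ACCEPT TCP 10.0.0.17:3202 -> 10.0.1.6:1433
2002-05-21T03:14:06 ACCEPT TCP 10.0.0.17:3203 -> 10.0.1.7:1433
2002-05-21T03:14:06 ACCEPT TCP 10.0.0.17:3204 -> 10.0.1.8:1433
2002-05-21T03:14:07 ACCEPT TCP 10.0.0.17:3205 -> 10.0.1.9:1433
2002-05-21T03:14:07 ACCEPT TCP 10.0.0.17:3206 -> 10.0.1.10:1433
2002-05-21T03:20:00 ACCEPT TCP 10.0.0.42:1099 -> 10.0.1.5:1433
2002-05-21T03:25:00 ACCEPT TCP 10.0.0.42:1100 -> 10.0.1.5:1433
2002-05-21T03:30:00 ACCEPT TCP 10.0.0.9:4000 -> 10.0.1.5:80
"""

LINE_RE = re.compile(r"^(\S+) (\S+) TCP (\S+):(\d+) -> (\S+):(\d+)$")


def parse(log_text):
    """Parse the constructed log format into (timestamp, src_ip, dst_ip, dst_port) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m.group(3), m.group(5), int(m.group(6))))
    return events


def find_sql_scanners(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src_ip: distinct_targets} for every source that reached at least
    `threshold` distinct hosts on TCP/1433 inside some `window`-long span.
    A legitimate client reconnecting to one server never trips this."""
    hits_by_src = defaultdict(list)
    for ts, src, dst, dport in parse(log_text):
        if dport == 1433:
            hits_by_src[src].append((ts, dst))
    scanners = {}
    for src, hits in hits_by_src.items():
        hits.sort()  # the sliding window needs chronological order
        best = 0
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= threshold:
            scanners[src] = best
    return scanners
```

On the constructed log, `find_sql_scanners(SAMPLE_LOG)` reports only 10.0.0.17, which hit six distinct servers on 1433 within two seconds; the host that reconnects to a single server twice is not flagged.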

As always, I place primary blame on the administrators of these boxes: leaving the SA password blank on any installation is a rookie move. To do so on a production machine placed on the Internet is just plain stupid. You have probably guessed that my use of "primary" implies a secondary party in responsibility; and indeed it does: Microsoft.

Microsoft has been riding the fence between marketing a concept of "trustworthy computing" and delivering a product that caters to the least common technically proficient denominator. Most products have been specifically designed to allow anyone who can click "Next" to perform a successful installation, but when it comes to their defense of insecure default software settings, they have a matter-of-fact way of telling everyone that they should know better.

For instance, Microsoft knows that the default application extension mappings in IIS are deadly, and we are blamed for not removing or remapping them; yet they are all enabled by default, and one must drill down deep into the interface to turn them off. In default installations of SQL Server, the SA user can perform remote system-level functions, yet they allow the password to be blank, and they don't even give us the functionality of renaming the account. Administrators are expected to set proper ACLs on system files, but even in their Advanced Server product, Microsoft assumes the admin to be so inept that Windows Explorer hides the contents of the WINNT directory so that the user won't monkey with them.

It is time for Microsoft to start shipping products with more secure default settings, and to require a certain level of expertise from the administrators of these systems.

Vendor Notification Alerts
But safer out-of-the-box settings are not the only thing we need -- clouds continue to billow on the vulnerability landscape. Too many software vendors are so busy working on the Next Big Thing that they are unnecessarily putting their customers at risk by sitting on security patches for their current products.

If you are not familiar with David Litchfield or Next Generation Security Software, then you should be. Litchfield probably has the world record for discovering the most buffer overflows. And like many other security professionals, he won't disclose details of his exploits to the public until the vendor can release a patch.

But how long is one to wait for the vendor to get their act together? How long must customers' systems lie exposed to exploitation before a patch is released?

Last month, Litchfield discovered a remotely exploitable vulnerability in Sun's iPlanet. Though Sun has already developed a patch for this critical issue, Litchfield says, they have decided not to release it until the end of next month so it can be included in a rollup package. So much for customer service.

And if you think the current scans for SQL Server are high, you ain't seen nuthin' yet. Litchfield has also discovered a heap-based buffer overflow in SQL Server 2000 that allows an unauthenticated attacker to gain remote control over the server in the context of the SQLSERVER service. Just the mention of this type of exploit makes a blackhat's mouth water in Pavlovian response.

But even though he provided fully-functioning exploit code to Microsoft, Litchfield tells me it took them a week to respond with simple confirmation they were able to recreate the issue. This is simply unacceptable. Litchfield claims similar discoveries that even eight months later have still not been addressed by Microsoft.

Enter the Vendor Notification Alerts (VNA). Litchfield has decided to roll out an interesting vulnerability alert system somewhere between "full" and "wait for a patch" disclosure.

These VNAs will disclose the vendor and problem product, along with general exploitation protection methods, without giving away too much detail about the vulnerability itself. In this way, the heat can be turned up on the vendor and customers can be alerted to the fact that problems exist, but a blackhat won't get enough information to design an exploit.

To date, 15 such issues exist with other products, including more issues with Oracle, and can be viewed on NGSSoftware's web site.

In addition, Litchfield's "Typhon II" vulnerability assessment tool will have checks for most of these vulnerabilities built into it. Though I'm not one to make public endorsements for commercial products, I can tell you that purchasing a product that alerts you to problems vendors haven't even addressed yet is most definitely a smart thing to consider.

Any successful company knows a customer's interests should come first. If the timely distribution and maintenance of critical security patches for their products is too much for a vendor to deal with, they should get out of the software business. Hopefully NGSSoftware's VNA idea will catch on, and patch production can take priority without exposing the customer to unnecessary risk.



TOPICS: Technical
KEYWORDS: microsoft; techindex
One of the most important issues of our day, in my opinion.

Software you can't see the source-code for is like food they won't let you see the ingredients list for.

Once upon a time, they wouldn't tell you what went into sausage, either.

Most food companies didn't want to publish ingredients lists. Because they don't have anything to gain, it's the consumer's problem if a product has defects. Never expect the fish-monger to yell, "rotten fish for sale".

Note: To answer up front the MS workers who call all criticism of MS 'MS Bashing', please note that Sun is also mentioned as taking a month too long to release a patch they have ready. This is also unacceptable, and Sun should be leaned on to improve.

Of course, considering the 8+ months which the article claims MS is sitting on even admitting that a problem exists -- forget actually getting a patch without public shame driving MS -- Sun smells pretty good by comparison.

But still Sun needs to be pushed to release patches when ready.

1 posted on 05/29/2002 8:21:28 AM PDT by Dominic Harr
[ Post Reply | Private Reply | View Replies]

To: *Microsoft, *tech_index
Keep the fire to their feet.

We had to fight for food labelling, too. This is just the latest incarnation of the same problem.

2 posted on 05/29/2002 8:23:37 AM PDT by Dominic Harr
[ Post Reply | Private Reply | To 1 | View Replies]

To: Dominic Harr
Microsoft has been riding the fence between marketing a concept of "trustworthy computing" and delivering a product that caters to the least common technically proficient denominator. Most products have been specifically designed to allow anyone who can click "Next" to perform a successful installation, but when it comes to their defense of insecure default software settings, they have a matter-of-fact way of telling everyone that they should know better.

While MS may eventually own up to newly discovered defects, what gets me is this attitude thing.

3 posted on 05/29/2002 9:03:45 AM PDT by TechJunkYard
[ Post Reply | Private Reply | To 1 | View Replies]

To: Dominic Harr
Sun smells pretty good by comparison.

LMFAO. I'm looking forward, personally, to the day that Sun is delisted from the exchange.
4 posted on 05/29/2002 9:32:34 AM PDT by Bush2000
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
IOW, you're looking forward to a spectacular Sunset...
5 posted on 05/29/2002 9:37:01 AM PDT by tracer
[ Post Reply | Private Reply | To 4 | View Replies]

To: TechJunkYard
While MS may eventually own up to newly discovered defects, what gets me is this attitude thing.

It is hard to imagine such an attitude, coming from the side we are on -- the side of honest businessmen.

But considering we're talking about a criminal enterprise who has had to break the law to sell their products, I think it makes perfect sense. They don't make their money filling customer needs; they make their money through coercion.

So their response to product defects is to try and coerce the people who know about the defects into not informing anyone of the product defects.

That's MS's "marketing" approach.

6 posted on 05/29/2002 10:10:47 AM PDT by Dominic Harr
[ Post Reply | Private Reply | To 3 | View Replies]

To: Bush2000
Truly, from your standpoint, Sun should have followed MS's lead and broken every law they could to coerce people into buying defective products.

Then again, many of us prefer an honest business to a mafia-style one, no matter how much more money the criminals make.

Besides, we'll see how well MS does over the next 5 years, now that they're going to be forced to actually obey the laws of the land, like the rest of us . . .

Ill-gotten empires tend to crumble quickly, if history is any judge.

7 posted on 05/29/2002 10:13:56 AM PDT by Dominic Harr
[ Post Reply | Private Reply | To 4 | View Replies]

Comment #8 Removed by Moderator

To: Dominic Harr
Truly, from your standpoint, Sun should have followed MS's lead and broken every law they could to coerce people into buying defective products.

Poor Sun. They whined and complained and moaned about Microsoft bundling .NET and excluding Java from Windows. And what did they do? Turned around and bundled iPlanet, J2EE, and the kitchen sink into Solaris because "middleware integration is a good idea". Go complain about broken laws to McNealy, your patron saint.
9 posted on 05/29/2002 12:00:52 PM PDT by Bush2000
[ Post Reply | Private Reply | To 7 | View Replies]

To: toddhisattva
Imagine all the MS certified people who would be unemployed if MS shipped quality product. By shipping junk, Microsoft keeps legions of pinheads somewhat employed.

Tsk, tsk. Your vitriol is simply pathetic, Toddy. Using a Mac in the corporate environment is tantamount to saying, "Would you like fries with that shake?"
10 posted on 05/29/2002 12:03:33 PM PDT by Bush2000
[ Post Reply | Private Reply | To 8 | View Replies]

To: Dominic Harr
Ill-gotten empires tend to crumble quickly, if history is any judge.

LMFAO. Crumble, my ass... MS has more cash than the top ten large-cap companies combined.
11 posted on 05/29/2002 12:05:17 PM PDT by Bush2000
[ Post Reply | Private Reply | To 7 | View Replies]

To: Dominic Harr
"Sun should have followed MS's lead and broken every law they could to coerce people into buying defective"

Instead, Sun breaks every bribery law to get politicians to beat down Microsoft instead of competing to win against them. Of course, Microsoft stands very tall despite the setting Sun, because Microsoft does have products people are willing to pay for.

Do you really think that the Windows OS is the only revenue generating product of Microsoft? Microsoft: 200+ products in 100+ countries.

P.S. I just looked at Solaris 9. Funny thing. They are including auto-update as a new feature. Considering that the feature has been around for Microsoft products for years, is Sun going to tout that as "innovation"?

12 posted on 05/29/2002 12:15:15 PM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 7 | View Replies]

To: PatrioticAmerican
Do you really think that the Windows OS is the only revenue generating product of Microsoft?

I think that MS doesn't make but a tiny fraction of their sales to consumers. 90% of MS's sales are to OEMs, retailers and corporate IT shops.

And MS is very, very guilty of using coercion to keep those from offering consumers other choices. A mountain of evidence was reviewed by MS-friendly appeals and Supreme courts.

Certainly, crime pays.

And if you're trying to sell the line that MS is the "innocent victim of a vast anti-MS conspiracy", you're going to have to go speak to other MS 'strategic partners' for sympathy.

Because pretty much everyone *not* fiscally tied to MS sees their criminal behavior!

13 posted on 05/29/2002 5:03:35 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 12 | View Replies]

To: toddhisattva
Just like the pinheads call plugging boards into a backplane "building a computer" to make it sound hard, they call their parasitic relationship to their employers "capitalism" to make it sound moral.

Kinda like how script-kiddies call VB and ASP 'programming'.

MS is the 'Brittney Spears' of software.

14 posted on 05/29/2002 5:05:05 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 8 | View Replies]

To: Bush2000
So you see no shame in blindly defending a company convicted of attacking the free market?

You do see how you're this board's MS equivalent of James Carville, I'm sure. I suppose everyone has to make a living, but I'm constantly amazed at the things some folks will do for money.

15 posted on 05/29/2002 5:15:58 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 11 | View Replies]

To: Dominic Harr
MS is the 'Brittney Spears' of software.

And I'll say it again: You're the Forrest Gump of developers.
16 posted on 05/29/2002 6:56:24 PM PDT by Bush2000
[ Post Reply | Private Reply | To 14 | View Replies]

To: Dominic Harr
So you see no shame in blindly defending a company convicted of attacking the free market? You do see how you're this board's MS equivalent of James Carville, I'm sure. I suppose everyone has to make a living, but I'm constantly amazed at the things some folks will do for money.

It's funny, Harr. When somebody pointed out their opinion that CSC had broken the law, you ignored my post over whether you'd resign on principle. Let's face it: If MS does something, you're all over them like a cheap suit; but if Sun or CSC does something, it just doesn't appear on your radar. You're a hypocrite, plain and simple. "Middleware in Windows?!? God forbid! Middleware in Solaris?!? Good!"
17 posted on 05/29/2002 6:59:42 PM PDT by Bush2000
[ Post Reply | Private Reply | To 15 | View Replies]

To: Dominic Harr
And MS is very, very guilty of using coercion to keep those from offering consumers other choices. A mountain of evidence was reviewed by MS-friendly appeals and Supreme courts.

All they had to do was ask Dell. Consumers don't want your alternative crapware. Dell tried offering Linux to consumers. Nobody bought. Sun can't even give away Java to OEMs. Theory debunked.
18 posted on 05/29/2002 7:01:34 PM PDT by Bush2000
[ Post Reply | Private Reply | To 13 | View Replies]

To: Dominic Harr
I am tied to Microsoft, but I have never been coerced into a Microsoft-only solution. I have even gone into projects with Microsoft where an Oracle or UNIX server was in play. MS wants it all, but they do play fair.

When computer OEMs were complaining that MS made them pay a fee for each computer sold, regardless of whether it had an MS OS installed, they should blame themselves. Reason? Those same OEMs were cheating in their reporting to MS of which computers had an MS OS installed in order to pay less. Hence, MS simply priced DOS as a flat cost per computer sold. MS even lowered the price per computer.

These facts are never presented in the anti-MS argument.

19 posted on 05/30/2002 8:04:58 AM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 13 | View Replies]

To: Bush2000
When somebody pointed out their opinion that CSC had broken the law, you ignored my post over whether you'd resign on principle.

When they pointed that out, I agreed that the behavior was wrong and that CSC should be punished.

It's very interesting how the people tied to MS react -- deny everything, ignore the conviction, continue to support the crime and the criminals.

Point blank -- y'all don't care that your corporate sugar daddy is not an honest business. As long as they have money, they can pay you to ignore the law, the ethics and normal common sense. You're no different than James Carville, Paul Begala, etc.

You'd defend Osama Bin Laden, if he paid you. Disgusting, but it *is* a free country, even for the criminals.

20 posted on 05/30/2002 8:12:31 AM PDT by Dominic Harr
[ Post Reply | Private Reply | To 17 | View Replies]
