Security Hole Striptease
Security Focus ^ | May 27, 2002 | Tim Mullen

Posted on 05/29/2002 8:21:28 AM PDT by Dominic Harr

By letting the public catch a tantalizing peek at unannounced security holes, one prolific bug-finder turns up the heat on vendors to close them.

By Tim Mullen

May 27, 2002
The success of "SQLSpida," the worm that targets MS-SQL servers set upon the Net with a blank "SA" password, is testament to how badly basic security education is still needed.

As always, I place primary blame on the administrators of these boxes: leaving the SA password blank on any installation is a rookie move. To do so on a production machine placed on the Internet is just plain stupid. You have probably guessed that my use of "primary" implies a secondary party in responsibility; and indeed it does: Microsoft.

Microsoft has been riding the fence between marketing a concept of "trustworthy computing" and delivering a product that caters to the least technically proficient common denominator. Most products have been specifically designed to allow anyone who can click "Next" to perform a successful installation, but when it comes to their defense of insecure default software settings, they have a matter-of-fact way of telling everyone that they should know better.

For instance, Microsoft knows that the default application extension mappings in IIS are deadly, and we are blamed for not removing or remapping them; yet they are all enabled by default, and one must drill down deep into the interface to turn them off. In default installations of SQL Server, the SA user can perform remote system-level functions, yet they allow the password to be blank, and they don't even give us the functionality of renaming the account. Administrators are expected to set proper ACLs on system files, but even in their Advanced Server product, Microsoft assumes the admin to be so inept that Windows Explorer hides the contents of the WINNT directory so that the user won't monkey with them.

It is time for Microsoft to start shipping products with more secure default settings, and to require a certain level of expertise from the administrators of these systems.

Vendor Notification Alerts
But safer out-of-the-box settings are not the only thing we need -- clouds continue to billow on the vulnerability landscape. Too many software vendors are so busy working on the Next Big Thing that they are unnecessarily putting their customers at risk by sitting on security patches for their current products.

If you are not familiar with David Litchfield or Next Generation Security Software, then you should be. Litchfield probably has the world record for discovering the most buffer overflows. And like many other security professionals, he won't disclose details of his exploits to the public until the vendor can release a patch.

But how long is one to wait for the vendor to get their act together? How long must customers' systems lie exposed to exploitation before a patch is released?

Last month, Litchfield discovered a remotely exploitable vulnerability in Sun's iPlanet. Though Sun has already developed a patch for this critical issue, Litchfield says, they have decided not to release it until the end of next month so it can be included in a rollup package. So much for customer service.

And if you think the current scans for SQL Server are high, you ain't seen nuthin' yet. Litchfield has also discovered a heap-based buffer overflow in SQL Server 2000 that allows an unauthenticated attacker to gain remote control over the server in the context of the SQLSERVER service. Just the mention of this type of exploit makes a blackhat's mouth water in Pavlovian response.

But even though he provided fully-functioning exploit code to Microsoft, Litchfield tells me it took them a week to respond with simple confirmation they were able to recreate the issue. This is simply unacceptable. Litchfield claims similar discoveries that even eight months later have still not been addressed by Microsoft.

Enter the Vendor Notification Alerts (VNA). Litchfield has decided to roll out an interesting vulnerability alert system somewhere between "full" and "wait for a patch" disclosure.

These VNAs will disclose the vendor and problem product, along with general exploitation protection methods, without giving away too much detail about the vulnerability itself. In this way, the heat can be turned up on the vendor and customers can be alerted to the fact that problems exist, but a blackhat won't get enough information to design an exploit.

To date, 15 such issues exist with other products, including more issues with Oracle, and can be viewed on NGSSoftware's web site.

In addition, Litchfield's "Typhon II" vulnerability assessment tool will have checks for most of these vulnerabilities built into it. Though I'm not one to make public endorsements for commercial products, I can tell you that purchasing a product that alerts you to problems vendors haven't even addressed yet is most definitely a smart thing to consider.

Any successful company knows a customer's interests should come first. If the timely distribution and maintenance of critical security patches for their products is too much for a vendor to deal with, they should get out of the software business. Hopefully NGSSoftware's VNA idea will catch on, and patch production can take priority without exposing the customer to unnecessary risk.



TOPICS: Technical
KEYWORDS: microsoft; techindex
To: Bush2000
I will grant you IIS; however, you're grossly exaggerating about SQL Server.

IIS is a piece of junk. SQLServer is barely adequate, but even a simple MYSQL instance configured right can blow it out of the water.

MS has made its sales of SQLServer by doing what y'all are doing -- fraudulently promising companies that SQLServer can compete. Then those companies get inside it, and are trapped. The ones capable of doing so migrate away from SQLServer, and a small portion -- about 20% of the market -- are stuck, locked in. Which is, of course, your plan.

MS is the Britney Spears of software. Use control of distribution channels and industry clout to sell the ignorant on low-quality product.

Certainly that's a proven successful business model. But don't go trying to sell me on the idea that cash makes quality.

41 posted on 05/31/2002 3:36:03 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 35 | View Replies]

To: Bush2000
Funny, you won't address the sodomy law issue.

Ah, you missed my entire post on the subject? I'd be happy to repeat --

Anti-trust laws like the Sherman Act are necessary to defend the free market against monopolistic control. Anyone violating them is guilty of attacking the free market. The laws are not anachronisms, they are living, vital parts of what is left of our capitalist system. The 'victim' is our capitalist free-market -- and anyone who values that market.

Which apparently doesn't include you.

Sodomy laws are a 'victimless' crime.

No parallel whatsoever. Apples and chainsaws.

42 posted on 05/31/2002 3:40:12 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 38 | View Replies]

To: Dominic Harr
That was back when MS could use coercion as a 'marketing' tactic. They didn't sell products to consumers, they went to retailers and leaned on them to offer only MS products or else suffer retaliation. This is no longer possible.

Please tell us, Harr, how Microsoft beat Lotus 1-2-3. Or Novell (a server product). Or ccMail. Or WordPerfect. Want me to go on? Did MS use coercion to beat these companies? If so, how? MS has never won a capitalist 'free-market' competition. Their products are always also-rans.

See above. Remove finger from rear-end.

When forced to compete, they don't win.

See above. Remove finger from rear.

In my experience.

And we all know how much that's worth. Zippo. Especially on matters dealing with antitrust, cryptography, and .NET.

Then again, this opinion was worth exactly what you just paid for it. Time will tell. MS certainly will not vanish. They'll remain a big company. But their control and monopolization of the tech industry is a thing of the past. And that's a good thing for capitalists.

Get used to their dominance, Harr. They'll be around long after Sun has auctioned off all their real estate and computers.
43 posted on 05/31/2002 3:55:43 PM PDT by Bush2000
[ Post Reply | Private Reply | To 39 | View Replies]

To: Dominic Harr
You're clearly not a developer.

Neither are you, crypto-boy.
44 posted on 05/31/2002 3:56:13 PM PDT by Bush2000
[ Post Reply | Private Reply | To 40 | View Replies]

To: Dominic Harr
SQLServer is barely adequate, but even a simple MYSQL instance configured right can blow it out of the water.

Stop. See a drug counselor immediately. This is your brain on drugs.

MS has made its sales of SQLServer by doing what y'all are doing -- fraudulently promising companies that SQLServer can compete. Then those companies get inside it, and are trapped. The ones capable of doing so migrate away from SQLServer, and a small portion -- about 20% of the market -- are stuck, locked in. Which is, of course, your plan.

That's SLANDER, Harr. Prove it.

MS is the Britney Spears of software. Use control of distribution channels and industry clout to sell the ignorant on low-quality product.

Again, you are the Forrest Gump of software development. I, personally, wouldn't trust you to script a web page.

Certainly that's a proven successful business model. But don't go trying to sell me on the idea that cash makes quality.

Why would we bother? You're a disciple of the Scott McNealy and Larry Ellison school of thought.
45 posted on 05/31/2002 4:00:04 PM PDT by Bush2000
[ Post Reply | Private Reply | To 41 | View Replies]

To: Dominic Harr
But don't you find sometimes that the VISA/EMS bus line often conflicts outernet drive protocols with the old style non-fiberous relay type switches? We had to re-route our routers through a null-void non-synchronous cutout on a dead terminator coil to prompt the sysadmin hardware modulator chip address forwarding failsafe backup. Then, we used the non-save high-register varm bank to reprogram the worm-chipset settings. God it was a mess! parsy.
46 posted on 05/31/2002 4:18:57 PM PDT by parsifal
[ Post Reply | Private Reply | To 40 | View Replies]

To: Dominic Harr
Denial is a dangerous place in Egypt.
47 posted on 05/31/2002 6:57:23 PM PDT by bribriagain
[ Post Reply | Private Reply | To 39 | View Replies]

To: Bush2000
Please tell us, Harr, how Microsoft beat Lotus 1-2-3.

"It ain't done until Lotus won't run".

Remember that famous line? MS used Windows as leverage against Lotus, WordPerfect, Netscape, etc, etc. Illegally, it is now clear.

So MS didn't "beat" Lotus legally.

MS has had to cheat, had to break the law. They've proven unable to win any other way.

48 posted on 05/31/2002 8:02:05 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 43 | View Replies]

To: parsifal
Uh, yeah, what you said.

With ketchup, please.

49 posted on 05/31/2002 8:03:49 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 46 | View Replies]

To: bribriagain
Denial is a dangerous place in Egypt.

I don't know, the idea that, "they won in the past, so they'll win in the future" doesn't seem very sound to begin with.

Then add in the conviction, and the coming punishments, and the business restrictions, and the lawsuits, and the current dominance of Java . . .

It's not denial. It's a sound analysis, to my eyes. There is much evidence of a tidal shift.

50 posted on 05/31/2002 8:06:33 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 47 | View Replies]

To: Dominic Harr
You can rant all you want, Harr, but the fact remains that Microsoft produces billions in revenue by making customers happy enough to continue to willingly buy their products. Sun's stock price is in the shitter because of their lousy business practices and products. Microsoft is doing very well and always has.

You cannot possibly lay claim that all their revenue, of over $40 billion, is from coercion, illegal practices, and the production of lousy products. Microsoft obviously, but not to you, makes products that work and people are willing to pay for them.

If you want to continue to lay claim otherwise, please do. CSC is a competitor to my company, and I hope you guys produce the most ridiculous proposals for your clients. I always love to win through competition, but if you want me to beat you because of your anti-Microsoft stance, by all means, please continue.

You can continue to challenge my status as a developer, but you are not my hero, and so I won't bother to try to impress you.

51 posted on 05/31/2002 9:46:19 PM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 40 | View Replies]

To: PatrioticAmerican
You can continue to challenge my status as a developer, but you are not my hero, and so I won't bother to try to impress you.

Just like with the .NET claim you made, I honestly would like to know some details about your career.

You've said that you're just so good with MS products you've never even had IIS go down on you. Never had SQLServer problems. Never had Exchange or MS Project issues.

That makes you the world's greatest living developer. I talk to lots of developers. Many, many MS developers. And everyone, and I mean everyone, has had problems with MS stuff not working as advertised.

So your claims make you the greatest living MS developer! So naturally I'd be curious to find out just a few details. What was the last project you delivered? I just finished an 'OnCall' system for our Help Desk. It has a Java applet for the front end, a servlet for the middle tier and a SQLServer 7 back end (the fella who 'owned' the data, in what he calls the 'Hawk' system, didn't know anything else, and wouldn't use anything else), which gave us several problems that MS tech support couldn't resolve. Most annoying was the way SQLServer handles joins. Then there were problems with IIS. For one thing, we had to spend an additional $800 to buy JRun so IIS could run servlets!

So what's your secret? Are you the best developer in the world? Or are you just making all this up to try and sell MS? You make amazing claims, which you seem unwilling to explain at all.

Even Bush2k can admit part of the truth about IIS, for goodness sake!

52 posted on 06/01/2002 9:01:17 AM PDT by Dominic Harr
[ Post Reply | Private Reply | To 51 | View Replies]

To: Dominic Harr
"It ain't done until Lotus won't run". Remember that famous line? MS used Windows as leverage against Lotus, WordPerfect, Netscape, etc, etc. Illegally, it is now clear.

I've seen this accusation spread repeatedly within the ABM community but I've never seen any verifiable evidence to back up such a claim. Care to prove it? Or is this just more FUD atop more FUD?
53 posted on 06/03/2002 12:57:20 PM PDT by Bush2000
[ Post Reply | Private Reply | To 48 | View Replies]

To: Dominic Harr
Software you can't see the source-code for is like food they won't let you see the ingredients list for.
It's their intellectual property. My company won't tell people precisely what's in our products either. If we did we'd be out of business...and our replacements wouldn't be Americans.

Our brains, ingenuity, and creativity give Americans advantages over the rest of the world, with its cheap labor and raw materials. We're insane if we gut the laws that allow us to protect our intellectual property.

-Eric

54 posted on 06/03/2002 1:02:28 PM PDT by E Rocc
[ Post Reply | Private Reply | To 1 | View Replies]

To: E Rocc
Hint: Harr wants MS to fail. It's that simple.
55 posted on 06/03/2002 1:08:45 PM PDT by Bush2000
[ Post Reply | Private Reply | To 54 | View Replies]

To: Bush2000
the ABM community

Heeheehee.

There it is again, any critics of MS must be bigots!

Haahaahaha!

56 posted on 06/03/2002 1:50:27 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 53 | View Replies]

To: E Rocc
It's their intellectual property.

Absolutely.

And you do agree that your customers have no way of knowing what, if any, really bad things are hidden in the software?

A company could build in all sorts of nasty things, either on purpose or on accident, agreed?

So I repeat -- software you can't review the source-code for is like a sausage that they refuse to tell you what meat is in it.

57 posted on 06/03/2002 1:52:56 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 54 | View Replies]

To: Dominic Harr
Tell us, Harr: What is so special about software that makes it unlike, say, pharmaceuticals? Drug manufacturers don't release the contents of the blueprints of their drugs to customers. Nobody disputes that their products can do great harm; nor do they dispute that they do great good.
58 posted on 06/03/2002 2:06:06 PM PDT by Bush2000
[ Post Reply | Private Reply | To 57 | View Replies]

To: Dominic Harr
Heeheehee. There it is again, any critics of MS must be bigots! Haahaahaha!

I take it from your non-response that you don't have any evidence to back up your claim. It's gotten so hard to distinguish between your lies and your occasional nuggets of truth (for example, when you say "I must have been mistaken") that it's far easier to simply apply Occam's Razor and assume the former.
59 posted on 06/03/2002 2:13:07 PM PDT by Bush2000
[ Post Reply | Private Reply | To 56 | View Replies]

To: Dominic Harr
"software you can't review the source-code for is like a sausage that they refuse to tell you what meat is in it. "

And you have the time to review the 44,000,000+ lines of code in Windows XP? Your argument makes no practical sense. Second, are you expert enough to understand the complexity of the operating system and all of its subsystems? Ya know, it is not written in Java. ;>

You don't know the metal in the frame of your car or engine, the metal of the aircraft you last flew in, or the pesticides used in that last green bean you ate, so why try to hammer Microsoft for not sharing their internal secrets?

Face it, you HATE Microsoft, and your efforts show your bias. You have stated in many ways that you want them out of business.

60 posted on 06/03/2002 2:15:09 PM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 57 | View Replies]
