Free Republic


Security Hole Striptease
Security Focus ^ | May 27, 2002 | Tim Mullen

Posted on 05/29/2002 8:21:28 AM PDT by Dominic Harr


By letting the public catch a tantalizing peek at unannounced security holes, one prolific bug-finder turns up the heat on vendors to close them.

By Tim Mullen

May 27, 2002
The success of "SQLSpida," the worm that targets MS-SQL servers set upon the Net with a blank "SA" password, is testament to how badly basic security education is still needed.

As always, I place primary blame on the administrators of these boxes: leaving the SA password blank on any installation is a rookie move. To do so on a production machine placed on the Internet is just plain stupid. You have probably guessed that my use of "primary" implies a secondary party in responsibility; and indeed it does: Microsoft.

Microsoft has been riding the fence between marketing a concept of "trustworthy computing" and delivering a product that caters to the lowest common denominator of technical proficiency. Most products have been specifically designed to allow anyone who can click "Next" to perform a successful installation, but when it comes to their defense of insecure default software settings, they have a matter-of-fact way of telling everyone that they should know better.

For instance, Microsoft knows that the default application extension mappings in IIS are deadly, and we are blamed for not removing or remapping them; yet they are all enabled by default, and one must drill down deep into the interface to turn them off. In default installations of SQL Server, the SA user can perform remote system-level functions, yet they allow the password to be blank, and they don't even give us the functionality of renaming the account. Administrators are expected to set proper ACLs on system files, but even in their Advanced Server product, Microsoft assumes the admin to be so inept that Windows Explorer hides the contents of the WINNT directory so that the user won't monkey with them.
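To make the SQL Server complaint concrete, here is the default state the column describes beside the Transact-SQL that closes it. This is an added example, not code from the column or from Microsoft; it assumes a SQL Server 2000-era server (where sp_password, sp_grantlogin and sp_addsrvrolemember are the available procedures and the sa account cannot be renamed), and the password value and the DOMAIN\SqlAdmins group are placeholders.

```sql
-- Default SQL Server 2000 state the column describes: sa exists, is a member of
-- sysadmin, and its password is blank, so anyone who can reach the server on its
-- default port (TCP 1433) can log in as sa. There is nothing to "set" for that;
-- it is what a Next-Next-Finish installation leaves behind.

USE master;

-- Fix 1: give sa a strong password. @old is NULL because the current one is blank.
-- (Placeholder value; substitute a long random secret kept outside this script.)
EXEC sp_password @old = NULL, @new = 'REPLACE-WITH-LONG-RANDOM-SECRET', @loginame = 'sa';

-- Fix 2: stop using sa for day-to-day administration, since it cannot be renamed
-- in this version. Grant a Windows group server access and sysadmin membership so
-- that sa never needs to appear in a connection string.
-- (DOMAIN\SqlAdmins is a placeholder group name.)
EXEC sp_grantlogin 'DOMAIN\SqlAdmins';
EXEC sp_addsrvrolemember 'DOMAIN\SqlAdmins', 'sysadmin';
```

Run this once as a sysadmin on each affected server. Setting the sa password is the control that would have stopped the worm the column opens with; moving administrators to a Windows group is what keeps the unrenamable account out of everyday use afterwards.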

It is time for Microsoft to start shipping products with more secure default settings, and to require a certain level of expertise from the administrators of these systems.

Vendor Notification Alerts
But safer out-of-the-box settings are not the only thing we need -- clouds continue to billow on the vulnerability landscape. Too many software vendors are so busy working on the Next Big Thing that they are unnecessarily putting their customers at risk by sitting on security patches for their current products.

If you are not familiar with David Litchfield or Next Generation Security Software, then you should be. Litchfield probably has the world record for discovering the most buffer overflows. And like many other security professionals, he won't disclose details of his exploits to the public until the vendor can release a patch.

But how long is one to wait for the vendor to get their act together? How long must customers' systems lie open to exploitation before a patch is released?

Last month, Litchfield discovered a remotely exploitable vulnerability in Sun's iPlanet. Though Sun has already developed a patch for this critical issue, Litchfield says, they have decided not to release it until the end of next month so it can be included in a rollup package. So much for customer service.

And if you think the current scans for SQL Server are high, you ain't seen nuthin' yet. Litchfield has also discovered a heap-based buffer overflow in SQL Server 2000 that allows an unauthenticated attacker to gain remote control over the server in the context of the SQLSERVER service. Just the mention of this type of exploit makes a blackhat's mouth water in Pavlovian response.

But even though he provided fully-functioning exploit code to Microsoft, Litchfield tells me it took them a week to respond with simple confirmation they were able to recreate the issue. This is simply unacceptable. Litchfield claims similar discoveries that even eight months later have still not been addressed by Microsoft.

Enter the Vendor Notification Alerts (VNA). Litchfield has decided to roll out an interesting vulnerability alert system somewhere between "full" and "wait for a patch" disclosure.

These VNAs will disclose the vendor and problem product, along with general exploitation protection methods, without giving away too much detail about the vulnerability itself. In this way, the heat can be turned up on the vendor and customers can be alerted to the fact that problems exist, but a blackhat won't get enough information to design an exploit.

To date, 15 such issues exist with other products, including more issues with Oracle, and can be viewed on NGSSoftware's web site.

In addition, Litchfield's "Typhon II" vulnerability assessment tool will have checks for most of these vulnerabilities built into it. Though I'm not one to make public endorsements for commercial products, I can tell you that purchasing a product that alerts you to problems vendors haven't even addressed yet is most definitely a smart thing to consider.

Any successful company knows a customer's interests should come first. If the timely distribution and maintenance of critical security patches for their products is too much for a vendor to deal with, they should get out of the software business. Hopefully NGSSoftware's VNA idea will catch on, and patch production can take priority without exposing the customer to unnecessary risk.



TOPICS: Technical
KEYWORDS: microsoft; techindex
To: Dominic Harr
"MS stuff not working as advertised."

You stretch the truth again, Harr. I said that I have never had a Microsoft product fail to the point that it was unusable. Sure, I have had IIS crash, and Exchange crash, but I have also had the UNIX mail servers crash and Apache bit the dust. Never have I had to abandon a project using a Microsoft product.

You have twisted what I said to become a lie. Again, you lie because you are afraid to face reality, and that reality is that Microsoft is competing in the industry like it never has before. .NET SCARES you to death.

61 posted on 06/03/2002 2:18:58 PM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 52 | View Replies]

To: Bush2000
What is so special about software that makes it unlike, say, pharmaceuticals?

Pharmaceuticals are heavily tested before they're allowed to be sold to the public.

Interesting point, in fact, as it is a perfect example for what I mean. Once upon a time, pharmaceuticals put cocaine in cough syrup because they didn't have to tell anyone what went into their products. Only forcing them to publicly label the pharmaceuticals put an end to it.

Are you advocating a return to those days? Somehow I doubt it . . .

And we're not just talking about bugs and holes. Spyware is becoming a problem with software. I write financial information systems, and if I were of such a mind to, I could build in some pretty "useful" spyware.

Once upon a time, companies didn't want to release what they put into sausage

62 posted on 06/03/2002 2:19:30 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 58 | View Replies]

To: Dominic Harr
"Are you the best developer in the world? "

No, Harr. Just competent, something you will never be.

63 posted on 06/03/2002 2:19:56 PM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 52 | View Replies]

To: PatrioticAmerican
And you have the time to review the 44,000,000+ lines of code in Windows XP? Your argument makes no practical sense.

It's worse than that: He expects your mom or my grandmother to review source code now as a practical test of whether an operating system is useful. What an aquamaroon.

Second, are you expert enough to understand the complexity of the operating system and all of its subsystems? Ya, know, it is not written in Java. ;>

Bingo. See above point.

You don't know the metal in the frame of your car or engine, the metal of the aircraft you last flew in, or the pesticides used in that last green bean you ate, so why try to hammer Microsoft for not sharing their internal secrets?

Please ... don't confuse him with logic. Thinking is so hard.

Face it, you HATE Microsoft, and your efforts show your bias. You have stated in many ways that you want them out of business.

Considering that he seems to post little else but an endless diatribe against MS, I might have to concur. Fear is a motivating factor.
64 posted on 06/03/2002 2:21:35 PM PDT by Bush2000
[ Post Reply | Private Reply | To 60 | View Replies]

To: PatrioticAmerican
Never have I had to abandon a project using a Microsoft product.

So IIS crashing didn't cause you to abandon IIS as a tool? Problems with MS tools didn't cause you to abandon the tools, instead you claim you just gave your client a defective product.

Yep, that is the MS way!

I repeat -- I don't believe you're a developer. You're a salesman.

Sell it to someone else. The other folks here might not have the experiences that I have, that cause me to doubt you. Good luck with them.

65 posted on 06/03/2002 2:23:14 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 61 | View Replies]

To: Bush2000
"It ain't done until Lotus won't run"

More urban legend. It seems everyone claims they can verify this but even in the court cases where someone has brought this up they never have proof.

66 posted on 06/03/2002 2:25:53 PM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 53 | View Replies]

To: PatrioticAmerican, Bush2000
It's so cute when the MS salesmen reassure each other that the rest of the world just "hates" MS and is full of "anti-MS bigots".

All that criticism of MS out there, and only the MS salesmen are 'unbiased arbiters of truth'.

Hee.

Most salesmen don't believe their own lies, from my experience, and are just playing word games with 'spin' lines. I wonder -- do ya'll believe your own sales pitch?

67 posted on 06/03/2002 2:29:39 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 66 | View Replies]

To: Dominic Harr
Harr, you are a Sun salesman if there ever was one. You beat on Microsoft month after month and claim to have no problem with them. You lie like Hell and make personal claims against people who support Microsoft.

Again, you are not my hero, so don't expect me to impress you. Frankly, I am glad CSC has you on their staff. I can use the break in the market. HA! Guys like you have so much arrogance that the clients can't wait to have us involved and throw you out. You just keep selling your ABM, and I'll just keep racking up the wins.

68 posted on 06/03/2002 2:31:11 PM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 65 | View Replies]

To: Dominic Harr
"The other folks here might not have the experiences that I have"

Harr, you don't have any! You are your best fan! Experiences, what, your "12 web projects"??? Get real. I've put more projects under my belt than you have had birthdays.

69 posted on 06/03/2002 2:32:50 PM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 65 | View Replies]

To: PatrioticAmerican
Harr, you are a Sun salesman if there ever was one.

Haahaahahahahahahah!

Sun machines are very good machines, but very overpriced. The 'bang-for-the-buck' just isn't there. I like PC clones, you get more for your money.

McNealy is a dweeb, and I wish he'd step down.

I do like the 'Java' group -- Gosling, etc. I respect them. But I do not care for Sun, beyond that.

Haahahahahahaha!

"MS is the innocent victim. Critics of MS are all bigots. Critics of MS just 'hate' MS. Critics of MS just suffer from envy."

Yeah, right, if you say so!

70 posted on 06/03/2002 2:35:45 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 68 | View Replies]

To: PatrioticAmerican
I've put more projects under my belt than you have had birthdays.

Sure, you have.

Uh hunh.

You've no reason to lie about that, now, do you? It's not like you're here selling MS -- oh wait, you are . . .

71 posted on 06/03/2002 2:37:43 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 69 | View Replies]

To: Dominic Harr
Pharmaceuticals are heavily tested before they're allowed to be sold to the public.

Ever hear of Thalidomide? Fen Phen? Didn't think so. Like software, all human products have bugs in them.

Interesting point, in fact, as it is a perfect example for what I mean. Once upon a time, pharmaceuticals put cocaine in cough syrup because they didn't have to tell anyone what went into their products. Only forcing them to publicly label the pharmaceuticals put an end to it.

A label is not equivalent to releasing the formula, Harr. Nice try. You want a label? Look at the outside of the Windows box. Done.

Are you advocating a return to those days? Somehow I doubt it . . .

Here ya go, Harr: 90% Operating System, 10% Middleware.

And we're not just talking about bugs and holes. Spyware is becoming a problem with software. I write financial information systems, and if I were of such a mind to, I could build in some pretty "useful" spyware.

I have to wonder how having the source code is going to help your mother or my grandmother find spyware.

Once upon a time, companies didn't want to release what they put into sausage

10% pig snouts ain't source code, Harr.
72 posted on 06/03/2002 2:51:24 PM PDT by Bush2000
[ Post Reply | Private Reply | To 62 | View Replies]

To: Dominic Harr
I do like the 'Java' group -- Gosling, etc. I respect them. But I do not care for Sun, beyond that.

Like it or not, your future is tied to Sun's. If Sun crashes and burns, the rights to Java crash and burn with it. Somebody will buy those rights at auction and the future of Java will be in serious question because it was never released to a public standards committee.
73 posted on 06/03/2002 2:54:13 PM PDT by Bush2000
[ Post Reply | Private Reply | To 70 | View Replies]

To: Dominic Harr
You've no reason to lie about that, now, do you? It's not like you're here selling MS -- oh wait, you are . . .

Who's selling software? We're defending against your endless stream of lies.
74 posted on 06/03/2002 2:55:04 PM PDT by Bush2000
[ Post Reply | Private Reply | To 71 | View Replies]

To: Dominic Harr
Most salesmen don't believe their own lies, from my experience, and are just playing word games with 'spin' lines. I wonder -- do ya'll believe your own sales pitch?

Are you going to retract your statement ("It ain't done til Lotus won't run") -- or provide proof?
75 posted on 06/03/2002 2:56:22 PM PDT by Bush2000
[ Post Reply | Private Reply | To 67 | View Replies]

To: Bush2000
If Sun crashes and burns, the rights to Java crash and burn with it.

IBM, HP, Oracle, and literally a thousand other companies make that very unlikely.

In fact, there are many of us that wish Sun would either drop the hardware focus or just spin off the Java division into its own independent group.

Besides, I'm a developer -- I will just move to the next technology. Could even be .NET, as you already know, I'm working with C# also. I'm technology agnostic. Ironically enough, I'm exactly the type of developer that .NET is going to have to win over if it expects to survive.

I would *never* lock myself into a single vendor, like you have. I have skills, so I don't have to.

76 posted on 06/03/2002 6:38:35 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 73 | View Replies]

To: Dominic Harr
"You've no reason to lie about that, now, do you? It's not like you're here selling MS -- oh wait, you are . "

Harr, wanna match them bona fides? I am proud of my past and use it to its fullest advantage.

77 posted on 06/03/2002 7:21:58 PM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 71 | View Replies]

To: Dominic Harr
"I'm exactly the type of developer that .NET is going to have to win over if it expects to survive."

No, Harr. Microsoft needs developers who can consistently provide services without trashing Microsoft. Frankly, Microsoft could care less about you. They care about the customers who use their products in their daily operations. Developers? There are more than are needed as it is.

78 posted on 06/03/2002 7:25:47 PM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 76 | View Replies]

To: Bush2000
" Are you going to retract your statement ("It ain't done til Lotus won't run") -- or provide proof?"

You'll have to wait a bit for his response. I hear that slashdot is down for a moment for him to get his programmed response.

79 posted on 06/03/2002 7:26:46 PM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 75 | View Replies]

To: Dominic Harr
IBM, HP, Oracle, and literally a thousand other companies make that very unlikely.

The Java Community Process doesn't own Java, Harr. You know that (or should, at any rate). Sun retains all rights to Java. That means if Sun tanks, it takes Java down with it because another company could buy the rights to Java and start charging royalties. Then you'd be royally screwed.

In fact, there are many of us that wish Sun would either drop the hardware focus or just spin off the Java division into its own independent group.

A rare moment: We actually agree on this point. I consider it to be a strategic mistake for Sun to not release Java to ISO or ECMA.

Besides, I'm a developer -- I will just move to the next technology. Could even be .NET, as you already know, I'm working with C# also. I'm technology agnostic. Ironically enough, I'm exactly the type of developer that .NET is going to have to win over if it expects to survive. I would *never* lock myself into a single vendor, like you have.

I think you'll get a chance to be flexible at the rate things are going for Sun.

I have skills, so I don't have to.

I could be mean and say that janitorial skills are a dime a dozen. But I won't. Oops, I already did.
80 posted on 06/03/2002 10:08:32 PM PDT by Bush2000
[ Post Reply | Private Reply | To 76 | View Replies]

