Free Republic

Microsoft: "Our products aren't engineered for security" [Duh!]
Computer Weekly ^ | Friday 6 September 2002 | CW360 Staff

Posted on 09/06/2002 10:36:06 AM PDT by toupsie

Brian Valentine, senior vice-president in charge of Microsoft's Windows development, has made a grim admission to the Microsoft Windows Server .net developer conference in Seattle, USA.

"I'm not proud," he told delegates yesterday (5 September). "We really haven't done everything we could to protect our customers. Our products just aren't engineered for security," admitted Valentine, who since 1998 has headed Microsoft's Windows division.

In August the company put out eight security bulletins. This month it has released two, so far, with the latest urging users to patch a flaw in its digital certificate technology that could allow attackers to steal a user's credit card details.

Microsoft's regular stream of security bulletins has continued despite Bill Gates' company-wide Trustworthy Computing Initiative, announced earlier this year.

The Initiative was launched with a memo from Bill Gates, Microsoft's chairman and chief software architect, and saw the company halt production on new code in all of its products while employees scanned every line of existing code in search of vulnerabilities.

"We realised that we couldn't continue with the way we were building software and expect to deliver secure products," Valentine said.

But the company is dealing with a problem that is not easily resolved. Valentine told developers at the conference that as the company works to shore up its products the security dilemma will evolve as hackers become more sophisticated.

"It's impossible to solve the problem completely," Valentine said. "As we solve these problems there are hackers who are going to come up with new ones. There's no end to this."

Microsoft has also been employing new tools developed by Microsoft Research that are designed to detect errors in code during the development process, Valentine said.

According to Chandra Mugunda, a software consultant with Dell who attended Valentine's presentation, buggy software is "an industry-wide problem, not just a Microsoft problem. But they're the leaders, and they should take the lead to solve them."


To: HAL9000
Microsoft operating systems are trivial for unauthorized users to crack because Microsoft is institutionally incapable of developing good software.

Give it a rest, HAL. There are a truckload of recent Apple security updates listed on Apple's website. I suppose they're "institutionally incapable of developing good software", as well ... http://www.info.apple.com/usen/security/security_updates.html

Security updates

Security updates are listed below according to the software release in which they first appeared. Where possible, CVE IDs are used to reference the vulnerabilities for further information.

Security Update 2002-08-23

  • This security update is for Mac OS X 10.2 (Jaguar) and applies the fixes contained in Security Update 2002-08-02 which was for Mac OS X 10.1.5.

Security Update 2002-08-20

  • Secure Transport: This update enhances the certificate verification in OS X and is now in full compliance with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile (RFC2459).

Security Update 2002-08-02

Security Update 7-18-02

  • Software Update: Contains Software Update client 1.4.7 which adds cryptographic signature verification to the softwareupdate command line tool. This provides an additional means to perform software updates in a secure manner, along with the existing Software Update capability contained in System Preferences.

Security Update 7-12-02

  • Software Update: Fixes CVE ID CAN-2002-0676 to increase the security of the Software Update process for systems with Software Update client 1.4.5 or earlier. Packages presented via the Software Update mechanism are now cryptographically signed, and the new Software Update client 1.4.6 checks for a valid signature before installing new packages.

Security Update July 2002

Mac OS X 10.1.5

  • sudo - Fixes CAN-2002-0184, where a heap overflow in sudo may allow local users to gain root privileges via special characters in the -p (prompt) argument.

  • sendmail - Fixes CVE-2001-0653, where an input validation error exists in Sendmail's debugging functionality which could lead to a system compromise.

Internet Explorer 5.1 Security Update (April 2002)

Mac OS X 10.1.4

Security Update - April 2002

  • Apache - updated to version 1.3.23 in order to incorporate the mod_ssl security fix.

  • Apache Mod_SSL - updated to version 2.8.7-1.3.23 to address the buffer overflow vulnerability CAN-2002-0082 which could potentially be used to run arbitrary code. Further Details at: http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html

  • groff - updated to version 1.17.2 to address the vulnerability CAN-2002-0003, where an attacker could gain rights as the 'lp' user remotely. Further details at: http://online.securityfocus.com/advisories/3859

  • mail_cmds - updated to fix a vulnerability where users could be added to the mail group

  • OpenSSH -- updated to version 3.1p1 to address the vulnerability CAN-2002-0083, where an attacker could influence the contents of the memory. Further details at: http://www.pine.nl/advisories/pine-cert-20020301.html

  • PHP - updated to version 4.1.2 to address the vulnerability CAN-2002-0081, which could allow an intruder to execute arbitrary code with the privileges of the web server. Further details at:

  • rsync - updated to version 2.5.2 to address the vulnerability CAN-2002-0048 which could lead to corruption of the stack and possibly to execution of arbitrary code as the root user. Further details at:

  • sudo - updated to version 1.6.5p2 to address the vulnerability CAN-2002-0043, where a local user may obtain superuser privileges. Further details at:

Mac OS X v10.1.3

  • WebDAV - Extended the Digest Authentication mode to work with additional servers

Mac OS X v10.1 Security Update 10-19-01

Internet Explorer 5.1.1

  • IE 5.1.1 - Fixes a problem with IE 5.1 bundled with Mac OS X v10.1 where Internet Explorer executes downloaded software automatically, which could result in data loss or other harm. More information is available in the Knowledge Base article 106503.

Mac OS X v10.1

  • crontab - Fixes the vulnerability described in FreeBSD-SA-01:09 where local users can read arbitrary local files that conform to a valid crontab file syntax.

  • fetchmail

  • ipfw - Fixes the vulnerability described in FreeBSD-SA-01:08.ipfw where a remote attack may be constructed with TCP packets with the ECE flag set.

  • java - Fixes the vulnerability described in: http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/216&type=0&nav=sec.sbl&ttl=sec.sbl where an untrusted applet may monitor requests to and responses from an HTTP proxy server.

  • open() syscall - Fixes the vulnerability described in FreeBSD-SA-97:05.open where another user on the system could do unauthorized I/O instructions

  • OpenSSL - Included version 0.9.6b which contains a number of fixes from the previous version. See http://www.openssl.org/ for details.

  • procmail - Fixed the vulnerability described in Red Hat RHSA-2001:093-03 where signals are not handled correctly.

  • rwhod - Fixes the vulnerability described in FreeBSD-SA-01:29.rwhod where remote users can cause the rwhod daemon to crash, denying service to clients.

  • setlocale() string overflow - Fixes the vulnerability described in FreeBSD-SA-97:01.setlocale where the setlocale() call contains a number of potential exploits through string overflows during environment variable expansion

  • sort - Fixes the vulnerability described in CERT Vulnerability Note VU#417216 where an intruder may be able to block the operation of system administration programs by crashing the sort utility.

  • system clipboard / J2SE - Fixes a security issue that permitted unauthorized applets access to the system clipboard.

  • tcpdump - Fixes the vulnerability described in FreeBSD-SA-01:48 where remote users can cause the local tcpdump process to crash, and may be able to cause arbitrary code to be executed.

  • TCP Initial Sequence Numbers - Fixes the potential vulnerability described in FreeBSD-SA-00:52 where the algorithm to generate the number the system will use for the next incoming TCP connection was not sufficiently random

  • tcsh '>>' operator - Fixes the vulnerability described in FreeBSD-SA-00:76 where unprivileged local users can cause an arbitrary file to be overwritten when another person invokes the '<<' operator in tcsh (e.g. from within a shell script)

  • telnetd - Fixes the vulnerability described in FreeBSD-SA-01:49 where remote users can cause arbitrary code to be executed as the user running telnetd.

  • timed - Fixes the vulnerability described in FreeBSD-SA-01:28 where remote users can cause the timed daemon to crash, denying service to clients.

Mac OS X Server v10.1

  • MySQL 3.23.42 - Contains a number of fixes from the previous version. See the 3.23.42 section on the MySQL site for details.

  • Tomcat 3.2.3 - Contains a number of fixes from the previous version. See the Tomcat site for details.

  • Apache - Fixed the .DS_Store file vulnerability described in http://securityfocus.com/bid/3324

  • Apache - Fixed the potential vulnerability where .htaccess files might be visible to web browsers if created on HFS+ volumes. The files directive in the http.conf file was modified to block from visibility to web browsers all files whose names begin with .ht, regardless of case.

Mac OS X Web Sharing Update 1.0

  • Apache 1.3.19 - Fixes security issues with sites use of the mass virtual hosting module mod_vhost_alias or mod_rewrite.

  • mod_hfs_apple -- Addresses Apache case-insensitivity problems on Mac OS Extended (HFS+) volumes.

  • OpenSSH 2.9p2 -- Fixes SSH1 vulnerability described in www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt.

  • sudo -- Fixes the buffer overflow vulnerability described in FreeBSD-SA-01:38

Mac OS X 10.0.4 Server Update

Mac OS X 10.0.2

Mac OS X 10.0.1

  • OpenSSH-2.3.0p1  --  SSH services are enabled via the Sharing pane in System Preferences

Mac OS Runtime for Java (MRJ) 2.2.5

  • MRJ 2.2.5  --  Fixes a security issue that permitted unauthorized applets access to the system clipboard.

Note:
For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.


21 posted on 09/06/2002 12:46:45 PM PDT by Bush2000
[ Post Reply | Private Reply | To 8 | View Replies]
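The Software Update entries quoted above (client 1.4.6 and the softwareupdate tool) describe one control: packages are cryptographically signed, and the client checks for a valid signature before installing anything. The following is an added example of that check written for this thread; it is not Apple's code, and the package name, payload bytes and the Ed25519 key pair are all constructed stand-ins. It shows the three outcomes a practitioner cares about: a genuine package installs, a package whose payload was altered after signing is refused, and an unsigned package is refused rather than silently accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is a constructed stand-in for an update package as presented to the
// client: the payload bytes plus a detached signature over the payload's digest.
type Package struct {
	Name      string
	Payload   []byte
	Signature []byte // empty for an unsigned package
}

// Distinct errors so that a refusal can be logged with its reason.
var (
	ErrUnsigned = errors.New("package carries no signature")
	ErrBadSig   = errors.New("signature does not verify against the trusted key")
)

// signPackage is the publisher side (assumption: the vendor holds the private key
// and ships the matching public key inside the client).
func signPackage(priv ed25519.PrivateKey, name string, payload []byte) Package {
	digest := sha256.Sum256(payload)
	return Package{Name: name, Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// verifyPackage is the client-side check: refuse anything unsigned, and refuse
// anything whose signature does not verify under the pinned publisher key.
func verifyPackage(pub ed25519.PublicKey, p Package) error {
	if len(p.Signature) == 0 {
		return ErrUnsigned
	}
	digest := sha256.Sum256(p.Payload)
	if !ed25519.Verify(pub, digest[:], p.Signature) {
		return ErrBadSig
	}
	return nil
}

// install proceeds only once verification has passed; returns true if installed.
func install(pub ed25519.PublicKey, p Package) (bool, error) {
	if err := verifyPackage(pub, p); err != nil {
		return false, fmt.Errorf("refusing %q: %w", p.Name, err)
	}
	// A real client would unpack and apply p.Payload here.
	return true, nil
}

// Demo exercises the three cases: genuine, tampered after signing, and unsigned.
func Demo() (genuineOK bool, tamperedErr error, unsignedErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair
	if err != nil {
		panic(err)
	}
	genuine := signPackage(priv, "SecurityUpdate-demo.pkg", []byte("constructed payload v1"))
	genuineOK, _ = install(pub, genuine)

	// Same signature, altered payload: the digest no longer matches.
	tampered := genuine
	tampered.Payload = []byte("constructed payload v1 + injected bytes")
	_, tamperedErr = install(pub, tampered)

	// No signature at all: must be refused, not treated as "nothing to check".
	unsigned := Package{Name: "unsigned-demo.pkg", Payload: []byte("constructed payload")}
	_, unsignedErr = install(pub, unsigned)
	return
}

func main() {
	ok, tErr, uErr := Demo()
	fmt.Println("genuine installed:", ok)
	fmt.Println("tampered:", tErr)
	fmt.Println("unsigned:", uErr)
}
```

The design point is the unsigned case: a client that only verifies signatures when one is present can be downgraded by stripping the signature, so the absence of a signature must be a hard failure, as the 1.4.6 note implies by requiring a valid signature before any install.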

To: Bush2000
I don't have to defend it. If you had some technical knowledge, you'd realize that no product is engineered to provide complete security. Not Windows. Not Linux. Not Apache. Not OSX. Etc, etc. Or have you already forgotten about hacks to OpenSSH, Apache chunk handling, Mac OS X Setuid root access, PHP for OSX, Linux WU-FTPD, Linux line printer daemon, Linux BIND, etc, etc, etc ...

Cop outs and insults. What else would we expect from you? That was not what the manager from Microsoft was saying. He said that they haven't even made the attempt to secure their product. Insecure by default. The organizations you mentioned actually make the effort (and succeed in that effort) to make their products secure, Microsoft is saying it does not. Huge difference.

And to quote you, "If you had some technical knowledge, you'd realize" that BIND and WU-FTPd are not products of Linux nor is there such a thing as a Linux product. Linux is just the kernel of a GNU/Linux system. We wouldn't want you to be 'technically incorrect'.

22 posted on 09/06/2002 12:51:26 PM PDT by toupsie
[ Post Reply | Private Reply | To 20 | View Replies]

To: toupsie
Cop outs and insults. What else would we expect from you? That was not what the manager from Microsoft was saying. He said that they haven't even made the attempt to secure their product. Insecure by default. The organizations you mentioned actually make the effort (and succeed in that effort) to make their products secure, Microsoft is saying it does not. Huge difference.

Past tense, you moron.

And to quote you, "If you had some technical knowledge, you'd realize" that BIND and WU-FTPd are not products of Linux nor is there such a thing as a Linux product. Linux is just the kernel of a GNU/Linux system. We wouldn't want you to be 'technically incorrect'.

IIS, Exchange, Outlook, Outlook Express, Office, etc aren't part of the Windows kernel either, bozo. And yet you're perfectly willing to demagogue all of those products as "Windows" problems. Sheez... don't you four-percenters have anything better to do with your time?
23 posted on 09/06/2002 12:54:06 PM PDT by Bush2000
[ Post Reply | Private Reply | To 22 | View Replies]

To: Bush2000
That's so cool, all of Apple's problems can fit in one message and already have been fixed!!! Try doing that with Windows! Apple actually discovers and fixes security flaws! Microsoft still has 18 security holes that have been around for at least one year. When are they going to fix those?

Here's my favorite 'Security Issue' you mention:
OpenSSH-2.3.0p1  --  SSH services are enabled via the Sharing pane in System Preferences
Wow! The hackers are going to get a lot of mileage out of that one!

24 posted on 09/06/2002 12:57:44 PM PDT by toupsie
[ Post Reply | Private Reply | To 21 | View Replies]

To: Bush2000
IIS, Exchange, Outlook, Outlook Express, Office, etc aren't part of the Windows kernel either, bozo. And yet you're perfectly willing to demagogue all of those products as "Windows" problems. Sheez... don't you four-percenters have anything better to do with your time?

Please post the message where I say that IIS, Exchange, Outlook, Outlook Express, Office are a part of the Windows kernel. You make this claim all the time yet are unable to back it up. Please do for a change.

Got anything else besides personal insults to bolster your case? You seem to like to say "moron" a lot to folks that don't agree with you. Join us in the adult world.

25 posted on 09/06/2002 1:01:46 PM PDT by toupsie
[ Post Reply | Private Reply | To 23 | View Replies]

To: steve-b
The problem is that for years Apple was run by managers who couldn't sell ice water to people in hell.

You got that right. Thank goodness that Steve Jobs is back at the helm. I didn't hop back on the Apple bandwagon until he returned. I was in my DEC Alpha period before that.

26 posted on 09/06/2002 1:03:22 PM PDT by toupsie
[ Post Reply | Private Reply | To 19 | View Replies]

Comment #27 Removed by Moderator

To: toupsie
Please post the message where I say that IIS, Exchange, Outlook, Outlook Express, Office are a part of the Windows kernel. You make this claim all the time yet are unable to back it up. Please do for a change.

I'll turn the tables. Show me bugs in which the Windows kernel caused a vulnerability.
28 posted on 09/06/2002 1:06:04 PM PDT by Bush2000
[ Post Reply | Private Reply | To 25 | View Replies]

Comment #29 Removed by Moderator

To: Hodar
But, when a consumer has a choice of buying the lowest Mac with little/no software; or a top notch PC with scads of software; the user typically choses the PC.

Huh? Macs come preloaded with a bunch of excellent software, including a superior operating system, Internet applications, word processing, graphics software, Quicken, iTunes, iPhoto, iMovie, QuickTime, utilities, etc. Is there some particular must-have application you know of that Mac users can't get?

30 posted on 09/06/2002 1:10:02 PM PDT by HAL9000
[ Post Reply | Private Reply | To 15 | View Replies]

To: Bush2000
I'll turn the tables. Show me bugs in which the Windows kernel caused a vulnerability

How can I? Microsoft does not release information about its kernel to the general public like Apple and the Open Source OSes-- xBSD and GNU/Linux. In fact, Microsoft has tried to bully several organizations in order to prevent the general public from receiving information regarding an insecurity of Windows. What do they have to hide Bush2000? Even "proprietary" Apple has their kernel open for the whole world to view...for free!

31 posted on 09/06/2002 1:15:17 PM PDT by toupsie
[ Post Reply | Private Reply | To 28 | View Replies]

To: toupsie
How can I? Microsoft does not release information about its kernel to the general public like Apple and the Open Source OSes-- xBSD and GNU/Linux.

Wrong. You can easily search the database of hotfixes and security bulletins. They describe exactly where the bug was found and the component it affects.

http://www.microsoft.com/technet/security/current.asp
32 posted on 09/06/2002 1:21:09 PM PDT by Bush2000
[ Post Reply | Private Reply | To 31 | View Replies]

To: HAL9000
If you run a business -- Access.
33 posted on 09/06/2002 1:25:49 PM PDT by js1138
[ Post Reply | Private Reply | To 30 | View Replies]

To: Bush2000
You and the rest of the Mac bigots are speaking out of both sides of your mouth, holding up Microsoft as evidence of buggy code while sweeping your own bugs under the rug when somebody (namely, me) brings them up.

Ew, Mac users are now 'bigots' -- I thought you were calling us 'morons' and 'bozos' earlier. Got anymore personal insults up your sleeves?

Mac OS X bugs aren't swept under the carpet. They are fixed. As evidenced by your post of a total of one Apple Web Page of bugs. One page. That's the shortest bug list I know of in the OS industry. It shows that Apple isn't afraid of letting the general public know what they have fixed and what was wrong at the time.

Leave it to you to spotlight one of the less severe bugs while ignoring the rest of the serious bugs...

Leave it to you to think that adding a menu option in a system preferences window is a "less severe bug". Do you actually read the things you cross post from the Apple web site?

Where are those supposed posts where I say that, "Outlook is a part of the Windows kernel"? Still waiting on that. Or was that just a case of you doing a "Drive By Lying"?

34 posted on 09/06/2002 1:26:12 PM PDT by toupsie
[ Post Reply | Private Reply | To 27 | View Replies]

To: Bush2000
http://online.securityfocus.com/bid/5556
http://online.securityfocus.com/bid/5484
http://online.securityfocus.com/bid/5478
http://online.securityfocus.com/bid/5480
http://online.securityfocus.com/bid/5408

Just the past month. And that doesn't include whatever is causing the "mysterious hacks" that they can't figure out.
35 posted on 09/06/2002 1:26:33 PM PDT by sigSEGV
[ Post Reply | Private Reply | To 28 | View Replies]

To: Bush2000
There are a truckload of recent Apple security updates listed on Apple's website.

Yes, Apple is very good about issuing security updates whenever a potential vulnerability is discovered, often on the same day as the initial report. Typically, the update is installed automatically when the user logs on to the Internet. In contrast, Microsoft takes weeks or months to respond to security issues, if at all.

The list of security issues on Mac OS X is very short compared to the gaping holes in Windows, and the number of Windows virus/worm/security victims is probably in the millions.

To my knowledge, not one Mac OS X user has actually been the victim of the security exploits, thanks to Apple's better coding practices and response time.

It's amusing when I get a call from a Windows user complaining that their computer is malfunctioning, I tell them to check their web server home page and sometimes it comes up with a message like "This computer has been hacked by China!" I've never seen that happen on a Mac.

36 posted on 09/06/2002 1:31:48 PM PDT by HAL9000
[ Post Reply | Private Reply | To 21 | View Replies]

To: Bush2000
Wrong. You can easily search the database of hotfixes and security bulletins. They describe exactly where the bug was found and the component it affects.

I don't see the kernel source there. Where is it? That's what we were talking about, the kernel. What happens if I don't want to trust what Microsoft has to say about Windows' kernel? If you don't trust Apple, you can look and inspect their kernel source just like xBSD and GNU/Linux systems. You don't even have to go to court to get that code, it's free for the taking...even compile it on an x86 box.

37 posted on 09/06/2002 1:33:06 PM PDT by toupsie
[ Post Reply | Private Reply | To 32 | View Replies]

To: Bush2000
Past tense, you moron.

Valentine said, "Our products aren't engineered for security."

Moron? At least I understand that "aren't" is present tense not past tense. If he was discussing the past he would have said, "Our products were not engineered for security." Review your 4th grade grammar book for details on past and present tense usage.

38 posted on 09/06/2002 1:39:56 PM PDT by toupsie
[ Post Reply | Private Reply | To 23 | View Replies]

To: toupsie
I don't see the kernel source there. Where is it?

This is an honest question, no provocation intended: is the kernel source available for MacOS 9.x and earlier?

39 posted on 09/06/2002 1:44:22 PM PDT by Denver Ditdat
[ Post Reply | Private Reply | To 37 | View Replies]

To: toupsie
As far as I know, MS has only been orange book certified once - and that was for NT service pack 4 on one specific hardware platform (I forget which one).  Contrast that to Novell which has a history of trying (and succeeding for the most part) of getting orange book certified on every release on every platform they run on.

Also, they should have learned from the Unix experience that implementing raw sockets was a brain-dead thing to do.
40 posted on 09/06/2002 1:46:05 PM PDT by Frumious Bandersnatch
[ Post Reply | Private Reply | To 3 | View Replies]

