May 3, 2001

Raymond challenges Microsoft's security record

Author: JT Smith

From Open Source advocate Eric S. Raymond: About an hour after I posted "Beware the Microsoft shell game!", the company that wants you to trust your digital identity and your vital business data to its .NET application servers admitted that there is an easy root crack in the standard build of Windows 2000 running the IIS web server. Code for this exploit has been sighted in the wild.

What this means is that unless a knowledgeable sysadmin has taken explicit action to prevent it, any 15-year-old who can copy code off the Internet can use Microsoft's IIS to bypass your firewall, bypass your password system, and gain administrator-level access to the machine that hosts your webserver. They can inspect, alter or delete files at will no matter how you have them secured. They can also use root-level access to that machine as a springboard for attacks on other systems inside your firewall.

A writeup on this latest in the apparently unending stream of gaping
holes in Microsoft's security is at:

http://www.eeye.com/html/Research/Advisories/AD20010501.html.

This is about as bad as it gets, folks. It's a big, nasty problem even by Microsoft's security-bug-of-the-month standards.

At Craig Mundie's anti-open-source sermonette in New York tomorrow (Thursday),
I hope someone will have the temerity to ask him a few simple
questions:

1. Should Microsoft's record on security inspire confidence in
customers considering entrusting their digital identities to
Microsoft's Hailstorm system and their critical business
data to .NET?

2. Even the most cursory inspection of sites that specialize in
tracking security bugs (such as CERT and BugTraq) suggests that
open-source operating systems such as Linux and the BSDs have
a far better security record than Microsoft Windows, both in
having fewer vulnerabilities and in more rapid deployment of
fixes. How does Microsoft propose to close the technology gap
and catch up to the quality level of these systems?

3. How can potential operating-system customers with millions
(perhaps billions) of dollars riding on the security of their
computer systems form a rational estimate of their exposure
if they cannot inspect the source code of those systems?

4. If the answer to question 3 is "You can see the source code if
you're a big enough company to pay us for the privilege", then why
should customers have to pay for the privilege of doing the job
Microsoft's own QA teams so frequently bungle?

5. How would you respond to the following statement: "Any engineer or
executive who, disregarding best practices, entrusts
security-critical functions to closed-source software is committing
an actionable breach of their responsibility to their employer?"

--
Eric S. Raymond

If a thousand men were not to pay their tax-bills this year, that would
... [be] the definition of a peaceable revolution, if any such is
possible.
-- Henry David Thoreau

Category:

  • Migration